Understanding RSA Key Files: Mathematics, Six‑Layer Model, Tools, and Usage Scenarios

This article provides a comprehensive technical overview of RSA key files, covering their mathematical foundations, a six‑layer abstraction model, practical tooling, and common deployment scenarios such as HTTPS and MySQL SSL.

RSA Mathematical Basis

RSA security relies on the difficulty of factoring a large composite number m = p × q , where p and q are large prime numbers. The Euler totient ψ = (p‑1)(q‑1) is used to compute the private exponent d such that e × d ≡ 1 (mod ψ) . Typical public exponent e = 65537 is chosen to be coprime with ψ . The public key consists of the pair (m, e) and the private key of (m, d) , optionally storing intermediate values p, q, e to speed up decryption.

RSA Six‑Layer Model

Data: raw mathematical values (m, e, p, q, subject, issuer).

Serialization: encoding of the data (ASN.1, DER).

Structure: container formats (PKCS#1, PKCS#8, X.509).

Text: conversion of binary data to Base64 text.

Presentation: PEM wrapper with BEGIN/END labels.

Application: real‑world usage (public keys, certificates, JKS, CSR, certificate chains).

Tooling (OpenSSL and keytool)

# Generate a 2048‑bit PKCS#1 private key
openssl genrsa -out private.pem 2048
# Extract a PKCS#8 public key from the private key
openssl rsa -in private.pem -out public.pem -pubout
# Convert PKCS#1 public key to PKCS#8 format
openssl rsa -in public.pem -out public-pkcs8.pem -RSAPublicKey_in
# View public key details
openssl rsa -in public.pem -pubin -text -noout
# Create a CSR from an existing private key
openssl req -key private.pem -out request.csr -new
# Sign the CSR to obtain a certificate (valid 365 days)
openssl x509 -req -in request.csr -signkey private.pem -out cert.crt -days 365
# Convert a CA certificate to JKS format
keytool -importcert -alias Cacert -file ca.crt -keystore truststoremysql.jks -storepass password123
# Convert PKCS#12 keystore to JKS
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 -srcstorepass mypassword -destkeystore clientstore.jks -deststoretype JKS -deststorepass password456

PEM Format

PEM (Privacy‑Enhanced Mail) wraps the binary ASN.1/DER data in Base64 and adds clear textual delimiters:

-----BEGIN
-----
-----END
-----

ASN.1 and Encoding Rules

ASN.1 defines a type‑length‑value (TLV) syntax for representing structured data. Common encoding rules are BER, CER, and the unambiguous DER. DER‑encoded data is usually Base64‑encoded to form PEM files. The first two Base64 characters of a DER‑encoded RSA key are "MI".

Usage Scenarios

HTTPS One‑Way Authentication

Server creates server.crt and server.key (via OpenSSL).

Server sends server.crt to the client.

Client validates the certificate, generates a session key, encrypts it with the server’s public key, and sends it back.

Server decrypts the session key with server.key and uses it to encrypt/decrypt HTTP traffic.

HTTPS Two‑Way Authentication

Server and client exchange certificates ( server.crt and client.crt ).

Both sides validate each other’s certificates (signed by a common CA).

After validation, the same session‑key exchange as in one‑way authentication proceeds.

MySQL SSL (Single and Mutual Authentication)

Server config: ca.crt , server.crt , server.key (certificate signed by ca.crt ).

Client config for single‑way: only ca.crt to verify the server.

Client config for mutual authentication: ca.crt , client.crt , client.key (client certificate signed by the same CA).

JKS keystores are created with keytool and referenced in the JDBC URL, e.g.: verifyServerCertificate=true&useSSL=true&requireSSL=true&trustCertificateKeyStoreUrl=file:./truststore.jks&trustCertificateKeyStorePassword=password123

The article concludes with an appendix listing ASN.1 definitions for PKCS#1, PKCS#8, and X.509 structures.