OpenSSL: Generate Key – RSA Private Key

An RSA key is a private key based on RSA algorithm, used for authentication and an symmetric key exchange during establishment of an SSL/TLS session.

The RSA private key in PEM format (the most common format for X.509 certificates, CSRs and cryptographic keys) can be generated from the command line using the openssl genpkey utility.

Cool Tip: Check whether an SSL Certificate or a CSR match a Private Key using the OpenSSL utility from the command line! Read more →

Generate RSA Private Key using OpenSSL

genrsa vs genpkey: The OpenSSL genpkey utility has superseded the genrsa utility.

Generate an RSA private key using default parameters:

$ openssl genpkey -algorithm RSA -out key.pem

The unencrypted PKCS#8 encoded RSA private key starts and ends with these tags:

$ sed -n -e '1p;$p' key.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Generate 2048-bit RSA private key (by default 1024-bit):

$ openssl genpkey -algorithm RSA \
                  -pkeyopt rsa_keygen_bits:2048 \
                  -out key.pem

Create an RSA private key encrypted by 128-bit AES algorythm:

$ openssl genpkey -algorithm RSA \
                  -aes-128-cbc \
                  -out key.pem

The passphrase can also be specified non-interactively:

$ openssl genpkey -algorithm RSA \
                  -aes-128-cbc \
                  -pass pass:<passphrase> \
                  -out key.pem

Cool Tip: Check the quality of your SSL certificate! Find out its Key length from the Linux command line! Read more →

The encrypted PKCS#8 encoded RSA private key starts and ends with these tags:

$ sed -n -e '1p;$p' key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

Decrypt a password protected RSA private key:

$ openssl rsa -in key.pem