Generate RSA Key Pair with openssl genpkey

OpenSSL is a large command-line binary that bundles many security-related utilities. Each utility is selected by the first argument to openssl. For instance, to generate an RSA key, the command to use is openssl genpkey.

Generate 2048-bit AES-256 Encrypted RSA Private Key .pem

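The following command writes a private RSA key in PEM format to the output file private.pem. The key size is set explicitly with -pkeyopt rsa_keygen_bits:2048, because the default size depends on the OpenSSL version.

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out private.pem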

Let’s break this command down:

When executed, this command asks for a password to encrypt the key with. After you enter a password, a file named private.pem is created in the current directory.

Private RSA keys generated with this utility start with the text -----BEGIN PRIVATE KEY-----.

You can inspect this file with the command cat private.pem.

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Export Public RSA Key From Private Key

To export the public key from the freshly generated private RSA key, use the openssl rsa utility, which is used for processing RSA keys.

The command to export a public key is as follows:

openssl rsa -in private.pem -pubout -outform PEM -out public.pem

This will result in a public key, due to the flag -pubout.

Inspect this file with cat public.pem:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUDYMUfQdBK+6hv4FRsnzG7DoV
2mH+cuVA+pY/MpnDrXs2yyU3QLDz9lCNu6+YjbKSBHRSqSrOniyfOJJ+EgmqINDA
om+giMGXkHpLmBL3uYOPwqTlAnXBjjmndErYPKK1iJUFtwlw8sonLv2DKzN9Diee
Kt9KaVKSrAgfj9XV3QIDAQAB
-----END PUBLIC KEY-----

The public key can be uploaded to other servers and services to encrypt data for the private key to decrypt.

This file will start with -----BEGIN PUBLIC KEY-----. If this file doesn’t start with “BEGIN PUBLIC KEY”, do not upload it as a public key to any source!
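
The check described above can be automated before a key file leaves the machine. The script below is an added example, not part of the original page; it goes one step further than the first-line test by also rejecting a file that starts with a public key block but carries a private key block later on. The function names pem_labels, safe_to_upload and make_samples are hypothetical, and the sample key bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to publish a PEM file
# unless it holds public key material only.

# Print the label of every PEM block in FILE, e.g. "PUBLIC KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Return 0 only if FILE starts with a PUBLIC KEY block and contains no
# private-key block of any kind (PRIVATE KEY, ENCRYPTED PRIVATE KEY,
# RSA PRIVATE KEY, ...) anywhere in the file.
safe_to_upload() {
    [ -r "$1" ] || { echo "refuse: cannot read $1" >&2; return 2; }
    # First non-empty line, with any Windows line ending stripped.
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1 | tr -d '\r')
    if [ "$first" != "-----BEGIN PUBLIC KEY-----" ]; then
        echo "refuse: $1 does not start with BEGIN PUBLIC KEY" >&2
        return 1
    fi
    if pem_labels "$1" | grep -q 'PRIVATE KEY'; then
        echo "refuse: $1 also contains a private key block" >&2
        return 1
    fi
    return 0
}

# Constructed sample files: the labels are real PEM labels, the bodies are
# placeholders and not usable keys.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'cGxhY2Vob2xkZXI=' \
        '-----END PUBLIC KEY-----' > "$dir/public.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/private.pem"
    # A bundle that starts correctly but carries the private key after it.
    cat "$dir/public.pem" "$dir/private.pem" > "$dir/bundle.pem"
}

# Check the files named on the command line, if any.
for f in "$@"; do
    if safe_to_upload "$f"; then echo "ok: $f"; fi
done
```

Run it as sh check_pem.sh public.pem (the script file name is an assumption); only files that pass print an ok line, and refusals go to standard error.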