How To: Generate OpenSSL RSA Key Pair

OpenSSL is a large command-line binary that bundles many security-related utilities. Each utility is selected by the first argument to openssl . For instance, to generate an RSA key, the command to use is openssl genpkey .

Generate 2048-bit AES-256 Encrypted RSA Private Key .pem

The following command produces an output file named private.pem containing a private RSA key in the PEM format.

openssl genpkey -algorithm RSA -aes256 -out private.pem

Let’s break this command down:

openssl : The binary that contains the code to generate an RSA key (and many other utilities).

genpkey : Specifies the utility to use.

-algorithm RSA : Specifies to use the RSA algorithm.

-aes256 : Specifies to use the AES-256 cipher, which is newer and more secure than DES. Default is no cipher.

-out private.pem : Specifies that a file named “private.pem” should be created with the contents of the private key. Default is STDOUT .

When executed, this command asks for a password to encrypt the key with. After a password is entered, a file named private.pem is created in the current directory.

Private RSA keys generated with this utility start with the text -----BEGIN PRIVATE KEY----- .

You can inspect this file with the command cat private.pem .


Export Public RSA Key From Private Key

To export the public key from the freshly generated private RSA key, use the openssl rsa utility, which is used for processing RSA keys.

The command to export a public key is as follows:

openssl rsa -in private.pem -pubout -outform PEM -out public.pem

The -pubout flag makes the utility write the public key instead of the private key.

Inspect this file with cat public.pem . It starts with the text -----BEGIN PUBLIC KEY----- .


The public key can be uploaded to other servers and services to encrypt data for the private key to decrypt.
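
The two steps above as a non-interactive script with checks on the result: an added example, not part of the original article. It assumes an openssl binary on PATH; the KEY_PASS variable and the function names are chosen here for illustration, and the key size is set explicitly with -pkeyopt rsa_keygen_bits:2048 rather than left to the build's default.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes `openssl` is on PATH and
# the passphrase is in the exported variable KEY_PASS (name chosen here), e.g.:
#   KEY_PASS='...'; export KEY_PASS; gen_keypair . && keys_match . && key_bits .

# gen_keypair DIR: write DIR/private.pem (AES-256 encrypted) and DIR/public.pem.
gen_keypair() {
    (
        umask 077   # new files are readable and writable by the owner only
        # rsa_keygen_bits pins the size instead of relying on the build's default;
        # env:KEY_PASS keeps the passphrase out of the process argument list.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes256 -pass env:KEY_PASS -out "$1/private.pem" 2>/dev/null &&
        openssl rsa -in "$1/private.pem" -passin env:KEY_PASS \
            -pubout -outform PEM -out "$1/public.pem" 2>/dev/null
    )
}

# key_bits DIR: print the modulus size of DIR/private.pem in bits.
key_bits() {
    openssl rsa -in "$1/private.pem" -passin env:KEY_PASS -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# pem_label FILE: print the BEGIN line. A passphrase-protected PKCS#8 file is
# labelled ENCRYPTED PRIVATE KEY; an unprotected one is labelled PRIVATE KEY.
pem_label() { head -n 1 "$1"; }

# is_encrypted FILE: succeed if FILE cannot be loaded with a wrong passphrase.
is_encrypted() {
    ! openssl rsa -in "$1" -passin pass:not-the-passphrase -noout 2>/dev/null
}

# keys_match DIR: succeed only if both files carry the same RSA modulus.
keys_match() {
    priv=$(openssl rsa -in "$1/private.pem" -passin env:KEY_PASS -noout -modulus 2>/dev/null)
    pub=$(openssl rsa -pubin -in "$1/public.pem" -noout -modulus 2>/dev/null)
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}
```

Running key_bits and keys_match after generation confirms the key size actually produced and that public.pem belongs to private.pem before the public key is distributed.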