"openssl genpkey -algorithm RSA" - RSA Private Key

This section describes the 'openssl genpkey -algorithm RSA' command, which generates an RSA private/public key pair. It replaces the old 'openssl genrsa' command.

RSA (Rivest Shamir Adleman) is a well-known private/public key algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977. You can generate RSA private/public key pairs using the "openssl genpkey -algorithm RSA" command as shown in this tutorial.

1. Generate a 2048-bit RSA private/public key pair.

herong$ openssl genpkey -algorithm RSA -out key.pem \
  -pkeyopt rsa_keygen_bits:2048

....................................+++++
......................................................+++++

2. Look at the generated key file. It is written in PEM format. Both the private key and the public key are included in the file, even though it is marked as "PRIVATE KEY".

herong$ more key.pem

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTuEF/WQawZmGh
anwOJM+Q+Is3llJ3Of0uDUbbyJK2FJBbIFV+h1iGMnhCYzMwisrp6Wc1oox326Au
...
4vkXrX0RK/RiJnHbX9GDQoiV
-----END PRIVATE KEY-----

3. Generate an RSA private/public key pair and encrypt the key file with a given password using the "aes-128-cbc" algorithm.

herong$ openssl genpkey -algorithm RSA -out key.pem \
  -aes-128-cbc -pass pass:TopSecret

............+++++
.....+++++

4. Look at the encrypted key file. It is written in PEM format and marked as "ENCRYPTED PRIVATE KEY". It is important to encrypt all private key files to protect your identity.

herong$ more key.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIRvYt2WldchMCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBC8WE7b6D28Ilhw4UTcJ6HpBIIE
...
09DgEMcXFmPGfNGZRj+2ijGoxtnDKMJ+R/uvUjinTZd6
-----END ENCRYPTED PRIVATE KEY-----

5. Print out information from an RSA key file. The file actually stores the components used to construct the private key and the public key.

herong$ openssl rsa -in key.pem -text -noout

Enter pass phrase for key.pem: TopSecret

RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:da:cc:0c:de:01:1b:4b:0f:f8:38:ba:c4:09:22:
    b6:ab:49:f2:72:b1:28:f8:b9:48:12:87:59:1f:82:
    ...
    3d:85
publicExponent: 65537 (0x10001)
privateExponent:
    00:a5:8d:e2:6a:95:61:c6:81:55:eb:ee:fd:e8:7f:
    b8:c2:91:18:7f:ca:27:5b:54:2f:01:be:22:24:a2:
    ...
    9b:01
prime1:
    00:f3:61:06:a5:62:8e:63:22:88:6e:cc:2e:e8:77:
    53:f1:7a:bf:e6:03:2a:45:f0:ed:1f:4b:3b:22:3b:
    ...
    17:c7:ae:0a:9a:b2:fa:3e:c5
prime2:
    00:e6:24:af:ec:d4:ce:23:4b:fc:27:ab:27:43:d5:
    b1:43:99:62:b5:2d:15:9a:83:94:e9:51:27:9f:28:
    ...
    a2:17:f9:f2:2f:8c:0b:ef:c1
exponent1:
    00:db:92:2f:a2:c9:d5:d8:0e:71:b4:34:36:25:b8:
    72:5d:2b:f7:31:16:ad:ee:c7:bb:c6:3d:e3:2d:b1:
    ...
    6c:79:d3:c4:f1:68:83:68:59
exponent2:
    00:d4:79:00:76:7d:0d:87:26:ca:b8:70:da:42:55:
    52:5f:9f:87:b2:ce:d9:c8:1a:3c:eb:9f:02:1e:7d:
    ...
    84:10:f0:b0:38:57:6a:59:c1
coefficient:
    00:c9:57:30:48:4e:e3:df:b5:1b:3f:5a:55:9d:61:
    25:23:3d:47:86:e6:1d:cf:33:ba:96:e9:56:ba:9f:
    ...
    7d:c7:a2:c2:71:4a:33:e4:6b

6. Extract the public key from an RSA key file.

herong$ openssl rsa -in key.pem -pubout -out public.pem

Enter pass phrase for key.pem: TopSecret
writing RSA key

7. Look at the public key file. It is written in PEM format and marked as "PUBLIC KEY".

herong$ more public.pem

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swM3gEbSw/4OLrECSK2
q0nycrEo+LlIEodZH4JEUuF9Zwu89I0y1hbnfG2iYeF05C0mxrLpz7H9GLOqpEz8
...
hQIDAQAB
-----END PUBLIC KEY-----

8. Print out information from the RSA public key file. It stores only the components used to construct the public key.

herong$ openssl rsa -pubin -in public.pem -text -noout

RSA Public-Key: (2048 bit)
Modulus:
    00:da:cc:0c:de:01:1b:4b:0f:f8:38:ba:c4:09:22:
    b6:ab:49:f2:72:b1:28:f8:b9:48:12:87:59:1f:82:
    ...
    3d:85
Exponent: 65537 (0x10001)

My RSA private/public key file is ready for generating CSRs (Certificate Signing Requests).
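
The same workflow as steps 3 to 8 with the passphrase read from a file, because a "pass:" argument is visible in the process list and in shell history. This is an added example, not part of the original tutorial; the pass.txt file name, the directory argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example: steps 3 to 8 with the passphrase kept off the command line.
# The directory layout and the pass.txt file name are assumptions.
# Usage: d=$(mktemp -d) && gen_rsa_key "$d" && key_matches_pub "$d" && echo OK

# gen_rsa_key DIR: write DIR/key.pem (encrypted) and DIR/public.pem.
gen_rsa_key() {
    dir=$1
    (
        umask 077   # files created below are readable by the owner only
        # "pass:TopSecret" shows up in ps output and shell history;
        # a passphrase file read via "file:" does not.
        openssl rand -hex 32 > "$dir/pass.txt" || exit 1
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes-128-cbc -pass "file:$dir/pass.txt" \
            -out "$dir/key.pem" 2>/dev/null
    ) || return 1
    # Step 6: extract the public key, again without typing the passphrase.
    openssl rsa -in "$dir/key.pem" -passin "file:$dir/pass.txt" \
        -pubout -out "$dir/public.pem" 2>/dev/null
}

# key_matches_pub DIR: succeed only if public.pem has the same modulus
# as key.pem, i.e. the two files belong to the same key pair.
key_matches_pub() {
    dir=$1
    priv=$(openssl rsa -in "$dir/key.pem" -passin "file:$dir/pass.txt" \
        -noout -modulus 2>/dev/null) || return 1
    pub=$(openssl rsa -pubin -in "$dir/public.pem" \
        -noout -modulus 2>/dev/null) || return 1
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}
```

Comparing the modulus before sending a CSR catches the case where public.pem was left over from an earlier key.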

If you are still using an older release of OpenSSL, you need to use the "openssl genrsa" command to generate RSA private/public key pairs. Here are some examples:

1. Generate a 2048-bit RSA private/public key pair using the "openssl genrsa" command.

herong$ openssl genrsa -out key.pem 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
..........................................................+++++
e is 65537 (0x010001)

2. Generate an RSA private/public key pair and encrypt the key file with a given password using the "aes-128-cbc" algorithm.

herong$ openssl genrsa -out key.pem -aes128 -passout pass:TopSecret
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
...+++++
e is 65537 (0x010001)

3. Look at the encrypted key file. It is written in PEM format and marked as "RSA PRIVATE KEY". It also contains information on the encryption algorithm.

herong$ more key.pem

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,B5C911D111E39041D2FC304934076AAE

qwO0IO644R/DOyRh5uzsAW1UhXZAM3qqMhHz1UwW/94gn5sv/Blqe4u3Fef+u1/z
8AzbN/hc4WIum8b63pNt2l0krF3OXDGWfoaiLfrCWoO61j8C2NmdtW13y78JR9k6
...
-----END RSA PRIVATE KEY-----
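
The PEM labels shown on this page are enough to tell whether a key file is encrypted, which makes a quick audit of a key directory possible. The script below is an added example, not part of the original tutorial; the function names, the category names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify key files by the PEM labels shown on this page.

# classify_pem FILE: print how the key in FILE is protected.
classify_pem() {
    # Strip CR so files saved with Windows line endings still match.
    label=$(tr -d '\r' < "$1" |
        sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case $label in
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;;
        "PRIVATE KEY")           echo "pkcs8-PLAINTEXT" ;;
        "RSA PRIVATE KEY")
            # Same label either way; only the header tells them apart.
            if tr -d '\r' < "$1" | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo "traditional-encrypted"
            else
                echo "traditional-PLAINTEXT"
            fi ;;
        "PUBLIC KEY")            echo "public" ;;
        *)                       echo "unknown" ;;
    esac
}

# audit_keys DIR: list *.pem files under DIR holding an unencrypted private key.
audit_keys() {
    find "$1" -type f -name '*.pem' | sort | while IFS= read -r f; do
        case $(classify_pem "$f") in
            *PLAINTEXT) printf '%s\n' "$f" ;;
        esac
    done
}

# make_samples DIR: constructed files; the bodies are placeholders, not keys.
make_samples() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/a.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/b.pem"
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/c.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/d.pem"
}
```

A "traditional-encrypted" result is still worth converting to the "ENCRYPTED PRIVATE KEY" format, since the traditional format derives the encryption key from the passphrase with a single MD5 pass.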
