PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl genpkey -algorithm RSA" - RSA Private Key
This section describes the 'openssl genpkey -algorithm RSA' command, which generates an RSA private/public key pair. It replaces the old 'openssl genrsa' command.
RSA (Rivest Shamir Adleman) is a well-known private/public key algorithm developed by Ron Rivest, Adi Shamir and Leonard Adleman in 1977. You can generate RSA private/public key pairs using the "openssl genpkey -algorithm RSA" command as shown in this tutorial.
1. Generate a 2048-bit RSA private/public key pair.
herong$ openssl genpkey -algorithm RSA -out key.pem \
  -pkeyopt rsa_keygen_bits:2048
....................................+++++
......................................................+++++
2. Look at the generated key file. It is written in PEM format. Both the private key and the public key are included in the file, even though it is only marked as "PRIVATE KEY".
herong$ more key.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTuEF/WQawZmGh
anwOJM+Q+Is3llJ3Of0uDUbbyJK2FJBbIFV+h1iGMnhCYzMwisrp6Wc1oox326Au
...
4vkXrX0RK/RiJnHbX9GDQoiV
-----END PRIVATE KEY-----
3. Generate an RSA private/public key pair and encrypt the key file with a given password using the "aes-128-cbc" algorithm.
herong$ openssl genpkey -algorithm RSA -out key.pem \
  -aes-128-cbc -pass pass:TopSecret
............+++++
.....+++++
4. Look at the encrypted key file. It is written in PEM format and marked as "ENCRYPTED PRIVATE KEY". It is important to encrypt all private key files to protect your identity.
herong$ more key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIRvYt2WldchMCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBC8WE7b6D28Ilhw4UTcJ6HpBIIE
...
09DgEMcXFmPGfNGZRj+2ijGoxtnDKMJ+R/uvUjinTZd6
-----END ENCRYPTED PRIVATE KEY-----
5. Print out information from an RSA key file. It actually stores the components used to construct both the private key and the public key.
herong$ openssl rsa -in key.pem -text -noout
Enter pass phrase for key.pem: TopSecret
RSA Private-Key: (2048 bit, 2 primes)
modulus:
    00:da:cc:0c:de:01:1b:4b:0f:f8:38:ba:c4:09:22:
    b6:ab:49:f2:72:b1:28:f8:b9:48:12:87:59:1f:82:
    ...
    3d:85
publicExponent: 65537 (0x10001)
privateExponent:
    00:a5:8d:e2:6a:95:61:c6:81:55:eb:ee:fd:e8:7f:
    b8:c2:91:18:7f:ca:27:5b:54:2f:01:be:22:24:a2:
    ...
    9b:01
prime1:
    00:f3:61:06:a5:62:8e:63:22:88:6e:cc:2e:e8:77:
    53:f1:7a:bf:e6:03:2a:45:f0:ed:1f:4b:3b:22:3b:
    ...
    17:c7:ae:0a:9a:b2:fa:3e:c5
prime2:
    00:e6:24:af:ec:d4:ce:23:4b:fc:27:ab:27:43:d5:
    b1:43:99:62:b5:2d:15:9a:83:94:e9:51:27:9f:28:
    ...
    a2:17:f9:f2:2f:8c:0b:ef:c1
exponent1:
    00:db:92:2f:a2:c9:d5:d8:0e:71:b4:34:36:25:b8:
    72:5d:2b:f7:31:16:ad:ee:c7:bb:c6:3d:e3:2d:b1:
    ...
    6c:79:d3:c4:f1:68:83:68:59
exponent2:
    00:d4:79:00:76:7d:0d:87:26:ca:b8:70:da:42:55:
    52:5f:9f:87:b2:ce:d9:c8:1a:3c:eb:9f:02:1e:7d:
    ...
    84:10:f0:b0:38:57:6a:59:c1
coefficient:
    00:c9:57:30:48:4e:e3:df:b5:1b:3f:5a:55:9d:61:
    25:23:3d:47:86:e6:1d:cf:33:ba:96:e9:56:ba:9f:
    ...
    7d:c7:a2:c2:71:4a:33:e4:6b
6. Extract the public key from an RSA key file.
herong$ openssl rsa -in key.pem -pubout -out public.pem
Enter pass phrase for key.pem: TopSecret
writing RSA key
7. Look at the public key file. It is written in PEM format and marked as "PUBLIC KEY".
herong$ more public.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swM3gEbSw/4OLrECSK2
q0nycrEo+LlIEodZH4JEUuF9Zwu89I0y1hbnfG2iYeF05C0mxrLpz7H9GLOqpEz8
...
hQIDAQAB
-----END PUBLIC KEY-----
8. Print out information from the RSA public key file. It stores only the components used to construct the public key.
herong$ openssl rsa -pubin -in public.pem -text -noout
RSA Public-Key: (2048 bit)
Modulus:
    00:da:cc:0c:de:01:1b:4b:0f:f8:38:ba:c4:09:22:
    b6:ab:49:f2:72:b1:28:f8:b9:48:12:87:59:1f:82:
    ...
    3d:85
Exponent: 65537 (0x10001)
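As an added example that is not part of the tutorial, the Python below rebuilds the fields that "openssl rsa -text" prints in steps 5 and 8 from two primes, runs the same kind of consistency checks as "openssl rsa -check", and uses exponent1, exponent2 and coefficient for the CRT private-key operation, which is why the private key file stores them. The two primes are constructed toy values, far too small for a real key; only the relations between the fields are the point.

```python
# Added example (not from the tutorial): rebuild the fields that
# "openssl rsa -text" prints from two primes, check them as "-check"
# does, and use them. Toy primes, far too small for real use.
from math import gcd

E = 65537  # publicExponent, the OpenSSL default shown above

def rsa_components(p, q, e=E):
    """Return the components in the order openssl prints them."""
    n = p * q                                          # modulus
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)       # lcm(p-1, q-1)
    d = pow(e, -1, lam)                                # privateExponent
    return {"modulus": n, "publicExponent": e, "privateExponent": d,
            "prime1": p, "prime2": q,
            "exponent1": d % (p - 1),      # d mod (p-1), for CRT
            "exponent2": d % (q - 1),      # d mod (q-1), for CRT
            "coefficient": pow(q, -1, p)}  # q^-1 mod p

def check_key(k):
    """Consistency checks comparable to 'openssl rsa -check'."""
    p, q = k["prime1"], k["prime2"]
    e, d = k["publicExponent"], k["privateExponent"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (k["modulus"] == p * q
            and gcd(e, lam) == 1 and (e * d) % lam == 1
            and k["exponent1"] == d % (p - 1)
            and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1)

def public_part(k):
    """What 'openssl rsa -pubout' keeps: only Modulus and Exponent."""
    return {"Modulus": k["modulus"], "Exponent": k["publicExponent"]}

def private_op(k, c):
    """c^d mod n via CRT; this is what exponent1/2 and coefficient are for."""
    p, q = k["prime1"], k["prime2"]
    m1 = pow(c, k["exponent1"], p)
    m2 = pow(c, k["exponent2"], q)
    h = (k["coefficient"] * (m1 - m2)) % p
    return m2 + h * q

if __name__ == "__main__":
    key = rsa_components(1000000007, 998244353)   # constructed toy primes
    pub = public_part(key)
    c = pow(42, pub["Exponent"], pub["Modulus"])   # public-key operation
    print(check_key(key), private_op(key, c) == 42)
```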
My RSA private/public key file is ready for generating CSRs (Certificate Signing Requests).
If you are still using an older release of OpenSSL, you need to use the "openssl genrsa" command to generate RSA private/public key pairs. Here are some examples:
1. Generate a 2048-bit RSA private/public key pair using the "openssl genrsa" command.
herong$ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
..........................................................+++++
e is 65537 (0x010001)
2. Generate an RSA private/public key pair and encrypt the key file with a given password using the "aes-128-cbc" algorithm.
herong$ openssl genrsa -out key.pem -aes128 -passout pass:TopSecret
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
...+++++
e is 65537 (0x010001)
3. Look at the encrypted key file. It is written in PEM format and marked as "RSA PRIVATE KEY". It also contains information on the encryption algorithm.
herong$ more key.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,B5C911D111E39041D2FC304934076AAE

qwO0IO644R/DOyRh5uzsAW1UhXZAM3qqMhHz1UwW/94gn5sv/Blqe4u3Fef+u1/z
8AzbN/hc4WIum8b63pNt2l0krF3OXDGWfoaiLfrCWoO61j8C2NmdtW13y78JR9k6
...
-----END RSA PRIVATE KEY-----
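Added example, not from the tutorial: a small Python checker that recognises the PEM labels shown in this tutorial ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "PUBLIC KEY", and the legacy "RSA PRIVATE KEY" whose encryption is signalled by Proc-Type/DEK-Info headers inside the block) and lists the private keys that are stored without encryption, the condition step 4 above says to avoid. The sample PEM files are constructed, with placeholder bodies instead of real base64.

```python
# Added example (not from the tutorial): recognise the PEM labels shown
# above and flag private keys stored without encryption. The sample
# files are constructed; their base64 bodies are placeholders.
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """One record per PEM block: label, format, private?, encrypted?"""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        rec = {"label": label, "private": False, "encrypted": False}
        if label == "PRIVATE KEY":               # PKCS#8, plaintext
            rec.update(format="PKCS#8", private=True)
        elif label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, password-wrapped
            rec.update(format="PKCS#8", private=True, encrypted=True)
        elif label.endswith(" PRIVATE KEY"):     # legacy "RSA PRIVATE KEY" etc.
            # the legacy format marks encryption with headers inside the block
            enc = "Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body
            rec.update(format="traditional", private=True, encrypted=enc)
        elif label == "PUBLIC KEY":
            rec["format"] = "SubjectPublicKeyInfo"
        else:
            rec["format"] = "other"
        out.append(rec)
    return out

def unencrypted_private_keys(text):
    """Labels of private-key blocks usable by anyone who can read the file."""
    return [r["label"] for r in classify_pem(text)
            if r["private"] and not r["encrypted"]]

# Constructed samples mirroring the files shown in the tutorial
SAMPLES = "\n".join([
    "-----BEGIN PRIVATE KEY-----\nBASE64PLACEHOLDER\n-----END PRIVATE KEY-----",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nBASE64PLACEHOLDER\n"
    "-----END ENCRYPTED PRIVATE KEY-----",
    "-----BEGIN PUBLIC KEY-----\nBASE64PLACEHOLDER\n-----END PUBLIC KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,PLACEHOLDERIV\n\nBASE64PLACEHOLDER\n"
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----\nBASE64PLACEHOLDER\n-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for r in classify_pem(SAMPLES):
        print(r)
    print("unencrypted:", unencrypted_private_keys(SAMPLES))
```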