The openssl genpkey command is a utility for generating asymmetric private keys.
openssl genpkey or genrsa
The openssl genpkey utility has superseded the genrsa utility. While genrsa is still valid and in use today, it is recommended to start using genpkey. genpkey is not limited to RSA keys: it can generate RSA, RSA-PSS, EC, X25519, X448, ED25519 and ED448 keys.
If you want to learn more about the genrsa utility, please read our post about genrsa.
openssl genpkey encrypt with a password
To generate an encrypted RSA private key, run the following command:
openssl genpkey -algorithm RSA -out key.pem -aes-256-cbc
Where -algorithm RSA means generate an RSA private key, -out key.pem is the filename that will contain the encrypted private key, and -aes-256-cbc is the cipher used to encrypt the private key. Note that you will be prompted for a password to secure the private key.
When viewing the encrypted private key, the headers will be -----BEGIN ENCRYPTED PRIVATE KEY----- which are different from the headers you get when using the genrsa utility.
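The command above prompts for the password interactively. The following added example (not part of the original post) runs the same command non-interactively using genpkey's -pass option, then checks the header and that only the correct passphrase opens the key. The helper function names, file names and passphrases are constructed for this illustration.

```shell
#!/bin/sh
# Added example: non-interactive variant of the genpkey command above.
# Function names, file names and passphrases are constructed for this demo.

# Generate an AES-256-CBC encrypted RSA key. The passphrase is read from the
# first line of a file, so it never appears in the process list or history.
gen_encrypted_rsa() {  # usage: gen_encrypted_rsa <out.pem> <passfile>
    ( umask 077   # key file must not be group/world readable
      openssl genpkey -algorithm RSA -out "$1" -aes-256-cbc -pass "file:$2" )
}

# Print the first PEM line of a key file.
pem_header() { head -n 1 "$1"; }

# Succeed only if the file carries the encrypted PKCS#8 header.
is_encrypted_key() {
    [ "$(pem_header "$1")" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ]
}

# Succeed only if the key decrypts with the passphrase stored in <passfile>.
key_opens_with() {  # usage: key_opens_with <key.pem> <passfile>
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      printf '%s\n' 'constructed-demo-passphrase' > "$dir/pass.txt"
      printf '%s\n' 'not-the-passphrase' > "$dir/wrong.txt" )
    gen_encrypted_rsa "$dir/key.pem" "$dir/pass.txt" || return 1
    pem_header "$dir/key.pem"
    is_encrypted_key "$dir/key.pem" && echo "header: encrypted PKCS#8"
    key_opens_with "$dir/key.pem" "$dir/pass.txt" && echo "correct passphrase: ok"
    key_opens_with "$dir/key.pem" "$dir/wrong.txt" || echo "wrong passphrase: rejected"
    rm -rf "$dir"
}

demo
```

In automation, keep the passphrase file itself readable only by the account that runs the job, and remove it once the key has been generated if it is not needed again.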
Generate an EC private key with genpkey
openssl genpkey -algorithm EC -out eckey.pem -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve
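Where -algorithm EC means use the EC algorithm, -out eckey.pem is the filename of the private key, -pkeyopt ec_paramgen_curve:P-384 is the name of the curve, and -pkeyopt ec_param_enc:named_curve stores the curve in the key by its name rather than as explicit parameters.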
Generate an X25519 private key with genpkey
openssl genpkey -algorithm X25519 -out key.pem
Where -algorithm X25519 is the algorithm being used, and -out key.pem is the filename that will store the generated private key.
X25519 is an elliptic curve DH exchange.
Generate an ED448 private key with genpkey
openssl genpkey -algorithm ED448 -out key.pem
Where -algorithm ED448 is the algorithm being used, and -out key.pem is the filename that will store the generated private key.
ED448 is an elliptic curve used with ECDH key exchange.