The openssl rsa command and utility is used to manage and process RSA keys. Use this command to encrypt decrypt, convert between forms of keys and print contents of the RSA keys.
Generate an RSA key with openssl
See our posts on generating an RSA key with both genpkey and genrsa. genpkey is the most recent and preferred command.
openssl rsa encrypt
To encrypt an rsa key with the openssl rsa utility, run the following command:
openssl rsa -in key.pem -des3 -out encrypted-key.pemWhere -in key.pem is the plaintext private key, -des3 is the encryption algorithm, and -out encrypted-key.pem is the file to hold the encrypted RSA private key.
Note that -des3 can be replaced with other supported algorithms, including -aes256 and others.
Here is an example plaintext key:
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANBL+9BH4H8UWf3q
fm+/CfnUYKh1SoBIvLCxvJGRO+UtfpSCLzGqHgzfnq/u2Rj5qhk7R/P+XfTVeI0H
w6bc1EqksNLPlGfAEWY+LV18eC/QkNvHU/uGRiMIyNzoLrAIB+W3GXR8+fED+SuJ
Hb5Zk1iyWgnwMyWGgNklToNGCMarAgMBAAECgYAWZcU6/S+XmpGeqwNTcsBY28xU
8N/E8Y1QlpwHLw24s+6je2glt/wpODZxBobTl60Br40qIFTsCbQ/vfD81UwCVOye
IZzyZpU4YI16a58KVVOg7C0VvzpXNO9En3TFKiupfSu0vdWSKmbH7lcbg5Rk4Jvb
Dc8CfHWZE8CbFI242QJBAPjJ1wpHPKAtSBiwWrrQA13JJHnV9FcjBR5B1aLBbUG+
laXD1RSPLBhzRpmiK4HPDNAXUNoEWJllXvGmLjLEwL0CQQDWVavgzGxZe+VEC4ZL
d38UgvmuH4sBXH+gjCFdR5pcwuCDEZ7qfpqiws2udH66kBPB+aTv5CxOIpP7SexW
VV+HAkAbWe1XRu+mWHQVqsW+xgGovOVSs6/yKHp2khxPkV5WnQJMwBPb98WMRpgb
adXIpp+s/PM5lMK80oU2oeNwV2stAkEAvO03XCfVOetj497kuZDTi5kHzNwxAzot
pa7fmgGLp0h/7giSM9D1LZLZCnXVX02wnMMZB/vwsc748f/vOwp18QJAEMp/jr6h
nvJRFw6VG4YiOMDMtKs68mlMTt26fOZxOcT/e5Jt0KjdDS8wuHENNcW2kV/7Ourw
Kk37ZkJQZx/cFg==
-----END PRIVATE KEY-----The encrypted version of that same is the following:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,84C98D55C057059E
RPzXU0+ZcauusmBa2bb9P0Fh1r23H294u73EJdig4bXjeDDEiK4ZKgXav3kdej9Q
RD1RIBLpudPJh2sMPy6qTSpFBCvyO9J1sScV3GWMRe58i9SN0kK8jny1tm8y4jZ8
ZBoy9EWGCvrC6LhhtSYf/BTPUMmJW7NwKskO3qHuTZI/8Fp5VrEBHJuGj7F4C5vP
ecMjbXsnCfRbqh30QUk1dRT0q2cIz3jCRZRj223AzttkE/gtGA3jny8hzzqY0jdP
uUDQDvMQf+B8DKDditeznjC82zPyBoooNStGfr8U/k/B+H+TRI7FnERkPlb8Wyrc
JgB+UCJk38qxwzTUnLoZg3QTpgrW5apMrmVFRWKBjF9UPhP3zr5p6aJNeTGL3nDY
puCMKkyfjihMtL50sw9Ndfh7Q82jr1QuYhL839s/PdI6Kq/9mLp68Z+Pb4YD3N4V
LYPUvy2EUHIbHHzFc4wxarSLU36fOIVTEwtMaFss9aXKHI72wn/FI6LU34mhpOh1
+s5AxjxwbrowTnuAC6IpnvJ7p1Ib/ibDADYpTtZGGUvmT2eEVTVCFui0jmOQCNT2
nnUurplcv9B0iiNpLr7UHej7BPr75FrddYoxm1RHX5hPBurki6K1gXKborEorPUm
VfAaz2sSxrIJHTLg4hBHtojkgYoRzWjpLjEQxoc2HSJftMskxiWypXgAKh4M+Dkt
Y/hfewzbnFlMqajNT73cY3vNJdm7jObdDN2SOakEcH3ykbtby1HG0RzxDQjUG8GW
uh34IjgvrxPGWcDEv4eqnc706DajkiJ2VCHYR/lkUoY0wtMb40pjZw==
-----END RSA PRIVATE KEY-----Where DEK-Info: DES-EDE3-CBC,84C98D55C057059E is the encryption algorithm.
If at all possible, you should always store your private key in an encrypted form.
openssl rsa decrypt
To decrypt and to remove the password from the previously encrypted private key back into its plaintext form, run the following command:
openssl rsa -in encrypted-key.pem -out decrypted-key.pemWhere -in encrypted-key.pem is the encrypted RSA private key and -out decrypted-key.pem is the file that will hold the decrypted RSA private key.
When prompted, enter the password used to encrypt the key. If you have lost the password, the key will be unrecoverable.
openssl rsa public key
To get the corresponding RSA public key associated with the RSA private key, run the following command:
openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pemWhere -in key.pem is the RSA private key, -RSAPublicKey means to out put the corresponding RSA public key, and -out pubkey.pem is the file holding the RSA public key.
The public key is formatted like the following:
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBANBL+9BH4H8UWf3qfm+/CfnUYKh1SoBIvLCxvJGRO+UtfpSCLzGqHgzf
nq/u2Rj5qhk7R/P+XfTVeI0Hw6bc1EqksNLPlGfAEWY+LV18eC/QkNvHU/uGRiMI
yNzoLrAIB+W3GXR8+fED+SuJHb5Zk1iyWgnwMyWGgNklToNGCMarAgMBAAE=
-----END RSA PUBLIC KEY-----Another way to get the RSA public key is to run the following command:
openssl rsa -in key.pem -pubout -out pubkey.pemNotice the public keys look different. The previous example uses the -----BEGIN RSA PUBLIC KEY----- header, while the latter uses the -----BEGIN PUBLIC KEY----- header.
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQS/vQR+B/FFn96n5vvwn51GCo
dUqASLywsbyRkTvlLX6Ugi8xqh4M356v7tkY+aoZO0fz/l301XiNB8Om3NRKpLDS
z5RnwBFmPi1dfHgv0JDbx1P7hkYjCMjc6C6wCAfltxl0fPnxA/kriR2+WZNYsloJ
8DMlhoDZJU6DRgjGqwIDAQAB
-----END PUBLIC KEY-----Additional openssl rsa examples
To convert an RSA private key from PEM to DER format, run the following command:
openssl rsa -in key.pem -outform DER -out keyout.derWhere -in key.pem is the RSA private key, -outform DER is the format to convert to DER, and -out keyout.der is the filename to contain the DER formatted RSA private key.
To print out the contents of an RSA private key, run the following command:
openssl rsa -in key.pem -text -nooutWhere -in key.pem is the RSA private key, and -text -noout prints the contents of the private key including its modulus, public exponent, private exponent, prime1, prime2, and coefficient in plain text.
The contents are the following:
RSA Private-Key: (1024 bit, 2 primes)
modulus:
00:d0:4b:fb:d0:47:e0:7f:14:59:fd:ea:7e:6f:bf:
09:f9:d4:60:a8:75:4a:80:48:bc:b0:b1:bc:91:91:
3b:e5:2d:7e:94:82:2f:31:aa:1e:0c:df:9e:af:ee:
d9:18:f9:aa:19:3b:47:f3:fe:5d:f4:d5:78:8d:07:
c3:a6:dc:d4:4a:a4:b0:d2:cf:94:67:c0:11:66:3e:
2d:5d:7c:78:2f:d0:90:db:c7:53:fb:86:46:23:08:
c8:dc:e8:2e:b0:08:07:e5:b7:19:74:7c:f9:f1:03:
f9:2b:89:1d:be:59:93:58:b2:5a:09:f0:33:25:86:
80:d9:25:4e:83:46:08:c6:ab
publicExponent: 65537 (0x10001)
privateExponent:
16:65:c5:3a:fd:2f:97:9a:91:9e:ab:03:53:72:c0:
58:db:cc:54:f0:df:c4:f1:8d:50:96:9c:07:2f:0d:
b8:b3:ee:a3:7b:68:25:b7:fc:29:38:36:71:06:86:
d3:97:ad:01:af:8d:2a:20:54:ec:09:b4:3f:bd:f0:
fc:d5:4c:02:54:ec:9e:21:9c:f2:66:95:38:60:8d:
7a:6b:9f:0a:55:53:a0:ec:2d:15:bf:3a:57:34:ef:
44:9f:74:c5:2a:2b:a9:7d:2b:b4:bd:d5:92:2a:66:
c7:ee:57:1b:83:94:64:e0:9b:db:0d:cf:02:7c:75:
99:13:c0:9b:14:8d:b8:d9
prime1:
00:f8:c9:d7:0a:47:3c:a0:2d:48:18:b0:5a:ba:d0:
03:5d:c9:24:79:d5:f4:57:23:05:1e:41:d5:a2:c1:
6d:41:be:95:a5:c3:d5:14:8f:2c:18:73:46:99:a2:
2b:81:cf:0c:d0:17:50:da:04:58:99:65:5e:f1:a6:
2e:32:c4:c0:bd
prime2:
00:d6:55:ab:e0:cc:6c:59:7b:e5:44:0b:86:4b:77:
7f:14:82:f9:ae:1f:8b:01:5c:7f:a0:8c:21:5d:47:
9a:5c:c2:e0:83:11:9e:ea:7e:9a:a2:c2:cd:ae:74:
7e:ba:90:13:c1:f9:a4:ef:e4:2c:4e:22:93:fb:49:
ec:56:55:5f:87
exponent1:
1b:59:ed:57:46:ef:a6:58:74:15:aa:c5:be:c6:01:
a8:bc:e5:52:b3:af:f2:28:7a:76:92:1c:4f:91:5e:
56:9d:02:4c:c0:13:db:f7:c5:8c:46:98:1b:69:d5:
c8:a6:9f:ac:fc:f3:39:94:c2:bc:d2:85:36:a1:e3:
70:57:6b:2d
exponent2:
00:bc:ed:37:5c:27:d5:39:eb:63:e3:de:e4:b9:90:
d3:8b:99:07:cc:dc:31:03:3a:2d:a5:ae:df:9a:01:
8b:a7:48:7f:ee:08:92:33:d0:f5:2d:92:d9:0a:75:
d5:5f:4d:b0:9c:c3:19:07:fb:f0:b1:ce:f8:f1:ff:
ef:3b:0a:75:f1
coefficient:
10:ca:7f:8e:be:a1:9e:f2:51:17:0e:95:1b:86:22:
38:c0:cc:b4:ab:3a:f2:69:4c:4e:dd:ba:7c:e6:71:
39:c4:ff:7b:92:6d:d0:a8:dd:0d:2f:30:b8:71:0d:
35:c5:b6:91:5f:fb:3a:ea:f0:2a:4d:fb:66:42:50:
67:1f:dc:16To print the modulus only, run the following command:
openssl rsa -in key.pem -noout -modulusWhere -in key.pem is the RSA private key and -noout -modulus prints out just the modulus.
Remove password from RSA key
To remove a password from your rsa key, run the following command:
openssl rsa -in key.pem -out key.pemThis command takes in the private key, prompting for the password, then overwriting the same file with the same key but without a password. If you want the unprotected key in a different file, not overwriting, simply specify a different filename.
Check validity of RSA private key
To check the validity of your RSA key, run the following command:
openssl rsa -check -in key.pemConclusion
Leave us comments with questions and suggestions for additional openssl rsa commands and examples to cover.
Leave a Reply