openssl rsa - Mister PKI

The openssl rsa command and utility is used to manage and process RSA keys. Use this command to encrypt decrypt, convert between forms of keys and print contents of the RSA keys.

Generate an RSA key with openssl

See our posts on generating an RSA key with both genpkey and genrsa. genpkey is the most recent and preferred command.

openssl rsa encrypt

To encrypt an rsa key with the openssl rsa utility, run the following command:

openssl rsa -in key.pem -des3 -out encrypted-key.pem

Where -in key.pem is the plaintext private key, -des3 is the encryption algorithm, and -out encrypted-key.pem is the file to hold the encrypted RSA private key.

Note that -des3 can be replaced with other supported algorithms, including -aes256 and others.

Here is an example plaintext key:

The encrypted version of that same is the following:

Where DEK-Info: DES-EDE3-CBC,84C98D55C057059E is the encryption algorithm.

If at all possible, you should always store your private key in an encrypted form.

openssl rsa decrypt

To decrypt and to remove the password from the previously encrypted private key back into its plaintext form, run the following command:

openssl rsa -in encrypted-key.pem -out decrypted-key.pem

Where -in encrypted-key.pem is the encrypted RSA private key and -out decrypted-key.pem is the file that will hold the decrypted RSA private key.

When prompted, enter the password used to encrypt the key. If you have lost the password, the key will be unrecoverable.

openssl rsa public key

To get the corresponding RSA public key associated with the RSA private key, run the following command:

openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem

Where -in key.pem is the RSA private key, -RSAPublicKey means to out put the corresponding RSA public key, and -out pubkey.pem is the file holding the RSA public key.

The public key is formatted like the following:

Another way to get the RSA public key is to run the following command:

openssl rsa -in key.pem -pubout -out pubkey.pem

Notice the public keys look different. The previous example uses the -----BEGIN RSA PUBLIC KEY----- header, while the latter uses the -----BEGIN PUBLIC KEY----- header.

Additional openssl rsa examples

To convert an RSA private key from PEM to DER format, run the following command:

openssl rsa -in key.pem -outform DER -out keyout.der

Where -in key.pem is the RSA private key, -outform DER is the format to convert to DER, and -out keyout.der is the filename to contain the DER formatted RSA private key.

To print out the contents of an RSA private key, run the following command:

openssl rsa -in key.pem -text -noout

Where -in key.pem is the RSA private key, and -text -noout prints the contents of the private key including its modulus, public exponent, private exponent, prime1, prime2, and coefficient in plain text.

The contents are the following:

RSA Private-Key: (1024 bit, 2 primes)
modulus:
    00:d0:4b:fb:d0:47:e0:7f:14:59:fd:ea:7e:6f:bf:
    09:f9:d4:60:a8:75:4a:80:48:bc:b0:b1:bc:91:91:
    3b:e5:2d:7e:94:82:2f:31:aa:1e:0c:df:9e:af:ee:
    d9:18:f9:aa:19:3b:47:f3:fe:5d:f4:d5:78:8d:07:
    c3:a6:dc:d4:4a:a4:b0:d2:cf:94:67:c0:11:66:3e:
    2d:5d:7c:78:2f:d0:90:db:c7:53:fb:86:46:23:08:
    c8:dc:e8:2e:b0:08:07:e5:b7:19:74:7c:f9:f1:03:
    f9:2b:89:1d:be:59:93:58:b2:5a:09:f0:33:25:86:
    80:d9:25:4e:83:46:08:c6:ab
publicExponent: 65537 (0x10001)
privateExponent:
    16:65:c5:3a:fd:2f:97:9a:91:9e:ab:03:53:72:c0:
    58:db:cc:54:f0:df:c4:f1:8d:50:96:9c:07:2f:0d:
    b8:b3:ee:a3:7b:68:25:b7:fc:29:38:36:71:06:86:
    d3:97:ad:01:af:8d:2a:20:54:ec:09:b4:3f:bd:f0:
    fc:d5:4c:02:54:ec:9e:21:9c:f2:66:95:38:60:8d:
    7a:6b:9f:0a:55:53:a0:ec:2d:15:bf:3a:57:34:ef:
    44:9f:74:c5:2a:2b:a9:7d:2b:b4:bd:d5:92:2a:66:
    c7:ee:57:1b:83:94:64:e0:9b:db:0d:cf:02:7c:75:
    99:13:c0:9b:14:8d:b8:d9
prime1:
    00:f8:c9:d7:0a:47:3c:a0:2d:48:18:b0:5a:ba:d0:
    03:5d:c9:24:79:d5:f4:57:23:05:1e:41:d5:a2:c1:
    6d:41:be:95:a5:c3:d5:14:8f:2c:18:73:46:99:a2:
    2b:81:cf:0c:d0:17:50:da:04:58:99:65:5e:f1:a6:
    2e:32:c4:c0:bd
prime2:
    00:d6:55:ab:e0:cc:6c:59:7b:e5:44:0b:86:4b:77:
    7f:14:82:f9:ae:1f:8b:01:5c:7f:a0:8c:21:5d:47:
    9a:5c:c2:e0:83:11:9e:ea:7e:9a:a2:c2:cd:ae:74:
    7e:ba:90:13:c1:f9:a4:ef:e4:2c:4e:22:93:fb:49:
    ec:56:55:5f:87
exponent1:
    1b:59:ed:57:46:ef:a6:58:74:15:aa:c5:be:c6:01:
    a8:bc:e5:52:b3:af:f2:28:7a:76:92:1c:4f:91:5e:
    56:9d:02:4c:c0:13:db:f7:c5:8c:46:98:1b:69:d5:
    c8:a6:9f:ac:fc:f3:39:94:c2:bc:d2:85:36:a1:e3:
    70:57:6b:2d
exponent2:
    00:bc:ed:37:5c:27:d5:39:eb:63:e3:de:e4:b9:90:
    d3:8b:99:07:cc:dc:31:03:3a:2d:a5:ae:df:9a:01:
    8b:a7:48:7f:ee:08:92:33:d0:f5:2d:92:d9:0a:75:
    d5:5f:4d:b0:9c:c3:19:07:fb:f0:b1:ce:f8:f1:ff:
    ef:3b:0a:75:f1
coefficient:
    10:ca:7f:8e:be:a1:9e:f2:51:17:0e:95:1b:86:22:
    38:c0:cc:b4:ab:3a:f2:69:4c:4e:dd:ba:7c:e6:71:
    39:c4:ff:7b:92:6d:d0:a8:dd:0d:2f:30:b8:71:0d:
    35:c5:b6:91:5f:fb:3a:ea:f0:2a:4d:fb:66:42:50:
    67:1f:dc:16

To print the modulus only, run the following command:

openssl rsa -in key.pem -noout -modulus

Where -in key.pem is the RSA private key and -noout -modulus prints out just the modulus.

Remove password from RSA key

To remove a password from your rsa key, run the following command:

openssl rsa -in key.pem -out key.pem

This command takes in the private key, prompting for the password, then overwriting the same file with the same key but without a password. If you want the unprotected key in a different file, not overwriting, simply specify a different filename.

Check validity of RSA private key

To check the validity of your RSA key, run the following command:

openssl rsa -check -in key.pem

Conclusion

Leave us comments with questions and suggestions for additional openssl rsa commands and examples to cover.