Skip to Content

4 Examples to Create Private Key with openssl genrsa

Use the openssl genrsa command to generate an RSA private key. The generated RSA private key can be customized by specifying the cipher algorithm and key size.

openssl genpkey vs genrsa

The openssl genpkey utility has superseded the genrsa utility. While the genrsa command is still valid and in use today, it is recommended to start using genpkey. For more information, read our post on openssl genpkey.

openssl genrsa 2048 example without passphrase

  • openssl genrsa -out key.pem 2048

Where -out key.pem is the file containing the plain text private key, and 2048 is the numbits or keysize in bits. Completion of running this command will result in a 2048 key generated by openssl genrsa.

openssl genrsa 4096 example without passphrase

  • openssl genrsa -out key.pem 4096

Where -out key.pem is the file containing the plain text private key, and 4096 is the numbits or keysize in bits. Completion of running this command will result in a 4096 key generated by openssl genrsa.

openssl genrsa password example

  • openssl genrsa -out key.pem -aes256

Where -out key.pem is the file containing the AES encrypted private key, and -aes256 is the chosen cipher. With this cipher, AES CBC 256 encryption is the type of encryption.

Note that other ciphers are also supported, including aria, camellia, des, des3, and idea.

Completion of running the above command will result in an aes256 key generated by openssl genrsa.

How to determine and verify the private key is encrypted?

List the private key file which shows the following:

cat key.pem
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,B26F7007EB3543EF0EEF4EBB0F508F6E

1SUT8Dv40Ay78zl26xJJrpkP1cDPsLk1V4eVoRQuGceS7hIo8gmKxbAVWdn15lPY
Q1fcifRaTINXg6tDH4WNhxBLbgF+Yqd3ouP7kS978LlFUZq3cAC8UAekvIcnJwzx
aqsHBG7+mC1Adk3TqlJt+5JELo5r8apwChkxRzeFaybcRD6xUmb8GGJj/FTpatAT
VAMh1SrkQsaJhucByHxxt9EVUT2GaITsebwdyTRxtGnam5m+ZrspaAkvXCwXgvfV
wZEN5wbvwU5dcZ5279KCPZY/HnW9s8SlS8qbTst5z248l0cALe+hyNkNC1Y05u3u
EUlhsJ1AD0MLCjBlroHNjvWrWRDoz93qEbakuPb9/Rr0Z6l09V6exmJ2PXGnSUtV
1hYo2DAQbOklQZdEZBkhsY4wirsCTKhOainF5UvtLljHDtap9UaMXtoT6g/gazq4
lnQBIYQRQndO7lcEOW0ZprWhp0pn/PLmnj45/H17ZoWTbqSz6Lb0hyFbIuD/FTS0
Xt8FJ9DabClKG1D6+DsoS3kVn47SaX0w6Rzj2RLW8bOmt+uyO5WqsqWJZVgRzzb9
5eIA9IBYj+kADfSepVOvCMaHSWv9v/qRL5cEtNevLVhuIWKnLy1mZlMLYccbVs7g
EnJy7wmw5ed1DpMZi2NPlShYOdk20hmv+4NzRlT0IvRkhitus39xHOj1cl2Jin2v
YzZnApdKzU6Bp3PKS/Phom9obCikDP/C94C+TrSSvocuJRuYhmAvDUmT9GneVeZM
ULJ4hdzxN4fwAnXee8KDopb0QTINIp+p1Dkmd4OhGPeA0q0rXuBtbT2HKLJZzQ5J
XYnnWXfwIh2ytHcFyK+L1/TzEtobzs5taYc5ltrxhXXwTh50KYzQfJPIzHlCqf5Y
Sbgko8IEeHh6SrSchEY5R+/wOBnNNVVvWeyP3aWSLHTWspnIBSdMySFVsSNTEary
PxLVczwwqatuIBMkbKnj4qfmDxJEMHqaduhzHTTaL9XAn0LZEiWT22PbcWbHXKbq
YmWu2mzcQ061SOc5saf8+SqfaJTOx+ypUCukpAbKEFHt4mRunbE9WeumHCvBwRqF
BCVESJnxXkTycVmGFCZpeDTA9sZvIAQVBgmW6Xlv7mc8deKlF07/0pE5jH2y6eBR
qgiJosDcLb+08PoCGqT+8lZcOS312omfar4s3UrsX2kShPLFlfYNm/IuhCSJVP7X
SYHD3QiybWbIGudZsy9jk42B4dWu7h58aGosXbKgLIANgXhQmw6KDV0Lhi+te6vg
cEaN3wWwHampQVFogaYB6emEhgT7Gwy/rZ57+icq/i6ezsKvKa0jGwTGbe/uN0sE
cLyUcEuGYoiRabyjZ4UF/Zh38Nar2BHbgeUoghrSBVTMHPJRJDUuuiD50s5/a62O
J/BnVNSMh9qiKdORvEJNyll6SKXDSjHRCgWExg/QmmD9mCl35PMk/FATZouy8n1N
jG0k8/NuzQNspwHs4S+d0ykMiQM+m4xegNvWxGLyOPMsCKBPFspg21kavcniCcK3
/LBlhkupf+owXTlqwulo6igP/esdaoNQ+2o13Cz5E3Ex+ShpJvByRLjP+5bVQSsj
—–END RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED indicates the key is encrypted.

DEK-Info: AES-256-CBC indicates the AES cipher used for encryption.

If the private key is not encrypted, the previous two lines will not be included in the file. If security is important, note that a private key should almost always be encrypted AND kept in a secure place.

openssl genrsa example with passphrase

openssl genrsa -passout
The -passout flag looks for an argument containing the file or variable holding the password. The following are options for the -passout argument:

  • pass:password – password will be the actual password. This should only be used when security is not critical because the password will be available in history and other OS utilities.
  • env:var – var will be the name of the environment variable.
  • file:pathname – pathname of the file containing the password. The first line of the file should be the password.
  • fd:number – This can be used to send the password with a pipe.
  • stdin – Read the password from standard input.

Example of openssl genrsa -passout with a 2048 bit key size reading the password from a file or from foobar:

  • openssl genrsa -aes128 -passout pass:foobar 2048
  • openssl genrsa -aes128 -passout file:passphrase.txt 2048

How to remove a private key password using openssl.

If it is necessary to store the decrypted version of your private key, run this openssl rsa command to decrypt your private key. Removing the encryption from your private key makes it more vulnerable to theft and is not recommend if the security of the key is important. In any instance, if the private key is stolen while encrypted or not, it should immediately be replaced, any associated public key or certificate should be revoked, and a security review of your system should be conducted to ensure the new private key cannot be stolen again.

openssl rsa -in key.pem -out decrypted-key.pem
Where rsa is the RSA algorithm, -in key.pem is the encrypted RSA private key file, and -out decrypted-key.pem is the file that will contain the decrypted private key.

A much more technical description of an RSA private key can be read here, https://tools.ietf.org/html/rfc3447#section-3.2, in RFC 3447.

Further of OpenSSL genrsa

genrsa will been replaced by genpkey. The use of the genpkey program is encouraged over the algorithm specific utilities because additional algorithm options and ENGINE provided algorithms can be used.

genpkey allows us to generate the following key types: RSA RSA-PSS EC X25519 X448 ED25519 ED448