LinuxCommandLibrary

genpkey.1s

Generate private keys for cryptographic algorithms

SYNOPSIS

genpkey [options]

PARAMETERS

-algorithm
    Specifies the public key algorithm to use (e.g., RSA, DSA, EC, X25519, X448).

-pkeyopt
    Set a private key algorithm option, e.g., rsa_keygen_bits:2048 for key length or ec_paramgen_curve:prime256v1 for EC curves.

-out
    Output the generated private key to the specified file. Defaults to standard output.

-pass
    The password source for encrypting the output key. Can be pass:, file:, env:, etc.

-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
    Encrypts the output key using the specified symmetric cipher algorithm.

-genparam
    Generates algorithm parameters rather than a private key. Useful for DSA or EC.

-paramfile
    Uses algorithm parameters from the specified file to generate the key.

-rand
    Specifies one or more files or an EGD socket for seeding the random number generator.

-writerand
    Writes additional random data to the specified file after key generation.

-verbose
    Prints extra information and progress during the key generation process.

-traditional
    Outputs the key in the traditional format (e.g., PKCS#1 for RSA/DSA/DH, SECP for EC).

-f4
    Uses 65537 (0x10001) as the RSA public exponent (default for RSA key generation).

-pubexp
    Specifies an alternative RSA public exponent, e.g., 3.

-noout
    Prevents printing of the encoded key to standard output or file.

-text
    Prints the private key in plain text form (including public key components).

-engine
    Specifies a hardware cryptographic engine to use for operations.

-old
    Uses the old PKCS#8 format for encrypted private keys (less common now).

DESCRIPTION

genpkey is a utility command in the OpenSSL toolkit used for generating private keys. It supports various algorithms including RSA, DSA, EC, and X25519/X448. The command provides options for specifying the algorithm, key length (where applicable), public exponent for RSA, and parameters for EC keys. It can also encrypt the generated private key using a passphrase. The output can be written to a file or standard output. This tool is fundamental for cryptographic operations, secure communication, and digital certificate management, forming the basis for Public Key Infrastructure (PKI). It replaces older, algorithm-specific key generation commands like genrsa and gendsa by providing a unified interface for key generation across different cryptographic algorithms.

CAVEATS

The security of generated keys heavily depends on the quality of the random number source; ensure sufficient entropy using -rand.
Keys generated with non-standard public exponents (for RSA) might face compatibility issues with some legacy systems.
Generating parameters with -genparam can be computationally intensive and time-consuming, especially for large key sizes or complex algorithms.
The default output format is PKCS#8, which is generally preferred over traditional formats for its versatility and standardization.

KEY ALGORITHM OPTIONS DETAILS

genpkey uses the -pkeyopt option to specify algorithm-specific parameters. For RSA, common options include rsa_keygen_bits: (e.g., rsa_keygen_bits:2048 for a 2048-bit key) and rsa_keygen_pubexp:. For DSA, it's typically dsa_paramgen_bits:. For EC, it's often ec_paramgen_curve: (e.g., ec_paramgen_curve:prime256v1 or secp384r1).
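The following script is an added example and is not part of the LinuxCommandLibrary page or the OpenSSL project. It drives genpkey through the -algorithm, -pkeyopt, -genparam and -paramfile options described above and reads each result back with pkey(1) (listed under SEE ALSO), so the reported modulus size and curve name come from the encoded key rather than from what was requested. It assumes an openssl binary on PATH and a writable temporary directory; the function names and the scratch directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the LinuxCommandLibrary page or the OpenSSL project):
# exercise -algorithm / -pkeyopt / -genparam / -paramfile and verify each key
# by inspecting the encoded result with openssl pkey.
# Assumes: openssl on PATH, mktemp available.
set -eu

WORK=$(mktemp -d)       # constructed scratch directory; remove with: rm -rf "$WORK"

# RSA: rsa_keygen_bits picks the modulus size, rsa_keygen_pubexp the public
# exponent (65537 is the default and what -f4 selects). Prints the bit length
# parsed from the "Private-Key: (N bit ...)" line of the text dump.
gen_rsa_bits() {        # usage: gen_rsa_bits 2048
    openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:"$1" \
        -pkeyopt rsa_keygen_pubexp:65537 \
        -out "$WORK/rsa.pem" 2>/dev/null      # 2> hides OpenSSL 1.x progress dots
    openssl pkey -in "$WORK/rsa.pem" -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# EC: ec_paramgen_curve names the curve. Prints the curve name read back from
# the key's "ASN1 OID: <curve>" line.
gen_ec_curve() {        # usage: gen_ec_curve prime256v1
    openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:"$1" \
        -out "$WORK/ec.pem"
    openssl pkey -in "$WORK/ec.pem" -noout -text | sed -n 's/^ASN1 OID: //p'
}

# Two-step form: -genparam writes only the EC parameters; a second run with
# -paramfile derives the key from them and needs no -algorithm. Same check.
gen_ec_via_params() {   # usage: gen_ec_via_params secp384r1
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt ec_paramgen_curve:"$1" \
        -out "$WORK/ec.params"
    openssl genpkey -paramfile "$WORK/ec.params" -out "$WORK/ec2.pem"
    openssl pkey -in "$WORK/ec2.pem" -noout -text | sed -n 's/^ASN1 OID: //p'
}

# X25519 has one fixed curve, so it takes no -pkeyopt at all. Prints the
# algorithm name from the "X25519 Private-Key:" heading of the text dump.
gen_x25519_alg() {
    openssl genpkey -algorithm X25519 -out "$WORK/x25519.pem"
    openssl pkey -in "$WORK/x25519.pem" -noout -text \
        | sed -n 's/^\(X25519\) Private-Key:.*/\1/p'
}

echo "RSA modulus bits : $(gen_rsa_bits 2048)"
echo "EC curve         : $(gen_ec_curve prime256v1)"
echo "EC via paramfile : $(gen_ec_via_params secp384r1)"
echo "X25519 algorithm : $(gen_x25519_alg)"
```

Reading the size and curve back from the file rather than trusting the command line is the habit worth keeping: a typo such as rsa_keygen_bits:204 or a curve name the build does not support is caught at generation time instead of when the key is first deployed.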

OUTPUT KEY FORMATS

By default, genpkey outputs the private key in PKCS#8 format, a standard for storing private key information. The -traditional option can be used to output in older, algorithm-specific formats (e.g., PKCS#1 for RSA). For encrypted keys, the default is PKCS#8 encrypted. The -old option can be used to write encrypted keys in the older PKCS#8 encrypted format, though this is less common now.
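The script below is an added example, not code from the LinuxCommandLibrary page or from the OpenSSL project. It shows how the options above change the container genpkey writes, using the first PEM line as the tell-tale: plain PKCS#8 by default, encrypted PKCS#8 when a cipher flag such as -aes256 and a -pass source are given, and the traditional PKCS#1 form for the same RSA key. The traditional form is produced here by converting the PKCS#8 file with pkey(1) -traditional (listed under SEE ALSO). It assumes an openssl binary on PATH; the passphrase, function names and scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the LinuxCommandLibrary page or the OpenSSL project):
# compare the encodings genpkey writes by looking at the PEM header, and check
# that an encrypted key really refuses a wrong passphrase.
# Assumes: openssl on PATH, mktemp available.
set -eu

WORK=$(mktemp -d)       # constructed scratch directory; remove with: rm -rf "$WORK"

pem_header() { head -n 1 "$1"; }    # the BEGIN line names the container format

# Default output: unencrypted PKCS#8. The header is algorithm-neutral; the
# algorithm identifier is carried inside the structure.
default_header() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/plain.pem" 2>/dev/null      # 2> hides OpenSSL 1.x progress dots
    pem_header "$WORK/plain.pem"
}

# Encrypted PKCS#8: a cipher flag (-aes256) plus a -pass source. The env:
# source reads the passphrase from a variable, so it never shows up in the
# process list the way pass:<secret> on the command line would.
encrypted_header() {    # usage: encrypted_header <passphrase>
    KEY_PASS="$1" openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes256 -pass env:KEY_PASS -out "$WORK/enc.pem" 2>/dev/null
    pem_header "$WORK/enc.pem"
}

# Loading the encrypted key with pkey(1) succeeds only with the right
# passphrase. Prints "opened" or "refused".
open_encrypted() {      # usage: open_encrypted <passphrase>
    if KEY_PASS="$1" openssl pkey -in "$WORK/enc.pem" -passin env:KEY_PASS \
            -noout >/dev/null 2>&1; then
        echo opened
    else
        echo refused
    fi
}

# Traditional (PKCS#1 for RSA) encoding of the same key, obtained by converting
# the PKCS#8 file with pkey -traditional. The header now names the algorithm.
traditional_header() {
    openssl pkey -in "$WORK/plain.pem" -traditional -out "$WORK/trad.pem"
    pem_header "$WORK/trad.pem"
}

echo "default     : $(default_header)"
echo "encrypted   : $(encrypted_header 'constructed-demo-passphrase')"
echo "right pass  : $(open_encrypted 'constructed-demo-passphrase')"
echo "wrong pass  : $(open_encrypted 'not-the-passphrase')"
echo "traditional : $(traditional_header)"
```

The header check is a cheap guard for deployment scripts: a consumer that expects "BEGIN ENCRYPTED PRIVATE KEY" can refuse a file that begins "BEGIN PRIVATE KEY" before an unencrypted key is ever copied to disk on the target host.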

HISTORY

The genpkey command was introduced in OpenSSL to provide a unified and more flexible interface for generating private keys across different cryptographic algorithms. Prior to genpkey, users typically relied on algorithm-specific commands such as genrsa for RSA keys, gendsa for DSA keys, and gensec for EC keys. These separate commands sometimes had inconsistent option sets and required users to learn multiple interfaces. genpkey streamlines the process by allowing the algorithm to be specified as an option (-algorithm), consolidating key generation into a single command. This unification simplifies scripting and improves user experience by offering a consistent syntax for all supported private key types. It reflects OpenSSL's ongoing effort to modernize its command-line utilities and improve cryptographic flexibility.

SEE ALSO

openssl(1), pkey(1), pkcs8(1), rsa(1), dsa(1), ec(1), passwd(1ssl)
