LinuxCommandLibrary

genrsa.1s

Generate an RSA private key

SYNOPSIS

openssl genrsa [options] [numbits]

PARAMETERS

-help
    Display help information

-out filename
    Output file for the private key

-passout arg
    Passphrase for encrypting the output key

-aes128 | -aes192 | -aes256
    Encrypt output with specified AES cipher

-camellia128 | -camellia192 | -camellia256
    Encrypt with Camellia cipher

-des | -des3
    Encrypt with DES or triple DES

-idea
    Encrypt with IDEA cipher

-text
    Print key in text form

-noout
    Do not output the key

-modulus
    Print the RSA key modulus

-check
    Verify key integrity

-pubout
    Output public key only

-RSAPublicKey_out
    Output unencrypted RSA public key

-RSAPrivateKey_out
    Output unencrypted RSA private key

-PKCS8
    Output PKCS#8 format

-pkcs8pass arg
    Passphrase for PKCS#8 encryption

-3
    Use public exponent 3 (default for < 768 bits)

-F4
    Use public exponent 65537 (F4)

-engine id
    Use specified engine

-provider name
    Use specified provider (OpenSSL 3+)

DESCRIPTION

The openssl genrsa command is a key generation utility within the OpenSSL toolkit, specifically designed to create RSA private keys. It supports generating keys of specified bit lengths, typically 2048 or 4096 bits for modern security standards.

RSA (Rivest-Shamir-Adleman) keys are fundamental for asymmetric cryptography, used in SSL/TLS certificates, SSH authentication, and secure email. The command outputs the private key in PEM format by default, which can be encrypted with symmetric ciphers like AES or DES for added protection.

Key features include customizable key sizes, public exponent selection (-3 or -F4), output formatting (PEM/DER), and options for password-protected keys via -passout. It also allows checking key validity, extracting moduli, or outputting public keys.

Usage is straightforward: give the bit length and, optionally, an output file. For example, to generate a 2048-bit key: openssl genrsa -out private.key 2048. Encrypted variant (prompts for a passphrase unless -passout is given): openssl genrsa -aes256 -out private.key 2048. The command is deprecated in favor of openssl genpkey in OpenSSL 3.0+, but remains widely used for compatibility.

Primarily invoked in certificate authority workflows or server setups, it ensures secure key generation without external dependencies.

CAVEATS

Deprecated in OpenSSL 3.0+; use openssl genpkey instead. Avoid DES ciphers due to insecurity. Generate at least 2048-bit keys for security.

EXAMPLE

openssl genrsa -out key.pem 2048
openssl genrsa -aes256 -passout pass:mypass -out key.pem 4096
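The following script is an added example, not part of this page or of OpenSSL itself. It wraps the commands above into checks a practitioner would run after generation: the passphrase is read with file: instead of pass:mypass (which is visible to other local users in the process list), the output is confirmed to actually be encrypted, the key is run through openssl rsa -check, its size is read back, and the derived public key is compared by modulus. It assumes OpenSSL 1.1.1 or 3.x on PATH; the passphrase is a constructed sample, and gen_encrypted_key_genpkey shows the genpkey form recommended in CAVEATS.

```shell
#!/bin/sh
# Added example (not from the page): generate an RSA key with openssl genrsa,
# keep it encrypted at rest, and verify it before use. Assumes OpenSSL 1.1.1
# or 3.x on PATH; the passphrase below is a constructed sample.
set -eu
umask 077   # every file created below (key, passphrase, public key) is 0600

# The passphrase is read from a file ("file:") rather than given as "pass:..."
# on the command line, where other local users could read it from the process list.
gen_encrypted_key() {   # gen_encrypted_key KEYFILE BITS PASSFILE
    openssl genrsa -aes256 -passout "file:$3" -out "$1" "$2" 2>/dev/null
}
# Same result with the OpenSSL 3 replacement named in CAVEATS.
gen_encrypted_key_genpkey() {   # gen_encrypted_key_genpkey KEYFILE BITS PASSFILE
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" \
        -aes256 -pass "file:$3" -out "$1" 2>/dev/null
}
# 0 if the PEM is encrypted (traditional "Proc-Type: 4,ENCRYPTED" header or
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"); catches a key accidentally written in the clear.
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }
# 0 if the key passes OpenSSL's consistency check (primes, n = p*q, CRT values).
check_key() {   # check_key KEYFILE PASSFILE
    openssl rsa -in "$1" -passin "file:$2" -check -noout >/dev/null 2>&1
}
# Print the modulus size in bits, so a caller can enforce the >= 2048 policy.
key_bits() {   # key_bits KEYFILE PASSFILE
    openssl rsa -in "$1" -passin "file:$2" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}
# Write the public key and confirm its modulus equals the private key's.
pubkey_matches() {   # pubkey_matches KEYFILE PASSFILE PUBFILE
    openssl rsa -in "$1" -passin "file:$2" -pubout -out "$3" 2>/dev/null
    priv=$(openssl rsa -in "$1" -passin "file:$2" -noout -modulus 2>/dev/null)
    pub=$(openssl rsa -pubin -in "$3" -noout -modulus 2>/dev/null)
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

demo() {
    dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
    printf '%s' 'correct horse battery staple' > "$dir/pass"   # constructed passphrase
    gen_encrypted_key "$dir/key.pem" 2048 "$dir/pass"
    is_encrypted "$dir/key.pem" || { echo "key.pem is NOT encrypted"; exit 1; }
    check_key "$dir/key.pem" "$dir/pass" || { echo "key check failed"; exit 1; }
    echo "$(key_bits "$dir/key.pem" "$dir/pass")-bit key generated, check ok"
    pubkey_matches "$dir/key.pem" "$dir/pass" "$dir/pub.pem" && echo "public key matches"
}
demo
```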

SECURITY NOTE

Always protect private keys; use strong passphrases and secure storage. Key size < 2048 bits is insecure.

HISTORY

Introduced in early OpenSSL versions (1998+), based on SSLeay library. Evolved with cipher support and formatting options. Marked legacy in OpenSSL 3.0 (2022) favoring provider-based genpkey.

SEE ALSO

openssl(1), genpkey(1), rsa(1), req(1ssl)
