LinuxCommandLibrary

openssl-genpkey

Generate private keys

TLDR

Generate an RSA private key of 2048 bits, saving it to a specific file

$ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:[2048] -out [filename.key]

Generate an elliptic curve private key using the curve prime256v1, saving it to a specific file
$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:[prime256v1] -out [filename.key]

Generate an ED25519 elliptic curve private key, saving it to a specific file
$ openssl genpkey -algorithm [ED25519] -out [filename.key]

SYNOPSIS

openssl genpkey [options] -out filename

PARAMETERS

-out filename
    Specifies the output file for the generated private key. If not specified, the key is written to standard output.

-algorithm alg
    Specifies the algorithm for the key generation. Common algorithms include RSA, EC, ED25519, X25519, DSA. This option is mandatory.

-pkeyopt opt:value
    Provides algorithm-specific key generation options. For example, for RSA keys, rsa_keygen_bits:2048 sets the key length. For EC keys, ec_paramgen_curve:prime256v1 specifies the elliptic curve.

-passout arg
    Specifies the source of the passphrase for encrypting the private key. Can be stdin, pass:, env:, etc.

-aes128 | -aes192 | -aes256 | -camellia128 | ...
    Encrypts the output private key with the specified symmetric encryption algorithm. A passphrase must be provided via -passout or interactively.

-cipher alg
    A generic way to specify the symmetric encryption algorithm for the private key, similar to -aes256 etc.

-rand files
    Specifies one or more files containing random data to seed the PRNG (Pseudo-Random Number Generator).

-text
    Prints the public and private components of the key in a human-readable text format in addition to the encoded output.

-noout
    Prevents the output of the encoded private key to the specified file or standard output. Useful when only -text or other side effects are desired.

-verbose
    Prints extra information about the key generation process, such as algorithm parameters and progress.

DESCRIPTION

The openssl genpkey command is a versatile utility used to generate a private key for various cryptographic algorithms, such as RSA, EC (Elliptic Curve), ED25519, and X25519. It was introduced to provide a unified interface for key generation, superseding older, algorithm-specific commands like genrsa, gendsa, and genec.

The generated private key is typically output in PEM (Privacy-Enhanced Mail) format, which is a Base64-encoded representation of the DER (Distinguished Encoding Rules) encoded key. Users can specify the key algorithm and provide algorithm-specific parameters like key length for RSA or curve name for EC keys. For enhanced security, the private key can be encrypted with a passphrase using various symmetric encryption algorithms (e.g., AES256) when written to disk, preventing unauthorized access.

CAVEATS

When generating keys, especially for production environments, ensure that your system has sufficient entropy (randomness) to produce cryptographically strong keys. Lack of entropy can lead to predictable keys and security vulnerabilities.

Always protect your generated private keys with strong passphrases and appropriate file system permissions (e.g., chmod 600) to prevent unauthorized access.

The -pkeyopt parameters are highly algorithm-dependent; referring to the openssl man page for specific algorithm requirements is crucial.

KEY ALGORITHM PARAMETERS

The -pkeyopt option is critical for configuring algorithm-specific properties. For example:

  • For RSA keys: Use rsa_keygen_bits:length (e.g., 2048, 4096) to specify the key modulus size.
  • For EC keys: Use ec_paramgen_curve:name (e.g., prime256v1, secp384r1, secp521r1) to specify the elliptic curve.
  • For ED25519 and X25519 keys: These algorithms typically do not require additional parameters as their properties are fixed by the algorithm definition.
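The following script is an added example and not part of the Linux Command Library page: it runs openssl genpkey once per algorithm with the -pkeyopt values listed above, creates every file with a 077 umask so the keys land on disk as 0600 (the permission the CAVEATS section asks for), and then re-parses each key with openssl pkey to confirm it is valid and has the requested modulus size or curve. It assumes an openssl binary on PATH (1.1.1 or later, since ED25519 is used); the function names gen_key, key_bits, key_curve and demo are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Linux Command Library page: generate one
# private key per algorithm with openssl genpkey, then check each key by
# re-parsing it with openssl pkey. Assumes openssl 1.1.1+ on PATH.
set -eu

# Files created from here on are owner read/write only (0600), so a private
# key is never world-readable on disk, not even for an instant.
umask 077

# gen_key ALG OUTFILE [PKEYOPT...]
# Every extra argument becomes one -pkeyopt opt:value pair.
gen_key() {
    alg=$1; out=$2; shift 2
    opts=""
    for o in "$@"; do opts="$opts -pkeyopt $o"; done
    # $opts is deliberately unquoted so it splits into separate arguments.
    openssl genpkey -algorithm "$alg" $opts -out "$out"
    # Re-parse the key and derive its public half; this fails if the file
    # is not a valid private key, so it doubles as a sanity check.
    openssl pkey -in "$out" -pubout -out "$out.pub"
    # Confirm the on-disk mode is exactly owner read/write.
    [ "$(ls -l "$out" | cut -c1-10)" = "-rw-------" ]
}

# key_bits KEYFILE: prints the modulus size of an RSA key, taken from the
# first line of the -text dump (e.g. "Private-Key: (2048 bit, 2 primes)").
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# key_curve KEYFILE: prints the named curve of an EC key ("ASN1 OID: ...").
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# demo: generate all three key types into a temporary directory.
demo() {
    dir=$(mktemp -d)
    gen_key RSA     "$dir/rsa.key"     rsa_keygen_bits:2048
    gen_key EC      "$dir/ec.key"      ec_paramgen_curve:prime256v1
    gen_key ED25519 "$dir/ed25519.key"            # no -pkeyopt needed
    echo "RSA modulus bits: $(key_bits "$dir/rsa.key")"
    echo "EC curve:         $(key_curve "$dir/ec.key")"
    ls -l "$dir"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing generated" >&2
fi
```

Running the script with no openssl installed prints a message instead of failing part-way through; with openssl present it prints the verified RSA size and EC curve name and a directory listing whose key files all show -rw-------.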

PASSPHRASE HANDLING

When encrypting a private key with a passphrase, openssl genpkey will prompt interactively if -passout is not used. Using -passout is recommended for scripting, but care must be taken not to expose passphrases in plain text in scripts or command history. For example, -passout stdin reads the passphrase from standard input, making it suitable for piping or secure interactive entry.

HISTORY

The openssl genpkey command was introduced in OpenSSL 0.9.8. Its primary motivation was to provide a unified, generic interface for private key generation, which could support new cryptographic algorithms without requiring a new, dedicated command for each. Prior to genpkey, users had to rely on separate commands like openssl genrsa for RSA keys, openssl gendsa for DSA keys, and openssl genec for EC keys. This unification streamlined key management and made OpenSSL more flexible for future cryptographic developments.

SEE ALSO

openssl req(1), openssl rsa(1), openssl ec(1), openssl pkcs8(1), openssl genrsa(1), openssl gendsa(1), openssl genec(1)
