Creating Key Pairs
The following instructions show how to create public/private key pairs. In the examples, key-pair creation is treated as a standalone step so that the process can be described and its elements called out for better understanding. In practice this step is often folded into other commands for efficiency, for example the command that creates a certificate signing request (CSR).
- Generate an RSA Key
To generate an RSA key, use the openssl genrsa command, for example:

sudo openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................
....................................................
...................................................+++
................................+++
e is 65537 (0x10001)
This command generates an unencrypted key named private.key in the current directory. The last argument is the modulus size in bits; 2048 is the smallest size you should use today, and 3072 or 4096 is preferable for keys with a long lifetime. The line "e is 65537" reports the public exponent. Note that sudo is not needed for this command; it only makes the resulting file owned by root. Run it as the user that will use the key, and make sure the file is readable by that user only (for example, chmod 600 private.key). The contents of the file look similar to the following example:

cat private.key
-----BEGIN RSA PRIVATE KEY-----
...[base64-encoded key data]
-----END RSA PRIVATE KEY-----
Note that even though the file is called private.key and its header says RSA PRIVATE KEY, the public key is also embedded within this file: the PKCS#1 private-key structure carries the modulus and public exponent alongside the private components. So the single file represents the complete key pair, and the public key can be derived from it at any time (see Display the public key, below). For the same reason, never hand out this file in order to distribute the public key; extract the public part instead.
- Using a passphrase
To create a key that is encrypted under a passphrase, run the same command and specify the cipher to encrypt the key with, for example:

sudo openssl genrsa -aes256 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
.............................................................+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

In this example the key is encrypted with AES-256 in CBC mode, using an encryption key derived from the passphrase. The command prompts you to enter a passphrase and verify it. The header of the key file indicates that the key is encrypted; the hexadecimal value after the cipher name in DEK-Info is the IV, as shown in the following example:

cat private.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,2417E359B45960CD107A390748945752
key-content
-----END RSA PRIVATE KEY-----

Be aware that this legacy PEM encryption derives the AES key from the passphrase with a single MD5 iteration, so it gives little protection against offline guessing of a short passphrase. Use a long passphrase, or convert the key to PKCS#8, whose PBKDF2-based key derivation is much slower to brute-force (openssl pkcs8 -topk8 -v2 aes-256-cbc -in private.key -out private.p8).
- Decrypting a key
If you created an encrypted key file and later decide that you would prefer a file that is not encrypted and does not require a passphrase, you can decrypt it by running the following command:

sudo openssl rsa -in private.key -out unencrypted.key
Enter pass phrase for private.key:
writing RSA key

You are prompted for the passphrase of the encrypted key stored in private.key, and the unencrypted version of the same key is written to the file unencrypted.key. Protect that file accordingly: anyone who can read it holds the private key.
By default, OpenSSL writes keys in Privacy Enhanced Mail (PEM) format, a plain-text format that wraps the DER encoding of the key as a base64 string between BEGIN and END lines. Keys and certificates can be encoded by using several different formatting conventions. For more information about changing the format of a key or certificate, see Changing Key or Certificate Format.
- Inspect the private key
You can view the decoded components of a private key (modulus, public and private exponents, primes) as follows:

sudo openssl rsa -text -in private.key

Add -noout to suppress the PEM block that is otherwise printed after the decoded fields, or use -noout -modulus to print only the modulus, which is a quick way to check that a private key and a certificate belong together. Because this output includes the private components, treat it as sensitively as the key file itself.
- Display the public key
A private key file also contains its public-key counterpart. The public-key component is what is submitted in a CSR or placed in a self-signed certificate. To extract it as a PEM block (BEGIN PUBLIC KEY), run the following command:

sudo openssl rsa -pubout -in private.key

Add -out public.key to write it to a file. This extracted file is the only one that should be shared; the private key file stays on the host.
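The following script is an added example, not part of the original instructions, that runs the whole procedure above non-interactively in a scratch directory and checks the properties the text claims: the encrypted and decrypted files hold the same key, the extracted public key matches it, and a signature made with the private key verifies with the public one. It assumes the openssl command-line tool is on PATH; the file names, the passphrase and the sample message are arbitrary choices made for this demo. Unlike the interactive commands above it drops sudo and uses -passout/-passin instead of prompts, and it wraps the existing key with openssl rsa -aes256 (equivalent to the -aes256 option of genrsa) so that one key pair is used throughout.

```sh
#!/bin/sh
# Added example (not from the original page). Exercises the key-pair workflow
# end to end and returns non-zero if any check fails. Requires openssl on PATH.

# Generate an unencrypted 2048-bit RSA key ("Generate an RSA Key").
gen_key() {                       # gen_key FILE
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Wrap an existing key with a passphrase using AES-256-CBC ("Using a
# passphrase"). -passout supplies the passphrase without a prompt.
encrypt_key() {                   # encrypt_key IN PASS OUT
  openssl rsa -in "$1" -aes256 -passout "pass:$2" -out "$3" 2>/dev/null
}

# Remove the passphrase again ("Decrypting a key"); fails on a wrong passphrase.
decrypt_key() {                   # decrypt_key IN PASS OUT
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Extract the public component ("Display the public key").
pub_key() {                       # pub_key IN OUT
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Print the modulus of a private key, or of a public key when -pubin is given.
# Files that share a modulus describe the same key pair.
modulus() {                       # modulus FILE [-pubin]
  openssl rsa ${2:-} -in "$1" -noout -modulus 2>/dev/null
}

# Full walk-through with checks. Returns 0 only when every check passes.
# Each step is checked explicitly so the result does not depend on set -e.
keypair_demo() {                  # keypair_demo DIR PASS
  mkdir -p "$1" || return 1
  (
    cd "$1" || exit 1
    umask 077                     # key files are created owner-only

    gen_key private.key || exit 1
    # the private key must not be group- or world-readable
    [ -z "$(find private.key -perm -040)" ] || exit 1
    [ -z "$(find private.key -perm -004)" ] || exit 1

    encrypt_key private.key "$2" encrypted.key || exit 1
    grep -q ENCRYPTED encrypted.key || exit 1     # header marks it encrypted

    decrypt_key encrypted.key "$2" unencrypted.key || exit 1
    if grep -q ENCRYPTED unencrypted.key; then exit 1; fi

    pub_key private.key public.key || exit 1
    grep -q 'BEGIN PUBLIC KEY' public.key || exit 1

    # private, decrypted and public files all belong to one key pair
    m=$(modulus private.key)
    [ -n "$m" ] || exit 1
    [ "$(modulus unencrypted.key)" = "$m" ] || exit 1
    [ "$(modulus public.key -pubin)" = "$m" ] || exit 1

    # round trip: sign with the private key, verify with the extracted public
    # key (the message is a constructed sample)
    printf 'constructed sample message\n' > msg.txt
    openssl dgst -sha256 -sign private.key -out msg.sig msg.txt || exit 1
    openssl dgst -sha256 -verify public.key -signature msg.sig msg.txt >/dev/null 2>&1
  )
}

# Usage:
#   keypair_demo ./keys 'correct horse battery staple' && echo "all checks passed"
```

Run it in an empty directory; it leaves private.key, encrypted.key, unencrypted.key and public.key behind so you can inspect them with the commands from the sections above. The umask line is the one practitioner habit worth copying into real scripts: it guarantees the key is never world-readable, regardless of which OpenSSL version creates it.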