How to generate private key

Generate a private key for an SSL certificate and verify its consistency.

Generate unencrypted private key

Generate 4096-bit private key using RSA algorithm.

$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096

Generate encrypted private key

Basic way to generate encrypted private key

Generate a 4096-bit RSA private key and encrypt it using the AES-192 cipher; openssl will prompt you for the password interactively.

$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096 -aes192

Different ways to generate encrypted private key

Generate 4096-bit RSA private key, encrypt it using 3DES cipher and password provided from the command-line.

$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096 -des3 -pass pass:keypassword

Generate a 4096-bit RSA private key and encrypt it using the AES-128 cipher with a password read from a file.

$ cat /home/milosz/.pkey_pass
keypassword
$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096 -aes128 -pass file:/home/milosz/.pkey_pass

Generate 4096-bit RSA private key, encrypt it using CAMELLIA-256 cipher and password provided from the environment variable.

$ export pkey_pass="keypassword"
$ openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096 -camellia256 -pass env:pkey_pass
$ unset pkey_pass

Generate 4096-bit RSA private key, encrypt it using AES-256 cipher and password provided from standard input.

$ echo "keypassword" | openssl genpkey -algorithm RSA -out example.org.key -pkeyopt rsa_keygen_bits:4096 -aes256 -pass stdin

Encrypt or decrypt existing private key

Encrypt existing private key using AES-256 cipher and password provided from the command-line.

$ openssl rsa -in example.org.unc.key -out example.org.enc.key -aes256 -passout pass:keypassword

Re-encrypt existing private key using AES-256 cipher and password provided from the command-line.

$ openssl rsa -in example.org.enc.key -out example.org.enc.new.key -passin pass:keypassword -aes256 -passout pass:newkeypassword

Decrypt existing private key using password provided from the command-line.

$ openssl rsa -in example.org.enc.key -out example.org.unc.key -passin pass:keypassword

Verify consistency of the private key

Verify consistency of the private key using password provided from the command-line.

$ openssl rsa -in example.org.enc.key -check -noout -passin pass:keypassword

Result when private key's integrity is not compromised.

RSA key ok

Result when private key's integrity is compromised.

RSA key error: n does not equal p q
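The following script is an added example, not part of the original post: it ties the steps above together by writing the password to a file readable only by the current user, generating an AES-256 encrypted key with the password taken from that file, and then verifying the key with openssl rsa -check. It assumes openssl 1.1 or 3.x is on PATH; the file names and the password are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): generate an AES-256 encrypted
# RSA key with the password read from a file, then verify it in a script.
# Assumes openssl 1.1+ or 3.x is on PATH; paths and password are placeholders.
set -eu
umask 077   # every file created below is readable by the current user only

# Write the password to a file so it never appears on the command line,
# where it would be visible in `ps` output and in the shell history.
write_passfile() {
  passfile="$1"; password="$2"
  printf '%s\n' "$password" > "$passfile"
}

# Generate an encrypted RSA private key; bits defaults to 4096 as in the post.
gen_encrypted_key() {
  key="$1"; passfile="$2"; bits="${3:-4096}"
  openssl genpkey -algorithm RSA -out "$key" \
    -pkeyopt "rsa_keygen_bits:$bits" -aes256 -pass "file:$passfile" 2>/dev/null
}

# Return 0 only when openssl prints "RSA key ok". Caveat: `openssl rsa -check`
# still exits 0 after printing "RSA key error: ...", so the exit status alone
# does not prove consistency; the output line has to be inspected. A wrong
# password makes openssl fail before the check, so nothing matches either.
check_key() {
  key="$1"; passfile="$2"
  openssl rsa -in "$key" -check -noout -passin "file:$passfile" 2>/dev/null \
    | grep -qx 'RSA key ok'
}

# Demonstration with throwaway files in a private temporary directory.
demo() {
  dir=$(mktemp -d)
  write_passfile "$dir/pkey_pass" 'keypassword'
  gen_encrypted_key "$dir/example.org.key" "$dir/pkey_pass" 2048
  if check_key "$dir/example.org.key" "$dir/pkey_pass"; then
    echo "example.org.key: RSA key ok"
  else
    echo "example.org.key: check failed" >&2
  fi
  rm -rf "$dir"
}
```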

Additional information

You can still use the following command to generate a private key.

$ openssl genrsa -out example.org.key 4096

This way is still supported, so existing shell scripts will work without any changes.


About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system. He is also open for new opportunities and challenges.

Gdansk, Poland https://sleeplessbeastie.eu