rsa(1ssl)rsa(1ssl)NAME
rsa - RSA key processing tool
SYNOPSIS
openssl rsa [-inform PEM | NET | DER] [-outform PEM | NET | DER] [-in
filename] [-passin arg] [-out filename] [-passoutarg] [-sgckey] [-des]
[-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout]
OPTIONS
Specifies the input format. The DER option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo
format. The PEM form is the default format. It consists of the DER for‐
mat base64 encoded with additional header and footer lines. On input
PKCS#8 format private keys are also accepted. The NET form is described
in the Notes section. Specifies the output format. The options have
the same meaning as the -inform option. Specifies the input filename
to read a key from or standard input if this option is not specified.
If the key is encrypted, there will be a prompt for a pass phrase.
Input file password source. For more information about the format of
arg, see the Pass Phrase Arguments section in openssl(1ssl). Specifies
the output filename to write a key to or standard output if this option
is not specified. If any encryption options are set, there will bea
prompt for a pass phrase. The output filename should not be the same
as the input filename. Output file password source. For more informa‐
tion about the format of arg, see the Pass Phrase Arguments section in
openssl(1ssl). Uses the modified NET algorithm used with some versions
of Microsoft IIS and SGC keys. These options encrypt the private key
with the DES, triple DES, or the IDEA ciphers respectively before out‐
putting it. There is a prompt for a pass phrase. If none of these
options is specified the key is written in plain text. This means that
using the rsa utility to read in an encrypted key with no encryption
option can be used to remove the pass phrase from a key, or by setting
the encryption options it can be used to add or change the pass phrase.
These options can only be used with PEM format output files. Prints
out the various public or private key components in plain text in addi‐
tion to the encoded version. Prevents output of the encoded version of
the key. Prints out the value of the modulus of the key. Checks the
consistency of an RSA private key. By default a private key is read
from the input file. With this option a public key is read instead. By
default a private key is output. With this option a public key will be
output instead. This option is automatically set if the input is a pub‐
lic key.
DESCRIPTION
The rsa command processes RSA keys. They can be converted between vari‐
ous forms and their components printed out. This command uses the tra‐
ditional SSLeay compatible format for private key encryption. Newer
applications should use the more secure PKCS#8 format using the pkcs8
command.
NOTES
The PEM private key format uses the following header and footer lines:
-----BEGINRSA PRIVATE KEY-----
-----ENDRSA PRIVATE KEY-----
The PEM public key format uses the following header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
The NET form is a format compatible with older Netscape servers and Mi‐
crosoft IIS files. It uses unsalted RC4 for its encryption. It is not
very secure and should only be used when necessary.
Some newer version of IIS have additional data in the exported files.
To use these with the utility, view the file with a binary editor and
look for the string private-key, then trace back to the byte sequence
0x30, 0x82. (This is an ASN1 sequence.) Copy all the data from this
point onwards to another file and use that as the input to the rsa
utility with the -inform NET option. If you get an error after entering
the password try the -sgckey option.
RESTRICTIONS
The command line password arguments do not work with the NET format.
There should be an option that automatically handles files, without
having to manually edit them.
EXAMPLES
Remove the pass phrase on an RSA private key: openssl rsa -in key.pem
-out keyout.pem
Encrypt a private key using triple DES: openssl rsa -in key.pem -des3
-out keyout.pem
Convert a private key from PEM to DER format: openssl rsa -in key.pem
-outform DER -out keyout.der
Print the components of a private key to standard output: openssl rsa
-in key.pem -text -noout
Output the public part of a private key: openssl rsa -in key.pem -pub‐
out -out pubkey.pem
SEE ALSO
Commands: pkcs8(1ssl), dsa(1ssl), genrsa(1ssl), gendsa(1ssl)rsa(1ssl)