openssl-genrsa(1)
Generate RSA private keys for cryptographic operations.
Synopsis
openssl genrsa [OPTIONS] [numbits]Description
The genrsa command generates an RSA private key of the specified bit length. The private key is output in PEM format by default, suitable for use with SSL/TLS servers, code signing, and encryption workflows.
The numbits argument specifies the key size in bits (typically 2048, 3072, or 4096). Larger keys provide stronger security but are slower to generate and use. Modern security standards recommend a minimum of 2048 bits.
The private key must be kept secret; if you need to share the public key, extract it separately using openssl rsa -pubout.
Common options
| Flag | What it does |
|---|---|
-out FILE | Write the private key to FILE instead of stdout |
-passout ARG | Encrypt the private key with a password (pass, env, file, or fd methods) |
-aes256 | Encrypt the output private key using AES-256-CBC cipher |
-aes128 | Encrypt the output private key using AES-128-CBC cipher |
-traditional | Use traditional OpenSSL private key format (PKCS#1) instead of PKCS#8 |
-f4 | Use Fermat number F4 (65537) as the public exponent (faster, default) |
-3 | Use 3 as the public exponent instead of 65537 |
-verbose | Print progress messages during key generation |
Examples
Generate a 2048-bit RSA private key and save to private.pem
openssl genrsa -out private.pem 2048Generate a 4096-bit key encrypted with AES-256 and prompt for password
openssl genrsa -out private.pem -aes256 4096Generate an encrypted 2048-bit key with password provided on command line
openssl genrsa -passout pass:mypassword -aes256 -out key.pem 2048Generate a private key and pipe it to extract the public key
openssl genrsa 2048 | openssl rsa -pubout -out public.pemGenerate a 3072-bit key in traditional PKCS#1 format for legacy systems
openssl genrsa -out server.key -traditional 3072Generate with verbose output showing progress information
openssl genrsa -verbose -out mykey.pem 2048 2>&1 | head