$linuxjunkies
>

openssl-genrsa(1)

Generate RSA private keys for cryptographic operations.

UbuntuDebianFedoraArch

Synopsis

openssl genrsa [OPTIONS] [numbits]

Description

The genrsa command generates an RSA private key of the specified bit length. The private key is output in PEM format by default, suitable for use with SSL/TLS servers, code signing, and encryption workflows.

The numbits argument specifies the key size in bits (typically 2048, 3072, or 4096). Larger keys provide stronger security but are slower to generate and use. Modern security standards recommend a minimum of 2048 bits.

The private key must be kept secret; if you need to share the public key, extract it separately using openssl rsa -pubout.

Common options

FlagWhat it does
-out FILEWrite the private key to FILE instead of stdout
-passout ARGEncrypt the private key with a password (pass, env, file, or fd methods)
-aes256Encrypt the output private key using AES-256-CBC cipher
-aes128Encrypt the output private key using AES-128-CBC cipher
-traditionalUse traditional OpenSSL private key format (PKCS#1) instead of PKCS#8
-f4Use Fermat number F4 (65537) as the public exponent (faster, default)
-3Use 3 as the public exponent instead of 65537
-verbosePrint progress messages during key generation

Examples

Generate a 2048-bit RSA private key and save to private.pem

openssl genrsa -out private.pem 2048

Generate a 4096-bit key encrypted with AES-256 and prompt for password

openssl genrsa -out private.pem -aes256 4096

Generate an encrypted 2048-bit key with password provided on command line

openssl genrsa -passout pass:mypassword -aes256 -out key.pem 2048

Generate a private key and pipe it to extract the public key

openssl genrsa 2048 | openssl rsa -pubout -out public.pem

Generate a 3072-bit key in traditional PKCS#1 format for legacy systems

openssl genrsa -out server.key -traditional 3072

Generate with verbose output showing progress information

openssl genrsa -verbose -out mykey.pem 2048 2>&1 | head

Related commands