1RSA(1)                              OpenSSL                             RSA(1)
2
3
4

NAME

6       openssl-rsa, rsa - RSA key processing tool
7

SYNOPSIS

9       openssl rsa [-help] [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in
10       filename] [-passin arg] [-out filename] [-passout arg] [-aes128]
11       [-aes192] [-aes256] [-aria128] [-aria192] [-aria256] [-camellia128]
12       [-camellia192] [-camellia256] [-des] [-des3] [-idea] [-text] [-noout]
13       [-modulus] [-check] [-pubin] [-pubout] [-RSAPublicKey_in]
14       [-RSAPublicKey_out] [-engine id]
15

DESCRIPTION

17       The rsa command processes RSA keys. They can be converted between
18       various forms and their components printed out. Note this command uses
19       the traditional SSLeay compatible format for private key encryption:
20       newer applications should use the more secure PKCS#8 format using the
21       pkcs8 utility.
22

OPTIONS

24       -help
25           Print out a usage message.
26
27       -inform DER|NET|PEM
28           This specifies the input format. The DER option uses an ASN1 DER
29           encoded form compatible with the PKCS#1 RSAPrivateKey or
30           SubjectPublicKeyInfo format.  The PEM form is the default format:
31           it consists of the DER format base64 encoded with additional header
32           and footer lines. On input PKCS#8 format private keys are also
33           accepted. The NET form is a format is described in the NOTES
34           section.
35
36       -outform DER|NET|PEM
37           This specifies the output format, the options have the same meaning
38           and default as the -inform option.
39
40       -in filename
41           This specifies the input filename to read a key from or standard
42           input if this option is not specified. If the key is encrypted a
43           pass phrase will be prompted for.
44
45       -passin arg
46           The input file password source. For more information about the
47           format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
48
49       -out filename
50           This specifies the output filename to write a key to or standard
51           output if this option is not specified. If any encryption options
52           are set then a pass phrase will be prompted for. The output
53           filename should not be the same as the input filename.
54
55       -passout password
56           The output file password source. For more information about the
57           format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
58
59       -aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128,
60       -camellia192, -camellia256, -des, -des3, -idea
61           These options encrypt the private key with the specified cipher
62           before outputting it. A pass phrase is prompted for.  If none of
63           these options is specified the key is written in plain text. This
64           means that using the rsa utility to read in an encrypted key with
65           no encryption option can be used to remove the pass phrase from a
66           key, or by setting the encryption options it can be use to add or
67           change the pass phrase.  These options can only be used with PEM
68           format output files.
69
70       -text
71           Prints out the various public or private key components in plain
72           text in addition to the encoded version.
73
74       -noout
75           This option prevents output of the encoded version of the key.
76
77       -modulus
78           This option prints out the value of the modulus of the key.
79
80       -check
81           This option checks the consistency of an RSA private key.
82
83       -pubin
84           By default a private key is read from the input file: with this
85           option a public key is read instead.
86
87       -pubout
88           By default a private key is output: with this option a public key
89           will be output instead. This option is automatically set if the
90           input is a public key.
91
92       -RSAPublicKey_in, -RSAPublicKey_out
93           Like -pubin and -pubout except RSAPublicKey format is used instead.
94
95       -engine id
96           Specifying an engine (by its unique id string) will cause rsa to
97           attempt to obtain a functional reference to the specified engine,
98           thus initialising it if needed. The engine will then be set as the
99           default for all available algorithms.
100

NOTES

102       The PEM private key format uses the header and footer lines:
103
104        -----BEGIN RSA PRIVATE KEY-----
105        -----END RSA PRIVATE KEY-----
106
107       The PEM public key format uses the header and footer lines:
108
109        -----BEGIN PUBLIC KEY-----
110        -----END PUBLIC KEY-----
111
112       The PEM RSAPublicKey format uses the header and footer lines:
113
114        -----BEGIN RSA PUBLIC KEY-----
115        -----END RSA PUBLIC KEY-----
116
117       The NET form is a format compatible with older Netscape servers and
118       Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
119       It is not very secure and so should only be used when necessary.
120
121       Some newer version of IIS have additional data in the exported .key
122       files. To use these with the utility, view the file with a binary
123       editor and look for the string "private-key", then trace back to the
124       byte sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
125       from this point onwards to another file and use that as the input to
126       the rsa utility with the -inform NET option.
127

EXAMPLES

129       To remove the pass phrase on an RSA private key:
130
131        openssl rsa -in key.pem -out keyout.pem
132
133       To encrypt a private key using triple DES:
134
135        openssl rsa -in key.pem -des3 -out keyout.pem
136
137       To convert a private key from PEM to DER format:
138
139        openssl rsa -in key.pem -outform DER -out keyout.der
140
141       To print out the components of a private key to standard output:
142
143        openssl rsa -in key.pem -text -noout
144
145       To just output the public part of a private key:
146
147        openssl rsa -in key.pem -pubout -out pubkey.pem
148
149       Output the public part of a private key in RSAPublicKey format:
150
151        openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
152

BUGS

154       The command line password arguments don't currently work with NET
155       format.
156
157       There should be an option that automatically handles .key files,
158       without having to manually edit them.
159

SEE ALSO

161       pkcs8(1), dsa(1), genrsa(1), gendsa(1)
162
164       Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
165
166       Licensed under the OpenSSL license (the "License").  You may not use
167       this file except in compliance with the License.  You can obtain a copy
168       in the file LICENSE in the source distribution or at
169       <https://www.openssl.org/source/license.html>.
170
171
172
1731.1.1                             2018-09-11                            RSA(1)
Impressum