In this post, we will cover how to create an RSA private key, an RSA public key, a DSA private key, and a DSA public key with OpenSSL.
Create RSA Private Key with PEM format
RSA private key generation with OpenSSL involves just one step:
- openssl genrsa -out rsaprivkey.pem 2048
This command generates a PEM-encoded private key and stores it in the file rsaprivkey.pem. This example creates a 2048-bit key, which should work for nearly any purpose. The resulting private key should be kept secret and is used to sign and decrypt data.
Create RSA Public Key with PEM format
Extract the public key, which can be used in a certificate, from the private key:
- openssl rsa -in rsaprivkey.pem -outform PEM -pubout -out public.pem
Create RSA Public and Private Keys with DER format
Some implementations, Java-based ones in particular, might require DER or PKCS#8 encoding, which can be generated using the following additional steps:
- openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der
- openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem -out rsaprivkey.der -nocrypt
Step 1 generates the public key in DER format.
Step 2 generates the private key in PKCS#8 and DER format. Because of -nocrypt, the private key is written unencrypted, so restrict access to the file. Once generated, we can use these keys (rsapubkey.der and rsaprivkey.der).
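The script below is an added example, not part of the original post: it runs the RSA commands above under a restrictive umask and then checks that public.pem, rsapubkey.der and rsaprivkey.der all belong to the same key pair. The function names make_rsa_keyset and verify_rsa_keyset are hypothetical helpers; the file names are the ones used in the post.

```sh
#!/bin/sh
# Added example: generate the post's RSA files, then verify they form one key pair.
# make_rsa_keyset and verify_rsa_keyset are hypothetical helper names.

make_rsa_keyset() (          # $1 = output directory; the body runs in a subshell
    umask 077                # new files are accessible by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out rsaprivkey.pem 2048 2>/dev/null &&
    openssl rsa -in rsaprivkey.pem -outform PEM -pubout -out public.pem 2>/dev/null &&
    openssl rsa -in rsaprivkey.pem -pubout -outform DER -out rsapubkey.der 2>/dev/null &&
    openssl pkcs8 -topk8 -inform PEM -outform DER -in rsaprivkey.pem \
        -out rsaprivkey.der -nocrypt
)

verify_rsa_keyset() (        # $1 = directory; returns 0 only if every check passes
    cd "$1" || exit 1
    # 1. The PEM private key is internally consistent.
    openssl rsa -in rsaprivkey.pem -check -noout 2>/dev/null |
        grep -q 'RSA key ok' || exit 2
    # 2. public.pem and rsapubkey.der encode the same public key.
    openssl rsa -pubin -in public.pem -outform DER 2>/dev/null |
        cmp -s - rsapubkey.der || exit 3
    # 3. The PKCS#8 DER private key yields that same public key.
    openssl pkcs8 -inform DER -nocrypt -in rsaprivkey.der 2>/dev/null |
        openssl rsa -pubout -outform DER 2>/dev/null |
        cmp -s - rsapubkey.der || exit 4
    # 4. No private key file is readable by group or others.
    [ -z "$(find . -name 'rsaprivkey.*' \( -perm -040 -o -perm -004 \))" ] || exit 5
)

# Demo on a throwaway directory (constructed here; removed afterwards).
demo=$(mktemp -d) && make_rsa_keyset "$demo" && verify_rsa_keyset "$demo" &&
    echo "RSA key set verified"
rm -rf "$demo"
```

A non-zero return code from verify_rsa_keyset identifies which check failed (2 to 5, in the order of the comments).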
Create a DSA Private Key with PEM format
DSA key generation involves two steps:
- openssl dsaparam -out dsaparam.pem 2048
- openssl gendsa -out dsaprivkey.pem dsaparam.pem
The first step creates a DSA parameter file, dsaparam.pem, which in this case instructs OpenSSL to create a 2048-bit key in Step 2. The dsaparam.pem file is not itself a key, and can be discarded after the public and private keys are created.
The second step actually creates the private key in the file dsaprivkey.pem, which should be kept secret.
Create DSA Public and Private Keys with DER format
To export the key into a DER (binary) format we can use the following steps:
- openssl dsa -in dsaprivkey.pem -outform DER -pubout -out dsapubkey.der
- openssl pkcs8 -topk8 -inform PEM -outform DER -in dsaprivkey.pem -out dsaprivkey.der -nocrypt
Step 1 extracts the public key into DER format.
Step 2 converts the private key into PKCS#8 and DER format. Once we’ve done this, we can use this public (dsapubkey.der) and private (dsaprivkey.der) key pair.