1=pod
2
3=head1 NAME
4
5openssl-rsa,
6rsa - RSA key processing tool
7
8=head1 SYNOPSIS
9
10B<openssl> B<rsa>
11[B<-help>]
12[B<-inform PEM|DER>]
13[B<-outform PEM|DER>]
14[B<-in filename>]
15[B<-passin arg>]
16[B<-out filename>]
17[B<-passout arg>]
18[B<-aes128>]
19[B<-aes192>]
20[B<-aes256>]
21[B<-aria128>]
22[B<-aria192>]
23[B<-aria256>]
24[B<-camellia128>]
25[B<-camellia192>]
26[B<-camellia256>]
27[B<-des>]
28[B<-des3>]
29[B<-idea>]
30[B<-text>]
31[B<-noout>]
32[B<-modulus>]
33[B<-check>]
34[B<-pubin>]
35[B<-pubout>]
36[B<-RSAPublicKey_in>]
37[B<-RSAPublicKey_out>]
38[B<-engine id>]
39
40=head1 DESCRIPTION
41
42The B<rsa> command processes RSA keys. They can be converted between various
43forms and their components printed out. B<Note> this command uses the
44traditional SSLeay compatible format for private key encryption: newer
45applications should use the more secure PKCS#8 format using the B<pkcs8>
46utility.
47
48=head1 OPTIONS
49
50=over 4
51
52=item B<-help>
53
54Print out a usage message.
55
56=item B<-inform DER|PEM>
57
58This specifies the input format. The B<DER> option uses an ASN1 DER encoded
59form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
60The B<PEM> form is the default format: it consists of the B<DER> format base64
61encoded with additional header and footer lines. On input PKCS#8 format private
62keys are also accepted.
63
64=item B<-outform DER|PEM>
65
66This specifies the output format, the options have the same meaning and default
67as the B<-inform> option.
68
69=item B<-in filename>
70
71This specifies the input filename to read a key from or standard input if this
72option is not specified. If the key is encrypted a pass phrase will be
73prompted for.
74
75=item B<-passin arg>
76
77The input file password source. For more information about the format of B<arg>
78see L<openssl(1)/Pass Phrase Options>.
79
80=item B<-out filename>
81
82This specifies the output filename to write a key to or standard output if this
83option is not specified. If any encryption options are set then a pass phrase
84will be prompted for. The output filename should B<not> be the same as the input
85filename.
86
87=item B<-passout password>
88
89The output file password source. For more information about the format of B<arg>
90see L<openssl(1)/Pass Phrase Options>.
91
92=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
93
94These options encrypt the private key with the specified
95cipher before outputting it. A pass phrase is prompted for.
96If none of these options is specified the key is written in plain text. This
97means that using the B<rsa> utility to read in an encrypted key with no
98encryption option can be used to remove the pass phrase from a key, or by
99setting the encryption options it can be use to add or change the pass phrase.
100These options can only be used with PEM format output files.
101
102=item B<-text>
103
104Prints out the various public or private key components in
105plain text in addition to the encoded version.
106
107=item B<-noout>
108
109This option prevents output of the encoded version of the key.
110
111=item B<-modulus>
112
113This option prints out the value of the modulus of the key.
114
115=item B<-check>
116
117This option checks the consistency of an RSA private key.
118
119=item B<-pubin>
120
121By default a private key is read from the input file: with this
122option a public key is read instead.
123
124=item B<-pubout>
125
126By default a private key is output: with this option a public
127key will be output instead. This option is automatically set if
128the input is a public key.
129
130=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
131
132Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
133
134=item B<-engine id>
135
136Specifying an engine (by its unique B<id> string) will cause B<rsa>
137to attempt to obtain a functional reference to the specified engine,
138thus initialising it if needed. The engine will then be set as the default
139for all available algorithms.
140
141=back
142
143=head1 NOTES
144
145The PEM private key format uses the header and footer lines:
146
147 -----BEGIN RSA PRIVATE KEY-----
148 -----END RSA PRIVATE KEY-----
149
150The PEM public key format uses the header and footer lines:
151
152 -----BEGIN PUBLIC KEY-----
153 -----END PUBLIC KEY-----
154
155The PEM B<RSAPublicKey> format uses the header and footer lines:
156
157 -----BEGIN RSA PUBLIC KEY-----
158 -----END RSA PUBLIC KEY-----
159
160=head1 EXAMPLES
161
162To remove the pass phrase on an RSA private key:
163
164 openssl rsa -in key.pem -out keyout.pem
165
166To encrypt a private key using triple DES:
167
168 openssl rsa -in key.pem -des3 -out keyout.pem
169
170To convert a private key from PEM to DER format:
171
172 openssl rsa -in key.pem -outform DER -out keyout.der
173
174To print out the components of a private key to standard output:
175
176 openssl rsa -in key.pem -text -noout
177
178To just output the public part of a private key:
179
180 openssl rsa -in key.pem -pubout -out pubkey.pem
181
182Output the public part of a private key in B<RSAPublicKey> format:
183
184 openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
185
186=head1 BUGS
187
188There should be an option that automatically handles .key files,
189without having to manually edit them.
190
191=head1 SEE ALSO
192
193L<pkcs8(1)>, L<dsa(1)>, L<genrsa(1)>,
194L<gendsa(1)>
195
196=head1 COPYRIGHT
197
198Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
199
200Licensed under the OpenSSL license (the "License").  You may not use
201this file except in compliance with the License.  You can obtain a copy
202in the file LICENSE in the source distribution or at
203L<https://www.openssl.org/source/license.html>.
204
205=cut
206