]>
Commit | Line | Data |
---|---|---|
aba3e65f DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
b6b66573 | 5 | openssl-rsa - RSA key processing tool |
aba3e65f DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> B<rsa> | |
169394d4 | 10 | [B<-help>] |
e8769719 RS |
11 | [B<-inform> B<DER>|B<PEM>] |
12 | [B<-outform> B<DER>|B<PEM>] | |
13 | [B<-in> I<filename>] | |
14 | [B<-passin> I<arg>] | |
15 | [B<-out> I<filename>] | |
16 | [B<-passout> I<arg>] | |
fc1d88f0 RS |
17 | [B<-aes128>] |
18 | [B<-aes192>] | |
19 | [B<-aes256>] | |
d42d0a4d P |
20 | [B<-aria128>] |
21 | [B<-aria192>] | |
22 | [B<-aria256>] | |
fc1d88f0 RS |
23 | [B<-camellia128>] |
24 | [B<-camellia192>] | |
25 | [B<-camellia256>] | |
aba3e65f DSH |
26 | [B<-des>] |
27 | [B<-des3>] | |
28 | [B<-idea>] | |
29 | [B<-text>] | |
30 | [B<-noout>] | |
31 | [B<-modulus>] | |
32 | [B<-check>] | |
33 | [B<-pubin>] | |
34 | [B<-pubout>] | |
9c75461b DSH |
35 | [B<-RSAPublicKey_in>] |
36 | [B<-RSAPublicKey_out>] | |
e8769719 | 37 | [B<-engine> I<id>] |
aba3e65f | 38 | |
1738c0ce RS |
39 | =for comment ifdef pvk-strong pvk-weak pvk-none engine |
40 | ||
aba3e65f DSH |
41 | =head1 DESCRIPTION |
42 | ||
43 | The B<rsa> command processes RSA keys. They can be converted between various | |
44 | forms and their components printed out. B<Note> this command uses the | |
45 | traditional SSLeay compatible format for private key encryption: newer | |
46 | applications should use the more secure PKCS#8 format using the B<pkcs8> | |
47 | utility. | |
48 | ||
3dfda1a6 | 49 | =head1 OPTIONS |
aba3e65f DSH |
50 | |
51 | =over 4 | |
52 | ||
169394d4 MR |
53 | =item B<-help> |
54 | ||
55 | Print out a usage message. | |
56 | ||
e8769719 | 57 | =item B<-inform> B<DER>|B<PEM> |
aba3e65f DSH |
58 | |
59 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded | |
13938ace DSH |
60 | form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. |
61 | The B<PEM> form is the default format: it consists of the B<DER> format base64 | |
62 | encoded with additional header and footer lines. On input PKCS#8 format private | |
d91d443f | 63 | keys are also accepted. |
aba3e65f | 64 | |
e8769719 | 65 | =item B<-outform> B<DER>|B<PEM> |
aba3e65f | 66 | |
7477c83e TM |
67 | This specifies the output format, the options have the same meaning and default |
68 | as the B<-inform> option. | |
aba3e65f | 69 | |
e8769719 | 70 | =item B<-in> I<filename> |
aba3e65f DSH |
71 | |
72 | This specifies the input filename to read a key from or standard input if this | |
73 | option is not specified. If the key is encrypted a pass phrase will be | |
74 | prompted for. | |
75 | ||
e8769719 | 76 | =item B<-passin> I<arg> |
af29811e | 77 | |
2f0ea936 | 78 | The input file password source. For more information about the format of I<arg> |
e8769719 | 79 | see L<openssl(1)/Pass phrase options>. |
af29811e | 80 | |
e8769719 | 81 | =item B<-out> I<filename> |
aba3e65f | 82 | |
cc8709a0 DSH |
83 | This specifies the output filename to write a key to or standard output if this |
84 | option is not specified. If any encryption options are set then a pass phrase | |
85 | will be prompted for. The output filename should B<not> be the same as the input | |
aba3e65f DSH |
86 | filename. |
87 | ||
2f0ea936 | 88 | =item B<-passout> I<arg> |
af29811e | 89 | |
2f0ea936 | 90 | The output file password source. For more information about the format of I<arg> |
9b86974e | 91 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. |
af29811e | 92 | |
dfee8626 | 93 | =item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> |
aba3e65f | 94 | |
fc1d88f0 RS |
95 | These options encrypt the private key with the specified |
96 | cipher before outputting it. A pass phrase is prompted for. | |
aba3e65f DSH |
97 | If none of these options is specified the key is written in plain text. This |
98 | means that using the B<rsa> utility to read in an encrypted key with no | |
99 | encryption option can be used to remove the pass phrase from a key, or by | |
100 | setting the encryption options it can be use to add or change the pass phrase. | |
101 | These options can only be used with PEM format output files. | |
102 | ||
103 | =item B<-text> | |
104 | ||
c4de074e | 105 | Prints out the various public or private key components in |
1bc74519 | 106 | plain text in addition to the encoded version. |
aba3e65f DSH |
107 | |
108 | =item B<-noout> | |
109 | ||
c4de074e | 110 | This option prevents output of the encoded version of the key. |
aba3e65f DSH |
111 | |
112 | =item B<-modulus> | |
113 | ||
c4de074e | 114 | This option prints out the value of the modulus of the key. |
aba3e65f DSH |
115 | |
116 | =item B<-check> | |
117 | ||
c4de074e | 118 | This option checks the consistency of an RSA private key. |
aba3e65f DSH |
119 | |
120 | =item B<-pubin> | |
121 | ||
c4de074e | 122 | By default a private key is read from the input file: with this |
0cd4498b | 123 | option a public key is read instead. |
aba3e65f DSH |
124 | |
125 | =item B<-pubout> | |
126 | ||
c4de074e | 127 | By default a private key is output: with this option a public |
0cd4498b DSH |
128 | key will be output instead. This option is automatically set if |
129 | the input is a public key. | |
aba3e65f | 130 | |
9c75461b DSH |
131 | =item B<-RSAPublicKey_in>, B<-RSAPublicKey_out> |
132 | ||
c4de074e | 133 | Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead. |
9c75461b | 134 | |
e8769719 | 135 | =item B<-engine> I<id> |
bfa35550 | 136 | |
2f0ea936 | 137 | Specifying an engine (by its unique I<id> string) will cause B<rsa> |
bfa35550 RL |
138 | to attempt to obtain a functional reference to the specified engine, |
139 | thus initialising it if needed. The engine will then be set as the default | |
140 | for all available algorithms. | |
141 | ||
aba3e65f DSH |
142 | =back |
143 | ||
0286d944 DSH |
144 | =head1 NOTES |
145 | ||
146 | The PEM private key format uses the header and footer lines: | |
147 | ||
148 | -----BEGIN RSA PRIVATE KEY----- | |
149 | -----END RSA PRIVATE KEY----- | |
150 | ||
0cd4498b DSH |
151 | The PEM public key format uses the header and footer lines: |
152 | ||
153 | -----BEGIN PUBLIC KEY----- | |
154 | -----END PUBLIC KEY----- | |
155 | ||
9c75461b DSH |
156 | The PEM B<RSAPublicKey> format uses the header and footer lines: |
157 | ||
158 | -----BEGIN RSA PUBLIC KEY----- | |
159 | -----END RSA PUBLIC KEY----- | |
160 | ||
aba3e65f DSH |
161 | =head1 EXAMPLES |
162 | ||
163 | To remove the pass phrase on an RSA private key: | |
164 | ||
1675f6eb | 165 | openssl rsa -in key.pem -out keyout.pem |
aba3e65f DSH |
166 | |
167 | To encrypt a private key using triple DES: | |
168 | ||
1675f6eb | 169 | openssl rsa -in key.pem -des3 -out keyout.pem |
aba3e65f | 170 | |
1bc74519 | 171 | To convert a private key from PEM to DER format: |
aba3e65f | 172 | |
1675f6eb | 173 | openssl rsa -in key.pem -outform DER -out keyout.der |
aba3e65f DSH |
174 | |
175 | To print out the components of a private key to standard output: | |
176 | ||
1675f6eb | 177 | openssl rsa -in key.pem -text -noout |
aba3e65f DSH |
178 | |
179 | To just output the public part of a private key: | |
180 | ||
1675f6eb | 181 | openssl rsa -in key.pem -pubout -out pubkey.pem |
aba3e65f | 182 | |
9c75461b DSH |
183 | Output the public part of a private key in B<RSAPublicKey> format: |
184 | ||
185 | openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem | |
186 | ||
d3ed8ceb DSH |
187 | =head1 BUGS |
188 | ||
d3ed8ceb DSH |
189 | There should be an option that automatically handles .key files, |
190 | without having to manually edit them. | |
191 | ||
aba3e65f DSH |
192 | =head1 SEE ALSO |
193 | ||
b6b66573 DMSP |
194 | L<openssl(1)>, |
195 | L<openssl-pkcs8(1)>, | |
196 | L<openssl-dsa(1)>, | |
197 | L<openssl-genrsa(1)>, | |
198 | L<openssl-gendsa(1)> | |
aba3e65f | 199 | |
e2f92610 RS |
200 | =head1 COPYRIGHT |
201 | ||
b6b66573 | 202 | Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 203 | |
449040b4 | 204 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
205 | this file except in compliance with the License. You can obtain a copy |
206 | in the file LICENSE in the source distribution or at | |
207 | L<https://www.openssl.org/source/license.html>. | |
208 | ||
209 | =cut |