genrsa Command in Linux



OpenSSL genrsa is a Linux command that generates an RSA private key. The term genrsa is derived from "gen" for generate and "rsa" for Rivest-Shamir-Adleman algorithm. While it was once widely used in cryptography for key generation, the command is now deprecated and has been replaced by openssl genpkey in modern OpenSSL versions.

Genrsa may still be available in some Linux distributions for backward compatibility, but it's recommended to use genpkey for generating RSA keys in new projects.

Read this tutorial to learn how to install and use the genrsa command in Linux to generate RSA private keys.


How to Install genrsa Command?

The genrsa command is part of the OpenSSL toolkit and is used to generate RSA private keys. These private keys can then be utilized to derive public keys, create certificates, or sign data in various cryptographic processes.

You can install it in Linux using one of the following commands depending upon the Linux distribution you are using −

#Installing genrsa on Debian-based Systems
sudo apt install openssl
#Installing genrsa on Red Hat-based Systems
sudo yum install openssl
#Installing genrsa on Arch Linux
sudo pacman -S openssl

Since we are using Ubuntu 24.04, we use the apt package manager to install it on our system −

sudo apt install openssl

The OpenSSL installation will need additional disk space. Press y and hit Enter to proceed with the installation −


Note − Although you can still install and use genrsa in Linux, it is deprecated and not recommended. Therefore, it's better to use the openssl genpkey command instead.

How to Check the Genrsa Version?

To verify the OpenSSL installation on your Linux system, run the following command −

openssl version

The output confirms that we are using the "3.0.13" version of OpenSSL −


How to Access the Man Page of genrsa?

You can also check the manual page for the genrsa command to confirm its installation or to get a basic understanding of how it works. To do this, run the following command −

man openssl-genrsa

This command opens the OpenSSL manual page for genrsa, which provides information such as the name, synopsis, description, and options.


How to Use genrsa Command in Linux?

To use the genrsa command in Linux, you must type openssl genrsa followed by a valid option and then hit the enter key −

openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]

Here, filename is the output file that contains the generated private key. If you don't specify -out filename, the key is printed to the terminal (standard output).

genrsa Command Options

Let's explore the valid options accepted by the openssl genrsa command, as illustrated in the table below −

| Option | Description |
|---|---|
| -passout arg | This option specifies the passphrase for encrypting the private key. For instance, "-passout pass:password" sets the passphrase directly. |
| -des, -des3, -idea | These options encrypt the private key with a cipher before saving it. The "-des" option encrypts the private key with the Data Encryption Standard, the "-des3" option encrypts it with triple DES, and the "-idea" option encrypts it with the IDEA (International Data Encryption Algorithm) cipher. If you don't specify any of these options, the private key is saved without encryption. |
| -f4, -3 | You can specify the public exponent to use with the -f4 or -3 options. The default public exponent is 65537 (used with -f4). Alternatively, you can use 3 by specifying -3. |
| -rand file(s) | This option lets us specify one or more files that contain random data to seed the random number generator. This can help improve the quality of the randomness used in key generation. On Unix-like systems, you can separate multiple files with a colon (:). On Windows, you use a semicolon (;). On OpenVMS, you can use a comma (,). Additionally, you can use an Entropy Gathering Daemon (EGD) socket for specifying random data. |
| -engine id | It selects and initializes a cryptographic engine by its unique ID. This engine becomes the default for all supported algorithms during the session. |
| numbits | It specifies the size of the private key in bits. This should be the last option specified, with a typical default of 512 bits (though 2048 or 4096 bits are recommended for security). |

How to Access the Help Page of genrsa Command?

To understand the genrsa command better, run openssl genrsa --help.

openssl genrsa --help

This command provides details about general options, output options, random state options, provider options, and parameters −


Examples of genrsa Command in Linux

Now let’s learn how to generate an RSA key, export the RSA public key to a file, and create a certificate using the following examples.

Generating an RSA Private Key Using OpenSSL genrsa

Let's generate an RSA key by specifying an encryption option such as -des, -des3, or -idea. The command will then prompt you for a passphrase −

openssl genrsa -des3 -out rsa_private_key.pem 2048

This command generates a 2048-bit RSA private key, encrypts it using triple DES (-des3), and saves it to the file "rsa_private_key.pem" −


You can check the generated RSA key by running the cat command followed by the file name that contains your RSA private key −

cat rsa_private_key.pem

When we run this command, it shows the following result for the specified private key file −


Exporting the RSA Public Key to a File

Let’s run the following command to export an RSA public key to a file −

openssl rsa -in rsa_private_key.pem -outform PEM -pubout -out rsa_public_key.pem

This command extracts the public key from the RSA private key (rsa_private_key.pem), formats it in PEM, and saves it to "rsa_public_key.pem" −


Creating a Certificate Using the RSA Private Key

The following command creates a new self-signed X.509 certificate using the RSA private key rsa_private_key.pem and saves it to rsa_certificate.pem −

openssl req -new -x509 -key rsa_private_key.pem -out rsa_certificate.pem

Provide the necessary information to create a certificate −


That’s all about using the genrsa command in Linux.

Conclusion

genrsa is a legacy OpenSSL command used on Linux to generate RSA private keys. Although genrsa has been replaced by the newer "openssl genpkey" command, it's still useful to understand how it works, especially for older systems.

In this tutorial, we explained how to install genrsa on various Linux distributions, check its installed version, and access its manual and help pages. We also showed how to use it to generate RSA private keys, export public keys, and create certificates. Even though genrsa is still available on some systems, it's better to use openssl genpkey for improved security and compatibility.
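The same workflow with the recommended openssl genpkey command, as an added example that is not part of the original tutorial: it generates an encrypted RSA key, exports the public key, and reports the key size actually produced. The function name gen_rsa_key, the file names, and the passphrase are assumptions made for illustration; AES-256-CBC is used here in place of the -des3 option shown above, and the passphrase is read from a file rather than passed on the command line.

```shell
#!/bin/sh
# Added example: genpkey equivalent of the genrsa workflow in this tutorial.
# All file names and the passphrase are constructed for illustration.

# gen_rsa_key DIR BITS
# Writes DIR/rsa_private_key.pem (encrypted) and DIR/rsa_public_key.pem,
# then prints the modulus size in bits of the generated key.
# The body runs in a subshell so the umask change does not leak to the caller.
gen_rsa_key() (
    dir="$1"
    bits="$2"
    key="$dir/rsa_private_key.pem"
    pub="$dir/rsa_public_key.pem"
    passfile="$dir/passphrase.txt"

    # New files are readable and writable by the owner only.
    umask 077

    # Constructed passphrase; in practice it comes from a secret store.
    printf '%s\n' 'constructed-example-passphrase' > "$passfile"

    # genpkey replaces genrsa: the key size is passed with -pkeyopt,
    # and -aes-256-cbc encrypts the private key before it is written.
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -aes-256-cbc -pass "file:$passfile" -out "$key" || exit 1

    # Export the public key (same role as "openssl rsa -pubout" above).
    openssl pkey -in "$key" -passin "file:$passfile" \
        -pubout -out "$pub" || exit 1

    # Read the size back from the key itself instead of trusting a default.
    openssl pkey -pubin -in "$pub" -noout -text |
        sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
)

workdir=$(mktemp -d)
echo "key directory: $workdir"
echo "modulus bits:  $(gen_rsa_key "$workdir" 2048)"
```

Reading the size back from the generated key guards against relying on whatever default key length the installed OpenSSL version applies.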
