1=pod 2 3=begin comment 4{- join("\n", @autowarntext) -} 5 6=end comment 7 8=head1 NAME 9 10openssl-rsa - RSA key processing command 11 12=head1 SYNOPSIS 13 14B<openssl> B<rsa> 15[B<-help>] 16[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 17[B<-outform> B<DER>|B<PEM>] 18[B<-in> I<filename>|I<uri>] 19[B<-passin> I<arg>] 20[B<-out> I<filename>] 21[B<-passout> I<arg>] 22[B<-aes128>] 23[B<-aes192>] 24[B<-aes256>] 25[B<-aria128>] 26[B<-aria192>] 27[B<-aria256>] 28[B<-camellia128>] 29[B<-camellia192>] 30[B<-camellia256>] 31[B<-des>] 32[B<-des3>] 33[B<-idea>] 34[B<-text>] 35[B<-noout>] 36[B<-modulus>] 37[B<-traditional>] 38[B<-check>] 39[B<-pubin>] 40[B<-pubout>] 41[B<-RSAPublicKey_in>] 42[B<-RSAPublicKey_out>] 43[B<-pvk-strong>] 44[B<-pvk-weak>] 45[B<-pvk-none>] 46{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 47 48=head1 DESCRIPTION 49 50This command processes RSA keys. They can be converted between 51various forms and their components printed out. 52 53=head1 OPTIONS 54 55=over 4 56 57=item B<-help> 58 59Print out a usage message. 60 61=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 62 63The key input format; unspecified by default. 64See L<openssl-format-options(1)> for details. 65 66=item B<-outform> B<DER>|B<PEM> 67 68The key output format; the default is B<PEM>. 69See L<openssl-format-options(1)> for details. 70 71=item B<-traditional> 72 73When writing a private key, use the traditional PKCS#1 format 74instead of the PKCS#8 format. 75 76=item B<-in> I<filename>|I<uri> 77 78This specifies the input to read a key from or standard input if this 79option is not specified. If the key is encrypted a pass phrase will be 80prompted for. 81 82=item B<-passin> I<arg>, B<-passout> I<arg> 83 84The password source for the input and output file. 85For more information about the format of B<arg> 86see L<openssl-passphrase-options(1)>. 87 88=item B<-out> I<filename> 89 90This specifies the output filename to write a key to or standard output if this 91option is not specified. If any encryption options are set then a pass phrase 92will be prompted for. The output filename should B<not> be the same as the input 93filename. 94 95=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> 96 97These options encrypt the private key with the specified 98cipher before outputting it. A pass phrase is prompted for. 99If none of these options is specified the key is written in plain text. This 100means that this command can be used to remove the pass phrase from a key 101by not giving any encryption option is given, or to add or change the pass 102phrase by setting them. 103These options can only be used with PEM format output files. 104 105=item B<-text> 106 107Prints out the various public or private key components in 108plain text in addition to the encoded version. 109 110=item B<-noout> 111 112This option prevents output of the encoded version of the key. 113 114=item B<-modulus> 115 116This option prints out the value of the modulus of the key. 117 118=item B<-check> 119 120This option checks the consistency of an RSA private key. 121 122=item B<-pubin> 123 124By default a private key is read from the input. 125With this option a public key is read instead. 126If the input contains no public key but a private key, its public part is used. 127 128=item B<-pubout> 129 130By default a private key is output: with this option a public 131key will be output instead. This option is automatically set if 132the input is a public key. 133 134=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out> 135 136Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead. 137 138=item B<-pvk-strong> 139 140Enable 'Strong' PVK encoding level (default). 141 142=item B<-pvk-weak> 143 144Enable 'Weak' PVK encoding level. 145 146=item B<-pvk-none> 147 148Don't enforce PVK encoding. 149 150{- $OpenSSL::safe::opt_engine_item -} 151 152{- $OpenSSL::safe::opt_provider_item -} 153 154=back 155 156=head1 NOTES 157 158The L<openssl-pkey(1)> command is capable of performing all the operations 159this command can, as well as supporting other public key types. 160 161=head1 EXAMPLES 162 163The documentation for the L<openssl-pkey(1)> command contains examples 164equivalent to the ones listed here. 165 166To remove the pass phrase on an RSA private key: 167 168 openssl rsa -in key.pem -out keyout.pem 169 170To encrypt a private key using triple DES: 171 172 openssl rsa -in key.pem -des3 -out keyout.pem 173 174To convert a private key from PEM to DER format: 175 176 openssl rsa -in key.pem -outform DER -out keyout.der 177 178To print out the components of a private key to standard output: 179 180 openssl rsa -in key.pem -text -noout 181 182To just output the public part of a private key: 183 184 openssl rsa -in key.pem -pubout -out pubkey.pem 185 186Output the public part of a private key in B<RSAPublicKey> format: 187 188 openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem 189 190=head1 BUGS 191 192There should be an option that automatically handles F<.key> files, 193without having to manually edit them. 194 195=head1 SEE ALSO 196 197L<openssl(1)>, 198L<openssl-pkey(1)>, 199L<openssl-pkcs8(1)>, 200L<openssl-dsa(1)>, 201L<openssl-genrsa(1)>, 202L<openssl-gendsa(1)> 203 204=head1 HISTORY 205 206The B<-engine> option was deprecated in OpenSSL 3.0. 207 208=head1 COPYRIGHT 209 210Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. 211 212Licensed under the Apache License 2.0 (the "License"). You may not use 213this file except in compliance with the License. You can obtain a copy 214in the file LICENSE in the source distribution or at 215L<https://www.openssl.org/source/license.html>. 216 217=cut 218
