Creating RSA Keys using OpenSSL

Scott Brady
OpenSSL

Creating a private key for token signing doesn’t need to be a mystery. Recently, I wrote about using OpenSSL to create keys suitable for Elliptic Curve Cryptography (ECC), and in this article, I am going to show you how to do the same for RSA private and public keys, suitable for signature generation with RSASSA-PKCS1-v1_5 and RSASSA-PSS.

tl;dr - OpenSSL RSA Cheat Sheet

# generate a private key with the correct length
openssl genrsa -out private-key.pem 2048

# generate corresponding public key
openssl rsa -in private-key.pem -pubout -out public-key.pem

# optional: create a self-signed certificate
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

# optional: convert pem to pfx
cat private-key.pem cert.pem > cert-with-private-key
openssl pkcs12 -export -inkey private-key.pem -in cert-with-private-key -out cert.pfx

Generating an RSA Private Key Using OpenSSL

You can generate an RSA private key using the following command:

openssl genrsa -out private-key.pem 2048

In this example, I have used a key length of 2048 bits. This is the minimum key length defined in the JOSE specs and gives you 112-bit security. This also uses an exponent of 65537, which you’ve likely seen serialized as “AQAB”.

This gives you a PEM file containing your RSA private key, which should look something like the following:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Creating an RSA Public Key from a Private Key Using OpenSSL

Now that you have your private key, you can use it to generate another PEM file, containing only your public key.

openssl rsa -in private-key.pem -pubout -out public-key.pem

This should give you another PEM file, containing the public key:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApUy18wOzetMBY+Jw7lbX
zbfTSRQbWyvIN7YbvLjfJZTF129LDuWbRSyNd3+bNCqrOmmYFMAuKFbeGyN+fklV
1MpdRaB5Ykp8r+P+ZuC4JyWhRv+JhxT8uV0WTnKIrsg8TZHq3CvHlEE6qJYrNOA6
HdrmJ01kHUo2c0KYzkNCqjuaoww824dRwpgqjtWkVYMF7BpVi5uLGkm+K2QO6yJh
p0ZtbJxI+fOX+0g+PNC18sCzWgofUTAjF7OGYuFps9GhdXuOE37yUJhirdEhgxGK
+DSfd9Wltvq5UDvoAYWxoZTb9zAqoubKNqOWAV1EGPzy2iJUHeEmJGH8kE3i8lBI
nwIDAQAB
-----END PUBLIC KEY-----

Creating an RSA Self-Signed Certificate Using OpenSSL

Now that you have a private key, you can use it to generate a self-signed certificate. This is not required, but it allows you to use the key for server/client authentication, or to gain X.509-specific functionality in technologies such as JWT and SAML.

openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

This will generate yet another PEM file, this time containing a certificate signed with your private key:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You could leave things there, but often, when working on Windows, you will need to create a PFX file that contains both the certificate and the private key for you to export and use.

You can do this by first concatenating your private key and certificate into a single file:

cat private-key.pem cert.pem > cert-with-private-key

And then using OpenSSL to create a PFX file:

openssl pkcs12 -export -inkey private-key.pem -in cert-with-private-key -out cert.pfx

OpenSSL will ask you to create a password for the PFX file. Feel free to leave this blank.

This should leave you with a PFX file that Windows can install, and from which it can export the RSA private key.
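The four steps above, run end to end without prompts and then checked, as an added example that is not part of the article. It assumes openssl 1.1.1 or later on PATH; the output directory, the subject "/CN=example-signing-key" and the PFX password "changeit" are placeholders chosen for this example. Beyond the article's commands it adds the checks a practitioner wants before shipping a signing key: the modulus length and public exponent described earlier (with the exponent converted to the base64url form that appears as "AQAB" in a JWK), a comparison proving that private key, public key and certificate all carry the same RSA key, and a check that the PFX really contains the private key.

```shell
#!/bin/sh
# Added example (not from the article): run the article's four steps
# non-interactively, then verify the result the way a practitioner would.
# Assumptions: openssl 1.1.1+ on PATH; the directory name, the subject
# "/CN=example-signing-key" and the PFX password "changeit" are placeholders.
set -eu

PFX_PASS="changeit"   # placeholder; the article leaves the PFX password blank

# Steps 1-4 from the article, writing everything into directory $1.
# -subj and -passout replace the interactive prompts so this can be scripted.
make_rsa_bundle() {
    dir="$1"
    mkdir -p "$dir"
    # 1. RSA-2048 private key (genrsa defaults to public exponent 65537)
    openssl genrsa -out "$dir/private-key.pem" 2048 2>/dev/null
    # 2. public key only
    openssl rsa -in "$dir/private-key.pem" -pubout -out "$dir/public-key.pem" 2>/dev/null
    # 3. self-signed certificate, valid 360 days as in the article
    openssl req -new -x509 -key "$dir/private-key.pem" -out "$dir/cert.pem" \
        -days 360 -subj "/CN=example-signing-key" 2>/dev/null
    # 4. key + certificate concatenated, then bundled into a PFX (PKCS#12)
    cat "$dir/private-key.pem" "$dir/cert.pem" > "$dir/cert-with-private-key"
    openssl pkcs12 -export -inkey "$dir/private-key.pem" \
        -in "$dir/cert-with-private-key" -out "$dir/cert.pfx" \
        -passout "pass:$PFX_PASS"
}

# Modulus length in bits, parsed from `openssl rsa -text` ("Private-Key: (2048 bit ...")
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Public exponent as a decimal ("publicExponent: 65537 (0x10001)")
key_exponent() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^publicExponent: \([0-9]*\).*/\1/p'
}

# JWK "e" is base64url of the exponent's big-endian bytes: 65537 = 0x010001 -> "AQAB".
# awk emits an octal printf escape per byte so no NUL byte has to live in a variable.
jwk_e() {
    esc=$(awk -v n="$1" 'BEGIN {
        s = ""
        while (n > 0) { s = sprintf("\\%03o", n % 256) s; n = int(n / 256) }
        printf "%s", s
    }')
    printf "$esc" | openssl base64 | tr '+/' '-_' | tr -d '=\n'
}

# "Modulus=<hex>" of the RSA key inside a private key, public key or certificate
modulus_of() {
    case "$1" in
        priv) openssl rsa -in "$2" -noout -modulus ;;
        pub)  openssl rsa -pubin -in "$2" -noout -modulus ;;
        cert) openssl x509 -in "$2" -noout -modulus ;;
    esac
}

# All three PEM files must describe the same key; a mismatch means the public key
# or certificate was produced from a different private key than the one you sign with.
bundle_consistent() {
    m_priv=$(modulus_of priv "$1/private-key.pem")
    m_pub=$(modulus_of pub "$1/public-key.pem")
    m_cert=$(modulus_of cert "$1/cert.pem")
    [ -n "$m_priv" ] && [ "$m_priv" = "$m_pub" ] && [ "$m_pub" = "$m_cert" ]
}

# The PFX must open with the password and actually carry the private key
# (this is what the Windows "You have a private key" indicator reflects).
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'BEGIN .*PRIVATE KEY'
}

# Run everything when executed directly (`sh rsa-bundle.sh ./out`); skipped when sourced.
case "$0" in
    */rsa-bundle.sh|rsa-bundle.sh)
        out="${1:-./rsa-out}"
        make_rsa_bundle "$out"
        e=$(key_exponent "$out/private-key.pem")
        echo "bits=$(key_bits "$out/private-key.pem") e=$e jwk_e=$(jwk_e "$e")"
        bundle_consistent "$out" && echo "private key, public key and certificate match"
        pfx_has_private_key "$out/cert.pfx" "$PFX_PASS" && echo "cert.pfx contains the private key"
        ;;
esac
```

The `-modulus` comparison is the usual way to confirm that a certificate belongs to a given private key; the same three commands work on files you received from someone else, not only on ones you generated. `-subj` and `-passout` are only there to make the run scriptable; on an interactive run you can drop them and answer the prompts as the article describes.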

[Figure: A certificate, opened in Windows 10, showing that a private key corresponding to this certificate is present.]

[Figure: A certificate, opened in Windows 10, showing that the key is for RSA with a key length of 2048 bits.]