=pod =head1 NAME rsa - RSA key processing tool =head1 SYNOPSIS B B [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] [B<-in filename>] [B<-passin password>] [B<-envpassin var>] [B<-out filename>] [B<-passout password>] [B<-envpassout var>] [B<-des>] [B<-des3>] [B<-idea>] [B<-text>] [B<-noout>] [B<-modulus>] [B<-check>] [B<-pubin>] [B<-pubout>] =head1 DESCRIPTION The B command processes RSA keys. They can be converted between various forms and their components printed out. B this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the B utility. =head1 COMMAND OPTIONS =over 4 =item B<-inform DER|NET|PEM> This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. On input PKCS#8 format private keys are also accepted. The B form is a format compatible with older Netscape servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very secure and so should only be used when necessary. =item B<-outform DER|NET|PEM> This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. =item B<-passin password> the input file password. Since certain utilities like "ps" make the command line visible this option should be used with caution. =item B<-envpassin var> read the input file password from the environment variable B. =item B<-out filename> This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should B be the same as the input filename. =item B<-passout password> the output file password. Since certain utilities like "ps" make the command line visible this option should be used with caution. =item B<-envpassout var> read the output file password from the environment variable B. =item B<-des|-des3|-idea> These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the B utility to read in an encrypted key with no encryption option can be used to remove the pass phrase from a key, or by setting the encryption options it can be use to add or change the pass phrase. These options can only be used with PEM format output files. =item B<-text> prints out the various public or private key components in plain text in addition to the encoded version. =item B<-noout> this option prevents output of the encoded version of the key. =item B<-modulus> this option prints out the value of the modulus of the key. =item B<-check> this option checks the consistency of an RSA private key. =item B<-pubin> by default a private key is read from the input file: with this option a public key is read instead. =item B<-pubout> by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. =back =head1 NOTES The PEM private key format uses the header and footer lines: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- The PEM public key format uses the header and footer lines: -----BEGIN PUBLIC KEY----- -----END PUBLIC KEY----- =head1 EXAMPLES To remove the pass phrase on an RSA private key: openssl rsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: openssl rsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: openssl rsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: openssl rsa -in key.pem -text -noout To just output the public part of a private key: openssl rsa -in key.pem -pubout -out pubkey.pem =head1 SEE ALSO L, L, L, L =cut