1=pod 2 3=begin comment 4{- join("\n", @autowarntext) -} 5 6=end comment 7 8=head1 NAME 9 10openssl-rsa - RSA key processing command 11 12=head1 SYNOPSIS 13 14B<openssl> B<rsa> 15[B<-help>] 16[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] 17[B<-outform> B<DER>|B<PEM>] 18[B<-in> I<filename>|I<uri>] 19[B<-passin> I<arg>] 20[B<-out> I<filename>] 21[B<-passout> I<arg>] 22[B<-aes128>] 23[B<-aes192>] 24[B<-aes256>] 25[B<-aria128>] 26[B<-aria192>] 27[B<-aria256>] 28[B<-camellia128>] 29[B<-camellia192>] 30[B<-camellia256>] 31[B<-des>] 32[B<-des3>] 33[B<-idea>] 34[B<-text>] 35[B<-noout>] 36[B<-modulus>] 37[B<-traditional>] 38[B<-check>] 39[B<-pubin>] 40[B<-pubout>] 41[B<-RSAPublicKey_in>] 42[B<-RSAPublicKey_out>] 43[B<-pvk-strong>] 44[B<-pvk-weak>] 45[B<-pvk-none>] 46{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} 47 48=head1 DESCRIPTION 49 50This command processes RSA keys. They can be converted between 51various forms and their components printed out. 52 53=head1 OPTIONS 54 55=over 4 56 57=item B<-help> 58 59Print out a usage message. 60 61=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> 62 63The key input format; unspecified by default. 64See L<openssl-format-options(1)> for details. 65 66=item B<-outform> B<DER>|B<PEM> 67 68The key output format; the default is B<PEM>. 69See L<openssl-format-options(1)> for details. 70 71=item B<-traditional> 72 73When writing a private key, use the traditional PKCS#1 format 74instead of the PKCS#8 format. 75 76=item B<-in> I<filename>|I<uri> 77 78This specifies the input to read a key from or standard input if this 79option is not specified. If the key is encrypted a pass phrase will be 80prompted for. 81 82=item B<-passin> I<arg>, B<-passout> I<arg> 83 84The password source for the input and output file. 85For more information about the format of B<arg> 86see L<openssl-passphrase-options(1)>. 87 88=item B<-out> I<filename> 89 90This specifies the output filename to write a key to or standard output if this 91option is not specified. If any encryption options are set then a pass phrase 92will be prompted for. The output filename should B<not> be the same as the input 93filename. 94 95=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea> 96 97These options encrypt the private key with the specified 98cipher before outputting it. A pass phrase is prompted for. 99If none of these options is specified the key is written in plain text. This 100means that this command can be used to remove the pass phrase from a key 101by not giving any encryption option is given, or to add or change the pass 102phrase by setting them. 103These options can only be used with PEM format output files. 104 105=item B<-text> 106 107Prints out the various public or private key components in 108plain text in addition to the encoded version. 109 110=item B<-noout> 111 112This option prevents output of the encoded version of the key. 113 114=item B<-modulus> 115 116This option prints out the value of the modulus of the key. 117 118=item B<-check> 119 120This option checks the consistency of an RSA private key. 121 122=item B<-pubin> 123 124By default a private key is read from the input file: with this 125option a public key is read instead. 126 127=item B<-pubout> 128 129By default a private key is output: with this option a public 130key will be output instead. This option is automatically set if 131the input is a public key. 132 133=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out> 134 135Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead. 136 137=item B<-pvk-strong> 138 139Enable 'Strong' PVK encoding level (default). 140 141=item B<-pvk-weak> 142 143Enable 'Weak' PVK encoding level. 144 145=item B<-pvk-none> 146 147Don't enforce PVK encoding. 148 149{- $OpenSSL::safe::opt_engine_item -} 150 151{- $OpenSSL::safe::opt_provider_item -} 152 153=back 154 155=head1 NOTES 156 157The L<openssl-pkey(1)> command is capable of performing all the operations 158this command can, as well as supporting other public key types. 159 160=head1 EXAMPLES 161 162The documentation for the L<openssl-pkey(1)> command contains examples 163equivalent to the ones listed here. 164 165To remove the pass phrase on an RSA private key: 166 167 openssl rsa -in key.pem -out keyout.pem 168 169To encrypt a private key using triple DES: 170 171 openssl rsa -in key.pem -des3 -out keyout.pem 172 173To convert a private key from PEM to DER format: 174 175 openssl rsa -in key.pem -outform DER -out keyout.der 176 177To print out the components of a private key to standard output: 178 179 openssl rsa -in key.pem -text -noout 180 181To just output the public part of a private key: 182 183 openssl rsa -in key.pem -pubout -out pubkey.pem 184 185Output the public part of a private key in B<RSAPublicKey> format: 186 187 openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem 188 189=head1 BUGS 190 191There should be an option that automatically handles F<.key> files, 192without having to manually edit them. 193 194=head1 SEE ALSO 195 196L<openssl(1)>, 197L<openssl-pkey(1)>, 198L<openssl-pkcs8(1)>, 199L<openssl-dsa(1)>, 200L<openssl-genrsa(1)>, 201L<openssl-gendsa(1)> 202 203=head1 HISTORY 204 205The B<-engine> option was deprecated in OpenSSL 3.0. 206 207=head1 COPYRIGHT 208 209Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. 210 211Licensed under the Apache License 2.0 (the "License"). You may not use 212this file except in compliance with the License. You can obtain a copy 213in the file LICENSE in the source distribution or at 214L<https://www.openssl.org/source/license.html>. 215 216=cut 217