22

Is it possible to use openssl to generate a PKCS#8 private key directly, or do I have to first generate a PKCS#1 key with genrsa and then convert it?

Benjy Wiener

1 Answer

49

You can do this directly:

```
$ openssl genpkey -out rsakey.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
```

See the man page here:

https://www.openssl.org/docs/man1.1.1/man1/openssl-genpkey.html

Matt Caswell
  • 9
    Where in the documentation does it say that it uses PKCS#8? – Kishan B Sep 14 '18 at 10:25
  • 1
    @KishanB Regardless of the documentation, I've tried this myself and the encoding *is* PKCS #8. – AJM Apr 03 '19 at 13:39
  • 3
    A rather baffling update to the above comment - specifying -outform DER doesn't just change from PEM to DER, it also changes the DER from PKCS #8 to PKCS #1. – AJM Apr 03 '19 at 14:10
  • Thanks, that's very valuable information. Question: is it possible to generate a PKCS#8 pair with a one-line command? I need to send the public key to the receiver. I looked into the man page but can't find related information. – Marecky Sep 22 '21 at 12:00
  • 3
    PKCS#8 is a format for private keys. I guess what you want is a PKCS#8 file for the private key and (something like) a SubjectPublicKeyInfo (SPKI) file for the public key. You can't generate both of those in a single command, but you can generate the SPKI file from the PKCS#8 file: `openssl pkey -in rsakey.pem -pubout -out rsapubkey.pem` – Matt Caswell Sep 22 '21 at 14:23
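
The following is an added example, not part of the original answer or comments: a way to confirm on your own OpenSSL build which structure a key file actually contains, for both PEM and DER output. The function names and the `rsakey.p8.der` file name are made up for this sketch; it assumes the `openssl` command-line tool is installed and that the input is an RSA key.

```shell
#!/bin/sh
# Added example (not from the original thread): tell PKCS#8 from PKCS#1 by
# content, not by file name. Function names are hypothetical.

# PEM: the label on the BEGIN line names the structure.
pem_key_format() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        '-----BEGIN PUBLIC KEY-----')            echo spki ;;
        *)                                       echo unknown ;;
    esac
}

# DER carries no label. After the version INTEGER, PKCS#8 PrivateKeyInfo has
# an AlgorithmIdentifier SEQUENCE; PKCS#1 RSAPrivateKey has the modulus INTEGER.
der_key_format() {
    head=$(openssl asn1parse -inform DER -in "$1" 2>/dev/null | sed -n '2,3p')
    case "$head" in
        *'prim: INTEGER'*'cons: SEQUENCE'*) echo pkcs8 ;;
        *'prim: INTEGER'*'prim: INTEGER'*)  echo pkcs1 ;;
        *)                                  echo unknown ;;
    esac
}

# Generate the key as in the answer, derive the SPKI public key as in the
# last comment, and write an explicit PKCS#8 DER copy with `pkcs8 -topk8`.
make_keys() {
    ( cd "$1" && umask 077 &&
      openssl genpkey -out rsakey.pem -algorithm RSA \
              -pkeyopt rsa_keygen_bits:2048 2>/dev/null &&
      openssl pkey -in rsakey.pem -pubout -out rsapubkey.pem &&
      openssl pkcs8 -topk8 -nocrypt -in rsakey.pem \
              -outform DER -out rsakey.p8.der )
}

dir=$(mktemp -d) && make_keys "$dir" && {
    echo "rsakey.pem:    $(pem_key_format "$dir/rsakey.pem")"
    echo "rsapubkey.pem: $(pem_key_format "$dir/rsapubkey.pem")"
    echo "rsakey.p8.der: $(der_key_format "$dir/rsakey.p8.der")"
}
rm -rf "$dir"
```

Running `der_key_format` on a file written with `genpkey -outform DER` shows what that option produces on the installed version.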