Generating keys using OpenSSL (2024)

Table of Contents
Generating a private RSA key Generating a private EC key FAQs

There are two ways of getting private keys into a YubiKey: You can eithergenerate the keys directly on the YubiKey, or generate them outside of thedevice, and then importing them into the YubiKey. Reasons for importing keysinclude wanting to make a backup of a private key (generated keys arenon-exportable, for security reasons), or if the private key is provided by anexternal source. This document will guide you through using the OpenSSL commandline tool to generate a key pair which you can then import into a YubiKey. Twodifferent types of keys are supported: RSA and EC (elliptic curve).

Note

When generating a key pair on a PC, you must take care not to expose theprivate key. Ensure that you only do so on a system you consider to be secure.

Generating a private RSA key

  1. Generate an RSA private key, of size 2048, and output it to a file named key.pem:

    openssl genrsa -out key.pem 2048Generating RSA private key, 2048 bit long modulus..........+++..........................................................................+++e is 65537 (0x10001)

  2. Extract the public key from the key pair, which can be used in a certificate:

    See Also
    PEM, DER, CRT, and CER: X.509 Encodings and Conversions - SSL.com

    openssl rsa -in key.pem -outform PEM -pubout -out public.pemwriting RSA key
See Also
Understanding and Using Secure Shell (SSH) and Secure File Transfer Protocol (SFTP)Setting Up SFTP Public Key Authentication On The Command Line | JSCAPEWhat is SSH Public Key Authentication?Logging In to a Remote System to Copy a File (sftp)

Generating a private EC key

  1. Generate an EC private key, of size 256, and output it to a file named key.pem:

    openssl ecparam -name prime256v1 -genkey -noout -out key.pem

  2. Extract the public key from the key pair, which can be used in a certificate:

    openssl ec -in key.pem -pubout -out public.pemread EC keywriting EC key

After running these two commands you end up with two files: key.pem andpublic.pem. These files are referenced in various other guides on this pagewhen dealing with key import.

Generating keys using OpenSSL (2024)

FAQs

How to generate keys in OpenSSL? ›

Procedure
  1. Once installed, run the OpenSSL command prompt. Type openssl to start the application.
  2. To generate a new RSA private key, type: genrsa -out {path_to_pem_file} 2048. ...
  3. To generate a public key, type: rsa -pubout -in {path_private_pem} -out (path_public_pem)

Read On
How to generate private key with OpenSSL Windows? ›

Right-click the openssl.exe file and select Run as administrator. Enter the following command to begin generating a certificate and private key: req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey. key -out certificate.

Discover More Details
How to generate a .key file? ›

To create a KeyFile:
  1. Download OpenSSL and extract the files to your machine.
  2. Open the Command Prompt and navigate to your bin folder of your OpenSSL directory, for example, .../Openssl/bin.
  3. Run the command: openssl rand -base64 756 > <path-to-keyfile> Example: openssl rand -base64 756 > c:\openSSL\key.

Continue Reading
How to generate an ecdsa key using OpenSSL? ›

Generate ECDSA keys
  1. Create a private key. openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-priv-key.pem. ...
  2. Create a public key by extracting it from the private key. openssl ec -in ec-secp256k1-priv-key.pem -pubout > ec-secp256k1-pub-key.pem.

See Details
How to generate PEM keys? ›

How to generate an RSA PEM (asymmetric) key pair?
  1. openssl genrsa -aes256 -out private-key.pem 4096.
  2. openssl rsa -in private-key.pem -pubout > public-key.pem.
  3. cat public-key.pem.
Jan 24, 2023

Find Out More
How to generate keys for SSH? ›

For Windows 10 & 11
  1. Press the Windows key or open up the Start Menu. Type “cmd”.
  2. Under “Best Match”, click “Command Prompt”.
  3. In the command prompt, use the ssh-keygen command: ...
  4. The system will now generate the key pair and display the key fingerprint and a randomart image. ...
  5. Open your file explorer.

Tell Me More
How do I generate a CSR and private key using OpenSSL? ›

In the above command:
  1. openssl - activates the OpenSSL software.
  2. req - indicates that we want a CSR.
  3. -new -newkey - generates a new key.
  4. rsa:2048 - generates a 2048-bit RSA mathematical key.
  5. -nodes - no DES, meaning do not encrypt the private key in a PKCS#12 file.
Mar 7, 2024

Show Me More
How to generate private key from PEM file using OpenSSL? ›

Generating a private EC key
  1. Generate an EC private key, of size 256, and output it to a file named key.pem: openssl ecparam -name prime256v1 -genkey -noout -out key.pem.
  2. Extract the public key from the key pair, which can be used in a certificate: openssl ec -in key.pem -pubout -out public.pem read EC key writing EC key.

Explore More
How do I generate a public and private SSH key? ›

Procedure
  1. In a terminal, run the ssh-keygen command.
  2. Generate the public/private RSA key pair.
  3. Specify the directory in which to save the key pair. For example, /Users/mymac/. ssh/id_rsa... mysftpkey.
  4. Enter the passphrase. Then, enter the same passphrase again. Enter empty if you don't want to use a passphrase.

Continue Reading
How to generate private key from certificate openssl? ›

Procedure
  1. Open the command line.
  2. Create a new private key in the PKCS#1 format. openssl genrsa -des3 -out key_name .key key_strength For example: openssl genrsa -des3 -out private_key.key 2048. ...
  3. Create a certificate signing request (CSR).

Show Me More

How to generate private key from certificate windows? ›

In the console tree, navigate to the certificate you want to export. Right-click the certificate, select All Tasks, and then select Export. On the screen Welcome to the Certificate Export Wizard, select Next. To export the private key, select Yes, export the private key, then select Next.

Read The Full Story
How to get private key from certificate using OpenSSL? ›

Follow these steps to extract the private key using OpenSSL:
  1. Open the command-line tool and navigate to the directory that contains the PKCS12 certificate.
  2. Enter this command: openssl pkcs12 -in [certificate name] -nodes -nocerts -out [private key name]
  3. Enter the passcode for the certificate.

See Details
How to generate private key pem? ›

Creating a .pem with the Private Key and Entire Trust Chain

Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order: The Private Key - your_domain_name.key. The Primary Certificate - your_domain_name.crt. The Intermediate Certificate - DigiCertCA.crt.

Get More Info Here
What is a .pem file? ›

Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. PEM, initially invented to make e-mail secure, is now an Internet security standard.

Continue Reading
What is OpenSSL genrsa? ›

The genrsa command is used to generate an RSA private key file. The most basic form of the genrsa command specifies the name of the output file containing the key and specifies AES256 encryption (required). Windows. Openssl> genrsa -out key-filename.pem -aes256.

View More
How to generate OpenSSL key in Linux? ›

The public key is saved in a file named rsa. public located in the same folder.
  1. Open the Terminal.
  2. Navigate to the folder with the ListManager directory.
  3. Type the following: openssl genrsa -out rsa.private 1024.
  4. Press ENTER. The private key is generated and saved in a file named "rsa. private" located in the same folder.

View Details
How to generate a private key for a certificate in OpenSSL? ›

Procedure
  1. Open the command line.
  2. Create a new private key in the PKCS#1 format. openssl genrsa -des3 -out key_name .key key_strength For example: openssl genrsa -des3 -out private_key.key 2048. ...
  3. Create a certificate signing request (CSR).

See More
How to generate session key in SSL? ›

How is session key generated for TLS?
  1. The Client wants to establish a connection - ClientHello.
  2. The server answers with a ServerHello. ...
  3. The client creates a "pre master secret" and sends it encrypted to the server using its public key.
  4. Both parties create a session key from random number and pre master secret.
Dec 16, 2016

Learn More
How to generate a public key? ›

the key.
  1. Generating public/private rsa key pair. Enter file in which to save the key (/Users/[user_dir]/. ...
  2. Enter passphrase (empty for no passphrase): [passphrase] Enter same passphrase again: [passphrase]
  3. Generating public/private rsa key pair. Your identification has been saved in /Users/[user_dir]/.ssh/id_rsa.
Apr 16, 2024

Discover More Details
Top Articles
TikTok's new monetization feature invites creators to make video ads for a chance to earn money | TechCrunch
Private Equity Investment - Pros, Cons and How to Do It
What to Do For Dog Upset Stomach
What Dog Food is Most Recommended by Veterinarians?
Latest Posts
Build a Strong Community: In-App Chat vs. Third-Party Messaging
What is a Seed Phrase (Secret Recovery Phrase)? | Ledger
Article information

Author: Lakeisha Bayer VM

Last Updated:

Views: 5715

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Lakeisha Bayer VM

Birthday: 1997-10-17

Address: Suite 835 34136 Adrian Mountains, Floydton, UT 81036

Phone: +3571527672278

Job: Manufacturing Agent

Hobby: Skimboarding, Photography, Roller skating, Knife making, Paintball, Embroidery, Gunsmithing

Introduction: My name is Lakeisha Bayer VM, I am a brainy, kind, enchanting, healthy, lovely, clean, witty person who loves writing and wants to share my knowledge and understanding with you.