How to create an RSA public / private key pair using OpenSSL on Linux

Home > Search > How-to

Use  apt-get or yum to install OpenSSL.

~]# yum install openssl


Private key

A public / private key pair can be used to encrypt packets being transmitted over the Internet. One of the most popular uses of a public / private key pair is to encrypt the resources being transmitted to clients from a web server. The first step is to create the private key. In this example, the private key is placed on the web server so that HTTPS can be used. As the name implies, a private key is private, and should never ever be made public.


Move to the /etc/pki/tls/private directory and create the  private key. In this example, the private key will be named and have a 2048-bit RSA algorithm.

~]# cd /etc/pki/tls/private
~]# openssl genrsa -out 2048


Ensure only you can read the private key file.

~]# chmod 400


Certificate Signing Request (CSR)

The certificate signing request (CSR) file is used to add personal information to the public certificate, such as your company name and location. The CSR also contains a reference to the private key. This is what it means to sign the certificate.


Move the the /etc/pki/tls directory, and then create the CSR file. By default, SHA-1 will be used. You can add -sha2, -sha256, or -sha512 after req. There will be a series of prompts, asking for personal information, such as your organization name and location.

Important - If your private key is, you would enter as the common name, and not just

~]# cd /etc/pki/tls
~]# openssl req -new -key /etc/pki/tls/private/ -out


The CSR can be viewed.

~]# openssl req -text -noout -verify -in
Subject: C=US, ST=WI, L=Appleton, O=Example, OU=Example, CN=John Doe
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bits)
Signature Algorithm: sha256WithRSAEncryption


Public certificate (aka X.509)

The public certificate is what is provided to the clients. There is a mathmatical relationship between the public certificate and private key. Both are needed in order for encryption to work.


Change to the certs directory, and create the public certificate. The public certificate is signed using the CSR file.

~]# cd /etc/pki/tls/certs
~]# openssl x509 
    -days 365 
    -in /etc/pki/tls/ 
    -out /etc/pki/tls/certs/ 


The certificate can also be viewed.

~]# openssl x509 -in -text -noout
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=WI, L=Appleton, O=Example, OU=Example,
Not Before: Jul 15 03:06:31 2017 GMT
Not After: July 15 03:06:31 2018 GMT
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)


Using the public / private key pair

You can now use the public / private key pair. In this example, the private key and public certificate are placed on the web server. The CSR file is not used by the web server. 

Internet facing production applications should use a certificate from a trusted CA, such as For non-production applications, a self-signed certificate can be used.  Applications, such as a web browser, will complain when a self-signed certificate is used.


When the client navigates to an HTTPS page, the client will request the public certificate from the web server, and then the public certificate will reside on the clients browser for a period of time. The certificate can be viewed by the client.

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.