FreeKB - OpenSSL Create private key

The easiest way to install the latest stable version of OpenSSL is to use apt-get or yum.

apt-get install openssl
yum install openssl


Private key

A public certificate and its corresponding private key can be used to encrypt packets being transmitted between hosts. One of the most popular uses of a public certificate and its corresponding private key is to encrypt the resources a web server transmits to clients, so that HTTPS can be used. The first step is to create the private key. In this example, the private key is placed on the web server. As the name implies, a private key is private and should never be made public.



The genrsa option is used to create an RSA private key. In this example, the private key will be named and will be 2048 bits long.

openssl genrsa -out 2048


Adding a symmetric cipher option (-aes128 in this example) together with a password encrypts the private key file, so the password is required whenever the key is loaded.

openssl genrsa -out 2048 -aes128 -passout pass:foobar


The private key file should begin with the following.




The dsaparam option is used first, to create the DSA parameters file. In this example, the parameters (and therefore the private key) will be 2048 bits long.

openssl dsaparam -out dsaparam.pem 2048


View the content of the dsaparam file and ensure BEGIN DSA PARAMETERS is displayed.

cat dsaparam.pem


The gendsa option is used to create a DSA private key from the parameters file. In this example, the private key will be named

openssl gendsa -out dsaparam.pem


Or, the req option with the -newkey and -keyout flags can be used.

openssl req -x509 -newkey dsa:dsaparam.pem -keyout



The ecparam option with the -genkey flag is used to create the ECDSA private key.

openssl ecparam -genkey -out -name prime256v1


View the content of the private key file and ensure BEGIN EC PARAMETERS and BEGIN EC PRIVATE KEY are displayed.

. . .
-----BEGIN EC PARAMETERS-----
. . .
-----BEGIN EC PRIVATE KEY-----



Use the chmod command to set the permissions of the private key to 400, so that only you (the file's owner) can read the private key file.

chmod 400


A private key doesn't contain user-specific data such as an "alias" or "expiration date" (that information lives in the certificate), so there is nothing of that kind to decode from a private key.
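The steps above, pulled together into one script as an added example (not code from the FreeKB page): it generates the plain and password-protected RSA keys and the prime256v1 EC key, applies chmod 400, and then verifies each file the way an administrator would before deploying it. The file names (rsa.key, rsa-enc.key, ec.key) and the password "foobar" are placeholders, and the script assumes the openssl command is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the FreeKB page: generate the RSA and EC keys the
# page describes, lock them down with chmod 400, then verify each one.
# rsa.key, rsa-enc.key, ec.key and the password "foobar" are placeholders.
set -eu

WORK=$(mktemp -d)

# make_keys DIR PASS: one plain RSA key, one AES-128-protected RSA key and
# one prime256v1 EC key in DIR, all readable by their owner only.
make_keys() {
    dir=$1; pass=$2
    openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
    openssl genrsa -aes128 -passout "pass:$pass" -out "$dir/rsa-enc.key" 2048 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -out "$dir/ec.key"
    chmod 400 "$dir"/*.key
}

# header_of FILE: print the PEM "BEGIN ... PRIVATE KEY" line of FILE
# (the exact label depends on the key type and on the OpenSSL version).
header_of() {
    grep -- '-----BEGIN.*PRIVATE KEY-----' "$1" | head -n 1
}

# key_ok FILE [PASS]: succeed only if FILE has mode 400 and OpenSSL can load
# it. Without PASS, stdin is closed so an encrypted key cannot prompt and fails.
key_ok() {
    file=$1; pass=${2:-}
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")  # GNU, then BSD stat
    [ "$mode" = "400" ] || return 1
    if [ -n "$pass" ]; then
        openssl pkey -in "$file" -passin "pass:$pass" -noout >/dev/null 2>&1
    else
        openssl pkey -in "$file" -noout </dev/null >/dev/null 2>&1
    fi
}

make_keys "$WORK" foobar
for f in "$WORK"/*.key; do
    printf '%s: %s\n' "$(basename "$f")" "$(header_of "$f")"
done
key_ok "$WORK/rsa-enc.key" foobar && echo "encrypted key loads with the right password"
key_ok "$WORK/rsa-enc.key" wrong  || echo "encrypted key refuses a wrong password"
```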
