rsa.pod revision 279265
178189Sbrian 278189Sbrian=pod 378189Sbrian 478189Sbrian=head1 NAME 578189Sbrian 66059Samurairsa - RSA key processing tool 778189Sbrian 878189Sbrian=head1 SYNOPSIS 978189Sbrian 1078189SbrianB<openssl> B<rsa> 1178189Sbrian[B<-inform PEM|NET|DER>] 1278189Sbrian[B<-outform PEM|NET|DER>] 1378189Sbrian[B<-in filename>] 1478189Sbrian[B<-passin arg>] 156059Samurai[B<-out filename>] 1678189Sbrian[B<-passout arg>] 1778189Sbrian[B<-sgckey>] 1878189Sbrian[B<-aes128>] 1978189Sbrian[B<-aes192>] 2078189Sbrian[B<-aes256>] 2178189Sbrian[B<-camellia128>] 2278189Sbrian[B<-camellia192>] 2378189Sbrian[B<-camellia256>] 2478189Sbrian[B<-des>] 2578189Sbrian[B<-des3>] 2678189Sbrian[B<-idea>] 276059Samurai[B<-text>] 2850479Speter[B<-noout>] 296059Samurai[B<-modulus>] 3078189Sbrian[B<-check>] 3130715Sbrian[B<-pubin>] 326059Samurai[B<-pubout>] 3329048Sbrian[B<-engine id>] 346059Samurai 356059Samurai=head1 DESCRIPTION 366059Samurai 3776492SbrianThe B<rsa> command processes RSA keys. They can be converted between various 3840665Sbrianforms and their components printed out. B<Note> this command uses the 3930715Sbriantraditional SSLeay compatible format for private key encryption: newer 4036285Sbrianapplications should use the more secure PKCS#8 format using the B<pkcs8> 4130715Sbrianutility. 4246085Sbrian 4336285Sbrian=head1 COMMAND OPTIONS 4436285Sbrian 45102500Sbrian=over 4 4632614Sbrian 4730715Sbrian=item B<-inform DER|NET|PEM> 4858044Sbrian 4936285SbrianThis specifies the input format. The B<DER> option uses an ASN1 DER encoded 5030715Sbrianform compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. 5130715SbrianThe B<PEM> form is the default format: it consists of the B<DER> format base64 5250059Sbrianencoded with additional header and footer lines. On input PKCS#8 format private 5358037Sbriankeys are also accepted. The B<NET> form is a format is described in the B<NOTES> 5458037Sbriansection. 5558037Sbrian 5646086Sbrian=item B<-outform DER|NET|PEM> 5739395Sbrian 5839395SbrianThis specifies the output format, the options have the same meaning as the 5958037SbrianB<-inform> option. 6046686Sbrian 6138814Sbrian=item B<-in filename> 6237009Sbrian 6331343SbrianThis specifies the input filename to read a key from or standard input if this 6430715Sbrianoption is not specified. If the key is encrypted a pass phrase will be 6530715Sbrianprompted for. 6630715Sbrian 6729048Sbrian=item B<-passin arg> 6846686Sbrian 6931690Sbrianthe input file password source. For more information about the format of B<arg> 7036285Sbriansee the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. 7136285Sbrian 7238557Sbrian=item B<-out filename> 7338557Sbrian 7463484SbrianThis specifies the output filename to write a key to or standard output if this 7581634Sbrianoption is not specified. If any encryption options are set then a pass phrase 7681634Sbrianwill be prompted for. The output filename should B<not> be the same as the input 7729048Sbrianfilename. 7836285Sbrian 7936285Sbrian=item B<-passout password> 8030715Sbrian 8136285Sbrianthe output file password source. For more information about the format of B<arg> 8236285Sbriansee the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. 8336285Sbrian 8436285Sbrian=item B<-sgckey> 8536285Sbrian 8643313Sbrianuse the modified NET algorithm used with some versions of Microsoft IIS and SGC 8743313Sbriankeys. 8843313Sbrian 8981634Sbrian=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> 9081634Sbrian 9136285SbrianThese options encrypt the private key with the specified 9236285Sbriancipher before outputting it. A pass phrase is prompted for. 9336285SbrianIf none of these options is specified the key is written in plain text. This 9436285Sbrianmeans that using the B<rsa> utility to read in an encrypted key with no 9536285Sbrianencryption option can be used to remove the pass phrase from a key, or by 9631690Sbriansetting the encryption options it can be use to add or change the pass phrase. 9740561SbrianThese options can only be used with PEM format output files. 986059Samurai 9936285Sbrian=item B<-text> 10036285Sbrian 10136285Sbrianprints out the various public or private key components in 10236285Sbrianplain text in addition to the encoded version. 1036059Samurai 10436285Sbrian=item B<-noout> 10536285Sbrian 10636285Sbrianthis option prevents output of the encoded version of the key. 10736285Sbrian 10836285Sbrian=item B<-modulus> 1096059Samurai 11036285Sbrianthis option prints out the value of the modulus of the key. 11136285Sbrian 11226516Sbrian=item B<-check> 11326516Sbrian 11444305Sbrianthis option checks the consistency of an RSA private key. 11536285Sbrian 11636285Sbrian=item B<-pubin> 11736285Sbrian 11894894Sbrianby default a private key is read from the input file: with this 11936285Sbrianoption a public key is read instead. 1206059Samurai 12136285Sbrian=item B<-pubout> 1226059Samurai 1236059Samuraiby default a private key is output: with this option a public 1246059Samuraikey will be output instead. This option is automatically set if 1256059Samuraithe input is a public key. 1266059Samurai 1276059Samurai=item B<-engine id> 12836285Sbrian 1296059Samuraispecifying an engine (by it's unique B<id> string) will cause B<req> 1306059Samuraito attempt to obtain a functional reference to the specified engine, 13136285Sbrianthus initialising it if needed. The engine will then be set as the default 13236285Sbrianfor all available algorithms. 1336059Samurai 1346059Samurai=back 13558034Sbrian 13658034Sbrian=head1 NOTES 13758034Sbrian 13858034SbrianThe PEM private key format uses the header and footer lines: 13958034Sbrian 14058034Sbrian -----BEGIN RSA PRIVATE KEY----- 14158034Sbrian -----END RSA PRIVATE KEY----- 14258034Sbrian 14358034SbrianThe PEM public key format uses the header and footer lines: 14458034Sbrian 14558034Sbrian -----BEGIN PUBLIC KEY----- 14658034Sbrian -----END PUBLIC KEY----- 14758034Sbrian 14858034SbrianThe B<NET> form is a format compatible with older Netscape servers 14958034Sbrianand Microsoft IIS .key files, this uses unsalted RC4 for its encryption. 15058034SbrianIt is not very secure and so should only be used when necessary. 15158034Sbrian 1526059SamuraiSome newer version of IIS have additional data in the exported .key 15358034Sbrianfiles. To use these with the utility, view the file with a binary editor 15458034Sbrianand look for the string "private-key", then trace back to the byte 15558034Sbriansequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data 15631171Sbrianfrom this point onwards to another file and use that as the input 15758034Sbrianto the B<rsa> utility with the B<-inform NET> option. If you get 15858034Sbrianan error after entering the password try the B<-sgckey> option. 15931171Sbrian 16031272Sbrian=head1 EXAMPLES 16136285Sbrian 1626059SamuraiTo remove the pass phrase on an RSA private key: 16336285Sbrian 1646059Samurai openssl rsa -in key.pem -out keyout.pem 1656059Samurai 16631272SbrianTo encrypt a private key using triple DES: 16736285Sbrian 1686059Samurai openssl rsa -in key.pem -des3 -out keyout.pem 16936285Sbrian 1706059SamuraiTo convert a private key from PEM to DER format: 1716059Samurai 17258044Sbrian openssl rsa -in key.pem -outform DER -out keyout.der 17358044Sbrian 1746059SamuraiTo print out the components of a private key to standard output: 17558044Sbrian 1766059Samurai openssl rsa -in key.pem -text -noout 17758044Sbrian 17836285SbrianTo just output the public part of a private key: 17958044Sbrian 18058044Sbrian openssl rsa -in key.pem -pubout -out pubkey.pem 18158044Sbrian 18232614Sbrian=head1 BUGS 18358044Sbrian 18458044SbrianThe command line password arguments don't currently work with 18558044SbrianB<NET> format. 18658044Sbrian 18758044SbrianThere should be an option that automatically handles .key files, 18829048Sbrianwithout having to manually edit them. 18958044Sbrian 19058044Sbrian=head1 SEE ALSO 19126516Sbrian 19258044SbrianL<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, 19358044SbrianL<gendsa(1)|gendsa(1)> 19431272Sbrian 19558044Sbrian=cut 19658044Sbrian