1 | |
---|
2 | =pod |
---|
3 | |
---|
4 | =head1 NAME |
---|
5 | |
---|
6 | rsa - RSA key processing tool |
---|
7 | |
---|
8 | =head1 SYNOPSIS |
---|
9 | |
---|
10 | B<openssl> B<rsa> |
---|
11 | [B<-inform PEM|NET|DER>] |
---|
12 | [B<-outform PEM|NET|DER>] |
---|
13 | [B<-in filename>] |
---|
14 | [B<-passin arg>] |
---|
15 | [B<-out filename>] |
---|
16 | [B<-passout arg>] |
---|
17 | [B<-sgckey>] |
---|
18 | [B<-des>] |
---|
19 | [B<-des3>] |
---|
20 | [B<-idea>] |
---|
21 | [B<-text>] |
---|
22 | [B<-noout>] |
---|
23 | [B<-modulus>] |
---|
24 | [B<-check>] |
---|
25 | [B<-pubin>] |
---|
26 | [B<-pubout>] |
---|
27 | |
---|
28 | =head1 DESCRIPTION |
---|
29 | |
---|
30 | The B<rsa> command processes RSA keys. They can be converted between various |
---|
31 | forms and their components printed out. B<Note> this command uses the |
---|
32 | traditional SSLeay compatible format for private key encryption: newer |
---|
33 | applications should use the more secure PKCS#8 format using the B<pkcs8> |
---|
34 | utility. |
---|
35 | |
---|
36 | =head1 COMMAND OPTIONS |
---|
37 | |
---|
38 | =over 4 |
---|
39 | |
---|
40 | =item B<-inform DER|NET|PEM> |
---|
41 | |
---|
42 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded |
---|
43 | form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. |
---|
44 | The B<PEM> form is the default format: it consists of the B<DER> format base64 |
---|
45 | encoded with additional header and footer lines. On input PKCS#8 format private |
---|
46 | keys are also accepted. The B<NET> form is a format is described in the B<NOTES> |
---|
47 | section. |
---|
48 | |
---|
49 | =item B<-outform DER|NET|PEM> |
---|
50 | |
---|
51 | This specifies the output format, the options have the same meaning as the |
---|
52 | B<-inform> option. |
---|
53 | |
---|
54 | =item B<-in filename> |
---|
55 | |
---|
56 | This specifies the input filename to read a key from or standard input if this |
---|
57 | option is not specified. If the key is encrypted a pass phrase will be |
---|
58 | prompted for. |
---|
59 | |
---|
60 | =item B<-passin arg> |
---|
61 | |
---|
62 | the input file password source. For more information about the format of B<arg> |
---|
63 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
---|
64 | |
---|
65 | =item B<-out filename> |
---|
66 | |
---|
67 | This specifies the output filename to write a key to or standard output if this |
---|
68 | option is not specified. If any encryption options are set then a pass phrase |
---|
69 | will be prompted for. The output filename should B<not> be the same as the input |
---|
70 | filename. |
---|
71 | |
---|
72 | =item B<-passout password> |
---|
73 | |
---|
74 | the output file password source. For more information about the format of B<arg> |
---|
75 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
---|
76 | |
---|
77 | =item B<-sgckey> |
---|
78 | |
---|
79 | use the modified NET algorithm used with some versions of Microsoft IIS and SGC |
---|
80 | keys. |
---|
81 | |
---|
82 | =item B<-des|-des3|-idea> |
---|
83 | |
---|
84 | These options encrypt the private key with the DES, triple DES, or the |
---|
85 | IDEA ciphers respectively before outputting it. A pass phrase is prompted for. |
---|
86 | If none of these options is specified the key is written in plain text. This |
---|
87 | means that using the B<rsa> utility to read in an encrypted key with no |
---|
88 | encryption option can be used to remove the pass phrase from a key, or by |
---|
89 | setting the encryption options it can be use to add or change the pass phrase. |
---|
90 | These options can only be used with PEM format output files. |
---|
91 | |
---|
92 | =item B<-text> |
---|
93 | |
---|
94 | prints out the various public or private key components in |
---|
95 | plain text in addition to the encoded version. |
---|
96 | |
---|
97 | =item B<-noout> |
---|
98 | |
---|
99 | this option prevents output of the encoded version of the key. |
---|
100 | |
---|
101 | =item B<-modulus> |
---|
102 | |
---|
103 | this option prints out the value of the modulus of the key. |
---|
104 | |
---|
105 | =item B<-check> |
---|
106 | |
---|
107 | this option checks the consistency of an RSA private key. |
---|
108 | |
---|
109 | =item B<-pubin> |
---|
110 | |
---|
111 | by default a private key is read from the input file: with this |
---|
112 | option a public key is read instead. |
---|
113 | |
---|
114 | =item B<-pubout> |
---|
115 | |
---|
116 | by default a private key is output: with this option a public |
---|
117 | key will be output instead. This option is automatically set if |
---|
118 | the input is a public key. |
---|
119 | |
---|
120 | =back |
---|
121 | |
---|
122 | =head1 NOTES |
---|
123 | |
---|
124 | The PEM private key format uses the header and footer lines: |
---|
125 | |
---|
126 | -----BEGIN RSA PRIVATE KEY----- |
---|
127 | -----END RSA PRIVATE KEY----- |
---|
128 | |
---|
129 | The PEM public key format uses the header and footer lines: |
---|
130 | |
---|
131 | -----BEGIN PUBLIC KEY----- |
---|
132 | -----END PUBLIC KEY----- |
---|
133 | |
---|
134 | The B<NET> form is a format compatible with older Netscape servers |
---|
135 | and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. |
---|
136 | It is not very secure and so should only be used when necessary. |
---|
137 | |
---|
138 | Some newer version of IIS have additional data in the exported .key |
---|
139 | files. To use thse with the utility view the file with a binary editor |
---|
140 | and look for the string "private-key", then trace back to the byte |
---|
141 | sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data |
---|
142 | from this point onwards to another file and use that as the input |
---|
143 | to the B<rsa> utility with the B<-inform NET> option. If you get |
---|
144 | an error after entering the password try the B<-sgckey> option. |
---|
145 | |
---|
146 | =head1 EXAMPLES |
---|
147 | |
---|
148 | To remove the pass phrase on an RSA private key: |
---|
149 | |
---|
150 | openssl rsa -in key.pem -out keyout.pem |
---|
151 | |
---|
152 | To encrypt a private key using triple DES: |
---|
153 | |
---|
154 | openssl rsa -in key.pem -des3 -out keyout.pem |
---|
155 | |
---|
156 | To convert a private key from PEM to DER format: |
---|
157 | |
---|
158 | openssl rsa -in key.pem -outform DER -out keyout.der |
---|
159 | |
---|
160 | To print out the components of a private key to standard output: |
---|
161 | |
---|
162 | openssl rsa -in key.pem -text -noout |
---|
163 | |
---|
164 | To just output the public part of a private key: |
---|
165 | |
---|
166 | openssl rsa -in key.pem -pubout -out pubkey.pem |
---|
167 | |
---|
168 | =head1 BUGS |
---|
169 | |
---|
170 | The command line password arguments don't currently work with |
---|
171 | B<NET> format. |
---|
172 | |
---|
173 | There should be an option that automatically handles .key files, |
---|
174 | without having to manually edit them. |
---|
175 | |
---|
176 | =head1 SEE ALSO |
---|
177 | |
---|
178 | L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, |
---|
179 | L<gendsa(1)|gendsa(1)> |
---|
180 | |
---|
181 | =cut |
---|