openssl genpkey: Modern Private Key Generation
openssl genpkey generates a private key for any supported algorithm with one consistent interface.
genpkey supersedes genrsa and ecparam for new scripts. It always emits PKCS#8 and works the same across RSA, EC, and Ed25519.
What it does
openssl genpkey creates a private key for the algorithm you name with -algorithm, applying any algorithm options via -pkeyopt. Output is PEM PKCS#8 by default.
Common usage
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ec.pem
openssl genpkey -algorithm Ed25519 -out ed.pemOptions
| Flag | What it does |
|---|---|
| -algorithm <name> | Key type: RSA, EC, Ed25519, X25519, etc. |
| -pkeyopt <opt:value> | Algorithm parameter, e.g. rsa_keygen_bits:4096 |
| -out <file> | Write the key to a file |
| -aes256 | Encrypt the output key |
| -pass pass:<x> | Supply the encryption passphrase non-interactively |
Common errors in CI
"Algorithm <X> not found" means the provider for that algorithm is not loaded; on OpenSSL 3.x check that the default provider is active. "ec_paramgen_curve: parameter setting error" usually means a misspelled curve name (use P-256, not prime256v1, here). Entropy/RANDFILE errors are the same as with genrsa: set HOME or RANDFILE to a writable path.