Skip to content
Latchkey

openssl genpkey: Modern Private Key Generation

openssl genpkey generates a private key for any supported algorithm with one consistent interface.

genpkey supersedes genrsa and ecparam for new scripts. It always emits PKCS#8 and works the same across RSA, EC, and Ed25519.

What it does

openssl genpkey creates a private key for the algorithm you name with -algorithm, applying any algorithm options via -pkeyopt. Output is PEM PKCS#8 by default.

Common usage

Terminal
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ec.pem
openssl genpkey -algorithm Ed25519 -out ed.pem

Options

FlagWhat it does
-algorithm <name>Key type: RSA, EC, Ed25519, X25519, etc.
-pkeyopt <opt:value>Algorithm parameter, e.g. rsa_keygen_bits:4096
-out <file>Write the key to a file
-aes256Encrypt the output key
-pass pass:<x>Supply the encryption passphrase non-interactively

Common errors in CI

"Algorithm <X> not found" means the provider for that algorithm is not loaded; on OpenSSL 3.x check that the default provider is active. "ec_paramgen_curve: parameter setting error" usually means a misspelled curve name (use P-256, not prime256v1, here). Entropy/RANDFILE errors are the same as with genrsa: set HOME or RANDFILE to a writable path.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →