Skip to content
Latchkey

openssl genrsa: Generate RSA Private Keys in CI

openssl genrsa creates an RSA private key of the size you specify and writes it as PEM.

When a test needs a throwaway RSA key, genrsa is the quickest way to get one. The defaults are sensible; the size argument is the main knob.

What it does

openssl genrsa generates an RSA private key and prints it in PEM format to stdout (or a file with -out). By default it is unencrypted unless you pass a cipher flag such as -aes256.

Common usage

Terminal
openssl genrsa -out key.pem 2048
openssl genrsa -out key.pem 4096
openssl genrsa -aes256 -out key.pem 2048   # prompts for a passphrase

Options

FlagWhat it does
-out <file>Write the key to a file instead of stdout
numbitsKey size in bits as the last argument (default 2048)
-aes256 / -aes128Encrypt the key with the given cipher (prompts for passphrase)
-passout pass:<x>Supply the passphrase non-interactively
-traditionalOpenSSL 3.x: emit the old PKCS#1 RSA PRIVATE KEY format

In CI

genrsa is fine for tests, but newer guidance prefers openssl genpkey. On OpenSSL 3.x, genrsa writes a PKCS#8 PRIVATE KEY header by default, while 1.1.1 wrote an RSA PRIVATE KEY (PKCS#1) header. If a tool expects the old header, add -traditional on 3.x.

Common errors in CI

unable to write 'random state' or "Can't load /root/.rnd into RNG" appears on minimal images where $HOME or the RANDFILE path is not writable. Set RANDFILE=/dev/null or HOME=/tmp. "Permission denied" on -out means the target directory is read-only; write to /tmp instead.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →