openssl genrsa: Generate RSA Private Keys in CI
openssl genrsa creates an RSA private key of the size you specify and writes it as PEM.
When a test needs a throwaway RSA key, genrsa is the quickest way to get one. The defaults are sensible; the size argument is the main knob.
What it does
openssl genrsa generates an RSA private key and prints it in PEM format to stdout (or a file with -out). By default it is unencrypted unless you pass a cipher flag such as -aes256.
Common usage
openssl genrsa -out key.pem 2048
openssl genrsa -out key.pem 4096
openssl genrsa -aes256 -out key.pem 2048 # prompts for a passphraseOptions
| Flag | What it does |
|---|---|
| -out <file> | Write the key to a file instead of stdout |
| numbits | Key size in bits as the last argument (default 2048) |
| -aes256 / -aes128 | Encrypt the key with the given cipher (prompts for passphrase) |
| -passout pass:<x> | Supply the passphrase non-interactively |
| -traditional | OpenSSL 3.x: emit the old PKCS#1 RSA PRIVATE KEY format |
In CI
genrsa is fine for tests, but newer guidance prefers openssl genpkey. On OpenSSL 3.x, genrsa writes a PKCS#8 PRIVATE KEY header by default, while 1.1.1 wrote an RSA PRIVATE KEY (PKCS#1) header. If a tool expects the old header, add -traditional on 3.x.
Common errors in CI
unable to write 'random state' or "Can't load /root/.rnd into RNG" appears on minimal images where $HOME or the RANDFILE path is not writable. Set RANDFILE=/dev/null or HOME=/tmp. "Permission denied" on -out means the target directory is read-only; write to /tmp instead.