Skip to content
Latchkey

openssl pkey: Inspect Any Private Key

openssl pkey reads, inspects, and re-emits private or public keys of any supported algorithm.

pkey is to rsa/ec what genpkey is to genrsa/ecparam: one command for every key type. Prefer it in new scripts.

What it does

openssl pkey processes a private or public key regardless of algorithm. It can print components (-text), validate (-check), extract the public key (-pubout), or convert formats, working for RSA, EC, and Ed25519 alike.

Common usage

Terminal
openssl pkey -in key.pem -text -noout
openssl pkey -in key.pem -pubout -out pub.pem
openssl pkey -in ec.pem -check -noout

Options

FlagWhat it does
-puboutOutput only the public key
-textPrint key parameters in text
-checkValidate the key consistency
-nooutSuppress the encoded key
-passin pass:<x>Passphrase for an encrypted key
-outform der|pemOutput encoding

Common errors in CI

"unable to load key" or "Could not read key" usually means a wrong passphrase or that the file holds a certificate, not a key. On OpenSSL 3.x, "fetch failed" or "unsupported" on an older algorithm points at the legacy provider being inactive; load it with -provider legacy -provider default.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →