openssl pkey: Inspect Any Private Key
openssl pkey reads, inspects, and re-emits private or public keys of any supported algorithm.
pkey is to rsa/ec what genpkey is to genrsa/ecparam: one command for every key type. Prefer it in new scripts.
What it does
openssl pkey processes a private or public key regardless of algorithm. It can print components (-text), validate (-check), extract the public key (-pubout), or convert formats, working for RSA, EC, and Ed25519 alike.
Common usage
openssl pkey -in key.pem -text -noout
openssl pkey -in key.pem -pubout -out pub.pem
openssl pkey -in ec.pem -check -nooutOptions
| Flag | What it does |
|---|---|
| -pubout | Output only the public key |
| -text | Print key parameters in text |
| -check | Validate the key consistency |
| -noout | Suppress the encoded key |
| -passin pass:<x> | Passphrase for an encrypted key |
| -outform der|pem | Output encoding |
Common errors in CI
"unable to load key" or "Could not read key" usually means a wrong passphrase or that the file holds a certificate, not a key. On OpenSSL 3.x, "fetch failed" or "unsupported" on an older algorithm points at the legacy provider being inactive; load it with -provider legacy -provider default.