Skip to content
Latchkey

openssl rsa: Inspect and Convert RSA Keys

openssl rsa reads an RSA private or public key and re-emits, inspects, or transforms it.

Use rsa to strip a passphrase, extract the public key, or check that a key file is well formed before a deploy step trusts it.

What it does

openssl rsa processes RSA keys: it can validate them (-check), print their components (-text), export the public half (-pubout), or write the key without its passphrase by reading with -passin and omitting an output cipher.

Common usage

Terminal
openssl rsa -in key.pem -check -noout
openssl rsa -in key.pem -pubout -out pub.pem
# remove a passphrase
openssl rsa -in enc-key.pem -passin pass:secret -out plain-key.pem

Options

FlagWhat it does
-checkVerify the key is consistent
-puboutOutput the public key only
-textPrint the key components
-nooutDo not output the encoded key
-passin pass:<x>Passphrase for an encrypted input key
-traditionalOpenSSL 3.x: emit PKCS#1 (RSA PRIVATE KEY) format

Common errors in CI

"unable to load Private Key" with "bad decrypt" or "bad password read" means the wrong or missing -passin passphrase. "Expecting: ANY PRIVATE KEY" means you fed it a certificate or public key. On OpenSSL 3.x a key tool expecting the old PKCS#1 header needs -traditional, otherwise it sees the PKCS#8 PRIVATE KEY header it cannot parse.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →