openssl rsa: Inspect and Convert RSA Keys
openssl rsa reads an RSA private or public key and re-emits, inspects, or transforms it.
Use rsa to strip a passphrase, extract the public key, or check that a key file is well formed before a deploy step trusts it.
What it does
openssl rsa processes RSA keys: it can validate them (-check), print their components (-text), export the public half (-pubout), or write the key without its passphrase by reading with -passin and omitting an output cipher.
Common usage
openssl rsa -in key.pem -check -noout
openssl rsa -in key.pem -pubout -out pub.pem
# remove a passphrase
openssl rsa -in enc-key.pem -passin pass:secret -out plain-key.pemOptions
| Flag | What it does |
|---|---|
| -check | Verify the key is consistent |
| -pubout | Output the public key only |
| -text | Print the key components |
| -noout | Do not output the encoded key |
| -passin pass:<x> | Passphrase for an encrypted input key |
| -traditional | OpenSSL 3.x: emit PKCS#1 (RSA PRIVATE KEY) format |
Common errors in CI
"unable to load Private Key" with "bad decrypt" or "bad password read" means the wrong or missing -passin passphrase. "Expecting: ANY PRIVATE KEY" means you fed it a certificate or public key. On OpenSSL 3.x a key tool expecting the old PKCS#1 header needs -traditional, otherwise it sees the PKCS#8 PRIVATE KEY header it cannot parse.