Unlocking Digital Security: A Developer’s Guide to Generating RSA and EC Key Pairs with OpenSSL


In today’s security-first development landscape, generating cryptographic key pairs is more than just a technical necessity—it’s a critical component of building secure systems. Whether you’re working with HTTPS, JWT, SSH, or mutual TLS, understanding how to generate RSA and Elliptic Curve (EC) key pairs using OpenSSL gives you full control over your cryptographic operations.

This guide provides a comprehensive, developer-friendly walkthrough for generating both RSA and EC key pairs using OpenSSL. It also includes practical advice, additional configuration options, and important considerations for real-world applications.


🔐 Why Use RSA or EC Keys?

Before diving into the command line, let’s briefly review the difference between these two algorithms:

| Algorithm | Strengths | Common Use Cases |
|---|---|---|
| RSA | Widely adopted, simple | TLS/SSL certificates, digital signatures |
| EC (Elliptic Curve) | Strong security with smaller key sizes | Mobile apps, IoT, JWT tokens, modern TLS |

🧰 Prerequisites

Ensure you have OpenSSL installed. Most UNIX-based systems (Linux/macOS) already have it. To verify:

openssl version

If not installed, you can get it via:


🔑 Generating RSA Key Pairs

✅ Step 1: Generate a Private Key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

  • 2048 is the common minimum; use 4096 for extra security.
  • Important: genpkey is the recommended command over the older genrsa.

✅ Step 2: Extract the Public Key

openssl rsa -pubout -in private_key.pem -out public_key.pem

✅ Optional: Encrypt the Private Key with a Passphrase

openssl genpkey -algorithm RSA -aes256 -out private_key_enc.pem -pkeyopt rsa_keygen_bits:2048

  • -aes256 encrypts the private key on disk with AES-256, so the file alone is useless without the passphrase.
  • You’ll be prompted to enter a passphrase, and any later command that loads the key (extracting the public key, signing, starting a TLS server) will ask for it again.
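The RSA steps above, wrapped into a small POSIX shell script that runs them unattended and checks the result. This is an added example, not code from the original post: it assumes OpenSSL 1.1.1 or 3.x on PATH, uses file names of its own choosing, and feeds the passphrase through genpkey's -pass option (source pass:...) only so that the script can run without a prompt. It also sets umask 077 before the private key is written, so the file is created owner-only instead of being fixed up with chmod afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: generate an RSA key pair with
# OpenSSL, optionally passphrase-protect it, and read the modulus size back.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; file names are this example's own.
set -eu

# Generate an RSA private key of $2 bits into $1 and write the public key to
# <name>.pub.pem. If a passphrase is given as $3 the key is stored encrypted
# with AES-256, as in the optional step above, but the passphrase comes from
# -pass so the script can run unattended. umask 077 in a subshell makes the
# private key file owner-only (mode 600) from the moment it is created.
rsa_generate() {
    priv="$1"
    bits="$2"
    pass="${3:-}"
    if [ -n "$pass" ]; then
        ( umask 077 && openssl genpkey -algorithm RSA -aes256 -pass pass:"$pass" \
              -out "$priv" -pkeyopt rsa_keygen_bits:"$bits" 2>/dev/null )
    else
        ( umask 077 && openssl genpkey -algorithm RSA \
              -out "$priv" -pkeyopt rsa_keygen_bits:"$bits" 2>/dev/null )
    fi
    # Extracting the public half needs the passphrase for an encrypted key;
    # for an unencrypted key the empty -passin value is simply ignored.
    openssl rsa -in "$priv" -passin pass:"$pass" -pubout \
        -out "${priv%.pem}.pub.pem" 2>/dev/null
}

# Print the modulus size of an RSA private key (e.g. "2048"); pass the
# passphrase as $2 for an encrypted key. The first line of `openssl pkey -text`
# reads "Private-Key: (2048 bit, 2 primes)" in 3.x and "RSA Private-Key: ..."
# in 1.1.1, so the pattern anchors only on the common part.
rsa_key_bits() {
    openssl pkey -in "$1" -passin pass:"${2:-}" -noout -text 2>/dev/null </dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed (exit 0) only if the key loads without a passphrase, i.e. it is
# stored in the clear. Used to confirm that an encrypted key refuses to load.
rsa_key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null </dev/null
}

# Demo: one plain and one encrypted key pair in a temporary directory.
main() {
    dir="$(mktemp -d)"
    rsa_generate "$dir/api_rsa_2048.pem" 2048
    rsa_generate "$dir/api_rsa_2048_enc.pem" 2048 'demo-passphrase'
    echo "plain key:     $(rsa_key_bits "$dir/api_rsa_2048.pem") bits"
    echo "encrypted key: $(rsa_key_bits "$dir/api_rsa_2048_enc.pem" demo-passphrase) bits"
    if rsa_key_is_unencrypted "$dir/api_rsa_2048_enc.pem"; then
        echo "encrypted key loaded without a passphrase!"
    else
        echo "encrypted key correctly refuses to load without the passphrase"
    fi
    ls -l "$dir"   # private keys show -rw-------, public keys the default mode
    rm -rf "$dir"
}
main "$@"
```

Supplying the passphrase as `pass:...` on the command line is fine for a throwaway demo but exposes it to every local user through the process list; for real automation use one of OpenSSL's other password sources (`-pass file:...`, `-pass env:...` or `-pass fd:...`) so the secret never appears in argv.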

⚡ Generating EC Key Pairs

✅ Step 1: Choose a Curve

You can list available curves using:

openssl ecparam -list_curves

Common curves:

  • prime256v1 (also known as secp256r1)
  • secp384r1
  • secp521r1

✅ Step 2: Generate EC Private Key

openssl ecparam -name prime256v1 -genkey -noout -out ec_private_key.pem

  • -genkey: tells OpenSSL to generate a private key on the named curve.
  • -noout: suppresses the EC PARAMETERS block that ecparam would otherwise write in front of the key, so the output file contains only the EC PRIVATE KEY.

✅ Step 3: Extract the EC Public Key

openssl ec -in ec_private_key.pem -pubout -out ec_public_key.pem
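The EC steps above as a script, plus two checks a reviewer usually wants: which curve a key file actually uses and what size OpenSSL reports for it. This is an added example and not code from the original post; it assumes OpenSSL 1.1.1 or 3.x on PATH and file names of its own choosing. It goes a little beyond the text by also showing the genpkey form of EC key generation (the post recommends genpkey for RSA; the EC options used here are OpenSSL's own ec_paramgen_curve and ec_param_enc).

```shell
#!/bin/sh
# Added example, not from the original post: generate an EC key pair on a
# chosen curve and read the curve name and size back from the stored key.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; file names are this example's own.
set -eu

# Generate an EC private key on curve $2 into $1 with the ecparam form used
# above, and write the matching public key to <name>.pub.pem. umask 077 in a
# subshell makes the private key file owner-only from the moment it exists.
ec_generate() {
    priv="$1"
    curve="$2"
    ( umask 077 && openssl ecparam -name "$curve" -genkey -noout -out "$priv" 2>/dev/null )
    openssl ec -in "$priv" -pubout -out "${priv%.pem}.pub.pem" 2>/dev/null
}

# The same key via genpkey. ec_param_enc:named_curve stores the curve as an
# OID rather than as explicit parameters, which is what TLS stacks and JWT
# libraries expect to see.
ec_generate_genpkey() {
    priv="$1"
    curve="$2"
    ( umask 077 && openssl genpkey -algorithm EC \
          -pkeyopt ec_paramgen_curve:"$curve" \
          -pkeyopt ec_param_enc:named_curve -out "$priv" 2>/dev/null )
    openssl pkey -in "$priv" -pubout -out "${priv%.pem}.pub.pem" 2>/dev/null
}

# Print the curve name recorded in an EC key file, e.g. "prime256v1". The
# -text dump contains a line "ASN1 OID: <name>" for named curves; pass
# --public as $2 to inspect a public key instead of a private one.
ec_curve_name() {
    if [ "${2:-}" = "--public" ]; then
        openssl ec -pubin -in "$1" -noout -text 2>/dev/null
    else
        openssl ec -in "$1" -noout -text 2>/dev/null
    fi | sed -n 's/^ASN1 OID: *//p'
}

# Print the key size in bits as OpenSSL reports it (256, 384 or 521), so a
# curve choice can be checked against a policy that states a minimum.
ec_key_bits() {
    openssl ec -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Demo: one key per common curve, then one generated with genpkey.
main() {
    dir="$(mktemp -d)"
    for curve in prime256v1 secp384r1 secp521r1; do
        ec_generate "$dir/svc_${curve}.pem" "$curve"
        echo "$curve: $(ec_key_bits "$dir/svc_${curve}.pem") bits," \
             "public key reports $(ec_curve_name "$dir/svc_${curve}.pub.pem" --public)"
    done
    ec_generate_genpkey "$dir/svc_genpkey.pem" prime256v1
    echo "genpkey key curve: $(ec_curve_name "$dir/svc_genpkey.pem")"
    rm -rf "$dir"
}
main "$@"
```

Reading the curve back from the public key file (the `--public` path) is the check to run on keys received from someone else: the file name says nothing reliable about the curve, and a client or library that only accepts P-256 will reject a secp384r1 key at connection time rather than at deployment time.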

📦 Output Formats: PEM vs DER

You can specify the format using the -outform option:

  • PEM: Base64-encoded, readable, used for most tools.
  • DER: Binary format, used in some applications or embedded systems.

Example:

openssl rsa -in private_key.pem -outform DER -out private_key.der

🔍 Verifying Keys

To inspect and verify a private key:

openssl pkey -in private_key.pem -text -noout

To verify a public key:

openssl pkey -pubin -in public_key.pem -text -noout
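A verification step that goes a little beyond the -text inspection above: instead of reading the dump by eye, this added script (not from the original post) proves that a public key file is the public half of a given private key, for RSA and EC alike, and derives a SHA-256 fingerprint from the key's DER encoding, which also puts the -outform DER conversion from the previous section to use. It assumes OpenSSL 1.1.1 or 3.x on PATH; the fingerprint convention is this example's own, not an OpenSSL or TLS standard.

```shell
#!/bin/sh
# Added example, not from the original post: prove that a public key file is
# the public half of a given private key (RSA or EC alike) and derive a
# SHA-256 fingerprint from the DER encoding of the public key.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; the fingerprint convention is this
# example's own, not an OpenSSL or TLS standard.
set -eu

# Hex SHA-256 of a file. `openssl dgst` prints "SHA256(file)= <hex>" (3.x:
# "SHA2-256(file)= <hex>"), so everything up to "= " is stripped.
sha256_file() {
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
}

# Fingerprint of a public key file: hash of its DER SubjectPublicKeyInfo.
# Hashing DER rather than PEM makes the value independent of line wrapping,
# comments or which tool wrote the file. Prints nothing if the file does not
# parse as a public key.
pubkey_fingerprint() {
    tmp="$(mktemp)"
    if openssl pkey -pubin -in "$1" -outform DER -out "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        sha256_file "$tmp"
    fi
    rm -f "$tmp"
}

# The same fingerprint computed from a private key: -pubout re-derives the
# public half, so the two values agree only if the files are a real pair.
# Pass the passphrase as $2 for an encrypted private key.
privkey_pub_fingerprint() {
    tmp="$(mktemp)"
    if openssl pkey -in "$1" -passin pass:"${2:-}" -pubout -outform DER \
            -out "$tmp" 2>/dev/null </dev/null && [ -s "$tmp" ]; then
        sha256_file "$tmp"
    fi
    rm -f "$tmp"
}

# Exit 0 if $2 is the public key belonging to private key $1, 1 otherwise.
# The emptiness check matters: an unreadable file must never "match".
keypair_matches() {
    a="$(privkey_pub_fingerprint "$1" "${3:-}")"
    b="$(pubkey_fingerprint "$2")"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: an RSA pair, an EC pair, and a deliberate mismatch between them.
main() {
    dir="$(mktemp -d)"
    openssl genpkey -algorithm RSA -out "$dir/rsa.pem" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl rsa -in "$dir/rsa.pem" -pubout -out "$dir/rsa.pub.pem" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.pem" 2>/dev/null
    openssl ec -in "$dir/ec.pem" -pubout -out "$dir/ec.pub.pem" 2>/dev/null
    for pair in "rsa rsa" "ec ec" "rsa ec"; do
        set -- $pair
        if keypair_matches "$dir/$1.pem" "$dir/$2.pub.pem"; then
            echo "$1.pem <-> $2.pub.pem: match, fingerprint $(pubkey_fingerprint "$dir/$2.pub.pem")"
        else
            echo "$1.pem <-> $2.pub.pem: NO MATCH"
        fi
    done
    rm -rf "$dir"
}
main "$@"
```

The fingerprint is a convenient value to record in the key usage metadata mentioned later on (created_at, expires_at): it identifies a key without copying any of its material, and comparing it against what a server or JWKS endpoint actually presents is a quick way to catch a rotation that was only half applied.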

🧠 Additional Tips and Considerations

🔒 1. Always Protect Your Private Keys

  • Use filesystem permissions (chmod 600) to secure them.
  • Consider encrypting keys at rest using OpenSSL or external tools like Vault or AWS KMS.

📁 2. Organize Key Storage

  • Use folders like keys/private/ and keys/public/.
  • Maintain a naming convention (service-name_algo_bits.pem) for clarity.

🔑 3. Use Hardware Security Modules (HSMs) or TPMs

For production systems handling critical data, consider offloading key operations to secure hardware.

⏳ 4. Rotate Keys Periodically

  • Periodic key rotation reduces the damage of a compromised key.
  • Keep track of key usage metadata (e.g., created_at, expires_at).

📋 5. Compatibility

  • RSA is still more widely supported in older systems.
  • EC is faster and more compact, but may need validation for legacy clients.

🔧 6. For JWT (JSON Web Tokens)

  • Make sure the key format matches what your JWT library expects.
  • Tools like pem-jwk help convert formats.

✅ Summary

| Feature | RSA | EC |
|---|---|---|
| Key Size | 2048/3072/4096 bits | 256/384/521 bits |
| Performance | Slower | Faster |
| Output File Sizes | Larger | Smaller |
| Use Case Fit | Legacy systems, TLS certs | Modern apps, JWT, mobile |

🎯 Finally

Using OpenSSL for generating key pairs gives you complete flexibility and security control over your cryptographic workflow. Whether you're managing TLS certificates, signing JWTs, or building an internal CA system, understanding how to generate and handle RSA and EC key pairs is foundational knowledge every developer should master.

Security starts with you—generate wisely, store safely, and audit regularly.
