When working with cryptographic keys, determining the key length is essential for security compliance and system compatibility. OpenSSL provides straightforward commands to examine both public and private keys.
For RSA public keys in PEM format:
openssl rsa -in public_key.pem -pubin -text -noout
This prints the key details, including the modulus. The key length appears on the first line of the output, for example "Public-Key: (2048 bit)"; the "Modulus" block that follows holds the modulus bytes themselves.
For private key inspection:
openssl rsa -in private_key.pem -text -noout
The output similarly displays the modulus information. Example output snippet:
Private-Key: (2048 bit)
modulus:
00:c2:3d:...
...
publicExponent: 65537 (0x10001)
...
For scripting purposes, extract just the key length:
openssl rsa -in key.pem -text -noout | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
For DER format keys, add the -inform DER flag:
openssl rsa -in key.der -inform DER -text -noout
When encountering "unable to load Private Key" errors:
- Verify the key is in correct PEM format (should start with -----BEGIN RSA PRIVATE KEY-----)
- Check for proper file permissions (recommended 400 for private keys)
- Confirm the key isn't password-protected (or use the -passin parameter)
For EC keys, use:
openssl ec -in ec_key.pem -text -noout
The output will show the curve name which implies the key strength (e.g., "prime256v1" = 256-bit).
When working with cryptographic keys, knowing the key length is crucial for security compliance and system compatibility. OpenSSL provides several straightforward methods to inspect this information.
For PEM-encoded public keys:
openssl rsa -pubin -in public_key.pem -text -noout
For DER-encoded public keys:
openssl rsa -pubin -inform der -in public_key.der -text -noout
For PEM-encoded private keys:
openssl rsa -in private_key.pem -text -noout
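For password-protected private keys (a passphrase given as pass: on the command line is visible in shell history and the process list; -passin also accepts env: and file: sources):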
openssl rsa -in encrypted_key.pem -passin pass:yourpassword -text -noout
For scripting purposes, you can parse the modulus directly:
openssl rsa -in key.pem -noout -text | grep -i -A 10 "modulus"
Or get just the bit length:
openssl rsa -in key.pem -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
Sample output for a 2048-bit key:
Private-Key: (2048 bit)
modulus:
00:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:
...
publicExponent: 65537 (0x10001)
For PKCS#8 format private keys:
openssl pkey -in private_key.p8 -noout -text
For EC keys (elliptic curve):
openssl ec -in ec_key.pem -text -noout
Here's a Bash function to validate key length:
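validate_key_length() {
    local key_file=$1
    local expected_bits=$2
    local actual_bits
    # Pull the number out of the "Private-Key: (2048 bit)" header line
    actual_bits=$(openssl rsa -in "$key_file" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    # Empty result: the key could not be loaded or the header was not found
    if [ -z "$actual_bits" ]; then
        echo "ERROR: Could not read key length from $key_file"
        return 1
    fi
    if [ "$actual_bits" -ne "$expected_bits" ]; then
        echo "ERROR: Key length mismatch. Expected $expected_bits, got $actual_bits"
        return 1
    fi
    return 0
}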
- Ensure you have proper file permissions when accessing private keys
- Remember that encrypted keys require the passphrase
- Different OpenSSL versions might show slightly different output formats
- For EC keys, the "bit length" concept differs from RSA
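The last two notes matter most in scripts: the header line varies between OpenSSL versions, and an EC size cannot be judged against an RSA threshold. The sketch below is an added example, not code from the original page; it parses the -text output from stdin and applies a separate minimum per key type. The function names, the MIN_RSA_BITS and MIN_EC_BITS variables, their defaults and the sample outputs are assumptions constructed for illustration.

```shell
# Added example. Function names, MIN_* variables and the default minimum
# sizes are assumptions for illustration, not taken from the page.
# Read `openssl ... -text -noout` output on stdin; print "<type> <bits>".
key_info_from_text() {
    awk '
        # Matches "Private-Key: (2048 bit)" and "RSA Private-Key: (2048 bit, 2 primes)".
        /(Private|Public)-Key: \([0-9]+ bit/ && bits == "" {
            line = $0
            sub(/^.*-Key: \(/, "", line)   # drop text up to the "("
            sub(/ bit.*$/, "", line)       # drop " bit)" or " bit, 2 primes)"
            bits = line
        }
        /^[ \t]*[Mm]odulus:/ { type = "rsa" }            # RSA dumps a modulus
        /^[ \t]*(ASN1 OID|NIST CURVE):/ { type = "ec" }  # EC names its curve
        END {
            if (bits == "") exit 1       # no key header, e.g. a load error
            if (type == "") type = "unknown"
            print type, bits
        }
    '
}

# Exit 0 if the key meets the minimum for its type, 1 if it is too small,
# 2 if the output was not recognised. RSA and EC use separate thresholds.
meets_minimum() {
    info=$(key_info_from_text) || return 2
    type=${info% *}
    bits=${info#* }
    case $type in
        rsa) min=${MIN_RSA_BITS:-2048} ;;
        ec)  min=${MIN_EC_BITS:-256} ;;
        *)   return 2 ;;
    esac
    [ "$bits" -ge "$min" ]
}

# Constructed, abbreviated sample outputs (not from real keys).
SAMPLE_RSA_OLD='Private-Key: (2048 bit)
modulus:
    00:aa:bb:cc'
SAMPLE_RSA_NEW='RSA Private-Key: (1024 bit, 2 primes)
modulus:'
SAMPLE_EC='Private-Key: (256 bit)
ASN1 OID: prime256v1
NIST CURVE: P-256'

for s in "$SAMPLE_RSA_OLD" "$SAMPLE_RSA_NEW" "$SAMPLE_EC"; do
    printf '%s\n' "$s" | key_info_from_text
done
```

With a real key, pipe in the output of one of the commands above, for example: openssl pkey -in private_key.p8 -noout -text | meets_minimum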