OpenSSL has evolved its key generation tools over time. The older genrsa command was specifically designed for RSA key generation, while genpkey (introduced in OpenSSL 1.0.0) provides a more generalized approach for various algorithm types including RSA, DSA, and EC. While both can generate RSA keys, genpkey offers several advantages:
# Using genrsa (traditional approach)
openssl genrsa -aes256 -out private.key 2048
# Equivalent using genpkey
openssl genpkey -algorithm RSA -aes-256-cbc -out private.key -pkeyopt rsa_keygen_bits:2048
The encryption syntax differs between the two commands:
# genrsa style encryption
-des3 (for triple DES)
-aes256 (for AES-256)
# genpkey style encryption
-aes-256-cbc
-camellia-256-cbc
genpkey requires explicit parameter setting through -pkeyopt:
# For 4096-bit RSA key
openssl genpkey -algorithm RSA \
-out private.key \
-pkeyopt rsa_keygen_bits:4096 \
-aes-256-cbc
While genpkey is the recommended modern approach, many existing scripts still use genrsa. The output formats are compatible, so migration can be gradual.
For new development, prefer genpkey as it:
- Supports more algorithms consistently
- Provides better control through -pkeyopt
- Follows OpenSSL's modern parameter passing approach
The OpenSSL toolkit has evolved significantly over the years, leading to some overlapping functionality between commands. The genrsa command was the original way to generate RSA private keys, while genpkey was introduced later as a more generic private key generation utility.
As mentioned in the Debian documentation, genpkey is indeed intended to supersede genrsa, though both remain available for backward compatibility.
While both commands generate RSA private keys, they differ in several important ways:
# Traditional genrsa approach
openssl genrsa -aes256 -out private.key 2048
# Modern genpkey equivalent
openssl genpkey -algorithm RSA -aes-256-cbc -out private.key -pkeyopt rsa_keygen_bits:2048
The encryption syntax differs between the two commands:
# genrsa uses simple cipher names
openssl genrsa -des3 -out key.pem 4096
# genpkey requires explicit cipher specifications
openssl genpkey -algorithm RSA -out key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096
genpkey offers more flexibility through the -pkeyopt parameter:
# Setting RSA exponent with genpkey
openssl genpkey -algorithm RSA \
-out key.pem \
-pkeyopt rsa_keygen_bits:3072 \
-pkeyopt rsa_keygen_pubexp:65537
For new development, prefer genpkey because:
- It supports multiple algorithms (RSA, EC, DH, etc.)
- Offers more granular control through -pkeyopt
- Follows OpenSSL's modern parameter passing conventions
Generating various key types with genpkey:
# 2048-bit RSA key with password
openssl genpkey -algorithm RSA -aes-128-cbc \
-out rsa_key.pem \
-pkeyopt rsa_keygen_bits:2048
# EC private key (secp256r1)
openssl genpkey -algorithm EC \
-out ec_key.pem \
-pkeyopt ec_paramgen_curve:P-256
# DH parameters
openssl genpkey -genparam -algorithm DH \
-out dhparams.pem \
-pkeyopt dh_paramgen_prime_len:2048
The coexistence of both commands is primarily for:
- Backward compatibility with existing scripts
- Easier transition for users familiar with the older syntax
- Specialized use cases where genrsa might be slightly more convenient
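The following script is an added example, not code from either answer above. It runs the genrsa and genpkey commands discussed in both answers side by side, then inspects the resulting files so the differences are visible rather than asserted: the PEM container each command writes, the modulus size and public exponent that -pkeyopt set, that a key encrypted with -aes-256-cbc actually loads back with its passphrase, and the curve behind ec_paramgen_curve:P-256. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the temporary directory, file names, the passphrase "example" and the helper function names are all arbitrary choices for the example.

```shell
#!/bin/sh
# Added example, not part of the original answers: generate keys with genrsa
# and genpkey as shown above, then inspect what each command actually wrote.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; file names are arbitrary.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# PEM label of a key file. The label reveals the container format:
# "RSA PRIVATE KEY" is PKCS#1, "PRIVATE KEY" is PKCS#8,
# "ENCRYPTED PRIVATE KEY" is PKCS#8 with password-based encryption.
pem_label() {
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Modulus size in bits of an unencrypted RSA private key.
rsa_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Public exponent of an unencrypted RSA private key, as a decimal integer.
rsa_pubexp() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^[[:space:]]*publicExponent: \([0-9][0-9]*\).*$/\1/p'
}

# Curve of an EC private key, as the OID short name OpenSSL prints
# ("prime256v1" is the curve genpkey accepts as P-256).
ec_curve() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^[[:space:]]*ASN1 OID: \([A-Za-z0-9]*\).*$/\1/p'
}

# 2048-bit RSA key with genrsa; echoes the PEM label it produced.
# OpenSSL 1.x writes PKCS#1 here, OpenSSL 3.x writes PKCS#8.
genrsa_demo() {
    openssl genrsa -out "$WORKDIR/genrsa.key" 2048 2>/dev/null
    pem_label "$WORKDIR/genrsa.key"
}

# Same key parameters via genpkey, with the exponent made explicit through
# -pkeyopt; echoes the PEM label (genpkey always writes PKCS#8).
genpkey_demo() {
    openssl genpkey -algorithm RSA -out "$WORKDIR/genpkey.key" \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 2>/dev/null
    pem_label "$WORKDIR/genpkey.key"
}

# Passphrase-protected key with genpkey; echoes "ok" only if the key loads
# back with the passphrase. -pass pass:... keeps the example non-interactive;
# in real use prefer -pass file:/path or -pass env:VAR so the secret does not
# appear in the process list or shell history.
genpkey_encrypted_demo() {
    openssl genpkey -algorithm RSA -aes-256-cbc -pass pass:example \
        -out "$WORKDIR/enc.key" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl pkey -in "$WORKDIR/enc.key" -passin pass:example -noout 2>/dev/null && echo ok
}

# EC key on P-256; echoes the curve name OpenSSL reports for it.
genpkey_ec_demo() {
    openssl genpkey -algorithm EC -out "$WORKDIR/ec.key" \
        -pkeyopt ec_paramgen_curve:P-256 2>/dev/null
    ec_curve "$WORKDIR/ec.key"
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH; nothing to demonstrate" >&2
        return 0
    fi
    printf 'genrsa label:         %s\n' "$(genrsa_demo)"
    printf 'genpkey label:        %s\n' "$(genpkey_demo)"
    printf 'genrsa bits/exponent: %s/%s\n' \
        "$(rsa_bits "$WORKDIR/genrsa.key")" "$(rsa_pubexp "$WORKDIR/genrsa.key")"
    printf 'genpkey bits/exponent: %s/%s\n' \
        "$(rsa_bits "$WORKDIR/genpkey.key")" "$(rsa_pubexp "$WORKDIR/genpkey.key")"
    printf 'encrypted key loads:  %s\n' "$(genpkey_encrypted_demo)"
    printf 'EC curve:             %s\n' "$(genpkey_ec_demo)"
}

main
```

The label check is the practical point behind "the output formats are compatible": the two commands can write different PEM containers depending on the OpenSSL version, but every OpenSSL subcommand (rsa, pkey, req, x509) reads both, so a script that switches from genrsa to genpkey only needs attention if something else parses the PEM header literally. The bits/exponent check confirms that -pkeyopt rsa_keygen_bits and rsa_keygen_pubexp did what the answer says, and the encrypted-key check is the one step worth keeping in any key-generation script, since a key that cannot be loaded with its passphrase is discovered at the worst possible moment otherwise.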