[B<-inform PEM|NET|DER>]
[B<-outform PEM|NET|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
+[B<-sgckey>]
[B<-des>]
[B<-des3>]
[B<-idea>]
[B<-check>]
[B<-pubin>]
[B<-pubout>]
+[B<-engine id>]
=head1 DESCRIPTION
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. On input PKCS#8 format private
-keys are also accepted. The B<NET> form is a format compatible with older Netscape
-servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very
-secure and so should only be used when necessary.
+keys are also accepted. The B<NET> form is a format is described in the B<NOTES>
+section.
=item B<-outform DER|NET|PEM>
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
-This specifies the output filename to write a key to or standard output by
-is not specified. If any encryption options are set then a pass phrase will be
-prompted for. The output filename should B<not> be the same as the input
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should B<not> be the same as the input
filename.
=item B<-passout password>
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
-=item B<-envpassout var>
+=item B<-sgckey>
-read the output file password from the environment variable B<var>.
+use the modified NET algorithm used with some versions of Microsoft IIS and SGC
+keys.
=item B<-des|-des3|-idea>
=item B<-pubin>
-by default a private key is input file with this option a public key is input
-instead.
+by default a private key is read from the input file: with this
+option a public key is read instead.
=item B<-pubout>
-by default a private key is output with this option a public
-key will be output instead. This option is automatically set if the input is
-a public key.
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<rsa>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
=back
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+The B<NET> form is a format compatible with older Netscape servers
+and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
+It is not very secure and so should only be used when necessary.
+
+Some newer version of IIS have additional data in the exported .key
+files. To use these with the utility, view the file with a binary editor
+and look for the string "private-key", then trace back to the byte
+sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
+from this point onwards to another file and use that as the input
+to the B<rsa> utility with the B<-inform NET> option. If you get
+an error after entering the password try the B<-sgckey> option.
+
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:
-C<openssl rsa -in key.pem -out keyout.pem>
+ openssl rsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
-C<openssl rsa -in key.pem -des3 -out keyout.pem>
+ openssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
-C<openssl rsa -in key.pem -outform DER -out keyout.der>
+ openssl rsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
-C<openssl rsa -in key.pem -text -noout>
+ openssl rsa -in key.pem -text -noout
To just output the public part of a private key:
-C<openssl rsa -in key.pem -pubout -out pubkey.pem>
+ openssl rsa -in key.pem -pubout -out pubkey.pem
+
+=head1 BUGS
+
+The command line password arguments don't currently work with
+B<NET> format.
+
+There should be an option that automatically handles .key files,
+without having to manually edit them.
=head1 SEE ALSO
-pkcs8(1), dsa(1), genrsa(1), gendsa(1)
+L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>
=cut