How-to guide

Generate an RSA key with OpenSSL on Windows

Use openssl genrsa to generate an RSA private key on Windows. This guide covers 2048-bit and 4096-bit keys, optional passphrase encryption, and how to inspect the result.

Make sure OpenSSL is installed and on your PATH before running these commands. If openssl is not recognized, see Add to PATH.

Generate a 2048-bit RSA key

Open Command Prompt or PowerShell in your working directory and run:

cmd.exe
C:\keys> openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
...+++
e is 65537 (0x10001)

This creates private.key in the current directory — an unencrypted RSA private key in PEM format.

Keep private keys secure. Never commit them to version control. Restrict file permissions so only your user account can read the key.
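One way to apply the permission advice above on Windows, as an added example that is not part of the original guide. It assumes the key is the private.key file created above; Protect-KeyFile and Test-KeyFileAcl are hypothetical helper names.

```powershell
# Added example: restrict private.key to the current user, then verify the ACL.
# Protect-KeyFile and Test-KeyFileAcl are hypothetical helper names.

function Protect-KeyFile {
    param([Parameter(Mandatory)][string]$Path)

    # Current account in DOMAIN\user (or COMPUTER\user) form.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # /inheritance:r drops every ACE inherited from the parent folder.
    # /grant:r replaces any explicit ACE for this account with read-only access.
    icacls $Path /inheritance:r /grant:r "${me}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

function Test-KeyFileAcl {
    param([Parameter(Mandatory)][string]$Path)

    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -LiteralPath $Path

    # Any ACE for another principal means someone else may still reach the key.
    $extra = @($acl.Access | Where-Object { $_.IdentityReference.Value -ne $me })
    foreach ($ace in $extra) {
        Write-Warning "$Path also has an ACE for $($ace.IdentityReference) ($($ace.FileSystemRights))"
    }

    # Pass only if inheritance is disabled and no other principal is listed.
    return ($acl.AreAccessRulesProtected -and $extra.Count -eq 0)
}

Protect-KeyFile -Path .\private.key
if (-not (Test-KeyFileAcl -Path .\private.key)) {
    throw 'private.key is still readable by other accounts; review its ACL with: icacls .\private.key'
}
```

Explicit ACEs for other accounts are reported rather than removed, so review any warning before relying on the file. Members of the Administrators group can still take ownership of the file and change its ACL.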

2048-bit vs 4096-bit

2048-bit

Widely accepted for most use cases. Fast to generate and use. Recommended minimum for new keys. NIST-approved through at least 2030.

cmd.exe
C:\> openssl genrsa -out key.pem 2048

4096-bit (stronger)

Larger key = stronger security but slower operations. Use for long-lived certificates (10+ years) or high-security CAs. Takes longer to generate.

cmd.exe
C:\> openssl genrsa -out key.pem 4096

Generate a key with a passphrase

Add -aes256 to encrypt the key with AES-256. You will be prompted for a passphrase:

cmd.exe
C:\keys> openssl genrsa -aes256 -out private-encrypted.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Generating RSA private key, 2048 bit long modulus
..........+++

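The encrypted key requires the passphrase every time it is used. To remove the passphrase later, run the command below. Note that it writes an unencrypted copy of the key to private-decrypted.key: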

cmd.exe
C:\keys> openssl rsa -in private-encrypted.key -out private-decrypted.key
Enter pass phrase for private-encrypted.key:
writing RSA key

Inspect the generated key

cmd.exe
# View key details:
C:\keys> openssl rsa -in private.key -text -noout
Private-Key: (2048 bit, 2 primes)
modulus:
00:d4:f2:...

# Extract public key from private key:
C:\keys> openssl rsa -in private.key -pubout -out public.key
writing RSA key

# Check key type and size:
C:\keys> openssl rsa -in private.key -noout -text | findstr "bit"
Private-Key: (2048 bit, 2 primes)

Key generation questions

Where is the key file saved?
In the current working directory when you run the command. Use cd to navigate to your target folder first, or specify a full path: openssl genrsa -out C:\certs\private.key 2048.

Should I use RSA or ECDSA in 2025?
For new keys, ECDSA (P-256 or P-384) offers equivalent security to RSA-2048/3072 with a much smaller key size and faster operations. Generate an ECDSA key with: openssl ecparam -genkey -name prime256v1 -out ec.key. RSA remains widely compatible with legacy systems.

Is the key format PEM or DER?
openssl genrsa outputs PEM format by default (base64-encoded with -----BEGIN RSA PRIVATE KEY----- headers). To generate DER format: add -outform DER to the command.

Can I generate a key non-interactively (no prompts)?
Yes. Omit -aes256 (or any -cipher flag) and the command runs without any prompts. The output key will be unencrypted. Useful for scripts and automation.

Need to generate a CSR next?

Use the key you just created to create a Certificate Signing Request.
