Generate PEM Keys with OpenSSL on macOS

Kenta Kodashima
4 min read · Nov 18, 2019

Recently, I had a situation where I needed to create private and public keys with the .pem extension to build an authentication server using NodeJS and JWT. In this article, I will show you how I did it.

0. My Environment

  • macOS Catalina: Version 10.15.1
  • OpenSSL version: OpenSSL 1.0.2t

1. Update OpenSSL

First, update OpenSSL so that the latest features are available.

Since High Sierra, macOS ships LibreSSL instead of OpenSSL by default. In this article, I stick with the classic OpenSSL. Start by checking which version you have with the following command.

# Check OpenSSL version
openssl version

This should return something like OpenSSL 1.0.2t 10 Sep 2019. If it returns something like LibreSSL 2.8.3, go to Case 2 of this section.

Case 1: You are already using OpenSSL

# Update Homebrew itself
brew update
# Update OpenSSL
brew upgrade openssl

Case 2: You are currently using LibreSSL

First, update the homebrew itself.

brew update

Next, check if you have OpenSSL installed with the following command. If it returns something, you already have OpenSSL.

brew list openssl

Finally, update OpenSSL. If you don’t have OpenSSL installed, use brew install openssl instead.

# Only if you don't have OpenSSL installed
brew install openssl
# If you already have OpenSSL, update the package
brew upgrade openssl

After installing or upgrading OpenSSL, we need to put its bin directory on the PATH in .bash_profile. Run the following command and find the line saying something like "If you need to have this software first in your PATH run: ...". Then copy the command shown there and run it.

brew info openssl
# Will return...
openssl: stable 1.0.2t (bottled) [keg-only]
SSL/TLS cryptography library
...
If you need to have openssl first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
...

Now check the version of OpenSSL again. Open a new Terminal tab with ‘⌘ + T’ so that the updated .bash_profile is loaded and the new version shows up.

# Check OpenSSL version again
openssl version

2. Generate

At this point, you should be ready. Use the following command to generate the private key. You will be asked to enter a password. Remember it: the key file is encrypted with it, and your apps will need it to decrypt the key later.

openssl genpkey -algorithm RSA -aes-256-cbc -outform PEM -out private_key.pem -pkeyopt rsa_keygen_bits:2048

  • genpkey
    This command generates a private key. It is not supported in old versions of OpenSSL.
  • -algorithm RSA
    Specifies the algorithm to use for the key. You can use other algorithms such as DH, EC and DSA. This website is good for roughly understanding the differences between the algorithms.
  • -aes-256-cbc
    This option specifies the cipher used to encrypt the private key. A cipher is an algorithm for performing encryption or decryption. According to the OpenSSL documentation, any algorithm accepted by EVP_get_cipherbyname() is acceptable. With -aes-256-cbc the key is encrypted and you are prompted for the password to use.
  • -outform PEM
    Specifies the output format. The DER format is also available.
  • -out private_key.pem
    Writes the key to the specified file. In this case, the filename is ‘private_key.pem’.
  • -pkeyopt rsa_keygen_bits:2048
    The -pkeyopt option sets an option of the public key algorithm. The available options for the command are listed here. In this case, rsa_keygen_bits:2048 specifies the length of the generated key in bits. If omitted, 2048 is used by default. A longer key improves security, but takes more time to generate and use.

3. Permission

Once the key has been generated, restrict the file permissions to protect this sensitive material. Use the following command to change the file permission.

chmod 0400 private_key.pem

Note: 0400 means that only the file's owner can read it. Nobody has write or execute permission, not even the owner.

4. Export the public key

Currently, there is only a private key available. The following command exports the public key that is paired with the private key.

ssh-keygen -e -f private_key.pem > public_key.pem

  • ssh-keygen
    The command to generate, manage and convert authentication keys for ssh. It is available on macOS by default.
  • -e
    Reads a private or public key and exports the public key.
  • -f
    Specifies the source filename.

Now you should have both public key and private key. That’s everything for this article.
