Asymmetric Cryptography in OpenSSL - Private Key

By Darío Rivera
Posted On in Laravel

In our previous post, we saw how to encrypt messages with the public key in two-key cryptography. Today we will see that the process can also be reversed: messages can be encrypted with the private key and decrypted with the public key.


Asymmetric or two-key cryptography, as its name indicates, is a cryptographic system that uses two keys for sending and receiving messages. Both keys belong to the same person: one is public and the other is private. That person must ensure that the private key never falls into anyone else's hands; the public key, on the contrary, must be shared with other users so that messages can be sent or received. Asymmetric cryptography provides two properties of information: confidentiality (encryption with the public key) and authenticity (encryption with the private key).

In this post we will focus on authenticity, that is, on assuring that a message really was sent by the claimed sender. Let's look at the following example.


Let's suppose Emily wants to send an authentic message to Steve. Of course, both chose asymmetric cryptography for this purpose. For this scenario, only Emily's two keys (public and private) are needed. Below is the series of steps for sending and receiving the message.

  1. Emily writes the message she will send to Steve.
  2. Emily encrypts the message she will send with her private key.
  3. Emily sends the message through the internet.
  4. Steve receives the encrypted message from Emily.
  5. Steve uses Emily's public key to decrypt the message and read it.

As you can see, this scheme implies, first, that messages are encrypted and sent through an insecure channel like the internet. Second, the recipient must have the sender's public key to decrypt the message, and since the public key can be obtained by anyone once it is shared, anyone could decrypt the message. However, the goal of encryption through this method is not confidentiality but authenticity: a message encrypted with the private key can only be decrypted with the public key linked to that private key. A successful decryption therefore shows that the sender actually possesses the private key, which confirms their authenticity.

Key Generation

To generate a private key, simply execute the following command:

openssl genrsa -out key.pem 1024

The output of executing this command is the file key.pem, and its content will be similar to the following:


It is important that you familiarize yourself with each of the results that an openssl command can produce in order to recognize private keys, public keys, certificates, among others.

By default, the key is created in PEM format. To obtain it in DER or NET format instead, use the -outform option to convert the PEM file to the chosen format (the conversion is done with openssl rsa, since genrsa only generates keys):

openssl rsa -in key.pem -outform DER -out key.der

The public key is derived from the private key. To extract it, execute the following command:

openssl rsa -in key.pem -pubout -out pub-key.pem

The output of executing this command is the file pub-key.pem, and its content will be similar to the following:

-----END PUBLIC KEY-----

We now have our public key (pub-key.pem) and private key (key.pem). Let's see now how to send an encrypted message following the scheme mentioned earlier.


Let's suppose we want to send a message with our private key key.pem. To encrypt a message with this key, we use the command openssl rsautl with the option -sign (the -encrypt option is for the public key, as in the previous post).

echo "Hello world" > message.txt
openssl rsautl -inkey key.pem -in message.txt -sign > message.enc

The output is the file message.enc, which we can send to the recipient. The recipient can then decrypt the message with essentially the same command, this time with our public key (-pubin) and the -verify option:

openssl rsautl -verify -inkey pub-key.pem -pubin -in message.enc -out message.dec

The content of the file message.dec will contain the original message.
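The following script is an added example and not code from the original post. It walks through both sections above end to end: it generates the key pair and extracts the public key, then reproduces the post's scheme (rsautl -sign with the private key, rsautl -verify with the public key) and checks that the recovered text matches. It also goes a step beyond the post: raw rsautl signing is limited to messages shorter than the modulus, so the script additionally produces a detached SHA-256 signature with openssl dgst -sign, verifies it with dgst -verify, and shows that a one-character change to the message is rejected. It assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH; all file names are constructed for the demo and live in a temporary directory. The key size used is 2048 bits rather than the post's 1024, and note that OpenSSL 3 marks rsautl as deprecated in favour of pkeyutl, so its stderr is silenced in the script.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the `openssl`
# command-line tool (1.1.1 or 3.x) is on PATH; every file name below is
# constructed for this demo and created in a throwaway directory.
set -eu

# Generate Emily's key pair inside directory $1:
#   key.pem      - private key, must never leave Emily's machine
#   pub-key.pem  - public key, extracted from key.pem and safe to share
make_keypair() {
    dir=$1
    # 2048 bits rather than the post's 1024: 1024-bit RSA is below current minimums.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub-key.pem" 2>/dev/null
}

# The post's scheme: "encrypt" a short message with the private key (raw
# PKCS#1 v1.5 signing) and recover the plaintext with the public key.
# Prints the recovered text. stderr is silenced because OpenSSL 3 prints a
# deprecation notice for rsautl; failures still surface through the exit code.
raw_sign_and_recover() {
    dir=$1
    msg=$2
    printf '%s' "$msg" > "$dir/message.txt"
    openssl rsautl -sign -inkey "$dir/key.pem" \
        -in "$dir/message.txt" -out "$dir/message.enc" 2>/dev/null
    openssl rsautl -verify -pubin -inkey "$dir/pub-key.pem" \
        -in "$dir/message.enc" -out "$dir/message.dec" 2>/dev/null
    cat "$dir/message.dec"
}

# Hash-then-sign, the form used in practice: a detached SHA-256 signature over
# a file of any length (raw RSA can only cover k-11 bytes, 245 for 2048 bits).
sign_file() {           # sign_file <private key> <file> <signature out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {         # verify_file <public key> <file> <signature>; exit 0 only if valid
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# End-to-end check: raw recovery yields the original text, the detached
# signature verifies, and a one-character change is rejected. Prints "ok".
demo_sign_verify() {
    dir=$(mktemp -d)
    make_keypair "$dir"

    recovered=$(raw_sign_and_recover "$dir" "Hello world")
    [ "$recovered" = "Hello world" ] || { echo "raw recovery mismatch" >&2; return 1; }

    sign_file "$dir/key.pem" "$dir/message.txt" "$dir/message.sig"
    verify_file "$dir/pub-key.pem" "$dir/message.txt" "$dir/message.sig" \
        || { echo "valid signature rejected" >&2; return 1; }

    # Tampered copy: the same signature must now fail verification.
    printf '%s' "Hello world!" > "$dir/tampered.txt"
    if verify_file "$dir/pub-key.pem" "$dir/tampered.txt" "$dir/message.sig"; then
        echo "tampered message accepted" >&2; return 1
    fi

    rm -rf "$dir"
    echo ok
}

demo_sign_verify
```

Running the script prints "ok" when every step succeeds. The dgst -verify step is the one to reuse in real deployments: it scales to any message size, binds the signature to a hash of the whole file, and returns a non-zero exit status whenever the content or the signature has been altered.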

About Darío Rivera


Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.


Only those who have achieved success know that it was always one step away from the moment they thought of giving up.