{
    "mode": "man",
    "parameter": "EVP_KEYMGMT-RSA",
    "section": "7ssl",
    "url": "https://www.chedong.com/phpMan.php/man/EVP_KEYMGMT-RSA/7ssl/json",
    "generated": "2026-06-15T13:39:05Z",
    "sections": {
        "NAME": {
            "content": "EVPPKEY-RSA, EVPKEYMGMT-RSA, RSA - EVPPKEY RSA keytype and algorithm support\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The RSA keytype is implemented in OpenSSL's default and FIPS providers.  That implementation\nsupports the basic RSA keys, containing the modulus n, the public exponent e, the private\nexponent d, and a collection of prime factors, exponents and coefficient for CRT\ncalculations, of which the first few are known as p and q, dP and dQ, and qInv.\n",
            "subsections": [
                {
                    "name": "Common RSA parameters",
                    "content": "In addition to the common parameters that all keytypes should support (see \"Common\nparameters\" in provider-keymgmt(7)), the RSA keytype implementation supports the following.\n\n\"n\" (OSSLPKEYPARAMRSAN) <unsigned integer>\nThe RSA \"n\" value.\n\n\"e\" (OSSLPKEYPARAMRSAE) <unsigned integer>\nThe RSA \"e\" value.\n\n\"d\" (OSSLPKEYPARAMRSAD) <unsigned integer>\nThe RSA \"d\" value.\n\n\"rsa-factor1\" (OSSLPKEYPARAMRSAFACTOR1) <unsigned integer>\n\"rsa-factor2\" (OSSLPKEYPARAMRSAFACTOR2) <unsigned integer>\n\"rsa-factor3\" (OSSLPKEYPARAMRSAFACTOR3) <unsigned integer>\n\"rsa-factor4\" (OSSLPKEYPARAMRSAFACTOR4) <unsigned integer>\n\"rsa-factor5\" (OSSLPKEYPARAMRSAFACTOR5) <unsigned integer>\n\"rsa-factor6\" (OSSLPKEYPARAMRSAFACTOR6) <unsigned integer>\n\"rsa-factor7\" (OSSLPKEYPARAMRSAFACTOR7) <unsigned integer>\n\"rsa-factor8\" (OSSLPKEYPARAMRSAFACTOR8) <unsigned integer>\n\"rsa-factor9\" (OSSLPKEYPARAMRSAFACTOR9) <unsigned integer>\n\"rsa-factor10\" (OSSLPKEYPARAMRSAFACTOR10) <unsigned integer>\nRSA prime factors. The factors are known as \"p\", \"q\" and \"ri\" in RFC8017.  Up to eight\nadditional \"ri\" prime factors are supported.\n\n\"rsa-exponent1\" (OSSLPKEYPARAMRSAEXPONENT1) <unsigned integer>\n\"rsa-exponent2\" (OSSLPKEYPARAMRSAEXPONENT2) <unsigned integer>\n\"rsa-exponent3\" (OSSLPKEYPARAMRSAEXPONENT3) <unsigned integer>\n\"rsa-exponent4\" (OSSLPKEYPARAMRSAEXPONENT4) <unsigned integer>\n\"rsa-exponent5\" (OSSLPKEYPARAMRSAEXPONENT5) <unsigned integer>\n\"rsa-exponent6\" (OSSLPKEYPARAMRSAEXPONENT6) <unsigned integer>\n\"rsa-exponent7\" (OSSLPKEYPARAMRSAEXPONENT7) <unsigned integer>\n\"rsa-exponent8\" (OSSLPKEYPARAMRSAEXPONENT8) <unsigned integer>\n\"rsa-exponent9\" (OSSLPKEYPARAMRSAEXPONENT9) <unsigned integer>\n\"rsa-exponent10\" (OSSLPKEYPARAMRSAEXPONENT10) <unsigned integer>\nRSA CRT (Chinese Remainder Theorem) exponents. The exponents are known as \"dP\", \"dQ\" and\n\"di in RFC8017\".  Up to eight additional \"di\" exponents are supported.\n\n\"rsa-coefficient1\" (OSSLPKEYPARAMRSACOEFFICIENT1) <unsigned integer>\n\"rsa-coefficient2\" (OSSLPKEYPARAMRSACOEFFICIENT2) <unsigned integer>\n\"rsa-coefficient3\" (OSSLPKEYPARAMRSACOEFFICIENT3) <unsigned integer>\n\"rsa-coefficient4\" (OSSLPKEYPARAMRSACOEFFICIENT4) <unsigned integer>\n\"rsa-coefficient5\" (OSSLPKEYPARAMRSACOEFFICIENT5) <unsigned integer>\n\"rsa-coefficient6\" (OSSLPKEYPARAMRSACOEFFICIENT6) <unsigned integer>\n\"rsa-coefficient7\" (OSSLPKEYPARAMRSACOEFFICIENT7) <unsigned integer>\n\"rsa-coefficient8\" (OSSLPKEYPARAMRSACOEFFICIENT8) <unsigned integer>\n\"rsa-coefficient9\" (OSSLPKEYPARAMRSACOEFFICIENT9) <unsigned integer>\nRSA CRT (Chinese Remainder Theorem) coefficients. The coefficients are known as \"qInv\"\nand \"ti\".  Up to eight additional \"ti\" exponents are supported.\n"
                },
                {
                    "name": "RSA key generation parameters",
                    "content": "When generating RSA keys, the following key generation parameters may be used.\n\n\"bits\" (OSSLPKEYPARAMRSABITS) <unsigned integer>\nThe value should be the cryptographic length for the RSA cryptosystem, in bits.\n\n\"primes\" (OSSLPKEYPARAMRSAPRIMES) <unsigned integer>\nThe value should be the number of primes for the generated RSA key.  The default is 2.\nIt isn't permitted to specify a larger number of primes than 10.  Additionally, the\nnumber of primes is limited by the length of the key being generated so the maximum\nnumber could be less.  Some providers may only support a value of 2.\n\n\"e\" (OSSLPKEYPARAMRSAE) <unsigned integer>\nThe RSA \"e\" value. The value may be any odd number greater than or equal to 65537. The\ndefault value is 65537.  For legacy reasons a value of 3 is currently accepted but is\ndeprecated.\n"
                },
                {
                    "name": "RSA key generation parameters for FIPS module testing",
                    "content": "When generating RSA keys, the following additional key generation parameters may be used for\nalgorithm testing purposes only. Do not use these to generate RSA keys for a production\nenvironment.\n\n\"xp\" (OSSLPKEYPARAMRSATESTXP) <unsigned integer>\n\"xq\" (OSSLPKEYPARAMRSATESTXQ) <unsigned integer>\nThese 2 fields are normally randomly generated and are used to generate \"p\" and \"q\".\n\n\"xp1\" (OSSLPKEYPARAMRSATESTXP1) <unsigned integer>\n\"xp2\" (OSSLPKEYPARAMRSATESTXP2) <unsigned integer>\n\"xq1\" (OSSLPKEYPARAMRSATESTXQ1) <unsigned integer>\n\"xq2\" (OSSLPKEYPARAMRSATESTXQ2) <unsigned integer>\nThese 4 fields are normally randomly generated. The prime factors \"p1\", \"p2\", \"q1\" and\n\"q2\" are determined from these values.\n"
                },
                {
                    "name": "RSA key parameters for FIPS module testing",
                    "content": "The following intermediate values can be retrieved only if the values specified in \"RSA key\ngeneration parameters for FIPS module testing\" are set.  These should not be accessed in a\nproduction environment.\n\n\"p1\" (OSSLPKEYPARAMRSATESTP1) <unsigned integer>\n\"p2\" (OSSLPKEYPARAMRSATESTP2) <unsigned integer>\n\"q1\" (OSSLPKEYPARAMRSATESTQ1) <unsigned integer>\n\"q2\" (OSSLPKEYPARAMRSATESTQ2) <unsigned integer>\nThe auxiliary probable primes.\n"
                }
            ]
        },
        "CONFORMING TO": {
            "content": "FIPS186-4\nSection B.3.6  Generation of Probable Primes with Conditions Based on Auxiliary Probable\nPrimes\n\nRFC 8017, excluding RSA-PSS and RSA-OAEP\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "An EVPPKEY context can be obtained by calling:\n\nEVPPKEYCTX *pctx =\nEVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);\n\nAn RSA key can be generated simply like this:\n\npkey = EVPRSAgen(4096);\n\nor like this:\n\nEVPPKEY *pkey = NULL;\nEVPPKEYCTX *pctx =\nEVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);\n\nEVPPKEYkeygeninit(pctx);\nEVPPKEYgenerate(pctx, &pkey);\nEVPPKEYCTXfree(pctx);\n\nAn RSA key can be generated with key generation parameters:\n\nunsigned int primes = 3;\nunsigned int bits = 4096;\nOSSLPARAM params[3];\nEVPPKEY *pkey = NULL;\nEVPPKEYCTX *pctx = EVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);\n\nEVPPKEYkeygeninit(pctx);\n\nparams[0] = OSSLPARAMconstructuint(\"bits\", &bits);\nparams[1] = OSSLPARAMconstructuint(\"primes\", &primes);\nparams[2] = OSSLPARAMconstructend();\nEVPPKEYCTXsetparams(pctx, params);\n\nEVPPKEYgenerate(pctx, &pkey);\nEVPPKEYprintprivate(bioout, pkey, 0, NULL);\nEVPPKEYCTXfree(pctx);\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "EVPRSAgen(3), EVPKEYMGMT(3), EVPPKEY(3), provider-keymgmt(7)\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-06-02                           EVPPKEY-RSA(7SSL)",
            "subsections": []
        }
    },
    "summary": "EVPPKEY-RSA, EVPKEYMGMT-RSA, RSA - EVPPKEY RSA keytype and algorithm support",
    "flags": [],
    "examples": [
        "An EVPPKEY context can be obtained by calling:",
        "EVPPKEYCTX *pctx =",
        "EVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);",
        "An RSA key can be generated simply like this:",
        "pkey = EVPRSAgen(4096);",
        "or like this:",
        "EVPPKEY *pkey = NULL;",
        "EVPPKEYCTX *pctx =",
        "EVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);",
        "EVPPKEYkeygeninit(pctx);",
        "EVPPKEYgenerate(pctx, &pkey);",
        "EVPPKEYCTXfree(pctx);",
        "An RSA key can be generated with key generation parameters:",
        "unsigned int primes = 3;",
        "unsigned int bits = 4096;",
        "OSSLPARAM params[3];",
        "EVPPKEY *pkey = NULL;",
        "EVPPKEYCTX *pctx = EVPPKEYCTXnewfromname(NULL, \"RSA\", NULL);",
        "EVPPKEYkeygeninit(pctx);",
        "params[0] = OSSLPARAMconstructuint(\"bits\", &bits);",
        "params[1] = OSSLPARAMconstructuint(\"primes\", &primes);",
        "params[2] = OSSLPARAMconstructend();",
        "EVPPKEYCTXsetparams(pctx, params);",
        "EVPPKEYgenerate(pctx, &pkey);",
        "EVPPKEYprintprivate(bioout, pkey, 0, NULL);",
        "EVPPKEYCTXfree(pctx);"
    ],
    "see_also": [
        {
            "name": "EVPRSAgen",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPRSAgen/3/json"
        },
        {
            "name": "EVPKEYMGMT",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKEYMGMT/3/json"
        },
        {
            "name": "EVPPKEY",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPPKEY/3/json"
        },
        {
            "name": "provider-keymgmt",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/provider-keymgmt/7/json"
        }
    ]
}