Default cipher that OpenSSL used to encrypt a PEM file

Having generated couple of PEM files with OpenSSL for testing and writing tutorial purpose. Sometimes I wonder if OpenSSL has a default cipher selected just in case there is no cipher given as parameter.

For example, running this command below

 openssl req -x509 -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

will prompt me for password to be used for encrypting the key.pem files... but with which type of encryption cipher ?

One way to find out is to look into the generated key.pem file.

more key.pem

 Proc-Type: 4,ENCRYPTED 

From the information, it seems that the default cipher is DES-EDE3-CBC and this is confirmed to be true after digging through the OpenSSL's source code at

line 198 to 199 :


Depending on what you are trying to achieve... you can change the encryption cipher by processing the key.pem file and produce a new file encrypted with different cipher.

For example :

 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -out aes256key.pem

will produce a AES-256 encrypted pem file. (See more examples at

  See also : nginx: [emerg] unknown directive "ssl"

By Adam Ng

IF you gain some knowledge or the information here solved your programming problem. Please consider donating to the less fortunate or some charities that you like. Apart from donation, planting trees, volunteering or reducing your carbon footprint will be great too.