You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
215 lines
5.3 KiB
215 lines
5.3 KiB
=pod |
|
|
|
=head1 NAME |
|
|
|
genpkey - generate a private key |
|
|
|
=head1 SYNOPSIS |
|
|
|
B<openssl> B<genpkey> |
|
[B<-out filename>] |
|
[B<-outform PEM|DER>] |
|
[B<-pass arg>] |
|
[B<-cipher>] |
|
[B<-engine id>] |
|
[B<-paramfile file>] |
|
[B<-algorithm alg>] |
|
[B<-pkeyopt opt:value>] |
|
[B<-genparam>] |
|
[B<-text>] |
|
|
|
=head1 DESCRIPTION |
|
|
|
The B<genpkey> command generates a private key. |
|
|
|
=head1 OPTIONS |
|
|
|
=over 4 |
|
|
|
=item B<-out filename> |
|
|
|
the output filename. If this argument is not specified then standard output is |
|
used. |
|
|
|
=item B<-outform DER|PEM> |
|
|
|
This specifies the output format DER or PEM. |
|
|
|
=item B<-pass arg> |
|
|
|
the output file password source. For more information about the format of B<arg> |
|
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
|
|
|
=item B<-cipher> |
|
|
|
This option encrypts the private key with the supplied cipher. Any algorithm |
|
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. |
|
|
|
=item B<-engine id> |
|
|
|
specifying an engine (by its unique B<id> string) will cause B<genpkey> |
|
to attempt to obtain a functional reference to the specified engine, |
|
thus initialising it if needed. The engine will then be set as the default |
|
for all available algorithms. If used this option should precede all other |
|
options. |
|
|
|
=item B<-algorithm alg> |
|
|
|
public key algorithm to use such as RSA, DSA or DH. If used this option must |
|
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> |
|
are mutually exclusive. |
|
|
|
=item B<-pkeyopt opt:value> |
|
|
|
set the public key algorithm option B<opt> to B<value>. The precise set of |
|
options supported depends on the public key algorithm used and its |
|
implementation. See B<KEY GENERATION OPTIONS> below for more details. |
|
|
|
=item B<-genparam> |
|
|
|
generate a set of parameters instead of a private key. If used this option must |
|
precede and B<-algorithm>, B<-paramfile> or B<-pkeyopt> options. |
|
|
|
=item B<-paramfile filename> |
|
|
|
Some public key algorithms generate a private key based on a set of parameters. |
|
They can be supplied using this option. If this option is used the public key |
|
algorithm used is determined by the parameters. If used this option must |
|
precede and B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm> |
|
are mutually exclusive. |
|
|
|
=item B<-text> |
|
|
|
Print an (unencrypted) text representation of private and public keys and |
|
parameters along with the PEM or DER structure. |
|
|
|
=back |
|
|
|
=head1 KEY GENERATION OPTIONS |
|
|
|
The options supported by each algorith and indeed each implementation of an |
|
algorithm can vary. The options for the OpenSSL implementations are detailed |
|
below. |
|
|
|
=head1 RSA KEY GENERATION OPTIONS |
|
|
|
=over 4 |
|
|
|
=item B<rsa_keygen_bits:numbits> |
|
|
|
The number of bits in the generated key. If not specified 1024 is used. |
|
|
|
=item B<rsa_keygen_pubexp:value> |
|
|
|
The RSA public exponent value. This can be a large decimal or |
|
hexadecimal value if preceded by B<0x>. Default value is 65537. |
|
|
|
=back |
|
|
|
=head1 DSA PARAMETER GENERATION OPTIONS |
|
|
|
=over 4 |
|
|
|
=item B<dsa_paramgen_bits:numbits> |
|
|
|
The number of bits in the generated parameters. If not specified 1024 is used. |
|
|
|
=back |
|
|
|
=head1 DH PARAMETER GENERATION OPTIONS |
|
|
|
=over 4 |
|
|
|
=item B<dh_paramgen_prime_len:numbits> |
|
|
|
The number of bits in the prime parameter B<p>. |
|
|
|
=item B<dh_paramgen_generator:value> |
|
|
|
The value to use for the generator B<g>. |
|
|
|
=back |
|
|
|
=head1 EC PARAMETER GENERATION OPTIONS |
|
|
|
=over 4 |
|
|
|
=item B<ec_paramgen_curve:curve> |
|
|
|
the EC curve to use. |
|
|
|
=back |
|
|
|
=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS |
|
|
|
Gost 2001 support is not enabled by default. To enable this algorithm, |
|
one should load the ccgost engine in the OpenSSL configuration file. |
|
See README.gost file in the engines/ccgost directiry of the source |
|
distribution for more details. |
|
|
|
Use of a parameter file for the GOST R 34.10 algorithm is optional. |
|
Parameters can be specified during key generation directly as well as |
|
during generation of parameter file. |
|
|
|
=over 4 |
|
|
|
=item B<paramset:name> |
|
|
|
Specifies GOST R 34.10-2001 parameter set according to RFC 4357. |
|
Parameter set can be specified using abbreviated name, object short name or |
|
numeric OID. Following parameter sets are supported: |
|
|
|
paramset OID Usage |
|
A 1.2.643.2.2.35.1 Signature |
|
B 1.2.643.2.2.35.2 Signature |
|
C 1.2.643.2.2.35.3 Signature |
|
XA 1.2.643.2.2.36.0 Key exchange |
|
XB 1.2.643.2.2.36.1 Key exchange |
|
test 1.2.643.2.2.35.0 Test purposes |
|
|
|
=back |
|
|
|
|
|
|
|
=head1 NOTES |
|
|
|
The use of the genpkey program is encouraged over the algorithm specific |
|
utilities because additional algorithm options and ENGINE provided algorithms |
|
can be used. |
|
|
|
=head1 EXAMPLES |
|
|
|
Generate an RSA private key using default parameters: |
|
|
|
openssl genpkey -algorithm RSA -out key.pem |
|
|
|
Encrypt output private key using 128 bit AES and the passphrase "hello": |
|
|
|
openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello |
|
|
|
Generate a 2048 bit RSA key using 3 as the public exponent: |
|
|
|
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ |
|
-pkeyopt rsa_keygen_pubexp:3 |
|
|
|
Generate 1024 bit DSA parameters: |
|
|
|
openssl genpkey -genparam -algorithm DSA -out dsap.pem \ |
|
-pkeyopt dsa_paramgen_bits:1024 |
|
|
|
Generate DSA key from parameters: |
|
|
|
openssl genpkey -paramfile dsap.pem -out dsakey.pem |
|
|
|
Generate 1024 bit DH parameters: |
|
|
|
openssl genpkey -genparam -algorithm DH -out dhp.pem \ |
|
-pkeyopt dh_paramgen_prime_len:1024 |
|
|
|
Generate DH key from parameters: |
|
|
|
openssl genpkey -paramfile dhp.pem -out dhkey.pem |
|
|
|
|
|
=cut |
|
|
|
|