Showing 3 changed files with 320 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,171 @@ | ||
=pod | ||
|
||
=head1 NAME | ||
|
||
genpkey - generate a private key | ||
|
||
=head1 SYNOPSIS | ||
|
||
B<openssl> B<genpkey> | ||
[B<-out filename>] | ||
[B<-outform PEM|DER>] | ||
[B<-pass arg>] | ||
[B<-cipher>] | ||
[B<-engine id>] | ||
[B<-paramfile file>] | ||
[B<-algorithm alg>] | ||
[B<-pkeyopt opt:value>] | ||
[B<-genparam>] | ||
[B<-text>] | ||
|
||
=head1 DESCRIPTION | ||
|
||
The B<genpkey> command generates a private key. | ||
|
||
=head1 OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<-out filename> | ||
|
||
the output filename. If this argument is not specified then standard output is | ||
used. | ||
|
||
=item B<-outform DER|PEM> | ||
|
||
This specifies the output format DER or PEM. | ||
|
||
=item B<-pass arg> | ||
|
||
the output file password source. For more information about the format of B<arg> | ||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | ||
|
||
=item B<-cipher> | ||
|
||
These options encrypt the private key with the supplied cipher. Any algorithm | ||
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. | ||
|
||
=item B<-engine id> | ||
|
||
specifying an engine (by it's unique B<id> string) will cause B<req> | ||
to attempt to obtain a functional reference to the specified engine, | ||
thus initialising it if needed. The engine will then be set as the default | ||
for all available algorithms. | ||
|
||
=item B<-algorithm alg> | ||
|
||
public key algorithm to use such as RSA, DSA or DH. | ||
|
||
=item B<-pkeyopt opt:value> | ||
|
||
set the public key algorithm option B<opt> to B<value>. The precise set of | ||
options supported depends on the public key algorithm used and its | ||
implementation. See B<KEY GENERATION OPTIONS> below for more details. | ||
|
||
=item B<-genparam> | ||
|
||
generate a set of parameters instead of a private key. | ||
|
||
=item B<-paramfile filename> | ||
|
||
Some public key algorithms generate a private key based on a set of parameters. | ||
They can be supplied using this option. If this option is used the public | ||
key algorithm used is determined by the parameters. | ||
|
||
=back | ||
|
||
=head1 KEY GENERATION OPTIONS | ||
|
||
The options supported by each algorith and indeed each implementation of an | ||
algorithm can vary. The options for the OpenSSL implementations are detailed | ||
below. | ||
|
||
=head1 RSA KEY GENERATION OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<rsa_keygen_bits:numbits> | ||
|
||
The number of bits in the generated key. If not specified 1024 is used. | ||
|
||
=item B<rsa_keygen_pubexp:value> | ||
|
||
The RSA public exponent value. This can be a large decimal or | ||
hexadecimal value if preceded by B<0x>. Default value is 65537. | ||
|
||
=back | ||
|
||
=head1 DSA PARAMETER GENERATION OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<dsa_paramgen_bits:numbits> | ||
|
||
The number of bits in the generated parameters. If not specified 1024 is used. | ||
|
||
=head1 DH PARAMETER GENERATION OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<dh_paramgen_prime_len:numbits> | ||
|
||
The number of bits in the prime parameter B<p>. | ||
|
||
=item B<dh_paramgen_generator:value> | ||
|
||
The value to use for the generator B<g>. | ||
|
||
=back | ||
|
||
=head1 EC PARAMETER GENERATION OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<ec_paramgen_curve:curve> | ||
|
||
the EC curve to use. | ||
|
||
=back | ||
|
||
=head1 NOTES | ||
|
||
The use of the genpkey program is encouraged over the algorithm specific | ||
utilities because additional algorithm options and ENGINE provided algorithms | ||
can be used. | ||
|
||
=head1 EXAMPLES | ||
|
||
Generate an RSA private key using default parameters: | ||
|
||
openssl genpkey -algoritm RSA -out key.pem | ||
|
||
Encrypt output private key using 128 bit AES and the passphrase "hello": | ||
|
||
openssl genpkey -algoritm RSA -out key.pem -aes-128-cbc -pass pass:hello | ||
|
||
Generate a 2048 bit RSA key using 3 as the public exponent: | ||
|
||
openssl genpkey -algoritm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ | ||
-pkeyopt rsa_keygen_pubexp:3 | ||
|
||
Generate 1024 bit DSA parameters: | ||
|
||
openssl genpkey -genparam -algorithm DSA -out dsap.pem \ | ||
-pkeyopt dsa_paramgen_bits:1024 | ||
|
||
Generate DSA key from parameters: | ||
|
||
openssl genpkey -paramfile dsap.pem -out dsakey.pem | ||
|
||
Generate 1024 bit DH parameters: | ||
|
||
openssl genpkey -genparam -algorithm DH -out dhp.pem \ | ||
-pkeyopt dh_paramgen_prime_len:1024 | ||
|
||
Generate DH key from parameters: | ||
|
||
openssl genpkey -paramfile dhp.pem -out dhkey.pem | ||
|
||
|
||
=cut | ||
|
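Review bot: the three RSA commands under EXAMPLES spell the option `-algoritm`, while the SYNOPSIS and OPTIONS sections document it as `-algorithm` (the DSA and DH examples already spell it that way); correct the spelling so the examples match the documented option. The `=over 4` under DSA PARAMETER GENERATION OPTIONS is never closed: add `=back` after the `dsa_paramgen_bits` item, before the DH `=head1`. The `-engine` paragraph says the option will cause B<req> to obtain the engine reference, which should name B<genpkey> on this page. `-text` is listed in the SYNOPSIS but has no `=item` under OPTIONS, and the `-cipher` item does not say that the cipher name itself is the option, as the `-aes-128-cbc` example uses it. Spelling: "algorith" should be "algorithm" and "it's unique" should be "its unique".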
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,135 @@ | ||
|
||
=pod | ||
|
||
=head1 NAME | ||
|
||
pkey - public or private key processing tool | ||
|
||
=head1 SYNOPSIS | ||
|
||
B<openssl> B<pkey> | ||
[B<-inform PEM|DER>] | ||
[B<-outform PEM|DER>] | ||
[B<-in filename>] | ||
[B<-passin arg>] | ||
[B<-out filename>] | ||
[B<-passout arg>] | ||
[B<-cipher>] | ||
[B<-text>] | ||
[B<-text_pub>] | ||
[B<-noout>] | ||
[B<-pubin>] | ||
[B<-pubout>] | ||
[B<-engine id>] | ||
|
||
=head1 DESCRIPTION | ||
|
||
The B<pkey> command processes public or private keys. They can be converted | ||
between various forms and their components printed out. | ||
|
||
=head1 COMMAND OPTIONS | ||
|
||
=over 4 | ||
|
||
=item B<-inform DER|PEM> | ||
|
||
This specifies the input format DER or PEM. | ||
|
||
=item B<-outform DER|PEM> | ||
|
||
This specifies the output format, the options have the same meaning as the | ||
B<-inform> option. | ||
|
||
=item B<-in filename> | ||
|
||
This specifies the input filename to read a key from or standard input if this | ||
option is not specified. If the key is encrypted a pass phrase will be | ||
prompted for. | ||
|
||
=item B<-passin arg> | ||
|
||
the input file password source. For more information about the format of B<arg> | ||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | ||
|
||
=item B<-out filename> | ||
|
||
This specifies the output filename to write a key to or standard output if this | ||
option is not specified. If any encryption options are set then a pass phrase | ||
will be prompted for. The output filename should B<not> be the same as the input | ||
filename. | ||
|
||
=item B<-passout password> | ||
|
||
the output file password source. For more information about the format of B<arg> | ||
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | ||
|
||
=item B<-cipher> | ||
|
||
These options encrypt the private key with the supplied cipher. Any algorithm | ||
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. | ||
|
||
=item B<-text> | ||
|
||
prints out the various public or private key components in | ||
plain text in addition to the encoded version. | ||
|
||
=item B<-text_pub> | ||
|
||
print out only public key components even if a private key is being processed. | ||
|
||
=item B<-noout> | ||
|
||
do not output the encoded version of the key. | ||
|
||
=item B<-pubin> | ||
|
||
by default a private key is read from the input file: with this | ||
option a public key is read instead. | ||
|
||
=item B<-pubout> | ||
|
||
by default a private key is output: with this option a public | ||
key will be output instead. This option is automatically set if | ||
the input is a public key. | ||
|
||
=item B<-engine id> | ||
|
||
specifying an engine (by it's unique B<id> string) will cause B<req> | ||
to attempt to obtain a functional reference to the specified engine, | ||
thus initialising it if needed. The engine will then be set as the default | ||
for all available algorithms. | ||
|
||
=back | ||
|
||
=head1 EXAMPLES | ||
|
||
To remove the pass phrase on an RSA private key: | ||
|
||
openssl pkey -in key.pem -out keyout.pem | ||
|
||
To encrypt a private key using triple DES: | ||
|
||
openssl pkey -in key.pem -des3 -out keyout.pem | ||
|
||
To convert a private key from PEM to DER format: | ||
|
||
openssl pkey -in key.pem -outform DER -out keyout.der | ||
|
||
To print out the components of a private key to standard output: | ||
|
||
openssl pkey -in key.pem -text -noout | ||
|
||
To print out the public components of a private key to standard output: | ||
|
||
openssl pkey -in key.pem -text_pub -noout | ||
|
||
To just output the public part of a private key: | ||
|
||
openssl pkey -in key.pem -pubout -out pubkey.pem | ||
|
||
=head1 SEE ALSO | ||
|
||
L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>, | ||
L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)> | ||
|
||
=cut |
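Review bot: under COMMAND OPTIONS the item is written `=item B<-passout password>`, but the SYNOPSIS has `-passout arg` and the item's own text refers to B<arg>; use `arg` in the item heading so all three agree. The `-engine` paragraph says the option will cause B<req> to obtain the engine reference, where this page's command is B<pkey>, and "it's unique" should be "its unique". The `-out` text says a pass phrase will be prompted for when encryption options are set but does not mention that `-passout` can supply it; a cross-reference there would help. The `-cipher` item also does not say that the cipher name itself is the option, as the `-des3` example uses it.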