=pod

=head1 NAME

genpkey - generate a private key

=head1 SYNOPSIS

B<openssl> B<genpkey>
[B<-out filename>]
[B<-outform PEM|DER>]
[B<-pass arg>]
[B<-cipher>]
[B<-engine id>]
[B<-paramfile file>]
[B<-algorithm alg>]
[B<-pkeyopt opt:value>]
[B<-genparam>]
[B<-text>]

=head1 DESCRIPTION

The B<genpkey> command generates a private key.

=head1 OPTIONS

=over 4

=item B<-out filename>

the output filename. If this argument is not specified then standard output is
used.  

=item B<-outform DER|PEM>

This specifies the output format DER or PEM.

=item B<-pass arg>

the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-cipher>

This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.

=item B<-engine id>

specifying an engine (by it's unique B<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=item B<-algorithm alg>

public key algorithm to use such as RSA, DSA or DH.

=item B<-pkeyopt opt:value>

set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.

=item B<-genparam>

generate a set of parameters instead of a private key.

=item B<-paramfile filename>

Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public
key algorithm used is determined by the parameters.

=back

=head1 KEY GENERATION OPTIONS

The options supported by each algorith and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.

=head1 RSA KEY GENERATION OPTIONS

=over 4

=item B<rsa_keygen_bits:numbits>

The number of bits in the generated key. If not specified 1024 is used.

=item B<rsa_keygen_pubexp:value>

The RSA public exponent value. This can be a large decimal or
hexadecimal value if preceded by B<0x>. Default value is 65537.

=back

=head1 DSA PARAMETER GENERATION OPTIONS

=over 4

=item B<dsa_paramgen_bits:numbits>

The number of bits in the generated parameters. If not specified 1024 is used.

=head1 DH PARAMETER GENERATION OPTIONS

=over 4

=item B<dh_paramgen_prime_len:numbits>

The number of bits in the prime parameter B<p>.

=item B<dh_paramgen_generator:value>

The value to use for the generator B<g>.

=back

=head1 EC PARAMETER GENERATION OPTIONS

=over 4

=item B<ec_paramgen_curve:curve>

the EC curve to use.

=back

=head1 NOTES

The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and ENGINE provided algorithms
can be used.

=head1 EXAMPLES

Generate an RSA private key using default parameters:

 openssl genpkey -algoritm RSA -out key.pem 

Encrypt output private key using 128 bit AES and the passphrase "hello":

 openssl genpkey -algoritm RSA -out key.pem -aes-128-cbc -pass pass:hello

Generate a 2048 bit RSA key using 3 as the public exponent:

 openssl genpkey -algoritm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
 						-pkeyopt rsa_keygen_pubexp:3

Generate 1024 bit DSA parameters:

 openssl genpkey -genparam -algorithm DSA -out dsap.pem \
						-pkeyopt dsa_paramgen_bits:1024

Generate DSA key from parameters:

 openssl genpkey -paramfile dsap.pem -out dsakey.pem 

Generate 1024 bit DH parameters:

 openssl genpkey -genparam -algorithm DH -out dhp.pem \
					-pkeyopt dh_paramgen_prime_len:1024

Generate DH key from parameters:

 openssl genpkey -paramfile dhp.pem -out dhkey.pem 


=cut