123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213 |
- =pod
- =head1 NAME
- genpkey - generate a private key
- =head1 SYNOPSIS
- B<openssl> B<genpkey>
- [B<-out filename>]
- [B<-outform PEM|DER>]
- [B<-pass arg>]
- [B<-cipher>]
- [B<-engine id>]
- [B<-paramfile file>]
- [B<-algorithm alg>]
- [B<-pkeyopt opt:value>]
- [B<-genparam>]
- [B<-text>]
- =head1 DESCRIPTION
- The B<genpkey> command generates a private key.
- =head1 OPTIONS
- =over 4
- =item B<-out filename>
- the output filename. If this argument is not specified then standard output is
- used.
- =item B<-outform DER|PEM>
- This specifies the output format DER or PEM.
- =item B<-pass arg>
- the output file password source. For more information about the format of B<arg>
- see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
- =item B<-cipher>
- This option encrypts the private key with the supplied cipher. Any algorithm
- name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
- =item B<-engine id>
- specifying an engine (by its unique B<id> string) will cause B<genpkey>
- to attempt to obtain a functional reference to the specified engine,
- thus initialising it if needed. The engine will then be set as the default
- for all available algorithms. If used this option should precede all other
- options.
- =item B<-algorithm alg>
- public key algorithm to use such as RSA, DSA or DH. If used this option must
- precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
- are mutually exclusive.
- =item B<-pkeyopt opt:value>
- set the public key algorithm option B<opt> to B<value>. The precise set of
- options supported depends on the public key algorithm used and its
- implementation. See B<KEY GENERATION OPTIONS> below for more details.
- =item B<-genparam>
- generate a set of parameters instead of a private key. If used this option must
- precede and B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
- =item B<-paramfile filename>
- Some public key algorithms generate a private key based on a set of parameters.
- They can be supplied using this option. If this option is used the public key
- algorithm used is determined by the parameters. If used this option must
- precede and B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
- are mutually exclusive.
- =item B<-text>
- Print an (unencrypted) text representation of private and public keys and
- parameters along with the PEM or DER structure.
- =back
- =head1 KEY GENERATION OPTIONS
- The options supported by each algorith and indeed each implementation of an
- algorithm can vary. The options for the OpenSSL implementations are detailed
- below.
- =head1 RSA KEY GENERATION OPTIONS
- =over 4
- =item B<rsa_keygen_bits:numbits>
- The number of bits in the generated key. If not specified 1024 is used.
- =item B<rsa_keygen_pubexp:value>
- The RSA public exponent value. This can be a large decimal or
- hexadecimal value if preceded by B<0x>. Default value is 65537.
- =back
- =head1 DSA PARAMETER GENERATION OPTIONS
- =over 4
- =item B<dsa_paramgen_bits:numbits>
- The number of bits in the generated parameters. If not specified 1024 is used.
- =head1 DH PARAMETER GENERATION OPTIONS
- =over 4
- =item B<dh_paramgen_prime_len:numbits>
- The number of bits in the prime parameter B<p>.
- =item B<dh_paramgen_generator:value>
- The value to use for the generator B<g>.
- =back
- =head1 EC PARAMETER GENERATION OPTIONS
- =over 4
- =item B<ec_paramgen_curve:curve>
- the EC curve to use.
- =back
- =head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS
- Gost 2001 support is not enabled by default. To enable this algorithm,
- one should load the ccgost engine in the OpenSSL configuration file.
- See README.gost file in the engines/ccgost directiry of the source
- distribution for more details.
- Use of a parameter file for the GOST R 34.10 algorithm is optional.
- Parameters can be specified during key generation directly as well as
- during generation of parameter file.
- =over 4
- =item B<paramset:name>
- Specifies GOST R 34.10-2001 parameter set according to RFC 4357.
- Parameter set can be specified using abbreviated name, object short name or
- numeric OID. Following parameter sets are supported:
- paramset OID Usage
- A 1.2.643.2.2.35.1 Signature
- B 1.2.643.2.2.35.2 Signature
- C 1.2.643.2.2.35.3 Signature
- XA 1.2.643.2.2.36.0 Key exchange
- XB 1.2.643.2.2.36.1 Key exchange
- test 1.2.643.2.2.35.0 Test purposes
- =back
- =head1 NOTES
- The use of the genpkey program is encouraged over the algorithm specific
- utilities because additional algorithm options and ENGINE provided algorithms
- can be used.
- =head1 EXAMPLES
- Generate an RSA private key using default parameters:
- openssl genpkey -algorithm RSA -out key.pem
- Encrypt output private key using 128 bit AES and the passphrase "hello":
- openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
- Generate a 2048 bit RSA key using 3 as the public exponent:
- openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
- -pkeyopt rsa_keygen_pubexp:3
- Generate 1024 bit DSA parameters:
- openssl genpkey -genparam -algorithm DSA -out dsap.pem \
- -pkeyopt dsa_paramgen_bits:1024
- Generate DSA key from parameters:
- openssl genpkey -paramfile dsap.pem -out dsakey.pem
- Generate 1024 bit DH parameters:
- openssl genpkey -genparam -algorithm DH -out dhp.pem \
- -pkeyopt dh_paramgen_prime_len:1024
- Generate DH key from parameters:
- openssl genpkey -paramfile dhp.pem -out dhkey.pem
- =cut
|