1c1
< .\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.35)
---
> .\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)
132c132
< .TH GENPKEY 1 "2018-03-27" "1.0.2o" "OpenSSL"
---
> .TH GENPKEY 1 "2018-08-14" "1.0.2p" "OpenSSL"
146c146
< [\fB\-cipher\fR]
---
> [\fB\-\f(BIcipher\fB\fR]
164c164
< This specifies the output format \s-1DER\s0 or \s-1PEM.\s0
---
> This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
167c167
< the output file password source. For more information about the format of \fBarg\fR
---
> The output file password source. For more information about the format of \fBarg\fR
169c169
< .IP "\fB\-cipher\fR" 4
---
> .IP "\fB\-\f(BIcipher\fB\fR" 4
175c175
< specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
---
> Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
182c182
< public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
---
> Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
184c184,196
< are mutually exclusive.
---
> are mutually exclusive. Engines may add algorithms in addition to the standard
> built-in ones.
> .Sp
> Valid built-in algorithm names for private key generation are \s-1RSA\s0 and \s-1EC.\s0
> .Sp
> Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
> option) are \s-1DH, DSA\s0 and \s-1EC.\s0
> .Sp
> Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0
> algorithm. These are identical and do not indicate the type of parameters that
> will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3
> or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R"
> below for more details.
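Review bot: the opening sentence of the -algorithm description (touched in the 182c182 hunk) still reads "such as RSA, DSA or DH", while the paragraphs added here list RSA and EC as the built-in names for private key generation and put DH and DSA under parameter generation. Suggest making the opening sentence agree with the new lists, or pointing to them. The X9.42 paragraph also calls "X9.42 DH" an algorithm name without showing the literal string to pass to -algorithm; spelling that out would remove the guesswork.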
187c199
< set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
---
> Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
189c201,202
< implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR below for more details.
---
> implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
> \&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details.
192,193c205,206
< generate a set of parameters instead of a private key. If used this option must
< precede and \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
---
> Generate a set of parameters instead of a private key. If used this option must
> precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
210,211c223,224
< .SH "RSA KEY GENERATION OPTIONS"
< .IX Header "RSA KEY GENERATION OPTIONS"
---
> .SS "\s-1RSA\s0 Key Generation Options"
> .IX Subsection "RSA Key Generation Options"
219,220c232,248
< .SH "DSA PARAMETER GENERATION OPTIONS"
< .IX Header "DSA PARAMETER GENERATION OPTIONS"
---
> .SS "\s-1EC\s0 Key Generation Options"
> .IX Subsection "EC Key Generation Options"
> The \s-1EC\s0 key generation options can also be used for parameter generation.
> .IP "\fBec_paramgen_curve:curve\fR" 4
> .IX Item "ec_paramgen_curve:curve"
> The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R".
> .IP "\fBec_param_enc:encoding\fR" 4
> .IX Item "ec_param_enc:encoding"
> The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either
> \&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R".
> .SH "PARAMETER GENERATION OPTIONS"
> .IX Header "PARAMETER GENERATION OPTIONS"
> The options supported by each algorithm and indeed each implementation of an
> algorithm can vary. The options for the OpenSSL implementations are detailed
> below.
> .SS "\s-1DSA\s0 Parameter Generation Options"
> .IX Subsection "DSA Parameter Generation Options"
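Review bot: the new ec_paramgen_curve item says NIST curve names such as "P-256" are supported but does not say whether other curve names are accepted or where the valid names can be found. Suggest a sentence pointing to the list of supported curves (openssl ecparam -list_curves prints it). The ec_param_enc item gives the two values "named_curve" and "explicit" with no guidance on when "explicit" would be chosen over the default; one sentence on that would help.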
223,225c251,265
< The number of bits in the generated parameters. If not specified 1024 is used.
< .SH "DH PARAMETER GENERATION OPTIONS"
< .IX Header "DH PARAMETER GENERATION OPTIONS"
---
> The number of bits in the generated prime. If not specified 1024 is used.
> .IP "\fBdsa_paramgen_q_bits:numbits\fR" 4
> .IX Item "dsa_paramgen_q_bits:numbits"
> The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
> specified 160 is used.
> .IP "\fBdsa_paramgen_md:digest\fR" 4
> .IX Item "dsa_paramgen_md:digest"
> The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
> or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
> of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be
> ignored. If not set, then a digest will be used that gives an output matching
> the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224
> or \fBsha256\fR if it is 256.
> .SS "\s-1DH\s0 Parameter Generation Options"
> .IX Subsection "DH Parameter Generation Options"
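Review bot: in the dsa_paramgen_md item, "\fBsha224\fR if it 224" is missing its verb and should read "if it is 224" to match the clauses on either side. The same item says that setting the digest causes dsa_paramgen_q_bits to be ignored; repeating that on the dsa_paramgen_q_bits item, where a reader choosing the q length looks first, would prevent a silently ignored option.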
228c268,273
< The number of bits in the prime parameter \fBp\fR.
---
> The number of bits in the prime parameter \fBp\fR. The default is 1024.
> .IP "\fBdh_paramgen_subprime_len:numbits\fR" 4
> .IX Item "dh_paramgen_subprime_len:numbits"
> The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the
> prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
> conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters.
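Review bot: this hunk documents "The default is 1024" for dh_paramgen_prime_len, while the EXAMPLES hunks in the same change raise the DH example from 1024 to 2048 bits. Suggest a sentence here telling readers to set dh_paramgen_prime_len explicitly rather than rely on the default, so the option text and the example point the same way. Minor: "sub prime" is written as two words although the option is named dh_paramgen_subprime_len.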
231c276,280
< The value to use for the generator \fBg\fR.
---
> The value to use for the generator \fBg\fR. The default is 2.
> .IP "\fBdh_paramgen_type:value\fR" 4
> .IX Item "dh_paramgen_type:value"
> The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0
> The default is 0.
234c283
< If this option is set then the appropriate \s-1RFC5114\s0 parameters are used
---
> If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
239,244c288,293
< 2.1, 2.2 and 2.3 respectively.
< .SH "EC PARAMETER GENERATION OPTIONS"
< .IX Header "EC PARAMETER GENERATION OPTIONS"
< .IP "\fBec_paramgen_curve:curve\fR" 4
< .IX Item "ec_paramgen_curve:curve"
< the \s-1EC\s0 curve to use.
---
> 2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter
> options.
> .SS "\s-1EC\s0 Parameter Generation Options"
> .IX Subsection "EC Parameter Generation Options"
> The \s-1EC\s0 parameter generation options are the same as for key generation. See
> \&\*(L"\s-1EC\s0 Key Generation Options\*(R" above.
296c345
< Generate 1024 bit \s-1DSA\s0 parameters:
---
> Generate 2048 bit \s-1DSA\s0 parameters:
300c349
< \& \-pkeyopt dsa_paramgen_bits:1024
---
> \& \-pkeyopt dsa_paramgen_bits:2048
309c358
< Generate 1024 bit \s-1DH\s0 parameters:
---
> Generate 2048 bit \s-1DH\s0 parameters:
313c362
< \& \-pkeyopt dh_paramgen_prime_len:1024
---
> \& \-pkeyopt dh_paramgen_prime_len:2048
315a365,372
> Generate 2048 bit X9.42 \s-1DH\s0 parameters:
> .PP
> .Vb 3
> \& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
> \& \-pkeyopt dh_paramgen_prime_len:2048 \e
> \& \-pkeyopt dh_paramgen_type:1
> .Ve
> .PP
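Review bot: the X9.42 example sets dh_paramgen_type:1 but leaves dh_paramgen_subprime_len unset, so the size of q comes from the default described under that option (256 when the prime is at least 2048 bits). Suggest either adding -pkeyopt dh_paramgen_subprime_len:256 to the command or a sentence after it stating that the default subprime length is used.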
326a384,395
> .PP
> Generate \s-1EC\s0 key directly:
> .PP
> .Vb 3
> \& openssl genpkey \-algorithm EC \-out eckey.pem \e
> \& \-pkeyopt ec_paramgen_curve:P\-384 \e
> \& \-pkeyopt ec_param_enc:named_curve
> .Ve
> .SH "HISTORY"
> .IX Header "HISTORY"
> The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly,
> were added in OpenSSL 1.0.2.
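Review bot: in the HISTORY text, "The ability to use NIST curve names, and to generate an EC key directly, were added" pairs a singular subject with a plural verb; use "was added" or reword to "The abilities ... were added". The EC example above it passes ec_param_enc:named_curve, which the option text gives as the default, so a short remark that it is shown for illustration would keep readers from assuming it is required.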