=pod

=head1 NAME

genpkey - generate a private key

=head1 SYNOPSIS

B<openssl> B<genpkey>
[B<-out filename>]
[B<-outform PEM|DER>]
[B<-pass arg>]
[B<-cipher>]
[B<-engine id>]
[B<-paramfile file>]
[B<-algorithm alg>]
[B<-pkeyopt opt:value>]
[B<-genparam>]
[B<-text>]

=head1 DESCRIPTION

The B<genpkey> command generates a private key.

=head1 OPTIONS

=over 4

=item B<-out filename>

The output filename. If this argument is not specified then standard output is
used.

=item B<-outform DER|PEM>

This specifies the output format DER or PEM.

=item B<-pass arg>

The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-cipher>

This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable, such as B<des3>.

=item B<-engine id>

Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used, this option should precede all other
options.

=item B<-algorithm alg>

The public key algorithm to use, such as RSA, DSA or DH. If used, this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.

=item B<-pkeyopt opt:value>

Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.

=item B<-genparam>

Generate a set of parameters instead of a private key. If used, this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.

=item B<-paramfile filename>

Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used, the public key
algorithm used is determined by the parameters. If used, this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.

=item B<-text>

Print an (unencrypted) text representation of private and public keys and
parameters along with the PEM or DER structure.

=back

=head1 KEY GENERATION OPTIONS

The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.

=head1 RSA KEY GENERATION OPTIONS

=over 4

=item B<rsa_keygen_bits:numbits>

The number of bits in the generated key. If not specified 1024 is used.

=item B<rsa_keygen_pubexp:value>

The RSA public exponent value. This can be a large decimal or
hexadecimal value if preceded by B<0x>. Default value is 65537.

=back

=head1 DSA PARAMETER GENERATION OPTIONS

=over 4

=item B<dsa_paramgen_bits:numbits>

The number of bits in the generated parameters. If not specified 1024 is used.

=back

=head1 DH PARAMETER GENERATION OPTIONS

=over 4

=item B<dh_paramgen_prime_len:numbits>

The number of bits in the prime parameter B<p>.

=item B<dh_paramgen_generator:value>

The value to use for the generator B<g>.

=back

=head1 EC PARAMETER GENERATION OPTIONS

=over 4

=item B<ec_paramgen_curve:curve>

The EC curve to use.

=back

=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS

Gost 2001 support is not enabled by default. To enable this algorithm,
one should load the ccgost engine in the OpenSSL configuration file.
See the README.gost file in the engines/ccgost directory of the source
distribution for more details.

Use of a parameter file for the GOST R 34.10 algorithm is optional.
Parameters can be specified during key generation directly as well as
during generation of a parameter file.

=over 4

=item B<paramset:name>

Specifies the GOST R 34.10-2001 parameter set according to RFC 4357.
The parameter set can be specified using an abbreviated name, object short name or
numeric OID. The following parameter sets are supported:

  paramset   OID               Usage
  A          1.2.643.2.2.35.1  Signature
  B          1.2.643.2.2.35.2  Signature
  C          1.2.643.2.2.35.3  Signature
  XA         1.2.643.2.2.36.0  Key exchange
  XB         1.2.643.2.2.36.1  Key exchange
  test       1.2.643.2.2.35.0  Test purposes

=back

=head1 NOTES

The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and ENGINE provided algorithms
can be used.
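
Added example, not part of the original manual page: since B<rsa_keygen_bits> defaults to 1024 and a B<pass:> argument exposes the passphrase on the command line, this script generates a key with an explicit size and a B<file:> passphrase source, then checks that the result is encrypted and of the expected size. The helper names, file names and passphrase are constructed for illustration; B<openssl pkey> and the B<file:> source are assumed to be available as described in L<openssl(1)|openssl(1)>.

```shell
#!/bin/sh
# Added example, not from the genpkey manual page. Helper names, file names
# and the passphrase are constructed for illustration.

# gen_rsa_key OUT BITS PASSFILE
# -algorithm precedes -pkeyopt, as the OPTIONS section requires.
gen_rsa_key() {
    ( umask 077    # create the key file readable by its owner only
      openssl genpkey -algorithm RSA \
          -pkeyopt "rsa_keygen_bits:$2" \
          -aes-128-cbc -pass "file:$3" \
          -out "$1" 2>/dev/null )
}

# key_bits KEY PASSFILE: print the key size that "openssl pkey -text" reports.
key_bits() {
    openssl pkey -in "$1" -passin "file:$2" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# is_encrypted KEY: succeed only if the PEM holds an encrypted PKCS#8 key.
is_encrypted() {
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# check_key KEY PASSFILE MINBITS: fail on a plaintext or undersized key.
check_key() {
    is_encrypted "$1" || { echo "not encrypted: $1" >&2; return 1; }
    bits=$(key_bits "$1" "$2")
    [ -n "$bits" ] && [ "$bits" -ge "$3" ] ||
        { echo "key too small or unreadable: $1" >&2; return 1; }
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-demo-passphrase' > "$dir/pass.txt"
    gen_rsa_key "$dir/key.pem" 2048 "$dir/pass.txt" &&
        check_key "$dir/key.pem" "$dir/pass.txt" 2048 &&
        echo "ok: $(key_bits "$dir/key.pem" "$dir/pass.txt") bit key, encrypted"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```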

=head1 EXAMPLES

Generate an RSA private key using default parameters:

 openssl genpkey -algorithm RSA -out key.pem

Encrypt output private key using 128 bit AES and the passphrase "hello":

 openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello

Generate a 2048 bit RSA key using 3 as the public exponent:

 openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
                                             -pkeyopt rsa_keygen_pubexp:3

Generate 1024 bit DSA parameters:

 openssl genpkey -genparam -algorithm DSA -out dsap.pem \
                                             -pkeyopt dsa_paramgen_bits:1024

Generate DSA key from parameters:

 openssl genpkey -paramfile dsap.pem -out dsakey.pem

Generate 1024 bit DH parameters:

 openssl genpkey -genparam -algorithm DH -out dhp.pem \
                                             -pkeyopt dh_paramgen_prime_len:1024

Generate DH key from parameters:

 openssl genpkey -paramfile dhp.pem -out dhkey.pem

=cut