genpkey.pod revision 325337
=pod

=head1 NAME

openssl-genpkey,
genpkey - generate a private key

=head1 SYNOPSIS

B<openssl> B<genpkey>
[B<-out filename>]
[B<-outform PEM|DER>]
[B<-pass arg>]
[B<-cipher>]
[B<-engine id>]
[B<-paramfile file>]
[B<-algorithm alg>]
[B<-pkeyopt opt:value>]
[B<-genparam>]
[B<-text>]

=head1 DESCRIPTION

The B<genpkey> command generates a private key.

=head1 OPTIONS

=over 4

=item B<-out filename>

the output filename. If this argument is not specified then standard output is
used.

=item B<-outform DER|PEM>

This specifies the output format DER or PEM.

=item B<-pass arg>

the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-cipher>

This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.

=item B<-engine id>

specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
options.

=item B<-algorithm alg>

public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.

=item B<-pkeyopt opt:value>

set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> below for more details.

=item B<-genparam>

generate a set of parameters instead of a private key. If used this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
=item B<-paramfile filename>

Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
algorithm used is determined by the parameters. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
are mutually exclusive.

=item B<-text>

Print an (unencrypted) text representation of private and public keys and
parameters along with the PEM or DER structure.

=back

=head1 KEY GENERATION OPTIONS

The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.

=head1 RSA KEY GENERATION OPTIONS

=over 4

=item B<rsa_keygen_bits:numbits>

The number of bits in the generated key. If not specified 1024 is used.

=item B<rsa_keygen_pubexp:value>

The RSA public exponent value. This can be a large decimal or
hexadecimal value if preceded by B<0x>. Default value is 65537.

=back

=head1 DSA PARAMETER GENERATION OPTIONS

=over 4

=item B<dsa_paramgen_bits:numbits>

The number of bits in the generated parameters. If not specified 1024 is used.

=back

=head1 DH PARAMETER GENERATION OPTIONS

=over 4

=item B<dh_paramgen_prime_len:numbits>

The number of bits in the prime parameter B<p>.

=item B<dh_paramgen_generator:value>

The value to use for the generator B<g>.

=item B<dh_rfc5114:num>

If this option is set then the appropriate RFC5114 parameters are used
instead of generating new parameters. The value B<num> can take the
values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively.
=back

=head1 EC PARAMETER GENERATION OPTIONS

=over 4

=item B<ec_paramgen_curve:curve>

the EC curve to use.

=back

=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS

Gost 2001 support is not enabled by default. To enable this algorithm,
one should load the ccgost engine in the OpenSSL configuration file.
See README.gost file in the engines/ccgost directory of the source
distribution for more details.

Use of a parameter file for the GOST R 34.10 algorithm is optional.
Parameters can be specified during key generation directly as well as
during generation of parameter file.

=over 4

=item B<paramset:name>

Specifies GOST R 34.10-2001 parameter set according to RFC 4357.
Parameter set can be specified using abbreviated name, object short name or
numeric OID. Following parameter sets are supported:

 paramset      OID                Usage
 A             1.2.643.2.2.35.1   Signature
 B             1.2.643.2.2.35.2   Signature
 C             1.2.643.2.2.35.3   Signature
 XA            1.2.643.2.2.36.0   Key exchange
 XB            1.2.643.2.2.36.1   Key exchange
 test          1.2.643.2.2.35.0   Test purposes

=back

=head1 NOTES

The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and ENGINE provided algorithms
can be used.
=head1 EXAMPLES

Generate an RSA private key using default parameters:

 openssl genpkey -algorithm RSA -out key.pem

Encrypt output private key using 128 bit AES and the passphrase "hello":

 openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello

Generate a 2048 bit RSA key using 3 as the public exponent:

 openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
 -pkeyopt rsa_keygen_pubexp:3

Generate 1024 bit DSA parameters:

 openssl genpkey -genparam -algorithm DSA -out dsap.pem \
 -pkeyopt dsa_paramgen_bits:1024

Generate DSA key from parameters:

 openssl genpkey -paramfile dsap.pem -out dsakey.pem

Generate 1024 bit DH parameters:

 openssl genpkey -genparam -algorithm DH -out dhp.pem \
 -pkeyopt dh_paramgen_prime_len:1024

Output RFC5114 2048 bit DH parameters with 224 bit subgroup:

 openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2

Generate DH key from parameters:

 openssl genpkey -paramfile dhp.pem -out dhkey.pem

=cut