diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/genpkey.1')
-rw-r--r-- | secure/usr.bin/openssl/man/genpkey.1 | 430 |
1 files changed, 430 insertions, 0 deletions
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1 new file mode 100644 index 000000000000..1fd374770d10 --- /dev/null +++ b/secure/usr.bin/openssl/man/genpkey.1 @@ -0,0 +1,430 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "GENPKEY 1" +.TH GENPKEY 1 "2018-11-20" "1.1.1a" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-genpkey, genpkey \- generate a private key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBgenpkey\fR +[\fB\-help\fR] +[\fB\-out filename\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-pass arg\fR] +[\fB\-\f(BIcipher\fB\fR] +[\fB\-engine id\fR] +[\fB\-paramfile file\fR] +[\fB\-algorithm alg\fR] +[\fB\-pkeyopt opt:value\fR] +[\fB\-genparam\fR] +[\fB\-text\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBgenpkey\fR command generates a private key. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output the key to the specified file. If this argument is not specified then +standard output is used. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0 +.IP "\fB\-pass arg\fR" 4 +.IX Item "-pass arg" +The output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +This option encrypts the private key with the supplied cipher. Any algorithm +name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. If used this option should precede all other +options. +.IP "\fB\-algorithm alg\fR" 4 +.IX Item "-algorithm alg" +Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must +precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR +are mutually exclusive. Engines may add algorithms in addition to the standard +built-in ones. +.Sp +Valid built-in algorithm names for private key generation are \s-1RSA,\s0 RSA-PSS, \s-1EC, +X25519, X448, ED25519\s0 and \s-1ED448.\s0 +.Sp +Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR +option) are \s-1DH, DSA\s0 and \s-1EC.\s0 +.Sp +Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0 +algorithm. These are identical and do not indicate the type of parameters that +will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3 +or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R" +below for more details. +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of +options supported depends on the public key algorithm used and its +implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and +\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details. +.IP "\fB\-genparam\fR" 4 +.IX Item "-genparam" +Generate a set of parameters instead of a private key. If used this option must +precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options. +.IP "\fB\-paramfile filename\fR" 4 +.IX Item "-paramfile filename" +Some public key algorithms generate a private key based on a set of parameters. +They can be supplied using this option. If this option is used the public key +algorithm used is determined by the parameters. If used this option must +precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR +are mutually exclusive. +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Print an (unencrypted) text representation of private and public keys and +parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure. +.SH "KEY GENERATION OPTIONS" +.IX Header "KEY GENERATION OPTIONS" +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. There are no key generation options defined for the X25519, X448, \s-1ED25519\s0 +or \s-1ED448\s0 algorithms. +.SS "\s-1RSA\s0 Key Generation Options" +.IX Subsection "RSA Key Generation Options" +.IP "\fBrsa_keygen_bits:numbits\fR" 4 +.IX Item "rsa_keygen_bits:numbits" +The number of bits in the generated key. If not specified 1024 is used. +.IP "\fBrsa_keygen_primes:numprimes\fR" 4 +.IX Item "rsa_keygen_primes:numprimes" +The number of primes in the generated key. If not specified 2 is used. +.IP "\fBrsa_keygen_pubexp:value\fR" 4 +.IX Item "rsa_keygen_pubexp:value" +The \s-1RSA\s0 public exponent value. This can be a large decimal or +hexadecimal value if preceded by \fB0x\fR. Default value is 65537. +.SS "RSA-PSS Key Generation Options" +.IX Subsection "RSA-PSS Key Generation Options" +Note: by default an \fBRSA-PSS\fR key has no parameter restrictions. +.IP "\fBrsa_keygen_bits:numbits\fR, \fBrsa_keygen_primes:numprimes\fR, \fBrsa_keygen_pubexp:value\fR" 4 +.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value" +These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm. +.IP "\fBrsa_pss_keygen_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_md:digest" +If set the key is restricted and can only use \fBdigest\fR for signing. +.IP "\fBrsa_pss_keygen_mgf1_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_mgf1_md:digest" +If set the key is restricted and can only use \fBdigest\fR as it's \s-1MGF1\s0 +parameter. +.IP "\fBrsa_pss_keygen_saltlen:len\fR" 4 +.IX Item "rsa_pss_keygen_saltlen:len" +If set the key is restricted and \fBlen\fR specifies the minimum salt length. +.SS "\s-1EC\s0 Key Generation Options" +.IX Subsection "EC Key Generation Options" +The \s-1EC\s0 key generation options can also be used for parameter generation. +.IP "\fBec_paramgen_curve:curve\fR" 4 +.IX Item "ec_paramgen_curve:curve" +The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R". +.IP "\fBec_param_enc:encoding\fR" 4 +.IX Item "ec_param_enc:encoding" +The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either +\&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R". +.SH "PARAMETER GENERATION OPTIONS" +.IX Header "PARAMETER GENERATION OPTIONS" +The options supported by each algorithm and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. +.SS "\s-1DSA\s0 Parameter Generation Options" +.IX Subsection "DSA Parameter Generation Options" +.IP "\fBdsa_paramgen_bits:numbits\fR" 4 +.IX Item "dsa_paramgen_bits:numbits" +The number of bits in the generated prime. If not specified 1024 is used. +.IP "\fBdsa_paramgen_q_bits:numbits\fR" 4 +.IX Item "dsa_paramgen_q_bits:numbits" +The number of bits in the q parameter. Must be one of 160, 224 or 256. If not +specified 160 is used. +.IP "\fBdsa_paramgen_md:digest\fR" 4 +.IX Item "dsa_paramgen_md:digest" +The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR +or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size +of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be +ignored. If not set, then a digest will be used that gives an output matching +the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224 +or \fBsha256\fR if it is 256. +.SS "\s-1DH\s0 Parameter Generation Options" +.IX Subsection "DH Parameter Generation Options" +.IP "\fBdh_paramgen_prime_len:numbits\fR" 4 +.IX Item "dh_paramgen_prime_len:numbits" +The number of bits in the prime parameter \fBp\fR. The default is 1024. +.IP "\fBdh_paramgen_subprime_len:numbits\fR" 4 +.IX Item "dh_paramgen_subprime_len:numbits" +The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the +prime is at least 2048 bits long or 160 otherwise. Only relevant if used in +conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters. +.IP "\fBdh_paramgen_generator:value\fR" 4 +.IX Item "dh_paramgen_generator:value" +The value to use for the generator \fBg\fR. The default is 2. +.IP "\fBdh_paramgen_type:value\fR" 4 +.IX Item "dh_paramgen_type:value" +The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0 +The default is 0. +.IP "\fBdh_rfc5114:num\fR" 4 +.IX Item "dh_rfc5114:num" +If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used +instead of generating new parameters. The value \fBnum\fR can take the +values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of +1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup +and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections +2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter +options. +.SS "\s-1EC\s0 Parameter Generation Options" +.IX Subsection "EC Parameter Generation Options" +The \s-1EC\s0 parameter generation options are the same as for key generation. See +\&\*(L"\s-1EC\s0 Key Generation Options\*(R" above. +.SH "NOTES" +.IX Header "NOTES" +The use of the genpkey program is encouraged over the algorithm specific +utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms +can be used. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Generate an \s-1RSA\s0 private key using default parameters: +.PP +.Vb 1 +\& openssl genpkey \-algorithm RSA \-out key.pem +.Ve +.PP +Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R": +.PP +.Vb 1 +\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello +.Ve +.PP +Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent: +.PP +.Vb 2 +\& openssl genpkey \-algorithm RSA \-out key.pem \e +\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3 +.Ve +.PP +Generate 2048 bit \s-1DSA\s0 parameters: +.PP +.Vb 2 +\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e +\& \-pkeyopt dsa_paramgen_bits:2048 +.Ve +.PP +Generate \s-1DSA\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem +.Ve +.PP +Generate 2048 bit \s-1DH\s0 parameters: +.PP +.Vb 2 +\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e +\& \-pkeyopt dh_paramgen_prime_len:2048 +.Ve +.PP +Generate 2048 bit X9.42 \s-1DH\s0 parameters: +.PP +.Vb 3 +\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e +\& \-pkeyopt dh_paramgen_prime_len:2048 \e +\& \-pkeyopt dh_paramgen_type:1 +.Ve +.PP +Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup: +.PP +.Vb 1 +\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2 +.Ve +.PP +Generate \s-1DH\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem +.Ve +.PP +Generate \s-1EC\s0 parameters: +.PP +.Vb 3 +\& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e +\& \-pkeyopt ec_paramgen_curve:secp384r1 \e +\& \-pkeyopt ec_param_enc:named_curve +.Ve +.PP +Generate \s-1EC\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile ecp.pem \-out eckey.pem +.Ve +.PP +Generate \s-1EC\s0 key directly: +.PP +.Vb 3 +\& openssl genpkey \-algorithm EC \-out eckey.pem \e +\& \-pkeyopt ec_paramgen_curve:P\-384 \e +\& \-pkeyopt ec_param_enc:named_curve +.Ve +.PP +Generate an X25519 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm X25519 \-out xkey.pem +.Ve +.PP +Generate an \s-1ED448\s0 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm ED448 \-out xkey.pem +.Ve +.SH "HISTORY" +.IX Header "HISTORY" +The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly, +were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in +OpenSSL 1.1.0. The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +<https://www.openssl.org/source/license.html>. |