Lines Matching +full:key +full:-
6 Keys are the basis of public key algorithms and PKI. Keys usually
7 come in pairs, with one half being the public key and the other half
8 being the private key. With OpenSSL, the private key contains the
9 public key information as well, so a public key doesn't need to be
17 2. To generate an RSA key
19 An RSA key can be used both for encryption and for signing.
21 Generating a key for the RSA algorithm is quite easy; all you have to
24 openssl genrsa -des3 -out privkey.pem 2048
27 you don't want your key to be protected by a password, remove the flag
28 '-des3' from the command line above.
30 The number 2048 is the size of the key, in bits. Today, 2048 or
35 3. To generate a DSA key
37 A DSA key can be used for signing only. It is important to
38 know what a certificate request with a DSA key can really be used for.
40 Generating a key for the DSA algorithm is a two-step process. First,
41 you have to generate parameters from which to generate the key:
43 openssl dsaparam -out dsaparam.pem 2048
45 The number 2048 is the size of the key, in bits. Today, 2048 or
49 When that is done, you can generate a key using the parameters in
53 openssl gendsa -des3 -out privkey.pem dsaparam.pem
56 you don't want your key to be protected by a password, remove the flag
57 '-des3' from the command line above.
60 4. To generate an EC key
62 An EC key can be used both for key agreement (ECDH) and signing (ECDSA).
64 Generating a key for ECC is similar to generating a DSA key. These are
65 two-step processes. First, you have to get the EC parameters from which
66 the key will be generated:
68 openssl ecparam -name prime256v1 -out prime256v1.pem
70 The prime256v1, or NIST P-256, which stands for 'X9.62/SECG curve over
71 a 256-bit prime field', is the name of an elliptic curve which generates the
74 openssl ecparam -list_curves
76 When that is done, you can generate a key using the created parameters (several
79 openssl genpkey -des3 -paramfile prime256v1.pem -out private.key
81 With this variant, you will be prompted for a password to protect your key.
82 If you don't want your key to be protected by a password, remove the flag
83 '-des3' from the command line above.
85 You can also directly generate the key in one step:
87 openssl ecparam -genkey -name prime256v1 -out private.key
91 openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256
93 5. To generate an ML-DSA key
95 An ML-DSA key can be used for signing (and verification via the public key)
98 Generating a key for the ML-DSA algorithm is a one-step process.
100 openssl genpkey -algorithm ML-DSA-44 -out key.pem
101 openssl genpkey -algorithm ML-DSA-65 -out key.pem
102 openssl genpkey -algorithm ML-DSA-87 -out key.pem
104 See L<EVP_PKEY-ML-DSA(7)> for more detail.
106 6. To generate an ML-KEM key
108 An ML-KEM key can be used for decapsulation (and encapsulation via the public
109 key) only.
111 Generating a key for the ML-KEM algorithm is a one-step process.
113 openssl genpkey -algorithm ML-KEM-512 -out key.pem
114 openssl genpkey -algorithm ML-KEM-768 -out key.pem
115 openssl genpkey -algorithm ML-KEM-1024 -out key.pem
117 See L<EVP_PKEY-ML-KEM(7)> for more detail.
121 If you intend to use the key together with a server certificate,
124 server needs to access the key.
127 one of the EC curves listed with 'ecparam -list_curves' option. You can use the
128 following command to generate an X25519 key:
130 openssl genpkey -algorithm X25519 -out xkey.pem
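
An added example, not part of the OpenSSL HOWTO: the '-des3' flag in the commands above decides whether the private key file is password-protected, and this script audits a directory for private keys written without a password, and for key files readable beyond their owner, by reading only the PEM armor lines. The function names, the *.pem / *.key file patterns and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a PEM private key by its armor lines only (nothing is decrypted).
# Prints: encrypted | unencrypted | not-a-private-key
pem_key_protection() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                      # PKCS#8, password-protected
    elif grep -Eq -- '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$1"; then
        # Traditional format: encryption shows up as a Proc-Type header
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo unencrypted                    # PKCS#8, no password
    else
        echo not-a-private-key
    fi
}

# Permission characters for group and other; "------" means owner-only.
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Audit *.pem and *.key files in directory $1 (assumed naming patterns).
# Prints one line per private key: "<name> <protection> <owner-only|exposed>"
audit_key_dir() {
    for f in "$1"/*.pem "$1"/*.key; do
        [ -f "$f" ] || continue
        p=$(pem_key_protection "$f")
        [ "$p" = not-a-private-key ] && continue
        if [ "$(group_other_bits "$f")" = "------" ]; then
            m=owner-only
        else
            m=exposed
        fi
        echo "${f##*/} $p $m"
    done
}

# Demo on constructed files (armor lines only, no real key material).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo/privkey.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
    '-----END PRIVATE KEY-----' > "$demo/private.key"
chmod 600 "$demo/privkey.pem"; chmod 644 "$demo/private.key"
audit_key_dir "$demo"
rm -rf "$demo"
```

A key reported as "unencrypted exposed" has neither a password nor restrictive file permissions protecting it.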