Lines Matching +full:group +full:- +full:index +full:- +full:bits

4 {- join("\n", @autowarntext) -}
10 openssl-genpkey - generate a private key or key pair
15 [B<-help>]
16 [B<-out> I<filename>]
17 [B<-outpubkey> I<filename>]
18 [B<-outform> B<DER>|B<PEM>]
19 [B<-verbose>]
20 [B<-quiet>]
21 [B<-pass> I<arg>]
22 [B<-I<cipher>>]
23 [B<-paramfile> I<file>]
24 [B<-algorithm> I<alg>]
25 [B<-pkeyopt> I<opt>:I<value>]
26 [B<-genparam>]
27 [B<-text>]
28 {- $OpenSSL::safe::opt_r_synopsis -}
29 {- $OpenSSL::safe::opt_engine_synopsis -}
30 {- $OpenSSL::safe::opt_provider_synopsis -}
31 {- $OpenSSL::safe::opt_config_synopsis -}
41 =item B<-help>
45 =item B<-out> I<filename>
50 =item B<-outpubkey> I<filename>
55 =item B<-outform> B<DER>|B<PEM>
57 The output format, except when B<-genparam> is given; the default is B<PEM>.
58 See L<openssl-format-options(1)> for details.
60 When B<-genparam> is given, B<-outform> is ignored.
62 =item B<-verbose>
66 =item B<-quiet>
70 =item B<-pass> I<arg>
73 see L<openssl-passphrase-options(1)>.
75 =item B<-I<cipher>>
80 =item B<-algorithm> I<alg>
83 precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
85 the standard built-in ones.
87 Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC,
88 X25519, X448, ED25519, ED448, ML-DSA and ML-KEM.
90 Valid built-in algorithm names for parameter generation (see the B<-genparam>
96 =item B<-pkeyopt> I<opt>:I<value>
104 B<openssl> B<genpkey> -algorithm XXX -help
106 =item B<-genparam>
109 precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
111 =item B<-paramfile> I<filename>
116 precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
119 =item B<-text>
124 {- $OpenSSL::safe::opt_r_item -}
126 {- $OpenSSL::safe::opt_engine_item -}
128 {- $OpenSSL::safe::opt_provider_item -}
130 {- $OpenSSL::safe::opt_config_item -}
147 The number of bits in the generated key. If not specified 2048 is used.
160 =head2 RSA-PSS Key Generation Options
162 Note: by default an B<RSA-PSS> key has no parameter restrictions.
194 The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
203 =head2 ML-DSA Key Generation Options
209 This specifies the optional ML-DSA I<seed> in hexadecimal form. The seed is 32
213 If other users can see the command-line arguments of the running process, this
214 option may compromise the secret key; it is best avoided, except in tests.
216 See L<EVP_PKEY-ML-DSA(7)> for more detail.
220 =head2 ML-KEM Key Generation Options
226 This specifies the optional ML-KEM I<seed> in hexadecimal form. The seed is 64
230 If other users can see the command-line arguments of the running process, this
231 option may compromise the secret key; it is best avoided, except in tests.
233 See L<EVP_PKEY-ML-KEM(7)> for more detail.
241 =item B<group>:I<name>
243 The B<paramfile> option is not required if a named group is used here.
261 The number of bits in the generated prime. If not specified 2048 is used.
267 The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
275 or B<sha256>. If set, then the number of bits in B<q> will match the output size
278 the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it is 224
287 The type of generation to use. Set this to 1 to use legacy FIPS186-2 parameter
288 generation. The default of 0 uses FIPS186-4 parameter generation.
290 =item B<gindex>:I<index>
292 The index to use for canonical generation and verification of the generator g.
295 This I<index> must then be reused during key validation to verify the value of g.
296 If this value is not set then g is not verifiable. The default value is -1.
309 For most use cases it is recommended to use the B<group> option rather than
310 the B<type> options. Note that the B<group> option is not used by default if
315 =item B<group>:I<name>
319 Use a named DH group to select constant values for the DH parameters.
333 1, 2 or 3 that are equivalent to using the option B<group> with one of
341 The number of bits in the prime parameter I<p>. The default is 2048.
347 The number of bits in the sub prime parameter I<q>. The default is 224.
351 =item B<safeprime-generator>:I<value>
371 FIPS186-4 parameter generation.
376 FIPS186-4 parameter generation.
379 =item "group"
398 "generator", "fips186_2", "fips186_4" or "group".
403 or B<sha256>. If set, then the number of bits in B<qbits> will match the output
406 the number of bits in B<q>, i.e. B<sha1> if q length is 160, B<sha224> if it is
415 =item B<gindex>:I<index>
417 The index to use for canonical generation and verification of the generator g.
420 This I<index> must then be reused during key validation to verify the value of g.
421 If this value is not set then g is not verifiable. The default value is -1.
449 openssl genpkey -algorithm RSA -out key.pem
453 openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
457 openssl genpkey -algorithm RSA -out key.pem \
458 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
464 openssl genpkey -genparam -algorithm DSA -out dsap.pem -pkeyopt pbits:2048 \
465 -pkeyopt qbits:224 -pkeyopt digest:SHA256 -pkeyopt gindex:1 -text
469 openssl genpkey -paramfile dsap.pem -out dsakey.pem
471 Generate 4096 bit DH Key using safe prime group ffdhe4096:
473 openssl genpkey -algorithm DH -out dhkey.pem -pkeyopt group:ffdhe4096
477 openssl genpkey -algorithm DHX -out dhkey.pem -pkeyopt dh_rfc5114:3
481 openssl genpkey -paramfile dhp.pem -out dhkey.pem
483 Output DH parameters for safe prime group ffdhe2048:
485 openssl genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt group:ffdhe2048
489 openssl genpkey -genparam -algorithm DHX -out dhp.pem -pkeyopt dh_rfc5114:2
491 Output 2048 bit X9.42 DH parameters with 224 bit subgroup using FIPS186-4 keygen:
493 openssl genpkey -genparam -algorithm DHX -out dhp.pem -text \
494 -pkeyopt pbits:2048 -pkeyopt qbits:224 -pkeyopt digest:SHA256 \
495 -pkeyopt gindex:1 -pkeyopt dh_paramgen_type:2
497 Output 1024 bit X9.42 DH parameters with 160 bit subgroup using FIPS186-2 keygen:
499 openssl genpkey -genparam -algorithm DHX -out dhp.pem -text \
500 -pkeyopt pbits:1024 -pkeyopt qbits:160 -pkeyopt digest:SHA1 \
501 -pkeyopt gindex:1 -pkeyopt dh_paramgen_type:1
505 openssl genpkey -genparam -algorithm DH -out dhp.pem \
506 -pkeyopt dh_paramgen_prime_len:2048
510 openssl genpkey -genparam -algorithm DH -out dhpx.pem \
511 -pkeyopt dh_paramgen_prime_len:2048 \
512 -pkeyopt dh_paramgen_type:1
516 openssl genpkey -genparam -algorithm EC -out ecp.pem \
517 -pkeyopt ec_paramgen_curve:secp384r1 \
518 -pkeyopt ec_param_enc:named_curve
522 openssl genpkey -paramfile ecp.pem -out eckey.pem
526 openssl genpkey -algorithm EC -out eckey.pem \
527 -pkeyopt ec_paramgen_curve:P-384 \
528 -pkeyopt ec_param_enc:named_curve
532 openssl genpkey -algorithm X25519 -out xkey.pem
536 openssl genpkey -algorithm ED448 -out xkey.pem
538 Generate an ML-DSA-65 private key:
540 openssl genpkey -algorithm ML-DSA-65 -out ml-dsa-key.pem
542 Generate an ML-KEM-768 private key:
544 openssl genpkey -algorithm ML-KEM-768 -out ml-kem-key.pem
553 The B<-engine> option was deprecated in OpenSSL 3.0.
555 Support for B<ML-DSA> and B<ML-KEM> was added in OpenSSL 3.5.
559 Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.