openssl-genpkey.1 - OpenGrok cross reference for /freebsd/secure/usr.bin/openssl/man/openssl-genpkey.1

Lines Matching +full:output +full:- +full:only
1 .\" -*- mode: troff; coding: utf-8 -*-
36 .\" output yourself in some meaningful fashion.
57 .IX Title "OPENSSL-GENPKEY 1ossl"
58 .TH OPENSSL-GENPKEY 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-genpkey \- generate a private key or key pair
68 [\fB\-help\fR]
69 [\fB\-out\fR \fIfilename\fR]
70 [\fB\-outpubkey\fR \fIfilename\fR]
71 [\fB\-outform\fR \fBDER\fR|\fBPEM\fR]
72 [\fB\-verbose\fR]
73 [\fB\-quiet\fR]
74 [\fB\-pass\fR \fIarg\fR]
75 [\fB\-\fR\f(BIcipher\fR]
76 [\fB\-paramfile\fR \fIfile\fR]
77 [\fB\-algorithm\fR \fIalg\fR]
78 [\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
79 [\fB\-genparam\fR]
80 [\fB\-text\fR]
81 [\fB\-rand\fR \fIfiles\fR]
82 [\fB\-writerand\fR \fIfile\fR]
83 [\fB\-engine\fR \fIid\fR]
85 [\fB\-provider\fR \fIname\fR]
86 [\fB\-provider\-path\fR \fIpath\fR]
87 [\fB\-provparam\fR \fI[name:]key=value\fR]
88 [\fB\-propquery\fR \fIpropq\fR]
89 [\fB\-config\fR \fIconfigfile\fR]
95 .IP \fB\-help\fR 4
96 .IX Item "-help"
98 .IP "\fB\-out\fR \fIfilename\fR" 4
99 .IX Item "-out filename"
100 Output the private key to the specified file. If this argument is not
101 specified then standard output is used.
102 .IP "\fB\-outpubkey\fR \fIfilename\fR" 4
103 .IX Item "-outpubkey filename"
104 Output the public key to the specified file. If this argument is not
105 specified then the public key is not output.
106 .IP "\fB\-outform\fR \fBDER\fR|\fBPEM\fR" 4
107 .IX Item "-outform DER|PEM"
108 The output format, except when \fB\-genparam\fR is given; the default is \fBPEM\fR.
109 See \fBopenssl\-format\-options\fR\|(1) for details.
111 When \fB\-genparam\fR is given, \fB\-outform\fR is ignored.
112 .IP \fB\-verbose\fR 4
113 .IX Item "-verbose"
114 Output "status dots" while generating keys.
115 .IP \fB\-quiet\fR 4
116 .IX Item "-quiet"
117 Do not output "status dots" while generating keys.
118 .IP "\fB\-pass\fR \fIarg\fR" 4
119 .IX Item "-pass arg"
120 The output file password source. For more information about the format of \fIarg\fR
121 see \fBopenssl\-passphrase\-options\fR\|(1).
122 .IP \fB\-\fR\f(BIcipher\fR 4
123 .IX Item "-cipher"
126 .IP "\fB\-algorithm\fR \fIalg\fR" 4
127 .IX Item "-algorithm alg"
129 precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
131 the standard built-in ones.
133 Valid built-in algorithm names for private key generation are RSA, RSA-PSS, EC,
134 X25519, X448, ED25519, ED448, ML-DSA and ML-KEM.
136 Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
141 .IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
142 .IX Item "-pkeyopt opt:value"
149 \&\fBopenssl\fR \fBgenpkey\fR \-algorithm XXX \-help
150 .IP \fB\-genparam\fR 4
151 .IX Item "-genparam"
153 precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
154 .IP "\fB\-paramfile\fR \fIfilename\fR" 4
155 .IX Item "-paramfile filename"
159 precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
161 .IP \fB\-text\fR 4
162 .IX Item "-text"
165 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
166 .IX Item "-rand files, -writerand file"
168 .IP "\fB\-engine\fR \fIid\fR" 4
169 .IX Item "-engine id"
172 .IP "\fB\-provider\fR \fIname\fR" 4
173 .IX Item "-provider name"
175 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
176 .IX Item "-provider-path path"
177 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
178 .IX Item "-provparam [name:]key=value"
179 .IP "\fB\-propquery\fR \fIpropq\fR" 4
180 .IX Item "-propquery propq"
183 .IP "\fB\-config\fR \fIconfigfile\fR" 4
184 .IX Item "-config configfile"
204 .SS "RSA-PSS Key Generation Options"
205 .IX Subsection "RSA-PSS Key Generation Options"
206 Note: by default an \fBRSA-PSS\fR key has no parameter restrictions.
212 If set the key is restricted and can only use \fIdigest\fR for signing.
215 If set the key is restricted and can only use \fIdigest\fR as it's MGF1
225 The EC curve to use. OpenSSL supports NIST curve names such as "P\-256".
230 .SS "ML-DSA Key Generation Options"
231 .IX Subsection "ML-DSA Key Generation Options"
234 This specifies the optional ML-DSA \fIseed\fR in hexadecimal form.  The seed is 32
238 If other users can see the command-line arguments of the running process, this
239 option may compromise the secret key, it is best avoided, tests-aside.
241 See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for more detail.
242 .SS "ML-KEM Key Generation Options"
243 .IX Subsection "ML-KEM Key Generation Options"
246 This specifies the optional ML-KEM \fIseed\fR in hexadecimal form.  The seed is 64
250 If other users can see the command-line arguments of the running process, this
251 option may compromise the secret key, it is best avoided, tests-aside.
253 See \fBEVP_PKEY\-ML\-KEM\fR\|(7) for more detail.
285 or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
287 ignored. If not set, then a digest will be used that gives an output matching
295 The type of generation to use. Set this to 1 to use legacy FIPS186\-2 parameter
296 generation. The default of 0 uses FIPS186\-4 parameter generation.
301 will only use the bottom byte.
303 If this value is not set then g is not verifiable. The default value is \-1.
307 This should be used for testing purposes only. This will either produced fixed
351 Only relevant if used in conjunction with the \fBdh_paramgen_type\fR option to
353 .IP \fBsafeprime-generator\fR:\fIvalue\fR 4
354 .IX Item "safeprime-generator:value"
371 FIPS186\-4 parameter generation.
375 FIPS186\-4 parameter generation.
399 or \fBsha256\fR. If set, then the number of bits in \fBqbits\fR will match the output
401 ignored. If not set, then a digest will be used that gives an output matching
404 This is only used by "fips186_4" and "fips186_2" key generation.
408 This is only used by "fips186_4" and "fips186_2" key generation.
413 will only use the bottom byte.
415 If this value is not set then g is not verifiable. The default value is \-1.
416 This is only used by "fips186_4" and "fips186_2" key generation.
420 This should be used for testing purposes only. This will either produced fixed
423 This is only used by "fips186_4" and "fips186_2" key generation.
438 \& openssl genpkey \-algorithm RSA \-out key.pem
441 Encrypt output private key using 128 bit AES and the passphrase "hello":
444 \& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello
450 \& openssl genpkey \-algorithm RSA \-out key.pem \e
451 \&     \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3
454 Generate 2048 bit DSA parameters that can be validated: The output values for
456 the output pem file).
459 \& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \-pkeyopt pbits:2048 \e
460 \&     \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \-pkeyopt gindex:1 \-text
466 \& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
472 \& openssl genpkey \-algorithm DH \-out dhkey.pem \-pkeyopt group:ffdhe4096
478 \& openssl genpkey \-algorithm DHX \-out dhkey.pem \-pkeyopt dh_rfc5114:3
484 \& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
487 Output DH parameters for safe prime group ffdhe2048:
490 \& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt group:ffdhe2048
493 Output 2048 bit X9.42 DH parameters with 224 bit subgroup using RFC5114 group2:
496 \& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-pkeyopt dh_rfc5114:2
499 Output 2048 bit X9.42 DH parameters with 224 bit subgroup using FIP186\-4 keygen:
502 \& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
503 \&     \-pkeyopt pbits:2048 \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \e
504 \&     \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:2
507 Output 1024 bit X9.42 DH parameters with 160 bit subgroup using FIP186\-2 keygen:
510 \& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
511 \&     \-pkeyopt pbits:1024 \-pkeyopt qbits:160 \-pkeyopt digest:SHA1 \e
512 \&     \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:1
515 Output 2048 bit DH parameters:
518 \& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
519 \&     \-pkeyopt dh_paramgen_prime_len:2048
522 Output 2048 bit DH parameters using a generator:
525 \& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
526 \&     \-pkeyopt dh_paramgen_prime_len:2048 \e
527 \&     \-pkeyopt dh_paramgen_type:1
533 \& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e
534 \&        \-pkeyopt ec_paramgen_curve:secp384r1 \e
535 \&        \-pkeyopt ec_param_enc:named_curve
541 \& openssl genpkey \-paramfile ecp.pem \-out eckey.pem
547 \& openssl genpkey \-algorithm EC \-out eckey.pem \e
548 \&        \-pkeyopt ec_paramgen_curve:P\-384 \e
549 \&        \-pkeyopt ec_param_enc:named_curve
555 \& openssl genpkey \-algorithm X25519 \-out xkey.pem
561 \& openssl genpkey \-algorithm ED448 \-out xkey.pem
564 Generate an ML\-DSA\-65 private key:
567 \& openssl genpkey \-algorithm ML\-DSA\-65 \-out ml\-dsa\-key.pem
570 Generate an ML\-KEM\-768 private key:
573 \& openssl genpkey \-algorithm ML\-KEM\-768 \-out ml\-kem\-key.pem
582 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
584 Support for \fBML-DSA\fR and \fBML-KEM\fR was added in OpenSSL 3.5.
587 Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.