xref: /freebsd/crypto/openssl/doc/man1/openssl-pkey.pod.in (revision 4b15965daa99044daf184221b7c283bf7f2d7e66)
=pod

=begin comment
{- join("\n", @autowarntext) -}

=end comment

=head1 NAME

openssl-pkey - public or private key processing command

=head1 SYNOPSIS

B<openssl> B<pkey>
[B<-help>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-check>]
[B<-pubcheck>]
[B<-in> I<filename>|I<uri>]
[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-pubin>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-I<cipher>>]
[B<-passout> I<arg>]
[B<-traditional>]
[B<-pubout>]
[B<-noout>]
[B<-text>]
[B<-text_pub>]
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]

=head1 DESCRIPTION

This command processes public or private keys. They can be
converted between various forms and their components printed.

=head1 OPTIONS

=head2 General options

=over 4

=item B<-help>

Print out a usage message.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=item B<-check>

This option checks the consistency of a key pair for both public and private
components.

=item B<-pubcheck>

This option checks the correctness of either a public key
or the public component of a key pair.

=back

=head2 Input options

=over 4

=item B<-in> I<filename>|I<uri>

This specifies the input file to read a key from
or standard input if this option is not specified.

If the key input is encrypted and B<-passin> is not given
a pass phrase will be prompted for.

=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-passin> I<arg>

The password source for the key input.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-pubin>

By default a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.

=back

=head2 Output options

=over 4

=item B<-out> I<filename>

This specifies the output file to save the encoded and/or text output of the key
or standard output if this option is not specified.
The output filename can be the same as the input filename,
which leads to replacing the file contents.
Note that file I/O is not atomic. The output file is truncated and then written.

If any cipher option is set but no B<-passout> is given
then a pass phrase will be prompted for.
When password input is interrupted, the output file is not touched.

=item B<-outform> B<DER>|B<PEM>

The key output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.

=item B<-I<cipher>>

Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
Encryption is not supported for DER output.

=item B<-passout> I<arg>

The password source for the output file.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-traditional>

Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.

=item B<-pubout>

By default both the private and public key are output;
this option restricts the output to the public components.
This option is automatically set if the input is a public key.

When combined with B<-text>, this is equivalent to B<-text_pub>.

=item B<-noout>

Do not output the key in encoded form.

=item B<-text>

Output the various key components in plain text
(possibly in addition to the PEM encoded form).
This cannot be combined with encoded output in DER format.

=item B<-text_pub>

Output in text form only the public key components (also for private keys).
This cannot be combined with encoded output in DER format.

=item B<-ec_conv_form> I<arg>

This option only applies to elliptic-curve based keys.

This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
value), B<uncompressed> and B<hybrid>. For more information regarding
the point conversion forms please read the X9.62 standard.
B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.

=item B<-ec_param_enc> I<arg>

This option only applies to elliptic curve based public and private keys.

This specifies how the elliptic curve parameters are encoded.
Possible values are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.

=back

=head1 EXAMPLES

To remove the pass phrase on a private key:

 openssl pkey -in key.pem -out keyout.pem

To encrypt a private key using triple DES:

 openssl pkey -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

 openssl pkey -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

 openssl pkey -in key.pem -text -noout

To print out the public components of a private key to standard output:

 openssl pkey -in key.pem -text_pub -noout

To just output the public part of a private key:

 openssl pkey -in key.pem -pubout -out pubkey.pem

To change the EC parameters encoding to B<explicit>:

 openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem

To change the EC point conversion form to B<compressed>:

 openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
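
Because B<-out> truncates the file before writing and the I/O is not atomic, pointing it at the input file can lose the only copy of a key if the run fails part-way. The following is an added example, not part of the OpenSSL sources: it encrypts a key in place by writing to a temporary file, verifying it with B<-check>, and only then renaming it over the original. The function names C<pub_of> and C<reencrypt_key> are hypothetical, and an OpenSSL 3.x B<openssl> binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL sources. The function names
# (pub_of, reencrypt_key) and the temp-file pattern are assumptions.

# Print the public key of a (possibly encrypted) private key as PEM.
pub_of() {
    openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null
}

# reencrypt_key <keyfile> <passin-arg> <passout-arg>
# Passphrase arguments use the openssl-passphrase-options(1) syntax,
# e.g. env:VAR or file:path, which keep the secret off the command line.
reencrypt_key() {
    rk_key=$1 rk_in=$2 rk_out=$3
    rk_dir=$(dirname -- "$rk_key") || return 1
    # Temp file in the same directory, so the final mv is a rename on one
    # filesystem; mktemp creates it with owner-only permissions.
    rk_tmp=$(umask 077 && mktemp "$rk_dir/.pkey.XXXXXX") || return 1

    rk_old=$(pub_of "$rk_key" "$rk_in")
    if [ -n "$rk_old" ] &&
       openssl pkey -in "$rk_key" -passin "$rk_in" \
           -aes-256-cbc -passout "$rk_out" -out "$rk_tmp" 2>/dev/null &&
       # The new file must decrypt and pass the key-pair consistency check ...
       openssl pkey -in "$rk_tmp" -passin "$rk_out" -check -noout \
           >/dev/null 2>&1 &&
       # ... and must hold the same key as the original.
       [ "$(pub_of "$rk_tmp" "$rk_out")" = "$rk_old" ]
    then
        mv -f -- "$rk_tmp" "$rk_key"
    else
        # Any failure leaves the original key file untouched.
        rm -f -- "$rk_tmp"
        return 1
    fi
}
```

Called as C<reencrypt_key key.pem env:OLDPW env:NEWPW>, with both variables exported by the caller; the input passphrase argument is ignored when the key is not encrypted.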

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-genpkey(1)>,
L<openssl-rsa(1)>,
L<openssl-pkcs8(1)>,
L<openssl-dsa(1)>,
L<openssl-genrsa(1)>,
L<openssl-gendsa(1)>

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut