xref: /freebsd/crypto/openssl/doc/man1/openssl-pkey.pod.in (revision fe75646a0234a261c0013bf1840fdac4acaf0cec)
1=pod
2
3=begin comment
4{- join("\n", @autowarntext) -}
5
6=end comment
7
8=head1 NAME
9
10openssl-pkey - public or private key processing command
11
12=head1 SYNOPSIS
13
14B<openssl> B<pkey>
15[B<-help>]
16{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
17[B<-check>]
18[B<-pubcheck>]
19[B<-in> I<filename>|I<uri>]
20[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
21[B<-passin> I<arg>]
22[B<-pubin>]
23[B<-out> I<filename>]
24[B<-outform> B<DER>|B<PEM>]
25[B<-I<cipher>>]
26[B<-passout> I<arg>]
27[B<-traditional>]
28[B<-pubout>]
29[B<-noout>]
30[B<-text>]
31[B<-text_pub>]
32[B<-ec_conv_form> I<arg>]
33[B<-ec_param_enc> I<arg>]
34
35=head1 DESCRIPTION
36
37This command processes public or private keys. They can be
38converted between various forms and their components printed.
39
40=head1 OPTIONS
41
42=head2 General options
43
44=over 4
45
46=item B<-help>
47
48Print out a usage message.
49
50{- $OpenSSL::safe::opt_engine_item -}
51
52{- $OpenSSL::safe::opt_provider_item -}
53
54=item B<-check>
55
56This option checks the consistency of a key pair for both public and private
57components.
58
59=item B<-pubcheck>
60
61This option checks the correctness of either a public key
62or the public component of a key pair.
63
64=back
65
66=head2 Input options
67
68=over 4
69
70=item B<-in> I<filename>|I<uri>
71
72This specifies the input to read a key from
73or standard input if this option is not specified.
74If the key input is encrypted and B<-passin> is not given
75a pass phrase will be prompted for.
76
77=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
78
79The key input format; unspecified by default.
80See L<openssl-format-options(1)> for details.
81
82=item B<-passin> I<arg>
83
84The password source for the key input.
85
86For more information about the format of B<arg>
87see L<openssl-passphrase-options(1)>.
88
89=item B<-pubin>
90
91By default a private key is read from the input.
92With this option only the public components are read.
93
94=back
95
96=head2 Output options
97
98=over 4
99
100=item B<-out> I<filename>
101
102This specifies the output filename to save the encoded and/or text output of key
103or standard output if this option is not specified.
104If any cipher option is set but no B<-passout> is given
105then a pass phrase will be prompted for.
106The output filename should B<not> be the same as the input filename.
107
108=item B<-outform> B<DER>|B<PEM>
109
110The key output format; the default is B<PEM>.
111See L<openssl-format-options(1)> for details.
112
113=item B<-I<cipher>>
114
115Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
116name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
117Encryption is not supported for DER output.
118
119=item B<-passout> I<arg>
120
121The password source for the output file.
122
123For more information about the format of B<arg>
124see L<openssl-passphrase-options(1)>.
125
126=item B<-traditional>
127
128Normally a private key is written using standard format: this is PKCS#8 form
129with the appropriate encryption algorithm (if any). If the B<-traditional>
130option is specified then the older "traditional" format is used instead.
131
132=item B<-pubout>
133
134By default the private and public key is output;
135this option restricts the output to the public components.
136This option is automatically set if the input is a public key.
137
138When combined with B<-text>, this is equivalent to B<-text_pub>.
139
140=item B<-noout>
141
142Do not output the key in encoded form.
143
144=item B<-text>
145
146Output the various key components in plain text
147(possibly in addition to the PEM encoded form).
148This cannot be combined with encoded output in DER format.
149
150=item B<-text_pub>
151
152Output in text form only the public key components (also for private keys).
153This cannot be combined with encoded output in DER format.
154
155=item B<-ec_conv_form> I<arg>
156
157This option only applies to elliptic-curve based keys.
158
159This specifies how the points on the elliptic curve are converted
160into octet strings. Possible values are: B<compressed> (the default
161value), B<uncompressed> and B<hybrid>. For more information regarding
162the point conversion forms please read the X9.62 standard.
163B<Note> Due to patent issues the B<compressed> option is disabled
164by default for binary curves and can be enabled by defining
165the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
166
167=item B<-ec_param_enc> I<arg>
168
169This option only applies to elliptic curve based public and private keys.
170
171This specifies how the elliptic curve parameters are encoded.
172Possible value are: B<named_curve>, i.e. the ec parameters are
173specified by an OID, or B<explicit> where the ec parameters are
174explicitly given (see RFC 3279 for the definition of the
175EC parameters structures). The default value is B<named_curve>.
176B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
177is currently not implemented in OpenSSL.
178
179=back
180
181=head1 EXAMPLES
182
183To remove the pass phrase on a private key:
184
185 openssl pkey -in key.pem -out keyout.pem
186
187To encrypt a private key using triple DES:
188
189 openssl pkey -in key.pem -des3 -out keyout.pem
190
191To convert a private key from PEM to DER format:
192
193 openssl pkey -in key.pem -outform DER -out keyout.der
194
195To print out the components of a private key to standard output:
196
197 openssl pkey -in key.pem -text -noout
198
199To print out the public components of a private key to standard output:
200
201 openssl pkey -in key.pem -text_pub -noout
202
203To just output the public part of a private key:
204
205 openssl pkey -in key.pem -pubout -out pubkey.pem
206
207To change the EC parameters encoding to B<explicit>:
208
209 openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
210
211To change the EC point conversion form to B<compressed>:
212
213 openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
214
215=head1 SEE ALSO
216
217L<openssl(1)>,
218L<openssl-genpkey(1)>,
219L<openssl-rsa(1)>,
220L<openssl-pkcs8(1)>,
221L<openssl-dsa(1)>,
222L<openssl-genrsa(1)>,
223L<openssl-gendsa(1)>
224
225=head1 HISTORY
226
227The B<-engine> option was deprecated in OpenSSL 3.0.
228
229=head1 COPYRIGHT
230
231Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
232
233Licensed under the Apache License 2.0 (the "License").  You may not use
234this file except in compliance with the License.  You can obtain a copy
235in the file LICENSE in the source distribution or at
236L<https://www.openssl.org/source/license.html>.
237
238=cut
239