[openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2

Dave Thompson dthompson at prinpay.com
Thu Feb 19 08:22:09 UTC 2015


> From: openssl-users On Behalf Of openssl at lists.killian.com
> Sent: Wednesday, February 18, 2015 13:26

> I noticed that openssl(1) says that various things have been superseded by
> genpkey, so I tried changing my scripts to use it. It works fine for RSA,
> but the man page is not very helpful on EC. I tried
> 
>     openssl genpkey -out key.new -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1
> 
> and got
> 
>     parameter setting error
>     139638314907280:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
<snip>

genpkey has a standard idea, across all algorithms that have parameters
(which RSA does not), to generate parameters and key(s) as separate
steps with a file in between. For DSA and DH this is good; you may want
to generate your own params, or you may want to use existing ones
(in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less
sense, as generating your own curve is complicated (OpenSSL certainly
doesn't do it) and in practice everyone* uses the named curves.
Nonetheless you still do:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
openssl genpkey -paramfile pfile >keyfile

Depending on your OS and shell you may be able to combine these like
openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0
or openssl genpkey -paramfile <<<$(openssl genpkey -genparam)

* Well, everybody except the crowd around Dan Bernstein, and they use
non-Weierstrass curves that OpenSSL can't even represent (now?).
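The two-step parameter-then-key flow described above, wrapped in a small POSIX shell function so a script can reuse it for any named curve. This is an added example, not code from the thread or from the OpenSSL project; it assumes a POSIX sh with mktemp and an openssl binary on PATH, and the function names, the temporary parameter file and the output file name are choices made here. The final `openssl ec -check` step is a sanity check that the generated key parses and its public point actually lies on the curve.

```shell
#!/bin/sh
# Added example (not from the original post): the genpkey two-step
# flow for EC keys. Assumes POSIX sh, mktemp and openssl on PATH;
# file names are chosen here, not taken from the thread.
set -eu

# gen_ec_key CURVE OUTFILE
# Step 1 writes only the curve parameters (named-curve OID) to a
# temporary file; step 2 reads them back and generates the private key.
# genpkey writes the key in PKCS#8 PEM form ("BEGIN PRIVATE KEY").
gen_ec_key() {
    curve=$1
    out=$2
    pfile=$(mktemp) || return 1
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt "ec_paramgen_curve:$curve" -out "$pfile" \
        || { rm -f "$pfile"; return 1; }
    openssl genpkey -paramfile "$pfile" -out "$out" \
        || { rm -f "$pfile"; return 1; }
    rm -f "$pfile"
    # Sanity check: key parses and the public point is on the curve.
    openssl ec -in "$out" -noout -check >/dev/null 2>&1
}

# key_curve KEYFILE
# Print the curve name recorded in the key (the "ASN1 OID:" line of
# the text dump), so a script can confirm it got the curve it asked for.
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    gen_ec_key secp384r1 key.pem
    echo "generated key.pem on curve: $(key_curve key.pem)"
fi
```

Keeping the parameter file in a temporary location and deleting it afterwards avoids leaving a second artifact next to the key; the parameters themselves are public (just the curve OID), so this is tidiness rather than secrecy. Checking the recorded curve name after generation catches the silent case where a typo in the `-pkeyopt` value produced a key on a different curve than intended.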
