[openssl-users] Password protect EC private key
Robert Moskowitz
rgm at htt-consult.com
Thu Aug 10 18:49:02 UTC 2017
Thank you, Viktor.
On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
> On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:
>
>> openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
>>
>> But openssl ecparam does not have any option equivalent (that I can find) to -aes256
> Yes, this command does not currently support key encryption.
>
>> What am I missing.
> The command that does is:
>
> $ openssl genpkey -aes256 -algorithm ec \
> -pkeyopt ec_paramgen_curve:secp256k1 \
> -pkeyopt ec_param_enc:named_curve \
> -out private/ca.key.pem
So I see that I use this for the CA(s) key generation, but what about a
Server or Client key pair to feed into a CSR? I probably do not want
those keys encrypted (well I do, but we sacrifice protection for easy of
use, sigh).
> Are you sure you want secp256k1? By far the more common choice is
> prime256r1 (aka P-256 or secp256r1).
Thanks, I read things wrong and selected the wrong curve. Yes, I want
prime256r1.
>
>> openssl ecparam -in private/ca.key.pem -text -noout
> EC keys are read with "openssl ec" not "openssl ecparam".
>
Ah. I will give this a try.
Bob
More information about the openssl-users
mailing list