[openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2

Dave Thompson dthompson at prinpay.com
Thu Feb 19 08:22:09 UTC 2015

> From: openssl-users On Behalf Of openssl at lists.killian.com
> Sent: Wednesday, February 18, 2015 13:26

> I noticed that openssl(1) says that various things have been superseded by
> genpkey, so I tried changing my scripts to use it. It works fine for RSA,
but the
> man page is not very helpful on EC. I tried
>     openssl genpkey -out key.new -algorithm EC -pkeyopt
> ec_paramgen_curve:secp384r1
> and got
>     parameter setting error
>     139638314907280:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

genpkey has a standard idea, across all algorithms that have parameters 
(which RSA does not), to generate parameters and key(s) as separate 
steps with a file in between. For DSA and DH this is good; you may want 
to generate your own params, or you may want to use existing ones 
(in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less
as generating your own curve is complicated (OpenSSL certainly doesn't do
and in practice everyone* uses the named curves. Nonetheless you still do:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
openssl genpkey -paramfile pfile >keyfile 

Depending on your OS and shell you may be able to combine these like
openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0
or openssl genpkey -paramfile <<<$(openssl genpkey -genparam)

* Well, everybody except the crowd around Dan Bernstein, and they use 
non-Weierstrauss curves that OpenSSL can't even represent (now?).

More information about the openssl-users mailing list