[openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2

Dr. Stephen Henson steve at openssl.org
Thu Feb 19 13:36:47 UTC 2015

On Thu, Feb 19, 2015, Dave Thompson wrote:

> > From: openssl-users On Behalf Of openssl at lists.killian.com
> > Sent: Wednesday, February 18, 2015 13:26
> > I noticed that openssl(1) says that various things have been superseded by
> > genpkey, so I tried changing my scripts to use it. It works fine for RSA,
> > but the man page is not very helpful on EC. I tried
> > 
> >     openssl genpkey -out key.new -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1
> > 
> > and got
> > 
> >     parameter setting error
> >     139638314907280:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
> <snip>
> genpkey has a standard idea, across all algorithms that have parameters 
> (which RSA does not), to generate parameters and key(s) as separate 
> steps with a file in between. For DSA and DH this is good; you may want 
> to generate your own params, or you may want to use existing ones 
> (in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less sense,
> as generating your own curve is complicated (OpenSSL certainly doesn't do it)
> and in practice everyone* uses the named curves. Nonetheless you still do:
> openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
> openssl genpkey -paramfile pfile >keyfile 
> Depending on your OS and shell you may be able to combine these like
> openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0
> or openssl genpkey -paramfile <<<$(openssl genpkey -genparam)

For OpenSSL 1.0.2 you can specify the parameters when a key is generated. So
the OP's command should work with 1.0.2.

It's also common to use the named curve form of encoding which isn't the
default in 1.0.x branches (for compatibility reasons). So in 1.0.2 you can do:

  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt \

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
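The two-step parameter-file flow from Dave's reply, followed by a check of which parameter encoding a generated key file actually carries, as an added shell example that is not part of the thread. It assumes the ec_param_enc option documented in genpkey(1) for 1.0.2 and later (so it needs at least 1.0.2, not the OP's 1.0.1k) and an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: two-step EC key generation via a parameter file (the flow
# that also works on 1.0.1), then a check of how the resulting key file
# encodes its curve. ec_param_enc is the genpkey(1) option (1.0.2 and
# later) that selects named_curve or explicit parameter encoding.
set -eu

# gen_ec_key CURVE ENCODING OUTFILE
#   1) write the curve parameters to a temporary file with -genparam
#   2) derive the private key from that parameter file
gen_ec_key() {
    curve=$1; enc=$2; out=$3
    pfile=$(mktemp)
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt "ec_paramgen_curve:$curve" \
        -pkeyopt "ec_param_enc:$enc" -out "$pfile"
    openssl genpkey -paramfile "$pfile" -out "$out"
    rm -f "$pfile"
}

# param_encoding KEYFILE -> prints "named_curve" or "explicit".
# A named-curve key carries the curve as one OBJECT IDENTIFIER (e.g.
# secp384r1); an explicit encoding spells out the field (prime-field),
# the coefficients, the generator and the order, which TLS peers
# generally do not accept.
param_encoding() {
    if openssl asn1parse -in "$1" | grep -q 'prime-field'; then
        echo explicit
    else
        echo named_curve
    fi
}

# Demo: one key of each encoding for secp384r1 (the OP's curve), then
# report what each file actually contains.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
gen_ec_key secp384r1 named_curve "$work/named.pem"
gen_ec_key secp384r1 explicit    "$work/explicit.pem"
for f in named.pem explicit.pem; do
    printf '%s: %s\n' "$f" "$(param_encoding "$work/$f")"
done
```

On a 1.0.x build the first file is only named-curve encoded because the script asks for it; without ec_param_enc:named_curve you would get the explicit form that Steve describes as the default there.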
