[openssl-users] Password protect EC private key

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 10 18:57:27 UTC 2017


On Thu, Aug 10, 2017 at 02:49:02PM -0400, Robert Moskowitz wrote:

> > The command that does is:
> > 
> >     $  openssl genpkey -aes256 -algorithm ec \
> > 	-pkeyopt ec_paramgen_curve:secp256k1 \
> > 	-pkeyopt ec_param_enc:named_curve \
> > 	-out private/ca.key.pem
> 
> So I see that I use this for the CA(s) key generation, but what about a
> Server or Client key pair to feed into a CSR?  I probably do not want those
> keys encrypted (well I do, but we sacrifice protection for easy of use,
> sigh).

Just leave off the "-aes256" option.

> > Are you sure you want secp256k1?  By far the more common choice is
> > prime256r1 (aka P-256 or secp256r1).
> 
> Thanks, I read things wrong and selected the wrong curve.  Yes, I want
> prime256r1.
> 
> > > openssl ecparam -in private/ca.key.pem -text -noout
> > EC keys are read with "openssl ec" not "openssl ecparam".
> 
> Ah.  I will give this a try.

Better yet, use "openssl pkey".

-- 
	Viktor.


More information about the openssl-users mailing list