[openssl-users] Generate ECC key with password protection
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Jan 12 22:47:29 UTC 2017
> On Jan 12, 2017, at 5:34 PM, Ken Goldman <kgoldman at us.ibm.com> wrote:
>
>>> Is there an openssl command that can generate an ECC key pair where the
>>> output file is password protected?
>> openssl genpkey
>
> My latest attempt is this. It gives me a usage error. Any hints?
>
> openssl genpkey -out cakeyecc.pem -outform pem -pass pass:rrrr aes-256-cbc -algorithm ec pkeyopt ec_paramgen_curve:prime256v1 -text

The "aes-256-cbc" argument is wrong. Try "-aes256".

Also, take a look at test/certs/mkcert.sh:

    key() {
        local key=$1; shift

        local alg=rsa
        if [ -n "$OPENSSL_KEYALG" ]; then
            alg=$OPENSSL_KEYALG
        fi

        # For alg=ec, $bits is passed as the curve name (ec_paramgen_curve).
        local bits=2048
        if [ -n "$OPENSSL_KEYBITS" ]; then
            bits=$OPENSSL_KEYBITS
        fi

        # Generate the key only if ${key}.pem does not already exist.
        if [ ! -f "${key}.pem" ]; then
            args=(-algorithm "$alg")
            case $alg in
            rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
            ec)  args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
                 args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
            *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
            esac
            # stderr_onerror is a helper defined elsewhere in mkcert.sh.
            stderr_onerror \
                openssl genpkey "${args[@]}" -out "${key}.pem"
        fi
    }

--
Viktor.
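
The following is an added example, not part of the original post or of mkcert.sh: one way to generate the passphrase-protected EC key asked about in this thread and to check that the file on disk really is encrypted. The function names and the KEYPASS/TRYPASS environment variables are hypothetical; only the openssl options are real.

```shell
#!/bin/sh
# Added example: function and variable names are assumptions, not from the thread.

# gen_ec_key OUTFILE [CURVE]
# The passphrase is read from $KEYPASS (-pass env:) so it does not appear in
# the process argument list the way "pass:..." does.
gen_ec_key() {
    out=$1
    curve=${2:-prime256v1}
    [ -n "${KEYPASS:-}" ] || { echo "KEYPASS is not set" >&2; return 2; }
    (
        umask 077    # key file readable by its owner only
        # -algorithm must come before any -pkeyopt.
        # -text is left out: it writes an unencrypted text dump of the
        # private key next to the PEM structure.
        openssl genpkey -algorithm EC \
            -pkeyopt "ec_paramgen_curve:$curve" \
            -pkeyopt ec_param_enc:named_curve \
            -aes256 -pass env:KEYPASS \
            -out "$out"
    )
}

# key_is_encrypted FILE
# True if the PEM holds an encrypted PKCS#8 container, not a clear-text key.
key_is_encrypted() {
    head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# key_opens_with FILE PASSPHRASE
# True only if the key decrypts and parses with the given passphrase.
key_opens_with() {
    TRYPASS=$2 openssl pkey -in "$1" -passin env:TRYPASS -noout 2>/dev/null
}

# Usage: KEYPASS=... sh genec.sh cakeyecc.pem
if [ "$#" -ge 1 ]; then
    gen_ec_key "$1" && key_is_encrypted "$1" && echo "wrote encrypted key: $1"
fi
```
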