[openssl-users] Generate ECC key with password protection

Ken Goldman kgoldman at us.ibm.com
Fri Jan 13 18:06:10 UTC 2017

Thanks for the help.  Am I getting closer?

On 1/13/2017 9:44 AM, Viktor Dukhovni wrote:
>>> Also, take a look at test/certs/mkcert.sh:
>> I looked at that, but what is $bits?
> The curve name.
> You're sure fond of leaving off the leading "-" in option names.
> You'll also really want the "ec_param_enc" option when you get
> the rest of the syntax right.

OK, sorry, hyphen-o-phobia.

I gather now that there are two -pkeyopt:


I tried prime256v1 for each, and also named_curve and explicit
for the second, in many combinations.

It's also not 100% clear whether I specify -pkeyopt each time, or once 
and then pairs of opt:value.

In all combinations, I now get:

openssl genpkey -out cakeyecc.pem -outform pem -pass pass:rrrr -aes256 
-algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 
ec_param_enc:explicit -text

parameter setting error
140171547424584:error:06089094:digital envelope 
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

More information about the openssl-users mailing list