[openssl-users] ed25519 key generation

Matt Caswell matt at openssl.org
Mon Mar 26 10:46:09 UTC 2018

On 25/03/18 12:46, Jeremy Harris wrote:
> On 25/03/18 02:05, Viktor Dukhovni wrote:
>>> Is there a way yet to get the raw public-key out,
>>> documented or not?  As you may guess, this is for DKIM.
>> Not sure what format DKIM wants the key in, but if it is SKPI
>> in base64 form 
> It is not.  The _raw_ pubkey, base64'd is what is wanted.
> No ASN.1 wrapping; that's why I said "raw".

I just had the exact same conversation off-list...

To generate an Ed25519 private key:

$ openssl genpkey -algorithm ed25519 -outform PEM -out test25519.pem

OpenSSL does not support outputting only the raw key from the command
line. You *can* get it in SubjectPublicKeyInfo format which, for an
Ed25519 key will always consist of 12 bytes of ASN.1 header followed by
32 bytes of raw key. Therefore to get a base64 encoded raw public key:

$ openssl pkey -outform DER -pubout -in test25519.pem | tail -c +13 |
openssl base64


More information about the openssl-users mailing list