Commit | Line | Data |
---|---|---|
49131a7d DSH |
1 | =pod |
2 | ||
018aaeb4 RS |
3 | =begin comment |
4 | {- join("\n", @autowarntext) -} | |
5 | ||
6 | =end comment | |
7 | ||
49131a7d DSH |
8 | =head1 NAME |
9 | ||
4b537191 | 10 | openssl-pkey - public or private key processing command |
49131a7d DSH |
11 | |
12 | =head1 SYNOPSIS | |
13 | ||
14 | B<openssl> B<pkey> | |
169394d4 | 15 | [B<-help>] |
1f7643e8 DDO |
16 | {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} |
17 | [B<-check>] | |
18 | [B<-pubcheck>] | |
f91d003a | 19 | [B<-in> I<filename>|I<uri>] |
1f7643e8 | 20 | [B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] |
e8769719 | 21 | [B<-passin> I<arg>] |
1f7643e8 | 22 | [B<-pubin>] |
e8769719 | 23 | [B<-out> I<filename>] |
1f7643e8 DDO |
24 | [B<-outform> B<DER>|B<PEM>] |
25 | [B<-I<cipher>>] | |
e8769719 | 26 | [B<-passout> I<arg>] |
05dba815 | 27 | [B<-traditional>] |
49131a7d | 28 | [B<-pubout>] |
1f7643e8 | 29 | [B<-noout>] |
1f7643e8 | 30 | [B<-text>] |
046a7aaa | 31 | [B<-text_pub>] |
92fee421 P |
32 | [B<-ec_conv_form> I<arg>] |
33 | [B<-ec_param_enc> I<arg>] | |
49131a7d DSH |
34 | |
35 | =head1 DESCRIPTION | |
36 | ||
35a810bb | 37 | This command processes public or private keys. They can be |
1f7643e8 | 38 | converted between various forms and their components printed. |
49131a7d | 39 | |
3dfda1a6 | 40 | =head1 OPTIONS |
49131a7d | 41 | |
1f7643e8 DDO |
42 | =head2 General options |
43 | ||
49131a7d DSH |
44 | =over 4 |
45 | ||
169394d4 MR |
46 | =item B<-help> |
47 | ||
48 | Print out a usage message. | |
49 | ||
1f7643e8 DDO |
50 | {- $OpenSSL::safe::opt_engine_item -} |
51 | ||
52 | {- $OpenSSL::safe::opt_provider_item -} | |
53 | ||
54 | =item B<-check> | |
55 | ||
56 | This option checks the consistency of a key pair for both public and private | |
57 | components. | |
58 | ||
59 | =item B<-pubcheck> | |
60 | ||
61 | This option checks the correctness of either a public key | |
62 | or the public component of a key pair. | |
63 | ||
64 | =back | |
65 | ||
66 | =head2 Input options | |
67 | ||
68 | =over 4 | |
69 | ||
70 | =item B<-in> I<filename>|I<uri> | |
71 | ||
72 | This specifies the input to read a key from | |
73 | or standard input if this option is not specified. | |
046a7aaa | 74 | If the key input is encrypted and B<-passin> is not given |
1f7643e8 DDO |
75 | a pass phrase will be prompted for. |
76 | ||
6d382c74 | 77 | =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE> |
49131a7d | 78 | |
bee3f389 | 79 | The key input format; unspecified by default. |
46949153 | 80 | See L<openssl-format-options(1)> for details. |
6d382c74 | 81 | |
1f7643e8 | 82 | =item B<-passin> I<arg> |
6d382c74 | 83 | |
1f7643e8 | 84 | The password source for the key input. |
49131a7d | 85 | |
1f7643e8 DDO |
86 | For more information about the format of B<arg> |
87 | see L<openssl-passphrase-options(1)>. | |
49131a7d | 88 | |
1f7643e8 | 89 | =item B<-pubin> |
49131a7d | 90 | |
046a7aaa | 91 | By default a private key is read from the input. |
0e89b396 DDO |
92 | With this option a public key is read instead. |
93 | If the input contains no public key but a private key, its public part is used. | |
49131a7d | 94 | |
1f7643e8 | 95 | =back |
475d1002 | 96 | |
1f7643e8 DDO |
97 | =head2 Output options |
98 | ||
99 | =over 4 | |
49131a7d | 100 | |
e8769719 | 101 | =item B<-out> I<filename> |
49131a7d | 102 | |
046a7aaa | 103 | This specifies the output filename to save the encoded and/or text output of the key |
1f7643e8 | 104 | or standard output if this option is not specified. |
046a7aaa | 105 | If any cipher option is set but no B<-passout> is given |
1f7643e8 DDO |
106 | then a pass phrase will be prompted for. |
107 | The output filename should B<not> be the same as the input filename. | |
49131a7d | 108 | |
1f7643e8 | 109 | =item B<-outform> B<DER>|B<PEM> |
05dba815 | 110 | |
1f7643e8 DDO |
111 | The key output format; the default is B<PEM>. |
112 | See L<openssl-format-options(1)> for details. | |
05dba815 | 113 | |
8dc57d76 | 114 | =item B<-I<cipher>> |
49131a7d | 115 | |
046a7aaa | 116 | Encrypt the PEM encoded private key with the supplied cipher. Any algorithm |
1f7643e8 | 117 | name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>. |
046a7aaa | 118 | Encryption is not supported for DER output. |
49131a7d | 119 | |
1f7643e8 | 120 | =item B<-passout> I<arg> |
49131a7d | 121 | |
1f7643e8 | 122 | The password source for the output file. |
49131a7d | 123 | |
1f7643e8 DDO |
124 | For more information about the format of B<arg> |
125 | see L<openssl-passphrase-options(1)>. | |
49131a7d | 126 | |
1f7643e8 | 127 | =item B<-traditional> |
49131a7d | 128 | |
1f7643e8 DDO |
129 | Normally a private key is written using standard format: this is PKCS#8 form |
130 | with the appropriate encryption algorithm (if any). If the B<-traditional> | |
131 | option is specified then the older "traditional" format is used instead. | |
49131a7d | 132 | |
1f7643e8 | 133 | =item B<-pubout> |
49131a7d | 134 | |
5ac6d7d2 RL |
135 | By default both the private and public keys are output; |
136 | this option restricts the output to the public components. | |
1f7643e8 | 137 | This option is automatically set if the input is a public key. |
49131a7d | 138 | |
5ac6d7d2 RL |
139 | When combined with B<-text>, this is equivalent to B<-text_pub>. |
140 | ||
1f7643e8 | 141 | =item B<-noout> |
49131a7d | 142 | |
046a7aaa | 143 | Do not output the key in encoded form. |
49131a7d | 144 | |
1f7643e8 | 145 | =item B<-text> |
2aee35d3 | 146 | |
046a7aaa DDO |
147 | Output the various key components in plain text |
148 | (possibly in addition to the PEM encoded form). | |
149 | This cannot be combined with encoded output in DER format. | |
2aee35d3 | 150 | |
1f7643e8 | 151 | =item B<-text_pub> |
b0004708 | 152 | |
046a7aaa DDO |
153 | Output in text form only the public key components (also for private keys). |
154 | This cannot be combined with encoded output in DER format. | |
b0004708 | 155 | |
92fee421 P |
156 | =item B<-ec_conv_form> I<arg> |
157 | ||
1f7643e8 | 158 | This option only applies to elliptic-curve based keys. |
92fee421 P |
159 | |
160 | This specifies how the points on the elliptic curve are converted | |
161 | into octet strings. Possible values are: B<compressed> (the default | |
162 | value), B<uncompressed> and B<hybrid>. For more information regarding | |
163 | the point conversion forms please read the X9.62 standard. | |
164 | B<Note> Due to patent issues the B<compressed> option is disabled | |
165 | by default for binary curves and can be enabled by defining | |
166 | the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time. | |
167 | ||
168 | =item B<-ec_param_enc> I<arg> | |
169 | ||
170 | This option only applies to elliptic curve based public and private keys. | |
171 | ||
172 | This specifies how the elliptic curve parameters are encoded. | |
173 | Possible values are: B<named_curve>, i.e. the ec parameters are | |
174 | specified by an OID, or B<explicit> where the ec parameters are | |
175 | explicitly given (see RFC 3279 for the definition of the | |
176 | EC parameters structures). The default value is B<named_curve>. | |
177 | B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279, | |
178 | is currently not implemented in OpenSSL. | |
179 | ||
49131a7d DSH |
180 | =back |
181 | ||
182 | =head1 EXAMPLES | |
183 | ||
35eb4588 | 184 | To remove the pass phrase on a private key (no cipher option is given, so the key in keyout.pem is written unencrypted): |
49131a7d DSH |
185 | |
186 | openssl pkey -in key.pem -out keyout.pem | |
187 | ||
188 | To encrypt a private key using triple DES (any other cipher accepted by B<-I<cipher>>, such as B<-aes128>, is selected the same way): | |
189 | ||
190 | openssl pkey -in key.pem -des3 -out keyout.pem | |
191 | ||
1bc74519 | 192 | To convert a private key from PEM to DER format: |
49131a7d DSH |
193 | |
194 | openssl pkey -in key.pem -outform DER -out keyout.der | |
195 | ||
196 | To print out the components of a private key to standard output: | |
197 | ||
198 | openssl pkey -in key.pem -text -noout | |
199 | ||
200 | To print out the public components of a private key to standard output: | |
201 | ||
202 | openssl pkey -in key.pem -text_pub -noout | |
203 | ||
204 | To just output the public part of a private key: | |
205 | ||
206 | openssl pkey -in key.pem -pubout -out pubkey.pem | |
207 | ||
92fee421 P |
208 | To change the EC parameters encoding to B<explicit>: |
209 | ||
210 | openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem | |
211 | ||
212 | To change the EC point conversion form to B<compressed>: | |
213 | ||
214 | openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem | |
215 | ||
49131a7d DSH |
216 | =head1 SEE ALSO |
217 | ||
b6b66573 DMSP |
218 | L<openssl(1)>, |
219 | L<openssl-genpkey(1)>, | |
220 | L<openssl-rsa(1)>, | |
221 | L<openssl-pkcs8(1)>, | |
222 | L<openssl-dsa(1)>, | |
223 | L<openssl-genrsa(1)>, | |
224 | L<openssl-gendsa(1)> | |
49131a7d | 225 | |
0f221d9c P |
226 | =head1 HISTORY |
227 | ||
228 | The B<-engine> option was deprecated in OpenSSL 3.0. | |
229 | ||
e2f92610 RS |
230 | =head1 COPYRIGHT |
231 | ||
da1c088f | 232 | Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 233 | |
449040b4 | 234 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
235 | this file except in compliance with the License. You can obtain a copy |
236 | in the file LICENSE in the source distribution or at | |
237 | L<https://www.openssl.org/source/license.html>. | |
238 | ||
239 | =cut |