[thirdparty/openssl.git] / doc / man1 / openssl-pkey.pod.in

=pod

=begin comment
{- join("\n", @autowarntext) -}

=end comment

=head1 NAME

openssl-pkey - public or private key processing command

=head1 SYNOPSIS

B<openssl> B<pkey>
[B<-help>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-check>]
[B<-pubcheck>]
[B<-in> I<filename>|I<uri>]
[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-pubin>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-I<cipher>>]
[B<-passout> I<arg>]
[B<-traditional>]
[B<-pubout>]
[B<-noout>]
[B<-text>]
[B<-text_pub>]
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]

=head1 DESCRIPTION

This command processes public or private keys. They can be
converted between various forms and their components printed.

=head1 OPTIONS

=head2 General options

=over 4

=item B<-help>

Print out a usage message.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=item B<-check>

This option checks the consistency of a key pair for both public and private
components.

=item B<-pubcheck>

This option checks the correctness of either a public key
or the public component of a key pair.

=back

=head2 Input options

=over 4

=item B<-in> I<filename>|I<uri>

This specifies the input to read a key from
or standard input if this option is not specified.
If the key input is encrypted and B<-passin> is not given
a pass phrase will be prompted for.

=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-passin> I<arg>

The password source for the key input.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-pubin>

By default a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.

=back

=head2 Output options

=over 4

=item B<-out> I<filename>

This specifies the output filename to save the encoded and/or text output of key
or standard output if this option is not specified.
If any cipher option is set but no B<-passout> is given
then a pass phrase will be prompted for.
The output filename should B<not> be the same as the input filename.

=item B<-outform> B<DER>|B<PEM>

The key output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.

=item B<-I<cipher>>

Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
Encryption is not supported for DER output.

=item B<-passout> I<arg>

The password source for the output file.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-traditional>

Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.

=item B<-pubout>

By default the private and public key is output;
this option restricts the output to the public components.
This option is automatically set if the input is a public key.

When combined with B<-text>, this is equivalent to B<-text_pub>.

=item B<-noout>

Do not output the key in encoded form.

=item B<-text>

Output the various key components in plain text
(possibly in addition to the PEM encoded form).
This cannot be combined with encoded output in DER format.

=item B<-text_pub>

Output in text form only the public key components (also for private keys).
This cannot be combined with encoded output in DER format.

=item B<-ec_conv_form> I<arg>

This option only applies to elliptic-curve based keys.

This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
value), B<uncompressed> and B<hybrid>. For more information regarding
the point conversion forms please read the X9.62 standard.
B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.

=item B<-ec_param_enc> I<arg>

This option only applies to elliptic curve based public and private keys.

This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.

=back

=head1 EXAMPLES

To remove the pass phrase on a private key:

 openssl pkey -in key.pem -out keyout.pem

To encrypt a private key using triple DES:

 openssl pkey -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

 openssl pkey -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

 openssl pkey -in key.pem -text -noout

To print out the public components of a private key to standard output:

 openssl pkey -in key.pem -text_pub -noout

To just output the public part of a private key:

 openssl pkey -in key.pem -pubout -out pubkey.pem

To change the EC parameters encoding to B<explicit>:

 openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem

To change the EC point conversion form to B<compressed>:

 openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-genpkey(1)>,
L<openssl-rsa(1)>,
L<openssl-pkcs8(1)>,
L<openssl-dsa(1)>,
L<openssl-genrsa(1)>,
L<openssl-gendsa(1)>

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
49131a7d DSH	1	=pod
49131a7d DSH	2
018aaeb4 RS	3	=begin comment
	4	{- join("\n", @autowarntext) -}
	5
	6	=end comment
	7
49131a7d DSH	8	=head1 NAME
49131a7d DSH	9
4b537191	10	openssl-pkey - public or private key processing command
49131a7d DSH	11
	12	=head1 SYNOPSIS
	13
	14	B<openssl> B<pkey>
169394d4	15	[B<-help>]
1f7643e8 DDO	16	{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
	17	[B<-check>]
	18	[B<-pubcheck>]
f91d003a	19	[B<-in> I<filename>\|I<uri>]
1f7643e8	20	[B<-inform> B<DER>\|B<PEM>\|B<P12>\|B<ENGINE>]
e8769719	21	[B<-passin> I<arg>]
1f7643e8	22	[B<-pubin>]
e8769719	23	[B<-out> I<filename>]
1f7643e8 DDO	24	[B<-outform> B<DER>\|B<PEM>]
1f7643e8 DDO	25	[B<-I<cipher>>]
e8769719	26	[B<-passout> I<arg>]
05dba815	27	[B<-traditional>]
49131a7d	28	[B<-pubout>]
1f7643e8	29	[B<-noout>]
1f7643e8	30	[B<-text>]
046a7aaa	31	[B<-text_pub>]
92fee421 P	32	[B<-ec_conv_form> I<arg>]
92fee421 P	33	[B<-ec_param_enc> I<arg>]
49131a7d DSH	34
	35	=head1 DESCRIPTION
	36
35a810bb	37	This command processes public or private keys. They can be
1f7643e8	38	converted between various forms and their components printed.
49131a7d	39
3dfda1a6	40	=head1 OPTIONS
49131a7d	41
1f7643e8 DDO	42	=head2 General options
1f7643e8 DDO	43
49131a7d DSH	44	=over 4
49131a7d DSH	45
169394d4 MR	46	=item B<-help>
	47
	48	Print out a usage message.
	49
1f7643e8 DDO	50	{- $OpenSSL::safe::opt_engine_item -}
	51
	52	{- $OpenSSL::safe::opt_provider_item -}
	53
	54	=item B<-check>
	55
	56	This option checks the consistency of a key pair for both public and private
	57	components.
	58
	59	=item B<-pubcheck>
	60
	61	This option checks the correctness of either a public key
	62	or the public component of a key pair.
	63
	64	=back
	65
	66	=head2 Input options
	67
	68	=over 4
	69
	70	=item B<-in> I<filename>\|I<uri>
	71
	72	This specifies the input to read a key from
	73	or standard input if this option is not specified.
046a7aaa	74	If the key input is encrypted and B<-passin> is not given
1f7643e8 DDO	75	a pass phrase will be prompted for.
1f7643e8 DDO	76
6d382c74	77	=item B<-inform> B<DER>\|B<PEM>\|B<P12>\|B<ENGINE>
49131a7d	78
bee3f389	79	The key input format; unspecified by default.
46949153	80	See L<openssl-format-options(1)> for details.
6d382c74	81
1f7643e8	82	=item B<-passin> I<arg>
6d382c74	83
1f7643e8	84	The password source for the key input.
49131a7d	85
1f7643e8 DDO	86	For more information about the format of B<arg>
1f7643e8 DDO	87	see L<openssl-passphrase-options(1)>.
49131a7d	88
1f7643e8	89	=item B<-pubin>
49131a7d	90
046a7aaa	91	By default a private key is read from the input.
0e89b396 DDO	92	With this option a public key is read instead.
0e89b396 DDO	93	If the input contains no public key but a private key, its public part is used.
49131a7d	94
1f7643e8	95	=back
475d1002	96
1f7643e8 DDO	97	=head2 Output options
	98
	99	=over 4
49131a7d	100
e8769719	101	=item B<-out> I<filename>
49131a7d	102
046a7aaa	103	This specifies the output filename to save the encoded and/or text output of key
1f7643e8	104	or standard output if this option is not specified.
046a7aaa	105	If any cipher option is set but no B<-passout> is given
1f7643e8 DDO	106	then a pass phrase will be prompted for.
1f7643e8 DDO	107	The output filename should B<not> be the same as the input filename.
49131a7d	108
1f7643e8	109	=item B<-outform> B<DER>\|B<PEM>
05dba815	110
1f7643e8 DDO	111	The key output format; the default is B<PEM>.
1f7643e8 DDO	112	See L<openssl-format-options(1)> for details.
05dba815	113
8dc57d76	114	=item B<-I<cipher>>
49131a7d	115
046a7aaa	116	Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
1f7643e8	117	name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
046a7aaa	118	Encryption is not supported for DER output.
49131a7d	119
1f7643e8	120	=item B<-passout> I<arg>
49131a7d	121
1f7643e8	122	The password source for the output file.
49131a7d	123
1f7643e8 DDO	124	For more information about the format of B<arg>
1f7643e8 DDO	125	see L<openssl-passphrase-options(1)>.
49131a7d	126
1f7643e8	127	=item B<-traditional>
49131a7d	128
1f7643e8 DDO	129	Normally a private key is written using standard format: this is PKCS#8 form
	130	with the appropriate encryption algorithm (if any). If the B<-traditional>
	131	option is specified then the older "traditional" format is used instead.
49131a7d	132
1f7643e8	133	=item B<-pubout>
49131a7d	134
5ac6d7d2 RL	135	By default the private and public key is output;
5ac6d7d2 RL	136	this option restricts the output to the public components.
1f7643e8	137	This option is automatically set if the input is a public key.
49131a7d	138
5ac6d7d2 RL	139	When combined with B<-text>, this is equivalent to B<-text_pub>.
5ac6d7d2 RL	140
1f7643e8	141	=item B<-noout>
49131a7d	142
046a7aaa	143	Do not output the key in encoded form.
49131a7d	144
1f7643e8	145	=item B<-text>
2aee35d3	146
046a7aaa DDO	147	Output the various key components in plain text
	148	(possibly in addition to the PEM encoded form).
	149	This cannot be combined with encoded output in DER format.
2aee35d3	150
1f7643e8	151	=item B<-text_pub>
b0004708	152
046a7aaa DDO	153	Output in text form only the public key components (also for private keys).
046a7aaa DDO	154	This cannot be combined with encoded output in DER format.
b0004708	155
92fee421 P	156	=item B<-ec_conv_form> I<arg>
92fee421 P	157
1f7643e8	158	This option only applies to elliptic-curve based keys.
92fee421 P	159
	160	This specifies how the points on the elliptic curve are converted
	161	into octet strings. Possible values are: B<compressed> (the default
	162	value), B<uncompressed> and B<hybrid>. For more information regarding
	163	the point conversion forms please read the X9.62 standard.
	164	B<Note> Due to patent issues the B<compressed> option is disabled
	165	by default for binary curves and can be enabled by defining
	166	the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
	167
	168	=item B<-ec_param_enc> I<arg>
	169
	170	This option only applies to elliptic curve based public and private keys.
	171
	172	This specifies how the elliptic curve parameters are encoded.
	173	Possible value are: B<named_curve>, i.e. the ec parameters are
	174	specified by an OID, or B<explicit> where the ec parameters are
	175	explicitly given (see RFC 3279 for the definition of the
	176	EC parameters structures). The default value is B<named_curve>.
	177	B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
	178	is currently not implemented in OpenSSL.
	179
49131a7d DSH	180	=back
	181
	182	=head1 EXAMPLES
	183
35eb4588	184	To remove the pass phrase on a private key:
49131a7d DSH	185
	186	openssl pkey -in key.pem -out keyout.pem
	187
	188	To encrypt a private key using triple DES:
	189
	190	openssl pkey -in key.pem -des3 -out keyout.pem
	191
1bc74519	192	To convert a private key from PEM to DER format:
49131a7d DSH	193
	194	openssl pkey -in key.pem -outform DER -out keyout.der
	195
	196	To print out the components of a private key to standard output:
	197
	198	openssl pkey -in key.pem -text -noout
	199
	200	To print out the public components of a private key to standard output:
	201
	202	openssl pkey -in key.pem -text_pub -noout
	203
	204	To just output the public part of a private key:
	205
	206	openssl pkey -in key.pem -pubout -out pubkey.pem
	207
92fee421 P	208	To change the EC parameters encoding to B<explicit>:
	209
	210	openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
	211
	212	To change the EC point conversion form to B<compressed>:
	213
	214	openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
	215
49131a7d DSH	216	=head1 SEE ALSO
49131a7d DSH	217
b6b66573 DMSP	218	L<openssl(1)>,
	219	L<openssl-genpkey(1)>,
	220	L<openssl-rsa(1)>,
	221	L<openssl-pkcs8(1)>,
	222	L<openssl-dsa(1)>,
	223	L<openssl-genrsa(1)>,
	224	L<openssl-gendsa(1)>
49131a7d	225
0f221d9c P	226	=head1 HISTORY
	227
	228	The B<-engine> option was deprecated in OpenSSL 3.0.
	229
e2f92610 RS	230	=head1 COPYRIGHT
e2f92610 RS	231
da1c088f	232	Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	233
449040b4	234	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	235	this file except in compliance with the License. You can obtain a copy
	236	in the file LICENSE in the source distribution or at
	237	L<https://www.openssl.org/source/license.html>.
	238
	239	=cut