[thirdparty/openssl.git] / doc / man1 / openssl-pkey.pod.in

=pod

=begin comment
{- join("\n", @autowarntext) -}

=end comment

=head1 NAME

openssl-pkey - public or private key processing command

=head1 SYNOPSIS

B<openssl> B<pkey>
[B<-help>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-check>]
[B<-pubcheck>]
[B<-in> I<filename>|I<uri>]
[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-pubin>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-I<cipher>>]
[B<-passout> I<arg>]
[B<-traditional>]
[B<-pubout>]
[B<-noout>]
[B<-text>]
[B<-text_pub>]
[B<-ec_conv_form> I<arg>]
[B<-ec_param_enc> I<arg>]

=for openssl ifdef engine

=head1 DESCRIPTION

This command processes public or private keys. They can be
converted between various forms and their components printed.

=head1 OPTIONS

=head2 General options

=over 4

=item B<-help>

Print out a usage message.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=item B<-check>

This option checks the consistency of a key pair for both public and private
components.

=item B<-pubcheck>

This option checks the correctness of either a public key
or the public component of a key pair.

=back

=head2 Input options

=over 4

=item B<-in> I<filename>|I<uri>

This specifies the input to read a key from
or standard input if this option is not specified.
If the key input is encrypted and B<-passin> is not given
a pass phrase will be prompted for.

=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The key input format; the default is B<PEM>.
The only value with effect is B<ENGINE>; all others have become obsolete.
See L<openssl-format-options(1)> for details.

=item B<-passin> I<arg>

The password source for the key input.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-pubin>

By default a private key is read from the input.
With this option only the public components are read.

=back

=head2 Output options

=over 4

=item B<-out> I<filename>

This specifies the output filename to save the encoded and/or text output of key
or standard output if this option is not specified.
If any cipher option is set but no B<-passout> is given
then a pass phrase will be prompted for.
The output filename should B<not> be the same as the input filename.

=item B<-outform> B<DER>|B<PEM>

The key output format; the default is B<PEM>.
See L<openssl-format-options(1)> for details.

=item B<-I<cipher>>

Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
Encryption is not supported for DER output.

=item B<-passout> I<arg>

The password source for the output file.

For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-traditional>

Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.

=item B<-pubout>

By default the encoded private and public key is output;
this option restricts the encoded output to the public components.
This option is automatically set if the input is a public key.

=item B<-noout>

Do not output the key in encoded form.

=item B<-text>

Output the various key components in plain text
(possibly in addition to the PEM encoded form).
This cannot be combined with encoded output in DER format.

=item B<-text_pub>

Output in text form only the public key components (also for private keys).
This cannot be combined with encoded output in DER format.

=item B<-ec_conv_form> I<arg>

This option only applies to elliptic-curve based keys.

This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
value), B<uncompressed> and B<hybrid>. For more information regarding
the point conversion forms please read the X9.62 standard.
B<Note> Due to patent issues the B<compressed> option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.

=item B<-ec_param_enc> I<arg>

This option only applies to elliptic curve based public and private keys.

This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by an OID, or B<explicit> where the ec parameters are
explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
is currently not implemented in OpenSSL.

=back

=head1 EXAMPLES

To remove the pass phrase on a private key:

 openssl pkey -in key.pem -out keyout.pem

To encrypt a private key using triple DES:

 openssl pkey -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

 openssl pkey -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

 openssl pkey -in key.pem -text -noout

To print out the public components of a private key to standard output:

 openssl pkey -in key.pem -text_pub -noout

To just output the public part of a private key:

 openssl pkey -in key.pem -pubout -out pubkey.pem

To change the EC parameters encoding to B<explicit>:

 openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem

To change the EC point conversion form to B<compressed>:

 openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-genpkey(1)>,
L<openssl-rsa(1)>,
L<openssl-pkcs8(1)>,
L<openssl-dsa(1)>,
L<openssl-genrsa(1)>,
L<openssl-gendsa(1)>

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
49131a7d DSH	1	=pod
49131a7d DSH	2
018aaeb4 RS	3	=begin comment
	4	{- join("\n", @autowarntext) -}
	5
	6	=end comment
	7
49131a7d DSH	8	=head1 NAME
49131a7d DSH	9
4b537191	10	openssl-pkey - public or private key processing command
49131a7d DSH	11
	12	=head1 SYNOPSIS
	13
	14	B<openssl> B<pkey>
169394d4	15	[B<-help>]
1f7643e8 DDO	16	{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
	17	[B<-check>]
	18	[B<-pubcheck>]
f91d003a	19	[B<-in> I<filename>\|I<uri>]
1f7643e8	20	[B<-inform> B<DER>\|B<PEM>\|B<P12>\|B<ENGINE>]
e8769719	21	[B<-passin> I<arg>]
1f7643e8	22	[B<-pubin>]
e8769719	23	[B<-out> I<filename>]
1f7643e8 DDO	24	[B<-outform> B<DER>\|B<PEM>]
1f7643e8 DDO	25	[B<-I<cipher>>]
e8769719	26	[B<-passout> I<arg>]
05dba815	27	[B<-traditional>]
49131a7d	28	[B<-pubout>]
1f7643e8	29	[B<-noout>]
1f7643e8	30	[B<-text>]
046a7aaa	31	[B<-text_pub>]
92fee421 P	32	[B<-ec_conv_form> I<arg>]
92fee421 P	33	[B<-ec_param_enc> I<arg>]
49131a7d	34
9f3c076b	35	=for openssl ifdef engine
1738c0ce	36
49131a7d DSH	37	=head1 DESCRIPTION
49131a7d DSH	38
35a810bb	39	This command processes public or private keys. They can be
1f7643e8	40	converted between various forms and their components printed.
49131a7d	41
3dfda1a6	42	=head1 OPTIONS
49131a7d	43
1f7643e8 DDO	44	=head2 General options
1f7643e8 DDO	45
49131a7d DSH	46	=over 4
49131a7d DSH	47
169394d4 MR	48	=item B<-help>
	49
	50	Print out a usage message.
	51
1f7643e8 DDO	52	{- $OpenSSL::safe::opt_engine_item -}
	53
	54	{- $OpenSSL::safe::opt_provider_item -}
	55
	56	=item B<-check>
	57
	58	This option checks the consistency of a key pair for both public and private
	59	components.
	60
	61	=item B<-pubcheck>
	62
	63	This option checks the correctness of either a public key
	64	or the public component of a key pair.
	65
	66	=back
	67
	68	=head2 Input options
	69
	70	=over 4
	71
	72	=item B<-in> I<filename>\|I<uri>
	73
	74	This specifies the input to read a key from
	75	or standard input if this option is not specified.
046a7aaa	76	If the key input is encrypted and B<-passin> is not given
1f7643e8 DDO	77	a pass phrase will be prompted for.
1f7643e8 DDO	78
6d382c74	79	=item B<-inform> B<DER>\|B<PEM>\|B<P12>\|B<ENGINE>
49131a7d	80
6d382c74 DDO	81	The key input format; the default is B<PEM>.
6d382c74 DDO	82	The only value with effect is B<ENGINE>; all others have become obsolete.
46949153	83	See L<openssl-format-options(1)> for details.
6d382c74	84
1f7643e8	85	=item B<-passin> I<arg>
6d382c74	86
1f7643e8	87	The password source for the key input.
49131a7d	88
1f7643e8 DDO	89	For more information about the format of B<arg>
1f7643e8 DDO	90	see L<openssl-passphrase-options(1)>.
49131a7d	91
1f7643e8	92	=item B<-pubin>
49131a7d	93
046a7aaa DDO	94	By default a private key is read from the input.
046a7aaa DDO	95	With this option only the public components are read.
49131a7d	96
1f7643e8	97	=back
475d1002	98
1f7643e8 DDO	99	=head2 Output options
	100
	101	=over 4
49131a7d	102
e8769719	103	=item B<-out> I<filename>
49131a7d	104
046a7aaa	105	This specifies the output filename to save the encoded and/or text output of key
1f7643e8	106	or standard output if this option is not specified.
046a7aaa	107	If any cipher option is set but no B<-passout> is given
1f7643e8 DDO	108	then a pass phrase will be prompted for.
1f7643e8 DDO	109	The output filename should B<not> be the same as the input filename.
49131a7d	110
1f7643e8	111	=item B<-outform> B<DER>\|B<PEM>
05dba815	112
1f7643e8 DDO	113	The key output format; the default is B<PEM>.
1f7643e8 DDO	114	See L<openssl-format-options(1)> for details.
05dba815	115
8dc57d76	116	=item B<-I<cipher>>
49131a7d	117
046a7aaa	118	Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
1f7643e8	119	name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
046a7aaa	120	Encryption is not supported for DER output.
49131a7d	121
1f7643e8	122	=item B<-passout> I<arg>
49131a7d	123
1f7643e8	124	The password source for the output file.
49131a7d	125
1f7643e8 DDO	126	For more information about the format of B<arg>
1f7643e8 DDO	127	see L<openssl-passphrase-options(1)>.
49131a7d	128
1f7643e8	129	=item B<-traditional>
49131a7d	130
1f7643e8 DDO	131	Normally a private key is written using standard format: this is PKCS#8 form
	132	with the appropriate encryption algorithm (if any). If the B<-traditional>
	133	option is specified then the older "traditional" format is used instead.
49131a7d	134
1f7643e8	135	=item B<-pubout>
49131a7d	136
046a7aaa DDO	137	By default the encoded private and public key is output;
046a7aaa DDO	138	this option restricts the encoded output to the public components.
1f7643e8	139	This option is automatically set if the input is a public key.
49131a7d	140
1f7643e8	141	=item B<-noout>
49131a7d	142
046a7aaa	143	Do not output the key in encoded form.
49131a7d	144
1f7643e8	145	=item B<-text>
2aee35d3	146
046a7aaa DDO	147	Output the various key components in plain text
	148	(possibly in addition to the PEM encoded form).
	149	This cannot be combined with encoded output in DER format.
2aee35d3	150
1f7643e8	151	=item B<-text_pub>
b0004708	152
046a7aaa DDO	153	Output in text form only the public key components (also for private keys).
046a7aaa DDO	154	This cannot be combined with encoded output in DER format.
b0004708	155
92fee421 P	156	=item B<-ec_conv_form> I<arg>
92fee421 P	157
1f7643e8	158	This option only applies to elliptic-curve based keys.
92fee421 P	159
	160	This specifies how the points on the elliptic curve are converted
	161	into octet strings. Possible values are: B<compressed> (the default
	162	value), B<uncompressed> and B<hybrid>. For more information regarding
	163	the point conversion forms please read the X9.62 standard.
	164	B<Note> Due to patent issues the B<compressed> option is disabled
	165	by default for binary curves and can be enabled by defining
	166	the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
	167
	168	=item B<-ec_param_enc> I<arg>
	169
	170	This option only applies to elliptic curve based public and private keys.
	171
	172	This specifies how the elliptic curve parameters are encoded.
	173	Possible value are: B<named_curve>, i.e. the ec parameters are
	174	specified by an OID, or B<explicit> where the ec parameters are
	175	explicitly given (see RFC 3279 for the definition of the
	176	EC parameters structures). The default value is B<named_curve>.
	177	B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
	178	is currently not implemented in OpenSSL.
	179
49131a7d DSH	180	=back
	181
	182	=head1 EXAMPLES
	183
35eb4588	184	To remove the pass phrase on a private key:
49131a7d DSH	185
	186	openssl pkey -in key.pem -out keyout.pem
	187
	188	To encrypt a private key using triple DES:
	189
	190	openssl pkey -in key.pem -des3 -out keyout.pem
	191
1bc74519	192	To convert a private key from PEM to DER format:
49131a7d DSH	193
	194	openssl pkey -in key.pem -outform DER -out keyout.der
	195
	196	To print out the components of a private key to standard output:
	197
	198	openssl pkey -in key.pem -text -noout
	199
	200	To print out the public components of a private key to standard output:
	201
	202	openssl pkey -in key.pem -text_pub -noout
	203
	204	To just output the public part of a private key:
	205
	206	openssl pkey -in key.pem -pubout -out pubkey.pem
	207
92fee421 P	208	To change the EC parameters encoding to B<explicit>:
	209
	210	openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
	211
	212	To change the EC point conversion form to B<compressed>:
	213
	214	openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
	215
49131a7d DSH	216	=head1 SEE ALSO
49131a7d DSH	217
b6b66573 DMSP	218	L<openssl(1)>,
	219	L<openssl-genpkey(1)>,
	220	L<openssl-rsa(1)>,
	221	L<openssl-pkcs8(1)>,
	222	L<openssl-dsa(1)>,
	223	L<openssl-genrsa(1)>,
	224	L<openssl-gendsa(1)>
49131a7d	225
0f221d9c P	226	=head1 HISTORY
	227
	228	The B<-engine> option was deprecated in OpenSSL 3.0.
	229
e2f92610 RS	230	=head1 COPYRIGHT
e2f92610 RS	231
4333b89f	232	Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	233
449040b4	234	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	235	this file except in compliance with the License. You can obtain a copy
	236	in the file LICENSE in the source distribution or at
	237	L<https://www.openssl.org/source/license.html>.
	238
	239	=cut