| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =begin comment
|
|---|
| 4 | {- join("\n", @autowarntext) -}
|
|---|
| 5 |
|
|---|
| 6 | =end comment
|
|---|
| 7 |
|
|---|
| 8 | =head1 NAME
|
|---|
| 9 |
|
|---|
| 10 | openssl-pkey - public or private key processing command
|
|---|
| 11 |
|
|---|
| 12 | =head1 SYNOPSIS
|
|---|
| 13 |
|
|---|
| 14 | B<openssl> B<pkey>
|
|---|
| 15 | [B<-help>]
|
|---|
| 16 | {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
|
|---|
| 17 | [B<-check>]
|
|---|
| 18 | [B<-pubcheck>]
|
|---|
| 19 | [B<-in> I<filename>|I<uri>]
|
|---|
| 20 | [B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
|
|---|
| 21 | [B<-passin> I<arg>]
|
|---|
| 22 | [B<-pubin>]
|
|---|
| 23 | [B<-out> I<filename>]
|
|---|
| 24 | [B<-outform> B<DER>|B<PEM>]
|
|---|
| 25 | [B<-I<cipher>>]
|
|---|
| 26 | [B<-passout> I<arg>]
|
|---|
| 27 | [B<-traditional>]
|
|---|
| 28 | [B<-pubout>]
|
|---|
| 29 | [B<-noout>]
|
|---|
| 30 | [B<-text>]
|
|---|
| 31 | [B<-text_pub>]
|
|---|
| 32 | [B<-ec_conv_form> I<arg>]
|
|---|
| 33 | [B<-ec_param_enc> I<arg>]
|
|---|
| 34 |
|
|---|
| 35 | =head1 DESCRIPTION
|
|---|
| 36 |
|
|---|
| 37 | This command processes public or private keys. They can be
|
|---|
| 38 | converted between various forms and their components printed.
|
|---|
| 39 |
|
|---|
| 40 | =head1 OPTIONS
|
|---|
| 41 |
|
|---|
| 42 | =head2 General options
|
|---|
| 43 |
|
|---|
| 44 | =over 4
|
|---|
| 45 |
|
|---|
| 46 | =item B<-help>
|
|---|
| 47 |
|
|---|
| 48 | Print out a usage message.
|
|---|
| 49 |
|
|---|
| 50 | {- $OpenSSL::safe::opt_engine_item -}
|
|---|
| 51 |
|
|---|
| 52 | {- $OpenSSL::safe::opt_provider_item -}
|
|---|
| 53 |
|
|---|
| 54 | =item B<-check>
|
|---|
| 55 |
|
|---|
| 56 | This option checks the consistency of a key pair for both public and private
|
|---|
| 57 | components.
|
|---|
| 58 |
|
|---|
| 59 | =item B<-pubcheck>
|
|---|
| 60 |
|
|---|
| 61 | This option checks the correctness of either a public key
|
|---|
| 62 | or the public component of a key pair.
|
|---|
| 63 |
|
|---|
| 64 | =back
|
|---|
| 65 |
|
|---|
| 66 | =head2 Input options
|
|---|
| 67 |
|
|---|
| 68 | =over 4
|
|---|
| 69 |
|
|---|
| 70 | =item B<-in> I<filename>|I<uri>
|
|---|
| 71 |
|
|---|
| 72 | This specifies the input to read a key from
|
|---|
| 73 | or standard input if this option is not specified.
|
|---|
| 74 | If the key input is encrypted and B<-passin> is not given
|
|---|
| 75 | a pass phrase will be prompted for.
|
|---|
| 76 |
|
|---|
| 77 | =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
|
|---|
| 78 |
|
|---|
| 79 | The key input format; unspecified by default.
|
|---|
| 80 | See L<openssl-format-options(1)> for details.
|
|---|
| 81 |
|
|---|
| 82 | =item B<-passin> I<arg>
|
|---|
| 83 |
|
|---|
| 84 | The password source for the key input.
|
|---|
| 85 |
|
|---|
| 86 | For more information about the format of B<arg>
|
|---|
| 87 | see L<openssl-passphrase-options(1)>.
|
|---|
| 88 |
|
|---|
| 89 | =item B<-pubin>
|
|---|
| 90 |
|
|---|
| 91 | By default a private key is read from the input.
|
|---|
| 92 | With this option only the public components are read.
|
|---|
| 93 |
|
|---|
| 94 | =back
|
|---|
| 95 |
|
|---|
| 96 | =head2 Output options
|
|---|
| 97 |
|
|---|
| 98 | =over 4
|
|---|
| 99 |
|
|---|
| 100 | =item B<-out> I<filename>
|
|---|
| 101 |
|
|---|
| 102 | This specifies the output filename to save the encoded and/or text output of key
|
|---|
| 103 | or standard output if this option is not specified.
|
|---|
| 104 | If any cipher option is set but no B<-passout> is given
|
|---|
| 105 | then a pass phrase will be prompted for.
|
|---|
| 106 | The output filename should B<not> be the same as the input filename.
|
|---|
| 107 |
|
|---|
| 108 | =item B<-outform> B<DER>|B<PEM>
|
|---|
| 109 |
|
|---|
| 110 | The key output format; the default is B<PEM>.
|
|---|
| 111 | See L<openssl-format-options(1)> for details.
|
|---|
| 112 |
|
|---|
| 113 | =item B<-I<cipher>>
|
|---|
| 114 |
|
|---|
| 115 | Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
|
|---|
| 116 | name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
|
|---|
| 117 | Encryption is not supported for DER output.
|
|---|
| 118 |
|
|---|
| 119 | =item B<-passout> I<arg>
|
|---|
| 120 |
|
|---|
| 121 | The password source for the output file.
|
|---|
| 122 |
|
|---|
| 123 | For more information about the format of B<arg>
|
|---|
| 124 | see L<openssl-passphrase-options(1)>.
|
|---|
| 125 |
|
|---|
| 126 | =item B<-traditional>
|
|---|
| 127 |
|
|---|
| 128 | Normally a private key is written using standard format: this is PKCS#8 form
|
|---|
| 129 | with the appropriate encryption algorithm (if any). If the B<-traditional>
|
|---|
| 130 | option is specified then the older "traditional" format is used instead.
|
|---|
| 131 |
|
|---|
| 132 | =item B<-pubout>
|
|---|
| 133 |
|
|---|
| 134 | By default the private and public key is output;
|
|---|
| 135 | this option restricts the output to the public components.
|
|---|
| 136 | This option is automatically set if the input is a public key.
|
|---|
| 137 |
|
|---|
| 138 | When combined with B<-text>, this is equivalent to B<-text_pub>.
|
|---|
| 139 |
|
|---|
| 140 | =item B<-noout>
|
|---|
| 141 |
|
|---|
| 142 | Do not output the key in encoded form.
|
|---|
| 143 |
|
|---|
| 144 | =item B<-text>
|
|---|
| 145 |
|
|---|
| 146 | Output the various key components in plain text
|
|---|
| 147 | (possibly in addition to the PEM encoded form).
|
|---|
| 148 | This cannot be combined with encoded output in DER format.
|
|---|
| 149 |
|
|---|
| 150 | =item B<-text_pub>
|
|---|
| 151 |
|
|---|
| 152 | Output in text form only the public key components (also for private keys).
|
|---|
| 153 | This cannot be combined with encoded output in DER format.
|
|---|
| 154 |
|
|---|
| 155 | =item B<-ec_conv_form> I<arg>
|
|---|
| 156 |
|
|---|
| 157 | This option only applies to elliptic-curve based keys.
|
|---|
| 158 |
|
|---|
| 159 | This specifies how the points on the elliptic curve are converted
|
|---|
| 160 | into octet strings. Possible values are: B<compressed> (the default
|
|---|
| 161 | value), B<uncompressed> and B<hybrid>. For more information regarding
|
|---|
| 162 | the point conversion forms please read the X9.62 standard.
|
|---|
| 163 | B<Note> Due to patent issues the B<compressed> option is disabled
|
|---|
| 164 | by default for binary curves and can be enabled by defining
|
|---|
| 165 | the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
|
|---|
| 166 |
|
|---|
| 167 | =item B<-ec_param_enc> I<arg>
|
|---|
| 168 |
|
|---|
| 169 | This option only applies to elliptic curve based public and private keys.
|
|---|
| 170 |
|
|---|
| 171 | This specifies how the elliptic curve parameters are encoded.
|
|---|
| 172 | Possible value are: B<named_curve>, i.e. the ec parameters are
|
|---|
| 173 | specified by an OID, or B<explicit> where the ec parameters are
|
|---|
| 174 | explicitly given (see RFC 3279 for the definition of the
|
|---|
| 175 | EC parameters structures). The default value is B<named_curve>.
|
|---|
| 176 | B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
|
|---|
| 177 | is currently not implemented in OpenSSL.
|
|---|
| 178 |
|
|---|
| 179 | =back
|
|---|
| 180 |
|
|---|
| 181 | =head1 EXAMPLES
|
|---|
| 182 |
|
|---|
| 183 | To remove the pass phrase on a private key:
|
|---|
| 184 |
|
|---|
| 185 | openssl pkey -in key.pem -out keyout.pem
|
|---|
| 186 |
|
|---|
| 187 | To encrypt a private key using triple DES:
|
|---|
| 188 |
|
|---|
| 189 | openssl pkey -in key.pem -des3 -out keyout.pem
|
|---|
| 190 |
|
|---|
| 191 | To convert a private key from PEM to DER format:
|
|---|
| 192 |
|
|---|
| 193 | openssl pkey -in key.pem -outform DER -out keyout.der
|
|---|
| 194 |
|
|---|
| 195 | To print out the components of a private key to standard output:
|
|---|
| 196 |
|
|---|
| 197 | openssl pkey -in key.pem -text -noout
|
|---|
| 198 |
|
|---|
| 199 | To print out the public components of a private key to standard output:
|
|---|
| 200 |
|
|---|
| 201 | openssl pkey -in key.pem -text_pub -noout
|
|---|
| 202 |
|
|---|
| 203 | To just output the public part of a private key:
|
|---|
| 204 |
|
|---|
| 205 | openssl pkey -in key.pem -pubout -out pubkey.pem
|
|---|
| 206 |
|
|---|
| 207 | To change the EC parameters encoding to B<explicit>:
|
|---|
| 208 |
|
|---|
| 209 | openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
|
|---|
| 210 |
|
|---|
| 211 | To change the EC point conversion form to B<compressed>:
|
|---|
| 212 |
|
|---|
| 213 | openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
|
|---|
| 214 |
|
|---|
| 215 | =head1 SEE ALSO
|
|---|
| 216 |
|
|---|
| 217 | L<openssl(1)>,
|
|---|
| 218 | L<openssl-genpkey(1)>,
|
|---|
| 219 | L<openssl-rsa(1)>,
|
|---|
| 220 | L<openssl-pkcs8(1)>,
|
|---|
| 221 | L<openssl-dsa(1)>,
|
|---|
| 222 | L<openssl-genrsa(1)>,
|
|---|
| 223 | L<openssl-gendsa(1)>
|
|---|
| 224 |
|
|---|
| 225 | =head1 HISTORY
|
|---|
| 226 |
|
|---|
| 227 | The B<-engine> option was deprecated in OpenSSL 3.0.
|
|---|
| 228 |
|
|---|
| 229 | =head1 COPYRIGHT
|
|---|
| 230 |
|
|---|
| 231 | Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 232 |
|
|---|
| 233 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 234 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 235 | in the file LICENSE in the source distribution or at
|
|---|
| 236 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 237 |
|
|---|
| 238 | =cut
|
|---|
