Home | History | Annotate | Line # | Download | only in man1 
      1 =pod
      2 
      3 =begin comment
      4 {- join("\n", @autowarntext) -}
      5 
      6 =end comment
      7 
      8 =head1 NAME
      9 
     10 openssl-pkey - public or private key processing command
     11 
     12 =head1 SYNOPSIS
     13 
     14 B<openssl> B<pkey>
     15 [B<-help>]
     16 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
     17 [B<-check>]
     18 [B<-pubcheck>]
     19 [B<-in> I<filename>|I<uri>]
     20 [B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
     21 [B<-passin> I<arg>]
     22 [B<-pubin>]
     23 [B<-out> I<filename>]
     24 [B<-outform> B<DER>|B<PEM>]
     25 [B<-I<cipher>>]
     26 [B<-passout> I<arg>]
     27 [B<-traditional>]
     28 [B<-pubout>]
     29 [B<-noout>]
     30 [B<-text>]
     31 [B<-text_pub>]
     32 [B<-ec_conv_form> I<arg>]
     33 [B<-ec_param_enc> I<arg>]
     34 
     35 =head1 DESCRIPTION
     36 
     37 This command processes public or private keys. They can be
     38 converted between various forms and their components printed.
     39 
     40 =head1 OPTIONS
     41 
     42 =head2 General options
     43 
     44 =over 4
     45 
     46 =item B<-help>
     47 
     48 Print out a usage message.
     49 
     50 {- $OpenSSL::safe::opt_engine_item -}
     51 
     52 {- $OpenSSL::safe::opt_provider_item -}
     53 
     54 =item B<-check>
     55 
     56 This option checks the consistency of a key pair for both public and private
     57 components.
     58 
     59 =item B<-pubcheck>
     60 
     61 This option checks the correctness of either a public key
     62 or the public component of a key pair.
     63 
     64 =back
     65 
     66 =head2 Input options
     67 
     68 =over 4
     69 
     70 =item B<-in> I<filename>|I<uri>
     71 
     72 This specifies the input to read a key from
     73 or standard input if this option is not specified.
     74 If the key input is encrypted and B<-passin> is not given
     75 a pass phrase will be prompted for.
     76 
     77 =item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
     78 
     79 The key input format; unspecified by default.
     80 See L<openssl-format-options(1)> for details.
     81 
     82 =item B<-passin> I<arg>
     83 
     84 The password source for the key input.
     85 
     86 For more information about the format of B<arg>
     87 see L<openssl-passphrase-options(1)>.
     88 
     89 =item B<-pubin>
     90 
     91 By default a private key is read from the input.
     92 With this option only the public components are read.
     93 
     94 =back
     95 
     96 =head2 Output options
     97 
     98 =over 4
     99 
    100 =item B<-out> I<filename>
    101 
    102 This specifies the output filename to save the encoded and/or text output of key
    103 or standard output if this option is not specified.
    104 If any cipher option is set but no B<-passout> is given
    105 then a pass phrase will be prompted for.
    106 The output filename should B<not> be the same as the input filename.
    107 
    108 =item B<-outform> B<DER>|B<PEM>
    109 
    110 The key output format; the default is B<PEM>.
    111 See L<openssl-format-options(1)> for details.
    112 
    113 =item B<-I<cipher>>
    114 
    115 Encrypt the PEM encoded private key with the supplied cipher. Any algorithm
    116 name accepted by EVP_get_cipherbyname() is acceptable such as B<aes128>.
    117 Encryption is not supported for DER output.
    118 
    119 =item B<-passout> I<arg>
    120 
    121 The password source for the output file.
    122 
    123 For more information about the format of B<arg>
    124 see L<openssl-passphrase-options(1)>.
    125 
    126 =item B<-traditional>
    127 
    128 Normally a private key is written using standard format: this is PKCS#8 form
    129 with the appropriate encryption algorithm (if any). If the B<-traditional>
    130 option is specified then the older "traditional" format is used instead.
    131 
    132 =item B<-pubout>
    133 
    134 By default the private and public key is output;
    135 this option restricts the output to the public components.
    136 This option is automatically set if the input is a public key.
    137 
    138 When combined with B<-text>, this is equivalent to B<-text_pub>.
    139 
    140 =item B<-noout>
    141 
    142 Do not output the key in encoded form.
    143 
    144 =item B<-text>
    145 
    146 Output the various key components in plain text
    147 (possibly in addition to the PEM encoded form).
    148 This cannot be combined with encoded output in DER format.
    149 
    150 =item B<-text_pub>
    151 
    152 Output in text form only the public key components (also for private keys).
    153 This cannot be combined with encoded output in DER format.
    154 
    155 =item B<-ec_conv_form> I<arg>
    156 
    157 This option only applies to elliptic-curve based keys.
    158 
    159 This specifies how the points on the elliptic curve are converted
    160 into octet strings. Possible values are: B<compressed> (the default
    161 value), B<uncompressed> and B<hybrid>. For more information regarding
    162 the point conversion forms please read the X9.62 standard.
    163 B<Note> Due to patent issues the B<compressed> option is disabled
    164 by default for binary curves and can be enabled by defining
    165 the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
    166 
    167 =item B<-ec_param_enc> I<arg>
    168 
    169 This option only applies to elliptic curve based public and private keys.
    170 
    171 This specifies how the elliptic curve parameters are encoded.
    172 Possible value are: B<named_curve>, i.e. the ec parameters are
    173 specified by an OID, or B<explicit> where the ec parameters are
    174 explicitly given (see RFC 3279 for the definition of the
    175 EC parameters structures). The default value is B<named_curve>.
    176 B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
    177 is currently not implemented in OpenSSL.
    178 
    179 =back
    180 
    181 =head1 EXAMPLES
    182 
    183 To remove the pass phrase on a private key:
    184 
    185  openssl pkey -in key.pem -out keyout.pem
    186 
    187 To encrypt a private key using triple DES:
    188 
    189  openssl pkey -in key.pem -des3 -out keyout.pem
    190 
    191 To convert a private key from PEM to DER format:
    192 
    193  openssl pkey -in key.pem -outform DER -out keyout.der
    194 
    195 To print out the components of a private key to standard output:
    196 
    197  openssl pkey -in key.pem -text -noout
    198 
    199 To print out the public components of a private key to standard output:
    200 
    201  openssl pkey -in key.pem -text_pub -noout
    202 
    203 To just output the public part of a private key:
    204 
    205  openssl pkey -in key.pem -pubout -out pubkey.pem
    206 
    207 To change the EC parameters encoding to B<explicit>:
    208 
    209  openssl pkey -in key.pem -ec_param_enc explicit -out keyout.pem
    210 
    211 To change the EC point conversion form to B<compressed>:
    212 
    213  openssl pkey -in key.pem -ec_conv_form compressed -out keyout.pem
    214 
    215 =head1 SEE ALSO
    216 
    217 L<openssl(1)>,
    218 L<openssl-genpkey(1)>,
    219 L<openssl-rsa(1)>,
    220 L<openssl-pkcs8(1)>,
    221 L<openssl-dsa(1)>,
    222 L<openssl-genrsa(1)>,
    223 L<openssl-gendsa(1)>
    224 
    225 =head1 HISTORY
    226 
    227 The B<-engine> option was deprecated in OpenSSL 3.0.
    228 
    229 =head1 COPYRIGHT
    230 
    231 Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
    232 
    233 Licensed under the Apache License 2.0 (the "License").  You may not use
    234 this file except in compliance with the License.  You can obtain a copy
    235 in the file LICENSE in the source distribution or at
    236 L<https://www.openssl.org/source/license.html>.
    237 
    238 =cut
    239