From 49131a7d942d85bc3a8d649e23ff14f0da18ee4c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 8 Jul 2006 00:24:47 +0000 Subject: [PATCH] Docs for new utilities. --- doc/apps/genpkey.pod | 171 +++++++++++++++++++++++++++++++++++++++++++ doc/apps/pkey.pod | 135 ++++++++++++++++++++++++++++++++++ doc/apps/req.pod | 16 +++- 3 files changed, 320 insertions(+), 2 deletions(-) create mode 100644 doc/apps/genpkey.pod create mode 100644 doc/apps/pkey.pod diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod new file mode 100644 index 0000000000..b6f5fe1b10 --- /dev/null +++ b/doc/apps/genpkey.pod @@ -0,0 +1,171 @@ +=pod + +=head1 NAME + +genpkey - generate a private key + +=head1 SYNOPSIS + +B B +[B<-out filename>] +[B<-outform PEM|DER>] +[B<-pass arg>] +[B<-cipher>] +[B<-engine id>] +[B<-paramfile file>] +[B<-algorithm alg>] +[B<-pkeyopt opt:value>] +[B<-genparam>] +[B<-text>] + +=head1 DESCRIPTION + +The B command generates a private key. + +=head1 OPTIONS + +=over 4 + +=item B<-out filename> + +the output filename. If this argument is not specified then standard output is +used. + +=item B<-outform DER|PEM> + +This specifies the output format DER or PEM. + +=item B<-pass arg> + +the output file password source. For more information about the format of B +see the B section in L. + +=item B<-cipher> + +These options encrypt the private key with the supplied cipher. Any algorithm +name accepted by EVP_get_cipherbyname() is acceptable such as B. + +=item B<-engine id> + +specifying an engine (by it's unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + +=item B<-algorithm alg> + +public key algorithm to use such as RSA, DSA or DH. + +=item B<-pkeyopt opt:value> + +set the public key algorithm option B to B. The precise set of +options supported depends on the public key algorithm used and its +implementation. See B below for more details. + +=item B<-genparam> + +generate a set of parameters instead of a private key. + +=item B<-paramfile filename> + +Some public key algorithms generate a private key based on a set of parameters. +They can be supplied using this option. If this option is used the public +key algorithm used is determined by the parameters. + +=back + +=head1 KEY GENERATION OPTIONS + +The options supported by each algorith and indeed each implementation of an +algorithm can vary. The options for the OpenSSL implementations are detailed +below. + +=head1 RSA KEY GENERATION OPTIONS + +=over 4 + +=item B + +The number of bits in the generated key. If not specified 1024 is used. + +=item B + +The RSA public exponent value. This can be a large decimal or +hexadecimal value if preceded by B<0x>. Default value is 65537. + +=back + +=head1 DSA PARAMETER GENERATION OPTIONS + +=over 4 + +=item B + +The number of bits in the generated parameters. If not specified 1024 is used. + +=head1 DH PARAMETER GENERATION OPTIONS + +=over 4 + +=item B + +The number of bits in the prime parameter B

. + +=item B + +The value to use for the generator B. + +=back + +=head1 EC PARAMETER GENERATION OPTIONS + +=over 4 + +=item B + +the EC curve to use. + +=back + +=head1 NOTES + +The use of the genpkey program is encouraged over the algorithm specific +utilities because additional algorithm options and ENGINE provided algorithms +can be used. + +=head1 EXAMPLES + +Generate an RSA private key using default parameters: + + openssl genpkey -algoritm RSA -out key.pem + +Encrypt output private key using 128 bit AES and the passphrase "hello": + + openssl genpkey -algoritm RSA -out key.pem -aes-128-cbc -pass pass:hello + +Generate a 2048 bit RSA key using 3 as the public exponent: + + openssl genpkey -algoritm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \ + -pkeyopt rsa_keygen_pubexp:3 + +Generate 1024 bit DSA parameters: + + openssl genpkey -genparam -algorithm DSA -out dsap.pem \ + -pkeyopt dsa_paramgen_bits:1024 + +Generate DSA key from parameters: + + openssl genpkey -paramfile dsap.pem -out dsakey.pem + +Generate 1024 bit DH parameters: + + openssl genpkey -genparam -algorithm DH -out dhp.pem \ + -pkeyopt dh_paramgen_prime_len:1024 + +Generate DH key from parameters: + + openssl genpkey -paramfile dhp.pem -out dhkey.pem + + +=cut + diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod new file mode 100644 index 0000000000..6bd1fc1ba4 --- /dev/null +++ b/doc/apps/pkey.pod @@ -0,0 +1,135 @@ + +=pod + +=head1 NAME + +pkey - public or private key processing tool + +=head1 SYNOPSIS + +B B +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] +[B<-in filename>] +[B<-passin arg>] +[B<-out filename>] +[B<-passout arg>] +[B<-cipher>] +[B<-text>] +[B<-text_pub>] +[B<-noout>] +[B<-pubin>] +[B<-pubout>] +[B<-engine id>] + +=head1 DESCRIPTION + +The B command processes public or private keys. They can be converted +between various forms and their components printed out. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B<-inform DER|PEM> + +This specifies the input format DER or PEM. + +=item B<-outform DER|PEM> + +This specifies the output format, the options have the same meaning as the +B<-inform> option. + +=item B<-in filename> + +This specifies the input filename to read a key from or standard input if this +option is not specified. If the key is encrypted a pass phrase will be +prompted for. + +=item B<-passin arg> + +the input file password source. For more information about the format of B +see the B section in L. + +=item B<-out filename> + +This specifies the output filename to write a key to or standard output if this +option is not specified. If any encryption options are set then a pass phrase +will be prompted for. The output filename should B be the same as the input +filename. + +=item B<-passout password> + +the output file password source. For more information about the format of B +see the B section in L. + +=item B<-cipher> + +These options encrypt the private key with the supplied cipher. Any algorithm +name accepted by EVP_get_cipherbyname() is acceptable such as B. + +=item B<-text> + +prints out the various public or private key components in +plain text in addition to the encoded version. + +=item B<-text_pub> + +print out only public key components even if a private key is being processed. + +=item B<-noout> + +do not output the encoded version of the key. + +=item B<-pubin> + +by default a private key is read from the input file: with this +option a public key is read instead. + +=item B<-pubout> + +by default a private key is output: with this option a public +key will be output instead. This option is automatically set if +the input is a public key. + +=item B<-engine id> + +specifying an engine (by it's unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + +=back + +=head1 EXAMPLES + +To remove the pass phrase on an RSA private key: + + openssl pkey -in key.pem -out keyout.pem + +To encrypt a private key using triple DES: + + openssl pkey -in key.pem -des3 -out keyout.pem + +To convert a private key from PEM to DER format: + + openssl pkey -in key.pem -outform DER -out keyout.der + +To print out the components of a private key to standard output: + + openssl pkey -in key.pem -text -noout + +To print out the public components of a private key to standard output: + + openssl pkey -in key.pem -text_pub -noout + +To just output the public part of a private key: + + openssl pkey -in key.pem -pubout -out pubkey.pem + +=head1 SEE ALSO + +L, L, L, +L, L, L + +=cut diff --git a/doc/apps/req.pod b/doc/apps/req.pod index 82b565c9d4..65584d1de2 100644 --- a/doc/apps/req.pod +++ b/doc/apps/req.pod @@ -23,6 +23,7 @@ B B [B<-rand file(s)>] [B<-newkey rsa:bits>] [B<-newkey dsa:file>] +[B<-newkey alg:file>] [B<-nodes>] [B<-key filename>] [B<-keyform PEM|DER>] @@ -129,10 +130,21 @@ all others. =item B<-newkey arg> this option creates a new certificate request and a new private -key. The argument takes one of two forms. B, where +key. The argument takes one of several forms. B, where B is the number of bits, generates an RSA key B in size. B generates a DSA key using the parameters -in the file B. +in the file B. B generates a key using the +parameter file B, the algorithm is determined by the +parameters. B use algorithm B and parameter file +B the two algorithms must match or an error occurs. B just +uses algorithm B. + +=item B<-pkeyopt opt:value> + +set the public key algorithm option B to B. The precise set of +options supported depends on the public key algorithm used and its +implementation. See B in the B manual page +for more details. =item B<-key filename> -- 2.25.1