genpkey.1s

openssl genpkey [-help] [-out filename] [-pass arg] [-cipher alg] [-engine id] [-paramfile file] [-algorithm alg] [-pkeyopt opt:value] [-genparam] [-text] [-noout] [-traditional]

-help
    Display a brief usage summary.

-out filename
    Specify the output filename for the generated key. If not specified, output goes to standard output.

-pass arg
    Specify the password source for encrypting the private key. arg can take several forms detailed in the openssl(1) man page.

-cipher alg
    Encrypt the private key with the specified cipher alg. See openssl enc -ciphers for available algorithms. If not specified, the key is not encrypted.

-engine id
    Specify the engine to use for key generation.

-paramfile file
    Use parameters from file to generate the key. Useful for DSA and DH keys, where pre-generated parameters are often needed.

-algorithm alg
    Specify the algorithm to use for key generation. Common algorithms include RSA, DSA, EC (for Elliptic Curve), Ed25519, and Ed448.

-pkeyopt opt:value
    Specify algorithm-specific options. Available options depend on the chosen algorithm. Use `openssl pkeyparam -help -algorithm alg` to list the options

-genparam
    Only generate parameters, do not generate a key. Useful with algorithms like DH and DSA where the parameters might be reused.

-text
    Print the key in text format.

-noout
    Do not output the key itself. Useful if only parameter generation is desired.

-traditional
    Use a more traditional (less secure) method for generating RSA keys.

The genpkey command generates private keys for use with various cryptographic algorithms. It supports generating keys using different methods, including traditional algorithms like RSA and DSA, as well as Elliptic Curve Cryptography (ECC) based algorithms like ECDSA and Ed25519.

It is a versatile tool often used in scripting and automation for creating key pairs used for encryption, digital signatures, and authentication purposes. The type of key generated and its parameters are controlled by command-line options. The generated key can be output in various formats, such as PEM or DER, allowing for easy integration with other OpenSSL tools and applications. The main advantage is flexibility and the ability to generate a wide variety of private key types from a single tool. It is part of the OpenSSL suite of command-line tools.

Common use cases involve preparing secure communication channels (TLS/SSL), generating keys for code signing, and setting up secure authentication schemes.

When generating private keys, it's crucial to ensure the system's entropy source is sufficient to produce truly random numbers. Weak entropy can lead to predictable keys that are easily compromised. Use strong passwords for encrypting the key when possible. Back up your keys in a secure location. Use of strong algorithms like Ed25519 or RSA with appropriate key sizes are recommended. Avoid the -traditional option for RSA unless compatibility dictates.

For ECC algorithms, the curve to use can be specified with the `-pkeyopt ec_paramgen_curve:curve_name` option (e.g., `-pkeyopt ec_paramgen_curve:P-256`). Common curves include `P-256`, `P-384`, and `P-521`. Ed25519 and Ed448 do not require a specific curve option. Example: `openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out key.pem`

RSA keys can specify the key size with the `-pkeyopt rsa_keygen_bits:bits` option, where bits is the desired key length in bits (e.g., `-pkeyopt rsa_keygen_bits:2048`). Larger key sizes offer greater security but require more computational resources. A minimum of 2048 bits is highly recommended. Example: `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out key.pem`

openssl(1), openssl-pkey(1), openssl-req(1)