LinuxCommandLibrary

pkeyparam.1s

View or generate public key parameters

SYNOPSIS

openssl pkeyparam [-inform DER|PEM] [-outform DER|PEM] [-in filename] [-out filename] [-noout] [-text] [-genkey] [-check] [-dsaparam] [-dsa_generate_prime] [-paramfile file] [-curve name] [-group name] [-pkeyopt opt:value] [-engine id] [-provider name] [-propquery propq]

PARAMETERS

-inform DER|PEM
    Specifies the input format; either DER (binary) or PEM (base64 encoded).

-outform DER|PEM
    Specifies the output format; either DER (binary) or PEM (base64 encoded).

-in filename
    Specifies the input file containing the parameters to be processed.

-out filename
    Specifies the output file to which the processed parameters will be written.

-noout
    Suppresses the output of the encoded parameters. Useful with -text.

-text
    Prints the parameters in human-readable text format.

-genkey
    Generates a private key using the generated parameters (only for DH). Do not confuse with genpkey. Use genpkey instead of this command for key generation.

-check
    Checks the integrity of the parameters.

-dsaparam
    Generates DSA parameters. Note: It is preferred to use a stronger algorithm such as ECDSA.

-dsa_generate_prime
    Generates DSA primes. Can be used together with the -dsaparam flag.

-paramfile file
    Read parameters from the specified file.

-curve name
    Specifies the elliptic curve to use for ECDH or ECDSA.

-group name
    Specifies the named group to use (alias for -curve).

-pkeyopt opt:value
    Sets public key algorithm options.

-engine id
    Specifies the engine to use.

-provider name
    Specifies the provider to use.

-propquery propq
    Specifies the property query to use.

DESCRIPTION

The `pkeyparam` command-line tool, part of the OpenSSL suite, is used to generate, examine, and manipulate parameters for public key algorithms like Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH). It allows users to create parameter files that can be used with other OpenSSL tools, such as `openssl genpkey` or configuration files. The command supports a variety of options to specify the desired parameters, including prime sizes for DH and named curves for ECDH. These parameters are crucial for establishing secure communication channels and are used in various cryptographic protocols like TLS/SSL.

Proper use of `pkeyparam` is essential for ensuring the security of cryptographic operations, as insecure or improperly configured parameters can weaken or break the underlying encryption. The command can also verify the correctness of existing parameter files, which is an important step in maintaining a secure system. The command is similar to `genpkey` but handles parameter generation, not the key generation itself.

EXAMPLES

Generate DH parameters and print them in text format:
openssl genpkey -genparam -algorithm DH -out dhparams.pem
openssl pkeyparam -in dhparams.pem -text -noout

Generate ECDH parameters using the prime256v1 curve:
openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out ecparams.pem

Check the validity of DH parameters:
openssl pkeyparam -in dhparams.pem -check
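
A shell gate built on the -check, -text and -noout options described above, as an added example that is not part of the original page. The helper name `audit_params` and the file names are hypothetical, the two sample files are constructed, and the EC parameters are generated with `openssl genpkey -genparam`.

```shell
#!/bin/sh
# Added example: accept a parameter file only on OpenSSL's own verdict.
# audit_params is a hypothetical helper name, not an OpenSSL command.
audit_params() {
    file=$1
    # -check runs the parameter consistency check; -noout suppresses the
    # encoded parameters so only the verdict is captured.
    if ! verdict=$(openssl pkeyparam -in "$file" -check -noout 2>&1); then
        echo "REJECT unreadable-or-invalid"
        return 1
    fi
    # Do not trust the exit status alone: require the explicit verdict line.
    case $verdict in
        *"Parameters are valid"*) ;;
        *) echo "REJECT not-confirmed"; return 1 ;;
    esac
    # -text prints the human-readable form; extract the named curve if any.
    curve=$(openssl pkeyparam -in "$file" -text -noout 2>/dev/null |
        sed -n 's/^ *ASN1 OID: *//p')
    echo "OK ${curve:-no-named-curve}"
}

# Constructed sample input: one freshly generated EC parameter file and one
# file that is not a PEM parameter file at all.
workdir=$(mktemp -d)
openssl genpkey -genparam -algorithm EC \
    -pkeyopt ec_paramgen_curve:prime256v1 -out "$workdir/ecparams.pem"
echo "this is not a parameter file" > "$workdir/broken.pem"

for f in "$workdir/ecparams.pem" "$workdir/broken.pem"; do
    printf '%s: ' "${f##*/}"
    audit_params "$f" || true
done
rm -rf "$workdir"
```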

SEE ALSO

openssl(1), openssl-genpkey(1), openssl-dhparam(1)
