Sync usage with man page.

[netbsd-mini2440.git] / crypto / external / bsd / openssl / lib / libcrypto / man / openssl_genpkey.1

.\"     $NetBSD: libcrypto.pl,v 1.3 2007/11/27 22:16:03 christos Exp $
.\"
.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.el \{\
.    de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "GENPKEY 1"
.TH GENPKEY 1 "2009-04-15" "1.1.0-dev" "OpenSSL"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
genpkey \- generate a private key
.SH "LIBRARY"
libcrypto, -lcrypto
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenpkey\fR
[\fB\-out filename\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-pass arg\fR]
[\fB\-cipher\fR]
[\fB\-engine id\fR]
[\fB\-paramfile file\fR]
[\fB\-algorithm alg\fR]
[\fB\-pkeyopt opt:value\fR]
[\fB\-genparam\fR]
[\fB\-text\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBgenpkey\fR command generates a private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
the output filename. If this argument is not specified then standard output is
used.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format \s-1DER\s0 or \s-1PEM\s0.
.IP "\fB\-pass arg\fR" 4
.IX Item "-pass arg"
the output file password source. For more information about the format of \fBarg\fR
see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
.IP "\fB\-cipher\fR" 4
.IX Item "-cipher"
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
options.
.IP "\fB\-algorithm alg\fR" 4
.IX Item "-algorithm alg"
public key algorithm to use such as \s-1RSA\s0, \s-1DSA\s0 or \s-1DH\s0. If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive.
.IP "\fB\-pkeyopt opt:value\fR" 4
.IX Item "-pkeyopt opt:value"
set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR below for more details.
.IP "\fB\-genparam\fR" 4
.IX Item "-genparam"
generate a set of parameters instead of a private key. If used this option must
precede and \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
.IP "\fB\-paramfile filename\fR" 4
.IX Item "-paramfile filename"
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
algorithm used is determined by the parameters. If used this option must
precede and \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print an (unencrypted) text representation of private and public keys and
parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure.
.SH "KEY GENERATION OPTIONS"
.IX Header "KEY GENERATION OPTIONS"
The options supported by each algorith and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.
.SH "RSA KEY GENERATION OPTIONS"
.IX Header "RSA KEY GENERATION OPTIONS"
.IP "\fBrsa_keygen_bits:numbits\fR" 4
.IX Item "rsa_keygen_bits:numbits"
The number of bits in the generated key. If not specified 1024 is used.
.IP "\fBrsa_keygen_pubexp:value\fR" 4
.IX Item "rsa_keygen_pubexp:value"
The \s-1RSA\s0 public exponent value. This can be a large decimal or
hexadecimal value if preceded by \fB0x\fR. Default value is 65537.
.SH "DSA PARAMETER GENERATION OPTIONS"
.IX Header "DSA PARAMETER GENERATION OPTIONS"
.IP "\fBdsa_paramgen_bits:numbits\fR" 4
.IX Item "dsa_paramgen_bits:numbits"
The number of bits in the generated parameters. If not specified 1024 is used.
.SH "DH PARAMETER GENERATION OPTIONS"
.IX Header "DH PARAMETER GENERATION OPTIONS"
.IP "\fBdh_paramgen_prime_len:numbits\fR" 4
.IX Item "dh_paramgen_prime_len:numbits"
The number of bits in the prime parameter \fBp\fR.
.IP "\fBdh_paramgen_generator:value\fR" 4
.IX Item "dh_paramgen_generator:value"
The value to use for the generator \fBg\fR.
.SH "EC PARAMETER GENERATION OPTIONS"
.IX Header "EC PARAMETER GENERATION OPTIONS"
.IP "\fBec_paramgen_curve:curve\fR" 4
.IX Item "ec_paramgen_curve:curve"
the \s-1EC\s0 curve to use.
.SH "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
.IX Header "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
Gost 2001 support is not enabled by default. To enable this algorithm,
one should load the ccgost engine in the OpenSSL configuration file.
See \s-1README\s0.gost file in the engines/ccgost directiry of the source
distribution for more details.
.PP
Use of a parameter file for the \s-1GOST\s0 R 34.10 algorithm is optional.
Parameters can be specified during key generation directly as well as
during generation of parameter file.
.IP "\fBparamset:name\fR" 4
.IX Item "paramset:name"
Specifies \s-1GOST\s0 R 34.10\-2001 parameter set according to \s-1RFC\s0 4357.
Parameter set can be specified using abbreviated name, object short name or
numeric \s-1OID\s0. Following parameter sets are supported:
.Sp
.Vb 7
\&  paramset   OID               Usage
\&  A          1.2.643.2.2.35.1  Signature
\&  B          1.2.643.2.2.35.2  Signature
\&  C          1.2.643.2.2.35.3  Signature
\&  XA         1.2.643.2.2.36.0  Key exchange
\&  XB         1.2.643.2.2.36.1  Key exchange
\&  test       1.2.643.2.2.35.0  Test purposes
.Ve
.SH "NOTES"
.IX Header "NOTES"
The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms
can be used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Generate an \s-1RSA\s0 private key using default parameters:
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem
.Ve
.PP
Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R":
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello
.Ve
.PP
Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent:
.PP
.Vb 2
\& openssl genpkey \-algorithm RSA \-out key.pem \-pkeyopt rsa_keygen_bits:2048 \e
\&                                                \-pkeyopt rsa_keygen_pubexp:3
.Ve
.PP
Generate 1024 bit \s-1DSA\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e
\&                                                \-pkeyopt dsa_paramgen_bits:1024
.Ve
.PP
Generate \s-1DSA\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
.Ve
.PP
Generate 1024 bit \s-1DH\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
\&                                        \-pkeyopt dh_paramgen_prime_len:1024
.Ve
.PP
Generate \s-1DH\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
.Ve
.SH "POD ERRORS"
.IX Header "POD ERRORS"
Hey! \fBThe above document had some coding errors, which are explained below:\fR
.IP "Around line 117:" 4
.IX Item "Around line 117:"
You forgot a '=back' before '=head1'