xref: /openssl/doc/man1/openssl-ec.pod.in (revision da1c088f)
1=pod
2
3=begin comment
4{- join("\n", @autowarntext) -}
5
6=end comment
7
8=head1 NAME
9
10openssl-ec - EC key processing
11
12=head1 SYNOPSIS
13
14B<openssl> B<ec>
15[B<-help>]
16[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
17[B<-outform> B<DER>|B<PEM>]
18[B<-in> I<filename>|I<uri>]
19[B<-passin> I<arg>]
20[B<-out> I<filename>]
21[B<-passout> I<arg>]
22[B<-des>]
23[B<-des3>]
24[B<-idea>]
25[B<-text>]
26[B<-noout>]
27[B<-param_out>]
28[B<-pubin>]
29[B<-pubout>]
30[B<-conv_form> I<arg>]
31[B<-param_enc> I<arg>]
32[B<-no_public>]
33[B<-check>]
34{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
35
36=head1 DESCRIPTION
37
38The L<openssl-ec(1)> command processes EC keys. They can be converted between
39various forms and their components printed out. B<Note> OpenSSL uses the
40private key format specified in 'SEC 1: Elliptic Curve Cryptography'
41(http://www.secg.org/). To convert an OpenSSL EC private key into the
42PKCS#8 private key format use the L<openssl-pkcs8(1)> command.
43
44=head1 OPTIONS
45
46=over 4
47
48=item B<-help>
49
50Print out a usage message.
51
52=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
53
54The key input format; unspecified by default.
55See L<openssl-format-options(1)> for details.
56
57=item B<-outform> B<DER>|B<PEM>
58
59The key output format; the default is B<PEM>.
60See L<openssl-format-options(1)> for details.
61
62Private keys are an SEC1 private key or PKCS#8 format.
63Public keys are a B<SubjectPublicKeyInfo> as specified in IETF RFC 3280.
64
65=item B<-in> I<filename>|I<uri>
66
67This specifies the input to read a key from or standard input if this
68option is not specified. If the key is encrypted a pass phrase will be
69prompted for.
70
71=item B<-out> I<filename>
72
73This specifies the output filename to write a key to or standard output by
74is not specified. If any encryption options are set then a pass phrase will be
75prompted for. The output filename should B<not> be the same as the input
76filename.
77
78=item B<-passin> I<arg>, B<-passout> I<arg>
79
80The password source for the input and output file.
81For more information about the format of B<arg>
82see L<openssl-passphrase-options(1)>.
83
84=item B<-des>|B<-des3>|B<-idea>
85
86These options encrypt the private key with the DES, triple DES, IDEA or
87any other cipher supported by OpenSSL before outputting it. A pass phrase is
88prompted for.
89If none of these options is specified the key is written in plain text. This
90means that using this command to read in an encrypted key with no
91encryption option can be used to remove the pass phrase from a key, or by
92setting the encryption options it can be use to add or change the pass phrase.
93These options can only be used with PEM format output files.
94
95=item B<-text>
96
97Prints out the public, private key components and parameters.
98
99=item B<-noout>
100
101This option prevents output of the encoded version of the key.
102
103=item B<-param_out>
104
105Print the elliptic curve parameters.
106
107=item B<-pubin>
108
109By default a private key is read from the input.
110With this option a public key is read instead.
111If the input contains no public key but a private key, its public part is used.
112
113=item B<-pubout>
114
115By default a private key is output. With this option a public
116key will be output instead. This option is automatically set if the input is
117a public key.
118
119=item B<-conv_form> I<arg>
120
121This specifies how the points on the elliptic curve are converted
122into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
123default value) and B<hybrid>. For more information regarding
124the point conversion forms please read the X9.62 standard.
125B<Note> Due to patent issues the B<compressed> option is disabled
126by default for binary curves and can be enabled by defining
127the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
128
129=item B<-param_enc> I<arg>
130
131This specifies how the elliptic curve parameters are encoded.
132Possible value are: B<named_curve>, i.e. the ec parameters are
133specified by an OID, or B<explicit> where the ec parameters are
134explicitly given (see RFC 3279 for the definition of the
135EC parameters structures). The default value is B<named_curve>.
136B<Note> the B<implicitlyCA> alternative, as specified in RFC 3279,
137is currently not implemented in OpenSSL.
138
139=item B<-no_public>
140
141This option omits the public key components from the private key output.
142
143=item B<-check>
144
145This option checks the consistency of an EC private or public key.
146
147{- $OpenSSL::safe::opt_engine_item -}
148
149{- $OpenSSL::safe::opt_provider_item -}
150
151=back
152
153The L<openssl-pkey(1)> command is capable of performing all the operations
154this command can, as well as supporting other public key types.
155
156=head1 EXAMPLES
157
158The documentation for the L<openssl-pkey(1)> command contains examples
159equivalent to the ones listed here.
160
161To encrypt a private key using triple DES:
162
163 openssl ec -in key.pem -des3 -out keyout.pem
164
165To convert a private key from PEM to DER format:
166
167 openssl ec -in key.pem -outform DER -out keyout.der
168
169To print out the components of a private key to standard output:
170
171 openssl ec -in key.pem -text -noout
172
173To just output the public part of a private key:
174
175 openssl ec -in key.pem -pubout -out pubkey.pem
176
177To change the parameters encoding to B<explicit>:
178
179 openssl ec -in key.pem -param_enc explicit -out keyout.pem
180
181To change the point conversion form to B<compressed>:
182
183 openssl ec -in key.pem -conv_form compressed -out keyout.pem
184
185=head1 SEE ALSO
186
187L<openssl(1)>,
188L<openssl-pkey(1)>,
189L<openssl-ecparam(1)>,
190L<openssl-dsa(1)>,
191L<openssl-rsa(1)>
192
193=head1 HISTORY
194
195The B<-engine> option was deprecated in OpenSSL 3.0.
196
197The B<-conv_form> and B<-no_public> options are no longer supported
198with keys loaded from an engine in OpenSSL 3.0.
199
200=head1 COPYRIGHT
201
202Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.
203
204Licensed under the Apache License 2.0 (the "License").  You may not use
205this file except in compliance with the License.  You can obtain a copy
206in the file LICENSE in the source distribution or at
207L<https://www.openssl.org/source/license.html>.
208
209=cut
210