PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl genpkey -algorithm EC" - EC Private Key
This section describes the 'openssl genpkey -algorithm EC' command, which generates an EC private/public key pair. It replaces the old 'openssl ecparam -genkey' command.
EC (Elliptic-Curve) algorithm provides a new approach to private/public key cryptography based on the algebraic structure of elliptic curves over finite fields. It allows smaller keys to provide equivalent security, compared to RSA algorithm. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985.
You can generate private/public key pairs using the "openssl genpkey -algorithm EC" command as shown in this tutorial.
1. Generate an EC private/public key pair using the "secp384r1" curve.
herong$ openssl genpkey -algorithm EC -out key.pem \
    -pkeyopt ec_paramgen_curve:secp384r1
2. Look at the generated key file. It is written in PEM format. The "PRIVATE KEY" label means an unencrypted PKCS#8 container; the EC private key structure inside it carries the private scalar and the public point, so both the private key and the public key are included in the file even though it is marked as "PRIVATE KEY".
herong$ more key.pem
-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDNtgXxvPMawxT8qrte
LLZP3V5yExTcgsNIG06geKHfvY6VMr6UcJmkeTrmk+xHIS2hZANiAAR9BX24vKCu
B9g7ELdXLxjLBZpWHPJS2iY7Cs6XRpTdTe0X4LHz+gRple5DadQ+s52DE8Fnjh5j
gqMb5Q/VOq+5DnFkuYh7VA7aV6Oju0jTUgP4I9RbanhQ0XtMJoOhKso=
-----END PRIVATE KEY-----
3. Generate an EC private/public key pair and encrypt the key file with a given password using the "aes-128-cbc" algorithm.
herong$ openssl genpkey -algorithm EC -out key.pem \
    -pkeyopt ec_paramgen_curve:secp384r1 \
    -aes-128-cbc -pass pass:TopSecret
4. Look at the encrypted key file. It is written in PEM format and marked as "ENCRYPTED PRIVATE KEY", the PKCS#8 encrypted container, which records the cipher and key-derivation parameters inside the DER structure rather than in PEM headers. Encrypt every private key file that is stored or copied anywhere: whoever holds the unencrypted file can sign as you. Note that "-pass pass:TopSecret" exposes the pass phrase to other users through the process list and leaves it in your shell history; "-pass env:VAR" or "-pass file:path" avoids both.
herong$ more key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBHDBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIhppgR4adBVYCAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBC00xoAK/fcMliMhyRhMCXIBIHA
B9ZkIM5JWSo3FfWOg0clAxOBjro6R29YK52MVum8cXEBP/RhdzgQc04v9UtW2h2Q
Of+ums6ZqDWmLJL6rN37SiDJ7ghgScKlBddJWugBTRL8zV2+vr8PDwG/gi1vHnMS
Ax6qP5/jOQBuBr9mHStLdVRZln27VvVJrTIPsk6FD2fPRhfiPUy8TGb4b90rVLVS
Ci83ZA+4VfA9mA34xZ6eNPQ92b8p3c1KUsl9RipYPZqvWKd1kJab6wR9AmpA/sPS
-----END ENCRYPTED PRIVATE KEY-----
5. Print out information from an EC key file. It actually stores the components used to construct the private key and the public key: "priv" is the 48-byte (384-bit) private scalar, and "pub" is the public point in uncompressed form, a leading 04 byte followed by the x and y coordinates (97 bytes in total).
herong$ openssl ec -in key.pem -text -noout
read EC key
Enter PEM pass phrase: TopSecret
Private-Key: (384 bit)
priv:
    57:11:a5:c2:59:79:af:d8:9a:e4:31:d6:21:9d:15:
    3c:6a:84:8f:14:75:b1:6f:87:2f:1f:49:88:0d:09:
    87:c8:d1:ed:1c:d8:4c:f5:75:71:b9:ad:ef:6f:dc:
    6e:13:47
pub:
    04:56:44:9a:fc:20:f4:6a:71:b6:4f:27:a0:80:dc:
    b4:ae:fc:55:3a:e2:6d:bd:85:94:56:f5:a3:3d:0d:
    3a:61:b4:3b:72:b1:0b:1d:cf:8f:f0:6e:21:7f:45:
    23:83:fe:4a:e4:43:4d:9e:06:f3:0d:b7:0e:15:9b:
    6d:23:3b:f8:f1:7b:81:0f:9d:a6:e2:2f:bb:32:14:
    bc:af:31:90:66:01:e0:9a:dd:93:0d:56:f3:76:7e:
    76:f5:98:11:87:c5:66
ASN1 OID: secp384r1
NIST CURVE: P-384
6. Extract the public key from an EC key file.
herong$ openssl ec -in key.pem -pubout -out public.pem
read EC key
Enter pass phrase for key.pem: TopSecret
writing EC key
7. Look at the public key file. It is written in PEM format and marked as "PUBLIC KEY".
herong$ more public.pem
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEVkSa/CD0anG2TyeggNy0rvxVOuJtvYWU
VvWjPQ06YbQ7crELHc+P8G4hf0Ujg/5K5ENNngbzDbcOFZttIzv48XuBD52m4i+7
MhS8rzGQZgHgmt2TDVbzdn529ZgRh8Vm
-----END PUBLIC KEY-----
8. Print out information from the EC public key file. It stores only the components used to construct the public key.
herong$ openssl ec -pubin -in public.pem -text -noout
read EC key
Public-Key: (384 bit)
pub:
    04:56:44:9a:fc:20:f4:6a:71:b6:4f:27:a0:80:dc:
    b4:ae:fc:55:3a:e2:6d:bd:85:94:56:f5:a3:3d:0d:
    3a:61:b4:3b:72:b1:0b:1d:cf:8f:f0:6e:21:7f:45:
    23:83:fe:4a:e4:43:4d:9e:06:f3:0d:b7:0e:15:9b:
    6d:23:3b:f8:f1:7b:81:0f:9d:a6:e2:2f:bb:32:14:
    bc:af:31:90:66:01:e0:9a:dd:93:0d:56:f3:76:7e:
    76:f5:98:11:87:c5:66
ASN1 OID: secp384r1
NIST CURVE: P-384
My EC private/public key file is ready for generating CSRs (Certificate Signing Requests).
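The eight steps above, run end to end as a script. This is an added example, not code from the tutorial: it generates the secp384r1 key with "openssl genpkey", encrypts it with the pass phrase taken from an environment variable instead of the command line, extracts the public key, checks the PEM labels and the curve, and then signs and verifies a message so that the private and public files are proven to belong together. It assumes an "openssl" binary (1.1.1 or 3.x) on the PATH; the file names, the EC_KEY_PASS variable and the message text are this example's own choices, and "TopSecret" is only the tutorial's demo pass phrase.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate, encrypt, export and
# exercise an EC key pair with the openssl command line.
# Assumptions: "openssl" 1.1.1 or 3.x on PATH; EC_KEY_PASS holds the pass
# phrase (defaults to the tutorial's "TopSecret"); all file names are ours.

ec_key_roundtrip() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    ekr_dir=$(mktemp -d) || return 1
    ekr_umask=$(umask); umask 077      # key files: owner read/write only
    ekr_status=1
    # The pass phrase reaches openssl via "-pass env:", not "-pass pass:...",
    # so it never shows up in `ps` output or in the shell history.
    EC_KEY_PASS="${EC_KEY_PASS:-TopSecret}"; export EC_KEY_PASS

    if openssl genpkey -algorithm EC \
            -pkeyopt ec_paramgen_curve:secp384r1 \
            -aes-128-cbc -pass env:EC_KEY_PASS \
            -out "$ekr_dir/key.pem" 2>/dev/null &&
       # Public half; it carries no secret and may be handed out freely.
       openssl ec -in "$ekr_dir/key.pem" -passin env:EC_KEY_PASS \
            -pubout -out "$ekr_dir/public.pem" 2>/dev/null &&
       # The PEM labels say what each file is: encrypted PKCS#8 vs SPKI.
       grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$ekr_dir/key.pem" &&
       grep -q 'BEGIN PUBLIC KEY' "$ekr_dir/public.pem" &&
       # The public key is really on the curve that was requested.
       openssl ec -pubin -in "$ekr_dir/public.pem" -text -noout 2>/dev/null |
            grep -q 'ASN1 OID: secp384r1' &&
       # Sign with the private key, verify with the public key: this proves
       # the pass phrase decrypts the key and the two files match.
       printf 'hello, pki\n' > "$ekr_dir/msg.txt" &&
       openssl dgst -sha384 -sign "$ekr_dir/key.pem" -passin env:EC_KEY_PASS \
            -out "$ekr_dir/msg.sig" "$ekr_dir/msg.txt" 2>/dev/null &&
       openssl dgst -sha384 -verify "$ekr_dir/public.pem" \
            -signature "$ekr_dir/msg.sig" "$ekr_dir/msg.txt" 2>/dev/null |
            grep -q 'Verified OK'
    then
        ekr_status=0
    fi
    umask "$ekr_umask"
    rm -rf "$ekr_dir"
    return $ekr_status
}

# Entry point when the file is run directly.
if ec_key_roundtrip; then echo "EC key round trip: OK"; else echo "EC key round trip: FAILED" >&2; fi
```

The environment-variable form still lets processes of the same user read the pass phrase from the environment; for unattended jobs, "-pass file:" pointing at a mode-0600 file is the usual step up. The "Verified OK" check at the end is the cheapest way to catch a public.pem that was extracted from a different key than the one you are about to put into a CSR.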
If you are still using an older release of OpenSSL, you need to use the "openssl ecparam -genkey" command to generate EC private/public key pairs. Here are some examples:
1. Generate an EC private/public key pair using the "openssl ecparam -genkey" command. Note that the curve name "P-384" is an alias of "secp384r1".
herong$ openssl ecparam -genkey -name P-384 -noout -out key.pem
2. Encrypt the key file with a given password using the "aes-128-cbc" algorithm.
herong$ openssl ec -in key.pem -out encrypted-key.pem \
    -aes128 -passout pass:TopSecret
read EC key
writing EC key
3. Look at the encrypted key file. It is written in PEM format and marked as "EC PRIVATE KEY", the legacy SEC1 format rather than PKCS#8. It also carries the encryption algorithm and IV in the "Proc-Type" and "DEK-Info" PEM headers. This legacy encryption derives the AES key from the pass phrase with a single MD5 pass (EVP_BytesToKey), not with PBKDF2 as the PKCS#8 "ENCRYPTED PRIVATE KEY" format does, so an attacker who copies the file can test pass phrases much faster.
herong$ more encrypted-key.pem
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5B6581063E686110836783BC5D51D747

TTJO80PEHcxr+X8rGxrgfFCz+2P5pJSs/aziXLRhQFleKAUBCn6gDNTMYO7/H/ga
zwEPT5buHQV6XOVI0AAP+YR7EQTnvbLfa5kfat+FVp00j8RRo2ub0raAFLRwdovP
sLGpyvaj400tnhSaPJLqLm/YKMydrFlKtEi+ClVmqS/znfVen7utTevF1Ih+LUSF
IDi1c7tpDtu+RbrE6jzbhlEJ1BHT6VPQKTu6as/W7IA=
-----END EC PRIVATE KEY-----
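The legacy procedure above, carried one step further as an added example (not the tutorial's own code): it generates the key with "openssl ecparam -genkey", encrypts it in the legacy "EC PRIVATE KEY" format, then re-wraps it with "openssl pkcs8 -topk8" into the PKCS#8 "ENCRYPTED PRIVATE KEY" format with PBKDF2 and an explicit iteration count, and finally proves that both encrypted files decrypt to the same public key. It assumes an "openssl" binary (1.1.1 or 3.x); the file names, the EC_KEY_PASS variable and the 100000 iteration count are this example's choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): upgrade a legacy-encrypted EC key
# to PKCS#8 with PBKDF2 and verify nothing was lost on the way.
# Assumptions: "openssl" 1.1.1 or 3.x on PATH; EC_KEY_PASS holds the pass
# phrase (defaults to the tutorial's "TopSecret"); file names are ours.

legacy_ec_to_pkcs8() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    lep_dir=$(mktemp -d) || return 1
    lep_umask=$(umask); umask 077      # key files: owner read/write only
    lep_status=1
    EC_KEY_PASS="${EC_KEY_PASS:-TopSecret}"; export EC_KEY_PASS

    if openssl ecparam -genkey -name P-384 -noout -out "$lep_dir/plain.pem" 2>/dev/null &&
       # Legacy encryption ("Proc-Type"/"DEK-Info" headers): the AES key comes
       # from EVP_BytesToKey, one MD5 round, no PBKDF2, so offline guessing of
       # the pass phrase is cheap.
       openssl ec -in "$lep_dir/plain.pem" -aes128 -passout env:EC_KEY_PASS \
            -out "$lep_dir/legacy-enc.pem" 2>/dev/null &&
       grep -q 'BEGIN EC PRIVATE KEY' "$lep_dir/legacy-enc.pem" &&
       grep -q 'DEK-Info: AES-128-CBC' "$lep_dir/legacy-enc.pem" &&
       # PKCS#8 / PBES2 with PBKDF2 (-v2) and a chosen work factor (-iter):
       # the same container "openssl genpkey -aes-128-cbc" writes. Reusing the
       # pass phrase for input and output is only for brevity here.
       openssl pkcs8 -topk8 -in "$lep_dir/legacy-enc.pem" -passin env:EC_KEY_PASS \
            -v2 aes-128-cbc -iter 100000 -passout env:EC_KEY_PASS \
            -out "$lep_dir/pkcs8-enc.pem" 2>/dev/null &&
       grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$lep_dir/pkcs8-enc.pem" &&
       # Both encrypted files must decrypt to byte-identical public keys.
       openssl ec -in "$lep_dir/legacy-enc.pem" -passin env:EC_KEY_PASS \
            -pubout -out "$lep_dir/pub-legacy.pem" 2>/dev/null &&
       openssl pkey -in "$lep_dir/pkcs8-enc.pem" -passin env:EC_KEY_PASS \
            -pubout -out "$lep_dir/pub-pkcs8.pem" 2>/dev/null &&
       cmp -s "$lep_dir/pub-legacy.pem" "$lep_dir/pub-pkcs8.pem"
    then
        lep_status=0
    fi
    umask "$lep_umask"
    rm -rf "$lep_dir"
    return $lep_status
}

# Entry point when the file is run directly.
if legacy_ec_to_pkcs8; then echo "legacy -> PKCS#8 conversion: OK"; else echo "conversion: FAILED" >&2; fi
```

After a conversion like this, delete the legacy file and the unencrypted "plain.pem"; the comparison of the two public keys is what tells you the PKCS#8 file is safe to keep as the only copy.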