Commit 003ef7ef authored by Paul Yang's avatar Paul Yang Committed by Andy Polyakov
Browse files

Add EC key generation paragraph in doc/HOWTO/keys.txt 



Seems this documentation is not dead, so add this missing part

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4037)
parent 07c54e59

doc/HOWTO/keys.txt

+46 −13
Original line number Diff line number Diff line
@@ -27,12 +27,6 @@ With this variant, you will be prompted for a protecting password. If 
you don't want your key to be protected by a password, remove the flag

'-des3' from the command line above.



    NOTE: if you intend to use the key together with a server

    certificate, it may be a good thing to avoid protecting it

    with a password, since that would mean someone would have to

    type in the password every time the server needs to access

    the key.



The number 2048 is the size of the key, in bits.  Today, 2048 or

higher is recommended for RSA keys, as fewer amount of bits is

consider insecure or to be insecure pretty soon.
@@ -62,11 +56,50 @@ With this variant, you will be prompted for a protecting password. If 
you don't want your key to be protected by a password, remove the flag

'-des3' from the command line above.



    NOTE: if you intend to use the key together with a server

    certificate, it may be a good thing to avoid protecting it

    with a password, since that would mean someone would have to

    type in the password every time the server needs to access

    the key.



-- 

Richard Levitte
 
4. To generate an EC key



An EC key can be used both for key agreement (ECDH) and signing (ECDSA).



Generating a key for ECC is similar to generating a DSA key. These are

two-step processes. First, you have to get the EC parameters from which

the key will be generated:



  openssl ecparam -name prime256v1 -out prime256v1.pem



The prime256v1, or NIST P-256, which stands for 'X9.62/SECG curve over

a 256-bit prime field', is the name of an elliptic curve which generates the

parameters. You can use the following command to list all supported curves:



  openssl ecparam -list_curves



When that is done, you can generate a key using the created parameters (several

keys can be produced from the same parameters):



  openssl genpkey -des3 -paramfile prime256v1.pem -out private.key



With this variant, you will be prompted for a password to protect your key.

If you don't want your key to be protected by a password, remove the flag

'-des3' from the command line above.



You can also directly generate the key in one step:



  openssl ecparam -genkey -name prime256v1 -out private.key



or



  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256





5. NOTE



If you intend to use the key together with a server certificate,

it may be reasonable to avoid protecting it with a password, since

otherwise someone would have to type in the password every time the

server needs to access the key.



For X25519, it's treated as a distinct algorithm but not as one of

the curves listed with 'ecparam -list_curves' option. You can use

the following command to generate an X25519 key:



  openssl genpkey -algorithm X25519 -out xkey.pem