> From: openssl-users On Behalf Of openssl at lists.killian.com > Sent: Wednesday, February 18, 2015 13:26 > I noticed that openssl(1) says that various things have been superseded by > genpkey, so I tried changing my scripts to use it. It works fine for RSA, but the > man page is not very helpful on EC. I tried > > openssl genpkey -out key.new -algorithm EC -pkeyopt > ec_paramgen_curve:secp384r1 > > and got > > parameter setting error > 139638314907280:error:06089094:digital envelope > routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404: <snip> genpkey has a standard idea, across all algorithms that have parameters (which RSA does not), to generate parameters and key(s) as separate steps with a file in between. For DSA and DH this is good; you may want to generate your own params, or you may want to use existing ones (in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less sense, as generating your own curve is complicated (OpenSSL certainly doesn't do it) and in practice everyone* uses the named curves. Nonetheless you still do: openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile openssl genpkey -paramfile pfile >keyfile Depending on your OS and shell you may be able to combine these like openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0 or openssl genpkey -paramfile <<<$(openssl genpkey -genparam) * Well, everybody except the crowd around Dan Bernstein, and they use non-Weierstrauss curves that OpenSSL can't even represent (now?).
