On 2015/2/19 00:22, Dave Thompson wrote:
> genpkey has a standard idea, across all algorithms that have parameters
> (which RSA does not), to generate parameters and key(s) as separate
> steps with a file in between. For DSA and DH this is good; you may want
> to generate your own params, or you may want to use existing ones
> (in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less
> sense, as generating your own curve is complicated (OpenSSL certainly
> doesn't do it) and in practice everyone* uses the named curves.
> Nonetheless you still do:
>
> openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
> openssl genpkey -paramfile pfile >keyfile

Thank you, this is clear now. It might be worth adding an example to the
man page to prevent others from being similarly confused.
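
The two-step sequence quoted above, as an added example that is not part of the original thread or of the OpenSSL man page: it generates the parameter file and the key, then checks that the key is on the curve the parameter file names. The curve `prime256v1`, the file names and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The curve name prime256v1 and all
# file names passed in are assumptions chosen for illustration.

# gen_ec_key CURVE PARAMFILE KEYFILE
gen_ec_key() {
    curve=$1 pfile=$2 keyfile=$3

    # Step 1: write the EC "parameters" (for a named curve, just its OID).
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt "ec_paramgen_curve:$curve" -out "$pfile" || return 1

    # Step 2: generate the private key from the parameter file.
    # The subshell's umask keeps the new key unreadable to other users.
    ( umask 077 && openssl genpkey -paramfile "$pfile" -out "$keyfile" ) || return 1
}

# Print the curve name stored in a parameter file.
param_curve() {
    openssl pkeyparam -in "$1" -noout -text |
        awk -F': *' '/ASN1 OID/ {print $2; exit}'
}

# Print the curve name of a private key.
key_curve() {
    openssl pkey -in "$1" -noout -text |
        awk -F': *' '/ASN1 OID/ {print $2; exit}'
}

# Succeed only if the key is on the curve named in the parameter file.
check_key_matches_params() {
    p=$(param_curve "$1") && k=$(key_curve "$2") || return 1
    [ -n "$p" ] && [ "$p" = "$k" ]
}
```

Call it as `gen_ec_key prime256v1 pfile keyfile && check_key_matches_params pfile keyfile`.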