Re: Password protect EC private key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you, Viktor.

On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:

openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem

But openssl ecparam does not have any option equivalent (that I can find) to -aes256
Yes, this command does not currently support key encryption.

What am I missing.
The command that does is:

    $  openssl genpkey -aes256 -algorithm ec \
	-pkeyopt ec_paramgen_curve:secp256k1 \
	-pkeyopt ec_param_enc:named_curve \
	-out private/ca.key.pem

So I see that I use this for the CA(s) key generation, but what about a Server or Client key pair to feed into a CSR? I probably do not want those keys encrypted (well I do, but we sacrifice protection for easy of use, sigh).


Are you sure you want secp256k1?  By far the more common choice is
prime256r1 (aka P-256 or secp256r1).

Thanks, I read things wrong and selected the wrong curve. Yes, I want prime256r1.


openssl ecparam -in private/ca.key.pem -text -noout
EC keys are read with "openssl ec" not "openssl ecparam".


Ah.  I will give this a try.

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux