On Thu, Aug 10, 2017 at 02:49:02PM -0400, Robert Moskowitz wrote:

> > The command that does is:
> >
> >   $ openssl genpkey -aes256 -algorithm ec \
> >       -pkeyopt ec_paramgen_curve:secp256k1 \
> >       -pkeyopt ec_param_enc:named_curve \
> >       -out private/ca.key.pem
>
> So I see that I use this for the CA(s) key generation, but what about a
> Server or Client key pair to feed into a CSR?  I probably do not want those
> keys encrypted (well I do, but we sacrifice protection for ease of use,
> sigh).

Just leave off the "-aes256" option.

> > Are you sure you want secp256k1?  By far the more common choice is
> > prime256r1 (aka P-256 or secp256r1).
>
> Thanks, I read things wrong and selected the wrong curve.  Yes, I want
> prime256r1.
>
> > > openssl ecparam -in private/ca.key.pem -text -noout
> >
> > EC keys are read with "openssl ec" not "openssl ecparam".
>
> Ah.  I will give this a try.

Better yet, use "openssl pkey".

-- 
	Viktor.
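The server-key case discussed in this thread, as an added example that is not part of the original messages: it generates an unencrypted P-256 key with `genpkey` (no `-aes256`), builds a CSR from it, and reads the key back with `openssl pkey`. The curve is given as `prime256v1`, the short name OpenSSL accepts for P-256; the function names, file names and subject CN are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: unencrypted P-256 server key, CSR, and inspection via "openssl pkey".
# Function names, file names and the subject CN are illustrative assumptions.

# Generate an unencrypted EC key on named curve $2 into file $1.
gen_ec_key() {
    ( umask 077   # no passphrase protects this key, so restrict file permissions
      openssl genpkey -algorithm EC \
          -pkeyopt ec_paramgen_curve:"$2" \
          -pkeyopt ec_param_enc:named_curve \
          -out "$1" )
}

# Print the curve name of key file $1 as reported by "openssl pkey -text".
key_curve() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^ASN1 OID: *//p'
}

# Succeed if PEM file $1 is passphrase-protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Create CSR $2 from key $1 with subject CN $3, then check its self-signature.
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2" &&
    openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# Run the whole flow in a scratch directory and report what was produced.
demo() {
    dir=$(mktemp -d) || return 1
    gen_ec_key "$dir/server.key.pem" prime256v1 &&
    make_csr "$dir/server.key.pem" "$dir/server.csr.pem" server.example.test &&
    echo "curve: $(key_curve "$dir/server.key.pem")"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```
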