pkeyparam.1s

View or generate public key parameters

SYNOPSIS

openssl pkeyparam [-help] [-in filename] [-out filename] [-inform DER|PEM] [-outform DER|PEM] [-text] [-noout] [-check] [-engine id] [-algorithm algname] [-genparam] [numbits]

PARAMETERS

-help
    Display usage information and quit.

-in filename
    Input file containing parameters (default: stdin).

-out filename
    Output file for parameters (default: stdout).

-inform DER|PEM
    Input format (default: PEM).

-outform DER|PEM
    Output format (default: PEM).

-text
    Print parameters as human-readable text.

-noout
    Do not output encoded parameters.

-check
    Verify parameter integrity and suitability.

-engine id
    Use specified cryptographic engine.

-algorithm algname
    Algorithm name, e.g., DH, DSA (required with -genparam).

-genparam
    Generate new parameters instead of reading from input.

numbits
    Parameter size in bits (e.g., 2048).

DESCRIPTION

The openssl pkeyparam command is a versatile tool in the OpenSSL suite for generating, displaying, and verifying public key parameters used in asymmetric cryptography, particularly for algorithms like Diffie-Hellman (DH) and Digital Signature Algorithm (DSA). These parameters include large primes and generators essential for secure key exchange and digital signatures.

To create new parameters, specify -genparam with the desired -algorithm and bit length via numbits, producing PKCS#8 encoded output suitable for key generation tools like genpkey. Existing parameters from files can be read with -in, inspected in human-readable -text format, validated using -check for mathematical correctness (e.g., safe primes), or converted between formats.

This command supports input/output in PEM or DER formats via -inform and -outform. It leverages OpenSSL's EVP interface for flexibility across engines and providers. Primarily used in server configurations for custom DH groups or legacy DSA setups, it ensures cryptographically strong parameters, replacing older specialized tools like dhparam and dsa.
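
As an added example (not code from this page or from OpenSSL), the Python below shows the kind of mathematical validation the description attributes to -check, applied to a PKCS#3 "DH PARAMETERS" PEM file: minimum size, primality of p, the safe-prime property, and the generator range. The function names, the 2048-bit default minimum and the two tiny sample blocks are assumptions made for illustration.

```python
# Added example, not OpenSSL's code. The sample PEM blocks at the end are constructed.
import base64, itertools, re, secrets

def read_tlv(der, pos, tag):
    """Read one DER element with the expected tag; return (content, next_pos)."""
    if der[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    n, pos = der[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(der[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return der[pos:pos + n], pos + n

def parse_dh_pem(pem):
    """Return (p, g) from a PKCS#3 block: SEQUENCE { prime INTEGER, base INTEGER }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    body, _ = read_tlv(base64.b64decode(m.group(1)), 0, 0x30)
    p, pos = read_tlv(body, 0, 0x02)
    g, _ = read_tlv(body, pos, 0x02)
    return tuple(int.from_bytes(v, "big", signed=True) for v in (p, g))

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, so a crafted composite cannot target them."""
    if n < 2 or any(n % q == 0 for q in (2, 3, 5, 7)):
        return n in (2, 3, 5, 7)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        squares = itertools.accumulate(range(s - 1), lambda y, _: y * y % n, initial=x)
        if x != 1 and n - 1 not in squares:  # no x^(2^r), r < s, equals n - 1
            return False
    return True

def audit_dh(pem, min_bits=2048):
    """Return a list of findings; an empty list means every check passed."""
    p, g = parse_dh_pem(pem)
    prime = is_probable_prime(p)
    checks = ((p.bit_length() >= min_bits, f"p is {p.bit_length()} bits, minimum {min_bits}"),
              (prime, "p is not prime"),
              (not prime or is_probable_prime((p - 1) // 2), "p is not a safe prime"),
              (1 < g < p - 1, "generator g is outside 2..p-2"))
    return [msg for ok, msg in checks if not ok]

PEM = "-----BEGIN DH PARAMETERS-----\n{}\n-----END DH PARAMETERS-----\n"
TINY_SAFE = PEM.format("MAcCAgf3AgEC")  # constructed: p = 2039 (safe prime), g = 2
COMPOSITE = PEM.format("MAcCAgf5AgEC")  # constructed: p = 2041 = 13 * 157, g = 2
```

To audit a real file, pass its contents to audit_dh, for example audit_dh(open("dhparams.pem").read()).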

CAVEATS

Parameter generation can be computationally intensive for large bit sizes; use pre-generated params in production. Limited to supported EVP algorithms.

EXAMPLES

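# Generate 2048-bit DH parameters (generation is done by genpkey; pkeyparam reads existing parameters)
openssl genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:2048 -out dhparams.pem
# Print the parameters as text and validate them
openssl pkeyparam -in dhparams.pem -text -check
# Print the parameters as text only, without the encoded output
openssl pkeyparam -in params.pem -text -noout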

HISTORY

Introduced in OpenSSL 1.0.0 (2007) as part of EVP public key refactoring, unifying parameter handling previously split across dhparam and dsa tools.

SEE ALSO

genpkey(1), pkey(1), dhparam(1), dsa(1)
