Openssl ECDSA : private key passphrase
Solution 1
It would seem that ecparam
doesn't have a built-in option for encrypting the generated key. Instead, you can simply do the following:
openssl ec -in myprivatekey.pem -out myprivatekey_encrypted.pem -aes256
Compared to genrsa
, an extra step is required, but this basically does the same thing.
Now as far as the certificate request, the command is pretty much the same regardless of the type of private key used:
openssl req -new -sha256 -key myprivatekey.pem -out mycertrequest.pem
You can then take the resulting mycertrequest.pem
and send it to a CA for signing.
Edit:
If you have concerns about writing the unencrypted private key to disk, you can do both the generation and encryption of the key in one step like so:
openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -out privatekey.pem
This generates a P-256 key, then prompts you for a passphrase. The key is then encrypted using AES256 and saved into privatekey.pem
.
Solution 2
While ecparam
doesn't have an option to encrypt the generated key, genpkey
can generate ECC private keys and does have such an option:
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp160k1 -aes-256-cbc -out myprivatekey_encrypted.pem
The -aes-256-cbc
option specifies to encrypt it (with aes-256-cbc; other options are available for different types of encryption).
You can pass -passin pass:password
or -passin file:mypassword.pass
to specify the password on the commandline.
elpazio
Updated on July 29, 2022Comments
-
elpazio almost 2 years
I am new with Openssl i have generated a private key myprivatekey.pem and a publickey mypublickey.pem with :
openssl ecparam -genkey -name secp160k1 -noout -out myprivatekey.pem
and my public key with :
openssl -ec -in myprivatekey.pem -pubout -out mypublickey.pem
What i want to do next is to encrypte my ecdsa with a passphrase private key and make a certification request for my public key and thank you for your help.