1=pod 2 3=head1 NAME 4 5openssl-pkey, 6pkey - public or private key processing tool 7 8=head1 SYNOPSIS 9 10B<openssl> B<pkey> 11[B<-help>] 12[B<-inform PEM|DER>] 13[B<-outform PEM|DER>] 14[B<-in filename>] 15[B<-passin arg>] 16[B<-out filename>] 17[B<-passout arg>] 18[B<-traditional>] 19[B<-I<cipher>>] 20[B<-text>] 21[B<-text_pub>] 22[B<-noout>] 23[B<-pubin>] 24[B<-pubout>] 25[B<-engine id>] 26[B<-check>] 27[B<-pubcheck>] 28 29=head1 DESCRIPTION 30 31The B<pkey> command processes public or private keys. They can be converted 32between various forms and their components printed out. 33 34=head1 OPTIONS 35 36=over 4 37 38=item B<-help> 39 40Print out a usage message. 41 42=item B<-inform DER|PEM> 43 44This specifies the input format DER or PEM. The default format is PEM. 45 46=item B<-outform DER|PEM> 47 48This specifies the output format, the options have the same meaning and default 49as the B<-inform> option. 50 51=item B<-in filename> 52 53This specifies the input filename to read a key from or standard input if this 54option is not specified. If the key is encrypted a pass phrase will be 55prompted for. 56 57=item B<-passin arg> 58 59The input file password source. For more information about the format of B<arg> 60see L<openssl(1)/Pass Phrase Options>. 61 62=item B<-out filename> 63 64This specifies the output filename to write a key to or standard output if this 65option is not specified. If any encryption options are set then a pass phrase 66will be prompted for. The output filename should B<not> be the same as the input 67filename. 68 69=item B<-passout password> 70 71The output file password source. For more information about the format of B<arg> 72see L<openssl(1)/Pass Phrase Options>. 73 74=item B<-traditional> 75 76Normally a private key is written using standard format: this is PKCS#8 form 77with the appropriate encryption algorithm (if any). If the B<-traditional> 78option is specified then the older "traditional" format is used instead. 79 80=item B<-I<cipher>> 81 82These options encrypt the private key with the supplied cipher. Any algorithm 83name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>. 84 85=item B<-text> 86 87Prints out the various public or private key components in 88plain text in addition to the encoded version. 89 90=item B<-text_pub> 91 92Print out only public key components even if a private key is being processed. 93 94=item B<-noout> 95 96Do not output the encoded version of the key. 97 98=item B<-pubin> 99 100By default a private key is read from the input file: with this 101option a public key is read instead. 102 103=item B<-pubout> 104 105By default a private key is output: with this option a public 106key will be output instead. This option is automatically set if 107the input is a public key. 108 109=item B<-engine id> 110 111Specifying an engine (by its unique B<id> string) will cause B<pkey> 112to attempt to obtain a functional reference to the specified engine, 113thus initialising it if needed. The engine will then be set as the default 114for all available algorithms. 115 116=item B<-check> 117 118This option checks the consistency of a key pair for both public and private 119components. 120 121=item B<-pubcheck> 122 123This option checks the correctness of either a public key or the public component 124of a key pair. 125 126=back 127 128=head1 EXAMPLES 129 130To remove the pass phrase on an RSA private key: 131 132 openssl pkey -in key.pem -out keyout.pem 133 134To encrypt a private key using triple DES: 135 136 openssl pkey -in key.pem -des3 -out keyout.pem 137 138To convert a private key from PEM to DER format: 139 140 openssl pkey -in key.pem -outform DER -out keyout.der 141 142To print out the components of a private key to standard output: 143 144 openssl pkey -in key.pem -text -noout 145 146To print out the public components of a private key to standard output: 147 148 openssl pkey -in key.pem -text_pub -noout 149 150To just output the public part of a private key: 151 152 openssl pkey -in key.pem -pubout -out pubkey.pem 153 154=head1 SEE ALSO 155 156L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>, 157L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> 158 159=head1 COPYRIGHT 160 161Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. 162 163Licensed under the OpenSSL license (the "License"). You may not use 164this file except in compliance with the License. You can obtain a copy 165in the file LICENSE in the source distribution or at 166L<https://www.openssl.org/source/license.html>. 167 168=cut 169