I would like to be able to generate a key pair (private and public key) on the command line with openssl, but I don't know exactly how to do it. What I have done so far was to run the following command line, but this only prints this, which I don't know exactly what it is:
FROM OPENSSL PAGE: To create EC parameters with explicit parameters:
openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit
-----BEGIN EC PARAMETERS-----
MIHHAgEBMCQGByqGSM49AQECGQD////////////////////+//////////8wSwQY
/////////////////////v/////////8BBhkIQUZ5ZyA5w+n6atyJDBJ/rje7MFG
ubEDFQAwRa5vyEIvZO1XlSjTgSDq4SGW1QQxBBiNqA6wMJD2fL8g60OhiAD0/wr9
gv8QEgcZK5X/yNp4YxAR7WskzdVz+XehHnlIEQIZAP///////////////5ne+DYU
a8mxtNIoMQIBAQ==
-----END EC PARAMETERS-----
Can someone tell me how to get something like this:
//-----------------Generated Key Pair----------------------------------//
char privkey[]=
"-----BEGIN EC PARAMETERS-----\n"
"BgUrgQQACQ==\n"
"-----END EC PARAMETERS-----\n"
"-----BEGIN EC PRIVATE KEY-----\n"
"MFACAQEEFI9sfpfTk0YlZx8JaCZnLsy4T6HYoAcGBSuBBAAJoSwDKgAEIlzYflxD\n"
"0396M0i6dGfSY3khTU7kiNyEv/B1EoyGmqvH7tjhSmpP1A==\n"
"-----END EC PRIVATE KEY-----\n";
char pubkey[] =
"-----BEGIN PUBLIC KEY-----\n"
"MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAEIlzYflxD0396M0i6dGfSY3khTU7kiNyE\n"
"v/B1EoyGmqvH7tjhSmpP1A==\n"
"-----END PUBLIC KEY-----\n";
//---------------------------------------------------------------------//
I got this from a code I got online which uses this key pair to sign messages with ECDSA, but now I would like to be able to generate my own key pair (from the openssl command line) and use it in the code like this, to change this key pair for mine.
In my case I would like to use NIST P225 which is "prime256v1".
Can someone help me?
Thanks, Best Regards
Private Key
Assuming an UX platform such as OS X or Linux. Also omit the $ when testing. Generate a private ECDSA key:
$ openssl ecparam -name prime256v1 -genkey -noout -out private.ec.key
Convert and encrypt the private key with a pass phrase:
$ openssl pkcs8 -topk8 -in private.ec.key -out private.pem
You can now securely delete private.ec.key as long as you remember the pass phrase.
Public Key
Generate public ECDSA key:
$ openssl ec -in private.pem -pubout -out public.pem
Testing
Make a small text file for testing:
$ echo "hello world" > msg.txt
Make a hash digest:
$ openssl dgst -sha256 -out msg.digest.txt msg.txt
Make a signature file out of the digest:
$ openssl dgst -sha256 -sign private.pem -out msg.signature.txt msg.digest.txt
Verify the signature:
$ openssl dgst -sha256 -verify public.pem -signature msg.signature.txt msg.digest.txt
Additionally you may want to encode the signature to base64 before mailing it, and then decode it to bin before verifying after you receive it.
Here's how you do that:
Encode:
$ openssl base64 -in msg.signature.txt -out msg.base64.sig.txt
Decode:
$ openssl base64 -d -in msg.base64.sig.txt -out msg.signature.txt
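To get from the PEM files produced above to the char privkey[] / pubkey[] layout shown in the question, the following is an added example, not code from the original question or answer. The function names, the keys.h output file and the choice to embed the unencrypted private.ec.key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Helper names and the keys.h file name are hypothetical.

# Print a PEM file as a C string literal, one quoted line per PEM line,
# in the same layout as the privkey[]/pubkey[] arrays in the question.
pem_to_c_array() {   # usage: pem_to_c_array <c_identifier> <pem_file>
    printf 'static const char %s[] =\n' "$1"
    # Strip CR from Windows line endings, drop blank lines, then wrap
    # every remaining line in quotes with a literal \n escape appended.
    tr -d '\r' < "$2" | sed -e '/^$/d' -e 's/.*/    "&\\n"/'
    printf '    ;\n'
}

# Generate a prime256v1 key pair and write both halves into <dir>/keys.h.
make_keypair_header() {   # usage: make_keypair_header <dir>
    dir=$1
    # umask 077: key files are readable by the owner only.
    ( umask 077
      openssl ecparam -name prime256v1 -genkey -noout \
          -out "$dir/private.ec.key" ) || return 1
    openssl ec -in "$dir/private.ec.key" -pubout \
        -out "$dir/public.pem" 2>/dev/null || return 1
    # A private key compiled into a program can be read out of the binary
    # and out of version control, so treat keys.h like the key file itself.
    ( umask 077
      { pem_to_c_array privkey "$dir/private.ec.key"
        pem_to_c_array pubkey  "$dir/public.pem"
      } > "$dir/keys.h" )
}

# Sign and verify a constructed test message to confirm that the two
# files really belong to the same key pair before embedding them.
check_keypair() {   # usage: check_keypair <dir>
    printf 'hello world\n' > "$1/msg.txt"
    openssl dgst -sha256 -sign "$1/private.ec.key" \
        -out "$1/msg.sig" "$1/msg.txt" &&
    openssl dgst -sha256 -verify "$1/public.pem" \
        -signature "$1/msg.sig" "$1/msg.txt" >/dev/null
}

# Stand-alone use: sh thisfile.sh generate [dir]
if [ "${1:-}" = "generate" ]; then
    make_keypair_header "${2:-.}" && check_keypair "${2:-.}"
fi
```

The resulting keys.h can be included from the C code in place of the hard-coded arrays.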