The openssl ec utility processes EC (Elliptic Curve) keys: it reads a private or public key and can convert, encrypt, print or derive from it. This article walks through examples of processing EC keys with openssl ec, and of generating keys and curve parameters with the openssl ecparam utility.
An EC private key in the traditional SEC1 PEM encoding, which is what openssl ecparam -genkey writes, has this header and footer:
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
This format may be converted to PKCS#8 by running the following command with the openssl pkcs8 utility:
openssl pkcs8 -topk8 -in key.pem -out key-pkcs8.pem
-topk8 means to convert to PKCS#8,
-in key.pem is the EC private key, and
-out key-pkcs8.pem will be the file storing the PKCS#8 EC private key.
As written, pkcs8 -topk8 encrypts the output and prompts for a passphrase; add -nocrypt to write an unencrypted PKCS#8 key. A PKCS#8 key starts with -----BEGIN PRIVATE KEY----- (or -----BEGIN ENCRYPTED PRIVATE KEY----- when encrypted). The header no longer says EC because PKCS#8 records the key type inside the encoding, and it is the form most libraries and services expect; some of them do not accept the SEC1 form at all.
The EC public key, on the other hand, is written as a SubjectPublicKeyInfo structure, whose header and footer are the same for every key type:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
The header alone therefore does not tell you the key is EC; openssl pkey -pubin -in public-key.pem -noout -text prints the algorithm and the curve. As you maintain and process different key material you will notice that many of the commands are the same or very similar across key types.
Private keys should be stored encrypted at rest if at all possible. To encrypt an EC private key, run the following command:
openssl ec -in key.pem -aes256 -out encrypted-key.pem
-in key.pem is the plain text EC private key,
-aes256 is the symmetric cipher used to encrypt the private key (openssl prompts for a passphrase; -passout can supply it non-interactively), and
-out encrypted-key.pem is the file storing the encrypted EC private key.
The result keeps the EC PRIVATE KEY header and gains Proc-Type and DEK-Info lines. Note that this legacy PEM encryption derives the AES key from the passphrase with a single MD5 iteration, so it offers little resistance to passphrase guessing. For keys that matter, prefer an encrypted PKCS#8 file (openssl pkcs8 -topk8 -v2 aes-256-cbc -in key.pem -out key-pkcs8.pem), which uses PBKDF2 with an iteration count you can raise with -iter.
To convert the EC private key from PEM format to DER format, run the following command:
openssl ec -in key.pem -outform DER -out key.der
-in key.pem is the PEM formatted EC private key,
-outform DER is the format to convert to, and
-out key.der will be the DER formatted EC private key.
DER is the binary encoding that the PEM base64 wraps; to read a DER key back, pass -inform DER. DER files carry no header, so you have to keep track yourself of whether a given file holds a SEC1 key, a PKCS#8 key or a public key.
To extract the EC public key from the private key, run the following command:
openssl ec -in key.pem -pubout -out public-key.pem
-in key.pem is the EC private key,
-pubout means to write the public key instead of the private key, and
-out public-key.pem is the file storing the EC public key.
The same command works on a PKCS#8 or encrypted input (add -passin, or answer the prompt); openssl pkey -in key.pem -pubout does the same for any key type.
To generate an EC private key, run the following command with the openssl ecparam utility:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
-name prime256v1 is the curve (parameter group); prime256v1 is NIST P-256, also known as secp256r1, and openssl ecparam -list_curves lists the others,
-genkey means to generate an EC private key, and
-noout -out key.pem means to store the generated EC private key in key.pem and not print the curve parameters.
This writes the traditional SEC1 format. openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out key.pem generates the same kind of key directly in PKCS#8.
EC keys are used for digital signatures (ECDSA) and for key agreement (ECDH, via openssl pkeyutl -derive). Unlike RSA, an EC key cannot encrypt or decrypt data directly, and openssl pkeyutl -encrypt will reject it. For signing, the EC private key is used just like any other private key. See our article on openssl dgst for examples of digitally signing messages with the generated EC private key.
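The following script is an added example, not part of the original article: it runs the key generation, PKCS#8 conversion, encryption, DER conversion, public-key extraction and signing steps above end to end in a scratch directory, with non-interactive passphrases so it runs unattended, then checks that every representation yields the same public key. It assumes OpenSSL 1.1.1 or 3.x on PATH; the file names are the article's own, and the passphrase is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: one end-to-end run of the
# openssl ec / pkcs8 / ecparam / dgst commands discussed above, in a scratch
# directory, with non-interactive passphrases so it runs unattended.
# Assumes OpenSSL 1.1.1 or 3.x on PATH; file names are the article's own.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl not on PATH; nothing to run' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Passphrase for the encrypted files. Constructed for the example only; in real
# use take it from a secret store or let openssl prompt, never hard-code it.
PASS='pass:example-passphrase'

# 1. Generate a prime256v1 (NIST P-256) key in the traditional SEC1 format.
openssl ecparam -name prime256v1 -genkey -noout -out key.pem

# 2. Convert to PKCS#8. -nocrypt writes a plaintext "PRIVATE KEY" block;
#    with a cipher instead, pkcs8 -topk8 encrypts using PBKDF2 (PBES2).
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem
openssl pkcs8 -topk8 -v2 aes-256-cbc -in key.pem -out key-pkcs8-enc.pem -passout "$PASS"

# 3. Encrypt the SEC1 key (legacy PEM encryption: same header, plus
#    Proc-Type/DEK-Info lines; the passphrase is stretched with one MD5 round).
openssl ec -in key.pem -aes256 -out encrypted-key.pem -passout "$PASS"

# 4. PEM -> DER.
openssl ec -in key.pem -outform DER -out key.der

# 5. Extract the public key from every representation of the same private key.
openssl ec -in key.pem -pubout -out pub-sec1.pem
openssl ec -in key-pkcs8.pem -pubout -out pub-pkcs8.pem
openssl ec -in key-pkcs8-enc.pem -passin "$PASS" -pubout -out pub-pkcs8-enc.pem
openssl ec -in encrypted-key.pem -passin "$PASS" -pubout -out pub-legacy-enc.pem
openssl ec -in key.der -inform DER -pubout -out pub-der.pem

# 6. Sign with the private key (ECDSA over SHA-256), the use case the dgst article covers.
printf 'hello, EC\n' > msg.txt
openssl dgst -sha256 -sign key.pem -out msg.sig msg.txt

# First PEM line of a file, e.g. "-----BEGIN EC PRIVATE KEY-----".
pem_header() { head -n 1 "$WORK/$1"; }

# "yes" if the PEM file carries an encryption marker (legacy Proc-Type line or
# the PKCS#8 "ENCRYPTED PRIVATE KEY" header), otherwise "no".
is_encrypted() { grep -q 'ENCRYPTED' "$WORK/$1" && echo yes || echo no; }

# SHA-256 fingerprint of a public key's DER (SubjectPublicKeyInfo) encoding.
pub_fingerprint() {
  openssl pkey -pubin -in "$WORK/$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# "same" if every public key derived above is identical, otherwise "differ".
# All five files are views of one private key, so they must agree.
pubkeys_agree() {
  ref="$(pub_fingerprint pub-sec1.pem)"
  for f in pub-pkcs8.pem pub-pkcs8-enc.pem pub-legacy-enc.pem pub-der.pem; do
    [ "$(pub_fingerprint "$f")" = "$ref" ] || { echo differ; return 0; }
  done
  echo same
}

# "ok" if the signature verifies against the extracted public key, else "fail".
verify_sig() {
  openssl dgst -sha256 -verify "$WORK/pub-sec1.pem" -signature "$WORK/msg.sig" "$WORK/msg.txt" \
    >/dev/null 2>&1 && echo ok || echo fail
}

echo "public keys agree: $(pubkeys_agree); signature: $(verify_sig)"
```

Comparing the public-key fingerprints is the quick way to confirm that a conversion (SEC1 to PKCS#8, PEM to DER, plaintext to encrypted) changed only the container and not the key. The pass: form of -passout and -passin is convenient for a script like this, but it exposes the passphrase to anyone who can list processes; use file: or env: sources in anything you keep.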
EC parameters (the curve itself, without any key) have this header and footer:
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
To print the EC parameters, run the following command:
openssl ecparam -in ec_param.pem -noout -text
-in ec_param.pem are the EC parameters in PEM format,
-text prints them in human-readable form (for a named curve, the curve's OID and name), and
-noout suppresses the PEM-encoded copy that ecparam would otherwise print as well.
openssl ecparam -name prime256v1 -out ec_param.pem writes such a file, and openssl ecparam -in ec_param.pem -check validates the parameters it contains.
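The following script is an added example, not part of the original article: it writes a parameters file for prime256v1 in both the named-curve and the explicit encoding, prints and validates each, generates a key from the file, and reads the curve back off the key. It assumes OpenSSL 1.1.1 or 3.x on PATH; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: writing EC parameter files
# in both encodings, printing and validating them, and reading the curve back
# off a key. Assumes OpenSSL 1.1.1 or 3.x on PATH; file names are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl not on PATH; nothing to run' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Named-curve encoding (the default): the file holds only the OID of prime256v1.
openssl ecparam -name prime256v1 -out "$WORK/ec_param.pem"

# Explicit encoding: the same curve with p, a, b, G, n and h written out. Avoid it
# unless a peer demands it: it is far larger, and a consumer has to validate the
# numbers instead of matching a well-known OID.
openssl ecparam -name prime256v1 -param_enc explicit -out "$WORK/ec_param_explicit.pem"

# A key generated from a parameters file rather than from -name.
openssl ecparam -in "$WORK/ec_param.pem" -genkey -noout -out "$WORK/key.pem"

# First PEM line of a file, e.g. "-----BEGIN EC PARAMETERS-----".
pem_header() { head -n 1 "$WORK/$1"; }

# Human-readable dump, as the article's "ecparam -noout -text" command prints it.
params_text() { openssl ecparam -in "$WORK/$1" -noout -text; }

# "ok" if "ecparam -check" accepts the parameters (valid field, curve and generator).
params_check() { openssl ecparam -in "$WORK/$1" -noout -check >/dev/null 2>&1 && echo ok || echo fail; }

# Size in bytes of the DER encoding: a named curve is a 10-byte OID, explicit
# parameters for P-256 run to a few hundred bytes.
params_der_size() { openssl ecparam -in "$WORK/$1" -outform DER | wc -c | tr -d ' '; }

# The curve a private key was generated on, as printed by "openssl ec -text".
# Use this when auditing keys you did not generate yourself.
key_curve() { openssl ec -in "$WORK/$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'; }

echo "named-curve params:"; params_text ec_param.pem
echo "named: $(params_der_size ec_param.pem) bytes, explicit: $(params_der_size ec_param_explicit.pem) bytes"
echo "key.pem curve: $(key_curve key.pem)"
```

The size difference is the practical argument for named curves: a 10-byte OID is trivially compared against an allow-list, whereas explicit parameters have to be checked field by field before the key they accompany can be trusted.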