The openssl ec command and utility can be used to process your EC (Elliptic Curve) keys. This article will walk you through examples on processing EC keys with the openssl ec utility as well as the openssl ecparam utility.

The header and footer of an EC private key are formatted as follows:

```
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
```

This format may be converted to PKCS8 by running the following command with the openssl pkcs8 utility:

`openssl pkcs8 -topk8 -in key.pem -out key-pkcs8.pem`

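Where `-topk8` means to convert to PKCS8, `-in key.pem` is the EC private key, and `-out key-pkcs8.pem` will be the file storing the PKCS8 EC private key. Unless `-nocrypt` is added, the command prompts for a passphrase and writes the PKCS8 key encrypted.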

On the other hand, the EC public key header and footer are formatted this way:

```
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
```

As you maintain and process different key material you will notice that many of the commands are very much the same or similar in nature.

Private keys should be stored encrypted at rest if at all possible. To encrypt an EC private key, run the following command:

`openssl ec -in key.pem -aes256 -out encrypted-key.pem`

Where `-in key.pem` is the plain text EC private key, `-aes256` is the symmetric key encryption algorithm to encrypt the private key with, and `-out encrypted-key.pem` is the file storing the encrypted EC private key.

To convert the EC private key from PEM format to DER format, run the following command:

`openssl ec -in key.pem -outform DER -out key.der`

Where `-in key.pem` is the PEM formatted EC private key, `-outform DER` is the format to convert to, and `-out key.der` will be the DER formatted EC private key.

To extract the EC public key from the private key, run the following command:

`openssl ec -in key.pem -pubout -out public-key.pem`

Where `-in key.pem` is the EC private key, `-pubout` means extract the public key, and `-out public-key.pem` is the file storing the EC public key.

## openssl ecparam

To generate an EC private key, run the following command with the openssl ecparam utility:

`openssl ecparam -name prime256v1 -genkey -noout -out key.pem`

Where `-name prime256v1` is the parameter group, `-genkey` means to generate an EC private key, `-noout` suppresses printing of the encoded EC parameters, and `-out key.pem` stores the generated EC private key in the key.pem file.

You may use the EC public key for encryption and the EC private key for decryption, or digital signatures. The EC private key can be used just the same as any other private key. See our article on openssl dgst for examples on digitally signing messages using the generated EC private key.

The EC parameters header and footer are formatted as follows:

```
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
```

To print the EC parameters, run the following command:

`openssl ecparam -in ec_param.pem -noout -text`

Where `-in ec_param.pem` is the file holding the EC parameters in PEM format, `-noout` suppresses the encoded output, and `-text` prints the parameters in text format.
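The headers shown in this article are enough to check whether private keys are stored encrypted at rest. The script below is an added example, not part of the original article: it classifies each PEM block by its BEGIN line and flags plaintext private keys. The function names, `params-and-key.pem` and the placeholder key bodies are constructed for illustration; `Proc-Type: 4,ENCRYPTED` is the marker the traditional format uses for an encrypted key, and `BEGIN PRIVATE KEY` / `BEGIN ENCRYPTED PRIVATE KEY` are the PKCS8 headers.

```shell
# Added example: audit PEM files by header; sample data is constructed.
# Print one label per PEM block found in file $1.
classify_pem() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        /^-----BEGIN EC PRIVATE KEY-----$/        { kind = "ec"; enc = 0; next }
        /^-----BEGIN PRIVATE KEY-----$/           { print "pkcs8-private plaintext"; next }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { print "pkcs8-private encrypted"; next }
        /^-----BEGIN PUBLIC KEY-----$/            { print "public"; next }
        /^-----BEGIN EC PARAMETERS-----$/         { print "ec-parameters"; next }
        # Traditional-format keys mark encryption with an RFC 1421 header line.
        kind == "ec" && /^Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        /^-----END EC PRIVATE KEY-----$/ {
            print "ec-private " (enc ? "encrypted" : "plaintext"); kind = ""
        }
    ' "$1"
}

# Return 1 and name the file if any given file holds a plaintext private key.
audit_keys() {
    status=0
    for f in "$@"; do
        if classify_pem "$f" | grep -q 'private plaintext$'; then
            echo "PLAINTEXT PRIVATE KEY: $f"
            status=1
        fi
    done
    return $status
}

# Constructed samples: real PEM headers, placeholder bodies (not real keys).
make_samples() {
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' "$body" \
        '-----END EC PRIVATE KEY-----' > "$1/key.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' "$body" \
        '-----END EC PRIVATE KEY-----' > "$1/encrypted-key.pem"
    printf '%s\n' '-----BEGIN EC PARAMETERS-----' "$body" \
        '-----END EC PARAMETERS-----' '-----BEGIN EC PRIVATE KEY-----' "$body" \
        '-----END EC PRIVATE KEY-----' > "$1/params-and-key.pem"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' "$body" \
        '-----END PUBLIC KEY-----' > "$1/public-key.pem"
}

dir=$(mktemp -d) && make_samples "$dir"
audit_keys "$dir"/*.pem || echo "audit failed: encrypt or remove the files above"
rm -rf "$dir"
```

The `params-and-key.pem` sample mirrors what `openssl ecparam -genkey` writes when `-noout` is omitted: an EC PARAMETERS block followed by the private key, which the audit still flags.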
