HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI. Keys usually come in
pairs, with one half being the public key and the other half being the
private key. With OpenSSL, the private key contains the public key
information as well, so a public key doesn't need to be generated
separately.

Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are RSA and
ECDSA, and this HOWTO will show how to generate each of them.

2. To generate an RSA key

An RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy; all you have to do is
the following:

  openssl genrsa -aes256 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password. If you
don't want your key to be protected by a password, remove the flag '-aes256'
from the command line above.

The number 2048 is the size of the key, in bits. Today, 2048 or higher is
recommended for RSA keys, as smaller key sizes are considered insecure.

3. To generate an EC key

An EC key can be used for either key agreement (ECDH), signing (ECDSA) or
key encapsulation (KEM) purposes. (A key should only be used for one of
these purposes.)

An EC key can be generated by specifying a curve name such as P-256 using:

  openssl genpkey -algorithm EC -pkeyopt group:P-256 -aes256 -out private.key

With this variant, you will be prompted for a password to protect your key.
If you don't want your key to be protected by a password, remove the flag
'-aes256' from the command line above.

Each curve name is associated with a group of fixed parameters. Curve names
containing numbers lower than 256 are no longer considered secure. The NIST
P-256 curve name (which is an alias for prime256v1) stands for
'X9.62/SECG curve over a 256-bit prime field'.

4. To generate an X25519 or X448 key for key agreement

X25519, X448, Ed25519 and Ed448 are treated as distinct algorithms and not
as one of the EC curves listed with the 'ecparam -list_curves' option.
Unlike other algorithms, there are separate key types for signing and key
agreement.

You can use the following command to generate an X25519 key:

  openssl genpkey -algorithm X25519 -out xkey.pem

5. To generate an Ed25519 or Ed448 key

An Ed25519 or Ed448 key can be used for signing and verification purposes.

You can use the following command to generate an Ed25519 key:

  openssl genpkey -algorithm Ed25519 -out xkey.pem

6. To generate an ML-DSA key

An ML-DSA key can be used for signing (and verification via the public key)
only.

Generating a key for the ML-DSA algorithm is a one-step process:

  openssl genpkey -algorithm ML-DSA-44 -out key.pem
  openssl genpkey -algorithm ML-DSA-65 -out key.pem
  openssl genpkey -algorithm ML-DSA-87 -out key.pem

See L for more detail.

7. To generate an ML-KEM key

An ML-KEM key can be used for decapsulation (and encapsulation via the
public key) only.

Generating a key for the ML-KEM algorithm is a one-step process:

  openssl genpkey -algorithm ML-KEM-512 -out key.pem
  openssl genpkey -algorithm ML-KEM-768 -out key.pem
  openssl genpkey -algorithm ML-KEM-1024 -out key.pem

See L for more detail.

8. NOTE

If you intend to use the key together with a server certificate, it may be
reasonable to avoid protecting it with a password, since otherwise someone
would have to type in the password every time the server needs to access
the key.

To generate keys using C code, refer to the demos located in
https://github.com/openssl/openssl/blob/master/demos/pkey.
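Putting sections 2, 3 and 8 together, the following script (an added example, not part of this HOWTO or of the OpenSSL project) generates an unencrypted RSA-2048 key and a P-256 EC key, checks the key size OpenSSL reports, extracts the public half from each private key file as the introduction says is possible, and confirms that a signature made with the private key verifies with that public key while a tampered message is rejected. The file names and sample message are constructed; it needs the openssl command on PATH.

```shell
#!/bin/sh
# Added example (not from the HOWTO): exercise the key generation commands
# of sections 2 and 3 without a password (see section 8) and check the result.
set -eu

WORK=$(mktemp -d)                 # throw-away scratch directory (constructed)
trap 'rm -rf "$WORK"' EXIT

# gen_key ALGO OUTFILE: generate an unencrypted private key.
#   rsa -> 2048-bit RSA via genrsa (section 2 without -aes256)
#   ec  -> NIST P-256 via genpkey (section 3 without -aes256; ec_paramgen_curve
#          takes the same curve names as the HOWTO's group option)
gen_key() {
    case "$1" in
        rsa) openssl genrsa -out "$2" 2048 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$2" ;;
        *)   echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# key_bits KEYFILE: print the key size OpenSSL reports, e.g. 2048 or 256.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# extract_pub KEYFILE PUBFILE: the private key file carries the public key,
# so the public half is derived from it rather than generated separately.
extract_pub() { openssl pkey -in "$1" -pubout -out "$2"; }

# sign_file KEYFILE MSGFILE SIGFILE: SHA-256 signature with the private key.
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# verify_file PUBFILE MSGFILE SIGFILE: exit status 0 only if the signature
# over MSGFILE is valid under PUBFILE.
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }
printf 'constructed sample message\n' > "$WORK/msg.txt"
printf 'tampered sample message\n'    > "$WORK/other.txt"

for algo in rsa ec; do
    gen_key "$algo" "$WORK/$algo.pem"
    extract_pub "$WORK/$algo.pem" "$WORK/$algo.pub"
    sign_file "$WORK/$algo.pem" "$WORK/msg.txt" "$WORK/$algo.sig"
    if verify_file "$WORK/$algo.pub" "$WORK/msg.txt" "$WORK/$algo.sig"; then
        echo "$algo: $(key_bits "$WORK/$algo.pem")-bit key, signature verifies"
    fi
    if verify_file "$WORK/$algo.pub" "$WORK/other.txt" "$WORK/$algo.sig"; then
        echo "$algo: BUG, tampered message accepted"
    else
        echo "$algo: tampered message rejected"
    fi
done
```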