Openssl ECDSA : private key passphrase

It would seem that ecparam doesn't have a built-in option for encrypting the generated key. Instead, you can simply do the following:

openssl ec -in myprivatekey.pem -out myprivatekey_encrypted.pem -aes256

Compared to genrsa, an extra step is required, but this basically does the same thing.

Now as far as the certificate request, the command is pretty much the same regardless of the type of private key used:

openssl req -new -sha256 -key myprivatekey.pem -out mycertrequest.pem

You can then take the resulting mycertrequest.pem and send it to a CA for signing.


If you have concerns about writing the unencrypted private key to disk, you can do both the generation and encryption of the key in one step like so:

openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -out privatekey.pem

This generates a P-256 key, then prompts you for a passphrase. The key is then encrypted using AES256 and saved into privatekey.pem.