6
openssl - OpenSSL command line tool
15
B<openssl> [ B<list-standard-commands> | B<list-message-digest-commands> | B<list-cipher-commands> | B<list-cipher-algorithms> | B<list-message-digest-algorithms> | B<list-public-key-algorithms>]
17
B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
21
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
22
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
23
cryptography standards required by them.
25
The B<openssl> program is a command line tool for using the various
26
cryptography functions of OpenSSL's B<crypto> library from the shell.
29
o Creation and management of private keys, public keys and parameters
30
o Public key cryptographic operations
31
o Creation of X.509 certificates, CSRs and CRLs
32
o Calculation of Message Digests
33
o Encryption and Decryption with Ciphers
34
o SSL/TLS Client and Server Tests
35
o Handling of S/MIME signed or encrypted mail
36
o Time Stamp requests, generation and verification
38
=head1 COMMAND SUMMARY
40
The B<openssl> program provides a rich variety of commands (I<command> in the
41
SYNOPSIS above), each of which often has a wealth of options and arguments
42
(I<command_opts> and I<command_args> in the SYNOPSIS).
44
The pseudo-commands B<list-standard-commands>, B<list-message-digest-commands>,
45
and B<list-cipher-commands> output a list (one entry per line) of the names
46
of all standard commands, message digest commands, or cipher commands,
47
respectively, that are available in the present B<openssl> utility.
49
The pseudo-commands B<list-cipher-algorithms> and
50
B<list-message-digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
54
The pseudo-command B<list-public-key-algorithms> lists all supported public
57
The pseudo-command B<no->I<XXX> tests whether a command of the
58
specified name is available. If no command named I<XXX> exists, it
59
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
60
and prints I<XXX>. In both cases, the output goes to B<stdout> and
61
nothing is printed to B<stderr>. Additional command line arguments
62
are always ignored. Since for each cipher there is a command of the
63
same name, this provides an easy way for shell scripts to test for the
64
availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
65
not able to detect pseudo-commands such as B<quit>,
66
B<list->I<...>B<-commands>, or B<no->I<XXX> itself.)
68
=head2 STANDARD COMMANDS
72
=item L<B<asn1parse>|asn1parse(1)>
74
Parse an ASN.1 sequence.
78
Certificate Authority (CA) Management.
80
=item L<B<ciphers>|ciphers(1)>
82
Cipher Suite Description Determination.
84
=item L<B<cms>|cms(1)>
86
CMS (Cryptographic Message Syntax) utility
88
=item L<B<crl>|crl(1)>
90
Certificate Revocation List (CRL) Management.
92
=item L<B<crl2pkcs7>|crl2pkcs7(1)>
94
CRL to PKCS#7 Conversion.
96
=item L<B<dgst>|dgst(1)>
98
Message Digest Calculation.
102
Diffie-Hellman Parameter Management.
103
Obsoleted by L<B<dhparam>|dhparam(1)>.
105
=item L<B<dhparam>|dhparam(1)>
107
Generation and Management of Diffie-Hellman Parameters. Superseded by
108
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
111
=item L<B<dsa>|dsa(1)>
115
=item L<B<dsaparam>|dsaparam(1)>
117
DSA Parameter Generation and Management. Superseded by
118
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
122
EC (Elliptic curve) key processing
124
=item L<B<ecparam>|ecparam(1)>
126
EC parameter manipulation and generation
128
=item L<B<enc>|enc(1)>
130
Encoding with Ciphers.
132
=item L<B<engine>|engine(1)>
134
Engine (loadble module) information and manipulation.
136
=item L<B<errstr>|errstr(1)>
138
Error Number to Error String Conversion.
142
Generation of Diffie-Hellman Parameters.
143
Obsoleted by L<B<dhparam>|dhparam(1)>.
145
=item L<B<gendsa>|gendsa(1)>
147
Generation of DSA Private Key from Parameters. Superseded by
148
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
150
=item L<B<genpkey>|genpkey(1)>
152
Generation of Private Key or Parameters.
154
=item L<B<genrsa>|genrsa(1)>
156
Generation of RSA Private Key. Superceded by L<B<genpkey>|genpkey(1)>.
158
=item L<B<nseq>|nseq(1)>
160
Create or examine a netscape certificate sequence
162
=item L<B<ocsp>|ocsp(1)>
164
Online Certificate Status Protocol utility.
166
=item L<B<passwd>|passwd(1)>
168
Generation of hashed passwords.
170
=item L<B<pkcs12>|pkcs12(1)>
172
PKCS#12 Data Management.
174
=item L<B<pkcs7>|pkcs7(1)>
176
PKCS#7 Data Management.
178
=item L<B<pkey>|pkey(1)>
180
Public and private key management.
182
=item L<B<pkeyparam>|pkeyparam(1)>
184
Public key algorithm parameter management.
186
=item L<B<pkeyutl>|pkeyutl(1)>
188
Public key algorithm cryptographic operation utility.
190
=item L<B<rand>|rand(1)>
192
Generate pseudo-random bytes.
194
=item L<B<req>|req(1)>
196
PKCS#10 X.509 Certificate Signing Request (CSR) Management.
198
=item L<B<rsa>|rsa(1)>
203
=item L<B<rsautl>|rsautl(1)>
205
RSA utility for signing, verification, encryption, and decryption. Superseded
206
by L<B<pkeyutl>|pkeyutl(1)>
208
=item L<B<s_client>|s_client(1)>
210
This implements a generic SSL/TLS client which can establish a transparent
211
connection to a remote server speaking SSL/TLS. It's intended for testing
212
purposes only and provides only rudimentary interface functionality but
213
internally uses mostly all functionality of the OpenSSL B<ssl> library.
215
=item L<B<s_server>|s_server(1)>
217
This implements a generic SSL/TLS server which accepts connections from remote
218
clients speaking SSL/TLS. It's intended for testing purposes only and provides
219
only rudimentary interface functionality but internally uses mostly all
220
functionality of the OpenSSL B<ssl> library. It provides both an own command
221
line oriented protocol for testing SSL functions and a simple HTTP response
222
facility to emulate an SSL/TLS-aware webserver.
224
=item L<B<s_time>|s_time(1)>
226
SSL Connection Timer.
228
=item L<B<sess_id>|sess_id(1)>
230
SSL Session Data Management.
232
=item L<B<smime>|smime(1)>
234
S/MIME mail processing.
236
=item L<B<speed>|speed(1)>
238
Algorithm Speed Measurement.
240
=item L<B<spkac>|spkac(1)>
242
SPKAC printing and generating utility
246
Time Stamping Authority tool (client/server)
248
=item L<B<verify>|verify(1)>
250
X.509 Certificate Verification.
252
=item L<B<version>|version(1)>
254
OpenSSL Version Information.
256
=item L<B<x509>|x509(1)>
258
X.509 Certificate Data Management.
262
=head2 MESSAGE DIGEST COMMANDS
308
=head2 ENCODING AND CIPHER COMMANDS
316
=item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
320
=item B<cast cast-cbc>
324
=item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
328
=item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
332
=item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
336
=item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
340
=item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
348
=item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
354
=head1 PASS PHRASE ARGUMENTS
356
Several commands accept password arguments, typically using B<-passin>
357
and B<-passout> for input and output passwords respectively. These allow
358
the password to be obtained from a variety of sources. Both of these
359
options take a single argument whose format is described below. If no
360
password argument is given and a password is required then the user is
361
prompted to enter one: this will typically be read from the current
362
terminal with echoing turned off.
366
=item B<pass:password>
368
the actual password is B<password>. Since the password is visible
369
to utilities (like 'ps' under Unix) this form should only be used
370
where security is not important.
374
obtain the password from the environment variable B<var>. Since
375
the environment of other processes is visible on certain platforms
376
(e.g. ps under certain Unix OSes) this option should be used with caution.
378
=item B<file:pathname>
380
the first line of B<pathname> is the password. If the same B<pathname>
381
argument is supplied to B<-passin> and B<-passout> arguments then the first
382
line will be used for the input password and the next line for the output
383
password. B<pathname> need not refer to a regular file: it could for example
384
refer to a device or named pipe.
388
read the password from the file descriptor B<number>. This can be used to
389
send the data via a pipe for example.
393
read the password from standard input.
399
L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
400
L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
401
L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
402
L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
403
L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
404
L<passwd(1)|passwd(1)>,
405
L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
406
L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
407
L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
408
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
409
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
410
L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
411
L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
415
The openssl(1) document appeared in OpenSSL 0.9.2.
416
The B<list->I<XXX>B<-commands> pseudo-commands were added in OpenSSL 0.9.3;
417
The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
418
the B<no->I<XXX> pseudo-commands were added in OpenSSL 0.9.5a.
419
For notes on the availability of other commands, see their individual