OPENSSL(1)                          OpenSSL                         OPENSSL(1)

NAME

       openssl - OpenSSL command line tool

SYNOPSIS

       openssl command [ command_opts ] [ command_args ]

       openssl list [ standard-commands | digest-commands | cipher-commands |
       cipher-algorithms | digest-algorithms | public-key-algorithms ]

       openssl no-XXX [ arbitrary options ]

DESCRIPTION

       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line tool for using the various
       cryptography functions of OpenSSL's crypto library from the shell.  It
       can be used for

        o  Creation and management of private keys, public keys and parameters
        o  Public key cryptographic operations
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
        o  Time Stamp requests, generation and verification

COMMAND SUMMARY

       The openssl program provides a rich variety of commands (command in the
       SYNOPSIS above), each of which often has a wealth of options and
       arguments (command_opts and command_args in the SYNOPSIS).

       Detailed documentation and use cases for most standard subcommands are
       available (e.g., x509(1) or openssl-x509(1)).

       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file.  The
       environment variable OPENSSL_CONF can be used to specify the location
       of the file.  If the environment variable is not specified, then the
       file is named openssl.cnf in the default certificate storage area,
       whose value depends on the configuration flags specified when OpenSSL
       was built.

       The list parameters standard-commands, digest-commands, and
       cipher-commands output a list (one entry per line) of the names of all
       standard commands, message digest commands, or cipher commands,
       respectively, that are available in the present openssl utility.

       The list parameters cipher-algorithms and digest-algorithms list all
       cipher and message digest names, one entry per line. Aliases are listed
       as:

        from => to

       The list parameter public-key-algorithms lists all supported public key
       algorithms.

       The command no-XXX tests whether a command of the specified name is
       available.  If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX.  In both cases,
       the output goes to stdout and nothing is printed to stderr.  Additional
       command line arguments are always ignored.  Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)

   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) utility.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest Calculation.

       dh  Diffie-Hellman Parameter Management.  Obsoleted by dhparam(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by genpkey(1) and pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by genpkey(1)
           and pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encoding with Ciphers.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       gendh
           Generation of Diffie-Hellman Parameters.  Obsoleted by dhparam(1).

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           genpkey(1) and pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by genpkey(1).

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol utility.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion tool.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation utility.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA utility for signing, verification, encryption, and decryption.
           Superseded by pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS. It's
           intended for testing purposes only and provides only rudimentary
           interface functionality, but internally uses nearly all
           functionality of the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS. It's intended for testing
           purposes only and provides only rudimentary interface functionality,
           but internally uses nearly all functionality of the OpenSSL ssl
           library.  It provides both its own command-line-oriented protocol
           for testing SSL functions and a simple HTTP response facility to
           emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating utility.

       srp Maintain SRP password file.

       storeutl
           Utility to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority tool (client/server).

       verify
           X.509 Certificate Verification.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest

   Encoding and Cipher Commands
       The following aliases provide convenient access to the most used
       encodings and ciphers.

       Depending on how OpenSSL was configured and built, not all ciphers
       listed here may be present. See enc(1) for more information and command
       usage.

       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
           AES-128 Cipher

       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
           AES-192 Cipher

       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
           AES-256 Cipher

       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
       aria-128-ofb
           Aria-128 Cipher

       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
       aria-192-ofb
           Aria-192 Cipher

       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
       aria-256-ofb
           Aria-256 Cipher

       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
       camellia-128-ecb, camellia-128-ofb
           Camellia-128 Cipher

       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
       camellia-192-ecb, camellia-192-ofb
           Camellia-192 Cipher

       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
       camellia-256-ecb, camellia-256-ofb
           Camellia-256 Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       chacha20
           Chacha20 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb,
       des-ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
           SEED Cipher

       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
           SM4 Cipher
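
       Added example (not part of the OpenSSL manual): a shell helper that
       applies the no-XXX contract from COMMAND SUMMARY to the cipher names
       listed above, since not every cipher may be present in a given build.
       OPENSSL_BIN and the function names openssl_has and pick_cipher are
       assumptions of this example.

```shell
#!/bin/sh
# Added example: probe openssl for ciphers using the documented no-XXX contract.
# OPENSSL_BIN is an assumption of this example (lets you point at another build).
OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# openssl_has NAME
#   0 = command NAME exists      (openssl printed "NAME",    exit status 1)
#   1 = command NAME is missing  (openssl printed "no-NAME", exit status 0)
#   2 = neither documented answer (binary missing or unexpected output)
openssl_has() {
    _out=$("$OPENSSL_BIN" "no-$1" 2>/dev/null) && _rc=0 || _rc=$?
    if [ "$_rc" -eq 1 ] && [ "$_out" = "$1" ]; then
        return 0
    elif [ "$_rc" -eq 0 ] && [ "$_out" = "no-$1" ]; then
        return 1
    fi
    return 2
}

# pick_cipher NAME...
#   Print the first available cipher from a preference-ordered list.
#   Returns non-zero when none is available so the caller can fail closed
#   instead of silently falling back to something weaker.
pick_cipher() {
    for _c in "$@"; do
        if openssl_has "$_c"; then
            printf '%s\n' "$_c"
            return 0
        fi
    done
    return 1
}

# Usage: choose among names from the cipher list above, in preference order.
if cipher=$(pick_cipher aes-256-ctr camellia-256-ctr aes-256-cbc); then
    echo "using cipher: $cipher"
else
    echo "no acceptable cipher in this openssl build" >&2
fi
```

       Checking both the exit status and the printed name keeps a missing or
       misbehaving binary from being read as "cipher available".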

OPTIONS

       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options.

   Pass Phrase Options
       Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively. These allow the
       password to be obtained from a variety of sources. Both of these
       options take a single argument whose format is described below. If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       Note that character encoding may be relevant; please see
       passphrase-encoding(7).

       pass:password
           The actual password is password. Since the password is visible to
           utilities (like 'ps' under Unix) this form should only be used
           where security is not important.

       env:var
           Obtain the password from the environment variable var. Since the
           environment of other processes is visible on certain platforms
           (e.g. ps under certain Unix OSes) this option should be used with
           caution.

       file:pathname
           The first line of pathname is the password. If the same pathname
           argument is supplied to -passin and -passout arguments then the
           first line will be used for the input password and the next line
           for the output password. pathname need not refer to a regular file:
           it could for example refer to a device or named pipe.

       fd:number
           Read the password from the file descriptor number. This can be used
           to send the data via a pipe for example.

       stdin
           Read the password from standard input.
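
       Added example (not part of the OpenSSL manual): a shell check that
       classifies -passin/-passout arguments by the five source forms above
       and flags the ones the text warns about. The function names and the
       sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky -passin/-passout sources in openssl command lines.

# classify_pass_source ARG: map one pass phrase argument to the exposure
# described in the Pass Phrase Options section.
classify_pass_source() {
    case "$1" in
        pass:*) echo "argv-exposed" ;;  # literal password, visible to ps
        env:*)  echo "env-caution"  ;;  # environment visible on some platforms
        file:*) echo "file"         ;;  # first line of a pathname
        fd:*)   echo "fd"           ;;  # inherited descriptor or pipe
        stdin)  echo "stdin"        ;;
        *)      echo "unknown"      ;;  # not one of the five documented forms
    esac
}

# audit_pass_args: read command lines on stdin and print LINE:OPTION:CLASS for
# every argv-exposed, env-caution or unknown source. The password text itself
# is never echoed. Returns 1 if anything was flagged, else 0.
# Assumption: naive whitespace splitting, so quoted arguments are not handled.
audit_pass_args() {
    _n=0; _found=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        set -f; set -- $_line; set +f      # split into words without globbing
        while [ $# -gt 1 ]; do
            case "$1" in
                -passin|-passout)
                    _class=$(classify_pass_source "$2")
                    case "$_class" in
                        argv-exposed|env-caution|unknown)
                            printf '%s:%s:%s\n' "$_n" "$1" "$_class"
                            _found=1 ;;
                    esac
                    shift ;;
            esac
            shift
        done
    done
    return "$_found"
}

# Constructed sample input (not from the man page); key.pem is a placeholder.
audit_pass_args <<'EOF' || echo "review the flagged pass phrase sources" >&2
openssl pkcs8 -topk8 -in key.pem -passout pass:CONSTRUCTED-SECRET
openssl rsa -in key.pem -passin env:KEY_PW -passout fd:3
openssl rsa -in key.pem -passin file:/run/keys/pw
EOF
```

       The fd: form keeps the secret out of the argument list and the
       environment, for instance -passin fd:3 with descriptor 3 redirected
       from a protected file or pipe by the calling shell.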

SEE ALSO

       asn1parse(1), ca(1), ciphers(1), cms(1), config(5), crl(1),
       crl2pkcs7(1), dgst(1), dhparam(1), dsa(1), dsaparam(1), ec(1),
       ecparam(1), enc(1), engine(1), errstr(1), gendsa(1), genpkey(1),
       genrsa(1), nseq(1), ocsp(1), pkcs12(1), pkcs7(1), pkcs8(1), pkey(1),
       pkeyparam(1), pkeyutl(1), prime(1), rehash(1), req(1), rsa(1),
       rsautl(1), s_client(1), s_server(1), s_time(1), sess_id(1), smime(1),
       speed(1), spkac(1), srp(1), storeutl(1), sslpasswd(1), sslrand(1),
       ts(1), verify(1), version(1), x509(1), crypto(7), ssl(7),
       x509v3_config(5)

HISTORY

       The list-XXX-algorithms pseudo-commands were added in OpenSSL 1.0.0;
       for notes on the availability of other commands, see their individual
       manual pages.

COPYRIGHT

       Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

1.1.1g                            2020-04-23                        OPENSSL(1)