OPENSSL(1ossl)                      OpenSSL                     OPENSSL(1ossl)

NAME
       openssl - OpenSSL command line program

SYNOPSIS
       openssl command [ options ... ] [ parameters ... ]

       openssl no-XXX [ options ]

DESCRIPTION
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line program for using the various
       cryptography functions of OpenSSL's crypto library from the shell.  It
       can be used for

        o  Creation and management of private keys, public keys and parameters
        o  Public key cryptographic operations
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests and Message Authentication Codes
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
        o  Timestamp requests, generation and verification

COMMAND SUMMARY
       The openssl program provides a rich variety of commands (command in the
       "SYNOPSIS" above).  Each command can have many options and argument
       parameters, shown above as options and parameters.

       Detailed documentation and use cases for most standard subcommands are
       available (e.g., openssl-x509(1)). The subcommand openssl-list(1) may
       be used to list subcommands.

       The command no-XXX tests whether a command of the specified name is
       available.  If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX.  In both cases,
       the output goes to stdout and nothing is printed to stderr.  Additional
       command line arguments are always ignored.  Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)

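       The following is an added example (not part of the OpenSSL manual or
       the project's own code) that wraps the no-XXX probe so a script can
       refuse to run against a build that lacks a cipher or digest it needs.
       It assumes an openssl binary on PATH; the command names are those
       listed in this page.

```shell
#!/bin/sh
# Added example, not from the OpenSSL man page: wrap the no-XXX probe so a
# script can check, before doing any work, that the openssl build on PATH
# provides the ciphers and digests it relies on.  Assumes "openssl" is on PATH.

# openssl_has NAME: return 0 if "openssl NAME" exists, 1 if it does not.
# "openssl no-NAME" exits 0 (and prints no-NAME) when the command is
# MISSING and exits 1 (and prints NAME) when it is present, so the shell
# sense of its exit status has to be inverted.  The probe cannot see
# pseudo-commands such as list, quit or no-XXX itself, so never use it
# for those.
openssl_has() {
    if openssl "no-$1" >/dev/null 2>&1; then
        return 1    # openssl said no-NAME: absent (or disabled at build time)
    fi
    return 0        # openssl said NAME: present
}

# missing_commands NAME...: print the NAMEs that are absent, one per line,
# and return 0 only when every NAME is present.
missing_commands() {
    rc=0
    for name in "$@"; do
        if ! openssl_has "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# require_commands NAME...: return 0 when every NAME is available, otherwise
# report the missing ones on stderr and return 2 so a caller can abort.
require_commands() {
    missing=$(missing_commands "$@") && return 0
    printf 'openssl on PATH lacks: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
    return 2
}

# Demo: guard a script that needs AES-256-CBC, SHA-256 and ChaCha20 (all
# listed in the man page, but the page notes that a build may omit ciphers).
if command -v openssl >/dev/null 2>&1; then
    if require_commands aes-256-cbc sha256 chacha20; then
        echo "required ciphers and digests are available"
    fi
    # Legacy ciphers such as IDEA or RC5 are often compiled out; report only.
    missing_commands idea-cbc rc5-cbc || echo "(legacy ciphers above are not built in)"
fi
```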
   Configuration Option
       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file.  The
       default name of the file is openssl.cnf in the default certificate
       storage area, which can be determined from the openssl-version(1)
       command using the -d or -a option.  The environment variable
       OPENSSL_CONF can be used to specify a different file location or to
       disable loading a configuration (using the empty string).

       Among others, the configuration file can be used to load modules and to
       specify parameters for generating certificates and random numbers.  See
       config(5) for details.

   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) command.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest calculation. MAC calculations are superseded by
           openssl-mac(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by openssl-genpkey(1) and openssl-pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by
           openssl-genpkey(1) and openssl-pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encryption, decryption, and encoding.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           openssl-genpkey(1) and openssl-pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by openssl-genpkey(1).

       help
           Display information about a command's options.

       info
           Display diverse information built into the OpenSSL libraries.

       kdf Key Derivation Functions.

       list
           List algorithms and features.

       mac Message Authentication Code Calculation.

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol command.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion command.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation command.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA command for signing, verification, encryption, and decryption.
           Superseded by openssl-pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS. It's
           intended for testing purposes only and provides only rudimentary
           interface functionality but internally uses mostly all
           functionality of the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS. It's intended for testing
           purposes only and provides only rudimentary interface functionality
           but internally uses mostly all functionality of the OpenSSL ssl
           library.  It provides both its own command line oriented protocol
           for testing SSL functions and a simple HTTP response facility to
           emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating command.

       srp Maintain SRP password file. This command is deprecated.

       storeutl
           Command to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority command.

       verify
           X.509 Certificate Verification.  See also the
           openssl-verification-options(1) manual page.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest

   Encryption, Decryption, and Encoding Commands
       The following aliases provide convenient access to the most used
       encodings and ciphers.

       Depending on how OpenSSL was configured and built, not all ciphers
       listed here may be present. See openssl-enc(1) for more information.

       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
           AES-128 Cipher

       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
           AES-192 Cipher

       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
           AES-256 Cipher

       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
       aria-128-ofb
           Aria-128 Cipher

       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
       aria-192-ofb
           Aria-192 Cipher

       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
       aria-256-ofb
           Aria-256 Cipher

       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
       camellia-128-ecb, camellia-128-ofb
           Camellia-128 Cipher

       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
       camellia-192-ecb, camellia-192-ofb
           Camellia-192 Cipher

       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
       camellia-256-ecb, camellia-256-ofb
           Camellia-256 Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       chacha20
           Chacha20 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb,
       des-ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
           SEED Cipher

       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
           SM4 Cipher

OPTIONS
       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options.  If an option takes an
           argument, the "type" of argument is also given.

       --  This terminates the list of options. It is mostly useful if any
           filename parameters start with a minus sign:

            openssl verify [flags...] -- -cert1.pem...

   Format Options
       See the openssl-format-options(1) manual page.

   Pass Phrase Options
       See the openssl-passphrase-options(1) manual page.

   Random State Options
       Prior to OpenSSL 1.1.1, it was common for applications to store
       information about the state of the random-number generator in a file
       that was loaded at startup and rewritten upon exit. On modern operating
       systems, this is generally no longer necessary as OpenSSL will seed
       itself from a trusted entropy source provided by the operating system.
       These flags are still supported for special platforms or circumstances
       that might require them.

       It is generally an error to use the same seed file more than once and
       every use of -rand should be paired with -writerand.

       -rand files
           A file or files containing random data used to seed the random
           number generator.  Multiple files can be specified separated by an
           OS-dependent character.  The separator is ";" for MS-Windows, ","
           for OpenVMS, and ":" for all others. Another way to specify
           multiple files is to repeat this flag with different filenames.

       -writerand file
           Writes the seed data to the specified file upon exit.  This file
           can be used in a subsequent command invocation.

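       An added example (not part of the OpenSSL manual or the project's own
       code) of the pairing the text asks for: every -rand read of a seed
       file is matched by a -writerand that rewrites it, with a check that
       the rewrite actually took place.  It assumes an openssl binary on
       PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the OpenSSL man page: manage an RNG seed file the
# way the "Random State Options" text asks, pairing every -rand with
# -writerand so the file is rewritten on each use and never replayed as-is.
# Assumes "openssl" is on PATH and mktemp is available.

# seed_init FILE: create FILE with fresh seed material; -writerand alone is
# enough because the generator seeds itself from the OS entropy source.
seed_init() {
    openssl rand -writerand "$1" -hex 1 >/dev/null
}

# seed_checksum FILE: print the SHA-256 of FILE (nothing if FILE is absent).
seed_checksum() {
    if [ -f "$1" ]; then
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# rand_with_seed FILE NBYTES: print NBYTES random bytes as hex, seeding the
# generator from FILE and rewriting FILE with new seed data on exit.  The
# same file is given to both options, which is the pairing the page wants.
rand_with_seed() {
    openssl rand -rand "$1" -writerand "$1" -hex "$2"
}

# seed_rotates FILE: return 0 only if one rand_with_seed call leaves FILE
# present and changed, i.e. the -writerand half of the pair took effect.
# A seed file whose content survives a use is the "same seed file more than
# once" situation the page warns about.
seed_rotates() {
    before=$(seed_checksum "$1")
    rand_with_seed "$1" 16 >/dev/null || return 1
    after=$(seed_checksum "$1")
    [ -n "$after" ] && [ "$before" != "$after" ]
}

# Demo, run only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    f=$(mktemp)
    seed_init "$f"
    rand_with_seed "$f" 16                 # 32 hex characters
    if seed_rotates "$f"; then
        echo "seed file rewritten after use: ok"
    else
        echo "seed file NOT rewritten: -rand without an effective -writerand" >&2
    fi
    rm -f "$f"
fi
```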
   Certificate Verification Options
       See the openssl-verification-options(1) manual page.

   Name Format Options
       See the openssl-namedisplay-options(1) manual page.

   TLS Version Options
       Several commands use SSL, TLS, or DTLS. By default, the commands use
       TLS and clients will offer the lowest and highest protocol version they
       support, and servers will pick the highest version that the client
       offers that is also supported by the server.

       The options below can be used to limit which protocol versions are
       used, and whether TCP (SSL and TLS) or UDP (DTLS) is used.  Note that
       not all protocols and flags may be available, depending on how OpenSSL
       was built.

       -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1,
       -no_tls1_1, -no_tls1_2, -no_tls1_3
           These options require or disable the use of the specified SSL or
           TLS protocols.  When a specific TLS version is required, only that
           version will be offered or accepted.  Only one specific protocol
           can be given and it cannot be combined with any of the no_* options.
           The no_* options do not work with the s_time and ciphers commands
           but do work with the s_client and s_server commands.

       -dtls, -dtls1, -dtls1_2
           These options specify to use DTLS instead of TLS.  With -dtls,
           clients will negotiate any supported DTLS protocol version.  Use
           the -dtls1 or -dtls1_2 options to support only DTLS1.0 or DTLS1.2,
           respectively.

   Engine Options
       -engine id
           Load the engine identified by id and use all the methods it
           implements (algorithms, key storage, etc.), unless specified
           otherwise in the command-specific documentation or it is configured
           to do so, as described in "Engine Configuration" in config(5).

           The engine will be used for key ids specified with -key and similar
           options when an option like -keyform engine is given.

           A special case is the "loader_attic" engine, which is meant just
           for internal OpenSSL testing purposes and supports loading keys,
           parameters, certificates, and CRLs from files.  When this engine is
           used, files with such credentials are read via this engine.  Using
           the "file:" schema is optional; a plain file (path) name will do.

       Options specifying keys, like -key and similar, can use the generic
       OpenSSL engine key loading URI scheme "org.openssl.engine:" to retrieve
       private keys and public keys.  The URI syntax is as follows, in
       simplified form:

           org.openssl.engine:{engineid}:{keyid}

       Where "{engineid}" is the identity/name of the engine, and "{keyid}" is
       a key identifier that's acceptable by that engine.  For example, when
       using an engine that interfaces against a PKCS#11 implementation, the
       generic key URI would be something like this (this happens to be an
       example for the PKCS#11 engine that's part of OpenSC):

           -key org.openssl.engine:pkcs11:label_some-private-key

       As a third possibility, for engines and providers that have implemented
       their own OSSL_STORE_LOADER(3), "org.openssl.engine:" should not be
       necessary.  For a PKCS#11 implementation that has implemented such a
       loader, the PKCS#11 URI as defined in RFC 7512 should be possible to
       use directly:

           -key pkcs11:object=some-private-key;pin-value=1234

   Provider Options
       -provider name
           Load and initialize the provider identified by name. The name can
           also be a path to the provider module. In that case the provider
           name will be the specified path and not just the provider module
           name.  Interpretation of relative paths is platform specific. The
           configured "MODULESDIR" path, OPENSSL_MODULES environment variable,
           or the path specified by -provider-path is prepended to relative
           paths.  See provider(7) for a more detailed description.

       -provider-path path
           Specifies the search path that is to be used for looking for
           providers.  Equivalently, the OPENSSL_MODULES environment variable
           may be set.

       -propquery propq
           Specifies the property query clause to be used when fetching
           algorithms from the loaded providers.  See property(7) for a more
           detailed description.

ENVIRONMENT
       The OpenSSL library can take some configuration parameters from the
       environment.  Some of these variables are listed below.  For
       information about specific commands, see openssl-engine(1),
       openssl-rehash(1), and tsget(1).

       For information about the use of environment variables in
       configuration, see "ENVIRONMENT" in config(5).

       For information about querying or specifying CPU architecture flags,
       see OPENSSL_ia32cap(3), and OPENSSL_s390xcap(3).

       For information about all environment variables used by the OpenSSL
       libraries, see openssl-env(7).

       OPENSSL_TRACE=name[,...]
           Enable tracing output of the OpenSSL library, by name.  This output
           will only make sense if you know OpenSSL internals well.  Also, it
           might not give you any output at all if OpenSSL was built without
           tracing support.

           The value is a comma separated list of names, with the following
           available:

           TRACE
               Traces the OpenSSL trace API itself.

           INIT
               Traces OpenSSL library initialization and cleanup.

           TLS Traces the TLS/SSL protocol.

           TLS_CIPHER
               Traces the ciphers used by the TLS/SSL protocol.

           CONF
               Show details about provider and engine configuration.

           ENGINE_TABLE
               The function that is used by RSA, DSA (etc) code to select
               registered ENGINEs, cache defaults and functional references
               (etc), will generate debugging summaries.

           ENGINE_REF_COUNT
               Reference counts in the ENGINE structure will be monitored with
               a line of output generated for each change.

           PKCS5V2
               Traces PKCS#5 v2 key generation.

           PKCS12_KEYGEN
               Traces PKCS#12 key generation.

           PKCS12_DECRYPT
               Traces PKCS#12 decryption.

           X509V3_POLICY
               Generates the complete policy tree at various points during
               X.509 v3 policy evaluation.

           BN_CTX
               Traces BIGNUM context operations.

           CMP Traces CMP client and server activity.

           STORE
               Traces STORE operations.

           DECODER
               Traces decoder operations.

           ENCODER
               Traces encoder operations.

           REF_COUNT
               Traces decrementing certain ASN.1 structure references.

           HTTP
               HTTP client diagnostics.

SEE ALSO
       openssl-asn1parse(1), openssl-ca(1), openssl-ciphers(1),
       openssl-cms(1), openssl-crl(1), openssl-crl2pkcs7(1), openssl-dgst(1),
       openssl-dhparam(1), openssl-dsa(1), openssl-dsaparam(1), openssl-ec(1),
       openssl-ecparam(1), openssl-enc(1), openssl-engine(1),
       openssl-errstr(1), openssl-gendsa(1), openssl-genpkey(1),
       openssl-genrsa(1), openssl-kdf(1), openssl-list(1), openssl-mac(1),
       openssl-nseq(1), openssl-ocsp(1), openssl-passwd(1), openssl-pkcs12(1),
       openssl-pkcs7(1), openssl-pkcs8(1), openssl-pkey(1),
       openssl-pkeyparam(1), openssl-pkeyutl(1), openssl-prime(1),
       openssl-rand(1), openssl-rehash(1), openssl-req(1), openssl-rsa(1),
       openssl-rsautl(1), openssl-s_client(1), openssl-s_server(1),
       openssl-s_time(1), openssl-sess_id(1), openssl-smime(1),
       openssl-speed(1), openssl-spkac(1), openssl-srp(1),
       openssl-storeutl(1), openssl-ts(1), openssl-verify(1),
       openssl-version(1), openssl-x509(1), config(5), crypto(7),
       openssl-env(7), ssl(7), x509v3_config(5)

HISTORY
       The list -XXX-algorithms options were added in OpenSSL 1.0.0; for notes
       on the availability of other commands, see their individual manual
       pages.

       The -issuer_checks option is deprecated as of OpenSSL 1.1.0 and is
       silently ignored.

       The -xcertform and -xkeyform options are obsolete since OpenSSL 3.0 and
       have no effect.

       The interactive mode, which could be invoked by running "openssl" with
       no further arguments, was removed in OpenSSL 3.0, and running that
       program with no arguments is now equivalent to "openssl help".

COPYRIGHT
       Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.



3.1.1                             2023-08-31                    OPENSSL(1ossl)