OPENSSL(1)                          OpenSSL                         OPENSSL(1)

NAME

       openssl - OpenSSL command line tool

SYNOPSIS

       openssl command [ command_opts ] [ command_args ]

       openssl list [ standard-commands | digest-commands | cipher-commands |
       cipher-algorithms | digest-algorithms | public-key-algorithms]

       openssl no-XXX [ arbitrary options ]

DESCRIPTION

       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line tool for using the various
       cryptography functions of OpenSSL's crypto library from the shell.  It
       can be used for

        o  Creation and management of private keys, public keys and parameters
        o  Public key cryptographic operations
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
        o  Time Stamp requests, generation and verification

COMMAND SUMMARY

       The openssl program provides a rich variety of commands (command in the
       SYNOPSIS above), each of which often has a wealth of options and
       arguments (command_opts and command_args in the SYNOPSIS).

       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file.  The
       environment variable OPENSSL_CONF can be used to specify the location
       of the file.  If the environment variable is not specified, then the
       file is named openssl.cnf in the default certificate storage area,
       whose value depends on the configuration flags specified when
       OpenSSL was built.

       The list parameters standard-commands, digest-commands, and
       cipher-commands output a list (one entry per line) of the names of all
       standard commands, message digest commands, or cipher commands,
       respectively, that are available in the present openssl utility.

       The list parameters cipher-algorithms and digest-algorithms list all
       cipher and message digest names, one entry per line. Aliases are listed
       as:

        from => to

       The list parameter public-key-algorithms lists all supported public key
       algorithms.

       The command no-XXX tests whether a command of the specified name is
       available.  If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX.  In both cases,
       the output goes to stdout and nothing is printed to stderr.  Additional
       command line arguments are always ignored.  Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)

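       As an added illustration of the no-XXX check (not part of the OpenSSL
       manual), the shell functions below report which older algorithms from
       the command lists on this page are compiled into the local openssl
       binary. The function names and the choice of algorithms to flag are
       assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a local openssl build with the no-XXX pseudo-command.

# openssl_has NAME: exit 0 if a command called NAME exists in this build.
# "openssl no-NAME" exits 0 and prints "no-NAME" when NAME is absent, and
# exits 1 and prints "NAME" when it is present. Requiring both the non-zero
# status and the echoed name means a missing openssl binary reads as "absent".
openssl_has() {
    if out=$(openssl "no-$1" 2>/dev/null); then
        return 1
    fi
    [ "$out" = "$1" ]
}

# Names come from the digest and cipher command lists on this page; treating
# them as "legacy" is this example's assumption, not the manual's.
LEGACY="md2 md4 md5 mdc2 rc2 rc4 rc5 des des-ecb idea bf cast"

# legacy_enabled [LIST]: print the names from LIST (default: $LEGACY) that
# are available as commands, space separated on one line.
legacy_enabled() {
    found=""
    for name in ${1:-$LEGACY}; do
        if openssl_has "$name"; then
            found="${found:+$found }$name"
        fi
    done
    printf '%s\n' "$found"
}

# Typical use in a build or hardening check:
#   enabled=$(legacy_enabled)
#   [ -z "$enabled" ] || echo "legacy algorithms available: $enabled" >&2
```

       As the paragraph above notes, pseudo-commands such as quit and list
       cannot be probed this way.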
   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) utility.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest Calculation.

       dh  Diffie-Hellman Parameter Management.  Obsoleted by dhparam(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by genpkey(1) and pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by genpkey(1)
           and pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encoding with Ciphers.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       gendh
           Generation of Diffie-Hellman Parameters.  Obsoleted by dhparam(1).

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           genpkey(1) and pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by genpkey(1).

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol utility.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion tool.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation utility.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA utility for signing, verification, encryption, and decryption.
           Superseded by pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS. It's
           intended for testing purposes only and provides only rudimentary
           interface functionality, but internally uses almost all of the
           functionality of the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS. It's intended for testing
           purposes only and provides only rudimentary interface functionality,
           but internally uses almost all of the functionality of the OpenSSL
           ssl library.  It provides both its own command-line-oriented
           protocol for testing SSL functions and a simple HTTP response
           facility to emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating utility.

       srp Maintain SRP password file.

       storeutl
           Utility to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority tool (client/server).

       verify
           X.509 Certificate Verification.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest

   Encoding and Cipher Commands
       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb,
       des-ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

OPTIONS

       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options.

   Pass Phrase Options
       Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively. These allow the
       password to be obtained from a variety of sources. Both of these
       options take a single argument whose format is described below. If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       Note that character encoding may be relevant; please see
       passphrase-encoding(7).

       pass:password
           The actual password is password. Since the password is visible to
           utilities (like 'ps' under Unix) this form should only be used
           where security is not important.

       env:var
           Obtain the password from the environment variable var. Since the
           environment of other processes is visible on certain platforms
           (e.g. ps under certain Unix OSes) this option should be used with
           caution.

       file:pathname
           The first line of pathname is the password. If the same pathname
           argument is supplied to -passin and -passout arguments then the
           first line will be used for the input password and the next line
           for the output password. pathname need not refer to a regular file:
           it could for example refer to a device or named pipe.

       fd:number
           Read the password from the file descriptor number. This can be used
           to send the data via a pipe for example.

       stdin
           Read the password from standard input.

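       An added example, not part of the OpenSSL manual: generating and
       re-encrypting a private key with pass phrases supplied through the fd:
       and file: sources instead of pass:. The function names, file names and
       pass phrases are constructed for illustration.

```shell
#!/bin/sh
# Added example: pass phrase sources that keep the secret out of argv and the
# environment. Function names here are hypothetical.

# new_key OUT PASS: EC key in OUT, encrypted under PASS supplied on fd 3.
# The form to avoid is "-pass pass:$2", which the page notes is visible to ps.
new_key() {
    ( umask 077   # key file readable by the owner only
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
          -aes-256-cbc -pass fd:3 -out "$1" 2>/dev/null 3<<EOF
$2
EOF
    )
}

# opens_with KEY PASS: exit 0 only if PASS decrypts KEY.
opens_with() {
    openssl pkey -in "$1" -passin fd:3 -noout 2>/dev/null 3<<EOF
$2
EOF
}

# rotate_pass IN OUT PWFILE: re-encrypt IN into OUT. PWFILE is given to both
# -passin and -passout, so line 1 is the old pass phrase and line 2 the new.
rotate_pass() {
    ( umask 077
      openssl pkey -in "$1" -passin "file:$3" -aes-256-cbc \
          -passout "file:$3" -out "$2" 2>/dev/null )
}

# demo: constructed pass phrases in a throwaway directory; prints "ok" when
# the rotated key opens with the new pass phrase and rejects the old one.
demo() {
    d=$(mktemp -d) || return 1
    # printf is a shell builtin, so the phrases never appear in a process argv.
    ( umask 077
      printf '%s\n' 'old-constructed-phrase' 'new-constructed-phrase' >"$d/pw" )
    new_key "$d/k1.pem" 'old-constructed-phrase' &&
    rotate_pass "$d/k1.pem" "$d/k2.pem" "$d/pw" &&
    opens_with "$d/k2.pem" 'new-constructed-phrase' &&
    ! opens_with "$d/k2.pem" 'old-constructed-phrase'
    rc=$?
    rm -rf "$d"
    [ "$rc" -eq 0 ] && echo ok
}
```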

SEE ALSO

       asn1parse(1), ca(1), ciphers(1), cms(1), config(5), crl(1),
       crl2pkcs7(1), dgst(1), dhparam(1), dsa(1), dsaparam(1), ec(1),
       ecparam(1), enc(1), engine(1), errstr(1), gendsa(1), genpkey(1),
       genrsa(1), nseq(1), ocsp(1), pkcs12(1), pkcs7(1), pkcs8(1), pkey(1),
       pkeyparam(1), pkeyutl(1), prime(1), rehash(1), req(1), rsa(1),
       rsautl(1), s_client(1), s_server(1), s_time(1), sess_id(1), smime(1),
       speed(1), spkac(1), srp(1), storeutl(1), sslpasswd(1), sslrand(1),
       ts(1), verify(1), version(1), x509(1), crypto(7), ssl(7),
       x509v3_config(5)

HISTORY

       The list-XXX-algorithms pseudo-commands were added in OpenSSL 1.0.0.
       For notes on the availability of other commands, see their individual
       manual pages.

COPYRIGHT

       Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

1.1.1                             2019-05-11                        OPENSSL(1)