OPENSSL(1)                          OpenSSL                         OPENSSL(1)

NAME
       openssl - OpenSSL command line tool

SYNOPSIS
       openssl command [ command_opts ] [ command_args ]

       openssl list [ standard-commands | digest-commands | cipher-commands |
       cipher-algorithms | digest-algorithms | public-key-algorithms]

       openssl no-XXX [ arbitrary options ]

DESCRIPTION
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line tool for using the various
       cryptography functions of OpenSSL's crypto library from the shell. It
       can be used for

        o  Creation and management of private keys, public keys and parameters
        o  Public key cryptographic operations
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
        o  Time Stamp requests, generation and verification

COMMAND SUMMARY
       The openssl program provides a rich variety of commands (command in the
       SYNOPSIS above), each of which often has a wealth of options and
       arguments (command_opts and command_args in the SYNOPSIS).

       Detailed documentation and use cases for most standard subcommands are
       available (e.g., x509(1) or openssl-x509(1)).

       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file. The
       environment variable OPENSSL_CONF can be used to specify the location
       of the file. If the environment variable is not specified, then the
       file is named openssl.cnf in the default certificate storage area,
       whose value depends on the configuration flags specified when
       OpenSSL was built.

       The list parameters standard-commands, digest-commands, and
       cipher-commands output a list (one entry per line) of the names of all
       standard commands, message digest commands, or cipher commands,
       respectively, that are available in the present openssl utility.

       The list parameters cipher-algorithms and digest-algorithms list all
       cipher and message digest names, one entry per line. Aliases are listed
       as:

        from => to

       The list parameter public-key-algorithms lists all supported public key
       algorithms.

       The command no-XXX tests whether a command of the specified name is
       available. If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX. In both cases,
       the output goes to stdout and nothing is printed to stderr. Additional
       command line arguments are always ignored. Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)
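
The no-XXX test described above, wrapped for use in a script. This is an added example, not part of the OpenSSL manual; OPENSSL_BIN, has_command and first_available are hypothetical names chosen for it.

```shell
# OPENSSL_BIN (hypothetical override) selects the build to probe; it
# defaults to whatever "openssl" resolves to on PATH.
OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# has_command NAME
#   returns 0 if the build has a command (or cipher) called NAME,
#           1 if it does not,
#           2 if the answer cannot be trusted.
# "openssl no-NAME" exits 0 and prints "no-NAME" when NAME is ABSENT, and
# exits 1 and prints "NAME" when it is present, so the sense is inverted.
has_command() {
    name=$1
    case $name in
        quit|list|no-*) return 2 ;;   # pseudo-commands: no-XXX cannot detect them
    esac
    st=0
    out=$("$OPENSSL_BIN" "no-$name" 2>/dev/null) || st=$?
    # Require exit status and stdout to agree before believing either.
    if [ "$st" -eq 1 ] && [ "$out" = "$name" ]; then
        return 0
    fi
    if [ "$st" -eq 0 ] && [ "$out" = "no-$name" ]; then
        return 1
    fi
    return 2                          # e.g. openssl missing or unexpected output
}

# first_available NAME...
#   prints the first NAME that exists in this build; returns 1 if none does.
#   Pass the names in order of preference, strongest first.
first_available() {
    for candidate in "$@"; do
        if has_command "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```

A script would call, for instance, first_available aes-256-cbc camellia-256-cbc and stop if nothing is printed, rather than silently falling back to a weaker cipher.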

   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) utility.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest Calculation.

       dh  Diffie-Hellman Parameter Management. Obsoleted by dhparam(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by genpkey(1) and pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by genpkey(1)
           and pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encoding with Ciphers.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       gendh
           Generation of Diffie-Hellman Parameters. Obsoleted by dhparam(1).

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           genpkey(1) and pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by genpkey(1).

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol utility.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion tool.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation utility.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA utility for signing, verification, encryption, and decryption.
           Superseded by pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS. It's
           intended for testing purposes only and provides only rudimentary
           interface functionality but internally uses mostly all
           functionality of the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS. It's intended for testing
           purposes only and provides only rudimentary interface functionality
           but internally uses mostly all functionality of the OpenSSL ssl
           library. It provides both its own command-line-oriented protocol
           for testing SSL functions and a simple HTTP response facility to
           emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating utility.

       srp Maintain SRP password file.

       storeutl
           Utility to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority tool (client/server).

       verify
           X.509 Certificate Verification.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest

   Encoding and Cipher Commands
       The following aliases provide convenient access to the most used
       encodings and ciphers.

       Depending on how OpenSSL was configured and built, not all ciphers
       listed here may be present. See enc(1) for more information and command
       usage.

       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
           AES-128 Cipher

       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
           AES-192 Cipher

       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
           AES-256 Cipher

       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
       aria-128-ofb
           Aria-128 Cipher

       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
       aria-192-ofb
           Aria-192 Cipher

       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
       aria-256-ofb
           Aria-256 Cipher

       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
       camellia-128-ecb, camellia-128-ofb
           Camellia-128 Cipher

       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
       camellia-192-ecb, camellia-192-ofb
           Camellia-192 Cipher

       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
       camellia-256-ecb, camellia-256-ofb
           Camellia-256 Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       chacha20
           ChaCha20 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb,
       des-ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
           SEED Cipher

       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
           SM4 Cipher

OPTIONS
       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options.

   Pass Phrase Options
       Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively. These allow the
       password to be obtained from a variety of sources. Both of these
       options take a single argument whose format is described below. If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       Note that character encoding may be relevant, please see
       passphrase-encoding(7).

       pass:password
           The actual password is password. Since the password is visible to
           utilities (like 'ps' under Unix) this form should only be used
           where security is not important.

       env:var
           Obtain the password from the environment variable var. Since the
           environment of other processes is visible on certain platforms
           (e.g. ps under certain Unix OSes) this option should be used with
           caution.

       file:pathname
           The first line of pathname is the password. If the same pathname
           argument is supplied to -passin and -passout arguments then the
           first line will be used for the input password and the next line
           for the output password. pathname need not refer to a regular file:
           it could for example refer to a device or named pipe.

       fd:number
           Read the password from the file descriptor number. This can be used
           to send the data via a pipe for example.

       stdin
           Read the password from standard input.
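
The exposure notes above, turned into a check that can be run over scripts or job definitions before they ship. This is an added example, not part of the OpenSSL manual; the function names, verdict labels and sample command lines are constructed for it, and only -passin and -passout are examined.

```shell
# classify_pass_source ARG
#   prints "VERDICT kind" for one pass phrase argument; the secret itself
#   is never echoed, so the report is safe to store.
classify_pass_source() {
    case $1 in
        pass:*)  echo "EXPOSED pass" ;;   # password sits in argv, visible to ps
        env:?*)  echo "CAUTION env" ;;    # environment is readable on some platforms
        file:?*) echo "OK file" ;;        # first line of a file, device or named pipe
        fd:*)
            case ${1#fd:} in
                ''|*[!0-9]*) echo "INVALID fd" ;;   # fd: needs a descriptor number
                *)           echo "OK fd" ;;
            esac ;;
        stdin)   echo "OK stdin" ;;
        *)       echo "INVALID unknown" ;;
    esac
}

# audit_pass_args
#   reads command lines on stdin and prints one line per -passin/-passout:
#   "<line-number> <option> <VERDICT> <kind>". Returns 1 if any is EXPOSED.
audit_pass_args() {
    lineno=0 exposed=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f      # naive whitespace split, globbing off
        while [ $# -gt 1 ]; do
            case $1 in
                -passin|-passout)
                    verdict=$(classify_pass_source "$2")
                    printf '%s %s %s\n' "$lineno" "$1" "$verdict"
                    case $verdict in EXPOSED*) exposed=1 ;; esac
                    shift ;;
            esac
            shift
        done
    done
    [ "$exposed" -eq 0 ]
}

# Constructed sample command lines (dummy secret, made-up file names).
sample_lines() {
    cat <<'EOF'
openssl rsa -in key.pem -passin pass:hunter2 -out plain.pem
openssl pkcs12 -export -in c.pem -passout env:P12_PW -out c.p12
openssl rsa -in key.pem -passin fd:3 -passout file:/run/secrets/pw
openssl pkey -in key.pem -passin fd:x
EOF
}
```

Running sample_lines | audit_pass_args reports line 1 as EXPOSED and returns 1, which makes the function usable as a pre-commit or CI gate.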

SEE ALSO
       asn1parse(1), ca(1), ciphers(1), cms(1), config(5), crl(1),
       crl2pkcs7(1), dgst(1), dhparam(1), dsa(1), dsaparam(1), ec(1),
       ecparam(1), enc(1), engine(1), errstr(1), gendsa(1), genpkey(1),
       genrsa(1), nseq(1), ocsp(1), pkcs12(1), pkcs7(1), pkcs8(1), pkey(1),
       pkeyparam(1), pkeyutl(1), prime(1), rehash(1), req(1), rsa(1),
       rsautl(1), s_client(1), s_server(1), s_time(1), sess_id(1), smime(1),
       speed(1), spkac(1), srp(1), storeutl(1), sslpasswd(1), sslrand(1),
       ts(1), verify(1), version(1), x509(1), crypto(7), ssl(7),
       x509v3_config(5)

HISTORY
       The list-XXX-algorithms pseudo-commands were added in OpenSSL 1.0.0.
       For notes on the availability of other commands, see their individual
       manual pages.

COPYRIGHT
       Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the OpenSSL license (the "License"). You may not use
       this file except in compliance with the License. You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

1.1.1c                             2019-06-03                       OPENSSL(1)