1OPENSSL(1)                          OpenSSL                         OPENSSL(1)
2
3
4

NAME

6       openssl - OpenSSL command line tool
7

SYNOPSIS

9       openssl command [ command_opts ] [ command_args ]
10
11       openssl list [ standard-commands | digest-commands | cipher-commands |
12       cipher-algorithms | digest-algorithms | public-key-algorithms]
13
14       openssl no-XXX [ arbitrary options ]
15

DESCRIPTION

17       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
18       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
19       related cryptography standards required by them.
20
21       The openssl program is a command line tool for using the various
22       cryptography functions of OpenSSL's crypto library from the shell.  It
23       can be used for
24
25        o  Creation and management of private keys, public keys and parameters
26        o  Public key cryptographic operations
27        o  Creation of X.509 certificates, CSRs and CRLs
28        o  Calculation of Message Digests
29        o  Encryption and Decryption with Ciphers
30        o  SSL/TLS Client and Server Tests
31        o  Handling of S/MIME signed or encrypted mail
32        o  Time Stamp requests, generation and verification
33

COMMAND SUMMARY

35       The openssl program provides a rich variety of commands (command in the
36       SYNOPSIS above), each of which often has a wealth of options and
37       arguments (command_opts and command_args in the SYNOPSIS).
38
39       Detailed documentation and use cases for most standard subcommands are
40       available (e.g., x509(1) or openssl-x509(1)).
41
42       Many commands use an external configuration file for some or all of
43       their arguments and have a -config option to specify that file.  The
44       environment variable OPENSSL_CONF can be used to specify the location
45       of the file.  If the environment variable is not specified, then the
46       file is named openssl.cnf in the default certificate storage area,
47       whose value depends on the configuration flags specified when the
48       OpenSSL was built.
49
50       The list parameters standard-commands, digest-commands, and cipher-
51       commands output a list (one entry per line) of the names of all
52       standard commands, message digest commands, or cipher commands,
53       respectively, that are available in the present openssl utility.
54
55       The list parameters cipher-algorithms and digest-algorithms list all
56       cipher and message digest names, one entry per line. Aliases are listed
57       as:
58
59        from => to
60
61       The list parameter public-key-algorithms lists all supported public key
62       algorithms.
63
64       The command no-XXX tests whether a command of the specified name is
65       available.  If no command named XXX exists, it returns 0 (success) and
66       prints no-XXX; otherwise it returns 1 and prints XXX.  In both cases,
67       the output goes to stdout and nothing is printed to stderr.  Additional
68       command line arguments are always ignored.  Since for each cipher there
69       is a command of the same name, this provides an easy way for shell
70       scripts to test for the availability of ciphers in the openssl program.
71       (no-XXX is not able to detect pseudo-commands such as quit, list, or
72       no-XXX itself.)
73
74   Standard Commands
75       asn1parse
76           Parse an ASN.1 sequence.
77
78       ca  Certificate Authority (CA) Management.
79
80       ciphers
81           Cipher Suite Description Determination.
82
83       cms CMS (Cryptographic Message Syntax) utility.
84
85       crl Certificate Revocation List (CRL) Management.
86
87       crl2pkcs7
88           CRL to PKCS#7 Conversion.
89
90       dgst
91           Message Digest Calculation.
92
93       dh  Diffie-Hellman Parameter Management.  Obsoleted by dhparam(1).
94
95       dhparam
96           Generation and Management of Diffie-Hellman Parameters. Superseded
97           by genpkey(1) and pkeyparam(1).
98
99       dsa DSA Data Management.
100
101       dsaparam
102           DSA Parameter Generation and Management. Superseded by genpkey(1)
103           and pkeyparam(1).
104
105       ec  EC (Elliptic curve) key processing.
106
107       ecparam
108           EC parameter manipulation and generation.
109
110       enc Encoding with Ciphers.
111
112       engine
113           Engine (loadable module) information and manipulation.
114
115       errstr
116           Error Number to Error String Conversion.
117
118       gendh
119           Generation of Diffie-Hellman Parameters.  Obsoleted by dhparam(1).
120
121       gendsa
122           Generation of DSA Private Key from Parameters. Superseded by
123           genpkey(1) and pkey(1).
124
125       genpkey
126           Generation of Private Key or Parameters.
127
128       genrsa
129           Generation of RSA Private Key. Superseded by genpkey(1).
130
131       nseq
132           Create or examine a Netscape certificate sequence.
133
134       ocsp
135           Online Certificate Status Protocol utility.
136
137       passwd
138           Generation of hashed passwords.
139
140       pkcs12
141           PKCS#12 Data Management.
142
143       pkcs7
144           PKCS#7 Data Management.
145
146       pkcs8
147           PKCS#8 format private key conversion tool.
148
149       pkey
150           Public and private key management.
151
152       pkeyparam
153           Public key algorithm parameter management.
154
155       pkeyutl
156           Public key algorithm cryptographic operation utility.
157
158       prime
159           Compute prime numbers.
160
161       rand
162           Generate pseudo-random bytes.
163
164       rehash
165           Create symbolic links to certificate and CRL files named by the
166           hash values.
167
168       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.
169
170       rsa RSA key management.
171
172       rsautl
173           RSA utility for signing, verification, encryption, and decryption.
174           Superseded by  pkeyutl(1).
175
176       s_client
177           This implements a generic SSL/TLS client which can establish a
178           transparent connection to a remote server speaking SSL/TLS. It's
179           intended for testing purposes only and provides only rudimentary
180           interface functionality but internally uses mostly all
181           functionality of the OpenSSL ssl library.
182
183       s_server
184           This implements a generic SSL/TLS server which accepts connections
185           from remote clients speaking SSL/TLS. It's intended for testing
186           purposes only and provides only rudimentary interface functionality
187           but internally uses mostly all functionality of the OpenSSL ssl
188           library.  It provides both an own command line oriented protocol
189           for testing SSL functions and a simple HTTP response facility to
190           emulate an SSL/TLS-aware webserver.
191
192       s_time
193           SSL Connection Timer.
194
195       sess_id
196           SSL Session Data Management.
197
198       smime
199           S/MIME mail processing.
200
201       speed
202           Algorithm Speed Measurement.
203
204       spkac
205           SPKAC printing and generating utility.
206
207       srp Maintain SRP password file.
208
209       storeutl
210           Utility to list and display certificates, keys, CRLs, etc.
211
212       ts  Time Stamping Authority tool (client/server).
213
214       verify
215           X.509 Certificate Verification.
216
217       version
218           OpenSSL Version Information.
219
220       x509
221           X.509 Certificate Data Management.
222
223   Message Digest Commands
224       blake2b512
225           BLAKE2b-512 Digest
226
227       blake2s256
228           BLAKE2s-256 Digest
229
230       md2 MD2 Digest
231
232       md4 MD4 Digest
233
234       md5 MD5 Digest
235
236       mdc2
237           MDC2 Digest
238
239       rmd160
240           RMD-160 Digest
241
242       sha1
243           SHA-1 Digest
244
245       sha224
246           SHA-2 224 Digest
247
248       sha256
249           SHA-2 256 Digest
250
251       sha384
252           SHA-2 384 Digest
253
254       sha512
255           SHA-2 512 Digest
256
257       sha3-224
258           SHA-3 224 Digest
259
260       sha3-256
261           SHA-3 256 Digest
262
263       sha3-384
264           SHA-3 384 Digest
265
266       sha3-512
267           SHA-3 512 Digest
268
269       shake128
270           SHA-3 SHAKE128 Digest
271
272       shake256
273           SHA-3 SHAKE256 Digest
274
275       sm3 SM3 Digest
276
277   Encoding and Cipher Commands
278       The following aliases provide convenient access to the most used
279       encodings and ciphers.
280
281       Depending on how OpenSSL was configured and built, not all ciphers
282       listed here may be present. See enc(1) for more information and command
283       usage.
284
285       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
286           AES-128 Cipher
287
288       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
289           AES-192 Cipher
290
291       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
292           AES-256 Cipher
293
294       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
295       aria-128-ofb
296           Aria-128 Cipher
297
298       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
299       aria-192-ofb
300           Aria-192 Cipher
301
302       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
303       aria-256-ofb
304           Aria-256 Cipher
305
306       base64
307           Base64 Encoding
308
309       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
310           Blowfish Cipher
311
312       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
313       camellia-128-ecb, camellia-128-ofb
314           Camellia-128 Cipher
315
316       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
317       camellia-192-ecb, camellia-192-ofb
318           Camellia-192 Cipher
319
320       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
321       camellia-256-ecb, camellia-256-ofb
322           Camellia-256 Cipher
323
324       cast, cast-cbc
325           CAST Cipher
326
327       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
328           CAST5 Cipher
329
330       chacha20
331           Chacha20 Cipher
332
333       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-
334       ede-ofb, des-ofb
335           DES Cipher
336
337       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
338           Triple-DES Cipher
339
340       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
341           IDEA Cipher
342
343       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
344           RC2 Cipher
345
346       rc4 RC4 Cipher
347
348       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
349           RC5 Cipher
350
351       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
352           SEED Cipher
353
354       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
355           SM4 Cipher
356

OPTIONS

358       Details of which options are available depend on the specific command.
359       This section describes some common options with common behavior.
360
361   Common Options
362       -help
363           Provides a terse summary of all options.
364
365   Pass Phrase Options
366       Several commands accept password arguments, typically using -passin and
367       -passout for input and output passwords respectively. These allow the
368       password to be obtained from a variety of sources. Both of these
369       options take a single argument whose format is described below. If no
370       password argument is given and a password is required then the user is
371       prompted to enter one: this will typically be read from the current
372       terminal with echoing turned off.
373
374       Note that character encoding may be relevant, please see
375       passphrase-encoding(7).
376
377       pass:password
378           The actual password is password. Since the password is visible to
379           utilities (like 'ps' under Unix) this form should only be used
380           where security is not important.
381
382       env:var
383           Obtain the password from the environment variable var. Since the
384           environment of other processes is visible on certain platforms
385           (e.g. ps under certain Unix OSes) this option should be used with
386           caution.
387
388       file:pathname
389           The first line of pathname is the password. If the same pathname
390           argument is supplied to -passin and -passout arguments then the
391           first line will be used for the input password and the next line
392           for the output password. pathname need not refer to a regular file:
393           it could for example refer to a device or named pipe.
394
395       fd:number
396           Read the password from the file descriptor number. This can be used
397           to send the data via a pipe for example.
398
399       stdin
400           Read the password from standard input.
401

SEE ALSO

403       asn1parse(1), ca(1), ciphers(1), cms(1), config(5), crl(1),
404       crl2pkcs7(1), dgst(1), dhparam(1), dsa(1), dsaparam(1), ec(1),
405       ecparam(1), enc(1), engine(1), errstr(1), gendsa(1), genpkey(1),
406       genrsa(1), nseq(1), ocsp(1), pkcs12(1), pkcs7(1), pkcs8(1), pkey(1),
407       pkeyparam(1), pkeyutl(1), prime(1), rehash(1), req(1), rsa(1),
408       rsautl(1), s_client(1), s_server(1), s_time(1), sess_id(1), smime(1),
409       speed(1), spkac(1), srp(1), storeutl(1), sslpasswd(1), sslrand(1),
410       ts(1), verify(1), version(1), x509(1), crypto(7), ssl(7),
411       x509v3_config(5)
412

HISTORY

414       The list-XXX-algorithms pseudo-commands were added in OpenSSL 1.0.0;
415       For notes on the availability of other commands, see their individual
416       manual pages.
417
419       Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
420
421       Licensed under the OpenSSL license (the "License").  You may not use
422       this file except in compliance with the License.  You can obtain a copy
423       in the file LICENSE in the source distribution or at
424       <https://www.openssl.org/source/license.html>.
425
426
427
4281.1.1g                            2020-04-23                        OPENSSL(1)
Impressum