1OPENSSL(1ossl) OpenSSL OPENSSL(1ossl)
2
6 openssl - OpenSSL command line program
7
9 openssl command [ options ... ] [ parameters ... ]
10 openssl list standard-commands | digest-commands | cipher-commands |
12 cipher-algorithms | digest-algorithms | mac-algorithms | public-key-
13 algorithms
14 openssl no-XXX [ options ]
16
18 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
19 (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
20 related cryptography standards required by them.
21 The openssl program is a command line program for using the various
23 cryptography functions of OpenSSL's crypto library from the shell. It
24 can be used for
25 o Creation and management of private keys, public keys and parameters
27 o Public key cryptographic operations
28 o Creation of X.509 certificates, CSRs and CRLs
29 o Calculation of Message Digests and Message Authentication Codes
30 o Encryption and Decryption with Ciphers
31 o SSL/TLS Client and Server Tests
32 o Handling of S/MIME signed or encrypted mail
33 o Timestamp requests, generation and verification
34
36 The openssl program provides a rich variety of commands (command in the
37 "SYNOPSIS" above). Each command can have many options and argument
38 parameters, shown above as options and parameters.
39 Detailed documentation and use cases for most standard subcommands are
41 available (e.g., openssl-x509(1)).
42 The list options -standard-commands, -digest-commands, and
44 -cipher-commands output a list (one entry per line) of the names of all
45 standard commands, message digest commands, or cipher commands,
46 respectively, that are available.
47 The list parameters -cipher-algorithms, -digest-algorithms, and
49 -mac-algorithms list all cipher, message digest, and message
50 authentication code names, one entry per line. Aliases are listed as:
51 from => to
53 The list parameter -public-key-algorithms lists all supported public
55 key algorithms.
56 The command no-XXX tests whether a command of the specified name is
58 available. If no command named XXX exists, it returns 0 (success) and
59 prints no-XXX; otherwise it returns 1 and prints XXX. In both cases,
60 the output goes to stdout and nothing is printed to stderr. Additional
61 command line arguments are always ignored. Since for each cipher there
62 is a command of the same name, this provides an easy way for shell
63 scripts to test for the availability of ciphers in the openssl program.
64 (no-XXX is not able to detect pseudo-commands such as quit, list, or
65 no-XXX itself.)
66 Configuration Option
68 Many commands use an external configuration file for some or all of
69 their arguments and have a -config option to specify that file. The
70 default name of the file is openssl.cnf in the default certificate
71 storage area, which can be determined from the openssl-version(1)
72 command using the -d or -a option. The environment variable
73 OPENSSL_CONF can be used to specify a different file location or to
74 disable loading a configuration (using the empty string).
75 Among others, the configuration file can be used to load modules and to
77 specify parameters for generating certificates and random numbers. See
78 config(5) for details.
79 Standard Commands
81 asn1parse
82 Parse an ASN.1 sequence.
83 ca Certificate Authority (CA) Management.
85 ciphers
87 Cipher Suite Description Determination.
88 cms CMS (Cryptographic Message Syntax) command.
90 crl Certificate Revocation List (CRL) Management.
92 crl2pkcs7
94 CRL to PKCS#7 Conversion.
95 dgst
97 Message Digest calculation. MAC calculations are superseded by
98 openssl-mac(1).
99 dhparam
101 Generation and Management of Diffie-Hellman Parameters. Superseded
102 by openssl-genpkey(1) and openssl-pkeyparam(1).
103 dsa DSA Data Management.
105 dsaparam
107 DSA Parameter Generation and Management. Superseded by
108 openssl-genpkey(1) and openssl-pkeyparam(1).
109 ec EC (Elliptic curve) key processing.
111 ecparam
113 EC parameter manipulation and generation.
114 enc Encryption, decryption, and encoding.
116 engine
118 Engine (loadable module) information and manipulation.
119 errstr
121 Error Number to Error String Conversion.
122 fipsinstall
124 FIPS configuration installation.
125 gendsa
127 Generation of DSA Private Key from Parameters. Superseded by
128 openssl-genpkey(1) and openssl-pkey(1).
129 genpkey
131 Generation of Private Key or Parameters.
132 genrsa
134 Generation of RSA Private Key. Superseded by openssl-genpkey(1).
135 help
137 Display information about a command's options.
138 info
140 Display diverse information built into the OpenSSL libraries.
141 kdf Key Derivation Functions.
143 list
145 List algorithms and features.
146 mac Message Authentication Code Calculation.
148 nseq
150 Create or examine a Netscape certificate sequence.
151 ocsp
153 Online Certificate Status Protocol command.
154 passwd
156 Generation of hashed passwords.
157 pkcs12
159 PKCS#12 Data Management.
160 pkcs7
162 PKCS#7 Data Management.
163 pkcs8
165 PKCS#8 format private key conversion command.
166 pkey
168 Public and private key management.
169 pkeyparam
171 Public key algorithm parameter management.
172 pkeyutl
174 Public key algorithm cryptographic operation command.
175 prime
177 Compute prime numbers.
178 rand
180 Generate pseudo-random bytes.
181 rehash
183 Create symbolic links to certificate and CRL files named by the
184 hash values.
185 req PKCS#10 X.509 Certificate Signing Request (CSR) Management.
187 rsa RSA key management.
189 rsautl
191 RSA command for signing, verification, encryption, and decryption.
192 Superseded by openssl-pkeyutl(1).
193 s_client
195 This implements a generic SSL/TLS client which can establish a
196 transparent connection to a remote server speaking SSL/TLS. It's
197 intended for testing purposes only and provides only rudimentary
198 interface functionality but internally uses mostly all
199 functionality of the OpenSSL ssl library.
200 s_server
202 This implements a generic SSL/TLS server which accepts connections
203 from remote clients speaking SSL/TLS. It's intended for testing
204 purposes only and provides only rudimentary interface functionality
205 but internally uses mostly all functionality of the OpenSSL ssl
206 library. It provides both an own command line oriented protocol
207 for testing SSL functions and a simple HTTP response facility to
208 emulate an SSL/TLS-aware webserver.
209 s_time
211 SSL Connection Timer.
212 sess_id
214 SSL Session Data Management.
215 smime
217 S/MIME mail processing.
218 speed
220 Algorithm Speed Measurement.
221 spkac
223 SPKAC printing and generating command.
224 srp Maintain SRP password file. This command is deprecated.
226 storeutl
228 Command to list and display certificates, keys, CRLs, etc.
229 ts Time Stamping Authority command.
231 verify
233 X.509 Certificate Verification. See also the
234 openssl-verification-options(1) manual page.
235 version
237 OpenSSL Version Information.
238 x509
240 X.509 Certificate Data Management.
241 Message Digest Commands
243 blake2b512
244 BLAKE2b-512 Digest
245 blake2s256
247 BLAKE2s-256 Digest
248 md2 MD2 Digest
250 md4 MD4 Digest
252 md5 MD5 Digest
254 mdc2
256 MDC2 Digest
257 rmd160
259 RMD-160 Digest
260 sha1
262 SHA-1 Digest
263 sha224
265 SHA-2 224 Digest
266 sha256
268 SHA-2 256 Digest
269 sha384
271 SHA-2 384 Digest
272 sha512
274 SHA-2 512 Digest
275 sha3-224
277 SHA-3 224 Digest
278 sha3-256
280 SHA-3 256 Digest
281 sha3-384
283 SHA-3 384 Digest
284 sha3-512
286 SHA-3 512 Digest
287 shake128
289 SHA-3 SHAKE128 Digest
290 shake256
292 SHA-3 SHAKE256 Digest
293 sm3 SM3 Digest
295 Encryption, Decryption, and Encoding Commands
297 The following aliases provide convenient access to the most used
298 encodings and ciphers.
299 Depending on how OpenSSL was configured and built, not all ciphers
301 listed here may be present. See openssl-enc(1) for more information.
302 aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
304 AES-128 Cipher
305 aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
307 AES-192 Cipher
308 aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
310 AES-256 Cipher
311 aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
313 aria-128-ofb
314 Aria-128 Cipher
315 aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
317 aria-192-ofb
318 Aria-192 Cipher
319 aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
321 aria-256-ofb
322 Aria-256 Cipher
323 base64
325 Base64 Encoding
326 bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
328 Blowfish Cipher
329 camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
331 camellia-128-ecb, camellia-128-ofb
332 Camellia-128 Cipher
333 camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
335 camellia-192-ecb, camellia-192-ofb
336 Camellia-192 Cipher
337 camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
339 camellia-256-ecb, camellia-256-ofb
340 Camellia-256 Cipher
341 cast, cast-cbc
343 CAST Cipher
344 cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
346 CAST5 Cipher
347 chacha20
349 Chacha20 Cipher
350 des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-
352 ede-ofb, des-ofb
353 DES Cipher
354 des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
356 Triple-DES Cipher
357 idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
359 IDEA Cipher
360 rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
362 RC2 Cipher
363 rc4 RC4 Cipher
365 rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
367 RC5 Cipher
368 seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
370 SEED Cipher
371 sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
373 SM4 Cipher
374
376 Details of which options are available depend on the specific command.
377 This section describes some common options with common behavior.
378 Common Options
380 -help
381 Provides a terse summary of all options. If an option takes an
382 argument, the "type" of argument is also given.
383 -- This terminates the list of options. It is mostly useful if any
385 filename parameters start with a minus sign:
386 openssl verify [flags...] -- -cert1.pem...
388 Format Options
390 See openssl-format-options(1) for manual page.
391 Pass Phrase Options
393 See the openssl-passphrase-options(1) manual page.
394 Random State Options
396 Prior to OpenSSL 1.1.1, it was common for applications to store
397 information about the state of the random-number generator in a file
398 that was loaded at startup and rewritten upon exit. On modern operating
399 systems, this is generally no longer necessary as OpenSSL will seed
400 itself from a trusted entropy source provided by the operating system.
401 These flags are still supported for special platforms or circumstances
402 that might require them.
403 It is generally an error to use the same seed file more than once and
405 every use of -rand should be paired with -writerand.
406 -rand files
408 A file or files containing random data used to seed the random
409 number generator. Multiple files can be specified separated by an
410 OS-dependent character. The separator is ";" for MS-Windows, ","
411 for OpenVMS, and ":" for all others. Another way to specify
412 multiple files is to repeat this flag with different filenames.
413 -writerand file
415 Writes the seed data to the specified file upon exit. This file
416 can be used in a subsequent command invocation.
417 Certificate Verification Options
419 See the openssl-verification-options(1) manual page.
420 Name Format Options
422 See the openssl-namedisplay-options(1) manual page.
423 TLS Version Options
425 Several commands use SSL, TLS, or DTLS. By default, the commands use
426 TLS and clients will offer the lowest and highest protocol version they
427 support, and servers will pick the highest version that the client
428 offers that is also supported by the server.
429 The options below can be used to limit which protocol versions are
431 used, and whether TCP (SSL and TLS) or UDP (DTLS) is used. Note that
432 not all protocols and flags may be available, depending on how OpenSSL
433 was built.
434 -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1,
436 -no_tls1_1, -no_tls1_2, -no_tls1_3
437 These options require or disable the use of the specified SSL or
438 TLS protocols. When a specific TLS version is required, only that
439 version will be offered or accepted. Only one specific protocol
440 can be given and it cannot be combined with any of the no_ options.
441 -dtls, -dtls1, -dtls1_2
443 These options specify to use DTLS instead of DLTS. With -dtls,
444 clients will negotiate any supported DTLS protocol version. Use
445 the -dtls1 or -dtls1_2 options to support only DTLS1.0 or DTLS1.2,
446 respectively.
447 Engine Options
449 -engine id
450 Load the engine identified by id and use all the methods it
451 implements (algorithms, key storage, etc.), unless specified
452 otherwise in the command-specific documentation or it is configured
453 to do so, as described in "Engine Configuration" in config(5).
454 The engine will be used for key ids specified with -key and similar
456 options when an option like -keyform engine is given.
457 A special case is the "loader_attic" engine, which is meant just
459 for internal OpenSSL testing purposes and supports loading keys,
460 parameters, certificates, and CRLs from files. When this engine is
461 used, files with such credentials are read via this engine. Using
462 the "file:" schema is optional; a plain file (path) name will do.
463 Options specifying keys, like -key and similar, can use the generic
465 OpenSSL engine key loading URI scheme "org.openssl.engine:" to retrieve
466 private keys and public keys. The URI syntax is as follows, in
467 simplified form:
468 org.openssl.engine:{engineid}:{keyid}
470 Where "{engineid}" is the identity/name of the engine, and "{keyid}" is
472 a key identifier that's acceptable by that engine. For example, when
473 using an engine that interfaces against a PKCS#11 implementation, the
474 generic key URI would be something like this (this happens to be an
475 example for the PKCS#11 engine that's part of OpenSC):
476 -key org.openssl.engine:pkcs11:label_some-private-key
478 As a third possibility, for engines and providers that have implemented
480 their own OSSL_STORE_LOADER(3), "org.openssl.engine:" should not be
481 necessary. For a PKCS#11 implementation that has implemented such a
482 loader, the PKCS#11 URI as defined in RFC 7512 should be possible to
483 use directly:
484 -key pkcs11:object=some-private-key;pin-value=1234
486 Provider Options
488 -provider name
489 Load and initialize the provider identified by name. The name can
490 be also a path to the provider module. In that case the provider
491 name will be the specified path and not just the provider module
492 name. Interpretation of relative paths is platform specific. The
493 configured "MODULESDIR" path, OPENSSL_MODULES environment variable,
494 or the path specified by -provider-path is prepended to relative
495 paths. See provider(7) for a more detailed description.
496 -provider-path path
498 Specifies the search path that is to be used for looking for
499 providers. Equivalently, the OPENSSL_MODULES environment variable
500 may be set.
501 -propquery propq
503 Specifies the property query clause to be used when fetching
504 algorithms from the loaded providers. See property(7) for a more
505 detailed description.
506
508 The OpenSSL library can be take some configuration parameters from the
509 environment. Some of these variables are listed below. For
510 information about specific commands, see openssl-engine(1),
511 openssl-rehash(1), and tsget(1).
512 For information about the use of environment variables in
514 configuration, see "ENVIRONMENT" in config(5).
515 For information about querying or specifying CPU architecture flags,
517 see OPENSSL_ia32cap(3), and OPENSSL_s390xcap(3).
518 For information about all environment variables used by the OpenSSL
520 libraries, see openssl-env(7).
521 OPENSSL_TRACE=name[,...]
523 Enable tracing output of OpenSSL library, by name. This output
524 will only make sense if you know OpenSSL internals well. Also, it
525 might not give you any output at all, depending on how OpenSSL was
526 built.
527 The value is a comma separated list of names, with the following
529 available:
530 TRACE
532 The tracing functionality.
533 TLS General SSL/TLS.
535 TLS_CIPHER
537 SSL/TLS cipher.
538 CONF
540 Show details about provider and engine configuration.
541 ENGINE_TABLE
543 The function that is used by RSA, DSA (etc) code to select
544 registered ENGINEs, cache defaults and functional references
545 (etc), will generate debugging summaries.
546 ENGINE_REF_COUNT
548 Reference counts in the ENGINE structure will be monitored with
549 a line of generated for each change.
550 PKCS5V2
552 PKCS#5 v2 keygen.
553 PKCS12_KEYGEN
555 PKCS#12 key generation.
556 PKCS12_DECRYPT
558 PKCS#12 decryption.
559 X509V3_POLICY
561 Generates the complete policy tree at various point during
562 X.509 v3 policy evaluation.
563 BN_CTX
565 BIGNUM context.
566
568 openssl-asn1parse(1), openssl-ca(1), openssl-ciphers(1),
569 openssl-cms(1), openssl-crl(1), openssl-crl2pkcs7(1), openssl-dgst(1),
570 openssl-dhparam(1), openssl-dsa(1), openssl-dsaparam(1), openssl-ec(1),
571 openssl-ecparam(1), openssl-enc(1), openssl-engine(1),
572 openssl-errstr(1), openssl-gendsa(1), openssl-genpkey(1),
573 openssl-genrsa(1), openssl-kdf(1), openssl-mac(1), openssl-nseq(1),
574 openssl-ocsp(1), openssl-passwd(1), openssl-pkcs12(1),
575 openssl-pkcs7(1), openssl-pkcs8(1), openssl-pkey(1),
576 openssl-pkeyparam(1), openssl-pkeyutl(1), openssl-prime(1),
577 openssl-rand(1), openssl-rehash(1), openssl-req(1), openssl-rsa(1),
578 openssl-rsautl(1), openssl-s_client(1), openssl-s_server(1),
579 openssl-s_time(1), openssl-sess_id(1), openssl-smime(1),
580 openssl-speed(1), openssl-spkac(1), openssl-srp(1),
581 openssl-storeutl(1), openssl-ts(1), openssl-verify(1),
582 openssl-version(1), openssl-x509(1), config(5), crypto(7),
583 openssl-env(7). ssl(7), x509v3_config(5)
584
586 The list -XXX-algorithms options were added in OpenSSL 1.0.0; For notes
587 on the availability of other commands, see their individual manual
588 pages.
589 The -issuer_checks option is deprecated as of OpenSSL 1.1.0 and is
591 silently ignored.
592 The -xcertform and -xkeyform options are obsolete since OpenSSL 3.0 and
594 have no effect.
595 The interactive mode, which could be invoked by running "openssl" with
597 no further arguments, was removed in OpenSSL 3.0, and running that
598 program with no arguments is now equivalent to "openssl help".
599
601 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
602 Licensed under the Apache License 2.0 (the "License"). You may not use
604 this file except in compliance with the License. You can obtain a copy
605 in the file LICENSE in the source distribution or at
606 <https://www.openssl.org/source/license.html>.
6073.0.5 2022-07-05 OPENSSL(1ossl)