OPENSSL(1ossl)                      OpenSSL                     OPENSSL(1ossl)


NAME

       openssl - OpenSSL command line program


SYNOPSIS

       openssl command [ options ... ] [ parameters ... ]

       openssl list standard-commands | digest-commands | cipher-commands |
       cipher-algorithms | digest-algorithms | mac-algorithms | public-key-
       algorithms

       openssl no-XXX [ options ]


DESCRIPTION

       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line program for using the various
       cryptography functions of OpenSSL's crypto library from the shell.  It
       can be used for

        o  Creation and management of private keys, public keys and parameters
        o  Public key cryptographic operations
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests and Message Authentication Codes
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail
        o  Timestamp requests, generation and verification


COMMAND SUMMARY

       The openssl program provides a rich variety of commands (command in the
       "SYNOPSIS" above).  Each command can have many options and argument
       parameters, shown above as options and parameters.

       Detailed documentation and use cases for most standard subcommands are
       available (e.g., openssl-x509(1)).

       The list options -standard-commands, -digest-commands, and
       -cipher-commands output a list (one entry per line) of the names of all
       standard commands, message digest commands, or cipher commands,
       respectively, that are available.

       The list parameters -cipher-algorithms, -digest-algorithms, and
       -mac-algorithms list all cipher, message digest, and message
       authentication code names, one entry per line. Aliases are listed as:

        from => to

       The list parameter -public-key-algorithms lists all supported public
       key algorithms.

       The command no-XXX tests whether a command of the specified name is
       available.  If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX.  In both cases,
       the output goes to stdout and nothing is printed to stderr.  Additional
       command line arguments are always ignored.  Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)
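       The following Python helper is an added example and is not part of the
       OpenSSL documentation or code.  It scripts the no-XXX probe and the
       "from => to" alias format of the list command described above; it
       assumes the binary is reachable as "openssl" on PATH, and the runner is
       a parameter so the interpretation logic can be exercised without it.

```python
import shutil
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Added example, not OpenSSL code: script the "openssl no-XXX" probe and the
# "from => to" alias format of "openssl list".  The runner is a parameter so
# the interpretation logic can be tested without an openssl binary.

Result = Tuple[int, str]                 # (exit status, stdout text)
Runner = Callable[[List[str]], Result]   # runs e.g. ["no-aes-256-cbc"]


def run_openssl(argv: List[str]) -> Result:
    """Invoke the real openssl binary (assumed to be on PATH as 'openssl')."""
    proc = subprocess.run(["openssl", *argv], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def command_available(name: str, run: Runner = run_openssl) -> bool:
    """Interpret 'openssl no-NAME' exactly as documented: status 0 with
    'no-NAME' on stdout means the command is absent; status 1 with 'NAME'
    means it is present.  Anything else (a pseudo-command such as list or
    quit, a broken binary) is reported instead of being guessed."""
    status, out = run([f"no-{name}"])
    out = out.strip()
    if status == 0 and out == f"no-{name}":
        return False
    if status == 1 and out == name:
        return True
    raise RuntimeError(f"unexpected result for no-{name}: "
                       f"status={status} stdout={out!r}")


def missing_commands(required: Iterable[str],
                     run: Runner = run_openssl) -> List[str]:
    """Names in 'required' that this openssl build offers no command for.
    Cipher names work here because each cipher has a command of the same name."""
    return [name for name in required if not command_available(name, run)]


def parse_list(output: str) -> Dict[str, str]:
    """Map every name in 'openssl list -cipher-algorithms' style output to
    its canonical name.  Aliases appear as 'from => to'; plain names map to
    themselves.  Assumes the documented one-entry-per-line form."""
    names: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            alias, target = (part.strip() for part in line.split("=>", 1))
            names[alias] = target
        else:
            names[line] = line
    return names


if __name__ == "__main__":
    if shutil.which("openssl"):
        print("missing:", missing_commands(["aes-256-cbc", "idea", "rc4"]))
```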

   Configuration Option
       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file.  The
       default name of the file is openssl.cnf in the default certificate
       storage area, which can be determined from the openssl-version(1)
       command using the -d or -a option.  The environment variable
       OPENSSL_CONF can be used to specify a different file location or to
       disable loading a configuration (using the empty string).

       Among others, the configuration file can be used to load modules and to
       specify parameters for generating certificates and random numbers.  See
       config(5) for details.

   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) command.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest calculation. MAC calculations are superseded by
           openssl-mac(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by openssl-genpkey(1) and openssl-pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by
           openssl-genpkey(1) and openssl-pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encryption, decryption, and encoding.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       fipsinstall
           FIPS configuration installation.

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           openssl-genpkey(1) and openssl-pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by openssl-genpkey(1).

       help
           Display information about a command's options.

       info
           Display diverse information built into the OpenSSL libraries.

       kdf Key Derivation Functions.

       list
           List algorithms and features.

       mac Message Authentication Code Calculation.

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol command.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion command.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation command.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA command for signing, verification, encryption, and decryption.
           Superseded by openssl-pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS.  It is
           intended for testing purposes only and provides only a rudimentary
           interface, but internally uses nearly all of the functionality of
           the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS.  It is intended for testing
           purposes only and provides only a rudimentary interface, but
           internally uses nearly all of the functionality of the OpenSSL ssl
           library.  It provides both its own command-line-oriented protocol
           for testing SSL functions and a simple HTTP response facility to
           emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating command.

       srp Maintain SRP password file. This command is deprecated.

       storeutl
           Command to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority command.

       verify
           X.509 Certificate Verification.  See also the
           openssl-verification-options(1) manual page.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest

   Encryption, Decryption, and Encoding Commands
       The following aliases provide convenient access to the most used
       encodings and ciphers.

       Depending on how OpenSSL was configured and built, not all ciphers
       listed here may be present. See openssl-enc(1) for more information.

       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
           AES-128 Cipher

       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
           AES-192 Cipher

       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
           AES-256 Cipher

       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
       aria-128-ofb
           Aria-128 Cipher

       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
       aria-192-ofb
           Aria-192 Cipher

       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
       aria-256-ofb
           Aria-256 Cipher

       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
       camellia-128-ecb, camellia-128-ofb
           Camellia-128 Cipher

       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
       camellia-192-ecb, camellia-192-ofb
           Camellia-192 Cipher

       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
       camellia-256-ecb, camellia-256-ofb
           Camellia-256 Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       chacha20
           Chacha20 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-
       ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
           SEED Cipher

       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
           SM4 Cipher

OPTIONS

       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options.  If an option takes an
           argument, the "type" of argument is also given.

       --  This terminates the list of options. It is mostly useful if any
           filename parameters start with a minus sign:

            openssl verify [flags...] -- -cert1.pem...

   Format Options
       See the openssl-format-options(1) manual page.

   Pass Phrase Options
       See the openssl-passphrase-options(1) manual page.

   Random State Options
       Prior to OpenSSL 1.1.1, it was common for applications to store
       information about the state of the random-number generator in a file
       that was loaded at startup and rewritten upon exit. On modern operating
       systems, this is generally no longer necessary as OpenSSL will seed
       itself from a trusted entropy source provided by the operating system.
       These flags are still supported for special platforms or circumstances
       that might require them.

       It is generally an error to use the same seed file more than once and
       every use of -rand should be paired with -writerand.

       -rand files
           A file or files containing random data used to seed the random
           number generator.  Multiple files can be specified separated by an
           OS-dependent character.  The separator is ";" for MS-Windows, ","
           for OpenVMS, and ":" for all others. Another way to specify
           multiple files is to repeat this flag with different filenames.

       -writerand file
           Writes the seed data to the specified file upon exit.  This file
           can be used in a subsequent command invocation.

   Certificate Verification Options
       See the openssl-verification-options(1) manual page.

   Name Format Options
       See the openssl-namedisplay-options(1) manual page.

   TLS Version Options
       Several commands use SSL, TLS, or DTLS. By default, the commands use
       TLS and clients will offer the lowest and highest protocol version they
       support, and servers will pick the highest version that the client
       offers that is also supported by the server.

       The options below can be used to limit which protocol versions are
       used, and whether TCP (SSL and TLS) or UDP (DTLS) is used.  Note that
       not all protocols and flags may be available, depending on how OpenSSL
       was built.

       -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1,
       -no_tls1_1, -no_tls1_2, -no_tls1_3
           These options require or disable the use of the specified SSL or
           TLS protocols.  When a specific TLS version is required, only that
           version will be offered or accepted.  Only one specific protocol
           can be given and it cannot be combined with any of the no_ options.

       -dtls, -dtls1, -dtls1_2
           These options specify to use DTLS instead of TLS.  With -dtls,
           clients will negotiate any supported DTLS protocol version.  Use
           the -dtls1 or -dtls1_2 options to support only DTLS1.0 or DTLS1.2,
           respectively.

   Engine Options
       -engine id
           Load the engine identified by id and use all the methods it
           implements (algorithms, key storage, etc.), unless specified
           otherwise in the command-specific documentation or it is configured
           to do so, as described in "Engine Configuration" in config(5).

           The engine will be used for key ids specified with -key and similar
           options when an option like -keyform engine is given.

           A special case is the "loader_attic" engine, which is meant just
           for internal OpenSSL testing purposes and supports loading keys,
           parameters, certificates, and CRLs from files.  When this engine is
           used, files with such credentials are read via this engine.  Using
           the "file:" schema is optional; a plain file (path) name will do.

       Options specifying keys, like -key and similar, can use the generic
       OpenSSL engine key loading URI scheme "org.openssl.engine:" to retrieve
       private keys and public keys.  The URI syntax is as follows, in
       simplified form:

           org.openssl.engine:{engineid}:{keyid}

       Where "{engineid}" is the identity/name of the engine, and "{keyid}" is
       a key identifier that's acceptable by that engine.  For example, when
       using an engine that interfaces against a PKCS#11 implementation, the
       generic key URI would be something like this (this happens to be an
       example for the PKCS#11 engine that's part of OpenSC):

           -key org.openssl.engine:pkcs11:label_some-private-key

       As a third possibility, for engines and providers that have implemented
       their own OSSL_STORE_LOADER(3), "org.openssl.engine:" should not be
       necessary.  For a PKCS#11 implementation that has implemented such a
       loader, the PKCS#11 URI as defined in RFC 7512 should be possible to
       use directly:

           -key pkcs11:object=some-private-key;pin-value=1234

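       The following Python parser is an added example, not OpenSSL code.  It
       classifies a -key argument into the three forms described above (plain
       file name, "org.openssl.engine:" URI, direct RFC 7512 "pkcs11:" URI)
       and renders a log-safe form in which the pin-value attribute is
       replaced, since a PIN given on the command line should not be copied
       into a wrapper script's logs.  The KeyRef type and function names are
       this example's own.

```python
from typing import Dict, NamedTuple, Optional
from urllib.parse import unquote

# Added example, not OpenSSL code: classify the key reference given to -key
# (and similar options) into the three forms the Engine Options section
# describes, and produce a log-safe rendering without the PIN.

ENGINE_SCHEME = "org.openssl.engine:"
PKCS11_SCHEME = "pkcs11:"
SECRET_ATTRS = {"pin-value"}   # RFC 7512 attribute that carries the PIN itself


class KeyRef(NamedTuple):
    scheme: str              # "org.openssl.engine", "pkcs11" or "file"
    engine: Optional[str]    # {engineid} for the org.openssl.engine form
    attrs: Dict[str, str]    # parsed PKCS#11 attributes, if any
    key_id: str              # raw {keyid}, pkcs11 URI, or file path


def parse_pkcs11_attrs(body: str) -> Dict[str, str]:
    """Split the body of a pkcs11: URI into attributes.  RFC 7512 separates
    path attributes with ';' and query attributes (after '?') with '&', with
    percent-encoded values; the man page example carries pin-value in the
    path part, which this accepts as well."""
    path, _, query = body.partition("?")
    parts = [p for p in path.split(";") if p] + [q for q in query.split("&") if q]
    attrs: Dict[str, str] = {}
    for part in parts:
        name, _, value = part.partition("=")
        attrs[unquote(name)] = unquote(value)
    return attrs


def parse_key_ref(value: str) -> KeyRef:
    """Generic engine URI, direct PKCS#11 URI, or plain file name."""
    if value.startswith(ENGINE_SCHEME):
        engine, sep, key_id = value[len(ENGINE_SCHEME):].partition(":")
        if not (sep and engine and key_id):
            raise ValueError("expected org.openssl.engine:{engineid}:{keyid}")
        attrs: Dict[str, str] = {}
        if key_id.startswith(PKCS11_SCHEME):      # engine handed a pkcs11: URI
            attrs = parse_pkcs11_attrs(key_id[len(PKCS11_SCHEME):])
        return KeyRef("org.openssl.engine", engine, attrs, key_id)
    if value.startswith(PKCS11_SCHEME):
        return KeyRef("pkcs11", None,
                      parse_pkcs11_attrs(value[len(PKCS11_SCHEME):]), value)
    # Otherwise a file; the optional "file:" prefix is dropped.
    path = value[len("file:"):] if value.startswith("file:") else value
    return KeyRef("file", None, {}, path)


def redacted(ref: KeyRef) -> str:
    """Rendering safe for logs: secret attributes are replaced, not printed."""
    if ref.scheme == "file":
        return f"file:{ref.key_id}"
    body = ref.key_id
    if ref.attrs:
        body = PKCS11_SCHEME + ";".join(
            f"{k}={'<redacted>' if k in SECRET_ATTRS else v}"
            for k, v in sorted(ref.attrs.items()))
    if ref.engine:
        return f"{ENGINE_SCHEME}{ref.engine}:{body}"
    return body
```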
   Provider Options
       -provider name
           Load and initialize the provider identified by name. The name can
           be also a path to the provider module. In that case the provider
           name will be the specified path and not just the provider module
           name.  Interpretation of relative paths is platform specific. The
           configured "MODULESDIR" path, OPENSSL_MODULES environment variable,
           or the path specified by -provider-path is prepended to relative
           paths.  See provider(7) for a more detailed description.

       -provider-path path
           Specifies the search path that is to be used for looking for
           providers.  Equivalently, the OPENSSL_MODULES environment variable
           may be set.

       -propquery propq
           Specifies the property query clause to be used when fetching
           algorithms from the loaded providers.  See property(7) for a more
           detailed description.


ENVIRONMENT

       The OpenSSL library can take some configuration parameters from the
       environment.  Some of these variables are listed below.  For
       information about specific commands, see openssl-engine(1),
       openssl-rehash(1), and tsget(1).

       For information about the use of environment variables in
       configuration, see "ENVIRONMENT" in config(5).

       For information about querying or specifying CPU architecture flags,
       see OPENSSL_ia32cap(3), and OPENSSL_s390xcap(3).

       For information about all environment variables used by the OpenSSL
       libraries, see openssl-env(7).

       OPENSSL_TRACE=name[,...]
           Enable tracing output of OpenSSL library, by name.  This output
           will only make sense if you know OpenSSL internals well.  Also, it
           might not give you any output at all, depending on how OpenSSL was
           built.

           The value is a comma separated list of names, with the following
           available:

           TRACE
               The tracing functionality.

           TLS General SSL/TLS.

           TLS_CIPHER
               SSL/TLS cipher.

           CONF
               Show details about provider and engine configuration.

           ENGINE_TABLE
               The function that is used by RSA, DSA (etc) code to select
               registered ENGINEs, cache defaults and functional references
               (etc), will generate debugging summaries.

           ENGINE_REF_COUNT
               Reference counts in the ENGINE structure will be monitored with
               a line of output generated for each change.

           PKCS5V2
               PKCS#5 v2 keygen.

           PKCS12_KEYGEN
               PKCS#12 key generation.

           PKCS12_DECRYPT
               PKCS#12 decryption.

           X509V3_POLICY
               Generates the complete policy tree at various points during
               X.509 v3 policy evaluation.

           BN_CTX
               BIGNUM context.


SEE ALSO

       openssl-asn1parse(1), openssl-ca(1), openssl-ciphers(1),
       openssl-cms(1), openssl-crl(1), openssl-crl2pkcs7(1), openssl-dgst(1),
       openssl-dhparam(1), openssl-dsa(1), openssl-dsaparam(1), openssl-ec(1),
       openssl-ecparam(1), openssl-enc(1), openssl-engine(1),
       openssl-errstr(1), openssl-gendsa(1), openssl-genpkey(1),
       openssl-genrsa(1), openssl-kdf(1), openssl-mac(1), openssl-nseq(1),
       openssl-ocsp(1), openssl-passwd(1), openssl-pkcs12(1),
       openssl-pkcs7(1), openssl-pkcs8(1), openssl-pkey(1),
       openssl-pkeyparam(1), openssl-pkeyutl(1), openssl-prime(1),
       openssl-rand(1), openssl-rehash(1), openssl-req(1), openssl-rsa(1),
       openssl-rsautl(1), openssl-s_client(1), openssl-s_server(1),
       openssl-s_time(1), openssl-sess_id(1), openssl-smime(1),
       openssl-speed(1), openssl-spkac(1), openssl-srp(1),
       openssl-storeutl(1), openssl-ts(1), openssl-verify(1),
       openssl-version(1), openssl-x509(1), config(5), crypto(7),
       openssl-env(7), ssl(7), x509v3_config(5).


HISTORY

       The list -XXX-algorithms options were added in OpenSSL 1.0.0.  For notes
       on the availability of other commands, see their individual manual
       pages.

       The -issuer_checks option is deprecated as of OpenSSL 1.1.0 and is
       silently ignored.

       The -xcertform and -xkeyform options are obsolete since OpenSSL 3.0 and
       have no effect.

       The interactive mode, which could be invoked by running "openssl" with
       no further arguments, was removed in OpenSSL 3.0, and running that
       program with no arguments is now equivalent to "openssl help".

COPYRIGHT

       Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License").  You may not use
       this file except in compliance with the License.  You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.0.5                             2022-11-01                    OPENSSL(1ossl)