OPENSSL(1ossl)                      OpenSSL                      OPENSSL(1ossl)

NAME
       openssl - OpenSSL command line program

SYNOPSIS
       openssl command [ options ... ] [ parameters ... ]

       openssl no-XXX [ options ]

DESCRIPTION
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       related cryptography standards required by them.

       The openssl program is a command line program for using the various
       cryptography functions of OpenSSL's crypto library from the shell. It
       can be used for

       o   Creation and management of private keys, public keys and parameters
       o   Public key cryptographic operations
       o   Creation of X.509 certificates, CSRs and CRLs
       o   Calculation of Message Digests and Message Authentication Codes
       o   Encryption and Decryption with Ciphers
       o   SSL/TLS Client and Server Tests
       o   Handling of S/MIME signed or encrypted mail
       o   Timestamp requests, generation and verification

COMMAND SUMMARY
       The openssl program provides a rich variety of commands (command in the
       "SYNOPSIS" above). Each command can have many options and argument
       parameters, shown above as options and parameters.

       Detailed documentation and use cases for most standard subcommands are
       available (e.g., openssl-x509(1)). The subcommand openssl-list(1) may
       be used to list subcommands.

       The command no-XXX tests whether a command of the specified name is
       available. If no command named XXX exists, it returns 0 (success) and
       prints no-XXX; otherwise it returns 1 and prints XXX. In both cases,
       the output goes to stdout and nothing is printed to stderr. Additional
       command line arguments are always ignored. Since for each cipher there
       is a command of the same name, this provides an easy way for shell
       scripts to test for the availability of ciphers in the openssl program.
       (no-XXX is not able to detect pseudo-commands such as quit, list, or
       no-XXX itself.)
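       The following POSIX sh wrapper is an added example and is not part of
       the manual or of OpenSSL itself. It turns no-XXX into a script-friendly
       test: no-XXX succeeds (exit 0) when the command is absent, which is the
       opposite of what a script usually wants, so the wrapper inverts it, and
       it refuses to answer for the pseudo-commands the text says cannot be
       detected. The function names openssl_has and first_available are the
       example's own.

```shell
#!/bin/sh
# Added example: a script-friendly wrapper around "openssl no-XXX".
# "openssl no-NAME" exits 0 and prints "no-NAME" when NAME is NOT a command,
# and exits 1 and prints "NAME" when it is; extra arguments are ignored.
# This wrapper returns 0 when NAME is available, 1 when it is not, and 2 when
# the question cannot be answered (no openssl binary, or a pseudo-command).
openssl_has() {
    name=$1
    command -v openssl >/dev/null 2>&1 || return 2
    case $name in
        quit|list|no-*) return 2 ;;   # pseudo-commands: not detectable
    esac
    if openssl "no-$name" >/dev/null 2>&1; then
        return 1    # openssl answered "no-NAME": not available in this build
    fi
    return 0        # openssl answered "NAME": available
}

# Pick the first usable command (e.g. cipher) from a preference list, for
# scripts that must run on builds where some ciphers were compiled out.
# Prints the chosen name; returns 1 when none of the candidates is available.
first_available() {
    for candidate in "$@"; do
        if openssl_has "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```

       Usage: "openssl_has aes-256-cbc && echo yes" or
       "cipher=$(first_available aes-256-cbc camellia-256-cbc)". The exit
       status 2 is deliberately distinct from "not available" so a caller can
       tell a missing toolkit apart from a missing cipher.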

   Configuration Option
       Many commands use an external configuration file for some or all of
       their arguments and have a -config option to specify that file. The
       default name of the file is openssl.cnf in the default certificate
       storage area, which can be determined from the openssl-version(1)
       command using the -d or -a option. The environment variable
       OPENSSL_CONF can be used to specify a different file location or to
       disable loading a configuration (using the empty string).

       Among others, the configuration file can be used to load modules and to
       specify parameters for generating certificates and random numbers. See
       config(5) for details.
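       As an added example (not from the manual or the OpenSSL project), the
       shell functions below apply the rules just described to work out which
       configuration file a command will pick up: OPENSSL_CONF wins when it is
       set, an empty OPENSSL_CONF disables loading, and otherwise the file is
       openssl.cnf under the directory that "openssl version -d" reports. The
       function names effective_openssl_conf and openssl_noconf are the
       example's own.

```shell
#!/bin/sh
# Added example: resolve the configuration file an openssl invocation will
# load.  OPENSSL_CONF set and non-empty -> that path; set but empty -> no
# configuration at all; unset -> OPENSSLDIR/openssl.cnf, where OPENSSLDIR is
# taken from "openssl version -d".
effective_openssl_conf() {
    # ${VAR+set} expands to "set" when VAR is set, even to the empty string,
    # which is exactly the distinction the manual draws.
    if [ -n "${OPENSSL_CONF+set}" ]; then
        if [ -z "$OPENSSL_CONF" ]; then
            printf '%s\n' '(configuration loading disabled)'
        else
            printf '%s\n' "$OPENSSL_CONF"
        fi
        return 0
    fi
    # "openssl version -d" prints one line of the form: OPENSSLDIR: "/usr/lib/ssl"
    dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] || return 1
    printf '%s/openssl.cnf\n' "$dir"
}

# Run an openssl command with configuration loading disabled, e.g. to confirm
# that an observed behaviour does not come from a site-wide openssl.cnf.
openssl_noconf() {
    OPENSSL_CONF= openssl "$@"
}
```

       A practical use is auditing: run effective_openssl_conf on each host
       to see which openssl.cnf (and therefore which providers, default
       MinProtocol and similar settings) the tooling there actually loads.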

   Standard Commands
       asn1parse
           Parse an ASN.1 sequence.

       ca  Certificate Authority (CA) Management.

       ciphers
           Cipher Suite Description Determination.

       cms CMS (Cryptographic Message Syntax) command.

       crl Certificate Revocation List (CRL) Management.

       crl2pkcs7
           CRL to PKCS#7 Conversion.

       dgst
           Message Digest calculation. MAC calculations are superseded by
           openssl-mac(1).

       dhparam
           Generation and Management of Diffie-Hellman Parameters. Superseded
           by openssl-genpkey(1) and openssl-pkeyparam(1).

       dsa DSA Data Management.

       dsaparam
           DSA Parameter Generation and Management. Superseded by
           openssl-genpkey(1) and openssl-pkeyparam(1).

       ec  EC (Elliptic curve) key processing.

       ecparam
           EC parameter manipulation and generation.

       enc Encryption, decryption, and encoding.

       engine
           Engine (loadable module) information and manipulation.

       errstr
           Error Number to Error String Conversion.

       gendsa
           Generation of DSA Private Key from Parameters. Superseded by
           openssl-genpkey(1) and openssl-pkey(1).

       genpkey
           Generation of Private Key or Parameters.

       genrsa
           Generation of RSA Private Key. Superseded by openssl-genpkey(1).

       help
           Display information about a command's options.

       info
           Display diverse information built into the OpenSSL libraries.

       kdf Key Derivation Functions.

       list
           List algorithms and features.

       mac Message Authentication Code Calculation.

       nseq
           Create or examine a Netscape certificate sequence.

       ocsp
           Online Certificate Status Protocol command.

       passwd
           Generation of hashed passwords.

       pkcs12
           PKCS#12 Data Management.

       pkcs7
           PKCS#7 Data Management.

       pkcs8
           PKCS#8 format private key conversion command.

       pkey
           Public and private key management.

       pkeyparam
           Public key algorithm parameter management.

       pkeyutl
           Public key algorithm cryptographic operation command.

       prime
           Compute prime numbers.

       rand
           Generate pseudo-random bytes.

       rehash
           Create symbolic links to certificate and CRL files named by the
           hash values.

       req PKCS#10 X.509 Certificate Signing Request (CSR) Management.

       rsa RSA key management.

       rsautl
           RSA command for signing, verification, encryption, and decryption.
           Superseded by openssl-pkeyutl(1).

       s_client
           This implements a generic SSL/TLS client which can establish a
           transparent connection to a remote server speaking SSL/TLS. It's
           intended for testing purposes only and provides only rudimentary
           interface functionality but internally uses almost all
           functionality of the OpenSSL ssl library.

       s_server
           This implements a generic SSL/TLS server which accepts connections
           from remote clients speaking SSL/TLS. It's intended for testing
           purposes only and provides only rudimentary interface functionality
           but internally uses almost all functionality of the OpenSSL ssl
           library. It provides both its own command-line-oriented protocol
           for testing SSL functions and a simple HTTP response facility to
           emulate an SSL/TLS-aware webserver.

       s_time
           SSL Connection Timer.

       sess_id
           SSL Session Data Management.

       smime
           S/MIME mail processing.

       speed
           Algorithm Speed Measurement.

       spkac
           SPKAC printing and generating command.

       srp Maintain SRP password file. This command is deprecated.

       storeutl
           Command to list and display certificates, keys, CRLs, etc.

       ts  Time Stamping Authority command.

       verify
           X.509 Certificate Verification. See also the
           openssl-verification-options(1) manual page.

       version
           OpenSSL Version Information.

       x509
           X.509 Certificate Data Management.

   Message Digest Commands
       blake2b512
           BLAKE2b-512 Digest

       blake2s256
           BLAKE2s-256 Digest

       md2 MD2 Digest

       md4 MD4 Digest

       md5 MD5 Digest

       mdc2
           MDC2 Digest

       rmd160
           RMD-160 Digest

       sha1
           SHA-1 Digest

       sha224
           SHA-2 224 Digest

       sha256
           SHA-2 256 Digest

       sha384
           SHA-2 384 Digest

       sha512
           SHA-2 512 Digest

       sha3-224
           SHA-3 224 Digest

       sha3-256
           SHA-3 256 Digest

       sha3-384
           SHA-3 384 Digest

       sha3-512
           SHA-3 512 Digest

       shake128
           SHA-3 SHAKE128 Digest

       shake256
           SHA-3 SHAKE256 Digest

       sm3 SM3 Digest
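       The digest commands above are aliases for openssl-dgst(1); as an added
       example that is not part of the manual, the functions below use
       "openssl dgst -sha256 -r" to check a file against a published SHA-256
       checksum, which is the most common defensive use of these commands
       (verifying a downloaded artefact before trusting it). The -r option
       prints "hex *filename", which is easy to parse. The function names
       file_sha256 and verify_sha256 and the test vector are the example's own.

```shell
#!/bin/sh
# Added example: file-integrity check with the SHA-256 digest command.
# Prints only the hex digest of the named file, or of stdin when no file
# is given.  Returns 1 if openssl could not read the input.
file_sha256() {
    if [ $# -eq 0 ]; then
        out=$(openssl dgst -sha256 -r) || return 1
    else
        out=$(openssl dgst -sha256 -r "$1") || return 1
    fi
    # "-r" output is "<hex> *<name>"; keep everything before the first space
    printf '%s\n' "${out%% *}"
}

# Compare a file against an expected digest, ignoring hex case.
# Returns 0 on match, 1 on mismatch or read error.  The expected value should
# come from a channel separate from the download itself (signed release
# notes, a vendor page over TLS), otherwise the check proves nothing.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$file") || return 1
    [ "$actual" = "$expected" ]
}
```

       Usage: "verify_sha256 package.tgz <published hex> || exit 1". The
       shake128/shake256 commands are extendable-output functions and need
       -xoflen to choose the output size; the fixed-length digests above do
       not.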

   Encryption, Decryption, and Encoding Commands
       The following aliases provide convenient access to the most used
       encodings and ciphers.

       Depending on how OpenSSL was configured and built, not all ciphers
       listed here may be present. See openssl-enc(1) for more information.

       aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb
           AES-128 Cipher

       aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb
           AES-192 Cipher

       aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb
           AES-256 Cipher

       aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb,
       aria-128-ofb
           Aria-128 Cipher

       aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb,
       aria-192-ofb
           Aria-192 Cipher

       aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb,
       aria-256-ofb
           Aria-256 Cipher

       base64
           Base64 Encoding

       bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
           Blowfish Cipher

       camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr,
       camellia-128-ecb, camellia-128-ofb
           Camellia-128 Cipher

       camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr,
       camellia-192-ecb, camellia-192-ofb
           Camellia-192 Cipher

       camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr,
       camellia-256-ecb, camellia-256-ofb
           Camellia-256 Cipher

       cast, cast-cbc
           CAST Cipher

       cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
           CAST5 Cipher

       chacha20
           Chacha20 Cipher

       des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb,
       des-ede-ofb, des-ofb
           DES Cipher

       des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
           Triple-DES Cipher

       idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
           IDEA Cipher

       rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
           RC2 Cipher

       rc4 RC4 Cipher

       rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
           RC5 Cipher

       seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb
           SEED Cipher

       sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb
           SM4 Cipher

OPTIONS
       Details of which options are available depend on the specific command.
       This section describes some common options with common behavior.

   Common Options
       -help
           Provides a terse summary of all options. If an option takes an
           argument, the "type" of argument is also given.

       --  This terminates the list of options. It is mostly useful if any
           filename parameters start with a minus sign:

               openssl verify [flags...] -- -cert1.pem...

   Format Options
       See the openssl-format-options(1) manual page.

   Pass Phrase Options
       See the openssl-passphrase-options(1) manual page.

   Random State Options
       Prior to OpenSSL 1.1.1, it was common for applications to store
       information about the state of the random-number generator in a file
       that was loaded at startup and rewritten upon exit. On modern operating
       systems, this is generally no longer necessary as OpenSSL will seed
       itself from a trusted entropy source provided by the operating system.
       These flags are still supported for special platforms or circumstances
       that might require them.

       It is generally an error to use the same seed file more than once and
       every use of -rand should be paired with -writerand.

       -rand files
           A file or files containing random data used to seed the random
           number generator. Multiple files can be specified separated by an
           OS-dependent character. The separator is ";" for MS-Windows, ","
           for OpenVMS, and ":" for all others. Another way to specify
           multiple files is to repeat this flag with different filenames.

       -writerand file
           Writes the seed data to the specified file upon exit. This file
           can be used in a subsequent command invocation.
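       For the platforms that still need a seed file, the helper below is an
       added example (not from the manual or OpenSSL) that enforces the two
       rules above: it never reuses a seed file without refreshing it, because
       it always passes the same file to both -rand and -writerand, and it
       creates the file with owner-only permissions when it does not exist
       yet. The function names ensure_seed_file and openssl_with_seed and the
       paths used are the example's own.

```shell
#!/bin/sh
# Added example: seed-file hygiene for -rand / -writerand.
# Create the seed file if it is missing, readable and writable by the owner
# only, so its contents cannot be read or replaced by other local users.
ensure_seed_file() {
    f=$1
    if [ ! -f "$f" ]; then
        saved_umask=$(umask)
        umask 077
        openssl rand -out "$f" 1024 || { umask "$saved_umask"; return 1; }
        umask "$saved_umask"
    fi
}

# Run an openssl command with "-rand FILE -writerand FILE" inserted directly
# after the command name (options must precede positional arguments such as
# the byte count of "openssl rand").  Because the same file is named in both
# options, it is consumed at startup and rewritten with fresh data on exit,
# so no invocation ever starts from the seed the previous one used.
# Usage: openssl_with_seed /var/lib/app/seed.bin rand -hex 16
openssl_with_seed() {
    seed=$1; shift
    cmd=$1; shift
    ensure_seed_file "$seed" || return 1
    openssl "$cmd" -rand "$seed" -writerand "$seed" "$@"
}
```

       On an ordinary Linux, BSD, macOS or Windows host none of this is
       needed: the library seeds itself from the operating system, and a
       stale seed file adds nothing to that.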

   Certificate Verification Options
       See the openssl-verification-options(1) manual page.

   Name Format Options
       See the openssl-namedisplay-options(1) manual page.

   TLS Version Options
       Several commands use SSL, TLS, or DTLS. By default, the commands use
       TLS and clients will offer the lowest and highest protocol version they
       support, and servers will pick the highest version that the client
       offers that is also supported by the server.

       The options below can be used to limit which protocol versions are
       used, and whether TCP (SSL and TLS) or UDP (DTLS) is used. Note that
       not all protocols and flags may be available, depending on how OpenSSL
       was built.

       -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1,
       -no_tls1_1, -no_tls1_2, -no_tls1_3
           These options require or disable the use of the specified SSL or
           TLS protocols. When a specific TLS version is required, only that
           version will be offered or accepted. Only one specific protocol
           can be given and it cannot be combined with any of the no_ options.
           The no_* options do not work with s_time and ciphers commands but
           work with s_client and s_server commands.

       -dtls, -dtls1, -dtls1_2
           These options specify to use DTLS instead of TLS. With -dtls,
           clients will negotiate any supported DTLS protocol version. Use
           the -dtls1 or -dtls1_2 options to support only DTLS1.0 or DTLS1.2,
           respectively.
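       Because a single-version option makes s_client offer exactly that
       version, it gives a direct way to confirm that a server you operate
       refuses the versions you meant to disable. The functions below are an
       added example, not part of the manual or of OpenSSL; the names
       tls_version_accepted and tls_version_report and the host:port values
       are the example's own.

```shell
#!/bin/sh
# Added example: check which TLS protocol versions a server accepts by forcing
# one version per handshake with -tls1, -tls1_1, -tls1_2 or -tls1_3.
# Returns 0 when a handshake using exactly VERSION succeeds, 1 otherwise.
# Caveat from the manual: a version compiled out of this OpenSSL build (or
# forbidden by the client's own openssl.cnf) fails on the client side, which
# looks the same as a server rejection; rule that out with "openssl s_client
# -help" or against a known-permissive server before drawing conclusions.
tls_version_accepted() {
    host_port=$1     # e.g. 127.0.0.1:14433 (constructed value for local use)
    version=$2       # tls1 | tls1_1 | tls1_2 | tls1_3
    # stdin from /dev/null ends the session right after the handshake;
    # s_client exits 0 after a clean session and non-zero on handshake failure
    openssl s_client -connect "$host_port" "-$version" \
        </dev/null >/dev/null 2>&1
}

# Prints one "VERSION accepted|rejected" line per protocol version.  A server
# configured for TLS 1.2 and 1.3 only should show exactly those two accepted.
tls_version_report() {
    host_port=$1
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if tls_version_accepted "$host_port" "$v"; then
            printf '%s accepted\n' "$v"
        else
            printf '%s rejected\n' "$v"
        fi
    done
}
```

       To try it against a local test server, start one that is pinned to a
       single version, e.g. "openssl s_server -accept 127.0.0.1:14433 -cert
       cert.pem -key key.pem -tls1_2 -www", then run
       "tls_version_report 127.0.0.1:14433"; only tls1_2 should be accepted.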

   Engine Options
       -engine id
           Load the engine identified by id and use all the methods it
           implements (algorithms, key storage, etc.), unless specified
           otherwise in the command-specific documentation or it is configured
           to do so, as described in "Engine Configuration" in config(5).

           The engine will be used for key ids specified with -key and similar
           options when an option like -keyform engine is given.

           A special case is the "loader_attic" engine, which is meant just
           for internal OpenSSL testing purposes and supports loading keys,
           parameters, certificates, and CRLs from files. When this engine is
           used, files with such credentials are read via this engine. Using
           the "file:" schema is optional; a plain file (path) name will do.

       Options specifying keys, like -key and similar, can use the generic
       OpenSSL engine key loading URI scheme "org.openssl.engine:" to retrieve
       private keys and public keys. The URI syntax is as follows, in
       simplified form:

           org.openssl.engine:{engineid}:{keyid}

       Where "{engineid}" is the identity/name of the engine, and "{keyid}" is
       a key identifier that's acceptable by that engine. For example, when
       using an engine that interfaces against a PKCS#11 implementation, the
       generic key URI would be something like this (this happens to be an
       example for the PKCS#11 engine that's part of OpenSC):

           -key org.openssl.engine:pkcs11:label_some-private-key

       As a third possibility, for engines and providers that have implemented
       their own OSSL_STORE_LOADER(3), "org.openssl.engine:" should not be
       necessary. For a PKCS#11 implementation that has implemented such a
       loader, the PKCS#11 URI as defined in RFC 7512 should be possible to
       use directly:

           -key pkcs11:object=some-private-key;pin-value=1234

   Provider Options
       -provider name
           Load and initialize the provider identified by name. The name can
           be also a path to the provider module. In that case the provider
           name will be the specified path and not just the provider module
           name. Interpretation of relative paths is platform specific. The
           configured "MODULESDIR" path, OPENSSL_MODULES environment variable,
           or the path specified by -provider-path is prepended to relative
           paths. See provider(7) for a more detailed description.

       -provider-path path
           Specifies the search path that is to be used for looking for
           providers. Equivalently, the OPENSSL_MODULES environment variable
           may be set.

       -propquery propq
           Specifies the property query clause to be used when fetching
           algorithms from the loaded providers. See property(7) for a more
           detailed description.

ENVIRONMENT
       The OpenSSL library can take some configuration parameters from the
       environment. Some of these variables are listed below. For
       information about specific commands, see openssl-engine(1),
       openssl-rehash(1), and tsget(1).

       For information about the use of environment variables in
       configuration, see "ENVIRONMENT" in config(5).

       For information about querying or specifying CPU architecture flags,
       see OPENSSL_ia32cap(3), and OPENSSL_s390xcap(3).

       For information about all environment variables used by the OpenSSL
       libraries, see openssl-env(7).

       OPENSSL_TRACE=name[,...]
           Enable tracing output of OpenSSL library, by name. This output
           will only make sense if you know OpenSSL internals well. Also, it
           might not give you any output at all, depending on how OpenSSL was
           built.

           The value is a comma separated list of names, with the following
           available:

           TRACE
               Traces the OpenSSL trace API itself.

           INIT
               Traces OpenSSL library initialization and cleanup.

           TLS Traces the TLS/SSL protocol.

           TLS_CIPHER
               Traces the ciphers used by the TLS/SSL protocol.

           CONF
               Show details about provider and engine configuration.

           ENGINE_TABLE
               The function that is used by RSA, DSA (etc) code to select
               registered ENGINEs, cache defaults and functional references
               (etc), will generate debugging summaries.

           ENGINE_REF_COUNT
               Reference counts in the ENGINE structure will be monitored with
               a line of output generated for each change.

           PKCS5V2
               Traces PKCS#5 v2 key generation.

           PKCS12_KEYGEN
               Traces PKCS#12 key generation.

           PKCS12_DECRYPT
               Traces PKCS#12 decryption.

           X509V3_POLICY
               Generates the complete policy tree at various points during
               X.509 v3 policy evaluation.

           BN_CTX
               Traces BIGNUM context operations.

           CMP Traces CMP client and server activity.

           STORE
               Traces STORE operations.

           DECODER
               Traces decoder operations.

           ENCODER
               Traces encoder operations.

           REF_COUNT
               Traces decrementing certain ASN.1 structure references.

SEE ALSO
       openssl-asn1parse(1), openssl-ca(1), openssl-ciphers(1),
       openssl-cms(1), openssl-crl(1), openssl-crl2pkcs7(1), openssl-dgst(1),
       openssl-dhparam(1), openssl-dsa(1), openssl-dsaparam(1), openssl-ec(1),
       openssl-ecparam(1), openssl-enc(1), openssl-engine(1),
       openssl-errstr(1), openssl-gendsa(1), openssl-genpkey(1),
       openssl-genrsa(1), openssl-kdf(1), openssl-list(1), openssl-mac(1),
       openssl-nseq(1), openssl-ocsp(1), openssl-passwd(1), openssl-pkcs12(1),
       openssl-pkcs7(1), openssl-pkcs8(1), openssl-pkey(1),
       openssl-pkeyparam(1), openssl-pkeyutl(1), openssl-prime(1),
       openssl-rand(1), openssl-rehash(1), openssl-req(1), openssl-rsa(1),
       openssl-rsautl(1), openssl-s_client(1), openssl-s_server(1),
       openssl-s_time(1), openssl-sess_id(1), openssl-smime(1),
       openssl-speed(1), openssl-spkac(1), openssl-srp(1),
       openssl-storeutl(1), openssl-ts(1), openssl-verify(1),
       openssl-version(1), openssl-x509(1), config(5), crypto(7),
       openssl-env(7), ssl(7), x509v3_config(5)

HISTORY
       The list -XXX-algorithms options were added in OpenSSL 1.0.0. For notes
       on the availability of other commands, see their individual manual
       pages.

       The -issuer_checks option is deprecated as of OpenSSL 1.1.0 and is
       silently ignored.

       The -xcertform and -xkeyform options are obsolete since OpenSSL 3.0 and
       have no effect.

       The interactive mode, which could be invoked by running "openssl" with
       no further arguments, was removed in OpenSSL 3.0, and running that
       program with no arguments is now equivalent to "openssl help".

COPYRIGHT
       Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

       Licensed under the Apache License 2.0 (the "License"). You may not use
       this file except in compliance with the License. You can obtain a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.0.9                             2023-07-27                     OPENSSL(1ossl)