OPENSSL(1)                          OpenSSL                         OPENSSL(1)



NAME
       openssl - OpenSSL command line tool

SYNOPSIS
       openssl command [ command_opts ] [ command_args ]

       openssl [ list-standard-commands | list-message-digest-commands |
       list-cipher-commands ]

       openssl no-XXX [ arbitrary options ]

DESCRIPTION
       OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
       (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
       the related cryptography standards required by them.

       The openssl program is a command line tool for using the various
       cryptography functions of OpenSSL's crypto library from the shell.  It
       can be used for

        o  Creation of RSA, DH and DSA key parameters
        o  Creation of X.509 certificates, CSRs and CRLs
        o  Calculation of Message Digests
        o  Encryption and Decryption with Ciphers
        o  SSL/TLS Client and Server Tests
        o  Handling of S/MIME signed or encrypted mail

COMMAND SUMMARY
       The openssl program provides a rich variety of commands (command in the
       SYNOPSIS above), each of which often has a wealth of options and
       arguments (command_opts and command_args in the SYNOPSIS).

       The pseudo-commands list-standard-commands, list-message-digest-
       commands, and list-cipher-commands output a list (one entry per line)
       of the names of all standard commands, message digest commands, or
       cipher commands, respectively, that are available in the present
       openssl utility.

       The pseudo-command no-XXX tests whether a command of the specified name
       is available.  If no command named XXX exists, it returns 0 (success)
       and prints no-XXX; otherwise it returns 1 and prints XXX.  In both
       cases the output goes to stdout and nothing is printed to stderr.
       Additional command line arguments are always ignored.  Since for each
       cipher there is a command of the same name, this provides an easy way
       for shell scripts to test for the availability of ciphers in the
       openssl program.  (no-XXX is not able to detect pseudo-commands such as
       quit, list-...-commands, or no-XXX itself.)
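       The following script is an added example, not part of the OpenSSL
       manual or of the OpenSSL project, showing how a shell script uses the
       no-XXX contract above (exit 0 means absent, exit 1 means present) to
       probe a build for commands and cipher commands and to pick the first
       acceptable cipher from a preference list.  It assumes an openssl binary
       on PATH.  The set of "legacy" ciphers it refuses (single DES, RC2, RC4,
       RC5, Blowfish, CAST, IDEA) is this example's own policy, not anything
       OpenSSL enforces, and the `openssl list -cipher-commands` form it tries
       first exists only in OpenSSL 1.1.0 and later; on older builds it falls
       back to the list-cipher-commands pseudo-command documented here.

```shell
#!/bin/sh
# Added example: probing an openssl build with the no-XXX pseudo-command.
# Assumes an `openssl` binary on PATH; the legacy deny-list is this script's
# policy only.

# openssl_has NAME
#   returns 0 if this openssl build has a command (or cipher/digest command)
#   called NAME, 1 if it does not, 2 if no usable openssl binary is found.
# Relies on the documented contract of `openssl no-NAME`: exit 0 (printing
# "no-NAME") when NAME is absent, exit 1 (printing "NAME") when present.
# Pseudo-commands (quit, list-...-commands) are never "detected" this way.
openssl_has() {
    command -v openssl >/dev/null 2>&1 || return 2
    rc=0
    openssl "no-$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 1 ;;   # "no-NAME" printed: command missing
        1) return 0 ;;   # "NAME" printed: command present
        *) return 2 ;;   # exec failure or other unexpected status
    esac
}

# is_legacy_cipher NAME -> 0 if NAME is a cipher command this script refuses
# to select even when the build offers it (64-bit block ciphers, RC4, DES).
is_legacy_cipher() {
    case $1 in
        des|des-*|desx|des3|rc2*|rc4*|rc5*|bf*|cast*|idea*) return 0 ;;
        *) return 1 ;;
    esac
}

# first_acceptable_cipher NAME... -> prints the first NAME that is present in
# this build and not on the legacy list; exit 1 if none qualifies.
first_acceptable_cipher() {
    for c in "$@"; do
        if is_legacy_cipher "$c"; then
            continue
        fi
        if openssl_has "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# list_ciphers -> one cipher command name per line.  Tries the 1.1.0+ form
# first (assumption: it prints names in columns, hence the tr/sed), then the
# pseudo-command documented on this page.
list_ciphers() {
    { openssl list -cipher-commands 2>/dev/null ||
      openssl list-cipher-commands 2>/dev/null; } |
        tr -s ' \t' '\n' | sed '/^$/d'
}

# Stand-alone demo: sh probe.sh
main() {
    if cipher=$(first_acceptable_cipher aes-256-cbc aes-128-cbc des-ede3-cbc); then
        echo "using cipher command: $cipher"
    else
        echo "no acceptable cipher command in this openssl build"
    fi
    echo "cipher commands available: $(list_ciphers | wc -l)"
    for name in dgst quit list-standard-commands; do
        if openssl_has "$name"; then
            echo "$name: present"
        else
            echo "$name: not detected"
        fi
    done
}
if command -v openssl >/dev/null 2>&1; then main; fi
```

       Because no-XXX only consults the command table, openssl_has reports
       quit and list-standard-commands as "not detected" even though both work
       as pseudo-commands, exactly as the caveat above warns; use it only for
       real command, digest and cipher names.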

   STANDARD COMMANDS

       asn1parse Parse an ASN.1 sequence.

       ca        Certificate Authority (CA) Management.

       ciphers   Cipher Suite Description Determination.

       crl       Certificate Revocation List (CRL) Management.

       crl2pkcs7 CRL to PKCS#7 Conversion.

       dgst      Message Digest Calculation.

       dh        Diffie-Hellman Parameter Management.  Obsoleted by dhparam.

       dsa       DSA Data Management.

       dsaparam  DSA Parameter Generation.

       enc       Encoding with Ciphers.

       errstr    Error Number to Error String Conversion.

       dhparam   Generation and Management of Diffie-Hellman Parameters.

       gendh     Generation of Diffie-Hellman Parameters.  Obsoleted by
                 dhparam.

       gendsa    Generation of DSA private keys from a set of DSA parameters.

       genrsa    Generation of RSA private keys.

       ocsp      Online Certificate Status Protocol utility.

       passwd    Generation of hashed passwords.

       pkcs12    PKCS#12 Data Management.

       pkcs7     PKCS#7 Data Management.

       rand      Generate pseudo-random bytes.

       req       X.509 Certificate Signing Request (CSR) Management.

       rsa       RSA Data Management.

       rsautl    RSA utility for signing, verification, encryption, and
                 decryption.

       s_client  This implements a generic SSL/TLS client which can establish
                 a transparent connection to a remote server speaking SSL/TLS.
                 It is intended for testing purposes only and provides only a
                 rudimentary interface, but internally it exercises most of
                 the functionality of the OpenSSL ssl library.

       s_server  This implements a generic SSL/TLS server which accepts
                 connections from remote clients speaking SSL/TLS.  It is
                 intended for testing purposes only and provides only a
                 rudimentary interface, but internally it exercises most of
                 the functionality of the OpenSSL ssl library.  It provides
                 both its own command line oriented protocol for testing SSL
                 functions and a simple HTTP response facility to emulate an
                 SSL/TLS-aware webserver.

       s_time    SSL Connection Timer.

       sess_id   SSL Session Data Management.

       smime     S/MIME mail processing.

       speed     Algorithm Speed Measurement.

       verify    X.509 Certificate Verification.

       version   OpenSSL Version Information.

       x509      X.509 Certificate Data Management.

   MESSAGE DIGEST COMMANDS

       md2       MD2 Digest

       md5       MD5 Digest

       mdc2      MDC2 Digest

       rmd160    RMD-160 Digest

       sha       SHA Digest

       sha1      SHA-1 Digest

   ENCODING AND CIPHER COMMANDS

       base64    Base64 Encoding

       bf bf-cbc bf-cfb bf-ecb bf-ofb
                 Blowfish Cipher

       cast cast-cbc
                 CAST Cipher

       cast5-cbc cast5-cfb cast5-ecb cast5-ofb
                 CAST5 Cipher

       des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
       des-ofb
                 DES Cipher

       des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
                 Triple-DES Cipher

       idea idea-cbc idea-cfb idea-ecb idea-ofb
                 IDEA Cipher

       rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
                 RC2 Cipher

       rc4       RC4 Cipher

       rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
                 RC5 Cipher

PASS PHRASE ARGUMENTS
       Several commands accept password arguments, typically using -passin and
       -passout for input and output passwords respectively.  These allow the
       password to be obtained from a variety of sources.  Both of these
       options take a single argument whose format is described below.  If no
       password argument is given and a password is required then the user is
       prompted to enter one: this will typically be read from the current
       terminal with echoing turned off.

       pass:password
                 the actual password is password.  Since the command line,
                 and therefore the password, is visible to other users of the
                 system through utilities like 'ps' under Unix, this form
                 should only be used where security is not important.

       env:var   obtain the password from the environment variable var.
                 Since the environment of other processes is visible on
                 certain platforms (e.g. ps under certain Unix OSes) this
                 option should be used with caution.

       file:pathname
                 the first line of pathname is the password.  If the same
                 pathname argument is supplied to -passin and -passout then
                 the first line will be used for the input password and the
                 next line for the output password.  pathname need not refer
                 to a regular file: it could for example refer to a device or
                 named pipe.

       fd:number read the password from the file descriptor number.  This can
                 be used to send the data via a pipe, for example.

       stdin     read the password from standard input.
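       The following script is an added example, not part of the OpenSSL
       manual or of the OpenSSL project, showing the fd: and file: forms in
       use: it generates an encrypted RSA key with the pass phrase delivered on
       file descriptor 3 (so it appears neither on the command line nor in the
       environment), checks which pass phrase unlocks the key, and rotates the
       pass phrase by handing the same two-line file: argument to -passin and
       -passout as described above.  It assumes an openssl binary on PATH with
       the genrsa and rsa commands; the key size, the AES-256 key cipher and
       the function names are this example's choices.

```shell
#!/bin/sh
# Added example: passing pass phrases to openssl via fd: and file: rather than
# pass: or env:.  Assumes `openssl` on PATH with genrsa and rsa.

# gen_encrypted_key KEYFILE PASSPHRASE
#   Generate a 2048-bit RSA key encrypted with AES-256.  The pass phrase is
#   written to a pipe that is duplicated onto fd 3, so `ps` only ever shows
#   "-passout fd:3" and nothing is placed in the environment.
gen_encrypted_key() {
    printf '%s\n' "$2" |
        openssl genrsa -aes256 -passout fd:3 -out "$1" 2048 3<&0 2>/dev/null
}

# key_unlocks KEYFILE PASSPHRASE -> 0 if PASSPHRASE decrypts KEYFILE, 1 if not.
key_unlocks() {
    printf '%s\n' "$2" |
        openssl rsa -in "$1" -passin fd:3 -noout 3<&0 >/dev/null 2>&1
}

# rotate_passphrase KEYFILE OLDPW NEWPW
#   Re-encrypt KEYFILE in place under NEWPW.  Giving the same file: argument to
#   -passin and -passout makes openssl read line 1 as the input (old) pass
#   phrase and line 2 as the output (new) one.  The file is created mode 0600
#   in a private temporary directory and removed afterwards.
rotate_passphrase() {
    key=$1; oldpw=$2; newpw=$3
    dir=$(mktemp -d) || return 2
    pwfile=$dir/pw
    (umask 077; printf '%s\n%s\n' "$oldpw" "$newpw" > "$pwfile") ||
        { rm -rf "$dir"; return 2; }
    rc=0
    openssl rsa -in "$key" -passin "file:$pwfile" \
        -aes256 -passout "file:$pwfile" -out "$dir/new.pem" >/dev/null 2>&1 ||
        rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$dir/new.pem" "$key"
    fi
    rm -rf "$dir"
    return "$rc"
}

# Stand-alone demo: sh passphrase.sh
main() {
    workdir=$(mktemp -d) || exit 2
    gen_encrypted_key "$workdir/key.pem" 'correct horse battery staple'
    key_unlocks "$workdir/key.pem" 'correct horse battery staple' &&
        echo "original pass phrase unlocks the key"
    rotate_passphrase "$workdir/key.pem" \
        'correct horse battery staple' 'a different pass phrase' &&
        echo "pass phrase rotated"
    key_unlocks "$workdir/key.pem" 'correct horse battery staple' ||
        echo "original pass phrase now rejected"
    key_unlocks "$workdir/key.pem" 'a different pass phrase' &&
        echo "new pass phrase unlocks the key"
    rm -rf "$workdir"
}
if command -v openssl >/dev/null 2>&1; then main; fi
```

       The fd: form is the one to reach for in automation: the secret lives
       only in a pipe between the two processes, whereas a pass: argument is
       readable by every local user through ps for as long as openssl runs.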

SEE ALSO
       asn1parse(1), ca(1), config(5), crl(1), crl2pkcs7(1), dgst(1),
       dhparam(1), dsa(1), dsaparam(1), enc(1), gendsa(1), genrsa(1), nseq(1),
       openssl(1), passwd(1), pkcs12(1), pkcs7(1), pkcs8(1), rand(1), req(1),
       rsa(1), rsautl(1), s_client(1), s_server(1), s_time(1), smime(1),
       spkac(1), verify(1), version(1), x509(1), crypto(3), ssl(3)

HISTORY
       The openssl(1) document appeared in OpenSSL 0.9.2.  The list-XXX-
       commands pseudo-commands were added in OpenSSL 0.9.3; the no-XXX
       pseudo-commands were added in OpenSSL 0.9.5a.  For notes on the
       availability of other commands, see their individual manual pages.



0.9.8b                            2004-01-04                        OPENSSL(1)