=pod

=head1 NAME

openssl - OpenSSL command line program

=head1 SYNOPSIS

B<openssl>
I<command>
[ I<options> ... ]
[ I<parameters> ... ]

B<openssl> B<no->I<XXX> [ I<options> ]

B<openssl> B<-help> | B<-version>

=head1 DESCRIPTION

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) network protocols and related
cryptography standards required by them.

The B<openssl> program is a command line program for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
It can be used for

 o Creation and management of private keys, public keys and parameters
 o Public key cryptographic operations
 o Creation of X.509 certificates, CSRs and CRLs
 o Calculation of Message Digests and Message Authentication Codes
 o Encryption and Decryption with Ciphers
 o SSL/TLS Client and Server Tests
 o Handling of S/MIME signed or encrypted mail
 o Timestamp requests, generation and verification

=head1 COMMAND SUMMARY

The B<openssl> program provides a rich variety of commands (I<command> in
the L</SYNOPSIS> above).
Each command can have many options and argument parameters, shown above as
I<options> and I<parameters>.

Detailed documentation and use cases for most standard subcommands are available
(e.g., L<openssl-x509(1)>). The subcommand L<openssl-list(1)> may be used to list
subcommands.

The command B<no->I<XXX> tests whether a command of the
specified name is available. If no command named I<XXX> exists, it
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
and prints I<XXX>. In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)

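As an added example (not part of the OpenSSL documentation or sources), a POSIX shell wrapper around B<no->I<XXX> for use in scripts: it inverts the command's "0 means missing" exit status, refuses to answer for the pseudo-commands the text says cannot be probed, and fails distinctly when no B<openssl> binary is on PATH at all. The function names and the cipher preference list are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenSSL docs): script-friendly wrapper around
# "openssl no-XXX". Assumes an "openssl" binary on PATH; all function names
# here are this example's own.

# openssl_has_command NAME
#   exit 0 -> NAME is a command (or cipher alias) in this openssl build
#   exit 1 -> NAME is not available
#   exit 2 -> cannot tell: no openssl binary, or NAME is one of the
#             pseudo-commands that no-XXX cannot detect (quit, list, no-XXX)
openssl_has_command() {
    command -v openssl >/dev/null 2>&1 || return 2
    case "$1" in
        quit|list|no-*) return 2 ;;
    esac
    # "openssl no-NAME" exits 0 when NAME is MISSING and 1 when it exists
    # (printing the name to stdout either way), so invert the status.
    if openssl "no-$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# first_available_cipher NAME...
#   Prints the first cipher command from a preference list that this build
#   provides, so a script can choose a cipher at runtime instead of
#   hard-coding one that a build configured without it will lack.
first_available_cipher() {
    for cipher in "$@"; do
        if openssl_has_command "$cipher"; then
            printf '%s\n' "$cipher"
            return 0
        fi
    done
    return 1
}

# Usage: prefer AES-256-CBC, fall back to Camellia-256-CBC, else complain.
if cipher=$(first_available_cipher aes-256-cbc camellia-256-cbc); then
    echo "using cipher command: $cipher"
else
    echo "no usable cipher command found" >&2
fi
```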
=head2 Configuration Option

Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The default name of the file is F<openssl.cnf> in the default certificate
storage area, which can be determined from the L<openssl-version(1)>
command using the B<-d> or B<-a> option.
The environment variable B<OPENSSL_CONF> can be used to specify a different
file location or to disable loading a configuration (using the empty string).

Among others, the configuration file can be used to load modules
and to specify parameters for generating certificates and random numbers.
See L<config(5)> for details.

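As an added example (not part of the OpenSSL documentation or sources), a POSIX shell helper that resolves which configuration file a command will load by the rules above: B<OPENSSL_CONF> wins, an empty value disables loading, and otherwise it is F<openssl.cnf> under the directory that C<openssl version -d> reports. It assumes an B<openssl> binary on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL docs): resolve the configuration file
# an openssl command will load. Assumes an "openssl" binary on PATH; the
# function names are this example's own.

# parse_openssldir LINE
#   Extracts the quoted path from a line of the form
#       OPENSSLDIR: "/usr/lib/ssl"
#   Kept separate from the call to openssl so it can be tested on its own.
parse_openssldir() {
    case "$1" in
        'OPENSSLDIR: "'*'"')
            dir=${1#*\"}            # drop everything up to the first quote
            printf '%s\n' "${dir%\"}"   # drop the closing quote
            ;;
        *)
            return 1
            ;;
    esac
}

# openssl_default_dir
#   Prints the OPENSSLDIR compiled into the installed binary.
openssl_default_dir() {
    line=$(openssl version -d) || return 1
    parse_openssldir "$line"
}

# effective_openssl_config
#   Prints the configuration file that will be loaded, "(disabled)" when
#   OPENSSL_CONF is set but empty, and fails when the answer is unknown.
effective_openssl_config() {
    if [ -n "${OPENSSL_CONF+set}" ]; then       # variable is set...
        if [ -z "$OPENSSL_CONF" ]; then          # ...but to the empty string
            printf '(disabled)\n'
        else
            printf '%s\n' "$OPENSSL_CONF"
        fi
        return 0
    fi
    dir=$(openssl_default_dir) || return 1
    printf '%s/openssl.cnf\n' "$dir"
}

# Usage: show the effective file and warn when it is not readable, which is
# worth knowing before trusting any section it is expected to supply.
if cfg=$(effective_openssl_config); then
    echo "configuration: $cfg"
    case "$cfg" in
        '(disabled)') ;;
        *) [ -r "$cfg" ] || echo "warning: $cfg is not readable" >&2 ;;
    esac
else
    echo "cannot determine the configuration file" >&2
fi
```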
=head2 Standard Commands

=over 4

=item B<asn1parse>

Parse an ASN.1 sequence.

=item B<ca>

Certificate Authority (CA) Management.

=item B<ciphers>

Cipher Suite Description Determination.

=item B<cms>

CMS (Cryptographic Message Syntax) command.

=item B<crl>

Certificate Revocation List (CRL) Management.

=item B<crl2pkcs7>

CRL to PKCS#7 Conversion.

=item B<dgst>

Message Digest calculation. MAC calculations are superseded by
L<openssl-mac(1)>.

=item B<dhparam>

Generation and Management of Diffie-Hellman Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.

=item B<dsa>

DSA Data Management.

=item B<dsaparam>

DSA Parameter Generation and Management. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.

=item B<ec>

EC (Elliptic curve) key processing.

=item B<ecparam>

EC parameter manipulation and generation.

=item B<enc>

Encryption, decryption, and encoding.

=item B<engine>

Engine (loadable module) information and manipulation.

=item B<errstr>

Error Number to Error String Conversion.

=item B<fipsinstall>

FIPS configuration installation.

=item B<gendsa>

Generation of DSA Private Key from Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkey(1)>.

=item B<genpkey>

Generation of Private Key or Parameters.

=item B<genrsa>

Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.

=item B<help>

Display information about a command's options.

=item B<info>

Display diverse information built into the OpenSSL libraries.

=item B<kdf>

Key Derivation Functions.

=item B<list>

List algorithms and features.

=item B<mac>

Message Authentication Code Calculation.

=item B<nseq>

Create or examine a Netscape certificate sequence.

=item B<ocsp>

Online Certificate Status Protocol command.

=item B<passwd>

Generation of hashed passwords.

=item B<pkcs12>

PKCS#12 Data Management.

=item B<pkcs7>

PKCS#7 Data Management.

=item B<pkcs8>

PKCS#8 format private key conversion command.

=item B<pkey>

Public and private key management.

=item B<pkeyparam>

Public key algorithm parameter management.

=item B<pkeyutl>

Public key algorithm cryptographic operation command.

=item B<prime>

Compute prime numbers.

=item B<rand>

Generate pseudo-random bytes.

=item B<rehash>

Create symbolic links to certificate and CRL files named by the hash values.

=item B<req>

PKCS#10 X.509 Certificate Signing Request (CSR) Management.

=item B<rsa>

RSA key management.

=item B<rsautl>

RSA command for signing, verification, encryption, and decryption. Superseded
by L<openssl-pkeyutl(1)>.

=item B<s_client>

This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It is intended for testing
purposes only and provides only a rudimentary interface, but internally it
uses most of the functionality of the OpenSSL B<ssl> library.

=item B<s_server>

This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It is intended for testing purposes only and provides
only a rudimentary interface, but internally it uses most of the functionality
of the OpenSSL B<ssl> library. It provides both its own command line oriented
protocol for testing SSL functions and a simple HTTP response facility to
emulate an SSL/TLS-aware web server.

=item B<s_time>

SSL Connection Timer.

=item B<sess_id>

SSL Session Data Management.

=item B<smime>

S/MIME mail processing.

=item B<speed>

Algorithm Speed Measurement.

=item B<spkac>

SPKAC printing and generating command.

=item B<srp>

Maintain SRP password file. This command is deprecated.

=item B<storeutl>

Command to list and display certificates, keys, CRLs, etc.

=item B<ts>

Time Stamping Authority command.

=item B<verify>

X.509 Certificate Verification.
See also the L<openssl-verification-options(1)> manual page.

=item B<version>

OpenSSL Version Information.

=item B<x509>

X.509 Certificate Data Management.

=back

=head2 Message Digest Commands

=over 4

=item B<blake2b512>

BLAKE2b-512 Digest

=item B<blake2s256>

BLAKE2s-256 Digest

=item B<md2>

MD2 Digest

=item B<md4>

MD4 Digest

=item B<md5>

MD5 Digest

=item B<mdc2>

MDC2 Digest

=item B<rmd160>

RMD-160 Digest

=item B<sha1>

SHA-1 Digest

=item B<sha224>

SHA-2 224 Digest

=item B<sha256>

SHA-2 256 Digest

=item B<sha384>

SHA-2 384 Digest

=item B<sha512>

SHA-2 512 Digest

=item B<sha3-224>

SHA-3 224 Digest

=item B<sha3-256>

SHA-3 256 Digest

=item B<sha3-384>

SHA-3 384 Digest

=item B<sha3-512>

SHA-3 512 Digest

=item B<keccak-224>

KECCAK 224 Digest

=item B<keccak-256>

KECCAK 256 Digest

=item B<keccak-384>

KECCAK 384 Digest

=item B<keccak-512>

KECCAK 512 Digest

=item B<shake128>

SHA-3 SHAKE128 Digest

=item B<shake256>

SHA-3 SHAKE256 Digest

=item B<sm3>

SM3 Digest

=back

=head2 Encryption, Decryption, and Encoding Commands

The following aliases provide convenient access to the most used encodings
and ciphers.

Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See L<openssl-enc(1)> for more information.

=over 4

=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>

AES-128 Cipher

=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>

AES-192 Cipher

=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>

AES-256 Cipher

=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>

Aria-128 Cipher

=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>

Aria-192 Cipher

=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>

Aria-256 Cipher

=item B<base64>

Base64 Encoding

=item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>

Blowfish Cipher

=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>

Camellia-128 Cipher

=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>

Camellia-192 Cipher

=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>

Camellia-256 Cipher

=item B<cast>, B<cast-cbc>

CAST Cipher

=item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>

CAST5 Cipher

=item B<chacha20>

Chacha20 Cipher

=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>

DES Cipher

=item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>

Triple-DES Cipher

=item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>

IDEA Cipher

=item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>

RC2 Cipher

=item B<rc4>

RC4 Cipher

=item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>

RC5 Cipher

=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>

SEED Cipher

=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>

SM4 Cipher

=back

=head1 OPTIONS

Details of which options are available depend on the specific command.
This section describes some common options with common behavior.

=head2 Program Options

These options can be specified without a command specified to get help
or version information.

=over 4

=item B<-help>

Provides a terse summary of all options.
For more detailed information, each command supports a B<-help> option.
Accepts B<--help> as well.

=item B<-version>

Provides a terse summary of the B<openssl> program version.
For more detailed information see L<openssl-version(1)>.
Accepts B<--version> as well.

=back

=head2 Common Options

=over 4

=item B<-help>

Prints a summary of the command's options.
If an option takes an argument, the "type" of argument is also given.

=item B<-->

This terminates the list of options. It is mostly useful if any filename
parameters start with a minus sign:

    openssl verify [flags...] -- -cert1.pem...

=back

=head2 Format Options

See the L<openssl-format-options(1)> manual page.

=head2 Pass Phrase Options

See the L<openssl-passphrase-options(1)> manual page.

=head2 Random State Options

Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.

It is generally an error to use the same seed file more than once and
every use of B<-rand> should be paired with B<-writerand>.

=over 4

=item B<-rand> I<files>

A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for
all others. Another way to specify multiple files is to repeat this flag
with different filenames.

=item B<-writerand> I<file>

Writes the seed data to the specified I<file> upon exit.
This file can be used in a subsequent command invocation.

=back

=head2 Certificate Verification Options

See the L<openssl-verification-options(1)> manual page.

=head2 Name Format Options

See the L<openssl-namedisplay-options(1)> manual page.

=head2 TLS Version Options

Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.

The options below can be used to limit which protocol versions are used,
and whether TCP (SSL and TLS) or UDP (DTLS) is used.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.

=over 4

=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>

These options require or disable the use of the specified SSL or TLS protocols.
When a specific TLS version is required, only that version will be offered or
accepted.
Only one specific protocol can be given and it cannot be combined with any of
the B<no_> options.
The B<no_*> options do not work with the B<s_time> and B<ciphers> commands but
work with the B<s_client> and B<s_server> commands.

=item B<-dtls>, B<-dtls1>, B<-dtls1_2>

These options specify to use DTLS instead of TLS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
respectively.

=back

=head2 Engine Options

=over 4

=item B<-engine> I<id>

Load the engine identified by I<id> and use all the methods it implements
(algorithms, key storage, etc.), unless specified otherwise in the
command-specific documentation or it is configured to do so, as described in
L<config(5)/Engine Configuration>.

The engine will be used for key ids specified with B<-key> and similar
options when an option like B<-keyform engine> is given.

A special case is the C<loader_attic> engine, which
is meant just for internal OpenSSL testing purposes and
supports loading keys, parameters, certificates, and CRLs from files.
When this engine is used, files with such credentials are read via this engine.
Using the C<file:> scheme is optional; a plain file (path) name will do.

=back

Options specifying keys, like B<-key> and similar, can use the generic
OpenSSL engine key loading URI scheme C<org.openssl.engine:> to retrieve
private keys and public keys. The URI syntax is as follows, in simplified
form:

    org.openssl.engine:{engineid}:{keyid}

Where C<{engineid}> is the identity/name of the engine, and C<{keyid}> is a
key identifier that's acceptable by that engine. For example, when using an
engine that interfaces against a PKCS#11 implementation, the generic key URI
would be something like this (this happens to be an example for the PKCS#11
engine that's part of OpenSC):

    -key org.openssl.engine:pkcs11:label_some-private-key

As a third possibility, for engines and providers that have implemented
their own L<OSSL_STORE_LOADER(3)>, C<org.openssl.engine:> should not be
necessary. For a PKCS#11 implementation that has implemented such a loader,
the PKCS#11 URI as defined in RFC 7512 should be possible to use directly:

    -key pkcs11:object=some-private-key;pin-value=1234

=head2 Provider Options

=over 4

=item B<-provider> I<name>

Load and initialize the provider identified by I<name>. The I<name>
can also be a path to the provider module. In that case the provider name
will be the specified path and not just the provider module name.
Interpretation of relative paths is platform specific. The configured
"MODULESDIR" path, B<OPENSSL_MODULES> environment variable, or the path
specified by B<-provider-path> is prepended to relative paths.
See L<provider(7)> for a more detailed description.

=item B<-provider-path> I<path>

Specifies the search path that is to be used for looking for providers.
Equivalently, the B<OPENSSL_MODULES> environment variable may be set.

=item B<-propquery> I<propq>

Specifies the I<property query clause> to be used when fetching algorithms
from the loaded providers.
See L<property(7)> for a more detailed description.

=back

=head1 ENVIRONMENT

The OpenSSL library can take some configuration parameters from the
environment. Some of these variables are listed below. For information
about specific commands, see L<openssl-engine(1)>,
L<openssl-rehash(1)>, and L<tsget(1)>.

For information about the use of environment variables in configuration,
see L<config(5)/ENVIRONMENT>.

For information about querying or specifying CPU architecture flags, see
L<OPENSSL_ia32cap(3)>, L<OPENSSL_s390xcap(3)> and L<OPENSSL_riscvcap(3)>.

For information about all environment variables used by the OpenSSL libraries,
see L<openssl-env(7)>.

=over 4

=item B<OPENSSL_TRACE=>I<name>[,...]

Enable tracing output of the OpenSSL library, by name.
This output will only make sense if you know OpenSSL internals well.
Also, it might not give you any output at all
if OpenSSL was built without tracing support.

The value is a comma separated list of names, with the following
available:

=over 4

=item B<TRACE>

Traces the OpenSSL trace API itself.

=item B<INIT>

Traces OpenSSL library initialization and cleanup.

=item B<TLS>

Traces the TLS/SSL protocol.

=item B<TLS_CIPHER>

Traces the ciphers used by the TLS/SSL protocol.

=item B<CONF>

Show details about provider and engine configuration.

=item B<ENGINE_TABLE>

The function used by the RSA, DSA and similar code to select registered
ENGINEs, cache defaults and functional references will generate
debugging summaries.

=item B<ENGINE_REF_COUNT>

Reference counts in the ENGINE structure will be monitored, with a line
of output generated for each change.

=item B<PKCS5V2>

Traces PKCS#5 v2 key generation.

=item B<PKCS12_KEYGEN>

Traces PKCS#12 key generation.

=item B<PKCS12_DECRYPT>

Traces PKCS#12 decryption.

=item B<X509V3_POLICY>

Generates the complete policy tree at various points during X.509 v3
policy evaluation.

=item B<BN_CTX>

Traces BIGNUM context operations.

=item B<CMP>

Traces CMP client and server activity.

=item B<STORE>

Traces STORE operations.

=item B<DECODER>

Traces decoder operations.

=item B<ENCODER>

Traces encoder operations.

=item B<REF_COUNT>

Traces decrementing certain ASN.1 structure references.

=item B<HTTP>

Traces the HTTP client and server, such as messages being sent and received.

=back

=back

=head1 SEE ALSO

L<openssl-asn1parse(1)>,
L<openssl-ca(1)>,
L<openssl-ciphers(1)>,
L<openssl-cms(1)>,
L<openssl-crl(1)>,
L<openssl-crl2pkcs7(1)>,
L<openssl-dgst(1)>,
L<openssl-dhparam(1)>,
L<openssl-dsa(1)>,
L<openssl-dsaparam(1)>,
L<openssl-ec(1)>,
L<openssl-ecparam(1)>,
L<openssl-enc(1)>,
L<openssl-engine(1)>,
L<openssl-errstr(1)>,
L<openssl-gendsa(1)>,
L<openssl-genpkey(1)>,
L<openssl-genrsa(1)>,
L<openssl-kdf(1)>,
L<openssl-list(1)>,
L<openssl-mac(1)>,
L<openssl-nseq(1)>,
L<openssl-ocsp(1)>,
L<openssl-passwd(1)>,
L<openssl-pkcs12(1)>,
L<openssl-pkcs7(1)>,
L<openssl-pkcs8(1)>,
L<openssl-pkey(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-pkeyutl(1)>,
L<openssl-prime(1)>,
L<openssl-rand(1)>,
L<openssl-rehash(1)>,
L<openssl-req(1)>,
L<openssl-rsa(1)>,
L<openssl-rsautl(1)>,
L<openssl-s_client(1)>,
L<openssl-s_server(1)>,
L<openssl-s_time(1)>,
L<openssl-sess_id(1)>,
L<openssl-smime(1)>,
L<openssl-speed(1)>,
L<openssl-spkac(1)>,
L<openssl-srp(1)>,
L<openssl-storeutl(1)>,
L<openssl-ts(1)>,
L<openssl-verify(1)>,
L<openssl-version(1)>,
L<openssl-x509(1)>,
L<config(5)>,
L<crypto(7)>,
L<openssl-env(7)>,
L<ssl(7)>,
L<x509v3_config(5)>.

=head1 HISTORY

The B<list> B<->I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0.
For notes on the availability of other commands, see their individual
manual pages.

The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.

The B<-xcertform> and B<-xkeyform> options
are obsolete since OpenSSL 3.0 and have no effect.

The interactive mode, which could be invoked by running C<openssl>
with no further arguments, was removed in OpenSSL 3.0, and running
that program with no arguments is now equivalent to C<openssl help>.

=head1 COPYRIGHT

Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut