openssl - OpenSSL command line program

B<openssl> B<no->I<XXX> [ I<options> ]

B<openssl> B<-help> | B<-version>
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) network protocols and related
cryptography standards required by them.

The B<openssl> program is a command line program for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.

 o Creation and management of private keys, public keys and parameters
 o Public key cryptographic operations
 o Creation of X.509 certificates, CSRs and CRLs
 o Calculation of Message Digests and Message Authentication Codes
 o Encryption and Decryption with Ciphers
 o SSL/TLS Client and Server Tests
 o Handling of S/MIME signed or encrypted mail
 o Timestamp requests, generation and verification
=head1 COMMAND SUMMARY

The B<openssl> program provides a rich variety of commands (I<command> in
the L</SYNOPSIS> above).
Each command can have many options and argument parameters, shown above as
I<options> and I<parameters>.

Detailed documentation and use cases for most standard subcommands are available
(e.g., L<openssl-x509(1)>). The subcommand L<openssl-list(1)> may be used to list

The command B<no->I<XXX> tests whether a command of the
specified name is available. If no command named I<XXX> exists, it
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
and prints I<XXX>. In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
=head2 Configuration Option

Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The default name of the file is F<openssl.cnf> in the default certificate
storage area, which can be determined from the L<openssl-version(1)>
command using the B<-d> or B<-a> option.
The environment variable B<OPENSSL_CONF> can be used to specify a different
file location or to disable loading a configuration (using the empty string).

Among others, the configuration file can be used to load modules
and to specify parameters for generating certificates and random numbers.
See L<config(5)> for details.
=head2 Standard Commands

Parse an ASN.1 sequence.

Certificate Authority (CA) Management.

Cipher Suite Description Determination.

CMS (Cryptographic Message Syntax) command.

Certificate Revocation List (CRL) Management.

CRL to PKCS#7 Conversion.

Message Digest calculation. MAC calculations are superseded by

Generation and Management of Diffie-Hellman Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.

DSA Parameter Generation and Management. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.

EC (Elliptic curve) key processing.

EC parameter manipulation and generation.

Encryption, decryption, and encoding.

Engine (loadable module) information and manipulation.

Error Number to Error String Conversion.

FIPS configuration installation.

Generation of DSA Private Key from Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkey(1)>.

Generation of Private Key or Parameters.

Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.

Display information about a command's options.

Display diverse information built into the OpenSSL libraries.

Key Derivation Functions.

List algorithms and features.

Message Authentication Code Calculation.

Create or examine a Netscape certificate sequence.

Online Certificate Status Protocol command.

Generation of hashed passwords.

PKCS#12 Data Management.

PKCS#7 Data Management.

PKCS#8 format private key conversion command.

Public and private key management.

Public key algorithm parameter management.

Public key algorithm cryptographic operation command.

Compute prime numbers.

Generate pseudo-random bytes.

Create symbolic links to certificate and CRL files named by the hash values.

PKCS#10 X.509 Certificate Signing Request (CSR) Management.

RSA command for signing, verification, encryption, and decryption. Superseded
by L<openssl-pkeyutl(1)>.
This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It is intended for testing
purposes only and provides only a rudimentary interface, but internally it
uses most of the functionality of the OpenSSL B<ssl> library.

This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It is intended for testing purposes only and provides
only a rudimentary interface, but internally it uses most of the functionality
of the OpenSSL B<ssl> library. It provides both its own command-line-oriented
protocol for testing SSL functions and a simple HTTP response facility to
emulate an SSL/TLS-aware web server.
SSL Connection Timer.

SSL Session Data Management.

S/MIME mail processing.

Algorithm Speed Measurement.

SPKAC printing and generating command.

Maintain SRP password file. This command is deprecated.

Command to list and display certificates, keys, CRLs, etc.

Time Stamping Authority command.

X.509 Certificate Verification.
See also the L<openssl-verification-options(1)> manual page.

OpenSSL Version Information.

X.509 Certificate Data Management.
=head2 Message Digest Commands

SHA-3 SHAKE128 Digest

SHA-3 SHAKE256 Digest

=head2 Encryption, Decryption, and Encoding Commands

The following aliases provide convenient access to the most used encodings

Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See L<openssl-enc(1)> for more information.

=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>

=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>

=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>

=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>

=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>

=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>

=item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>

=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>

=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>

=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>

=item B<cast>, B<cast-cbc>

=item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>

=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>

=item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>

=item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>

=item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>

=item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>

=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>

=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>
Details of which options are available depend on the specific command.
This section describes some common options with common behavior.

=head2 Program Options

These options can be specified without a command specified to get help
or version information.

Provides a terse summary of all options.
For more detailed information, each command supports a B<-help> option.
Accepts B<--help> as well.

Provides a terse summary of the B<openssl> program version.
For more detailed information see L<openssl-version(1)>.
Accepts B<--version> as well.

=head2 Common Options

If an option takes an argument, the "type" of argument is also given.

This terminates the list of options. It is mostly useful if any filename
parameters start with a minus sign:

 openssl verify [flags...] -- -cert1.pem...

=head2 Format Options
See the L<openssl-format-options(1)> manual page.
=head2 Pass Phrase Options

See the L<openssl-passphrase-options(1)> manual page.

=head2 Random State Options

Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.

It is generally an error to use the same seed file more than once and
every use of B<-rand> should be paired with B<-writerand>.

=item B<-rand> I<files>

A file or files containing random data used to seed the random number

Multiple files can be specified separated by an OS-dependent character.
The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for
all others. Another way to specify multiple files is to repeat this flag
with different filenames.

=item B<-writerand> I<file>

Writes the seed data to the specified I<file> upon exit.
This file can be used in a subsequent command invocation.

=head2 Certificate Verification Options

See the L<openssl-verification-options(1)> manual page.

=head2 Name Format Options

See the L<openssl-namedisplay-options(1)> manual page.
=head2 TLS Version Options

Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.

The options below can be used to limit which protocol versions are used,
and whether TCP (SSL and TLS) or UDP (DTLS) is used.
Note that not all protocols and flags may be available, depending on how

=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>

These options require or disable the use of the specified SSL or TLS protocols.
When a specific TLS version is required, only that version will be offered or

Only one specific protocol can be given and it cannot be combined with any of

The B<no_*> options do not work with B<s_time> and B<ciphers> commands but work with
B<s_client> and B<s_server> commands.

=item B<-dtls>, B<-dtls1>, B<-dtls1_2>

These options specify to use DTLS instead of TLS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
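The per-version options above are enough to audit which protocol versions an endpoint you operate still accepts, for instance to confirm that TLS 1.0 and 1.1 really are switched off. The script below is an added example, not part of the OpenSSL manual page or of the project's own code. It assumes an B<openssl> binary of version 1.1.0 or later on the PATH; the function names are ours. It first checks B<openssl s_client -help> for each flag, since a build made without a protocol does not accept the flag at all and the probe would otherwise fail for the wrong reason, and it lowers the client's own security level with the cipher string C<DEFAULT:@SECLEVEL=0> for the TLS 1.0/1.1 probes only, because OpenSSL 3 refuses those versions at its default level regardless of what the server offers.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual page: report which TLS
# protocol versions a server accepts, using the per-version s_client
# options, so that legacy versions can be confirmed disabled on an
# endpoint you run.  Assumes openssl 1.1.0 or later on PATH.

# Version options to probe, oldest first.  -ssl3 is left out because
# current builds do not ship SSL 3.0 support at all.
tls_version_flags() {
    echo "-tls1 -tls1_1 -tls1_2 -tls1_3"
}

# tls_flag_name FLAG  -> human-readable protocol name
tls_flag_name() {
    case $1 in
        -tls1)   echo TLSv1.0 ;;
        -tls1_1) echo TLSv1.1 ;;
        -tls1_2) echo TLSv1.2 ;;
        -tls1_3) echo TLSv1.3 ;;
        *)       echo "$1" ;;
    esac
}

# tls_flag_supported FLAG
#   Returns 0 if this build's s_client lists FLAG in its -help output.
#   A build configured without a protocol (e.g. no-tls1_1) rejects the
#   option outright, which must not be reported as "server rejected".
tls_flag_supported() {
    openssl s_client -help 2>&1 | grep -qE -- "^[[:space:]]*$1[[:space:]]"
}

# tls_accepts HOST PORT FLAG
#   Returns 0 if a handshake restricted to the version selected by FLAG
#   completes.  s_client exits non-zero when the handshake fails; a
#   certificate verification failure alone does not make it fail, which is
#   what we want when auditing hosts that use a private CA.
tls_accepts() {
    case $3 in
        -tls1|-tls1_1)
            # OpenSSL 3.x refuses TLS 1.0/1.1 at its default security level
            # (SHA-1 handshake signatures), so without lowering it every
            # legacy probe would report "rejected" whatever the server does.
            openssl s_client -connect "$1:$2" "$3" -cipher 'DEFAULT:@SECLEVEL=0' \
                </dev/null >/dev/null 2>&1 ;;
        *)
            openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1 ;;
    esac
}

# tls_audit HOST PORT
#   Prints one line per version.  Returns 0 only if no legacy version
#   (TLS 1.0 or 1.1) was accepted, so it can gate a deployment check.
tls_audit() {
    legacy=0
    for flag in $(tls_version_flags); do
        name=$(tls_flag_name "$flag")
        if ! tls_flag_supported "$flag"; then
            echo "$name: not supported by this openssl build, skipped"
            continue
        fi
        if tls_accepts "$1" "$2" "$flag"; then
            echo "$name: accepted"
            case $flag in -tls1|-tls1_1) legacy=$((legacy + 1)) ;; esac
        else
            echo "$name: rejected"
        fi
    done
    [ "$legacy" -eq 0 ]
}

# Usage: sh tls_audit.sh HOST PORT   (a host you operate, e.g. on 443)
if [ "$#" -eq 2 ]; then
    tls_audit "$1" "$2"
fi
```

A "skipped" line means the client build cannot speak that version, so the server's behaviour for it is unknown from this vantage point; only "accepted" and "rejected" describe the server.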
=head2 Engine Options

=item B<-engine> I<id>

Load the engine identified by I<id> and use all the methods it implements
(algorithms, key storage, etc.), unless specified otherwise in the
command-specific documentation or it is configured to do so, as described in
L<config(5)/Engine Configuration>.

The engine will be used for key ids specified with B<-key> and similar
options when an option like B<-keyform engine> is given.
A special case is the C<loader_attic> engine, which
is meant just for internal OpenSSL testing purposes and
supports loading keys, parameters, certificates, and CRLs from files.
When this engine is used, files with such credentials are read via this engine.
Using the C<file:> scheme is optional; a plain file (path) name will do.
Options specifying keys, like B<-key> and similar, can use the generic
OpenSSL engine key loading URI scheme C<org.openssl.engine:> to retrieve
private keys and public keys. The URI syntax is as follows, in simplified

 org.openssl.engine:{engineid}:{keyid}

Where C<{engineid}> is the identity/name of the engine, and C<{keyid}> is a
key identifier that's acceptable by that engine. For example, when using an
engine that interfaces against a PKCS#11 implementation, the generic key URI
would be something like this (this happens to be an example for the PKCS#11
engine that's part of OpenSC):

 -key org.openssl.engine:pkcs11:label_some-private-key

As a third possibility, for engines and providers that have implemented
their own L<OSSL_STORE_LOADER(3)>, C<org.openssl.engine:> should not be
necessary. For a PKCS#11 implementation that has implemented such a loader,
the PKCS#11 URI as defined in RFC 7512 should be possible to use directly:

 -key pkcs11:object=some-private-key;pin-value=1234

=head2 Provider Options

=item B<-provider> I<name>

Load and initialize the provider identified by I<name>. The I<name>
can be also a path to the provider module. In that case the provider name
will be the specified path and not just the provider module name.
Interpretation of relative paths is platform specific. The configured
"MODULESDIR" path, B<OPENSSL_MODULES> environment variable, or the path
specified by B<-provider-path> is prepended to relative paths.
See L<provider(7)> for a more detailed description.

=item B<-provider-path> I<path>

Specifies the search path that is to be used for looking for providers.
Equivalently, the B<OPENSSL_MODULES> environment variable may be set.

=item B<-propquery> I<propq>

Specifies the I<property query clause> to be used when fetching algorithms
from the loaded providers.
See L<property(7)> for a more detailed description.
The OpenSSL library can take some configuration parameters from the
environment. Some of these variables are listed below. For information
about specific commands, see L<openssl-engine(1)>,
L<openssl-rehash(1)>, and L<tsget(1)>.

For information about the use of environment variables in configuration,
see L<config(5)/ENVIRONMENT>.

For information about querying or specifying CPU architecture flags, see
L<OPENSSL_ia32cap(3)>, and L<OPENSSL_s390xcap(3)>.

For information about all environment variables used by the OpenSSL libraries,
see L<openssl-env(7)>.
=item B<OPENSSL_TRACE=>I<name>[,...]

Enable tracing output of OpenSSL library, by name.
This output will only make sense if you know OpenSSL internals well.
Also, it might not give you any output at all
if OpenSSL was built without tracing support.

The value is a comma separated list of names, with the following

Traces the OpenSSL trace API itself.

Traces OpenSSL library initialization and cleanup.

Traces the TLS/SSL protocol.

Traces the ciphers used by the TLS/SSL protocol.

Show details about provider and engine configuration.

=item B<ENGINE_TABLE>

The function that is used by RSA, DSA (etc) code to select registered
ENGINEs, cache defaults and functional references (etc), will generate
=item B<ENGINE_REF_COUNT>

Reference counts in the ENGINE structure will be monitored with a line
of output generated for each change.
Traces PKCS#5 v2 key generation.

=item B<PKCS12_KEYGEN>

Traces PKCS#12 key generation.

=item B<PKCS12_DECRYPT>

Traces PKCS#12 decryption.

=item B<X509V3_POLICY>

Generates the complete policy tree at various points during X.509 v3

Traces BIGNUM context operations.

Traces CMP client and server activity.

Traces STORE operations.

Traces decoder operations.

Traces encoder operations.

Traces decrementing certain ASN.1 structure references.

Traces the HTTP client and server, such as messages being sent and received.
L<openssl-asn1parse(1)>,
L<openssl-ciphers(1)>,
L<openssl-crl2pkcs7(1)>,
L<openssl-dhparam(1)>,
L<openssl-dsaparam(1)>,
L<openssl-ecparam(1)>,
L<openssl-engine(1)>,
L<openssl-errstr(1)>,
L<openssl-gendsa(1)>,
L<openssl-genpkey(1)>,
L<openssl-genrsa(1)>,
L<openssl-passwd(1)>,
L<openssl-pkcs12(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-pkeyutl(1)>,
L<openssl-rehash(1)>,
L<openssl-rsautl(1)>,
L<openssl-s_client(1)>,
L<openssl-s_server(1)>,
L<openssl-s_time(1)>,
L<openssl-sess_id(1)>,
L<openssl-storeutl(1)>,
L<openssl-verify(1)>,
L<openssl-version(1)>,
The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual

The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and

The B<-xcertform> and B<-xkeyform> options
are obsolete since OpenSSL 3.0 and have no effect.

The interactive mode, which could be invoked by running C<openssl>
with no further arguments, was removed in OpenSSL 3.0, and running
that program with no arguments is now equivalent to C<openssl help>.
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.