]>
Commit | Line | Data |
---|---|---|
aba3e65f DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
4b537191 | 5 | openssl - OpenSSL command line program |
aba3e65f DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> | |
10 | I<command> | |
d86925e6 RS |
11 | [ I<options> ... ] |
12 | [ I<parameters> ... ] | |
aba3e65f | 13 | |
b2bdfb63 RL |
14 | B<openssl> |
15 | B<list> | |
16 | B<-standard-commands> | | |
17 | B<-digest-commands> | | |
18 | B<-cipher-commands> | | |
19 | B<-cipher-algorithms> | | |
20 | B<-digest-algorithms> | | |
21 | B<-mac-algorithms> | | |
22 | B<-public-key-algorithms> | |
88220dcb | 23 | |
d86925e6 | 24 | B<openssl> B<no->I<XXX> [ I<options> ] |
88220dcb | 25 | |
aba3e65f DSH |
26 | =head1 DESCRIPTION |
27 | ||
28 | OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL | |
29 | v2/v3) and Transport Layer Security (TLS v1) network protocols and related | |
30 | cryptography standards required by them. | |
31 | ||
4b537191 | 32 | The B<openssl> program is a command line program for using the various |
4c583c36 AM |
33 | cryptography functions of OpenSSL's B<crypto> library from the shell. |
34 | It can be used for | |
aba3e65f | 35 | |
e4549295 DSH |
36 | o Creation and management of private keys, public keys and parameters |
37 | o Public key cryptographic operations | |
4c583c36 | 38 | o Creation of X.509 certificates, CSRs and CRLs |
4d768e96 | 39 | o Calculation of Message Digests and Message Authentication Codes |
aba3e65f DSH |
40 | o Encryption and Decryption with Ciphers |
41 | o SSL/TLS Client and Server Tests | |
54a34aec | 42 | o Handling of S/MIME signed or encrypted mail |
9c0586d5 | 43 | o Timestamp requests, generation and verification |
aba3e65f DSH |
44 | |
45 | =head1 COMMAND SUMMARY | |
46 | ||
22bb8c25 | 47 | The B<openssl> program provides a rich variety of commands (I<command> in |
d86925e6 RS |
48 | the L</SYNOPSIS> above). |
49 | Each command can have many options and argument parameters, shown above as | |
50 | I<options> and I<parameters>. | |
aba3e65f | 51 | |
1362190b | 52 | Detailed documentation and use cases for most standard subcommands are available |
1903a9b7 | 53 | (e.g., L<openssl-x509(1)>). |
1362190b | 54 | |
e9681f83 RS |
55 | Many commands use an external configuration file for some or all of their |
56 | arguments and have a B<-config> option to specify that file. | |
22bb8c25 RS |
57 | The default name of the file is F<openssl.cnf> in the default certificate |
58 | storage area, which can be determined from the L<openssl-version(1)> | |
59 | command. | |
e9681f83 | 60 | The environment variable B<OPENSSL_CONF> can be used to specify |
22bb8c25 RS |
61 | a different location of the file. |
62 | See L<openssl-env(7)>. | |
e9681f83 | 63 | |
2f0ea936 RL |
64 | The list options B<-standard-commands>, B<-digest-commands>, |
65 | and B<-cipher-commands> output a list (one entry per line) of the names | |
88220dcb | 66 | of all standard commands, message digest commands, or cipher commands, |
35a810bb | 67 | respectively, that are available. |
88220dcb | 68 | |
2f0ea936 RL |
69 | The list parameters B<-cipher-algorithms>, B<-digest-algorithms>, |
70 | and B<-mac-algorithms> list all cipher, message digest, and message | |
4d768e96 | 71 | authentication code names, one entry per line. Aliases are listed as: |
112161bd DSH |
72 | |
73 | from => to | |
74 | ||
2f0ea936 | 75 | The list parameter B<-public-key-algorithms> lists all supported public |
112161bd DSH |
76 | key algorithms. |
77 | ||
c03726ca | 78 | The command B<no->I<XXX> tests whether a command of the |
88220dcb BM |
79 | specified name is available. If no command named I<XXX> exists, it |
80 | returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1 | |
81 | and prints I<XXX>. In both cases, the output goes to B<stdout> and | |
82 | nothing is printed to B<stderr>. Additional command line arguments | |
83 | are always ignored. Since for each cipher there is a command of the | |
84 | same name, this provides an easy way for shell scripts to test for the | |
85 | availability of ciphers in the B<openssl> program. (B<no->I<XXX> is | |
86 | not able to detect pseudo-commands such as B<quit>, | |
c03726ca | 87 | B<list>, or B<no->I<XXX> itself.) |
88220dcb | 88 | |
22bb8c25 | 89 | =head2 Standard Commands |
aba3e65f | 90 | |
e1271ac2 | 91 | =over 4 |
aba3e65f | 92 | |
dfee8626 | 93 | =item B<asn1parse> |
aba3e65f DSH |
94 | |
95 | Parse an ASN.1 sequence. | |
96 | ||
dfee8626 | 97 | =item B<ca> |
aba3e65f | 98 | |
4c583c36 | 99 | Certificate Authority (CA) Management. |
aba3e65f | 100 | |
dfee8626 | 101 | =item B<ciphers> |
aba3e65f DSH |
102 | |
103 | Cipher Suite Description Determination. | |
104 | ||
dfee8626 | 105 | =item B<cms> |
e5fa864f | 106 | |
4b537191 | 107 | CMS (Cryptographic Message Syntax) command. |
e5fa864f | 108 | |
dfee8626 | 109 | =item B<crl> |
aba3e65f DSH |
110 | |
111 | Certificate Revocation List (CRL) Management. | |
112 | ||
dfee8626 | 113 | =item B<crl2pkcs7> |
aba3e65f DSH |
114 | |
115 | CRL to PKCS#7 Conversion. | |
116 | ||
dfee8626 | 117 | =item B<dgst> |
aba3e65f | 118 | |
4d768e96 | 119 | Message Digest calculation. MAC calculations are superseded by |
8bc93d2f | 120 | L<openssl-mac(1)>. |
aba3e65f | 121 | |
dfee8626 | 122 | =item B<dhparam> |
e5fa864f | 123 | |
4c583c36 | 124 | Generation and Management of Diffie-Hellman Parameters. Superseded by |
8bc93d2f | 125 | L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>. |
e5fa864f | 126 | |
dfee8626 | 127 | =item B<dsa> |
aba3e65f DSH |
128 | |
129 | DSA Data Management. | |
130 | ||
dfee8626 | 131 | =item B<dsaparam> |
aba3e65f | 132 | |
4c583c36 | 133 | DSA Parameter Generation and Management. Superseded by |
8bc93d2f | 134 | L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>. |
aba3e65f | 135 | |
dfee8626 | 136 | =item B<ec> |
e5fa864f | 137 | |
c4de074e | 138 | EC (Elliptic curve) key processing. |
e5fa864f | 139 | |
dfee8626 | 140 | =item B<ecparam> |
e5fa864f | 141 | |
c4de074e | 142 | EC parameter manipulation and generation. |
e5fa864f | 143 | |
dfee8626 | 144 | =item B<enc> |
aba3e65f | 145 | |
22bb8c25 | 146 | Encryption, decryption, and encoding. |
aba3e65f | 147 | |
dfee8626 | 148 | =item B<engine> |
aba3e65f | 149 | |
4c583c36 | 150 | Engine (loadable module) information and manipulation. |
aba3e65f | 151 | |
dfee8626 | 152 | =item B<errstr> |
727daea7 | 153 | |
e5fa864f | 154 | Error Number to Error String Conversion. |
727daea7 | 155 | |
d333c311 | 156 | =item B<fipsinstall> |
aba3e65f | 157 | |
d333c311 | 158 | FIPS configuration installation. |
aba3e65f | 159 | |
dfee8626 | 160 | =item B<gendsa> |
aba3e65f | 161 | |
4c583c36 | 162 | Generation of DSA Private Key from Parameters. Superseded by |
8bc93d2f | 163 | L<openssl-genpkey(1)> and L<openssl-pkey(1)>. |
e4549295 | 164 | |
dfee8626 | 165 | =item B<genpkey> |
e4549295 DSH |
166 | |
167 | Generation of Private Key or Parameters. | |
aba3e65f | 168 | |
dfee8626 | 169 | =item B<genrsa> |
aba3e65f | 170 | |
8bc93d2f | 171 | Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>. |
aba3e65f | 172 | |
d333c311 RS |
173 | =item B<help> |
174 | ||
175 | Display information about a command's options. | |
176 | ||
0109e030 RL |
177 | =item B<info> |
178 | ||
179 | Display diverse information built into the OpenSSL libraries. | |
180 | ||
c54492ec SL |
181 | =item B<kdf> |
182 | ||
183 | Key Derivation Functions. | |
184 | ||
d333c311 RS |
185 | =item B<list> |
186 | ||
187 | List algorithms and features. | |
188 | ||
4d768e96 SL |
189 | =item B<mac> |
190 | ||
191 | Message Authentication Code Calculation. | |
192 | ||
dfee8626 | 193 | =item B<nseq> |
e5fa864f | 194 | |
c4de074e | 195 | Create or examine a Netscape certificate sequence. |
e5fa864f | 196 | |
dfee8626 | 197 | =item B<ocsp> |
a068630a | 198 | |
4b537191 | 199 | Online Certificate Status Protocol command. |
a068630a | 200 | |
dfee8626 | 201 | =item B<passwd> |
5160448b RL |
202 | |
203 | Generation of hashed passwords. | |
204 | ||
dfee8626 | 205 | =item B<pkcs12> |
3f1c4e49 BM |
206 | |
207 | PKCS#12 Data Management. | |
208 | ||
dfee8626 | 209 | =item B<pkcs7> |
aba3e65f DSH |
210 | |
211 | PKCS#7 Data Management. | |
212 | ||
dfee8626 | 213 | =item B<pkcs8> |
f0b843c1 | 214 | |
4b537191 | 215 | PKCS#8 format private key conversion command. |
f0b843c1 | 216 | |
dfee8626 | 217 | =item B<pkey> |
e4549295 DSH |
218 | |
219 | Public and private key management. | |
220 | ||
dfee8626 | 221 | =item B<pkeyparam> |
e4549295 DSH |
222 | |
223 | Public key algorithm parameter management. | |
224 | ||
dfee8626 | 225 | =item B<pkeyutl> |
e5fa864f | 226 | |
4b537191 | 227 | Public key algorithm cryptographic operation command. |
e5fa864f | 228 | |
dfee8626 | 229 | =item B<prime> |
f0b843c1 RL |
230 | |
231 | Compute prime numbers. | |
232 | ||
d333c311 RS |
233 | =item B<provider> |
234 | ||
235 | Load and query providers. | |
236 | ||
dfee8626 | 237 | =item B<rand> |
afbd0746 BM |
238 | |
239 | Generate pseudo-random bytes. | |
240 | ||
dfee8626 | 241 | =item B<rehash> |
f0b843c1 | 242 | |
24c34608 | 243 | Create symbolic links to certificate and CRL files named by the hash values. |
f0b843c1 | 244 | |
dfee8626 | 245 | =item B<req> |
aba3e65f | 246 | |
e4549295 | 247 | PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
aba3e65f | 248 | |
dfee8626 | 249 | =item B<rsa> |
aba3e65f | 250 | |
e4549295 | 251 | RSA key management. |
aba3e65f | 252 | |
dfee8626 | 253 | =item B<rsautl> |
34417732 | 254 | |
4b537191 | 255 | RSA command for signing, verification, encryption, and decryption. Superseded |
8bc93d2f | 256 | by L<openssl-pkeyutl(1)>. |
34417732 | 257 | |
dfee8626 | 258 | =item B<s_client> |
aba3e65f DSH |
259 | |
260 | This implements a generic SSL/TLS client which can establish a transparent | |
261 | connection to a remote server speaking SSL/TLS. It's intended for testing | |
262 | purposes only and provides only rudimentary interface functionality but | |
263 | internally uses mostly all functionality of the OpenSSL B<ssl> library. | |
264 | ||
dfee8626 | 265 | =item B<s_server> |
aba3e65f DSH |
266 | |
267 | This implements a generic SSL/TLS server which accepts connections from remote | |
268 | clients speaking SSL/TLS. It's intended for testing purposes only and provides | |
269 | only rudimentary interface functionality but internally uses mostly all | |
270 | functionality of the OpenSSL B<ssl> library. It provides both an own command | |
271 | line oriented protocol for testing SSL functions and a simple HTTP response | |
272 | facility to emulate an SSL/TLS-aware webserver. | |
273 | ||
dfee8626 | 274 | =item B<s_time> |
aba3e65f DSH |
275 | |
276 | SSL Connection Timer. | |
277 | ||
dfee8626 | 278 | =item B<sess_id> |
aba3e65f DSH |
279 | |
280 | SSL Session Data Management. | |
281 | ||
dfee8626 | 282 | =item B<smime> |
54a34aec DSH |
283 | |
284 | S/MIME mail processing. | |
285 | ||
dfee8626 | 286 | =item B<speed> |
aba3e65f DSH |
287 | |
288 | Algorithm Speed Measurement. | |
289 | ||
dfee8626 | 290 | =item B<spkac> |
e5fa864f | 291 | |
4b537191 | 292 | SPKAC printing and generating command. |
e5fa864f | 293 | |
dfee8626 | 294 | =item B<srp> |
f0b843c1 RL |
295 | |
296 | Maintain SRP password file. | |
297 | ||
dfee8626 | 298 | =item B<storeutl> |
f0b843c1 | 299 | |
4b537191 | 300 | Command to list and display certificates, keys, CRLs, etc. |
f0b843c1 | 301 | |
dfee8626 | 302 | =item B<ts> |
21e8bbf2 | 303 | |
4b537191 | 304 | Time Stamping Authority command. |
21e8bbf2 | 305 | |
dfee8626 | 306 | =item B<verify> |
aba3e65f DSH |
307 | |
308 | X.509 Certificate Verification. | |
309 | ||
dfee8626 | 310 | =item B<version> |
aba3e65f DSH |
311 | |
312 | OpenSSL Version Information. | |
313 | ||
dfee8626 | 314 | =item B<x509> |
aba3e65f DSH |
315 | |
316 | X.509 Certificate Data Management. | |
317 | ||
318 | =back | |
319 | ||
05ea606a | 320 | =head2 Message Digest Commands |
aba3e65f | 321 | |
e1271ac2 | 322 | =over 4 |
aba3e65f | 323 | |
4b7c6385 KR |
324 | =item B<blake2b512> |
325 | ||
326 | BLAKE2b-512 Digest | |
327 | ||
328 | =item B<blake2s256> | |
329 | ||
330 | BLAKE2s-256 Digest | |
331 | ||
aba3e65f DSH |
332 | =item B<md2> |
333 | ||
334 | MD2 Digest | |
335 | ||
4b7c6385 KR |
336 | =item B<md4> |
337 | ||
338 | MD4 Digest | |
339 | ||
aba3e65f DSH |
340 | =item B<md5> |
341 | ||
342 | MD5 Digest | |
343 | ||
344 | =item B<mdc2> | |
345 | ||
346 | MDC2 Digest | |
347 | ||
348 | =item B<rmd160> | |
349 | ||
350 | RMD-160 Digest | |
351 | ||
4c583c36 | 352 | =item B<sha1> |
aba3e65f DSH |
353 | |
354 | SHA-1 Digest | |
355 | ||
c7503f52 AP |
356 | =item B<sha224> |
357 | ||
4b7c6385 | 358 | SHA-2 224 Digest |
c7503f52 AP |
359 | |
360 | =item B<sha256> | |
361 | ||
4b7c6385 | 362 | SHA-2 256 Digest |
c7503f52 AP |
363 | |
364 | =item B<sha384> | |
365 | ||
4b7c6385 | 366 | SHA-2 384 Digest |
c7503f52 AP |
367 | |
368 | =item B<sha512> | |
369 | ||
4b7c6385 KR |
370 | SHA-2 512 Digest |
371 | ||
372 | =item B<sha3-224> | |
373 | ||
374 | SHA-3 224 Digest | |
375 | ||
376 | =item B<sha3-256> | |
377 | ||
378 | SHA-3 256 Digest | |
379 | ||
380 | =item B<sha3-384> | |
381 | ||
382 | SHA-3 384 Digest | |
383 | ||
384 | =item B<sha3-512> | |
385 | ||
386 | SHA-3 512 Digest | |
387 | ||
388 | =item B<shake128> | |
389 | ||
390 | SHA-3 SHAKE128 Digest | |
391 | ||
392 | =item B<shake256> | |
393 | ||
394 | SHA-3 SHAKE256 Digest | |
395 | ||
396 | =item B<sm3> | |
397 | ||
398 | SM3 Digest | |
c7503f52 | 399 | |
677741f8 AP |
400 | =back |
401 | ||
22bb8c25 | 402 | =head2 Encryption, Decryption, and Encoding Commands |
aba3e65f | 403 | |
1362190b AS |
404 | The following aliases provide convenient access to the most used encodings |
405 | and ciphers. | |
406 | ||
407 | Depending on how OpenSSL was configured and built, not all ciphers listed | |
d86925e6 | 408 | here may be present. See L<openssl-enc(1)> for more information. |
1362190b | 409 | |
e1271ac2 | 410 | =over 4 |
aba3e65f | 411 | |
1362190b AS |
412 | =item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb> |
413 | ||
414 | AES-128 Cipher | |
415 | ||
416 | =item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb> | |
417 | ||
418 | AES-192 Cipher | |
419 | ||
420 | =item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb> | |
421 | ||
422 | AES-256 Cipher | |
423 | ||
424 | =item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb> | |
425 | ||
426 | Aria-128 Cipher | |
427 | ||
428 | =item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb> | |
429 | ||
430 | Aria-192 Cipher | |
431 | ||
432 | =item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb> | |
433 | ||
434 | Aria-256 Cipher | |
435 | ||
aba3e65f DSH |
436 | =item B<base64> |
437 | ||
438 | Base64 Encoding | |
439 | ||
dfee8626 | 440 | =item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb> |
aba3e65f DSH |
441 | |
442 | Blowfish Cipher | |
443 | ||
1362190b AS |
444 | =item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb> |
445 | ||
446 | Camellia-128 Cipher | |
447 | ||
448 | =item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb> | |
449 | ||
450 | Camellia-192 Cipher | |
451 | ||
452 | =item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb> | |
453 | ||
454 | Camellia-256 Cipher | |
455 | ||
dfee8626 | 456 | =item B<cast>, B<cast-cbc> |
aba3e65f DSH |
457 | |
458 | CAST Cipher | |
459 | ||
dfee8626 | 460 | =item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb> |
aba3e65f DSH |
461 | |
462 | CAST5 Cipher | |
463 | ||
1362190b AS |
464 | =item B<chacha20> |
465 | ||
466 | Chacha20 Cipher | |
467 | ||
dfee8626 | 468 | =item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb> |
aba3e65f DSH |
469 | |
470 | DES Cipher | |
471 | ||
dfee8626 | 472 | =item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb> |
aba3e65f DSH |
473 | |
474 | Triple-DES Cipher | |
475 | ||
dfee8626 | 476 | =item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb> |
aba3e65f DSH |
477 | |
478 | IDEA Cipher | |
479 | ||
dfee8626 | 480 | =item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb> |
aba3e65f DSH |
481 | |
482 | RC2 Cipher | |
483 | ||
484 | =item B<rc4> | |
485 | ||
486 | RC4 Cipher | |
487 | ||
dfee8626 | 488 | =item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb> |
aba3e65f DSH |
489 | |
490 | RC5 Cipher | |
491 | ||
1362190b AS |
492 | =item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb> |
493 | ||
494 | SEED Cipher | |
495 | ||
496 | =item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb> | |
497 | ||
498 | SM4 Cipher | |
499 | ||
aba3e65f DSH |
500 | =back |
501 | ||
3dfda1a6 | 502 | =head1 OPTIONS |
0634424f RS |
503 | |
504 | Details of which options are available depend on the specific command. | |
77a795e4 | 505 | This section describes some common options with common behavior. |
0634424f RS |
506 | |
507 | =head2 Common Options | |
508 | ||
e1271ac2 | 509 | =over 4 |
0634424f RS |
510 | |
511 | =item B<-help> | |
512 | ||
513 | Provides a terse summary of all options. | |
a397aca4 RS |
514 | If an option takes an argument, the "type" of argument is also given. |
515 | ||
516 | =item B<--> | |
517 | ||
518 | This terminates the list of options. It is mostly useful if any filename | |
519 | parameters start with a minus sign: | |
520 | ||
521 | openssl verify [flags...] -- -cert1.pem... | |
0634424f RS |
522 | |
523 | =back | |
524 | ||
777182a0 RS |
525 | =head2 Format Options |
526 | ||
527 | Several OpenSSL commands can take input or generate output in a variety | |
528 | of formats. The list of acceptable formats, and the default, is | |
529 | described in each command documentation. The list of formats is | |
530 | described below. Both uppercase and lowercase are accepted. | |
531 | ||
532 | =over 4 | |
533 | ||
534 | =item B<DER> | |
535 | ||
536 | A binary format, encoded or parsed according to Distinguished Encoding Rules | |
537 | (DER) of the ASN.1 data language. | |
538 | ||
539 | =item B<ENGINE> | |
540 | ||
541 | Used to specify that the cryptographic material is in an OpenSSL B<engine>. | |
542 | An engine must be configured or specified using the B<-engine> option. | |
543 | In addition, the B<-input> flag can be used to name a specific object in | |
544 | the engine. | |
545 | A password, such as the B<-passin> flag often must be specified as well. | |
546 | ||
547 | =item B<P12> | |
548 | ||
549 | A DER-encoded file containing a PKCS#12 object. | |
550 | It might be necessary to provide a decryption password to retrieve | |
551 | the private key. | |
552 | ||
553 | =item B<PEM> | |
554 | ||
555 | A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is | |
556 | a block of base-64 encoding (defined in IETF RFC 4648), with specific | |
557 | lines used to mark the start and end: | |
558 | ||
559 | Text before the BEGIN line is ignored. | |
560 | ----- BEGIN object-type ----- | |
561 | OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX | |
562 | xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK | |
563 | UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== | |
564 | ----- END object-type ----- | |
565 | Text after the END line is also ignored | |
566 | ||
567 | The I<object-type> must match the type of object that is expected. | |
568 | For example a C<BEGIN X509 CERTIFICATE> will not match if the command | |
569 | is trying to read a private key. The types supported include: | |
570 | ||
571 | ANY PRIVATE KEY | |
572 | CERTIFICATE | |
573 | CERTIFICATE REQUEST | |
574 | CMS | |
575 | DH PARAMETERS | |
576 | DSA PARAMETERS | |
577 | DSA PUBLIC KEY | |
578 | EC PARAMETERS | |
579 | EC PRIVATE KEY | |
580 | ECDSA PUBLIC KEY | |
581 | ENCRYPTED PRIVATE KEY | |
582 | PARAMETERS | |
583 | PKCS #7 SIGNED DATA | |
584 | PKCS7 | |
585 | PRIVATE KEY | |
586 | PUBLIC KEY | |
587 | RSA PRIVATE KEY | |
588 | SSL SESSION PARAMETERS | |
589 | TRUSTED CERTIFICATE | |
590 | X509 CRL | |
591 | X9.42 DH PARAMETERS | |
592 | ||
593 | The following legacy I<object-type>'s are also supported for compatibility | |
594 | with earlier releases: | |
595 | ||
596 | DSA PRIVATE KEY | |
597 | NEW CERTIFICATE REQUEST | |
598 | RSA PUBLIC KEY | |
599 | X509 CERTIFICATE | |
600 | ||
601 | =item B<SMIME> | |
602 | ||
603 | An S/MIME object as described in IETF RFC 8551. | |
604 | Earlier versions were known as CMS and are compatible. | |
605 | Note that the parsing is simple and might fail to parse some legal data. | |
606 | ||
607 | =back | |
608 | ||
609 | The options to specify the format are as follows. Refer to the individual | |
610 | manpage to see which options are accepted. | |
611 | ||
612 | =over 4 | |
613 | ||
614 | =item B<-inform> I<format>, B<-outform> I<format> | |
615 | ||
616 | The format of the input or output streams. | |
617 | ||
618 | =item B<-keyform> I<format> | |
619 | ||
620 | Format of a private key input source. | |
621 | ||
9fcb9702 | 622 | =item B<-CRLform> I<format> |
777182a0 RS |
623 | |
624 | Format of a CRL input source. | |
625 | ||
626 | =back | |
627 | ||
0634424f | 628 | =head2 Pass Phrase Options |
a3fe382e DSH |
629 | |
630 | Several commands accept password arguments, typically using B<-passin> | |
631 | and B<-passout> for input and output passwords respectively. These allow | |
632 | the password to be obtained from a variety of sources. Both of these | |
633 | options take a single argument whose format is described below. If no | |
634 | password argument is given and a password is required then the user is | |
635 | prompted to enter one: this will typically be read from the current | |
636 | terminal with echoing turned off. | |
637 | ||
84814344 RL |
638 | Note that character encoding may be relevant, please see |
639 | L<passphrase-encoding(7)>. | |
640 | ||
e1271ac2 | 641 | =over 4 |
a3fe382e | 642 | |
2f0ea936 | 643 | =item B<pass:>I<password> |
a3fe382e | 644 | |
2f0ea936 | 645 | The actual password is I<password>. Since the password is visible |
a3fe382e DSH |
646 | to utilities (like 'ps' under Unix) this form should only be used |
647 | where security is not important. | |
648 | ||
2f0ea936 | 649 | =item B<env:>I<var> |
a3fe382e | 650 | |
2f0ea936 | 651 | Obtain the password from the environment variable I<var>. Since |
a3fe382e DSH |
652 | the environment of other processes is visible on certain platforms |
653 | (e.g. ps under certain Unix OSes) this option should be used with caution. | |
654 | ||
2f0ea936 | 655 | =item B<file:>I<pathname> |
a3fe382e | 656 | |
2f0ea936 | 657 | The first line of I<pathname> is the password. If the same I<pathname> |
a3fe382e DSH |
658 | argument is supplied to B<-passin> and B<-passout> arguments then the first |
659 | line will be used for the input password and the next line for the output | |
2f0ea936 | 660 | password. I<pathname> need not refer to a regular file: it could for example |
a3fe382e DSH |
661 | refer to a device or named pipe. |
662 | ||
2f0ea936 | 663 | =item B<fd:>I<number> |
a3fe382e | 664 | |
2f0ea936 | 665 | Read the password from the file descriptor I<number>. This can be used to |
a3fe382e DSH |
666 | send the data via a pipe for example. |
667 | ||
668 | =item B<stdin> | |
669 | ||
c4de074e | 670 | Read the password from standard input. |
a3fe382e DSH |
671 | |
672 | =back | |
673 | ||
a397aca4 RS |
674 | =head2 Trusted Certificate Options |
675 | ||
676 | Part of validating a certificate includes verifying that the chain of CA's | |
677 | can be traced up to an existing trusted root. The following options specify | |
678 | how to list the trusted roots, also known as trust anchors. A collection | |
679 | of trusted roots is called a I<trust store>. | |
680 | ||
681 | Note that OpenSSL does not provide a default set of trust anchors. Many | |
682 | Linux distributions include a system default and configure OpenSSL to point | |
683 | to that. Mozilla maintains an influential trust store that can be found at | |
684 | L<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/>. | |
685 | ||
686 | =over 4 | |
687 | ||
688 | =item B<-CAfile> I<file> | |
689 | ||
690 | Load the specified file which contains one or more PEM-format certificates | |
691 | of CA's that are trusted. | |
692 | ||
693 | =item B<-no-CAfile> | |
694 | ||
695 | Do not load the default file of trusted certificates. | |
696 | ||
697 | =item B<-CApath> I<dir> | |
698 | ||
699 | Use the specified directory as a list of trust certificates. That is, | |
700 | files should be named with the hash of the X.509 SubjectName of each | |
701 | certificate. This is so that the library can extract the IssuerName, | |
702 | hash it, and directly lookup the file to get the issuer certificate. | |
703 | See L<openssl-rehash(1)> for information on creating this type of directory. | |
704 | ||
705 | =item B<-no-CApath> | |
706 | ||
707 | Do not use the default directory of trusted certificates. | |
708 | ||
fd3397fc RL |
709 | =item B<-CAstore> I<uri> |
710 | ||
711 | Use I<uri> as a store of trusted CA certificates. The URI may | |
712 | indicate a single certificate, as well as a collection of them. | |
713 | With URIs in the C<file:> scheme, this acts as B<-CAfile> or | |
714 | B<-CApath>, depending on if the URI indicates a single file or | |
715 | directory. | |
716 | See L<ossl_store-file(7)> for more information on the C<file:> scheme. | |
717 | ||
718 | These certificates are also used when building the server certificate | |
719 | chain (for example with L<openssl-s_server(1)>) or client certificate | |
720 | chain (for example with L<openssl-s_time(1)>). | |
721 | ||
722 | =item B<-no-CAstore> | |
723 | ||
724 | Do not use the default store. | |
725 | ||
a397aca4 RS |
726 | =back |
727 | ||
728 | =head2 Random State Options | |
729 | ||
a08e2bf5 | 730 | Prior to OpenSSL 1.1.1, it was common for applications to store information |
a397aca4 RS |
731 | about the state of the random-number generator in a file that was loaded |
732 | at startup and rewritten upon exit. On modern operating systems, this is | |
a08e2bf5 DMSP |
733 | generally no longer necessary as OpenSSL will seed itself from a trusted |
734 | entropy source provided by the operating system. These flags are still | |
a397aca4 RS |
735 | supported for special platforms or circumstances that might require them. |
736 | ||
737 | It is generally an error to use the same seed file more than once and | |
738 | every use of B<-rand> should be paired with B<-writerand>. | |
739 | ||
740 | =over 4 | |
741 | ||
742 | =item B<-rand> I<files> | |
743 | ||
744 | A file or files containing random data used to seed the random number | |
745 | generator. | |
746 | Multiple files can be specified separated by an OS-dependent character. | |
747 | The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for | |
748 | all others. Another way to specify multiple files is to repeat this flag | |
749 | with different filenames. | |
750 | ||
751 | =item B<-writerand> I<file> | |
752 | ||
753 | Writes the seed data to the specified I<file> upon exit. | |
754 | This file can be used in a subsequent command invocation. | |
755 | ||
756 | =back | |
757 | ||
6bd4e3f2 P |
758 | =head2 Provider Options |
759 | ||
760 | With the move to provider based cryptographic operations in OpenSSL 3.0, | |
761 | options were added to allow specific providers or sets of providers to be used. | |
762 | ||
763 | =over 4 | |
764 | ||
765 | =item B<-provider> I<name> | |
766 | ||
767 | Use the provider identified by I<name> and use all the methods it | |
768 | implements (algorithms, key storage, etc.). This option can be specified | |
769 | multiple time to load more than one provider. | |
770 | ||
771 | =item B<-provider_path> I<path> | |
772 | ||
773 | Specify the search I<path> that is used to locate provider modules. The format | |
774 | of I<path> varies depending on the operating system being used. | |
775 | ||
776 | =back | |
777 | ||
9fcb9702 RS |
778 | =head2 Extended Verification Options |
779 | ||
780 | Sometimes there may be more than one certificate chain leading to an | |
781 | end-entity certificate. | |
782 | This usually happens when a root or intermediate CA signs a certificate | |
783 | for another a CA in other organization. | |
784 | Another reason is when a CA might have intermediates that use two different | |
785 | signature formats, such as a SHA-1 and a SHA-256 digest. | |
786 | ||
787 | The following options can be used to provide data that will allow the | |
788 | OpenSSL command to generate an alternative chain. | |
789 | ||
790 | =over 4 | |
791 | ||
792 | =item B<-xchain_build> | |
793 | ||
794 | Specify whether the application should build the certificate chain to be | |
795 | provided to the server for the extra certificates via the B<-xkey>, | |
796 | B<-xcert>, and B<-xchain> options. | |
797 | ||
798 | =item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain> | |
799 | ||
800 | Specify an extra certificate, private key and certificate chain. These behave | |
801 | in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When | |
802 | specified, the callback returning the first valid chain will be in use by the | |
803 | client. | |
804 | ||
805 | =item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM> | |
806 | ||
79c44b4e | 807 | The input format for the extra certificate and key, respectively. |
9fcb9702 RS |
808 | See L<openssl(1)/Format Options> for details. |
809 | ||
21d08b9e RS |
810 | =item B<-xchain_build> |
811 | ||
812 | Specify whether the application should build the certificate chain to be | |
813 | provided to the server for the extra certificates via the B<-xkey>, | |
814 | B<-xcert>, and B<-xchain> options. | |
815 | ||
816 | =item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM> | |
817 | ||
e02b13ad | 818 | The input format for the extra certificate and key, respectively. |
21d08b9e RS |
819 | See L<openssl(1)/Format Options> for details. |
820 | ||
821 | =back | |
822 | ||
823 | =head2 Verification Options | |
824 | ||
825 | Many OpenSSL commands verify certificates. The details of how each | |
826 | command handles errors are documented on the specific command page. | |
827 | ||
828 | Verification is a complicated process, consisting of a number of separate | |
829 | steps that are detailed in the following paragraphs. | |
830 | ||
831 | First, a certificate chain is built up starting from the supplied certificate | |
832 | and ending in a root CA. It is an error if the whole chain cannot be | |
833 | built up. The chain is built up by looking up the certificate that | |
834 | signed (or issued) the certificate. It then repeats the process, until | |
835 | it gets to a certificate that is self-issued. | |
836 | ||
837 | The process of looking up the issuer's certificate itself involves a number | |
838 | of steps. After all certificates whose subject name matches the issuer | |
839 | name of the current certificate are subject to further tests. The relevant | |
840 | authority key identifier components of the current certificate (if present) | |
841 | must match the subject key identifier (if present) and issuer and serial | |
842 | number of the candidate issuer, in addition the keyUsage extension of the | |
843 | candidate issuer (if present) must permit certificate signing. | |
844 | ||
845 | The lookup first looks in the list of untrusted certificates and if no match | |
846 | is found the remaining lookups are from the trusted certificates. The root CA | |
847 | is always looked up in the trusted certificate list: if the certificate to | |
848 | verify is a root certificate then an exact match must be found in the trusted | |
849 | list. | |
850 | ||
851 | The second step is to check every untrusted certificate's extensions | |
852 | for consistency with the supplied purpose. If the B<-purpose> option is | |
853 | not included then no checks are done. The supplied or "leaf" certificate | |
854 | must have extensions compatible with the supplied purpose and all other | |
855 | certificates must also be valid CA certificates. The precise extensions | |
856 | required are described in more detail in | |
857 | L<openssl-x509(1)/CERTIFICATE EXTENSIONS>. | |
858 | ||
859 | The third step is to check the trust settings on the root CA. The root | |
860 | CA should be trusted for the supplied purpose. For compatibility with | |
861 | previous versions of OpenSSL, a certificate with no trust settings is | |
862 | considered to be valid for all purposes. | |
863 | ||
864 | The fourth, and final, step is to check the validity of the certificate | |
865 | chain. The validity period is checked against the system time | |
866 | and the C<notBefore> and C<notAfter> dates in the certificate. The certificate | |
867 | signatures are also checked at this point. The B<-attime> flag may be | |
868 | used to specify a time other than "now." | |
869 | ||
870 | If all operations complete successfully then certificate is considered | |
871 | valid. If any operation fails then the certificate is not valid. | |
872 | ||
873 | The details of the processing steps can be fine-tuned with the | |
874 | following flags. | |
875 | ||
876 | =over 4 | |
877 | ||
878 | =item B<-verbose> | |
879 | ||
880 | Print extra information about the operations being performed. | |
881 | ||
882 | =item B<-attime> I<timestamp> | |
883 | ||
884 | Perform validation checks using time specified by I<timestamp> and not | |
885 | current system time. I<timestamp> is the number of seconds since | |
886 | January 1, 1970 (i.e., the Unix Epoch). | |
887 | ||
888 | =item B<-no_check_time> | |
889 | ||
890 | This option suppresses checking the validity period of certificates and CRLs | |
891 | against the current time. If option B<-attime> is used to specify | |
892 | a verification time, the check is not suppressed. | |
893 | ||
894 | =item B<-x509_strict> | |
895 | ||
896 | This disables non-compliant workarounds for broken certificates. | |
897 | ||
898 | =item B<-ignore_critical> | |
899 | ||
900 | Normally if an unhandled critical extension is present which is not | |
901 | supported by OpenSSL the certificate is rejected (as required by RFC5280). | |
902 | If this option is set critical extensions are ignored. | |
903 | ||
904 | =item B<-issuer_checks> | |
905 | ||
906 | Ignored. | |
907 | ||
908 | =item B<-crl_check> | |
909 | ||
910 | Checks end entity certificate validity by attempting to look up a valid CRL. | |
911 | If a valid CRL cannot be found an error occurs. | |
912 | ||
913 | =item B<-crl_check_all> | |
914 | ||
915 | Checks the validity of B<all> certificates in the chain by attempting | |
916 | to look up valid CRLs. | |
917 | ||
918 | =item B<-use_deltas> | |
919 | ||
920 | Enable support for delta CRLs. | |
921 | ||
922 | =item B<-extended_crl> | |
923 | ||
924 | Enable extended CRL features such as indirect CRLs and alternate CRL | |
925 | signing keys. | |
926 | ||
927 | =item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192> | |
928 | ||
929 | Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or | |
930 | 192 bit, or only 192 bit Level of Security respectively. | |
931 | See RFC6460 for details. In particular the supported signature algorithms are | |
932 | reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves | |
933 | P-256 and P-384. | |
934 | ||
935 | =item B<-auth_level> I<level> | |
936 | ||
937 | Set the certificate chain authentication security level to I<level>. | |
938 | The authentication security level determines the acceptable signature and | |
939 | public key strength when verifying certificate chains. For a certificate | |
940 | chain to validate, the public keys of all the certificates must meet the | |
941 | specified security I<level>. The signature algorithm security level is | |
942 | enforced for all the certificates in the chain except for the chain's | |
943 | I<trust anchor>, which is either directly trusted or validated by means | |
944 | other than its signature. See L<SSL_CTX_set_security_level(3)> for the | |
945 | definitions of the available levels. The default security level is -1, | |
946 | or "not set". At security level 0 or lower all algorithms are acceptable. | |
947 | Security level 1 requires at least 80-bit-equivalent security and is broadly | |
948 | interoperable, though it will, for example, reject MD5 signatures or RSA | |
949 | keys shorter than 1024 bits. | |
950 | ||
951 | =item B<-partial_chain> | |
952 | ||
953 | Allow verification to succeed even if a I<complete> chain cannot be built to a | |
954 | self-signed trust-anchor, provided it is possible to construct a chain to a | |
955 | trusted certificate that might not be self-signed. | |
956 | ||
957 | =item B<-check_ss_sig> | |
958 | ||
959 | Verify the signature on the self-signed root CA. This is disabled by default | |
960 | because it doesn't add any security. | |
961 | ||
962 | =item B<-allow_proxy_certs> | |
963 | ||
964 | Allow the verification of proxy certificates. | |
965 | ||
966 | =item B<-trusted_first> | |
967 | ||
968 | As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. | |
969 | ||
970 | =item B<-no_alt_chains> | |
971 | ||
972 | As of OpenSSL 1.1.0, since B<-trusted_first> always on, this option has no | |
973 | effect. | |
974 | ||
975 | =item B<-trusted> I<file> | |
976 | ||
977 | Parse I<file> as a set of one or more certificates in PEM format. | |
978 | All certificates must be self-signed, unless the | |
979 | B<-partial_chain> option is specified. | |
2b264aee DDO |
980 | This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options |
981 | and it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so | |
21d08b9e RS |
982 | only certificates in the file are trust anchors. |
983 | This option may be used multiple times. | |
984 | ||
985 | =item B<-untrusted> I<file> | |
986 | ||
987 | Parse I<file> as a set of one or more certificates in PEM format. | |
988 | All certificates are untrusted certificates that may be used to | |
989 | construct a certificate chain from the subject certificate to a trust anchor. | |
990 | This option may be used multiple times. | |
991 | ||
992 | =item B<-policy> I<arg> | |
993 | ||
994 | Enable policy processing and add I<arg> to the user-initial-policy-set (see | |
995 | RFC5280). The policy I<arg> can be an object name an OID in numeric form. | |
996 | This argument can appear more than once. | |
997 | ||
998 | =item B<-explicit_policy> | |
999 | ||
1000 | Set policy variable require-explicit-policy (see RFC5280). | |
1001 | ||
1002 | =item B<-policy_check> | |
1003 | ||
1004 | Enables certificate policy processing. | |
1005 | ||
1006 | =item B<-policy_print> | |
1007 | ||
1008 | Print out diagnostics related to policy processing. | |
1009 | ||
1010 | =item B<-inhibit_any> | |
1011 | ||
1012 | Set policy variable inhibit-any-policy (see RFC5280). | |
1013 | ||
1014 | =item B<-inhibit_map> | |
1015 | ||
1016 | Set policy variable inhibit-policy-mapping (see RFC5280). | |
1017 | ||
1018 | =item B<-purpose> I<purpose> | |
1019 | ||
1020 | The intended use for the certificate. If this option is not specified, this | |
1021 | command will not consider certificate purpose during chain verification. | |
1022 | Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>, | |
1023 | B<smimesign>, B<smimeencrypt>. | |
1024 | ||
1025 | =item B<-verify_depth> I<num> | |
1026 | ||
1027 | Limit the certificate chain to I<num> intermediate CA certificates. | |
1028 | A maximal depth chain can have up to I<num>+2 certificates, since neither the | |
1029 | end-entity certificate nor the trust-anchor certificate count against the | |
1030 | B<-verify_depth> limit. | |
1031 | ||
1032 | =item B<-verify_email> I<email> | |
1033 | ||
1034 | Verify if I<email> matches the email address in Subject Alternative Name or | |
1035 | the email in the subject Distinguished Name. | |
1036 | ||
1037 | =item B<-verify_hostname> I<hostname> | |
1038 | ||
1039 | Verify if I<hostname> matches DNS name in Subject Alternative Name or | |
1040 | Common Name in the subject certificate. | |
1041 | ||
1042 | =item B<-verify_ip> I<ip> | |
1043 | ||
1044 | Verify if I<ip> matches the IP address in Subject Alternative Name of | |
1045 | the subject certificate. | |
1046 | ||
1047 | =item B<-verify_name> I<name> | |
1048 | ||
1049 | Use default verification policies like trust model and required certificate | |
1050 | policies identified by I<name>. | |
1051 | The trust model determines which auxiliary trust or reject OIDs are applicable | |
1052 | to verifying the given certificate chain. | |
1053 | See the B<-addtrust> and B<-addreject> options for L<openssl-x509(1)>. | |
1054 | Supported policy names include: B<default>, B<pkcs7>, B<smime_sign>, | |
1055 | B<ssl_client>, B<ssl_server>. | |
1056 | These mimics the combinations of purpose and trust settings used in SSL, CMS | |
1057 | and S/MIME. | |
1058 | As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not | |
1059 | specified, so the B<-verify_name> options are functionally equivalent to the | |
1060 | corresponding B<-purpose> settings. | |
1061 | ||
9fcb9702 RS |
1062 | =back |
1063 | ||
bc24e3ee RS |
1064 | =head2 Name Format Options |
1065 | ||
1066 | OpenSSL provides fine-grain control over how the subject and issuer DN's are | |
1067 | displayed. | |
1068 | This is specified by using the B<-nameopt> option, which takes a | |
1069 | comma-separated list of options from the following set. | |
e02b13ad | 1070 | An option may be preceded by a minus sign, C<->, to turn it off. |
bc24e3ee RS |
1071 | The default value is C<oneline>. |
1072 | The first four are the most commonly used. | |
1073 | ||
1074 | =over 4 | |
1075 | ||
1076 | =item B<compat> | |
1077 | ||
1078 | Display the name using an old format from previous OpenSSL versions. | |
1079 | ||
1080 | =item B<RFC2253> | |
1081 | ||
1082 | Display the name using the format defined in RFC 2253. | |
1083 | It is equivalent to B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, | |
1084 | B<dump_nostr>, B<dump_unknown>, B<dump_der>, B<sep_comma_plus>, B<dn_rev> | |
1085 | and B<sname>. | |
1086 | ||
1087 | =item B<oneline> | |
1088 | ||
1089 | Display the name in one line, using a format that is more readable | |
1090 | RFC 2253. | |
1091 | It is equivalent to B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, | |
1092 | B<dump_nostr>, B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, | |
1093 | B<space_eq> and B<sname> options. | |
1094 | ||
1095 | =item B<multiline> | |
1096 | ||
1097 | Display the name using multiple lines. | |
1098 | It is equivalent to B<esc_ctrl>, B<esc_msb>, B<sep_multiline>, B<space_eq>, | |
1099 | B<lname> and B<align>. | |
1100 | ||
1101 | =item B<esc_2253> | |
1102 | ||
1103 | Escape the "special" characters in a field, as required by RFC 2253. | |
1104 | That is, any of the characters C<,+"E<lt>E<gt>;>, C<#> at the beginning of | |
1105 | a string and leading or trailing spaces. | |
1106 | ||
1107 | =item B<esc_2254> | |
1108 | ||
1109 | Escape the "special" characters in a field as required by RFC 2254 in a field. | |
1110 | That is, the B<NUL> character and and of C<()*>. | |
1111 | ||
1112 | =item B<esc_ctrl> | |
1113 | ||
1114 | Escape non-printable ASCII characters, codes less than 0x20 (space) | |
1115 | or greater than 0x7F (DELETE). They are displayed using RFC 2253 C<\XX> | |
1116 | notation where B<XX> are the two hex digits representing the character value. | |
1117 | ||
1118 | =item B<esc_msb> | |
1119 | ||
1120 | Escape any characters with the most significant bit set, that is with | |
1121 | values larger than 127, as described in B<esc_ctrl>. | |
1122 | ||
1123 | =item B<use_quote> | |
1124 | ||
1125 | Escapes some characters by surrounding the entire string with quotation | |
1126 | marks, C<">. | |
1127 | Without this option, individual special characters are preceeded with | |
1128 | a backslash character, C<\>. | |
1129 | ||
1130 | =item B<utf8> | |
1131 | ||
1132 | Convert all strings to UTF-8 format first as required by RFC 2253. | |
1133 | If the output device is UTF-8 compatible, then using this option (and | |
1134 | not setting B<esc_msb>) may give the correct display of multibyte | |
1135 | characters. | |
1136 | If this option is not set, then multibyte characters larger than 0xFF | |
1137 | will be output as C<\UXXXX> for 16 bits or C<\WXXXXXXXX> for 32 bits. | |
1138 | In addition, any UTF8Strings will be converted to their character form first. | |
1139 | ||
1140 | =item B<ignore_type> | |
1141 | ||
1142 | This option does not attempt to interpret multibyte characters in any | |
1143 | way. That is, the content octets are merely dumped as though one octet | |
1144 | represents each character. This is useful for diagnostic purposes but | |
1145 | will result in rather odd looking output. | |
1146 | ||
1147 | =item B<show_type> | |
1148 | ||
1149 | Display the type of the ASN1 character string before the value, | |
1150 | such as C<BMPSTRING: Hello World>. | |
1151 | ||
1152 | =item B<dump_der> | |
1153 | ||
1154 | Any fields that would be output in hex format are displayed using | |
1155 | the DER encoding of the field. | |
1156 | If not set, just the content octets are displayed. | |
1157 | Either way, the B<#XXXX...> format of RFC 2253 is used. | |
1158 | ||
1159 | =item B<dump_nostr> | |
1160 | ||
1161 | Dump non-character strings, such as ASN.1 B<OCTET STRING>. | |
1162 | If this option is not set, then non character string types will be displayed | |
1163 | as though each content octet represents a single character. | |
1164 | ||
1165 | =item B<dump_all> | |
1166 | ||
1167 | Dump all fields. When this used with B<dump_der>, this allows the | |
1168 | DER encoding of the structure to be unambiguously determined. | |
1169 | ||
1170 | =item B<dump_unknown> | |
1171 | ||
1172 | Dump any field whose OID is not recognised by OpenSSL. | |
1173 | ||
1174 | =item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>, | |
1175 | B<sep_multiline> | |
1176 | ||
1177 | Specify the field separators. The first word is used between the | |
1178 | Relative Distinguished Names (RDNs) and the second is between | |
1179 | multiple Attribute Value Assertions (AVAs). Multiple AVAs are | |
1180 | very rare and their use is discouraged. | |
1181 | The options ending in "space" additionally place a space after the separator to make it more readable. | |
1182 | The B<sep_multiline> starts each field on its own line, and uses "plus space" | |
1183 | for the AVA separator. | |
1184 | It also indents the fields by four characters. | |
1185 | The default value is B<sep_comma_plus_space>. | |
1186 | ||
1187 | =item B<dn_rev> | |
1188 | ||
1189 | Reverse the fields of the DN as required by RFC 2253. | |
1190 | This also reverses the order of multiple AVAs in a field, but this is | |
1191 | permissible as there is no ordering on values. | |
1192 | ||
1193 | =item B<nofname>, B<sname>, B<lname>, B<oid> | |
1194 | ||
1195 | Specify how the field name is displayed. | |
1196 | B<nofname> does not display the field at all. | |
1197 | B<sname> uses the "short name" form (CN for commonName for example). | |
1198 | B<lname> uses the long form. | |
1199 | B<oid> represents the OID in numerical form and is useful for | |
1200 | diagnostic purpose. | |
1201 | ||
1202 | =item B<align> | |
1203 | ||
1204 | Align field values for a more readable output. Only usable with | |
1205 | B<sep_multiline>. | |
1206 | ||
1207 | =item B<space_eq> | |
1208 | ||
1209 | Places spaces round the equal sign, C<=>, character which follows the field | |
1210 | name. | |
1211 | ||
0b3b2b33 RS |
1212 | =back |
1213 | ||
d4bff20d RS |
1214 | =head2 TLS Version Options |
1215 | ||
1216 | Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and | |
1217 | clients will offer the lowest and highest protocol version they support, | |
1218 | and servers will pick the highest version that the client offers that is also | |
1219 | supported by the server. | |
1220 | ||
1221 | The options below can be used to limit which protocol versions are used, | |
1222 | and whether TCP (SSL and TLS) or UDP (DTLS) is used. | |
1223 | Note that not all protocols and flags may be available, depending on how | |
1224 | OpenSSL was built. | |
1225 | ||
1226 | =over 4 | |
1227 | ||
1228 | =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> | |
1229 | ||
1230 | These options require or disable the use of the specified SSL or TLS protocols. | |
1231 | When a specific TLS version is required, only that version will be offered or | |
1232 | accepted. | |
1233 | Only one specific protocol can be given and it cannot be combined with any of | |
1234 | the B<no_> options. | |
1235 | ||
1236 | =item B<-dtls>, B<-dtls1>, B<-dtls1_2> | |
1237 | ||
1238 | These options specify to use DTLS instead of DLTS. | |
1239 | With B<-dtls>, clients will negotiate any supported DTLS protocol version. | |
1240 | Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2, | |
1241 | respectively. | |
1242 | ||
bc24e3ee RS |
1243 | =back |
1244 | ||
018aaeb4 RS |
1245 | =head2 Engine Options |
1246 | ||
1247 | =over 4 | |
1248 | ||
1249 | =item B<-engine> I<id> | |
1250 | ||
1251 | Use the engine identified by I<id> and use all the methods it | |
1252 | implements (algorithms, key storage, etc.), unless specified otherwise in | |
1253 | the command-specific documentation or it is configured to do so, as described | |
1254 | in L<config(5)/Engine Configuration Module>. | |
1255 | ||
1256 | =back | |
1257 | ||
0b836c21 RL |
1258 | =head1 ENVIRONMENT |
1259 | ||
22bb8c25 RS |
1260 | The OpenSSL library can be take some configuration parameters from the |
1261 | environment. Some of these variables are listed below. For information | |
1262 | about specific commands, see L<openssl-engine(1)>, L<openssl-provider(1)>, | |
1263 | L<openssl-rehash(1)>, and L<tsget(1)>. | |
1264 | ||
1265 | For information about the use of environment variables in configuration, | |
1266 | see L<config(5)/ENVIRONMENT>. | |
1267 | ||
1268 | For information about querying or specifying CPU architecture flags, see | |
1269 | L<OPENSSL_ia32cap(3)>, and L<OPENSSL_s390xcap(3)>. | |
1270 | ||
1271 | For information about all environment variables used by the OpenSSL libraries, | |
1272 | see L<openssl-env(7)>. | |
1273 | ||
0b836c21 RL |
1274 | =over 4 |
1275 | ||
fed8bd90 | 1276 | =item B<OPENSSL_TRACE=>I<name>[,...] |
0b836c21 RL |
1277 | |
1278 | Enable tracing output of OpenSSL library, by name. | |
1279 | This output will only make sense if you know OpenSSL internals well. | |
1280 | Also, it might not give you any output at all, depending on how | |
1281 | OpenSSL was built. | |
1282 | ||
1283 | The value is a comma separated list of names, with the following | |
1284 | available: | |
1285 | ||
1286 | =over 4 | |
1287 | ||
1288 | =item B<TRACE> | |
1289 | ||
1290 | The tracing functionality. | |
1291 | ||
1292 | =item B<TLS> | |
1293 | ||
1294 | General SSL/TLS. | |
1295 | ||
1296 | =item B<TLS_CIPHER> | |
1297 | ||
1298 | SSL/TLS cipher. | |
1299 | ||
1300 | =item B<ENGINE_CONF> | |
1301 | ||
1302 | ENGINE configuration. | |
1303 | ||
1304 | =item B<ENGINE_TABLE> | |
1305 | ||
1306 | The function that is used by RSA, DSA (etc) code to select registered | |
1307 | ENGINEs, cache defaults and functional references (etc), will generate | |
1308 | debugging summaries. | |
1309 | ||
1310 | =item B<ENGINE_REF_COUNT> | |
1311 | ||
1312 | Reference counts in the ENGINE structure will be monitored with a line | |
1313 | of generated for each change. | |
1314 | ||
1315 | =item B<PKCS5V2> | |
1316 | ||
1317 | PKCS#5 v2 keygen. | |
1318 | ||
1319 | =item B<PKCS12_KEYGEN> | |
1320 | ||
1321 | PKCS#12 key generation. | |
1322 | ||
1323 | =item B<PKCS12_DECRYPT> | |
1324 | ||
1325 | PKCS#12 decryption. | |
1326 | ||
1327 | =item B<X509V3_POLICY> | |
1328 | ||
1329 | Generates the complete policy tree at various point during X.509 v3 | |
1330 | policy evaluation. | |
1331 | ||
1332 | =item B<BN_CTX> | |
1333 | ||
1334 | BIGNUM context. | |
1335 | ||
1336 | =back | |
1337 | ||
1338 | =back | |
1339 | ||
aba3e65f DSH |
1340 | =head1 SEE ALSO |
1341 | ||
b6b66573 DMSP |
1342 | L<openssl-asn1parse(1)>, |
1343 | L<openssl-ca(1)>, | |
1344 | L<openssl-ciphers(1)>, | |
1345 | L<openssl-cms(1)>, | |
1346 | L<openssl-crl(1)>, | |
1347 | L<openssl-crl2pkcs7(1)>, | |
1348 | L<openssl-dgst(1)>, | |
1349 | L<openssl-dhparam(1)>, | |
1350 | L<openssl-dsa(1)>, | |
1351 | L<openssl-dsaparam(1)>, | |
1352 | L<openssl-ec(1)>, | |
1353 | L<openssl-ecparam(1)>, | |
1354 | L<openssl-enc(1)>, | |
1355 | L<openssl-engine(1)>, | |
1356 | L<openssl-errstr(1)>, | |
1357 | L<openssl-gendsa(1)>, | |
1358 | L<openssl-genpkey(1)>, | |
1359 | L<openssl-genrsa(1)>, | |
1360 | L<openssl-kdf(1)>, | |
1361 | L<openssl-mac(1)>, | |
1362 | L<openssl-nseq(1)>, | |
1363 | L<openssl-ocsp(1)>, | |
1364 | L<openssl-passwd(1)>, | |
1365 | L<openssl-pkcs12(1)>, | |
1366 | L<openssl-pkcs7(1)>, | |
1367 | L<openssl-pkcs8(1)>, | |
1368 | L<openssl-pkey(1)>, | |
1369 | L<openssl-pkeyparam(1)>, | |
1370 | L<openssl-pkeyutl(1)>, | |
1371 | L<openssl-prime(1)>, | |
1372 | L<openssl-rand(1)>, | |
1373 | L<openssl-rehash(1)>, | |
1374 | L<openssl-req(1)>, | |
1375 | L<openssl-rsa(1)>, | |
1376 | L<openssl-rsautl(1)>, | |
1377 | L<openssl-s_client(1)>, | |
1378 | L<openssl-s_server(1)>, | |
1379 | L<openssl-s_time(1)>, | |
1380 | L<openssl-sess_id(1)>, | |
1381 | L<openssl-smime(1)>, | |
1382 | L<openssl-speed(1)>, | |
1383 | L<openssl-spkac(1)>, | |
1384 | L<openssl-srp(1)>, | |
1385 | L<openssl-storeutl(1)>, | |
1386 | L<openssl-ts(1)>, | |
1387 | L<openssl-verify(1)>, | |
1388 | L<openssl-version(1)>, | |
1389 | L<openssl-x509(1)>, | |
1390 | L<config(5)>, | |
1391 | L<crypto(7)>, | |
22bb8c25 | 1392 | L<openssl-env(7)>. |
b6b66573 DMSP |
1393 | L<ssl(7)>, |
1394 | L<x509v3_config(5)> | |
1395 | ||
aba3e65f DSH |
1396 | |
1397 | =head1 HISTORY | |
1398 | ||
2f0ea936 | 1399 | The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0; |
88220dcb BM |
1400 | For notes on the availability of other commands, see their individual |
1401 | manual pages. | |
aba3e65f | 1402 | |
21d08b9e RS |
1403 | The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and |
1404 | is silently ignored. | |
1405 | ||
e2f92610 RS |
1406 | =head1 COPYRIGHT |
1407 | ||
33388b44 | 1408 | Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 1409 | |
449040b4 | 1410 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
1411 | this file except in compliance with the License. You can obtain a copy |
1412 | in the file LICENSE in the source distribution or at | |
1413 | L<https://www.openssl.org/source/license.html>. | |
1414 | ||
1415 | =cut |