]>
Commit | Line | Data |
---|---|---|
aba3e65f DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | openssl - OpenSSL command line tool | |
6 | ||
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> | |
10 | I<command> | |
2f0ea936 RL |
11 | [ I<command_opts> ... ] |
12 | [ I<command_args> ... ] | |
aba3e65f | 13 | |
b2bdfb63 RL |
14 | B<openssl> |
15 | B<list> | |
16 | B<-standard-commands> | | |
17 | B<-digest-commands> | | |
18 | B<-cipher-commands> | | |
19 | B<-cipher-algorithms> | | |
20 | B<-digest-algorithms> | | |
21 | B<-mac-algorithms> | | |
22 | B<-public-key-algorithms> | |
88220dcb BM |
23 | |
24 | B<openssl> B<no->I<XXX> [ I<arbitrary options> ] | |
25 | ||
aba3e65f DSH |
26 | =head1 DESCRIPTION |
27 | ||
28 | OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL | |
29 | v2/v3) and Transport Layer Security (TLS v1) network protocols and related | |
30 | cryptography standards required by them. | |
31 | ||
32 | The B<openssl> program is a command line tool for using the various | |
4c583c36 AM |
33 | cryptography functions of OpenSSL's B<crypto> library from the shell. |
34 | It can be used for | |
aba3e65f | 35 | |
e4549295 DSH |
36 | o Creation and management of private keys, public keys and parameters |
37 | o Public key cryptographic operations | |
4c583c36 | 38 | o Creation of X.509 certificates, CSRs and CRLs |
4d768e96 | 39 | o Calculation of Message Digests and Message Authentication Codes |
aba3e65f DSH |
40 | o Encryption and Decryption with Ciphers |
41 | o SSL/TLS Client and Server Tests | |
54a34aec | 42 | o Handling of S/MIME signed or encrypted mail |
9c0586d5 | 43 | o Timestamp requests, generation and verification |
aba3e65f DSH |
44 | |
45 | =head1 COMMAND SUMMARY | |
46 | ||
b2bdfb63 RL |
47 | The B<openssl> program provides a rich variety of sub-commands (I<command> in |
48 | the SYNOPSIS above), each of which often has a wealth of options and arguments | |
aba3e65f DSH |
49 | (I<command_opts> and I<command_args> in the SYNOPSIS). |
50 | ||
1362190b | 51 | Detailed documentation and use cases for most standard subcommands are available |
1903a9b7 | 52 | (e.g., L<openssl-x509(1)>). |
1362190b | 53 | |
e9681f83 RS |
54 | Many commands use an external configuration file for some or all of their |
55 | arguments and have a B<-config> option to specify that file. | |
56 | The environment variable B<OPENSSL_CONF> can be used to specify | |
57 | the location of the file. | |
58 | If the environment variable is not specified, then the file is named | |
1948394d | 59 | F<openssl.cnf> in the default certificate storage area, whose value |
e9681f83 RS |
60 | depends on the configuration flags specified when the OpenSSL |
61 | was built. | |
62 | ||
2f0ea936 RL |
63 | The list options B<-standard-commands>, B<-digest-commands>, |
64 | and B<-cipher-commands> output a list (one entry per line) of the names | |
88220dcb | 65 | of all standard commands, message digest commands, or cipher commands, |
35a810bb | 66 | respectively, that are available. |
88220dcb | 67 | |
2f0ea936 RL |
68 | The list parameters B<-cipher-algorithms>, B<-digest-algorithms>, |
69 | and B<-mac-algorithms> list all cipher, message digest, and message | |
4d768e96 | 70 | authentication code names, one entry per line. Aliases are listed as: |
112161bd DSH |
71 | |
72 | from => to | |
73 | ||
2f0ea936 | 74 | The list parameter B<-public-key-algorithms> lists all supported public |
112161bd DSH |
75 | key algorithms. |
76 | ||
c03726ca | 77 | The command B<no->I<XXX> tests whether a command of the |
88220dcb BM |
78 | specified name is available. If no command named I<XXX> exists, it |
79 | returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1 | |
80 | and prints I<XXX>. In both cases, the output goes to B<stdout> and | |
81 | nothing is printed to B<stderr>. Additional command line arguments | |
82 | are always ignored. Since for each cipher there is a command of the | |
83 | same name, this provides an easy way for shell scripts to test for the | |
84 | availability of ciphers in the B<openssl> program. (B<no->I<XXX> is | |
85 | not able to detect pseudo-commands such as B<quit>, | |
c03726ca | 86 | B<list>, or B<no->I<XXX> itself.) |
88220dcb | 87 | |
b2bdfb63 | 88 | =head2 Standard Sub-commands |
aba3e65f | 89 | |
e1271ac2 | 90 | =over 4 |
aba3e65f | 91 | |
dfee8626 | 92 | =item B<asn1parse> |
aba3e65f DSH |
93 | |
94 | Parse an ASN.1 sequence. | |
95 | ||
dfee8626 | 96 | =item B<ca> |
aba3e65f | 97 | |
4c583c36 | 98 | Certificate Authority (CA) Management. |
aba3e65f | 99 | |
dfee8626 | 100 | =item B<ciphers> |
aba3e65f DSH |
101 | |
102 | Cipher Suite Description Determination. | |
103 | ||
dfee8626 | 104 | =item B<cms> |
e5fa864f | 105 | |
c4de074e | 106 | CMS (Cryptographic Message Syntax) utility. |
e5fa864f | 107 | |
dfee8626 | 108 | =item B<crl> |
aba3e65f DSH |
109 | |
110 | Certificate Revocation List (CRL) Management. | |
111 | ||
dfee8626 | 112 | =item B<crl2pkcs7> |
aba3e65f DSH |
113 | |
114 | CRL to PKCS#7 Conversion. | |
115 | ||
dfee8626 | 116 | =item B<dgst> |
aba3e65f | 117 | |
4d768e96 | 118 | Message Digest calculation. MAC calculations are superseded by |
8bc93d2f | 119 | L<openssl-mac(1)>. |
aba3e65f | 120 | |
727daea7 | 121 | =item B<dh> |
aba3e65f | 122 | |
727daea7 | 123 | Diffie-Hellman Parameter Management. |
8bc93d2f | 124 | Obsoleted by L<openssl-dhparam(1)>. |
aba3e65f | 125 | |
dfee8626 | 126 | =item B<dhparam> |
e5fa864f | 127 | |
4c583c36 | 128 | Generation and Management of Diffie-Hellman Parameters. Superseded by |
8bc93d2f | 129 | L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>. |
e5fa864f | 130 | |
dfee8626 | 131 | =item B<dsa> |
aba3e65f DSH |
132 | |
133 | DSA Data Management. | |
134 | ||
dfee8626 | 135 | =item B<dsaparam> |
aba3e65f | 136 | |
4c583c36 | 137 | DSA Parameter Generation and Management. Superseded by |
8bc93d2f | 138 | L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>. |
aba3e65f | 139 | |
dfee8626 | 140 | =item B<ec> |
e5fa864f | 141 | |
c4de074e | 142 | EC (Elliptic curve) key processing. |
e5fa864f | 143 | |
dfee8626 | 144 | =item B<ecparam> |
e5fa864f | 145 | |
c4de074e | 146 | EC parameter manipulation and generation. |
e5fa864f | 147 | |
dfee8626 | 148 | =item B<enc> |
aba3e65f DSH |
149 | |
150 | Encoding with Ciphers. | |
151 | ||
dfee8626 | 152 | =item B<engine> |
aba3e65f | 153 | |
4c583c36 | 154 | Engine (loadable module) information and manipulation. |
aba3e65f | 155 | |
dfee8626 | 156 | =item B<errstr> |
727daea7 | 157 | |
e5fa864f | 158 | Error Number to Error String Conversion. |
727daea7 BM |
159 | |
160 | =item B<gendh> | |
aba3e65f DSH |
161 | |
162 | Generation of Diffie-Hellman Parameters. | |
8bc93d2f | 163 | Obsoleted by L<openssl-dhparam(1)>. |
aba3e65f | 164 | |
dfee8626 | 165 | =item B<gendsa> |
aba3e65f | 166 | |
4c583c36 | 167 | Generation of DSA Private Key from Parameters. Superseded by |
8bc93d2f | 168 | L<openssl-genpkey(1)> and L<openssl-pkey(1)>. |
e4549295 | 169 | |
dfee8626 | 170 | =item B<genpkey> |
e4549295 DSH |
171 | |
172 | Generation of Private Key or Parameters. | |
aba3e65f | 173 | |
dfee8626 | 174 | =item B<genrsa> |
aba3e65f | 175 | |
8bc93d2f | 176 | Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>. |
aba3e65f | 177 | |
0109e030 RL |
178 | =item B<info> |
179 | ||
180 | Display diverse information built into the OpenSSL libraries. | |
181 | ||
c54492ec SL |
182 | =item B<kdf> |
183 | ||
184 | Key Derivation Functions. | |
185 | ||
4d768e96 SL |
186 | =item B<mac> |
187 | ||
188 | Message Authentication Code Calculation. | |
189 | ||
dfee8626 | 190 | =item B<nseq> |
e5fa864f | 191 | |
c4de074e | 192 | Create or examine a Netscape certificate sequence. |
e5fa864f | 193 | |
dfee8626 | 194 | =item B<ocsp> |
a068630a UM |
195 | |
196 | Online Certificate Status Protocol utility. | |
197 | ||
dfee8626 | 198 | =item B<passwd> |
5160448b RL |
199 | |
200 | Generation of hashed passwords. | |
201 | ||
dfee8626 | 202 | =item B<pkcs12> |
3f1c4e49 BM |
203 | |
204 | PKCS#12 Data Management. | |
205 | ||
dfee8626 | 206 | =item B<pkcs7> |
aba3e65f DSH |
207 | |
208 | PKCS#7 Data Management. | |
209 | ||
dfee8626 | 210 | =item B<pkcs8> |
f0b843c1 RL |
211 | |
212 | PKCS#8 format private key conversion tool. | |
213 | ||
dfee8626 | 214 | =item B<pkey> |
e4549295 DSH |
215 | |
216 | Public and private key management. | |
217 | ||
dfee8626 | 218 | =item B<pkeyparam> |
e4549295 DSH |
219 | |
220 | Public key algorithm parameter management. | |
221 | ||
dfee8626 | 222 | =item B<pkeyutl> |
e5fa864f DSH |
223 | |
224 | Public key algorithm cryptographic operation utility. | |
225 | ||
dfee8626 | 226 | =item B<prime> |
f0b843c1 RL |
227 | |
228 | Compute prime numbers. | |
229 | ||
dfee8626 | 230 | =item B<rand> |
afbd0746 BM |
231 | |
232 | Generate pseudo-random bytes. | |
233 | ||
dfee8626 | 234 | =item B<rehash> |
f0b843c1 | 235 | |
24c34608 | 236 | Create symbolic links to certificate and CRL files named by the hash values. |
f0b843c1 | 237 | |
dfee8626 | 238 | =item B<req> |
aba3e65f | 239 | |
e4549295 | 240 | PKCS#10 X.509 Certificate Signing Request (CSR) Management. |
aba3e65f | 241 | |
dfee8626 | 242 | =item B<rsa> |
aba3e65f | 243 | |
e4549295 | 244 | RSA key management. |
aba3e65f | 245 | |
dfee8626 | 246 | =item B<rsautl> |
34417732 | 247 | |
e4549295 | 248 | RSA utility for signing, verification, encryption, and decryption. Superseded |
8bc93d2f | 249 | by L<openssl-pkeyutl(1)>. |
34417732 | 250 | |
dfee8626 | 251 | =item B<s_client> |
aba3e65f DSH |
252 | |
253 | This implements a generic SSL/TLS client which can establish a transparent | |
254 | connection to a remote server speaking SSL/TLS. It's intended for testing | |
255 | purposes only and provides only rudimentary interface functionality but | |
256 | internally uses mostly all functionality of the OpenSSL B<ssl> library. | |
257 | ||
dfee8626 | 258 | =item B<s_server> |
aba3e65f DSH |
259 | |
260 | This implements a generic SSL/TLS server which accepts connections from remote | |
261 | clients speaking SSL/TLS. It's intended for testing purposes only and provides | |
262 | only rudimentary interface functionality but internally uses mostly all | |
263 | functionality of the OpenSSL B<ssl> library. It provides both an own command | |
264 | line oriented protocol for testing SSL functions and a simple HTTP response | |
265 | facility to emulate an SSL/TLS-aware webserver. | |
266 | ||
dfee8626 | 267 | =item B<s_time> |
aba3e65f DSH |
268 | |
269 | SSL Connection Timer. | |
270 | ||
dfee8626 | 271 | =item B<sess_id> |
aba3e65f DSH |
272 | |
273 | SSL Session Data Management. | |
274 | ||
dfee8626 | 275 | =item B<smime> |
54a34aec DSH |
276 | |
277 | S/MIME mail processing. | |
278 | ||
dfee8626 | 279 | =item B<speed> |
aba3e65f DSH |
280 | |
281 | Algorithm Speed Measurement. | |
282 | ||
dfee8626 | 283 | =item B<spkac> |
e5fa864f | 284 | |
c4de074e | 285 | SPKAC printing and generating utility. |
e5fa864f | 286 | |
dfee8626 | 287 | =item B<srp> |
f0b843c1 RL |
288 | |
289 | Maintain SRP password file. | |
290 | ||
dfee8626 | 291 | =item B<storeutl> |
f0b843c1 RL |
292 | |
293 | Utility to list and display certificates, keys, CRLs, etc. | |
294 | ||
dfee8626 | 295 | =item B<ts> |
21e8bbf2 | 296 | |
c4de074e | 297 | Time Stamping Authority tool (client/server). |
21e8bbf2 | 298 | |
dfee8626 | 299 | =item B<verify> |
aba3e65f DSH |
300 | |
301 | X.509 Certificate Verification. | |
302 | ||
dfee8626 | 303 | =item B<version> |
aba3e65f DSH |
304 | |
305 | OpenSSL Version Information. | |
306 | ||
dfee8626 | 307 | =item B<x509> |
aba3e65f DSH |
308 | |
309 | X.509 Certificate Data Management. | |
310 | ||
311 | =back | |
312 | ||
05ea606a | 313 | =head2 Message Digest Commands |
aba3e65f | 314 | |
e1271ac2 | 315 | =over 4 |
aba3e65f | 316 | |
4b7c6385 KR |
317 | =item B<blake2b512> |
318 | ||
319 | BLAKE2b-512 Digest | |
320 | ||
321 | =item B<blake2s256> | |
322 | ||
323 | BLAKE2s-256 Digest | |
324 | ||
aba3e65f DSH |
325 | =item B<md2> |
326 | ||
327 | MD2 Digest | |
328 | ||
4b7c6385 KR |
329 | =item B<md4> |
330 | ||
331 | MD4 Digest | |
332 | ||
aba3e65f DSH |
333 | =item B<md5> |
334 | ||
335 | MD5 Digest | |
336 | ||
337 | =item B<mdc2> | |
338 | ||
339 | MDC2 Digest | |
340 | ||
341 | =item B<rmd160> | |
342 | ||
343 | RMD-160 Digest | |
344 | ||
4c583c36 | 345 | =item B<sha1> |
aba3e65f DSH |
346 | |
347 | SHA-1 Digest | |
348 | ||
c7503f52 AP |
349 | =item B<sha224> |
350 | ||
4b7c6385 | 351 | SHA-2 224 Digest |
c7503f52 AP |
352 | |
353 | =item B<sha256> | |
354 | ||
4b7c6385 | 355 | SHA-2 256 Digest |
c7503f52 AP |
356 | |
357 | =item B<sha384> | |
358 | ||
4b7c6385 | 359 | SHA-2 384 Digest |
c7503f52 AP |
360 | |
361 | =item B<sha512> | |
362 | ||
4b7c6385 KR |
363 | SHA-2 512 Digest |
364 | ||
365 | =item B<sha3-224> | |
366 | ||
367 | SHA-3 224 Digest | |
368 | ||
369 | =item B<sha3-256> | |
370 | ||
371 | SHA-3 256 Digest | |
372 | ||
373 | =item B<sha3-384> | |
374 | ||
375 | SHA-3 384 Digest | |
376 | ||
377 | =item B<sha3-512> | |
378 | ||
379 | SHA-3 512 Digest | |
380 | ||
381 | =item B<shake128> | |
382 | ||
383 | SHA-3 SHAKE128 Digest | |
384 | ||
385 | =item B<shake256> | |
386 | ||
387 | SHA-3 SHAKE256 Digest | |
388 | ||
389 | =item B<sm3> | |
390 | ||
391 | SM3 Digest | |
c7503f52 | 392 | |
677741f8 AP |
393 | =back |
394 | ||
05ea606a | 395 | =head2 Encoding and Cipher Commands |
aba3e65f | 396 | |
1362190b AS |
397 | The following aliases provide convenient access to the most used encodings |
398 | and ciphers. | |
399 | ||
400 | Depending on how OpenSSL was configured and built, not all ciphers listed | |
8bc93d2f RL |
401 | here may be present. See L<openssl-enc(1)> for more information and command |
402 | usage. | |
1362190b | 403 | |
e1271ac2 | 404 | =over 4 |
aba3e65f | 405 | |
1362190b AS |
406 | =item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb> |
407 | ||
408 | AES-128 Cipher | |
409 | ||
410 | =item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb> | |
411 | ||
412 | AES-192 Cipher | |
413 | ||
414 | =item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb> | |
415 | ||
416 | AES-256 Cipher | |
417 | ||
418 | =item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb> | |
419 | ||
420 | Aria-128 Cipher | |
421 | ||
422 | =item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb> | |
423 | ||
424 | Aria-192 Cipher | |
425 | ||
426 | =item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb> | |
427 | ||
428 | Aria-256 Cipher | |
429 | ||
aba3e65f DSH |
430 | =item B<base64> |
431 | ||
432 | Base64 Encoding | |
433 | ||
dfee8626 | 434 | =item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb> |
aba3e65f DSH |
435 | |
436 | Blowfish Cipher | |
437 | ||
1362190b AS |
438 | =item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb> |
439 | ||
440 | Camellia-128 Cipher | |
441 | ||
442 | =item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb> | |
443 | ||
444 | Camellia-192 Cipher | |
445 | ||
446 | =item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb> | |
447 | ||
448 | Camellia-256 Cipher | |
449 | ||
dfee8626 | 450 | =item B<cast>, B<cast-cbc> |
aba3e65f DSH |
451 | |
452 | CAST Cipher | |
453 | ||
dfee8626 | 454 | =item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb> |
aba3e65f DSH |
455 | |
456 | CAST5 Cipher | |
457 | ||
1362190b AS |
458 | =item B<chacha20> |
459 | ||
460 | Chacha20 Cipher | |
461 | ||
dfee8626 | 462 | =item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb> |
aba3e65f DSH |
463 | |
464 | DES Cipher | |
465 | ||
dfee8626 | 466 | =item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb> |
aba3e65f DSH |
467 | |
468 | Triple-DES Cipher | |
469 | ||
dfee8626 | 470 | =item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb> |
aba3e65f DSH |
471 | |
472 | IDEA Cipher | |
473 | ||
dfee8626 | 474 | =item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb> |
aba3e65f DSH |
475 | |
476 | RC2 Cipher | |
477 | ||
478 | =item B<rc4> | |
479 | ||
480 | RC4 Cipher | |
481 | ||
dfee8626 | 482 | =item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb> |
aba3e65f DSH |
483 | |
484 | RC5 Cipher | |
485 | ||
1362190b AS |
486 | =item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb> |
487 | ||
488 | SEED Cipher | |
489 | ||
490 | =item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb> | |
491 | ||
492 | SM4 Cipher | |
493 | ||
aba3e65f DSH |
494 | =back |
495 | ||
3dfda1a6 | 496 | =head1 OPTIONS |
0634424f RS |
497 | |
498 | Details of which options are available depend on the specific command. | |
77a795e4 | 499 | This section describes some common options with common behavior. |
0634424f RS |
500 | |
501 | =head2 Common Options | |
502 | ||
e1271ac2 | 503 | =over 4 |
0634424f RS |
504 | |
505 | =item B<-help> | |
506 | ||
507 | Provides a terse summary of all options. | |
a397aca4 RS |
508 | If an option takes an argument, the "type" of argument is also given. |
509 | ||
510 | =item B<--> | |
511 | ||
512 | This terminates the list of options. It is mostly useful if any filename | |
513 | parameters start with a minus sign: | |
514 | ||
515 | openssl verify [flags...] -- -cert1.pem... | |
0634424f RS |
516 | |
517 | =back | |
518 | ||
777182a0 RS |
519 | =head2 Format Options |
520 | ||
521 | Several OpenSSL commands can take input or generate output in a variety | |
522 | of formats. The list of acceptable formats, and the default, is | |
523 | described in each command documentation. The list of formats is | |
524 | described below. Both uppercase and lowercase are accepted. | |
525 | ||
526 | =over 4 | |
527 | ||
528 | =item B<DER> | |
529 | ||
530 | A binary format, encoded or parsed according to Distinguished Encoding Rules | |
531 | (DER) of the ASN.1 data language. | |
532 | ||
533 | =item B<ENGINE> | |
534 | ||
535 | Used to specify that the cryptographic material is in an OpenSSL B<engine>. | |
536 | An engine must be configured or specified using the B<-engine> option. | |
537 | In addition, the B<-input> flag can be used to name a specific object in | |
538 | the engine. | |
539 | A password, such as the B<-passin> flag often must be specified as well. | |
540 | ||
541 | =item B<P12> | |
542 | ||
543 | A DER-encoded file containing a PKCS#12 object. | |
544 | It might be necessary to provide a decryption password to retrieve | |
545 | the private key. | |
546 | ||
547 | =item B<PEM> | |
548 | ||
549 | A text format defined in IETF RFC 1421 and IETF RFC 7468. Briefly, this is | |
550 | a block of base-64 encoding (defined in IETF RFC 4648), with specific | |
551 | lines used to mark the start and end: | |
552 | ||
553 | Text before the BEGIN line is ignored. | |
554 | ----- BEGIN object-type ----- | |
555 | OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX | |
556 | xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK | |
557 | UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== | |
558 | ----- END object-type ----- | |
559 | Text after the END line is also ignored | |
560 | ||
561 | The I<object-type> must match the type of object that is expected. | |
562 | For example a C<BEGIN X509 CERTIFICATE> will not match if the command | |
563 | is trying to read a private key. The types supported include: | |
564 | ||
565 | ANY PRIVATE KEY | |
566 | CERTIFICATE | |
567 | CERTIFICATE REQUEST | |
568 | CMS | |
569 | DH PARAMETERS | |
570 | DSA PARAMETERS | |
571 | DSA PUBLIC KEY | |
572 | EC PARAMETERS | |
573 | EC PRIVATE KEY | |
574 | ECDSA PUBLIC KEY | |
575 | ENCRYPTED PRIVATE KEY | |
576 | PARAMETERS | |
577 | PKCS #7 SIGNED DATA | |
578 | PKCS7 | |
579 | PRIVATE KEY | |
580 | PUBLIC KEY | |
581 | RSA PRIVATE KEY | |
582 | SSL SESSION PARAMETERS | |
583 | TRUSTED CERTIFICATE | |
584 | X509 CRL | |
585 | X9.42 DH PARAMETERS | |
586 | ||
587 | The following legacy I<object-type>'s are also supported for compatibility | |
588 | with earlier releases: | |
589 | ||
590 | DSA PRIVATE KEY | |
591 | NEW CERTIFICATE REQUEST | |
592 | RSA PUBLIC KEY | |
593 | X509 CERTIFICATE | |
594 | ||
595 | =item B<SMIME> | |
596 | ||
597 | An S/MIME object as described in IETF RFC 8551. | |
598 | Earlier versions were known as CMS and are compatible. | |
599 | Note that the parsing is simple and might fail to parse some legal data. | |
600 | ||
601 | =back | |
602 | ||
603 | The options to specify the format are as follows. Refer to the individual | |
604 | manpage to see which options are accepted. | |
605 | ||
606 | =over 4 | |
607 | ||
608 | =item B<-inform> I<format>, B<-outform> I<format> | |
609 | ||
610 | The format of the input or output streams. | |
611 | ||
612 | =item B<-keyform> I<format> | |
613 | ||
614 | Format of a private key input source. | |
615 | ||
9fcb9702 | 616 | =item B<-CRLform> I<format> |
777182a0 RS |
617 | |
618 | Format of a CRL input source. | |
619 | ||
620 | =back | |
621 | ||
0634424f | 622 | =head2 Pass Phrase Options |
a3fe382e DSH |
623 | |
624 | Several commands accept password arguments, typically using B<-passin> | |
625 | and B<-passout> for input and output passwords respectively. These allow | |
626 | the password to be obtained from a variety of sources. Both of these | |
627 | options take a single argument whose format is described below. If no | |
628 | password argument is given and a password is required then the user is | |
629 | prompted to enter one: this will typically be read from the current | |
630 | terminal with echoing turned off. | |
631 | ||
84814344 RL |
632 | Note that character encoding may be relevant, please see |
633 | L<passphrase-encoding(7)>. | |
634 | ||
e1271ac2 | 635 | =over 4 |
a3fe382e | 636 | |
2f0ea936 | 637 | =item B<pass:>I<password> |
a3fe382e | 638 | |
2f0ea936 | 639 | The actual password is I<password>. Since the password is visible |
a3fe382e DSH |
640 | to utilities (like 'ps' under Unix) this form should only be used |
641 | where security is not important. | |
642 | ||
2f0ea936 | 643 | =item B<env:>I<var> |
a3fe382e | 644 | |
2f0ea936 | 645 | Obtain the password from the environment variable I<var>. Since |
a3fe382e DSH |
646 | the environment of other processes is visible on certain platforms |
647 | (e.g. ps under certain Unix OSes) this option should be used with caution. | |
648 | ||
2f0ea936 | 649 | =item B<file:>I<pathname> |
a3fe382e | 650 | |
2f0ea936 | 651 | The first line of I<pathname> is the password. If the same I<pathname> |
a3fe382e DSH |
652 | argument is supplied to B<-passin> and B<-passout> arguments then the first |
653 | line will be used for the input password and the next line for the output | |
2f0ea936 | 654 | password. I<pathname> need not refer to a regular file: it could for example |
a3fe382e DSH |
655 | refer to a device or named pipe. |
656 | ||
2f0ea936 | 657 | =item B<fd:>I<number> |
a3fe382e | 658 | |
2f0ea936 | 659 | Read the password from the file descriptor I<number>. This can be used to |
a3fe382e DSH |
660 | send the data via a pipe for example. |
661 | ||
662 | =item B<stdin> | |
663 | ||
c4de074e | 664 | Read the password from standard input. |
a3fe382e DSH |
665 | |
666 | =back | |
667 | ||
a397aca4 RS |
668 | =head2 Trusted Certificate Options |
669 | ||
670 | Part of validating a certificate includes verifying that the chain of CA's | |
671 | can be traced up to an existing trusted root. The following options specify | |
672 | how to list the trusted roots, also known as trust anchors. A collection | |
673 | of trusted roots is called a I<trust store>. | |
674 | ||
675 | Note that OpenSSL does not provide a default set of trust anchors. Many | |
676 | Linux distributions include a system default and configure OpenSSL to point | |
677 | to that. Mozilla maintains an influential trust store that can be found at | |
678 | L<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/>. | |
679 | ||
680 | =over 4 | |
681 | ||
682 | =item B<-CAfile> I<file> | |
683 | ||
684 | Load the specified file which contains one or more PEM-format certificates | |
685 | of CA's that are trusted. | |
686 | ||
687 | =item B<-no-CAfile> | |
688 | ||
689 | Do not load the default file of trusted certificates. | |
690 | ||
691 | =item B<-CApath> I<dir> | |
692 | ||
693 | Use the specified directory as a list of trust certificates. That is, | |
694 | files should be named with the hash of the X.509 SubjectName of each | |
695 | certificate. This is so that the library can extract the IssuerName, | |
696 | hash it, and directly lookup the file to get the issuer certificate. | |
697 | See L<openssl-rehash(1)> for information on creating this type of directory. | |
698 | ||
699 | =item B<-no-CApath> | |
700 | ||
701 | Do not use the default directory of trusted certificates. | |
702 | ||
fd3397fc RL |
703 | =item B<-CAstore> I<uri> |
704 | ||
705 | Use I<uri> as a store of trusted CA certificates. The URI may | |
706 | indicate a single certificate, as well as a collection of them. | |
707 | With URIs in the C<file:> scheme, this acts as B<-CAfile> or | |
708 | B<-CApath>, depending on if the URI indicates a single file or | |
709 | directory. | |
710 | See L<ossl_store-file(7)> for more information on the C<file:> scheme. | |
711 | ||
712 | These certificates are also used when building the server certificate | |
713 | chain (for example with L<openssl-s_server(1)>) or client certificate | |
714 | chain (for example with L<openssl-s_time(1)>). | |
715 | ||
716 | =item B<-no-CAstore> | |
717 | ||
718 | Do not use the default store. | |
719 | ||
a397aca4 RS |
720 | =back |
721 | ||
722 | =head2 Random State Options | |
723 | ||
724 | Prior to OpenSSL 3.0, it was common for applications to store information | |
725 | about the state of the random-number generator in a file that was loaded | |
726 | at startup and rewritten upon exit. On modern operating systems, this is | |
727 | generally no longer necessary as OpenSSL will seed itself from the | |
728 | appropriate CPU flags, device files, and so on. These flags are still | |
729 | supported for special platforms or circumstances that might require them. | |
730 | ||
731 | It is generally an error to use the same seed file more than once and | |
732 | every use of B<-rand> should be paired with B<-writerand>. | |
733 | ||
734 | =over 4 | |
735 | ||
736 | =item B<-rand> I<files> | |
737 | ||
738 | A file or files containing random data used to seed the random number | |
739 | generator. | |
740 | Multiple files can be specified separated by an OS-dependent character. | |
741 | The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for | |
742 | all others. Another way to specify multiple files is to repeat this flag | |
743 | with different filenames. | |
744 | ||
745 | =item B<-writerand> I<file> | |
746 | ||
747 | Writes the seed data to the specified I<file> upon exit. | |
748 | This file can be used in a subsequent command invocation. | |
749 | ||
750 | =back | |
751 | ||
9fcb9702 RS |
752 | =head2 Extended Verification Options |
753 | ||
754 | Sometimes there may be more than one certificate chain leading to an | |
755 | end-entity certificate. | |
756 | This usually happens when a root or intermediate CA signs a certificate | |
757 | for another a CA in other organization. | |
758 | Another reason is when a CA might have intermediates that use two different | |
759 | signature formats, such as a SHA-1 and a SHA-256 digest. | |
760 | ||
761 | The following options can be used to provide data that will allow the | |
762 | OpenSSL command to generate an alternative chain. | |
763 | ||
764 | =over 4 | |
765 | ||
766 | =item B<-xchain_build> | |
767 | ||
768 | Specify whether the application should build the certificate chain to be | |
769 | provided to the server for the extra certificates via the B<-xkey>, | |
770 | B<-xcert>, and B<-xchain> options. | |
771 | ||
772 | =item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain> | |
773 | ||
774 | Specify an extra certificate, private key and certificate chain. These behave | |
775 | in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When | |
776 | specified, the callback returning the first valid chain will be in use by the | |
777 | client. | |
778 | ||
779 | =item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM> | |
780 | ||
781 | The input format for the extra certifcate and key, respectively. | |
782 | See L<openssl(1)/Format Options> for details. | |
783 | ||
784 | =back | |
785 | ||
0b836c21 RL |
786 | =head1 ENVIRONMENT |
787 | ||
788 | =over 4 | |
789 | ||
fed8bd90 | 790 | =item B<OPENSSL_TRACE=>I<name>[,...] |
0b836c21 RL |
791 | |
792 | Enable tracing output of OpenSSL library, by name. | |
793 | This output will only make sense if you know OpenSSL internals well. | |
794 | Also, it might not give you any output at all, depending on how | |
795 | OpenSSL was built. | |
796 | ||
797 | The value is a comma separated list of names, with the following | |
798 | available: | |
799 | ||
800 | =over 4 | |
801 | ||
802 | =item B<TRACE> | |
803 | ||
804 | The tracing functionality. | |
805 | ||
806 | =item B<TLS> | |
807 | ||
808 | General SSL/TLS. | |
809 | ||
810 | =item B<TLS_CIPHER> | |
811 | ||
812 | SSL/TLS cipher. | |
813 | ||
814 | =item B<ENGINE_CONF> | |
815 | ||
816 | ENGINE configuration. | |
817 | ||
818 | =item B<ENGINE_TABLE> | |
819 | ||
820 | The function that is used by RSA, DSA (etc) code to select registered | |
821 | ENGINEs, cache defaults and functional references (etc), will generate | |
822 | debugging summaries. | |
823 | ||
824 | =item B<ENGINE_REF_COUNT> | |
825 | ||
826 | Reference counts in the ENGINE structure will be monitored with a line | |
827 | of generated for each change. | |
828 | ||
829 | =item B<PKCS5V2> | |
830 | ||
831 | PKCS#5 v2 keygen. | |
832 | ||
833 | =item B<PKCS12_KEYGEN> | |
834 | ||
835 | PKCS#12 key generation. | |
836 | ||
837 | =item B<PKCS12_DECRYPT> | |
838 | ||
839 | PKCS#12 decryption. | |
840 | ||
841 | =item B<X509V3_POLICY> | |
842 | ||
843 | Generates the complete policy tree at various point during X.509 v3 | |
844 | policy evaluation. | |
845 | ||
846 | =item B<BN_CTX> | |
847 | ||
848 | BIGNUM context. | |
849 | ||
850 | =back | |
851 | ||
852 | =back | |
853 | ||
aba3e65f DSH |
854 | =head1 SEE ALSO |
855 | ||
b6b66573 DMSP |
856 | L<openssl-asn1parse(1)>, |
857 | L<openssl-ca(1)>, | |
858 | L<openssl-ciphers(1)>, | |
859 | L<openssl-cms(1)>, | |
860 | L<openssl-crl(1)>, | |
861 | L<openssl-crl2pkcs7(1)>, | |
862 | L<openssl-dgst(1)>, | |
863 | L<openssl-dhparam(1)>, | |
864 | L<openssl-dsa(1)>, | |
865 | L<openssl-dsaparam(1)>, | |
866 | L<openssl-ec(1)>, | |
867 | L<openssl-ecparam(1)>, | |
868 | L<openssl-enc(1)>, | |
869 | L<openssl-engine(1)>, | |
870 | L<openssl-errstr(1)>, | |
871 | L<openssl-gendsa(1)>, | |
872 | L<openssl-genpkey(1)>, | |
873 | L<openssl-genrsa(1)>, | |
874 | L<openssl-kdf(1)>, | |
875 | L<openssl-mac(1)>, | |
876 | L<openssl-nseq(1)>, | |
877 | L<openssl-ocsp(1)>, | |
878 | L<openssl-passwd(1)>, | |
879 | L<openssl-pkcs12(1)>, | |
880 | L<openssl-pkcs7(1)>, | |
881 | L<openssl-pkcs8(1)>, | |
882 | L<openssl-pkey(1)>, | |
883 | L<openssl-pkeyparam(1)>, | |
884 | L<openssl-pkeyutl(1)>, | |
885 | L<openssl-prime(1)>, | |
886 | L<openssl-rand(1)>, | |
887 | L<openssl-rehash(1)>, | |
888 | L<openssl-req(1)>, | |
889 | L<openssl-rsa(1)>, | |
890 | L<openssl-rsautl(1)>, | |
891 | L<openssl-s_client(1)>, | |
892 | L<openssl-s_server(1)>, | |
893 | L<openssl-s_time(1)>, | |
894 | L<openssl-sess_id(1)>, | |
895 | L<openssl-smime(1)>, | |
896 | L<openssl-speed(1)>, | |
897 | L<openssl-spkac(1)>, | |
898 | L<openssl-srp(1)>, | |
899 | L<openssl-storeutl(1)>, | |
900 | L<openssl-ts(1)>, | |
901 | L<openssl-verify(1)>, | |
902 | L<openssl-version(1)>, | |
903 | L<openssl-x509(1)>, | |
904 | L<config(5)>, | |
905 | L<crypto(7)>, | |
906 | L<ssl(7)>, | |
907 | L<x509v3_config(5)> | |
908 | ||
aba3e65f DSH |
909 | |
910 | =head1 HISTORY | |
911 | ||
2f0ea936 | 912 | The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0; |
88220dcb BM |
913 | For notes on the availability of other commands, see their individual |
914 | manual pages. | |
aba3e65f | 915 | |
e2f92610 RS |
916 | =head1 COPYRIGHT |
917 | ||
c54492ec | 918 | Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 | 919 | |
449040b4 | 920 | Licensed under the Apache License 2.0 (the "License"). You may not use |
e2f92610 RS |
921 | this file except in compliance with the License. You can obtain a copy |
922 | in the file LICENSE in the source distribution or at | |
923 | L<https://www.openssl.org/source/license.html>. | |
924 | ||
925 | =cut |