=pod

=head1 NAME

openssl - OpenSSL command line tool

=head1 SYNOPSIS

B<openssl>
I<command>
[ I<command_opts> ]
[ I<command_args> ]

B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]

B<openssl> B<no->I<XXX> [ I<arbitrary options> ]

=head1 DESCRIPTION

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.

The B<openssl> program is a command line tool for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
It can be used for

 o  Creation and management of private keys, public keys and parameters
 o  Public key cryptographic operations
 o  Creation of X.509 certificates, CSRs and CRLs
 o  Calculation of Message Digests
 o  Encryption and Decryption with Ciphers
 o  SSL/TLS Client and Server Tests
 o  Handling of S/MIME signed or encrypted mail
 o  Time Stamp requests, generation and verification

=head1 COMMAND SUMMARY

The B<openssl> program provides a rich variety of commands (I<command> in the
SYNOPSIS above), each of which often has a wealth of options and arguments
(I<command_opts> and I<command_args> in the SYNOPSIS).

Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The environment variable B<OPENSSL_CONF> can be used to specify
the location of the file.
If the environment variable is not specified, then the file is named
B<openssl.cnf> in the default certificate storage area, whose value
depends on the configuration flags specified when OpenSSL
was built.

The list parameters B<standard-commands>, B<digest-commands>,
and B<cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present B<openssl> utility.

The list parameters B<cipher-algorithms> and B<digest-algorithms> list all
cipher and message digest names, one entry per line. Aliases are listed as:

    from => to

The list parameter B<public-key-algorithms> lists all supported public
key algorithms.

The command B<no->I<XXX> tests whether a command of the
specified name is available. If no command named I<XXX> exists, it
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
and prints I<XXX>. In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
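
As an added example (not part of the OpenSSL manual), the following POSIX shell helpers use the B<no->I<XXX> probe to pick the first cipher command a build actually has, and resolve a "from => to" alias from list output. The sample list lines are constructed, and the C<openssl list -cipher-algorithms> invocation mentioned in the comments is an assumption about the installed version.

```shell
#!/bin/sh
# Added example, not from the OpenSSL manual. POSIX sh helpers around the
# "openssl no-XXX" probe and the "from => to" alias lines of "openssl list".

# openssl_has_cmd NAME
# Returns 0 if the installed openssl has a command (including cipher and
# digest commands) called NAME, 1 if it does not, 2 if no openssl is on PATH.
# The probe's sense is inverted: "openssl no-NAME" exits 0 when NAME is
# absent and 1 when present. It prints only to stdout, so that is all that
# needs silencing. Pseudo-commands (list, quit, no-XXX) cannot be detected.
openssl_has_cmd() {
    command -v openssl >/dev/null 2>&1 || return 2
    if openssl "no-$1" >/dev/null; then
        return 1
    fi
    return 0
}

# pick_first_available NAME...
# Prints the first NAME that openssl_has_cmd reports present; returns 1 if
# none is, so a script can fall back or abort instead of running a cipher
# command that this build lacks.
pick_first_available() {
    for _name in "$@"; do
        if openssl_has_cmd "$_name"; then
            printf '%s\n' "$_name"
            return 0
        fi
    done
    return 1
}

# resolve_alias NAME
# Reads "openssl list" output on stdin (one algorithm per line, aliases as
# "from => to") and prints the canonical name for NAME, or NAME itself when
# it is not listed as an alias.
resolve_alias() {
    awk -v name="$1" '
        $2 == "=>" && $1 == name { print $3; found = 1; exit }
        END { if (!found) print name }
    '
}

# Demonstration on constructed sample list output (the real source would be
# "openssl list -cipher-algorithms", an assumption about the version):
SAMPLE_LIST='AES-128-CBC
AES128 => AES-128-CBC
aes128 => AES-128-CBC'
printf '%s\n' "$SAMPLE_LIST" | resolve_alias AES128    # AES-128-CBC
pick_first_available aes-256-cbc aes-128-cbc des3 ||
    echo "none of the preferred cipher commands is available" >&2
```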

=head2 Standard Commands

=over 4

=item L<B<asn1parse>|asn1parse(1)>

Parse an ASN.1 sequence.

=item L<B<ca>|ca(1)>

Certificate Authority (CA) Management.

=item L<B<ciphers>|ciphers(1)>

Cipher Suite Description Determination.

=item L<B<cms>|cms(1)>

CMS (Cryptographic Message Syntax) utility.

=item L<B<crl>|crl(1)>

Certificate Revocation List (CRL) Management.

=item L<B<crl2pkcs7>|crl2pkcs7(1)>

CRL to PKCS#7 Conversion.

=item L<B<dgst>|dgst(1)>

Message Digest Calculation.

=item B<dh>

Diffie-Hellman Parameter Management.
Obsoleted by L<B<dhparam>|dhparam(1)>.

=item L<B<dhparam>|dhparam(1)>

Generation and Management of Diffie-Hellman Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.

=item L<B<dsa>|dsa(1)>

DSA Data Management.

=item L<B<dsaparam>|dsaparam(1)>

DSA Parameter Generation and Management. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.

=item L<B<ec>|ec(1)>

EC (Elliptic curve) key processing.

=item L<B<ecparam>|ecparam(1)>

EC parameter manipulation and generation.

=item L<B<enc>|enc(1)>

Encoding with Ciphers.

=item L<B<engine>|engine(1)>

Engine (loadable module) information and manipulation.

=item L<B<errstr>|errstr(1)>

Error Number to Error String Conversion.

=item B<gendh>

Generation of Diffie-Hellman Parameters.
Obsoleted by L<B<dhparam>|dhparam(1)>.

=item L<B<gendsa>|gendsa(1)>

Generation of DSA Private Key from Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>.

=item L<B<genpkey>|genpkey(1)>

Generation of Private Key or Parameters.

=item L<B<genrsa>|genrsa(1)>

Generation of RSA Private Key. Superseded by L<B<genpkey>|genpkey(1)>.

=item L<B<nseq>|nseq(1)>

Create or examine a Netscape certificate sequence.

=item L<B<ocsp>|ocsp(1)>

Online Certificate Status Protocol utility.

=item L<B<passwd>|passwd(1)>

Generation of hashed passwords.

=item L<B<pkcs12>|pkcs12(1)>

PKCS#12 Data Management.

=item L<B<pkcs7>|pkcs7(1)>

PKCS#7 Data Management.

=item L<B<pkcs8>|pkcs8(1)>

PKCS#8 format private key conversion tool.

=item L<B<pkey>|pkey(1)>

Public and private key management.

=item L<B<pkeyparam>|pkeyparam(1)>

Public key algorithm parameter management.

=item L<B<pkeyutl>|pkeyutl(1)>

Public key algorithm cryptographic operation utility.

=item L<B<prime>|prime(1)>

Compute prime numbers.

=item L<B<rand>|rand(1)>

Generate pseudo-random bytes.

=item L<B<rehash>|rehash(1)>

Create symbolic links to certificate and CRL files named by the hash values.

=item L<B<req>|req(1)>

PKCS#10 X.509 Certificate Signing Request (CSR) Management.

=item L<B<rsa>|rsa(1)>

RSA key management.

=item L<B<rsautl>|rsautl(1)>

RSA utility for signing, verification, encryption, and decryption. Superseded
by L<B<pkeyutl>|pkeyutl(1)>.

=item L<B<s_client>|s_client(1)>

This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It's intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses almost all of the functionality of the OpenSSL B<ssl> library.

=item L<B<s_server>|s_server(1)>

This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It's intended for testing purposes only and provides
only rudimentary interface functionality but internally uses almost all of the
functionality of the OpenSSL B<ssl> library. It provides both its own command
line oriented protocol for testing SSL functions and a simple HTTP response
facility to emulate an SSL/TLS-aware webserver.

=item L<B<s_time>|s_time(1)>

SSL Connection Timer.

=item L<B<sess_id>|sess_id(1)>

SSL Session Data Management.

=item L<B<smime>|smime(1)>

S/MIME mail processing.

=item L<B<speed>|speed(1)>

Algorithm Speed Measurement.

=item L<B<spkac>|spkac(1)>

SPKAC printing and generating utility.

=item L<B<srp>|srp(1)>

Maintain SRP password file.

=item L<B<storeutl>|storeutl(1)>

Utility to list and display certificates, keys, CRLs, etc.

=item L<B<ts>|ts(1)>

Time Stamping Authority tool (client/server).

=item L<B<verify>|verify(1)>

X.509 Certificate Verification.

=item L<B<version>|version(1)>

OpenSSL Version Information.

=item L<B<x509>|x509(1)>

X.509 Certificate Data Management.

=back
288 | ||
05ea606a | 289 | =head2 Message Digest Commands |
aba3e65f | 290 | |
e1271ac2 | 291 | =over 4 |
aba3e65f DSH |
292 | |
293 | =item B<md2> | |
294 | ||
295 | MD2 Digest | |
296 | ||
297 | =item B<md5> | |
298 | ||
299 | MD5 Digest | |
300 | ||
301 | =item B<mdc2> | |
302 | ||
303 | MDC2 Digest | |
304 | ||
305 | =item B<rmd160> | |
306 | ||
307 | RMD-160 Digest | |
308 | ||
4c583c36 | 309 | =item B<sha> |
aba3e65f DSH |
310 | |
311 | SHA Digest | |
312 | ||
4c583c36 | 313 | =item B<sha1> |
aba3e65f DSH |
314 | |
315 | SHA-1 Digest | |
316 | ||
c7503f52 AP |
317 | =item B<sha224> |
318 | ||
319 | SHA-224 Digest | |
320 | ||
321 | =item B<sha256> | |
322 | ||
323 | SHA-256 Digest | |
324 | ||
325 | =item B<sha384> | |
326 | ||
327 | SHA-384 Digest | |
328 | ||
329 | =item B<sha512> | |
330 | ||
331 | SHA-512 Digest | |
332 | ||
677741f8 AP |
333 | =back |
334 | ||
05ea606a | 335 | =head2 Encoding and Cipher Commands |
aba3e65f | 336 | |
e1271ac2 | 337 | =over 4 |
aba3e65f DSH |
338 | |
339 | =item B<base64> | |
340 | ||
341 | Base64 Encoding | |
342 | ||
343 | =item B<bf bf-cbc bf-cfb bf-ecb bf-ofb> | |
344 | ||
345 | Blowfish Cipher | |
346 | ||
347 | =item B<cast cast-cbc> | |
348 | ||
349 | CAST Cipher | |
350 | ||
351 | =item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb> | |
352 | ||
353 | CAST5 Cipher | |
354 | ||
355 | =item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb> | |
356 | ||
357 | DES Cipher | |
358 | ||
359 | =item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb> | |
360 | ||
361 | Triple-DES Cipher | |
362 | ||
363 | =item B<idea idea-cbc idea-cfb idea-ecb idea-ofb> | |
364 | ||
365 | IDEA Cipher | |
366 | ||
367 | =item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb> | |
368 | ||
369 | RC2 Cipher | |
370 | ||
371 | =item B<rc4> | |
372 | ||
373 | RC4 Cipher | |
374 | ||
375 | =item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb> | |
376 | ||
377 | RC5 Cipher | |
378 | ||
379 | =back | |
380 | ||
=head1 OPTIONS

Details of which options are available depend on the specific command.
This section describes some common options with common behavior.

=head2 Common Options

=over 4

=item B<-help>

Provides a terse summary of all options.

=back

=head2 Pass Phrase Options

Several commands accept password arguments, typically using B<-passin>
and B<-passout> for input and output passwords respectively. These allow
the password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.

=over 4

=item B<pass:password>

The actual password is B<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.

=item B<env:var>

Obtain the password from the environment variable B<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.

=item B<file:pathname>

The first line of B<pathname> is the password. If the same B<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.

=item B<fd:number>

Read the password from the file descriptor B<number>. This can be used to
send the data via a pipe for example.

=item B<stdin>

Read the password from standard input.

=back
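
An added example, not from the OpenSSL manual: two POSIX shell helpers that supply a pass phrase through the B<fd:> and B<file:> forms instead of B<pass:> (visible in ps output) or B<env:>. The C<openssl pkey> calls in the comments are assumed usage; the helpers themselves run without openssl.

```shell
#!/bin/sh
# Added example, not from the OpenSSL manual. Helpers for handing a pass
# phrase to an openssl command via "-passin fd:3" or a mode-0600 file, so the
# secret never appears on the command line ("pass:", visible via ps) or in
# the environment ("env:"). The openssl invocations in the comments are
# assumed usage; the helpers themselves do not need openssl to run.

# with_passin_fd SECRET CMD [ARG...]
# Runs CMD with SECRET (newline-terminated) readable on file descriptor 3.
# The secret travels over a pipe, never through CMD's argv or environment.
with_passin_fd() {
    _secret=$1; shift
    # 3<&0 dups the pipe onto fd 3; </dev/null then detaches stdin so CMD
    # cannot mistake the secret for ordinary input.
    printf '%s\n' "$_secret" | "$@" 3<&0 </dev/null
}

# make_passfile IN_SECRET OUT_SECRET
# Creates a mode-0600 file (mktemp uses mkstemp, which creates it 0600)
# whose first line is the input pass phrase and second line the output pass
# phrase: the layout "-passin file:F -passout file:F" expects when both
# options name the same file. Prints the path; the caller removes it.
make_passfile() {
    _f=$(mktemp) || return 1
    printf '%s\n%s\n' "$1" "$2" > "$_f"
    printf '%s\n' "$_f"
}

# Example use (assumption: key.pem is an encrypted PEM private key):
#   with_passin_fd "$SECRET" openssl pkey -in key.pem -noout -passin fd:3
#   PF=$(make_passfile "$OLD" "$NEW") &&
#       openssl pkey -in key.pem -passin "file:$PF" \
#                    -aes256 -passout "file:$PF" -out rekeyed.pem
#   rm -f "$PF"
```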

=head1 SEE ALSO

L<asn1parse(1)>, L<ca(1)>, L<ciphers(1)>, L<cms(1)>, L<config(5)>,
L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
L<ec(1)>, L<ecparam(1)>,
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
L<passwd(1)>,
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
L<rsautl(1)>, L<s_client(1)>,
L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
L<ts(1)>,
L<verify(1)>, L<version(1)>, L<x509(1)>,
L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>

=head1 HISTORY

The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0.
For notes on the availability of other commands, see their individual
manual pages.

=head1 COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut