5 openssl - OpenSSL command line tool
14 B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>]
16 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
20 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
21 v2/v3) and Transport Layer Security (TLS v1) network protocols and related
22 cryptography standards required by them.
24 The B<openssl> program is a command line tool for using the various
25 cryptography functions of OpenSSL's B<crypto> library from the shell.
28 o Creation and management of private keys, public keys and parameters
29 o Public key cryptographic operations
30 o Creation of X.509 certificates, CSRs and CRLs
31 o Calculation of Message Digests and Message Authentication Codes
32 o Encryption and Decryption with Ciphers
33 o SSL/TLS Client and Server Tests
34 o Handling of S/MIME signed or encrypted mail
35 o Time Stamp requests, generation and verification
37 =head1 COMMAND SUMMARY
39 The B<openssl> program provides a rich variety of commands (I<command> in the
40 SYNOPSIS above), each of which often has a wealth of options and arguments
41 (I<command_opts> and I<command_args> in the SYNOPSIS).
43 Detailed documentation and use cases for most standard subcommands are available
44 (e.g., L<x509(1)> or L<openssl-x509(1)>).
46 Many commands use an external configuration file for some or all of their
47 arguments and have a B<-config> option to specify that file.
48 The environment variable B<OPENSSL_CONF> can be used to specify
49 the location of the file.
50 If the environment variable is not specified, then the file is named
51 B<openssl.cnf> in the default certificate storage area, whose value
52 depends on the configuration flags specified when the OpenSSL
55 The list parameters B<standard-commands>, B<digest-commands>,
56 and B<cipher-commands> output a list (one entry per line) of the names
57 of all standard commands, message digest commands, or cipher commands,
58 respectively, that are available in the present B<openssl> utility.
60 The list parameters B<cipher-algorithms>, B<digest-algorithms>,
61 and B<mac-algorithms> list all cipher, message digest, and message
62 authentication code names, one entry per line. Aliases are listed as:
66 The list parameter B<public-key-algorithms> lists all supported public
69 The command B<no->I<XXX> tests whether a command of the
70 specified name is available. If no command named I<XXX> exists, it
71 returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
72 and prints I<XXX>. In both cases, the output goes to B<stdout> and
73 nothing is printed to B<stderr>. Additional command line arguments
74 are always ignored. Since for each cipher there is a command of the
75 same name, this provides an easy way for shell scripts to test for the
76 availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
77 not able to detect pseudo-commands such as B<quit>,
78 B<list>, or B<no->I<XXX> itself.)
80 =head2 Standard Commands
86 Parse an ASN.1 sequence.
90 Certificate Authority (CA) Management.
94 Cipher Suite Description Determination.
98 CMS (Cryptographic Message Syntax) utility.
102 Certificate Revocation List (CRL) Management.
106 CRL to PKCS#7 Conversion.
110 Message Digest calculation. MAC calculations are superseded by
115 Diffie-Hellman Parameter Management.
116 Obsoleted by L<dhparam(1)>.
120 Generation and Management of Diffie-Hellman Parameters. Superseded by
121 L<genpkey(1)> and L<pkeyparam(1)>.
129 DSA Parameter Generation and Management. Superseded by
130 L<genpkey(1)> and L<pkeyparam(1)>.
134 EC (Elliptic curve) key processing.
138 EC parameter manipulation and generation.
142 Encoding with Ciphers.
146 Engine (loadable module) information and manipulation.
150 Error Number to Error String Conversion.
154 Generation of Diffie-Hellman Parameters.
155 Obsoleted by L<dhparam(1)>.
159 Generation of DSA Private Key from Parameters. Superseded by
160 L<genpkey(1)> and L<pkey(1)>.
164 Generation of Private Key or Parameters.
168 Generation of RSA Private Key. Superseded by L<genpkey(1)>.
172 Display diverse information built into the OpenSSL libraries.
176 Key Derivation Functions.
180 Message Authentication Code Calculation.
184 Create or examine a Netscape certificate sequence.
188 Online Certificate Status Protocol utility.
192 Generation of hashed passwords.
196 PKCS#12 Data Management.
200 PKCS#7 Data Management.
204 PKCS#8 format private key conversion tool.
208 Public and private key management.
212 Public key algorithm parameter management.
216 Public key algorithm cryptographic operation utility.
220 Compute prime numbers.
224 Generate pseudo-random bytes.
228 Create symbolic links to certificate and CRL files named by the hash values.
232 PKCS#10 X.509 Certificate Signing Request (CSR) Management.
240 RSA utility for signing, verification, encryption, and decryption. Superseded
245 This implements a generic SSL/TLS client which can establish a transparent
246 connection to a remote server speaking SSL/TLS. It's intended for testing
247 purposes only and provides only rudimentary interface functionality but
248 internally uses mostly all functionality of the OpenSSL B<ssl> library.
252 This implements a generic SSL/TLS server which accepts connections from remote
253 clients speaking SSL/TLS. It's intended for testing purposes only and provides
254 only rudimentary interface functionality but internally uses mostly all
255 functionality of the OpenSSL B<ssl> library. It provides both an own command
256 line oriented protocol for testing SSL functions and a simple HTTP response
257 facility to emulate an SSL/TLS-aware webserver.
261 SSL Connection Timer.
265 SSL Session Data Management.
269 S/MIME mail processing.
273 Algorithm Speed Measurement.
277 SPKAC printing and generating utility.
281 Maintain SRP password file.
285 Utility to list and display certificates, keys, CRLs, etc.
289 Time Stamping Authority tool (client/server).
293 X.509 Certificate Verification.
297 OpenSSL Version Information.
301 X.509 Certificate Data Management.
305 =head2 Message Digest Commands
375 SHA-3 SHAKE128 Digest
379 SHA-3 SHAKE256 Digest
387 =head2 Encoding and Cipher Commands
389 The following aliases provide convenient access to the most used encodings
392 Depending on how OpenSSL was configured and built, not all ciphers listed
393 here may be present. See L<enc(1)> for more information and command usage.
397 =item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>
401 =item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>
405 =item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>
409 =item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>
413 =item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>
417 =item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>
425 =item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>
429 =item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>
433 =item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>
437 =item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>
441 =item B<cast>, B<cast-cbc>
445 =item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>
453 =item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>
457 =item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>
461 =item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>
465 =item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>
473 =item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>
477 =item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>
481 =item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>
489 Details of which options are available depend on the specific command.
490 This section describes some common options with common behavior.
492 =head2 Common Options
498 Provides a terse summary of all options.
502 =head2 Pass Phrase Options
504 Several commands accept password arguments, typically using B<-passin>
505 and B<-passout> for input and output passwords respectively. These allow
506 the password to be obtained from a variety of sources. Both of these
507 options take a single argument whose format is described below. If no
508 password argument is given and a password is required then the user is
509 prompted to enter one: this will typically be read from the current
510 terminal with echoing turned off.
512 Note that character encoding may be relevant, please see
513 L<passphrase-encoding(7)>.
517 =item B<pass:password>
519 The actual password is B<password>. Since the password is visible
520 to utilities (like 'ps' under Unix) this form should only be used
521 where security is not important.
525 Obtain the password from the environment variable B<var>. Since
526 the environment of other processes is visible on certain platforms
527 (e.g. ps under certain Unix OSes) this option should be used with caution.
529 =item B<file:pathname>
531 The first line of B<pathname> is the password. If the same B<pathname>
532 argument is supplied to B<-passin> and B<-passout> arguments then the first
533 line will be used for the input password and the next line for the output
534 password. B<pathname> need not refer to a regular file: it could for example
535 refer to a device or named pipe.
539 Read the password from the file descriptor B<number>. This can be used to
540 send the data via a pipe for example.
544 Read the password from standard input.
552 =item B<OPENSSL_TRACE=>I<name,...>
554 Enable tracing output of OpenSSL library, by name.
555 This output will only make sense if you know OpenSSL internals well.
556 Also, it might not give you any output at all, depending on how
559 The value is a comma separated list of names, with the following
566 The tracing functionality.
578 ENGINE configuration.
580 =item B<ENGINE_TABLE>
582 The function that is used by RSA, DSA (etc) code to select registered
583 ENGINEs, cache defaults and functional references (etc), will generate
586 =item B<ENGINE_REF_COUNT>
588 Reference counts in the ENGINE structure will be monitored with a line
589 of generated for each change.
595 =item B<PKCS12_KEYGEN>
597 PKCS#12 key generation.
599 =item B<PKCS12_DECRYPT>
603 =item B<X509V3_POLICY>
605 Generates the complete policy tree at various point during X.509 v3
618 L<asn1parse(1)>, L<ca(1)>, L<ciphers(1)>, L<cms(1)>, L<config(5)>,
619 L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
620 L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
621 L<ec(1)>, L<ecparam(1)>,
622 L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
623 L<genrsa(1)>, L<kdf(1)>, L<mac(1)>, L<nseq(1)>, L<ocsp(1)>,
625 L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
626 L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
627 L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
628 L<rsautl(1)>, L<s_client(1)>,
629 L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
630 L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
632 L<verify(1)>, L<version(1)>, L<x509(1)>,
633 L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
637 The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
638 For notes on the availability of other commands, see their individual
643 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
645 Licensed under the Apache License 2.0 (the "License"). You may not use
646 this file except in compliance with the License. You can obtain a copy
647 in the file LICENSE in the source distribution or at
648 L<https://www.openssl.org/source/license.html>.