openssl - OpenSSL command line program
B<-standard-commands> |
B<-cipher-algorithms> |
B<-digest-algorithms> |
B<-public-key-algorithms>
B<openssl> B<no->I<XXX> [ I<options> ]
OpenSSL is a cryptography toolkit implementing the Transport Layer Security
(TLS v1.0 to v1.3, including DTLS) and Secure Sockets Layer (SSL v3) network
protocols and the related cryptography standards required by them (SSL v2 is
no longer supported).
The B<openssl> program is a command line program for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
 o  Creation and management of private keys, public keys and parameters
 o  Public key cryptographic operations
 o  Creation of X.509 certificates, CSRs and CRLs
 o  Calculation of Message Digests and Message Authentication Codes
 o  Encryption and Decryption with Ciphers
 o  SSL/TLS Client and Server Tests
 o  Handling of S/MIME signed or encrypted mail
 o  Timestamp requests, generation and verification
=head1 COMMAND SUMMARY
The B<openssl> program provides a rich variety of commands (I<command> in
the L</SYNOPSIS> above).
Each command can have many options and argument parameters, shown above as
I<options> and I<parameters>.
Detailed documentation and use cases for most standard subcommands are available
(e.g., L<openssl-x509(1)>).
The list options B<-standard-commands>, B<-digest-commands>,
and B<-cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available.
The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
and B<-mac-algorithms> list all cipher, message digest, and message
authentication code names, one entry per line. Aliases are listed as:
The list parameter B<-public-key-algorithms> lists all supported public
The command B<no->I<XXX> tests whether a command of the
specified name is available. If no command named I<XXX> exists, it
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
and prints I<XXX>. In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program. Note that the exit
status is inverted with respect to the usual shell convention: success
means the command is I<absent>. (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
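The B<no->I<XXX> probe wrapped in a shell script, added here as an example and not taken from the OpenSSL manual or sources. It assumes an B<openssl> binary on PATH; the C<OPENSSL> variable, the function names and the candidate cipher names (taken from the cipher list later in this page) are the script's own conventions.

```shell
#!/bin/sh
# Added example (not from the OpenSSL manual): probe whether this build of the
# openssl program provides a given cipher, digest or standard command, via the
# no-XXX pseudo-command.  The OPENSSL variable is an assumption of this script,
# not something the program reads.
OPENSSL="${OPENSSL:-openssl}"

# openssl_has NAME
#   exit 0 if the command NAME exists in this build,
#   exit 1 if it does not,
#   exit 2 if no openssl binary can be run at all.
# "openssl no-NAME" exits 1 (and prints NAME) when NAME exists, and exits 0
# (and prints no-NAME) when it does not, so the sense is inverted here.  The
# printed text is discarded: only the exit status is consulted.  Pseudo-commands
# such as list, help or no-XXX itself cannot be detected this way.
openssl_has() {
    command -v "$OPENSSL" >/dev/null 2>&1 || return 2
    if "$OPENSSL" "no-$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# first_available NAME...
#   print the first NAME accepted by openssl_has; exit 1 when none is, so a
#   caller fails closed instead of silently using a cipher it did not ask for.
first_available() {
    for name in "$@"; do
        if openssl_has "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Usage: choose a CBC cipher in order of preference, failing closed.
if command -v "$OPENSSL" >/dev/null 2>&1; then
    if cipher=$(first_available aes-256-cbc camellia-256-cbc sm4-cbc); then
        echo "using $cipher"
    else
        echo "no acceptable cipher in this openssl build" >&2
    fi
fi
```

The answer is carried by the exit status alone, never by matching the printed name, and a missing binary is reported as its own status rather than as "present", so a script cannot be fooled into believing a cipher exists because C<openssl> itself could not be run.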
=head2 Configuration Option
Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The default name of the file is F<openssl.cnf> in the default certificate
storage area, which can be determined from the L<openssl-version(1)>
command using the B<-d> or B<-a> option.
The environment variable B<OPENSSL_CONF> can be used to specify a different
file location or to disable loading a configuration (using the empty string).
Among others, the configuration file can be used to load modules
and to specify parameters for generating certificates and random numbers.
See L<config(5)> for details.
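The lookup rules above and a module-loading configuration, as an added example rather than text from the OpenSSL manual. It assumes an B<openssl> binary on PATH for C<version -d>; the C<OPENSSL> variable and the function names are the script's own, and the configuration it writes activates the default and legacy providers (OpenSSL 3.0 or later).

```shell
#!/bin/sh
# Added example (not from the OpenSSL manual): locate the configuration file
# the openssl program will read, following the rules described above, and
# write a configuration that loads provider modules.  Assumes an openssl
# binary on PATH; the OPENSSL variable and function names are this script's own.
OPENSSL="${OPENSSL:-openssl}"

# openssldir_from_version LINE
#   Extract the directory from a line in the format printed by
#   "openssl version -d", e.g.  OPENSSLDIR: "/usr/lib/ssl"
openssldir_from_version() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# effective_config_path
#   OPENSSL_CONF wins whenever it is set: a non-empty value names the file,
#   an empty value disables configuration loading (reported as "(disabled)").
#   Otherwise the default is openssl.cnf in the directory from "version -d".
#   Exit 1 if that directory cannot be determined.
effective_config_path() {
    if [ -n "${OPENSSL_CONF+set}" ]; then
        if [ -z "$OPENSSL_CONF" ]; then
            printf '(disabled)\n'
        else
            printf '%s\n' "$OPENSSL_CONF"
        fi
        return 0
    fi
    dir=$(openssldir_from_version "$("$OPENSSL" version -d 2>/dev/null)")
    [ -n "$dir" ] || return 1
    printf '%s/openssl.cnf\n' "$dir"
}

# write_provider_config FILE
#   Write a configuration that activates the default provider together with
#   the legacy provider (OpenSSL 3.0+), which carries algorithms such as RC2,
#   RC4 and MD4 that old PKCS#12 files still use.  Activating legacy widens
#   the algorithm surface for every program using this file, so keep such a
#   configuration limited to the invocations that actually need it.
write_provider_config() {
    cat >"$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# Usage: report the default file, then apply the provider configuration to a
# single invocation through OPENSSL_CONF rather than editing the global file.
if command -v "$OPENSSL" >/dev/null 2>&1; then
    echo "config file in use: $(effective_config_path || echo unknown)"
    cfg=$(mktemp)
    write_provider_config "$cfg"
    OPENSSL_CONF=$cfg "$OPENSSL" list -providers ||
        echo "could not list providers with $cfg (needs OpenSSL 3.0 or later)" >&2
    rm -f "$cfg"
fi
```

Pointing B<OPENSSL_CONF> at a throwaway file for one command is the safer way to enable the legacy provider: the global F<openssl.cnf> is read by every program linked against libcrypto, so a change there silently re-enables weak algorithms for all of them.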
=head2 Standard Commands
Parse an ASN.1 sequence.
Certificate Authority (CA) Management.
Cipher Suite Description Determination.
CMS (Cryptographic Message Syntax) command.
Certificate Revocation List (CRL) Management.
CRL to PKCS#7 Conversion.
Message Digest calculation. MAC calculations are superseded by
Generation and Management of Diffie-Hellman Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
DSA Parameter Generation and Management. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
EC (Elliptic curve) key processing.
EC parameter manipulation and generation.
Encryption, decryption, and encoding.
Engine (loadable module) information and manipulation.
Error Number to Error String Conversion.
FIPS configuration installation.
Generation of DSA Private Key from Parameters. Superseded by
L<openssl-genpkey(1)> and L<openssl-pkey(1)>.
Generation of Private Key or Parameters.
Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
Display information about a command's options.
Display diverse information built into the OpenSSL libraries.
Key Derivation Functions.
List algorithms and features.
Message Authentication Code Calculation.
Create or examine a Netscape certificate sequence.
Online Certificate Status Protocol command.
Generation of hashed passwords.
PKCS#12 Data Management.
PKCS#7 Data Management.
PKCS#8 format private key conversion command.
Public and private key management.
Public key algorithm parameter management.
Public key algorithm cryptographic operation command.
Compute prime numbers.
Generate pseudo-random bytes.
Create symbolic links to certificate and CRL files named by the hash values.
PKCS#10 X.509 Certificate Signing Request (CSR) Management.
RSA command for signing, verification, encryption, and decryption. Superseded
by L<openssl-pkeyutl(1)>.
This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It is intended for testing
purposes only and provides only a rudimentary interface, but internally it
uses most of the functionality of the OpenSSL B<ssl> library.
This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It is intended for testing purposes only and provides
only a rudimentary interface, but internally it uses most of the functionality
of the OpenSSL B<ssl> library. It provides both its own command line oriented
protocol for testing SSL functions and a simple HTTP response facility to
emulate an SSL/TLS-aware webserver.
SSL Connection Timer.
SSL Session Data Management.
S/MIME mail processing.
Algorithm Speed Measurement.
SPKAC printing and generating command.
Maintain SRP password file. This command is deprecated.
Command to list and display certificates, keys, CRLs, etc.
Time Stamping Authority command.
X.509 Certificate Verification.
See also the L<openssl-verification-options(1)> manual page.
OpenSSL Version Information.
X.509 Certificate Data Management.
=head2 Message Digest Commands
SHA-3 SHAKE128 Digest
SHA-3 SHAKE256 Digest
=head2 Encryption, Decryption, and Encoding Commands
The following aliases provide convenient access to the most used encodings
Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See L<openssl-enc(1)> for more information.
=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>
=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>
=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>
=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>
=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>
=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>
=item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>
=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>
=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>
=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>
=item B<cast>, B<cast-cbc>
=item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>
=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>
=item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>
=item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>
=item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>
=item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>
=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>
=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>
Details of which options are available depend on the specific command.
This section describes some common options with common behavior.
=head2 Common Options
Provides a terse summary of all options.
If an option takes an argument, the "type" of argument is also given.
This terminates the list of options. It is mostly useful if any filename
parameters start with a minus sign:
    openssl verify [flags...] -- -cert1.pem...
=head2 Format Options
See the L<openssl-format-options(1)> manual page.
=head2 Pass Phrase Options
See the L<openssl-passphrase-options(1)> manual page.
=head2 Random State Options
Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.
It is generally an error to use the same seed file more than once without
rewriting it, so every use of B<-rand> should be paired with B<-writerand>
(normally naming the same file) so that the consumed seed material is
replaced on exit.
=item B<-rand> I<files>
A file or files containing random data used to seed the random number
Multiple files can be specified separated by an OS-dependent character.
The separator is C<;> for MS-Windows, C<,> for OpenVMS, and C<:> for
all others. Another way to specify multiple files is to repeat this flag
with different filenames.
=item B<-writerand> I<file>
Writes the seed data to the specified I<file> upon exit.
This file can be used in a subsequent command invocation.
=head2 Certificate Verification Options
See the L<openssl-verification-options(1)> manual page.
=head2 Name Format Options
See the L<openssl-namedisplay-options(1)> manual page.
=head2 TLS Version Options
Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.
The options below can be used to limit which protocol versions are used,
and whether TCP (SSL and TLS) or UDP (DTLS) is used.
Note that not all protocols and flags may be available, depending on how
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
When a specific TLS version is required, only that version will be offered or
Only one specific protocol can be given and it cannot be combined with any of
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
These options specify to use DTLS instead of TLS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
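The version options applied with B<s_client> to enumerate what a server accepts (for instance to confirm that TLS 1.0 and 1.1 are really switched off), added here as an example and not taken from the OpenSSL manual or sources. It assumes an B<openssl> binary on PATH and a reachable target; the C<OPENSSL> and C<TARGET> variables and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the OpenSSL manual): use the per-version options
# above with s_client to find out which TLS versions a server accepts and
# which one it picks under a client-side restriction.  Assumes an openssl
# binary on PATH; OPENSSL, TARGET and the function names are this script's own.
OPENSSL="${OPENSSL:-openssl}"

# tls_probe HOST PORT OPTION
#   Attempt one handshake restricted to the given version option
#   (-tls1, -tls1_1, -tls1_2 or -tls1_3).  Exit 0 when the handshake
#   completes: s_client exits 0 once it reaches end of input on stdin
#   (immediately, from /dev/null) after a successful handshake, and
#   non-zero when the handshake fails or the option is not compiled in.
#   -servername sends SNI, which virtual-hosted servers need.
tls_probe() {
    "$OPENSSL" s_client -connect "$1:$2" -servername "$1" "$3" \
        </dev/null >/dev/null 2>&1
}

# tls_negotiated HOST PORT [OPTION...]
#   Print the protocol version the server picked given the client-side
#   restrictions in OPTION..., e.g. -no_tls1_3 to see what it falls back to.
#   -brief writes a one-line summary ("Protocol version: TLSv1.2") to
#   stderr; nothing is printed if the handshake fails.
tls_negotiated() {
    host=$1; port=$2; shift 2
    "$OPENSSL" s_client -connect "$host:$port" -servername "$host" -brief "$@" \
        </dev/null 2>&1 | sed -n 's/^Protocol version: //p'
}

# tls_versions HOST PORT
#   Print one line per accepted version, in the form "TLSv1.2".
tls_versions() {
    for opt in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if tls_probe "$1" "$2" "$opt"; then
            case "$opt" in
                -tls1)   printf 'TLSv1.0\n' ;;
                -tls1_1) printf 'TLSv1.1\n' ;;
                -tls1_2) printf 'TLSv1.2\n' ;;
                -tls1_3) printf 'TLSv1.3\n' ;;
            esac
        fi
    done
}

# legacy_tls_accepted HOST PORT
#   Exit 0 (a finding) if the server still accepts TLS 1.0 or 1.1.
legacy_tls_accepted() {
    tls_versions "$1" "$2" | grep -q -e '^TLSv1\.0$' -e '^TLSv1\.1$'
}

# Usage: TARGET=host[:port] sh tlsprobe.sh   (port defaults to 443)
if [ -n "${TARGET:-}" ]; then
    host=${TARGET%%:*}
    port=${TARGET#*:}
    [ "$port" = "$TARGET" ] && port=443
    echo "accepted versions:"; tls_versions "$host" "$port"
    echo "default choice: $(tls_negotiated "$host" "$port")"
    echo "without TLS 1.3: $(tls_negotiated "$host" "$port" -no_tls1_3)"
    if legacy_tls_accepted "$host" "$port"; then
        echo "WARNING: legacy TLS 1.0/1.1 accepted by $host:$port" >&2
    fi
fi
```

A probe that fails for B<-tls1> proves little on its own: the local build may have TLS 1.0 compiled out or disallowed by its security level, so check the verbose B<s_client> error before reporting the server as hardened.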
=head2 Engine Options
=item B<-engine> I<id>
Load the engine identified by I<id> and use all the methods it implements
(algorithms, key storage, etc.), unless specified otherwise in the
command-specific documentation or it is configured to do so, as described in
L<config(5)/Engine Configuration>.
Note that the ENGINE API is deprecated since OpenSSL 3.0; where a provider
exists for the same hardware or library, prefer the B<-provider> options below.
The engine will be used for key ids specified with B<-key> and similar
options when an option like B<-keyform engine> is given.
A special case is the C<loader_attic> engine, which
is meant just for internal OpenSSL testing purposes and
supports loading keys, parameters, certificates, and CRLs from files.
When this engine is used, files with such credentials are read via this engine.
Using the C<file:> scheme is optional; a plain file (path) name will do.
Options specifying keys, like B<-key> and similar, can use the generic
OpenSSL engine key loading URI scheme C<org.openssl.engine:> to retrieve
private keys and public keys. The URI syntax is as follows, in simplified
    org.openssl.engine:{engineid}:{keyid}
Where C<{engineid}> is the identity/name of the engine, and C<{keyid}> is a
key identifier that's acceptable by that engine. For example, when using an
engine that interfaces against a PKCS#11 implementation, the generic key URI
would be something like this (this happens to be an example for the PKCS#11
engine that's part of OpenSC):
    -key org.openssl.engine:pkcs11:label_some-private-key
As a third possibility, for engines and providers that have implemented
their own L<OSSL_STORE_LOADER(3)>, C<org.openssl.engine:> should not be
necessary. For a PKCS#11 implementation that has implemented such a loader,
the PKCS#11 URI as defined in RFC 7512 should be possible to use directly:
    -key pkcs11:object=some-private-key;pin-value=1234
A PIN passed with C<pin-value> appears in the command line and is therefore
visible to other users of the host through the process listing; on shared
systems prefer C<pin-source> (also defined in RFC 7512), which refers to a
file or other source holding the PIN.
=head2 Provider Options
=item B<-provider> I<name>
Load and initialize the provider identified by I<name>.
See L<provider(7)> for a more detailed description.
=item B<-provider-path> I<path>
Specifies the search path that is to be used for looking for providers.
Equivalently, the B<OPENSSL_MODULES> environment variable may be set.
=item B<-propquery> I<propq>
Specifies the I<property query clause> to be used when fetching algorithms
from the loaded providers.
See L<property(7)> for a more detailed description.
The OpenSSL library can take some configuration parameters from the
environment. Some of these variables are listed below. For information
about specific commands, see L<openssl-engine(1)>,
L<openssl-rehash(1)>, and L<tsget(1)>.
For information about the use of environment variables in configuration,
see L<config(5)/ENVIRONMENT>.
For information about querying or specifying CPU architecture flags, see
L<OPENSSL_ia32cap(3)>, and L<OPENSSL_s390xcap(3)>.
For information about all environment variables used by the OpenSSL libraries,
see L<openssl-env(7)>.
=item B<OPENSSL_TRACE=>I<name>[,...]
Enable tracing output of the OpenSSL library, by name.
This output will only make sense if you know OpenSSL internals well.
Also, it might not give you any output at all, depending on how
The value is a comma separated list of names, with the following
The tracing functionality.
Show details about provider and engine configuration.
=item B<ENGINE_TABLE>
The function that is used by RSA, DSA (etc) code to select registered
ENGINEs, cache defaults and functional references (etc), will generate
=item B<ENGINE_REF_COUNT>
Reference counts in the ENGINE structure will be monitored with a line
of output generated for each change.
=item B<PKCS12_KEYGEN>
PKCS#12 key generation.
=item B<PKCS12_DECRYPT>
=item B<X509V3_POLICY>
Generates the complete policy tree at various points during X.509 v3
L<openssl-asn1parse(1)>,
L<openssl-ciphers(1)>,
L<openssl-crl2pkcs7(1)>,
L<openssl-dhparam(1)>,
L<openssl-dsaparam(1)>,
L<openssl-ecparam(1)>,
L<openssl-engine(1)>,
L<openssl-errstr(1)>,
L<openssl-gendsa(1)>,
L<openssl-genpkey(1)>,
L<openssl-genrsa(1)>,
L<openssl-passwd(1)>,
L<openssl-pkcs12(1)>,
L<openssl-pkeyparam(1)>,
L<openssl-pkeyutl(1)>,
L<openssl-rehash(1)>,
L<openssl-rsautl(1)>,
L<openssl-s_client(1)>,
L<openssl-s_server(1)>,
L<openssl-s_time(1)>,
L<openssl-sess_id(1)>,
L<openssl-storeutl(1)>,
L<openssl-verify(1)>,
L<openssl-version(1)>,
The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
The B<-xcertform> and B<-xkeyform> options
are obsolete since OpenSSL 3.0 and have no effect.
The interactive mode, which could be invoked by running C<openssl>
with no further arguments, was removed in OpenSSL 3.0, and running
that program with no arguments is now equivalent to C<openssl help>.
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.