[B<-md> I<arg>]
[B<-policy> I<arg>]
[B<-keyfile> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-key> I<arg>]
[B<-passin> I<arg>]
[B<-cert> I<file>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<certreq>...]
=head1 DESCRIPTION
The CA private key to sign certificate requests with.
This must match with B<-cert>.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The format of the private key input file; unspecified by default.
See L<openssl-format-options(1)> for details.
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
When doing so, specific care should be taken to
properly secure the private key(s) used for signing certificates.
It is advisable to keep them in a secure HW storage such as a smart card or HSM
-and access them via a suitable engine or crypto provider.
+and access them via a suitable crypto provider.
This command is effectively a single user command: no locking
is done on the various files and attempts to run more than one B<openssl ca>
The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
has no effect.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
Since OpenSSL 3.2, generated certificates bear X.509 version 3,
and key identifier extensions are included by default.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 SEE ALSO
L<openssl(1)>,
[B<-crlform> I<PEM|DER>]
[B<-keyform> I<PEM|DER|P12>]
[B<-otherpass> I<arg>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
Random state options:
For more information about the format of I<arg> see
L<openssl-passphrase-options(1)>.
-{- $OpenSSL::safe::opt_engine_item -}
-
=back
=head2 Provider options
The B<cmp> application was added in OpenSSL 3.0.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>,
The B<-srvcertout>, and B<-serial> option were added in OpenSSL 3.2, as well
as an extension of B<-cacertsout> to use when getting CA certificates.
B<-centralkeygen>, B<-newkeyout>, B<-rsp_key> and
B<-rsp_keypass> were added in OpenSSL 3.5.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-inkey> I<filename>|I<uri>]
[B<-passin> I<arg>]
[B<-keyopt> I<name>:I<parameter>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
+{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
Encryption options:
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The format of the private key file; unspecified by default.
See L<openssl-format-options(1)> for details.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
{- $OpenSSL::safe::opt_r_item -}
The B<-nameopt> option was added in OpenSSL 3.0.0.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-digest> option was added in OpenSSL 3.2.
The B<-recip_kdf> and B<-recip_ukm> options were added in OpenSSL 3.6.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-r>]
[B<-out> I<filename>]
[B<-sign> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-passin> I<arg>]
[B<-verify> I<filename>]
[B<-prverify> I<filename>]
[B<-mac> I<alg>]
[B<-macopt> I<nm>:I<v>]
[B<-fips-fingerprint>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- output_off() if $disabled{"deprecated-3.0"}; ""
--}[B<-engine_impl> I<id>]{-
- output_on() if $disabled{"deprecated-3.0"}; "" -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<file> ...]
signing. For these algorithms, if the input is larger than 16MB an error
will occur.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The format of the key to sign with; unspecified by default.
See L<openssl-format-options(1)> for details.
Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
-which are not based on hash, for instance B<gost-mac> algorithm,
-supported by the B<gost> engine. MAC keys and other options should be set
+which are not based on hash. MAC keys and other options should be set
via B<-macopt> parameter.
Cannot be used together with -hmac, -hmac-env and -hmac-stdin.
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-{- output_off() if $disabled{"deprecated-3.0"}; "" -}
-The engine is not used for digests unless the B<-engine_impl> option is
-used or it is configured to do so, see L<config(5)/Engine Configuration Module>.
-
-=item B<-engine_impl> I<id>
-
-When used with the B<-engine> option, it specifies to also use
-engine I<id> for digest operations.
-
-{- output_on() if $disabled{"deprecated-3.0"}; "" -}
{- $OpenSSL::safe::opt_provider_item -}
=item I<file> ...
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
-The B<-engine> and B<-engine_impl> options were deprecated in OpenSSL 3.0.
+The B<-engine> and B<-engine_impl> options were removed in OpenSSL 4.0.
The B<-hmac-env> and B<-hmac-stdin> options were added in OpenSSL 4.0.
[B<-2>]
[B<-3>]
[B<-5>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]
This option prints out the DH parameters in human readable form.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-C> option was removed in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
[B<-pvk-strong>]
[B<-pvk-weak>]
[B<-pvk-none>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
Don't enforce PVK encoding.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-verbose>]
[B<-quiet>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<numbits>]
[I<numqbits>]
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
=item I<numbits>
This optional argument specifies that a parameter set should be generated of
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-C> option was removed in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
B<openssl> B<ec>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-inform> B<DER>|B<PEM>|B<P12>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>|I<uri>]
[B<-passin> I<arg>]
[B<-param_enc> I<arg>]
[B<-no_public>]
[B<-check>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-inform> B<DER>|B<PEM>|B<P12>
The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
This option checks the consistency of an EC private or public key.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-conv_form> and B<-no_public> options are no longer supported
with keys loaded from an engine in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2003-2023 The OpenSSL Project Authors. All Rights Reserved.
[B<-param_enc> I<arg>]
[B<-no_seed>]
[B<-genkey>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
This option will generate an EC private key using the specified parameters.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-C> option was removed in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.
[B<-none>]
[B<-skeymgmt> I<skeymgmt>]
[B<-skeyopt> I<opt>:I<value>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
B<openssl> I<cipher> [B<...>]
{- $OpenSSL::safe::opt_provider_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
=back
=head1 NOTES
The program can be called either as C<openssl I<cipher>> or
-C<openssl enc -I<cipher>>. The first form doesn't work with
-engine-provided ciphers, because this form is processed before the
-configuration file is read and any ENGINEs loaded.
+C<openssl enc -I<cipher>>.
Use the L<openssl-list(1)> command to get a list of supported ciphers.
-Engines which provide entirely new encryption algorithms (such as the ccgost
-engine which provides gost89 algorithm) should be configured in the
-configuration file. Engines specified on the command line using B<-engine>
-option can only be used for hardware-assisted implementations of
-ciphers which are supported by the OpenSSL core or another engine specified
-in the configuration file.
-
-When the enc command lists supported ciphers, ciphers provided by engines,
+When the enc command lists supported ciphers, ciphers provided by providers,
specified in the configuration files are listed too.
A password will be prompted for to derive the key and IV if necessary.
=head1 SUPPORTED CIPHERS
Note that some of these ciphers can be disabled at compile time
-and some are available only if an appropriate engine is configured
+and some are available only if an appropriate provider is configured
in the configuration file. The output when invoking this command
with the B<-list> option (that is C<openssl enc -list>) is
a list of ciphers, supported by your version of OpenSSL, including
-ones provided by configured engines.
+ones provided by configured providers.
This command does not support authenticated encryption modes
like CCM and GCM, and will not support such modes in the future.
desx DESX algorithm.
- gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
- gost89-cnt GOST 28147-89 in CNT mode (provided by ccgost engine)
-
idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
idea-cfb IDEA in CFB mode
The B<-list> option was added in OpenSSL 1.1.1e.
-The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
+The B<-ciphers> option was deprecated in OpenSSL 3.0.
The B<-saltlen> option was added in OpenSSL 3.2.
The B<-skeymgmt> and B<-skeyopt> options were added in OpenSSL 3.5.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
the possible formats. However if the B<DER> or B<PEM> input format is specified
it will be enforced.
-In order to access a key via an engine the input format B<ENGINE> may be used;
-alternatively the key identifier in the <uri> argument of the respective key
-option may be preceded by C<org.openssl.engine:>.
-See L<openssl(1)/Engine Options> for an example usage of the latter.
-
=head1 OPTIONS
=head2 Format Options
A binary format, encoded or parsed according to Distinguished Encoding Rules
(DER) of the ASN.1 data language.
-=item B<ENGINE>
-
-Used to specify that the cryptographic material is in an OpenSSL B<engine>.
-An engine must be configured or specified using the B<-engine> option.
-A password or PIN may be supplied to the engine using the B<-passin> option.
-
=item B<P12>
A DER-encoded file containing a PKCS#12 object.
[B<-verbose>]
[B<-quiet>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<paramfile>]
=head1 DESCRIPTION
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
=item I<paramfile>
The DSA parameter file to use. The parameters in this file determine
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-genparam>]
[B<-text>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_config_synopsis -}
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
{- $OpenSSL::safe::opt_config_item -}
=head1 NOTES
The use of the genpkey program is encouraged over the algorithm specific
-utilities because additional algorithm options and ENGINE provided algorithms
+utilities because additional algorithm options and provider provided algorithms
can be used.
=head1 EXAMPLES
The ability to generate X25519 keys was added in OpenSSL 1.1.0.
The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
Support for B<ML-DSA> and B<ML-KEM> was added in OpenSSL 3.5.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-quiet>]
[B<-traditional>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<numbits>]
=head1 DESCRIPTION
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=item B<numbits>
L<openssl-genpkey(1)>,
L<openssl-gendsa(1)>
+=head1 HISTORY
+
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
B<openssl info>
[B<-help>]
[B<-configdir>]
-[B<-enginesdir>]
[B<-modulesdir> ]
[B<-dsoext>]
[B<-dirnamesep>]
Outputs the default directory for OpenSSL configuration files.
-=item B<-enginesdir>
-
-Outputs the default directory for OpenSSL engine modules.
-
=item B<-modulesdir>
-Outputs the default directory for OpenSSL dynamically loadable modules
-other than engine modules.
+Outputs the default directory for OpenSSL dynamically loadable modules.
=item B<-dsoext>
The B<-windowscontext> option was added in OpenSSL 3.4.
+The B<-enginesdir> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
[B<-public-key-methods>]
[B<-store-loaders>]
[B<-providers>]
-{- output_off() if $disabled{"deprecated-3.0"}; ""
--}[B<-engines>]
{- output_on() if $disabled{"deprecated-3.0"}; ""
-}[B<-disabled>]
[B<-objects>]
In verbose mode, the full version and all provider parameters will additionally
be displayed.
-
-=item B<-engines>
-
-This option is deprecated.
-
-Display a list of loaded engines.
-
=item B<-disabled>
Display a list of disabled features, those that were compiled out
=head1 HISTORY
-The B<-engines>, B<-digest-commands>, and B<-cipher-commands> options
+The B<-digest-commands>, and B<-cipher-commands> options
were deprecated in OpenSSL 3.0.
The B<-skey-managers> option was added in OpenSSL 3.5.
+The B<-engines> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-nocerts>]
[B<-noout>]
[B<-legacy>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
PKCS#12 input (parsing) options:
and the default encryption algorithm for both certificates and private keys is
AES_256_CBC with PBKDF2 for key derivation.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
{- $OpenSSL::safe::opt_r_item -}
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
The B<-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
The B<-macsaltlen> option default changed from 8 to 16 bytes in OpenSSL 3.6.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-quiet>]
[B<-text>]
[B<-noout>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
Don't output the encoded version of the PKCS#7 structure (or certificates
if B<-print_certs> is set).
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-scrypt_p> I<p>]
[B<-saltlen> I<size>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
The B<-iter> option was added in OpenSSL 1.1.0.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
B<openssl> B<pkey>
[B<-help>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-check>]
[B<-pubcheck>]
[B<-in> I<filename>|I<uri>]
-[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-inform> B<DER>|B<PEM>|B<P12>]
[B<-passin> I<arg>]
[B<-pubin>]
[B<-out> I<filename>]
Print out a usage message.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=item B<-check>
If the key input is encrypted and B<-passin> is not given
a pass phrase will be prompted for.
-=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-inform> B<DER>|B<PEM>|B<P12>
The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-text>]
[B<-noout>]
[B<-check>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
This option checks the correctness of parameters.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-secret> I<file>]
[B<-sigfile> I<file>]
[B<-inkey> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-passin> I<arg>]
[B<-pubin>]
[B<-certin>]
[B<-decrypt>]
[B<-derive>]
[B<-peerkey> I<file>]
-[B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-peerform> B<DER>|B<PEM>|B<P12>]
[B<-encap>]
[B<-decap>]
[B<-kdf> I<algorithm>]
[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
[B<-asn1parse>]
-{- $OpenSSL::safe::opt_engine_synopsis -}[B<-engine_impl>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_config_synopsis -}
The input key, by default it should be a private key.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
to use with the key derivation (agreement) operation.
Its type must match the type of the own private key given with B<-inkey>.
-=item B<-peerform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-peerform> B<DER>|B<PEM>|B<P12>
The peer key format; unspecified by default.
See L<openssl-format-options(1)> for details.
an ASN.1 DER-encoded structure had been signed directly (without hashing it)
and when checking a signature in PKCS#1 v1.5 format, which has a DER encoding.
-{- $OpenSSL::safe::opt_engine_item -}
-
-{- output_off() if $disabled{"deprecated-3.0"}; "" -}
-=item B<-engine_impl>
-
-When used with the B<-engine> option, it specifies to also use
-engine I<id> for crypto operations.
-{- output_on() if $disabled{"deprecated-3.0"}; "" -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
Also since OpenSSL 3.5, the B<-kemop> option is no longer required for any of
the supported algorithms, the only supported B<mode> is now the default.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-out> I<file>]
[B<-base64>]
[B<-hex>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
I<num>[K|M|G|T]
Show the output as a hex string.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-noenc>]
[B<-nodes>]
[B<-key> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-keyout> I<filename>]
-[B<-keygen_engine> I<id>]
[B<-I<digest>>]
[B<-config> I<filename>]
[B<-section> I<name>]
[B<-quiet>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
B<dsa:>I<filename> generates a DSA key using the parameters
in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
-ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
-34.10-2001 key (requires B<gost> engine configured in the configuration
-file). If just B<gost2001> is specified a parameter set should be
-specified by B<-pkeyopt> I<paramset:X>
+ECDSA or ECDH algorithms).
=item B<-pkeyopt> I<opt>:I<value>
This option also accepts PKCS#8 format private keys for PEM format files.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The format of the private key; unspecified by default.
See L<openssl-format-options(1)> for details.
handy during batch scripts or pipelines (specifically "progress dots"
during key generation are suppressed).
-=item B<-keygen_engine> I<id>
-
-Specifies an engine (by its unique I<id> string) which would be used
-for key generation operations.
-
{- $OpenSSL::safe::opt_name_item -}
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
has no effect.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
+The <-nodes> option was deprecated in OpenSSL 3.0; use B<-noenc> instead.
The B<-reqexts> option has been made an alias of B<-extensions> in OpenSSL 3.2.
Since OpenSSL 3.3, the B<-verify> option will exit with 1 on failure.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
B<openssl> B<rsa>
[B<-help>]
-[B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-inform> B<DER>|B<PEM>|B<P12>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>|I<uri>]
[B<-passin> I<arg>]
[B<-pvk-strong>]
[B<-pvk-weak>]
[B<-pvk-none>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-inform> B<DER>|B<PEM>|B<P12>
The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
Don't enforce PVK encoding.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-rev>]
[B<-out> I<file>]
[B<-inkey> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-pubin>]
[B<-certin>]
[B<-sign>]
[B<-raw>]
[B<-hexdump>]
[B<-asn1parse>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
The input key, by default it should be an RSA private key.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
Parse the ASN.1 output data, this is useful when combined with the
B<-verify> option.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
This command was deprecated in OpenSSL 3.0.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-CRLform> B<DER>|B<PEM>]
[B<-crl_download>]
[B<-key> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-pass> I<arg>]
[B<-chainCAfile> I<filename>]
[B<-chainCApath> I<directory>]
{- $OpenSSL::safe::opt_s_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}[B<-ssl_client_engine> I<id>]
{- $OpenSSL::safe::opt_v_synopsis -}
[B<-enable_server_rpk>]
[B<-enable_client_rpk>]
The client private key to use.
If not specified then the certificate file will be used to read also the key.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
{- $OpenSSL::safe::opt_provider_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
-{- output_off() if $disabled{"deprecated-3.0"}; "" -}
-=item B<-ssl_client_engine> I<id>
-
-Specify engine to be used for client certificate operations.
-{- output_on() if $disabled{"deprecated-3.0"}; "" -}
-
{- $OpenSSL::safe::opt_v_item -}
Verification errors are displayed, for debugging, but the command will
The B<-certform> option has become obsolete in OpenSSL 3.0.0 and has no effect.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
The
B<-enable_client_rpk>,
[B<-serverinfo> I<val>]
[B<-key> I<filename>|I<uri>]
[B<-key2> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-pass> I<val>]
[B<-dcert> I<infile>]
[B<-dcertform> B<DER>|B<PEM>|B<P12>]
[B<-dcert_chain> I<infile>]
[B<-dkey> I<filename>|I<uri>]
-[B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-dkeyform> B<DER>|B<PEM>|B<P12>]
[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-enable_server_rpk>]
[B<-enable_client_rpk>]
The private Key file to use for servername if not given via B<-cert2>.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
The format of the additional certificate file; unspecified by default.
See L<openssl-format-options(1)> for details.
-=item B<-dkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-dkeyform> B<DER>|B<PEM>|B<P12>
The format of the additional private key; unspecified by default.
See L<openssl-format-options(1)> for details.
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
{- $OpenSSL::safe::opt_v_item -}
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
-The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
+The B<-srpvfile> and B<-srpuserseed>
option were deprecated in OpenSSL 3.0.
The
The B<-status_all> option was added in OpenSSL 3.6.
+The B<engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
[B<-recip> I< file>]
[B<-inform> B<DER>|B<PEM>|B<SMIME>]
[B<-outform> B<DER>|B<PEM>|B<SMIME>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-passin> I<arg>]
[B<-inkey> I<filename>|I<uri>]
[B<-out> I<file>]
[B<-stream>]
[B<-md> I<digest>]
{- $OpenSSL::safe::opt_trust_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_config_synopsis -}
the default is B<SMIME>.
See L<openssl-format-options(1)> for details.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
{- $OpenSSL::safe::opt_trust_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
The -no_alt_chains option was added in OpenSSL 1.1.0.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-mlock>]
[B<-testmode>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
[I<algorithm> ...]
=head1 DESCRIPTION
=item B<-elapsed>
When calculating operations- or bytes-per-second, use wall-clock time
-instead of CPU user time as divisor. It can be useful when testing speed
-of hardware engines.
+instead of CPU user time as divisor.
=item B<-evp> I<algo>
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=item I<algorithm> ...
The B<-testmode> option was added in OpenSSL 3.4.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
[B<-out> I<filename>]
[B<-digest> I<digest>]
[B<-key> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-passin> I<arg>]
[B<-challenge> I<string>]
[B<-pubkey>]
[B<-spksect> I<section>]
[B<-noout>]
[B<-verify>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key format; unspecified by default.
See L<openssl-format-options(1)> for details.
Verifies the digital signature on the supplied SPKAC.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-digest> option was added in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
[B<-userinfo> I<text>]
[B<-passin> I<arg>]
[B<-passout> I<arg>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
+{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
{- $OpenSSL::safe::opt_config_synopsis -}
[I<user> ...]
For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_provider_item -}
=head1 HISTORY
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-alias> I<arg>]
[B<-fingerprint> I<arg>]
[B<-I<digest>>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
I<uri>
=head1 DESCRIPTION
The digest that was used to compute the fingerprint given with B<-fingerprint>.
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
This command was added in OpenSSL 1.1.1.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-out> I<response.tsr>]
[B<-token_out>]
[B<-text>]
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
B<openssl> B<ts>
B<-verify>
If this option is specified the output is human-readable text format
instead of DER. (Optional)
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
define a RANDFILE for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 SEE ALSO
[B<-vfyopt> I<nm>:I<v>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_v_synopsis -}
+{- $OpenSSL::safe::opt_v_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
[B<-->]
[I<certificate> ...]
{- $OpenSSL::safe::opt_name_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-{- output_off() if $disabled{"deprecated-3.0"}; "" -}
-To load certificates or CRLs that require engine support, specify the
-B<-engine> option before any of the
-B<-trusted>, B<-untrusted> or B<-CRLfile> options.
-{- output_on() if $disabled{"deprecated-3.0"}; "" -}
-
{- $OpenSSL::safe::opt_trust_item -}
{- $OpenSSL::safe::opt_v_item -}
The B<-show_chain> option was added in OpenSSL 1.1.0.
-The B<-engine option> was deprecated in OpenSSL 3.0.
+The B<-engine> option was removed in OpenSSL 4.0.
=head1 COPYRIGHT
[B<-f>]
[B<-p>]
[B<-d>]
-[B<-e>]
[B<-m>]
[B<-r>]
[B<-c>]
OPENSSLDIR setting.
-=item B<-e>
-
-ENGINESDIR settings.
-
=item B<-m>
MODULESDIR settings.
=head1 HISTORY
In OpenSSL versions prior to 3.4, OpenSSL had a limitation regarding the
-B<OPENSSLDIR>, B<MODULESDIR> and B<ENGINESDIR> build time macros. These macros
+B<OPENSSLDIR> and B<MODULESDIR> build time macros. These macros
were defined at build time, and represented filesystem paths. This is common
practice on unix like systems, as there was an expectation that a given build
would be installed to a pre-determined location. On Windows however, there is
registry keys identified by the name openssl-<version>-<ctx>, in which the
<version> value is derived from the version string in the openssl source, and
the <ctx> extension is derived from the B<OSSL_WINCTX> variable. The values of
-B<OPENSSLDIR>, B<ENGINESDIR> and B<MODULESDIR> can be set to various paths
+B<OPENSSLDIR> and B<MODULESDIR> can be set to various paths
underneath this key to break the requirement to predict the installation path at
build time.
[B<-inform> B<DER>|B<PEM>]
[B<-vfyopt> I<nm>:I<v>]
[B<-key> I<filename>|I<uri>]
-[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-keyform> B<DER>|B<PEM>|B<P12>]
[B<-signkey> I<filename>|I<uri>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-CA> I<filename>|I<uri>]
[B<-CAform> B<DER>|B<PEM>|B<P12>]
[B<-CAkey> I<filename>|I<uri>]
-[B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-CAkeyform> B<DER>|B<PEM>|B<P12>]
[B<-CAserial> I<filename>]
[B<-CAcreateserial>]
[B<-trustout>]
[B<-clrreject>]
[B<-addreject> I<arg>]
{- $OpenSSL::safe::opt_r_synopsis -}
-{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_provider_synopsis -}
=head1 DESCRIPTION
This option is an alias of B<-key>.
-=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<P12>
The key input format; unspecified by default.
See L<openssl-format-options(1)> for details.
The private key must match the public key of the certificate given with B<-CA>.
If this option is not provided then the key must be present in the B<-CA> input.
-=item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
+=item B<-CAkeyform> B<DER>|B<PEM>|B<P12>
The format for the CA key; unspecified by default.
See L<openssl-format-options(1)> for details.
{- $OpenSSL::safe::opt_r_item -}
-{- $OpenSSL::safe::opt_engine_item -}
-
{- $OpenSSL::safe::opt_provider_item -}
=back
The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
keeping the old name as an alias.
-The B<-engine> option was deprecated in OpenSSL 3.0.
-
The B<-C> option was removed in OpenSSL 3.0.
Since OpenSSL 3.2, generated certificates bear X.509 version 3,
and key identifier extensions are included by default.
+The B<-engine> option was removed in OpenSSL 4.0.
+
=head1 COPYRIGHT
Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
projects / thirdparty / openssl.git / commitdiff
