print STDERR <<EOF;
Usage:
CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
- CA.pl -pkcs12 [-extra-pkcs12 parameter] [certname]
- CA.pl -verify [-extra-verify parameter] certfile ...
- CA.pl -revoke [-extra-ca parameter] certfile [reason]
+ CA.pl -pkcs12 [certname]
+ CA.pl -verify certfile ...
+ CA.pl -revoke certfile [reason]
EOF
exit 0;
}
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
{"ssl_config", OPT_SSL_CONFIG, 's',
- "Configure SSL_CTX using the configuration 'val'"},
+ "Configure SSL_CTX using the given configuration value"},
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "trace protocol messages"},
#endif
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
- "mismatch send fatal alert (default warning alert)"},
+ "On servername mismatch send fatal alert (default warning alert)"},
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"quiet", OPT_QUIET, '-', "No server output"},
"use URI as certificate store to verify CA certificate"},
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
{"ext_cache", OPT_EXT_CACHE, '-',
- "Disable internal cache, setup and use external cache"},
+ "Disable internal cache, set up and use external cache"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-',
"No verify output except verify errors"},
- {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
- {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+ {"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
+ {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
#ifndef OPENSSL_NO_OCSP
OPT_SECTION("OCSP"),
OPT_SECTION("Network"),
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
- {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
+ {"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
#endif
OPT_SECTION("Action"),
- {"add", OPT_ADD, '-', "Add a user and srp verifier"},
- {"modify", OPT_MODIFY, '-', "Modify the srp verifier of an existing user"},
+ {"add", OPT_ADD, '-', "Add a user and SRP verifier"},
+ {"modify", OPT_MODIFY, '-', "Modify the SRP verifier of an existing user"},
{"delete", OPT_DELETE, '-', "Delete user from verifier file"},
{"list", OPT_LIST, '-', "List users"},
B<-newca>
[B<-extra-I<cmd>> I<parameter>]
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<parameter>] [I<certname>]
+B<CA.pl> B<-pkcs12> [I<certname>]
-B<CA.pl> B<-verify> [B<-extra-verify> I<parameter>] I<certfile> ...
+B<CA.pl> B<-verify> I<certfile> ...
-B<CA.pl> B<-revoke> [B<-extra-ca> I<parameter>] I<certfile> [I<reason>]
+B<CA.pl> B<-revoke> I<certfile> [I<reason>]
=head1 DESCRIPTION
=over 4
-=item B<?>, B<-h>, B<-help>
+=item B<-?>, B<-h>, B<-help>
Prints a usage message.
This option prevents output of the encoded version of the key.
+=item B<-param_out>
+
+Print the elliptic curve parameters.
+
=item B<-pubin>
By default, a private key is read from the input file. With this option a
=over 4
+=item B<-I<cipher>>
+
+The cipher to use.
+
=item B<-help>
Print out a usage message.
[B<-out> I<file>]
[B<-issuer> I<file>]
[B<-cert> I<file>]
+[B<-no_certs>]
[B<-serial> I<n>]
[B<-signer> I<file>]
[B<-signkey> I<file>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
-[B<-no_certs>]
[B<-reqout> I<file>]
[B<-respout> I<file>]
[B<-reqin> I<file>]
is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.
+=item B<-no_certs>
+
+Don't include any certificates in signed request.
+
=item B<-serial> I<num>
Same as the B<-cert> option except the certificate with serial number
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).
-
=item B<-nmin> I<minutes>, B<-ndays> I<days>
Number of minutes or days when fresh revocation information is available:
the password in deriving the encryption key for the PKCS#8 output.
High values increase the time required to brute-force a PKCS#8 container.
+=item B<-noiter>
+
+When creating new PKCS#8 containers, use 1 as iteration count.
+
=item B<-nocrypt>
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
[B<-no_proxy> I<addresses>]
[B<-status_url> I<val>]
[B<-status_file> I<infile>]
+[B<-ssl_config> I<val>]
[B<-trace>]
[B<-security_debug>]
[B<-security_debug_verbose>]
[B<-brief>]
[B<-rev>]
[B<-async>]
-[B<-ssl_config> I<val>]
[B<-max_send_frag> I<+int>]
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-listen>]
[B<-sctp>]
[B<-sctp_label_bug>]
+[B<-use_srtp> I<val>]
[B<-no_dhe>]
[B<-nextprotoneg> I<val>]
-[B<-use_srtp> I<val>]
[B<-alpn> I<val>]
[B<-sendfile>]
[B<-keylogfile> I<outfile>]
Print extensive debugging information including a hex dump of all traffic.
+=item B<-security_debug>
+
+Print output from SSL/TLS security framework.
+
+=item B<-security_debug_verbose>
+
+Print more output from SSL/TLS security framework
+
=item B<-msg>
Show all protocol messages with hex dump.
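Review bot: The new `-security_debug_verbose` description `Print more output from SSL/TLS security framework` has no terminating period, unlike the sibling `-security_debug` item added just above it and the surrounding items. Change it to `Print more output from SSL/TLS security framework.` so the two entries read consistently.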
Inhibit printing of session and certificate information.
+=item B<-no_resume_ephemeral>
+
+Disable caching and tickets if ephemeral (EC)DH is used.
+
=item B<-tlsextdebug>
Print a hex dump of any TLS extensions received from the server.
closed connection will be treated as if the close_notify alert was received.
For more information on shutting down a connection, see L<SSL_shutdown(3)>.
+=item B<-servername>
+
+Servername for HostName TLS extension.
+
+=item B<-servername_fatal>
+
+On servername mismatch send fatal alert (default: warning alert).
+
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
servers, when each of which might be generating a unique range of session
IDs (e.g. with a certain prefix).
+=item B<-keymatexport>
+
+Export keying material using label.
+
+=item B<-keymatexportlen>
+
+Export the given number of bytes of keying material; default 20.
+
+=item B<-no_cache>
+
+Disable session cache.
+
+=item B<-ext_cache>.
+
+Disable internal cache, set up and use external cache.
+
=item B<-verify_return_error>
Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.
+=item B<-verify_quiet>
+
+No verify output except verify errors.
+
+=item B<-ign_eof>
+
+Ignore input EOF (default: when B<-quiet>).
+
+=item B<-no_ign_eof>
+
+Do not ignore input EOF.
+
=item B<-status>
Enables certificate status request support (aka OCSP stapling).
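Review bot: Several of the new `=item` headings omit the argument the option takes, unlike the neighbouring `=item B<-id_prefix> I<val>` and `=item B<-ssl_config> I<val>`: `-servername` (declared with type `'s'`, a string, in the C option table earlier in this diff), `-keymatexport` (a label, per its own text) and `-keymatexportlen` (a byte count, "default 20") are written as bare `B<-...>`, so a reader cannot tell they need a value. The same applies to `-mtu` (type `'p'` in the option table, so `I<+int>` as used in the synopsis lines), `-srpvfile`, `-srpuserseed` and `-use_srtp` in the later hunks of this page, and to `-name` in the srp manual-page hunk, whose synopsis shows `[B<-name> I<section>]`; for example `=item B<-keymatexport> I<label>`, `=item B<-keymatexportlen> I<len>`, `=item B<-mtu> I<+int>`. Separately, `=item B<-ext_cache>.` carries a stray period after the closing `>`, which should be `=item B<-ext_cache>`.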
Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.
+=item B<-ssl_config> I<val>
+
+Configure SSL_CTX using the given configuration value.
+
=item B<-trace>
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
Turns on non blocking I/O.
+=item B<-timeout>
+
+Enable timeouts.
+
+=item B<-mtu>
+
+Set link-layer MTU.
+
=item B<-psk_identity> I<val>
Expect the client to send PSK identity I<val> when using a PSK
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
+=item B<-srpvfile>
+
+The verifier file for SRP.
+This option is deprecated.
+
+=item B<-srpuserseed>
+
+A seed string for a default user salt.
+This option is deprecated.
+
=item B<-listen>
This option can only be used in conjunction with one of the DTLS options above.
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.
+=item B<-use_srtp>
+
+Offer SRTP key management with a colon-separated profile list.
+
=item B<-no_dhe>
If this option is set then no DH parameters will be loaded effectively
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
-The B<-engine> option was deprecated in OpenSSL 3.0.
+The B<-srpvfile>, B<-srpuserseed>, and B<-engine>
+option were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
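Review bot: The rewritten HISTORY sentence does not agree in number: it lists three options but says `option were deprecated in OpenSSL 3.0.`. It should read `options were deprecated in OpenSSL 3.0.`, i.e. `The B<-srpvfile>, B<-srpuserseed>, and B<-engine>` / `options were deprecated in OpenSSL 3.0.`.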
Time the decryption instead of encryption. Affects only the EVP testing.
+=item B<-mb>
+
+Enable multi-block mode on EVP-named cipher.
+
+=item B<-aead>
+
+Benchmark EVP-named AEAD cipher in TLS-like sequence.
+
=item B<-primes> I<num>
Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
[B<-delete>]
[B<-list>]
[B<-name> I<section>]
-[B<-config> I<file>]
[B<-srpvfile> I<file>]
[B<-gn> I<identifier>]
[B<-userinfo> I<text>]
[B<-passout> I<arg>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_config_synopsis -}
[I<user> ...]
=head1 DESCRIPTION
Generate verbose output while processing.
+=item B<-add>
+
+Add a user and SRP verifier.
+
+=item B<-modify>
+
+Modify the SRP verifier of an existing user.
+
+=item B<-delete>
+
+Delete user from verifier file.
+
+=item B<-list>
+
+List users.
+
+=item B<-name>
+
+The particular SRP definition to use.
+
=item B<-srpvfile> I<file>
If the config file is not specified,
{- $OpenSSL::safe::opt_engine_item -}
+{- $OpenSSL::safe::opt_r_item -}
+
{- $OpenSSL::safe::opt_provider_item -}
+{- $OpenSSL::safe::opt_config_item -}
+
{- $OpenSSL::safe::opt_r_synopsis -}
=back
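Review bot: The hunk adds `{- $OpenSSL::safe::opt_r_item -}` to the options list but leaves the context line `{- $OpenSSL::safe::opt_r_synopsis -}` immediately below the new `opt_config_item` line, just before `=back`. If that line sits inside the same `=over` block, it presumably expands to a synopsis-style bracketed fragment rather than an `=item`, and now duplicates the random-option item added above it; it looks like it should be removed, or replaced by whatever item macro is intended there. Since the `=over` line is outside the hunk, please confirm the list boundary before changing it.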
Print out a usage message.
+=item B<-query>
+
+Generate a TS query. For details see L</Timestamp Request generation>.
+
+=item B<-reply>
+
+Generate a TS reply. For details see L</Timestamp Response generation>.
+
+=item B<-verify>
+
+Verify a TS response. For details see L</Timestamp Response verification>.
+
=back
=head2 Timestamp Request generation
-The B<-query> switch can be used for creating and printing a timestamp
+The B<-query> command can be used for creating and printing a timestamp
request with the following options:
=over 4
B<openssl>
B<list>
-B<-standard-commands> |
-B<-digest-commands> |
-B<-cipher-commands> |
-B<-cipher-algorithms> |
-B<-digest-algorithms> |
-B<-mac-algorithms> |
-B<-public-key-algorithms>
+B<standard-commands> |
+B<digest-commands> |
+B<cipher-commands> |
+B<cipher-algorithms> |
+B<digest-algorithms> |
+B<mac-algorithms> |
+B<public-key-algorithms>
B<openssl> B<no->I<XXX> [ I<options> ]
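Review bot: Dropping the leading hyphen from the list keywords (`B<standard-commands>`, `B<digest-commands>`, ...) in the synopsis appears to document an invocation that the tool does not accept: these are options of the `list` command and are given as `openssl list -standard-commands`, consistent with how every other option in this diff is rendered as `B<-name>`. Unless the command has been changed to take bare keywords (nothing in this diff shows that), the old `B<-standard-commands> |` form should be kept, or the synopsis should point at the list command's own manual page instead.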
# Extended validation options.
$OpenSSL::safe::opt_x_synopsis = ""
-. "[B<-xkey>] I<infile>\n"
+. "[B<-xkey> I<infile>]\n"
. "[B<-xcert> I<file>]\n"
-. "[B<-xchain>] I<file>\n"
-. "[B<-xchain_build>] I<file>\n"
+. "[B<-xchain> I<file>]\n"
+. "[B<-xchain_build> I<file>]\n"
. "[B<-xcertform> B<DER>|B<PEM>]>\n"
. "[B<-xkeyform> B<DER>|B<PEM>]>";
$OpenSSL::safe::opt_x_item = ""
-. "=item B<xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
+. "=item B<-xkey> I<infile>, B<-xcert> I<file>, B<-xchain> I<file>,\n"
. "B<-xchain_build> I<file>, B<-xcertform> B<DER>|B<PEM>,\n"
. "B<-xkeyform> B<DER>|B<PEM>\n"
. "\n"
. "[B<-no_middlebox>]";
$OpenSSL::safe::opt_s_item = ""
. "=item B<-bugs>, B<-comp>, B<-no_comp>, B<-no_ticket>, B<-serverpref>,\n"
-. "B<-client_renegotiation>, B<_immediate_renegotiation>\n"
-. "B<-legacy_renegotiation>, B<-no_renegotiation>, B<-no_resumption_on_reneg>,\n"
+. "B<-client_renegotiation>, B<_immediate_renegotiation>,\n"
+. "B<-legacy_renegotiation>, B<-no_renegotiation>,\n"
+. "B<-immediate_renegotiation>, B<-no_resumption_on_reneg>,\n"
. "B<-legacy_server_connect>, B<-no_legacy_server_connect>,\n"
. "B<-allow_no_dhe_kex>, B<-prioritize_chacha>, B<-strict>, B<-sigalgs>\n"
. "I<algs>, B<-client_sigalgs> I<algs>, B<-groups> I<groups>, B<-curves>\n"