5 openssl - OpenSSL command line tool
14 B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]
16 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
20 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
21 v2/v3) and Transport Layer Security (TLS v1) network protocols and related
22 cryptography standards required by them.
24 The B<openssl> program is a command line tool for using the various
25 cryptography functions of OpenSSL's B<crypto> library from the shell.
28 o Creation and management of private keys, public keys and parameters
29 o Public key cryptographic operations
30 o Creation of X.509 certificates, CSRs and CRLs
31 o Calculation of Message Digests
32 o Encryption and Decryption with Ciphers
33 o SSL/TLS Client and Server Tests
34 o Handling of S/MIME signed or encrypted mail
35 o Time Stamp requests, generation and verification
37 =head1 COMMAND SUMMARY
39 The B<openssl> program provides a rich variety of commands (I<command> in the
40 SYNOPSIS above), each of which often has a wealth of options and arguments
41 (I<command_opts> and I<command_args> in the SYNOPSIS).
43 Many commands use an external configuration file for some or all of their
44 arguments and have a B<-config> option to specify that file.
45 The environment variable B<OPENSSL_CONF> can be used to specify
46 the location of the file.
47 If the environment variable is not specified, then the file is named
48 B<openssl.cnf> in the default certificate storage area, whose value
49 depends on the configuration flags specified when the OpenSSL
52 The list parameters B<standard-commands>, B<digest-commands>,
53 and B<cipher-commands> output a list (one entry per line) of the names
54 of all standard commands, message digest commands, or cipher commands,
55 respectively, that are available in the present B<openssl> utility.
57 The list parameters B<cipher-algorithms> and
58 B<digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
62 The list parameter B<public-key-algorithms> lists all supported public
65 The command B<no->I<XXX> tests whether a command of the
66 specified name is available. If no command named I<XXX> exists, it
67 returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
68 and prints I<XXX>. In both cases, the output goes to B<stdout> and
69 nothing is printed to B<stderr>. Additional command line arguments
70 are always ignored. Since for each cipher there is a command of the
71 same name, this provides an easy way for shell scripts to test for the
72 availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
73 not able to detect pseudo-commands such as B<quit>,
74 B<list>, or B<no->I<XXX> itself.)
76 =head2 Standard Commands
82 Parse an ASN.1 sequence.
86 Certificate Authority (CA) Management.
90 Cipher Suite Description Determination.
94 CMS (Cryptographic Message Syntax) utility.
98 Certificate Revocation List (CRL) Management.
102 CRL to PKCS#7 Conversion.
106 Message Digest Calculation.
110 Diffie-Hellman Parameter Management.
111 Obsoleted by L<dhparam(1)>.
115 Generation and Management of Diffie-Hellman Parameters. Superseded by
116 L<genpkey(1)> and L<pkeyparam(1)>.
124 DSA Parameter Generation and Management. Superseded by
125 L<genpkey(1)> and L<pkeyparam(1)>.
129 EC (Elliptic curve) key processing.
133 EC parameter manipulation and generation.
137 Encoding with Ciphers.
141 Engine (loadable module) information and manipulation.
145 Error Number to Error String Conversion.
149 Generation of Diffie-Hellman Parameters.
150 Obsoleted by L<dhparam(1)>.
154 Generation of DSA Private Key from Parameters. Superseded by
155 L<genpkey(1)> and L<pkey(1)>.
159 Generation of Private Key or Parameters.
163 Generation of RSA Private Key. Superseded by L<genpkey(1)>.
167 Create or examine a Netscape certificate sequence.
171 Online Certificate Status Protocol utility.
175 Generation of hashed passwords.
179 PKCS#12 Data Management.
183 PKCS#7 Data Management.
187 PKCS#8 format private key conversion tool.
191 Public and private key management.
195 Public key algorithm parameter management.
199 Public key algorithm cryptographic operation utility.
203 Compute prime numbers.
207 Generate pseudo-random bytes.
211 Create symbolic links to certificate and CRL files named by the hash values.
215 PKCS#10 X.509 Certificate Signing Request (CSR) Management.
223 RSA utility for signing, verification, encryption, and decryption. Superseded
228 This implements a generic SSL/TLS client which can establish a transparent
229 connection to a remote server speaking SSL/TLS. It's intended for testing
230 purposes only and provides only rudimentary interface functionality but
231 internally uses mostly all functionality of the OpenSSL B<ssl> library.
235 This implements a generic SSL/TLS server which accepts connections from remote
236 clients speaking SSL/TLS. It's intended for testing purposes only and provides
237 only rudimentary interface functionality but internally uses mostly all
238 functionality of the OpenSSL B<ssl> library. It provides both an own command
239 line oriented protocol for testing SSL functions and a simple HTTP response
240 facility to emulate an SSL/TLS-aware webserver.
244 SSL Connection Timer.
248 SSL Session Data Management.
252 S/MIME mail processing.
256 Algorithm Speed Measurement.
260 SPKAC printing and generating utility.
264 Maintain SRP password file.
268 Utility to list and display certificates, keys, CRLs, etc.
272 Time Stamping Authority tool (client/server).
276 X.509 Certificate Verification.
280 OpenSSL Version Information.
284 X.509 Certificate Data Management.
288 =head2 Message Digest Commands
358 SHA-3 SHAKE128 Digest
362 SHA-3 SHAKE256 Digest
370 =head2 Encoding and Cipher Commands
378 =item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>
382 =item B<cast>, B<cast-cbc>
386 =item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>
390 =item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>
394 =item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>
398 =item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>
402 =item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>
410 =item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>
418 Details of which options are available depend on the specific command.
419 This section describes some common options with common behavior.
421 =head2 Common Options
427 Provides a terse summary of all options.
431 =head2 Pass Phrase Options
433 Several commands accept password arguments, typically using B<-passin>
434 and B<-passout> for input and output passwords respectively. These allow
435 the password to be obtained from a variety of sources. Both of these
436 options take a single argument whose format is described below. If no
437 password argument is given and a password is required then the user is
438 prompted to enter one: this will typically be read from the current
439 terminal with echoing turned off.
441 Note that character encoding may be relevant, please see
442 L<passphrase-encoding(7)>.
446 =item B<pass:password>
448 The actual password is B<password>. Since the password is visible
449 to utilities (like 'ps' under Unix) this form should only be used
450 where security is not important.
454 Obtain the password from the environment variable B<var>. Since
455 the environment of other processes is visible on certain platforms
456 (e.g. ps under certain Unix OSes) this option should be used with caution.
458 =item B<file:pathname>
460 The first line of B<pathname> is the password. If the same B<pathname>
461 argument is supplied to B<-passin> and B<-passout> arguments then the first
462 line will be used for the input password and the next line for the output
463 password. B<pathname> need not refer to a regular file: it could for example
464 refer to a device or named pipe.
468 Read the password from the file descriptor B<number>. This can be used to
469 send the data via a pipe for example.
473 Read the password from standard input.
479 L<asn1parse(1)>, L<ca(1)>, L<ciphers(1)>, L<cms(1)>, L<config(5)>,
480 L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
481 L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
482 L<ec(1)>, L<ecparam(1)>,
483 L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
484 L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
486 L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
487 L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
488 L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
489 L<rsautl(1)>, L<s_client(1)>,
490 L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
491 L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
493 L<verify(1)>, L<version(1)>, L<x509(1)>,
494 L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
498 The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
499 For notes on the availability of other commands, see their individual
504 Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
506 Licensed under the OpenSSL license (the "License"). You may not use
507 this file except in compliance with the License. You can obtain a copy
508 in the file LICENSE in the source distribution or at
509 L<https://www.openssl.org/source/license.html>.