=head1 NAME
-openssl - OpenSSL command line tool
+openssl - OpenSSL command line program
=head1 SYNOPSIS
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.
-The B<openssl> program is a command line tool for using the various
+The B<openssl> program is a command line program for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
It can be used for
=item B<cms>
-CMS (Cryptographic Message Syntax) utility.
+CMS (Cryptographic Message Syntax) command.
=item B<crl>
Message Digest calculation. MAC calculations are superseded by
L<openssl-mac(1)>.
-=item B<dh>
-
-Diffie-Hellman Parameter Management.
-Obsoleted by L<openssl-dhparam(1)>.
-
=item B<dhparam>
Generation and Management of Diffie-Hellman Parameters. Superseded by
Error Number to Error String Conversion.
-=item B<gendh>
+=item B<fipsinstall>
-Generation of Diffie-Hellman Parameters.
-Obsoleted by L<openssl-dhparam(1)>.
+FIPS configuration installation.
=item B<gendsa>
Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
+=item B<help>
+
+Display information about a command's options.
+
=item B<info>
Display diverse information built into the OpenSSL libraries.
Key Derivation Functions.
+=item B<list>
+
+List algorithms and features.
+
=item B<mac>
Message Authentication Code Calculation.
=item B<ocsp>
-Online Certificate Status Protocol utility.
+Online Certificate Status Protocol command.
=item B<passwd>
=item B<pkcs8>
-PKCS#8 format private key conversion tool.
+PKCS#8 format private key conversion command.
=item B<pkey>
=item B<pkeyutl>
-Public key algorithm cryptographic operation utility.
+Public key algorithm cryptographic operation command.
=item B<prime>
Compute prime numbers.
+=item B<provider>
+
+Load and query providers.
+
=item B<rand>
Generate pseudo-random bytes.
=item B<rsautl>
-RSA utility for signing, verification, encryption, and decryption. Superseded
+RSA command for signing, verification, encryption, and decryption. Superseded
by L<openssl-pkeyutl(1)>.
=item B<s_client>
=item B<spkac>
-SPKAC printing and generating utility.
+SPKAC printing and generating command.
=item B<srp>
=item B<storeutl>
-Utility to list and display certificates, keys, CRLs, etc.
+Command to list and display certificates, keys, CRLs, etc.
=item B<ts>
-Time Stamping Authority tool (client/server).
+Time Stamping Authority command.
=item B<verify>
=head2 Random State Options
-Prior to OpenSSL 3.0, it was common for applications to store information
+Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
-generally no longer necessary as OpenSSL will seed itself from the
-appropriate CPU flags, device files, and so on. These flags are still
+generally no longer necessary as OpenSSL will seed itself from a trusted
+entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.
It is generally an error to use the same seed file more than once and
=back
+=head2 Provider Options
+
+With the move to provider based cryptographic operations in OpenSSL 3.0,
+options were added to allow specific providers or sets of providers to be used.
+
+=over 4
+
+=item B<-provider> I<name>
+
+Use the provider identified by I<name> and use all the methods it
+implements (algorithms, key storage, etc.). This option can be specified
+multiple time to load more than one provider.
+
+=item B<-provider_path> I<path>
+
+Specify the search I<path> that is used to locate provider modules. The format
+of I<path> varies depending on the operating system being used.
+
+=back
+
=head2 Extended Verification Options
Sometimes there may be more than one certificate chain leading to an
=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-The input format for the extra certifcate and key, respectively.
+The input format for the extra certificate and key, respectively.
See L<openssl(1)/Format Options> for details.
=back
Parse I<file> as a set of one or more certificates in PEM format.
All certificates must be self-signed, unless the
B<-partial_chain> option is specified.
-This option implies the B<-no-CAfile> and B<-no-CApath> options and it
-cannot be used with either the B<-CAfile> or B<-CApath> options, so
+This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options
+and it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so
only certificates in the file are trust anchors.
This option may be used multiple times.
displayed.
This is specified by using the B<-nameopt> option, which takes a
comma-separated list of options from the following set.
-An option may be preceeded by a minus sign, C<->, to turn it off.
+An option may be preceded by a minus sign, C<->, to turn it off.
The default value is C<oneline>.
The first four are the most commonly used.
Escapes some characters by surrounding the entire string with quotation
marks, C<">.
-Without this option, individual special characters are preceeded with
+Without this option, individual special characters are preceded with
a backslash character, C<\>.
=item B<utf8>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
projects / openssl.git / blobdiff