=head1 NAME
-openssl - OpenSSL command line tool
+openssl - OpenSSL command line program
=head1 SYNOPSIS
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.
-The B<openssl> program is a command line tool for using the various
+The B<openssl> program is a command line program for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
It can be used for
=item B<cms>
-CMS (Cryptographic Message Syntax) utility.
+CMS (Cryptographic Message Syntax) command.
=item B<crl>
Message Digest calculation. MAC calculations are superseded by
L<openssl-mac(1)>.
-=item B<dh>
-
-Diffie-Hellman Parameter Management.
-Obsoleted by L<openssl-dhparam(1)>.
-
=item B<dhparam>
Generation and Management of Diffie-Hellman Parameters. Superseded by
Error Number to Error String Conversion.
-=item B<gendh>
+=item B<fipsinstall>
-Generation of Diffie-Hellman Parameters.
-Obsoleted by L<openssl-dhparam(1)>.
+FIPS configuration installation.
=item B<gendsa>
Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
+=item B<help>
+
+Display information about a command's options.
+
=item B<info>
Display diverse information built into the OpenSSL libraries.
Key Derivation Functions.
+=item B<list>
+
+List algorithms and features.
+
=item B<mac>
Message Authentication Code Calculation.
=item B<ocsp>
-Online Certificate Status Protocol utility.
+Online Certificate Status Protocol command.
=item B<passwd>
=item B<pkcs8>
-PKCS#8 format private key conversion tool.
+PKCS#8 format private key conversion command.
=item B<pkey>
=item B<pkeyutl>
-Public key algorithm cryptographic operation utility.
+Public key algorithm cryptographic operation command.
=item B<prime>
Compute prime numbers.
+=item B<provider>
+
+Load and query providers.
+
=item B<rand>
Generate pseudo-random bytes.
=item B<rsautl>
-RSA utility for signing, verification, encryption, and decryption. Superseded
+RSA command for signing, verification, encryption, and decryption. Superseded
by L<openssl-pkeyutl(1)>.
=item B<s_client>
=item B<spkac>
-SPKAC printing and generating utility.
+SPKAC printing and generating command.
=item B<srp>
=item B<storeutl>
-Utility to list and display certificates, keys, CRLs, etc.
+Command to list and display certificates, keys, CRLs, etc.
=item B<ts>
-Time Stamping Authority tool (client/server).
+Time Stamping Authority command.
=item B<verify>
=head2 Format Options
Several OpenSSL commands can take input or generate output in a variety
-of formats. The list of acceptable formats, and the default, is
+of formats.
+Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
+files in any of the B<DER>, B<PEM>, or B<P12> formats,
+while specifying their input format is no more needed.
+
+The list of acceptable formats, and the default, is
described in each command documentation. The list of formats is
described below. Both uppercase and lowercase are accepted.
=item B<-keyform> I<format>
Format of a private key input source.
+The only value with effect is B<ENGINE>; all others have become obsolete.
+See L<openssl(1)/Format Options> for details.
=item B<-CRLform> I<format>
=head2 Random State Options
-Prior to OpenSSL 3.0, it was common for applications to store information
+Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
-generally no longer necessary as OpenSSL will seed itself from the
-appropriate CPU flags, device files, and so on. These flags are still
+generally no longer necessary as OpenSSL will seed itself from a trusted
+entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.
It is generally an error to use the same seed file more than once and
=back
+=head2 Provider Options
+
+With the move to provider based cryptographic operations in OpenSSL 3.0,
+options were added to allow specific providers or sets of providers to be used.
+
+=over 4
+
+=item B<-provider> I<name>
+
+Use the provider identified by I<name> and use all the methods it
+implements (algorithms, key storage, etc.). This option can be specified
+multiple time to load more than one provider.
+
+=item B<-provider_path> I<path>
+
+Specify the search I<path> that is used to locate provider modules. The format
+of I<path> varies depending on the operating system being used.
+
+=back
+
=head2 Extended Verification Options
Sometimes there may be more than one certificate chain leading to an
=over 4
-=item B<-xchain_build>
-
-Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates via the B<-xkey>,
-B<-xcert>, and B<-xchain> options.
-
=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
specified, the callback returning the first valid chain will be in use by the
client.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
-
-The input format for the extra certificate and key, respectively.
-See L<openssl(1)/Format Options> for details.
-
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates via the B<-xkey>,
B<-xcert>, and B<-xchain> options.
-=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
+=item B<-xcertform> B<DER>|B<PEM>|B<P12>
-The input format for the extra certifcate and key, respectively.
-See L<openssl(1)/Format Options> for details.
+The input format for the extra certificate.
+This option has no effect and is retained for backward compatibility only.
+
+=item B<-xkeyform> B<DER>|B<PEM>|B<P12>
+
+The input format for the extra key.
+This option has no effect and is retained for backward compatibility only.
=back
Parse I<file> as a set of one or more certificates in PEM format.
All certificates must be self-signed, unless the
B<-partial_chain> option is specified.
-This option implies the B<-no-CAfile> and B<-no-CApath> options and it
-cannot be used with either the B<-CAfile> or B<-CApath> options, so
+This option implies the B<-no-CAfile>, B<-no-CApath>, and B<-no-CAstore> options
+and it cannot be used with the B<-CAfile>, B<-CApath> or B<-CAstore> options, so
only certificates in the file are trust anchors.
This option may be used multiple times.
displayed.
This is specified by using the B<-nameopt> option, which takes a
comma-separated list of options from the following set.
-An option may be preceeded by a minus sign, C<->, to turn it off.
+An option may be preceded by a minus sign, C<->, to turn it off.
The default value is C<oneline>.
The first four are the most commonly used.
Escapes some characters by surrounding the entire string with quotation
marks, C<">.
-Without this option, individual special characters are preceeded with
+Without this option, individual special characters are preceded with
a backslash character, C<\>.
=item B<utf8>
SSL/TLS cipher.
-=item B<ENGINE_CONF>
+=item B<CONF>
-ENGINE configuration.
+Show details about provider and engine configuration.
=item B<ENGINE_TABLE>
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
+The B<-xcertform> and B<-xkeyform> options
+are obsolete since OpenSSL 3.0 and have no effect.
+
+The interactive mode, which could be invoked by running C<openssl>
+with no further arguments, was removed in OpenSSL 3.0, and running
+that program with no arguments is now equivalent to C<openssl help>.
+
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
projects / openssl.git / blobdiff