6 openssl - OpenSSL command line tool
17 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
18 v2/v3) and Transport Layer Security (TLS v1) network protocols and related
19 cryptography standards required by them.
21 The B<openssl> program is a command line tool for using the various
22 cryptography functions of OpenSSL's B<crypto> library from the shell.
25 o Creation of RSA, DH and DSA key parameters
26 o Creation of X.509 certificates, CSRs and CRLs
27 o Calculation of Message Digests
28 o Encryption and Decryption with Ciphers
29 o SSL/TLS Client and Server Tests
30 o Handling of S/MIME signed or encrypted mail
32 =head1 COMMAND SUMMARY
34 The B<openssl> program provides a rich variety of commands (I<command> in the
35 SYNOPSIS above), each of which often has a wealth of options and arguments
36 (I<command_opts> and I<command_args> in the SYNOPSIS).
38 =head2 STANDARD COMMANDS
42 =item L<B<asn1parse>|asn1parse(1)>
44 Parse an ASN.1 sequence.
48 Certificate Authority (CA) Management.
50 =item L<B<ciphers>|ciphers(1)>
52 Cipher Suite Description Determination.
54 =item L<B<crl>|crl(1)>
56 Certificate Revocation List (CRL) Management.
58 =item L<B<crl2pkcs7>|crl2pkcs7(1)>
60 CRL to PKCS#7 Conversion.
62 =item L<B<dgst>|dgst(1)>
64 Message Digest Calculation.
68 Diffie-Hellman Data Management.
70 =item L<B<dsa>|dsa(1)>
74 =item L<B<dsaparam>|dsaparam(1)>
76 DSA Parameter Generation.
78 =item L<B<enc>|enc(1)>
80 Encoding with Ciphers.
82 =item L<B<errstr>|errstr(1)>
84 Error Number to Error String Conversion.
86 =item L<B<gendh>|gendh(1)>
88 Generation of Diffie-Hellman Parameters.
90 =item L<B<gendsa>|gendsa(1)>
92 Generation of DSA Parameters.
94 =item L<B<genrsa>|genrsa(1)>
96 Generation of RSA Parameters.
98 =item L<B<passwd>|passwd(1)>
100 Generation of hashed passwords.
102 =item L<B<pkcs7>|pkcs7(1)>
104 PKCS#7 Data Management.
106 =item L<B<rand>|rand(1)>
108 Generate pseudo-random bytes.
110 =item L<B<req>|req(1)>
112 X.509 Certificate Signing Request (CSR) Management.
114 =item L<B<rsa>|rsa(1)>
118 =item L<B<s_client>|s_client(1)>
120 This implements a generic SSL/TLS client which can establish a transparent
121 connection to a remote server speaking SSL/TLS. It's intended for testing
122 purposes only and provides only rudimentary interface functionality but
123 internally uses mostly all functionality of the OpenSSL B<ssl> library.
125 =item L<B<s_server>|s_server(1)>
127 This implements a generic SSL/TLS server which accepts connections from remote
128 clients speaking SSL/TLS. It's intended for testing purposes only and provides
129 only rudimentary interface functionality but internally uses mostly all
130 functionality of the OpenSSL B<ssl> library. It provides both an own command
131 line oriented protocol for testing SSL functions and a simple HTTP response
132 facility to emulate an SSL/TLS-aware webserver.
134 =item L<B<s_time>|s_time(1)>
136 SSL Connection Timer.
138 =item L<B<sess_id>|sess_id(1)>
140 SSL Session Data Management.
142 =item L<B<smime>|smime(1)>
144 S/MIME mail processing.
146 =item L<B<speed>|speed(1)>
148 Algorithm Speed Measurement.
150 =item L<B<verify>|verify(1)>
152 X.509 Certificate Verification.
154 =item L<B<version>|version(1)>
156 OpenSSL Version Information.
158 =item L<B<x509>|x509(1)>
160 X.509 Certificate Data Management.
164 =head2 MESSAGE DIGEST COMMANDS
194 =head2 ENCODING AND CIPHER COMMANDS
202 =item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
206 =item B<cast cast-cbc>
210 =item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
214 =item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
218 =item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
222 =item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
226 =item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
234 =item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
240 =head1 PASS PHRASE ARGUMENTS
242 Several commands accept password arguments, typically using B<-passin>
243 and B<-passout> for input and output passwords respectively. These allow
244 the password to be obtained from a variety of sources. Both of these
245 options take a single argument whose format is described below. If no
246 password argument is given and a password is required then the user is
247 prompted to enter one: this will typically be read from the current
248 terminal with echoing turned off.
252 =item B<pass:password>
254 the actual password is B<password>. Since the password is visible
255 to utilities (like 'ps' under Unix) this form should only be used
256 where security is not important.
260 obtain the password from the environment variable B<var>. Since
261 the environment of other processes is visible on certain platforms
262 (e.g. ps under certain Unix OSes) this option should be used with caution.
264 =item B<file:pathname>
266 the first line of B<pathname> is the password. If the same B<pathname>
267 argument is supplied to B<-passin> and B<-passout> arguments then the first
268 line will be used for the input password and the next line for the output
269 password. B<pathname> need not refer to a regular file: it could for example
270 refer to a device or named pipe.
274 read the password from the file descriptor B<number>. This can be used to
275 send the data via a pipe for example.
279 read the password from standard input.
285 L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
286 L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
287 L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
288 L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>,
289 L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
290 L<passwd(1)|passwd(1)>,
291 L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
292 L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<s_client(1)|s_client(1)>,
293 L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
294 L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
295 L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>
299 The openssl(1) document appeared in OpenSSL 0.9.2