6 openssl - OpenSSL command line tool
15 B<openssl> [ B<list-standard-commands> | B<list-message-digest-commands> | B<list-cipher-commands> | B<list-cipher-algorithms> | B<list-message-digest-algorithms> | B<list-public-key-algorithms>]
17 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
21 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
22 v2/v3) and Transport Layer Security (TLS v1) network protocols and related
23 cryptography standards required by them.
25 The B<openssl> program is a command line tool for using the various
26 cryptography functions of OpenSSL's B<crypto> library from the shell.
29 o Creation and management of private keys, public keys and parameters
30 o Public key cryptographic operations
31 o Creation of X.509 certificates, CSRs and CRLs
32 o Calculation of Message Digests
33 o Encryption and Decryption with Ciphers
34 o SSL/TLS Client and Server Tests
35 o Handling of S/MIME signed or encrypted mail
36 o Time Stamp requests, generation and verification
38 =head1 COMMAND SUMMARY
40 The B<openssl> program provides a rich variety of commands (I<command> in the
41 SYNOPSIS above), each of which often has a wealth of options and arguments
42 (I<command_opts> and I<command_args> in the SYNOPSIS).
44 The pseudo-commands B<list-standard-commands>, B<list-message-digest-commands>,
45 and B<list-cipher-commands> output a list (one entry per line) of the names
46 of all standard commands, message digest commands, or cipher commands,
47 respectively, that are available in the present B<openssl> utility.
49 The pseudo-commands B<list-cipher-algorithms> and
50 B<list-message-digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
54 The pseudo-command B<list-public-key-algorithms> lists all supported public
57 The pseudo-command B<no->I<XXX> tests whether a command of the
58 specified name is available. If no command named I<XXX> exists, it
59 returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
60 and prints I<XXX>. In both cases, the output goes to B<stdout> and
61 nothing is printed to B<stderr>. Additional command line arguments
62 are always ignored. Since for each cipher there is a command of the
63 same name, this provides an easy way for shell scripts to test for the
64 availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
65 not able to detect pseudo-commands such as B<quit>,
66 B<list->I<...>B<-commands>, or B<no->I<XXX> itself.)
68 =head2 STANDARD COMMANDS
72 =item L<B<asn1parse>|asn1parse(1)>
74 Parse an ASN.1 sequence.
78 Certificate Authority (CA) Management.
80 =item L<B<ciphers>|ciphers(1)>
82 Cipher Suite Description Determination.
84 =item L<B<crl>|crl(1)>
86 Certificate Revocation List (CRL) Management.
88 =item L<B<crl2pkcs7>|crl2pkcs7(1)>
90 CRL to PKCS#7 Conversion.
92 =item L<B<dgst>|dgst(1)>
94 Message Digest Calculation.
98 Diffie-Hellman Parameter Management.
99 Obsoleted by L<B<dhparam>|dhparam(1)>.
101 =item L<B<dsa>|dsa(1)>
105 =item L<B<dsaparam>|dsaparam(1)>
107 DSA Parameter Generation and Management. Superseded by
108 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
110 =item L<B<enc>|enc(1)>
112 Encoding with Ciphers.
114 =item L<B<errstr>|errstr(1)>
116 Error Number to Error String Conversion.
118 =item L<B<dhparam>|dhparam(1)>
120 Generation and Management of Diffie-Hellman Parameters. Superseded by
121 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
125 Generation of Diffie-Hellman Parameters.
126 Obsoleted by L<B<dhparam>|dhparam(1)>.
128 =item L<B<gendsa>|gendsa(1)>
130 Generation of DSA Private Key from Parameters. Superseded by
131 L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
133 =item L<B<genpkey>|genpkey(1)>
135 Generation of Private Key or Parameters.
137 =item L<B<genrsa>|genrsa(1)>
139 Generation of RSA Private Key. Superceded by L<B<genpkey>|genpkey(1)>.
141 =item L<B<ocsp>|ocsp(1)>
143 Online Certificate Status Protocol utility.
145 =item L<B<passwd>|passwd(1)>
147 Generation of hashed passwords.
149 =item L<B<pkcs12>|pkcs12(1)>
151 PKCS#12 Data Management.
153 =item L<B<pkcs7>|pkcs7(1)>
155 PKCS#7 Data Management.
157 =item L<B<pkey>|pkey(1)>
159 Public and private key management.
161 =item L<B<pkeyutl>|pkeyutl(1)>
163 Public key algorithm cryptographic operation utility.
165 =item L<B<pkeyparam>|pkeyparam(1)>
167 Public key algorithm parameter management.
169 =item L<B<rand>|rand(1)>
171 Generate pseudo-random bytes.
173 =item L<B<req>|req(1)>
175 PKCS#10 X.509 Certificate Signing Request (CSR) Management.
177 =item L<B<rsa>|rsa(1)>
181 =item L<B<rsautl>|rsautl(1)>
183 RSA utility for signing, verification, encryption, and decryption. Superseded
184 by L<B<pkeyutl>|pkeyutl(1)>
186 =item L<B<s_client>|s_client(1)>
188 This implements a generic SSL/TLS client which can establish a transparent
189 connection to a remote server speaking SSL/TLS. It's intended for testing
190 purposes only and provides only rudimentary interface functionality but
191 internally uses mostly all functionality of the OpenSSL B<ssl> library.
193 =item L<B<s_server>|s_server(1)>
195 This implements a generic SSL/TLS server which accepts connections from remote
196 clients speaking SSL/TLS. It's intended for testing purposes only and provides
197 only rudimentary interface functionality but internally uses mostly all
198 functionality of the OpenSSL B<ssl> library. It provides both an own command
199 line oriented protocol for testing SSL functions and a simple HTTP response
200 facility to emulate an SSL/TLS-aware webserver.
202 =item L<B<s_time>|s_time(1)>
204 SSL Connection Timer.
206 =item L<B<sess_id>|sess_id(1)>
208 SSL Session Data Management.
210 =item L<B<smime>|smime(1)>
212 S/MIME mail processing.
214 =item L<B<speed>|speed(1)>
216 Algorithm Speed Measurement.
218 =item L<B<ts>|<ts(1)>
220 Time Stamping Authority tool (client/server)
222 =item L<B<verify>|verify(1)>
224 X.509 Certificate Verification.
226 =item L<B<version>|version(1)>
228 OpenSSL Version Information.
230 =item L<B<x509>|x509(1)>
232 X.509 Certificate Data Management.
236 =head2 MESSAGE DIGEST COMMANDS
266 =head2 ENCODING AND CIPHER COMMANDS
274 =item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
278 =item B<cast cast-cbc>
282 =item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
286 =item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
290 =item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
294 =item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
298 =item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
306 =item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
312 =head1 PASS PHRASE ARGUMENTS
314 Several commands accept password arguments, typically using B<-passin>
315 and B<-passout> for input and output passwords respectively. These allow
316 the password to be obtained from a variety of sources. Both of these
317 options take a single argument whose format is described below. If no
318 password argument is given and a password is required then the user is
319 prompted to enter one: this will typically be read from the current
320 terminal with echoing turned off.
324 =item B<pass:password>
326 the actual password is B<password>. Since the password is visible
327 to utilities (like 'ps' under Unix) this form should only be used
328 where security is not important.
332 obtain the password from the environment variable B<var>. Since
333 the environment of other processes is visible on certain platforms
334 (e.g. ps under certain Unix OSes) this option should be used with caution.
336 =item B<file:pathname>
338 the first line of B<pathname> is the password. If the same B<pathname>
339 argument is supplied to B<-passin> and B<-passout> arguments then the first
340 line will be used for the input password and the next line for the output
341 password. B<pathname> need not refer to a regular file: it could for example
342 refer to a device or named pipe.
346 read the password from the file descriptor B<number>. This can be used to
347 send the data via a pipe for example.
351 read the password from standard input.
357 L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
358 L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
359 L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
360 L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
361 L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
362 L<passwd(1)|passwd(1)>,
363 L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
364 L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
365 L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
366 L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
367 L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
368 L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
369 L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
373 The openssl(1) document appeared in OpenSSL 0.9.2.
374 The B<list->I<XXX>B<-commands> pseudo-commands were added in OpenSSL 0.9.3;
375 The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 0.9.9;
376 the B<no->I<XXX> pseudo-commands were added in OpenSSL 0.9.5a.
377 For notes on the availability of other commands, see their individual