5 openssl - OpenSSL command line tool
14 B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]
16 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
20 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
21 v2/v3) and Transport Layer Security (TLS v1) network protocols and related
22 cryptography standards required by them.
24 The B<openssl> program is a command line tool for using the various
25 cryptography functions of OpenSSL's B<crypto> library from the shell.
28 o Creation and management of private keys, public keys and parameters
29 o Public key cryptographic operations
30 o Creation of X.509 certificates, CSRs and CRLs
31 o Calculation of Message Digests
32 o Encryption and Decryption with Ciphers
33 o SSL/TLS Client and Server Tests
34 o Handling of S/MIME signed or encrypted mail
35 o Time Stamp requests, generation and verification
37 =head1 COMMAND SUMMARY
39 The B<openssl> program provides a rich variety of commands (I<command> in the
40 SYNOPSIS above), each of which often has a wealth of options and arguments
41 (I<command_opts> and I<command_args> in the SYNOPSIS).
43 The list parameters B<standard-commands>, B<digest-commands>,
44 and B<cipher-commands> output a list (one entry per line) of the names
45 of all standard commands, message digest commands, or cipher commands,
46 respectively, that are available in the present B<openssl> utility.
48 The list parameters B<cipher-algorithms> and
49 B<digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
53 The list parameter B<public-key-algorithms> lists all supported public
56 The command B<no->I<XXX> tests whether a command of the
57 specified name is available. If no command named I<XXX> exists, it
58 returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
59 and prints I<XXX>. In both cases, the output goes to B<stdout> and
60 nothing is printed to B<stderr>. Additional command line arguments
61 are always ignored. Since for each cipher there is a command of the
62 same name, this provides an easy way for shell scripts to test for the
63 availability of ciphers in the B<openssl> program. (B<no->I<XXX> is
64 not able to detect pseudo-commands such as B<quit>,
65 B<list>, or B<no->I<XXX> itself.)
67 =head2 Standard Commands
71 =item L<B<asn1parse>|asn1parse(1)>
73 Parse an ASN.1 sequence.
77 Certificate Authority (CA) Management.
79 =item L<B<ciphers>|ciphers(1)>
81 Cipher Suite Description Determination.
83 =item L<B<cms>|cms(1)>
85 CMS (Cryptographic Message Syntax) utility
87 =item L<B<crl>|crl(1)>
89 Certificate Revocation List (CRL) Management.
91 =item L<B<crl2pkcs7>|crl2pkcs7(1)>
93 CRL to PKCS#7 Conversion.
95 =item L<B<dgst>|dgst(1)>
97 Message Digest Calculation.
101 Diffie-Hellman Parameter Management.
102 Obsoleted by L<B<dhparam>|dhparam(1)>.
104 =item L<B<dhparam>|dhparam(1)>
106 Generation and Management of Diffie-Hellman Parameters. Superseded by
107 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
110 =item L<B<dsa>|dsa(1)>
114 =item L<B<dsaparam>|dsaparam(1)>
116 DSA Parameter Generation and Management. Superseded by
117 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
121 EC (Elliptic curve) key processing
123 =item L<B<ecparam>|ecparam(1)>
125 EC parameter manipulation and generation
127 =item L<B<enc>|enc(1)>
129 Encoding with Ciphers.
131 =item L<B<engine>|engine(1)>
133 Engine (loadable module) information and manipulation.
135 =item L<B<errstr>|errstr(1)>
137 Error Number to Error String Conversion.
141 Generation of Diffie-Hellman Parameters.
142 Obsoleted by L<B<dhparam>|dhparam(1)>.
144 =item L<B<gendsa>|gendsa(1)>
146 Generation of DSA Private Key from Parameters. Superseded by
147 L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
149 =item L<B<genpkey>|genpkey(1)>
151 Generation of Private Key or Parameters.
153 =item L<B<genrsa>|genrsa(1)>
155 Generation of RSA Private Key. Superseded by L<B<genpkey>|genpkey(1)>.
157 =item L<B<nseq>|nseq(1)>
159 Create or examine a netscape certificate sequence
161 =item L<B<ocsp>|ocsp(1)>
163 Online Certificate Status Protocol utility.
165 =item L<B<passwd>|passwd(1)>
167 Generation of hashed passwords.
169 =item L<B<pkcs12>|pkcs12(1)>
171 PKCS#12 Data Management.
173 =item L<B<pkcs7>|pkcs7(1)>
175 PKCS#7 Data Management.
177 =item L<B<pkey>|pkey(1)>
179 Public and private key management.
181 =item L<B<pkeyparam>|pkeyparam(1)>
183 Public key algorithm parameter management.
185 =item L<B<pkeyutl>|pkeyutl(1)>
187 Public key algorithm cryptographic operation utility.
189 =item L<B<rand>|rand(1)>
191 Generate pseudo-random bytes.
193 =item L<B<req>|req(1)>
195 PKCS#10 X.509 Certificate Signing Request (CSR) Management.
197 =item L<B<rsa>|rsa(1)>
202 =item L<B<rsautl>|rsautl(1)>
204 RSA utility for signing, verification, encryption, and decryption. Superseded
205 by L<B<pkeyutl>|pkeyutl(1)>
207 =item L<B<s_client>|s_client(1)>
209 This implements a generic SSL/TLS client which can establish a transparent
210 connection to a remote server speaking SSL/TLS. It's intended for testing
211 purposes only and provides only rudimentary interface functionality but
212 internally uses mostly all functionality of the OpenSSL B<ssl> library.
214 =item L<B<s_server>|s_server(1)>
216 This implements a generic SSL/TLS server which accepts connections from remote
217 clients speaking SSL/TLS. It's intended for testing purposes only and provides
218 only rudimentary interface functionality but internally uses mostly all
219 functionality of the OpenSSL B<ssl> library. It provides both an own command
220 line oriented protocol for testing SSL functions and a simple HTTP response
221 facility to emulate an SSL/TLS-aware webserver.
223 =item L<B<s_time>|s_time(1)>
225 SSL Connection Timer.
227 =item L<B<sess_id>|sess_id(1)>
229 SSL Session Data Management.
231 =item L<B<smime>|smime(1)>
233 S/MIME mail processing.
235 =item L<B<speed>|speed(1)>
237 Algorithm Speed Measurement.
239 =item L<B<spkac>|spkac(1)>
241 SPKAC printing and generating utility
245 Time Stamping Authority tool (client/server)
247 =item L<B<verify>|verify(1)>
249 X.509 Certificate Verification.
251 =item L<B<version>|version(1)>
253 OpenSSL Version Information.
255 =item L<B<x509>|x509(1)>
257 X.509 Certificate Data Management.
261 =head2 Message Digest Commands
307 =head2 Encoding and Cipher Commands
315 =item B<bf bf-cbc bf-cfb bf-ecb bf-ofb>
319 =item B<cast cast-cbc>
323 =item B<cast5-cbc cast5-cfb cast5-ecb cast5-ofb>
327 =item B<des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb>
331 =item B<des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb>
335 =item B<idea idea-cbc idea-cfb idea-ecb idea-ofb>
339 =item B<rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb>
347 =item B<rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb>
353 =head1 PASS PHRASE ARGUMENTS
355 Several commands accept password arguments, typically using B<-passin>
356 and B<-passout> for input and output passwords respectively. These allow
357 the password to be obtained from a variety of sources. Both of these
358 options take a single argument whose format is described below. If no
359 password argument is given and a password is required then the user is
360 prompted to enter one: this will typically be read from the current
361 terminal with echoing turned off.
365 =item B<pass:password>
367 the actual password is B<password>. Since the password is visible
368 to utilities (like 'ps' under Unix) this form should only be used
369 where security is not important.
373 obtain the password from the environment variable B<var>. Since
374 the environment of other processes is visible on certain platforms
375 (e.g. ps under certain Unix OSes) this option should be used with caution.
377 =item B<file:pathname>
379 the first line of B<pathname> is the password. If the same B<pathname>
380 argument is supplied to B<-passin> and B<-passout> arguments then the first
381 line will be used for the input password and the next line for the output
382 password. B<pathname> need not refer to a regular file: it could for example
383 refer to a device or named pipe.
387 read the password from the file descriptor B<number>. This can be used to
388 send the data via a pipe for example.
392 read the password from standard input.
398 L<asn1parse(1)>, L<ca(1)>, L<config(5)>,
399 L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
400 L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
401 L<enc(1)>, L<engine(1)>, L<gendsa(1)>, L<genpkey(1)>,
402 L<genrsa(1)>, L<nseq(1)>, L<openssl(1)>,
404 L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
405 L<rand(1)>, L<req(1)>, L<rsa(1)>,
406 L<rsautl(1)>, L<s_client(1)>,
407 L<s_server(1)>, L<s_time(1)>,
408 L<smime(1)>, L<spkac(1)>,
409 L<verify(1)>, L<version(1)>, L<x509(1)>,
410 L<crypto(3)>, L<ssl(3)>, L<x509v3_config(5)>
414 The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
415 For notes on the availability of other commands, see their individual
420 Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
422 Licensed under the OpenSSL license (the "License"). You may not use
423 this file except in compliance with the License. You can obtain a copy
424 in the file LICENSE in the source distribution or at
425 L<https://www.openssl.org/source/license.html>.