certificates are specified on the command line it tries to verify the file
"newcert.pem". Invokes B<openssl verify> command.
-=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
+=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
The purpose of these parameters is to allow optional parameters to be supplied
to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
=item B<-inform> B<DER>|B<PEM>
-The input format. I<DER> is binary format and I<PEM> (the default) is base64
+The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.
=item B<-in> I<filename>
=item B<-genstr> I<string>, B<-genconf> I<file>
-Generate encoded data based on B<string>, B<file> or both using
-L<ASN1_generate_nconf(3)> format. If B<file> only is
+Generate encoded data based on I<string>, I<file> or both using
+L<ASN1_generate_nconf(3)> format. If I<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<-out> option.
=item B<-strictpem>
=item B<-item> I<name>
-Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
-print out the fields of any supported ASN.1 structure if the type is known.
+Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
+to print out the fields of any supported ASN.1 structure if the type is known.
=back
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique I<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-subj> I<arg>
Supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If B<-multi-rdn> is not used then the UID value is I<123456+CN=John Doe>.
=item B<-rand> I<files>
=item B<-crl_reason> I<reason>
-Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
-B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
+B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
In practice B<removeFromCRL> is not particularly useful because it is only used
=item B<-crl_hold> I<instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
-instruction to B<instruction> which must be an OID. Although any OID can be
+instruction to I<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
=item B<-crl_compromise> I<time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
-B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
+I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
=item B<-crl_CA_compromise> I<time>
[B<-stdname>]
[B<-convert> I<name>]
[B<-ciphersuites> I<val>]
-[B<cipherlist>]
+[I<cipherlist>]
=for comment ifdef ssl3 tls1 tls1_1 tls1_2 tls1_3 psk srp
=item B<-convert> I<name>
-Convert a standard cipher B<name> to its OpenSSL name.
+Convert a standard cipher I<name> to its OpenSSL name.
=item B<-ciphersuites> I<val>
The cipher string B<@STRENGTH> can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
-The cipher string B<@SECLEVEL=n> can be used at any point to set the security
-level to B<n>, which should be a number between zero and five, inclusive.
+The cipher string B<@SECLEVEL>=I<n> can be used at any point to set the security
+level to I<n>, which should be a number between zero and five, inclusive.
See L<SSL_CTX_set_security_level> for a description of what each level means.
The cipher list can be prefixed with the B<DEFAULT> keyword, which enables
=for comment generic
-B<openssl> B<cmd> [B<-help>] [B<...>]
+B<openssl> I<cmd> B<-help> | [I<-option> | I<-option> I<arg>] ... [I<arg>] ...
=head1 DESCRIPTION
-Every B<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
-It has its own detailed manual page at B<openssl-cmd(1)>. For example, to view
-the manual page for the B<openssl dgst> command, type B<man openssl-dgst>.
+Every I<cmd> listed above is a (sub-)command of the L<openssl(1)> application.
+It has its own detailed manual page at B<openssl-I<cmd>>(1). For example, to
+view the manual page for the B<openssl dgst> command, type C<man openssl-dgst>.
=head1 OPTIONS
=head1 HISTORY
-Initially, the manual page entry for the B<openssl cmd> command used
-to be available at B<cmd(1)>. Later, the alias B<openssl-cmd(1)> was
+Initially, the manual page entry for the C<openssl I<cmd>> command used
+to be available at I<cmd>(1). Later, the alias B<openssl-I<cmd>>(1) was
introduced, which made it easier to group the openssl commands using
the L<apropos(1)> command or the shell's tab completion.
=item B<-certsout> I<file>
-Any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to I<file>.
=item B<-signer> I<file>
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
-B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
+B<-encrypt>. With B<-decrypt> operations the I<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
=item B<-econtent_type> I<type>
-Set the encapsulated content type to B<type> if not supplied the B<Data> type
-is used. The B<type> argument can be any valid OID name in either text or
+Set the encapsulated content type to I<type> if not supplied the B<Data> type
+is used. The I<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey> I<file>
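Review bot: two sentences touched in this hunk are run-ons and should be split while the lines are being rewritten. In the key identifier paragraph, `With B<-decrypt> operations the I<id> is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any B<KEKRecipientInfo> structures` needs a break before `if it is not supplied` (and `an attempt is used` should read `an attempt is made`); in the `-econtent_type` paragraph, `Set the encapsulated content type to I<type> if not supplied the B<Data> type is used` needs a semicolon or full stop before `if not supplied`.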
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
-The B<keyopt> option was added in OpenSSL 1.0.2.
+The B<-keyopt> option was added in OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
=item B<-CAfile> I<file>
Verify the signature on a CRL by looking up the issuing certificate in
-B<file>.
+I<file>.
=item B<-CApath> I<dir>
Verify the signature on a CRL by looking up the issuing certificate in
-B<dir>. This directory must be a standard certificate directory: that
+I<dir>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
The generic name, B<dgst>, may be used with an option specifying the
algorithm to be used.
-The default digest is I<sha256>.
+The default digest is B<sha256>.
A supported I<digest> name may also be used as the command name.
To see the list of supported algorithms, use the I<list --digest-commands>
command.
=item B<-c>
Print out the digest in two digit groups separated by colons, only relevant if
-B<hex> format output is used.
+the B<-hex> option is given as well.
=item B<-d>
=item B<-passin> I<arg>
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-verify> I<filename>
=over 4
-=item B<key:string>
+=item B<key>:I<string>
Specifies MAC key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the MAC algorithm for example exactly 32 chars for gost-mac.
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
Specifies MAC key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the MAC algorithm
=item B<-engine> I<id>
-Use engine B<id> for operations (including private key storage).
+Use engine I<id> for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
also specified in the configuration file or B<-engine_impl> is also
specified.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
-engine B<id> for digest operations.
+engine I<id> for digest operations.
=item I<file> ...
The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
-present but B<numbits> is present, parameters are generated with the
+present but I<numbits> is present, parameters are generated with the
default generator 2.
=item B<-rand> I<files>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique I<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique I<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
-this option is not specified. If the B<numbits> parameter is included then
+this option is not specified. If the I<numbits> parameter is included then
this option will be ignored.
=item B<-out> I<filename>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique I<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
Print extra details about the operations being performed.
-=item B<numbits>
+=item I<numbits>
This option specifies that a parameter set should be generated of size
-B<numbits>. It must be the last option. If this option is included then
+I<numbits>. It must be the last option. If this option is included then
the input file (if any) is ignored.
=back
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-des>|B<-des3>|B<-idea>
key will be output instead. This option is automatically set if the input is
a public key.
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed> (the default
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique I<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
If this options is specified B<ecparam> will print out a list of all
currently implemented EC parameters names and exit.
-=item B<-conv_form>
+=item B<-conv_form> I<arg>
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ecparam>
+Specifying an engine (by its unique I<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-pass> I<arg>
-The password source. For more information about the format of B<arg>
+The password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-e>
=item B<-kfile> I<filename>
-Read the password to derive the key from the first line of B<filename>.
+Read the password to derive the key from the first line of I<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
=head1 NOTES
The program can be called either as B<openssl cipher> or
-B<openssl enc -cipher>. The first form doesn't work with
+B<openssl enc -I<cipher>>. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the B<list> command to get a list of supported ciphers.
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output of the B<enc> command run with
-the B<-ciphers> option (that is B<openssl enc -ciphers>) produces a
+the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>) produces a
list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.
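Review bot: the change to `B<-I<ciphers>>` on the line `the B<-I<ciphers>> option (that is B<openssl enc -I<ciphers>>)` looks wrong. Unlike `-I<cipher>` two paragraphs up, where the cipher name is a placeholder, `-ciphers` here is the literal option that makes B<enc> print the list of supported ciphers, so it should stay `B<-ciphers>`; writing the invocation as `C<openssl enc -ciphers>` would also match the C<> style this patch uses for command invocations elsewhere (`C<man openssl-dgst>`).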
[B<-c>]
[B<-t>]
[B<-tt>]
-[B<-pre> I<command>]
-[B<-post> I<command>]
+[B<-pre> I<command>] ...
+[B<-post> I<command>] ...
[I<engine> ...]
=head1 DESCRIPTION
The B<engine> command is used to query the status and capabilities
-of the specified B<engine>'s.
+of the specified I<engine>'s.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
Command-line configuration of engines.
The B<-pre> command is given to the engine before it is loaded and
the B<-post> command is given after the engine is loaded.
-The I<command> is of the form I<cmd:val> where I<cmd> is the command,
+The I<command> is of the form I<cmd>:I<val> where I<cmd> is the command,
and I<val> is the value for the command.
See the example below.
+These two options are cumulative, so they may be given more than once in the
+same command.
+
=back
=head1 EXAMPLES
=head1 SYNOPSIS
-B<openssl errstr error_code>
+B<openssl errstr> I<error_code>
=head1 DESCRIPTION
=over 4
-=item B<key:string>
+=item B<key>:I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<digest:string>
+=item B<digest>:I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
[B<-writerand> I<file>]
[B<-engine> I<id>]
[B<-verbose>]
-[B<paramfile>]
+[I<paramfile>]
=for comment ifdef engine
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<gendsa>
+Specifying an engine (by its unique I<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
Print extra details about the operations being performed.
-=item B<paramfile>
+=item I<paramfile>
-This option specifies the DSA parameter file to use. The parameters in this
-file determine the size of the private key. DSA parameters can be generated
-and examined using the B<openssl dsaparam> command.
+The DSA parameter file to use. The parameters in this file determine
+the size of the private key. DSA parameters can be generated and
+examined using the B<openssl dsaparam> command.
=back
[B<-engine> I<id>]
[B<-paramfile> I<file>]
[B<-algorithm> I<alg>]
-[B<-pkeyopt> I<opt:value>]
+[B<-pkeyopt> I<opt>:I<value>]
[B<-genparam>]
[B<-text>]
=item B<-pass> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-I<cipher>>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<genpkey>
+Specifying an engine (by its unique I<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
below for more details.
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See L<KEY GENERATION OPTIONS> and
L<PARAMETER GENERATION OPTIONS> below for more details.
=over 4
-=item B<rsa_keygen_bits:numbits>, B<rsa_keygen_primes:numprimes>, B<rsa_keygen_pubexp:value>
+=item B<rsa_keygen_bits>:I<numbits>, B<rsa_keygen_primes>:I<numprimes>,
+B<rsa_keygen_pubexp>:I<value>
These options have the same meaning as the B<RSA> algorithm.
-=item B<rsa_pss_keygen_md:digest>
+=item B<rsa_pss_keygen_md>:I<digest>
-If set the key is restricted and can only use B<digest> for signing.
+If set the key is restricted and can only use I<digest> for signing.
-=item B<rsa_pss_keygen_mgf1_md:digest>
+=item B<rsa_pss_keygen_mgf1_md>:I<digest>
-If set the key is restricted and can only use B<digest> as it's MGF1
+If set the key is restricted and can only use I<digest> as it's MGF1
parameter.
-=item B<rsa_pss_keygen_saltlen:len>
+=item B<rsa_pss_keygen_saltlen>:I<len>
-If set the key is restricted and B<len> specifies the minimum salt length.
+If set the key is restricted and I<len> specifies the minimum salt length.
=back
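Review bot: the `rsa_pss_keygen_mgf1_md` line being rewritten keeps the typo `as it's MGF1 parameter`; since the line already changes (`B<digest>` to `I<digest>`), make it `as its MGF1 parameter` in the same edit.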
=over 4
-=item B<ec_paramgen_curve:curve>
+=item B<ec_paramgen_curve>:I<curve>
The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
-=item B<ec_param_enc:encoding>
+=item B<ec_param_enc>:I<encoding>
-The encoding to use for parameters. The "encoding" parameter must be either
-"named_curve" or "explicit". The default value is "named_curve".
+The encoding to use for parameters. The I<encoding> parameter must be either
+B<named_curve> or B<explicit>. The default value is B<named_curve>.
=back
=over 4
-=item B<dsa_paramgen_bits:numbits>
+=item B<dsa_paramgen_bits>:I<numbits>
The number of bits in the generated prime. If not specified 2048 is used.
-=item B<dsa_paramgen_q_bits:numbits>
+=item B<dsa_paramgen_q_bits>:I<numbits>
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
-=item B<dsa_paramgen_md:digest>
+=item B<dsa_paramgen_md>:I<digest>
The digest to use during parameter generation. Must be one of B<sha1>, B<sha224>
or B<sha256>. If set, then the number of bits in B<q> will match the output size
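Review bot: the trailing context line `or B<sha256>. If set, then the number of bits in B<q> will match` still uses `B<q>` for the q parameter name, which is exactly the B<>-to-I<> conversion this hunk applies to I<numbits> and I<digest>, and which the `dh_paramgen_prime_len` / `dh_paramgen_subprime_len` hunk applies to I<p> and I<q>; change it to `I<q>` so the DSA parameter options are treated like the DH ones.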
=over 4
-=item B<dh_paramgen_prime_len:numbits>
+=item B<dh_paramgen_prime_len>:I<numbits>
-The number of bits in the prime parameter B<p>. The default is 2048.
+The number of bits in the prime parameter I<p>. The default is 2048.
-=item B<dh_paramgen_subprime_len:numbits>
+=item B<dh_paramgen_subprime_len>:I<numbits>
-The number of bits in the sub prime parameter B<q>. The default is 256 if the
+The number of bits in the sub prime parameter I<q>. The default is 256 if the
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
conjunction with the B<dh_paramgen_type> option to generate X9.42 DH parameters.
-=item B<dh_paramgen_generator:value>
+=item B<dh_paramgen_generator>:I<value>
-The value to use for the generator B<g>. The default is 2.
+The value to use for the generator I<g>. The default is 2.
-=item B<dh_paramgen_type:value>
+=item B<dh_paramgen_type>:I<value>
The type of DH parameters to generate. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
The default is 0.
-=item B<dh_rfc5114:num>
+=item B<dh_rfc5114>:I<num>
If this option is set, then the appropriate RFC5114 parameters are used
-instead of generating new parameters. The value B<num> can take the
-values 1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
+instead of generating new parameters. The value I<num> can be one of
+1, 2 or 3 corresponding to RFC5114 DH parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in RFC5114 sections
2.1, 2.2 and 2.3 respectively. If present this overrides all other DH parameter
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-f4>]
-[B<-3>]
+[B<-f4>|B<-3>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
[B<-engine> I<id>]
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<genrsa>
+Specifying an engine (by its unique I<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-primes> I<num>
-Specify the number of primes to use while generating the RSA key. The B<num>
+Specify the number of primes to use while generating the RSA key. The I<num>
parameter must be a positive integer that is greater than 1 and less than 16.
-If B<num> is greater than 2, then the generated key is called a 'multi-prime'
+If I<num> is greater than 2, then the generated key is called a 'multi-prime'
RSA key, which is defined in RFC 8017.
=item B<-verbose>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-binary>]
-B<mac_name>
+I<mac_name>
=head1 DESCRIPTION
=over 4
-=item B<key:string>
+=item B<key:>I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<hexkey:string>
+=item B<hexkey:>I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<digest:string>
+=item B<digest:>I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the MAC algorithm.
To see the list of supported digests, use the command I<list -digest-commands>.
-=item B<cipher:string>
+=item B<cipher:>I<string>
Used by CMAC and GMAC to specify the cipher algorithm.
For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or
DES-EDE3-CBC.
For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
-=item B<iv:string>
+=item B<iv:>I<string>
Used by GMAC to specify an IV as an alphanumeric string (use if the IV contains
printable characters only).
-=item B<hexiv:string>
+=item B<hexiv:>I<string>
Used by GMAC to specify an IV in hexadecimal form (two hex digits per byte).
-=item B<outlen:int>
+=item B<outlen:>I<int>
Used by KMAC128 or KMAC256 to specify an output length.
The default sizes are 32 or 64 bytes respectively.
-=item B<custom:string>
+=item B<custom:>I<string>
Used by KMAC128 or KMAC256 to specify a customization string.
The default is the empty string "".
=back
-=item B<mac_name>
+=item I<mac_name>
Specifies the name of a supported MAC algorithm which will be used.
To see the list of supported MAC's use the command I<list -mac-algorithms>.
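Review bot: the colon placement in the `=item` lines of this hunk (`B<key:>I<string>`, `B<hexkey:>I<string>`, `B<digest:>I<string>`, `B<cipher:>I<string>`, `B<iv:>I<string>` and so on) differs from the same items converted earlier in this patch as `B<key>:I<string>` and `B<hexkey>:I<string>` (the dgst option list and the other MAC option list) and from `B<-pkeyopt> I<opt>:I<value>`; pick one convention, preferably the colon outside the B<> as the rest of the patch does, so the rendered bold span is the same on every page.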
[B<-nonce>]
[B<-no_nonce>]
[B<-url> I<URL>]
-[B<-host> I<host:port>]
+[B<-host> I<host>:I<port>]
[B<-multi> I<process-count>]
[B<-header>]
[B<-path>]
=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
-multiple times. The certificate specified in B<filename> must be in
+multiple times. The certificate specified in I<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.
=item B<-cert> I<filename>
-Add the certificate B<filename> to the request. The issuer certificate
-is taken from the previous B<issuer> option, or an error occurs if no
+Add the certificate I<filename> to the request. The issuer certificate
+is taken from the previous B<-issuer> option, or an error occurs if no
issuer certificate is specified.
=item B<-serial> I<num>
-Same as the B<cert> option except the certificate with serial number
+Same as the B<-cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value by a B<-> sign.
=item B<-signer> I<filename>, B<-signkey> I<filename>
-Sign the OCSP request using the certificate specified in the B<signer>
-option and the private key specified by the B<signkey> option. If
-the B<signkey> option is not present then the private key is read
+Sign the OCSP request using the certificate specified in the B<-signer>
+option and the private key specified by the B<-signkey> option. If
+the B<-signkey> option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
=item B<-nonce>, B<-no_nonce>
Add an OCSP nonce extension to a request or disable OCSP nonce addition.
-Normally if an OCSP request is input using the B<reqin> option no
-nonce is added: using the B<nonce> option will force addition of a nonce.
-If an OCSP request is being created (using B<cert> and B<serial> options)
-a nonce is automatically added specifying B<no_nonce> overrides this.
+Normally if an OCSP request is input using the B<-reqin> option no
+nonce is added: using the B<-nonce> option will force addition of a nonce.
+If an OCSP request is being created (using B<-cert> and B<-serial> options)
+a nonce is automatically added specifying B<-no_nonce> overrides this.
=item B<-req_text>, B<-resp_text>, B<-text>
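Review bot: two leftovers in this hunk. Under `-serial`, the line `B<num> is added to the request. The serial number is interpreted as a` still has `B<num>` although the `=item B<-serial> I<num>` heading uses I<num>, so it should become `I<num>` along with the option-name fixes on the neighbouring lines. Under `-nonce`, the rewritten sentence `a nonce is automatically added specifying B<-no_nonce> overrides this.` needs a semicolon before `specifying` (`added; specifying B<-no_nonce> overrides this`), otherwise it reads as a single clause.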
=item B<-reqout> I<file>, B<-respout> I<file>
-Write out the DER encoded certificate request or response to B<file>.
+Write out the DER encoded certificate request or response to I<file>.
=item B<-reqin> I<file>, B<-respin> I<file>
-Read OCSP request or response file from B<file>. These option are ignored
+Read OCSP request or response file from I<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
-with B<serial>, B<cert> and B<host> options).
+with B<-serial>, B<-cert> and B<-host> options).
=item B<-url> I<responder_url>
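Review bot: `Read OCSP request or response file from I<file>. These option are ignored` carries a number-agreement error over from the old text; since the line is being rewritten anyway, make it `These options are ignored`.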
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
-=item B<-host> I<hostname:port>, B<-path> I<pathname>
+=item B<-host> I<hostname>:I<port>, B<-path> I<pathname>
-If the B<host> option is present then the OCSP request is sent to the host
-B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use
-or "/" by default. This is equivalent to specifying B<-url> with scheme
+If the B<-host> option is present then the OCSP request is sent to the host
+I<hostname> on port I<port>. The B<-path> option specifies the HTTP pathname
+to use or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
-=item B<-header> I<name=value>
+=item B<-header> I<name>=I<value>
-Adds the header B<name> with the specified B<value> to the OCSP request
+Adds the header I<name> with the specified I<value> to the OCSP request
that is sent to the responder.
This may be repeated.
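Review bot: the argument name in `=item B<-host> I<hostname>:I<port>` does not match the synopsis entry changed in this patch, `[B<-host> I<host>:I<port>]`; use the same placeholder in both places (either `I<host>` or `I<hostname>`), since readers search the manual page for it.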
If the B<notAfter> time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
-B<notBefore> field is checked to see it is not older than B<age> seconds old.
+B<notBefore> field is checked to see it is not older than I<age> seconds old.
By default this additional check is not performed.
=item B<-rcid> I<digest>
=item B<-index> I<indexfile>
-The B<indexfile> parameter is the name of a text index file in B<ca>
+The I<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
-If the B<index> option is specified the B<ocsp> utility is in responder
+If the B<-index> option is specified the B<ocsp> utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
-processes can be either specified on the command line (using B<issuer>
-and B<serial> options), supplied in a file (using the B<reqin> option)
-or via external OCSP clients (if B<port> or B<url> is specified).
+processes can be either specified on the command line (using B<-issuer>
+and B<-serial> options), supplied in a file (using the B<-reqin> option)
+or via external OCSP clients (if B<-port> or B<-url> is specified).
-If the B<index> option is present then the B<CA> and B<rsigner> options
+If the B<-index> option is present then the B<-CA> and B<-rsigner> options
must also be present.
=item B<-CA> I<file>
-CA certificate corresponding to the revocation information in B<indexfile>.
+CA certificate corresponding to the revocation information in the index
+file given with B<-index>.
=item B<-rsigner> I<file>
=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
-specified in the B<rsigner> option is used.
+specified in the B<-rsigner> option is used.
=item B<-rsigopt> I<nm>:I<v>
=item B<-nrequest> I<number>
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving I<number> requests, default unlimited.
=item B<-nmin> I<minutes>, B<-ndays> I<days>
Then a normal certificate verify is performed on the OCSP responder certificate
building up a certificate chain in the process. The locations of the trusted
-certificates used to build the chain can be specified by the B<CAfile>
-and B<CApath> options or they will be looked for in the standard OpenSSL
+certificates used to build the chain can be specified by the B<-CAfile>
+and B<-CApath> options or they will be looked for in the standard OpenSSL
certificates directory.
If the initial verify fails then the OCSP verify process halts with an
data.
It is possible to run the B<ocsp> application in responder mode via a CGI
-script using the B<reqin> and B<respout> options.
+script using the B<-reqin> and B<-respout> options.
=head1 EXAMPLES
run-time or the hash of each password in a list. The password list is
taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
-The Unix standard algorithm B<crypt> and the MD5-based BSD password
-algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
+The Unix standard algorithm B<-crypt> and the MD5-based BSD password
+algorithm B<-1>, its Apache variant B<-apr1>, and its AIX variant are
+available.
=head1 OPTIONS
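Review bot: the AIX variant at the end of this sentence is left unnamed while its siblings now appear as options (B<-crypt>, B<-1>, B<-apr1>); for consistency name its option too, i.e. "..., and its AIX variant B<-aixmd5> are available.", since B<-aixmd5> is the option the passwd command accepts for it.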
=item B<-passin> I<arg>
The PKCS#12 file (i.e. input file) password source. For more information about
-the format of B<arg>
+the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
-information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
+information about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
=item B<-password> I<arg>
=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
-the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
-about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
+about the format of I<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
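Review bot: the =item heading at the top of this hunk still reads B<-passin> I<password> while its body now says "the format of I<arg>", the same heading/body mismatch this patch fixes elsewhere for B<-passout> (I<password> to I<arg>); change it to `=item B<-passin> I<arg>`. The pass-phrase cross-reference is also written two ways within a few lines, L<openssl(1)/Pass phrase options> in the -passin entry above and "the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>" here; settling on one form while these lines are being touched would avoid the two drifting apart.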
=item B<-chain>
=item B<-CSP> I<name>
-Write B<name> as a Microsoft CSP name.
+Write I<name> as a Microsoft CSP name.
=back
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-iter> I<count>
This option sets the PKCS#5 v2.0 algorithm.
-The B<alg> argument is the encryption algorithm to use, valid values include
+The I<alg> argument is the encryption algorithm to use, valid values include
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
+Specifying an engine (by its unique I<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
-Sets the scrypt B<N>, B<r> or B<p> parameters.
+Sets the scrypt I<N>, I<r> or I<p> parameters.
=back
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-traditional>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkey>
+Specifying an engine (by its unique I<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
+Specifying an engine (by its unique I<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
[B<-derive>]
[B<-kdf> I<algorithm>]
[B<-kdflen> I<length>]
-[B<-pkeyopt> I<opt:value>]
-[B<-pkeyopt_passin> I<opt:passarg>]
+[B<-pkeyopt> I<opt>:I<value>]
+[B<-pkeyopt_passin> I<opt>[:I<passarg>]]
[B<-hexdump>]
[B<-asn1parse>]
[B<-rand> I<files>]
=item B<-sigfile> I<file>
-Signature file, required for B<verify> operations only
+Signature file, required for B<-verify> operations only
=item B<-inkey> I<file>
=item B<-passin> I<arg>
-The input key password source. For more information about the format of B<arg>
+The input key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-peerkey> I<file>
=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
-The peer key format PEM, DER or ENGINE. Default is PEM.
+The peer key format B<PEM>, B<DER> or B<ENGINE>. Default is B<PEM>.
=item B<-pubin>
=item B<-kdf> I<algorithm>
-Use key derivation function B<algorithm>. The supported algorithms are
+Use key derivation function I<algorithm>. The supported algorithms are
at present B<TLS1-PRF> and B<HKDF>.
Note: additional parameters and the KDF output length will normally have to be
set for this to work.
Set the output length for KDF.
-=item B<-pkeyopt> I<opt:value>
+=item B<-pkeyopt> I<opt>:I<value>
Public key options specified as opt:value. See NOTES below for more details.
-=item B<-pkeyopt_passin> I<opt:passarg>
+=item B<-pkeyopt_passin> I<opt>[:I<passarg>]
-Allows reading a public key option B<opt> from stdin or a password source. If
-only opt is specified, the user will be prompted to enter the value on stdin.
-Alternatively, passarg can be specified which can be any value supported by
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+Allows reading a public key option I<opt> from stdin or a password source.
+If only I<opt> is specified, the user will be prompted to enter a password on
+stdin. Alternatively, I<passarg> can be specified which can be any value
+supported by B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
=item B<-hexdump>
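Review bot: the rewritten sentence turns "prompted to enter the value on stdin" into "prompted to enter a password on stdin", which is a statement about behaviour rather than a markup fix; confirm it matches what the option actually reads and call it out in the commit message. The unchanged line above, "Public key options specified as opt:value.", should also pick up the new I<opt>:I<value> markup so the body matches its heading.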
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+Specifying an engine (by its unique I<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-engine_impl>
When used with the B<-engine> option, it specifies to also use
-engine B<id> for crypto operations.
+engine I<id> for crypto operations.
=back
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
-Unless otherwise mentioned all algorithms support the B<digest:alg> option
+Unless otherwise mentioned all algorithms support the B<digest:>I<alg> option
which specifies the digest in use for sign, verify and verifyrecover operations.
-The value B<alg> should represent a digest name as used in the
+The value I<alg> should represent a digest name as used in the
EVP_get_digestbyname() function for example B<sha1>. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
lengths of data passed in to the B<pkeyutl> and for creating the structures that
=over 4
-=item B<rsa_padding_mode:mode>
+=item B<rsa_padding_mode:>I<mode>
-This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
+This sets the RSA padding mode. Acceptable values for I<mode> are B<pkcs1> for
PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
For B<pss> mode only sign and verify are supported and the digest type must be
specified.
-=item B<rsa_pss_saltlen:len>
+=item B<rsa_pss_saltlen:>I<len>
For B<pss> mode only this option specifies the salt length. Three special
-values are supported: "digest" sets the salt length to the digest length,
-"max" sets the salt length to the maximum permissible value. When verifying
-"auto" causes the salt length to be automatically determined based on the
+values are supported: B<digest> sets the salt length to the digest length,
+B<max> sets the salt length to the maximum permissible value. When verifying
+B<auto> causes the salt length to be automatically determined based on the
B<PSS> block structure.
-=item B<rsa_mgf1_md:digest>
+=item B<rsa_mgf1_md:>I<digest>
For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not
explicitly set in PSS mode then the signing digest is used.
The RSA-PSS algorithm is a restricted version of the RSA algorithm which only
supports the sign and verify operations with PSS padding. The following
-additional B<pkeyopt> values are supported:
+additional B<-pkeyopt> values are supported:
=over 4
-=item B<rsa_padding_mode:mode>, B<rsa_pss_saltlen:len>, B<rsa_mgf1_md:digest>
+=item B<rsa_padding_mode:>I<mode>, B<rsa_pss_saltlen:>I<len>,
+B<rsa_mgf1_md:>I<digest>
These have the same meaning as the B<RSA> algorithm with some additional
restrictions. The padding mode can only be set to B<pss> which is the
These algorithms only support signing and verifying. OpenSSL only implements the
"pure" variants of these algorithms so raw data can be passed directly to them
-without hashing them first. The option "-rawin" must be used with these
-algorithms with no "-digest" specified. Additionally OpenSSL only supports
+without hashing them first. The option B<-rawin> must be used with these
+algorithms with no B<-digest> specified. Additionally OpenSSL only supports
"oneshot" operation with these algorithms. This means that the entire file to
be signed/verified must be read into memory before processing it. Signing or
Verifying very large files should be avoided. Additionally the size of the file
The SM2 algorithm supports sign, verify, encrypt and decrypt operations. For
the sign and verify operations, SM2 requires an ID string to be passed in. The
-following B<pkeyopt> value is supported:
+following B<-pkeyopt> value is supported:
=over 4
-=item B<sm2_id:string>
+=item B<sm2_id:>I<string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
Otherwise the verification will fail.
-=item B<sm2_hex_id:hex_string>
+=item B<sm2_hex_id:>I<hex_string>
This sets the ID string used in SM2 sign or verify operations. While verifying
an SM2 signature, the ID string must be the same one used when signing the data.
=item B<-bits> I<num>
-Generate a prime with B<num> bits.
+Generate a prime with I<num> bits.
=item B<-safe>
When used with B<-generate>, generates a "safe" prime. If the number
-generated is B<n>, then check that B<(n-1)/2> is also prime.
+generated is I<n>, then check that C<(I<n>-1)/2> is also prime.
=item B<-checks> I<num>
-Perform the checks B<num> times to see that the generated number
+Perform the checks I<num> times to see that the generated number
is prime. The default is 20.
=back
In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.
-The links created are of the form C<HHHHHHHH.D>, where each B<H>
-is a hexadecimal character and B<D> is a single decimal digit.
+The links created are of the form I<HHHHHHHH.D>, where each I<H>
+is a hexadecimal character and I<D> is a single decimal digit.
When processing a directory, B<rehash> will first remove all links
that have a name in that syntax, even if they are being used for some
other purpose.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after
-the period, like this: C<HHHHHHHH.rD>.
+the period, like this: I<HHHHHHHH.>B<r>I<D>.
Multiple objects may have the same hash; they will be indicated by
-incrementing the B<D> value. Duplicates are found by comparing the
+incrementing the I<D> value. Duplicates are found by comparing the
full SHA-1 fingerprint. A warning will be displayed if a duplicate
is found.
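Review bot: these hash link names are file names, and this patch itself uses F<I<hash>.0> for the same kind of pattern in the verify -CApath text, so F<HHHHHHHH.D> and F<HHHHHHHH.rD> (with I<> only on the variable parts, if wanted) would be the consistent choice rather than switching the existing C<> to I<>; as written, I<HHHHHHHH.>B<r>I<D> renders as three differently styled fragments of one name.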
$OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FILENAME
-where B<FILENAME> is the filename. It must output the hash of the
+where I<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.
[B<-new>]
[B<-rand> I<files>]
[B<-writerand> I<file>]
-[B<-newkey> I<rsa:bits>]
-[B<-newkey> I<alg:file>]
+[B<-newkey> I<arg>]
[B<-nodes>]
[B<-key> I<filename>]
[B<-keyform> B<DER>|B<PEM>]
=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-text>
=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
-key. The argument takes one of several forms. B<rsa:nbits>, where
-B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
+key. The argument takes one of several forms.
+
+B<rsa:>I<nbits>, where
+I<nbits> is the number of bits, generates an RSA key I<nbits>
+in size. If I<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
the default key size, specified in the configuration file is used.
-All other algorithms support the B<-newkey> I<alg:file> form, where file may be
-an algorithm parameter file, created by the B<genpkey -genparam> command
-or and X.509 certificate for a key with appropriate algorithm.
+All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
+may be an algorithm parameter file, created with B<genpkey -genparam>
+or an X.509 certificate for a key with appropriate algorithm.
-B<param:file> generates a key using the parameter file or certificate B<file>,
-the algorithm is determined by the parameters. B<algname:file> use algorithm
-B<algname> and parameter file B<file>: the two algorithms must match or an
-error occurs. B<algname> just uses algorithm B<algname>, and parameters,
-if necessary should be specified via B<-pkeyopt> parameter.
+B<param:>I<file> generates a key using the parameter file or certificate
+I<file>, the algorithm is determined by the parameters. I<algname>:I<file>
+use algorithm I<algname> and parameter file I<file>: the two algorithms must
+match or an error occurs. I<algname> just uses algorithm I<algname>, and
+parameters, if necessary should be specified via B<-pkeyopt> parameter.
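Review bot: "I<algname>:I<file> use algorithm I<algname>" needs "uses", and "where file may be" in the preceding paragraph leaves the first mention of the argument unmarked while the form it describes is I<alg>:I<file>; suggest "where I<file> may be" so the convention this patch introduces is applied throughout the paragraph.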
-B<dsa:filename> generates a DSA key using the parameters
-in the file B<filename>. B<ec:filename> generates EC key (usable both with
-ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
-34.10-2001 key (requires B<ccgost> engine configured in the configuration
+B<dsa:>I<filename> generates a DSA key using the parameters
+in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
+ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
+34.10-2001 key (requires B<gost> engine configured in the configuration
file). If just B<gost2001> is specified a parameter set should be
specified by B<-pkeyopt> I<paramset:X>
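Review bot: replacing B<ccgost> with B<gost> is an engine-name correction, not a markup change, so it should be mentioned in the commit message and checked against the engine's actual id. The trailing context line B<-pkeyopt> I<paramset:X> still uses the old all-italic opt:value form; under the convention adopted in this patch it would be B<-pkeyopt> B<paramset:>I<X>.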
+=item B<-pkeyopt> I<opt>:I<value>
-=item B<-pkeyopt> I<opt:value>
-
-Set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
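Review bot: the lone removed blank line (the bare `-` line) in this hunk sits between the =item and its paragraph; POD requires a blank line after an =item, so please check that the rendered -pkeyopt entry still starts a new paragraph rather than being absorbed into the item line.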
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
-using the B<set_serial> option, a large random number will be used for
+using the B<-set_serial> option, a large random number will be used for
the serial number.
If existing request is specified with the B<-in> option, it is converted
=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
-days to certify the certificate for, otherwise it is ignored. B<n> should
+days to certify the certificate for, otherwise it is ignored. I<n> should
be a positive integer. The default is 30 days.
=item B<-set_serial> I<n>
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-reqopt>
+=item B<-reqopt> I<option>
-Customise the output format used with B<-text>. The B<option> argument can be
+Customise the output format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.
See discussion of the B<-certopt> parameter in the L<x509(1)>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<req>
+Specifying an engine (by its unique I<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-keygen_engine> I<id>
-Specifies an engine (by its unique B<id> string) which would be used
+Specifies an engine (by its unique I<id> string) which would be used
for key generation operations.
=item B<-sm2-id>
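Review bot: `=item B<-sm2-id>` is missing its argument; the verify synopsis later in this patch writes it as B<-sm2-id> I<string>, and -reqopt above gained its I<option> in the same way, so this heading should read `=item B<-sm2-id> I<string>`.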
=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-out> I<filename>
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout> I<password>
+=item B<-passout> I<arg>
-The output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<rsa>
+Specifying an engine (by its unique I<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-pass> I<arg>
-the private key password source. For more information about the format of B<arg>
+the private key password source. For more information about the format of I<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-verify> I<depth>
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-dane_tlsa_rrdata> I<rrdata>
Use one or more times to specify the RRDATA fields of the DANE TLSA
-RRset associated with the target service. The B<rrdata> value is
+RRset associated with the target service. The I<rrdata> value is
specied in "presentation form", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
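Review bot: "specied" in the unchanged line directly after the I<rrdata> change is a typo for "specified"; worth fixing while this paragraph is being touched.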
=item B<-psk_identity> I<identity>
-Use the PSK identity B<identity> when using a PSK cipher suite.
+Use the PSK identity I<identity> when using a PSK cipher suite.
The default value is "Client_identity" (without the quotes).
=item B<-psk> I<key>
-Use the PSK key B<key> when using a PSK cipher suite. The key is
+Use the PSK key I<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
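Review bot: the inline example "-psk 1a2b3c4d" in the sentence after the I<key> change is left unmarked; write it as B<-psk> 1a2b3c4d (or move it to a verbatim line) so the option name is styled like every other option in this file. The same sentence recurs in the s_server -psk entry below.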
=item B<-psk_session> I<file>
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
=item B<-starttls> I<protocol>
Send the protocol-specific message(s) to switch to TLS for communication.
-B<protocol> is a keyword for the intended protocol. Currently, the only
+I<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
=item B<-sess_out> I<filename>
-Output SSL session to B<filename>.
+Output SSL session to I<filename>.
-=item B<-sess_in> I<sess.pem>
+=item B<-sess_in> I<filename>
-Load SSL session from B<filename>. The client will attempt to resume a
+Load SSL session from I<filename>. The client will attempt to resume a
connection from this session.
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<s_client>
+Specifying an engine (by its unique I<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The B<protocols> list is a comma-separated list of protocol names that
+The I<protocols> list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable ASCII strings,
for example "http/1.1" or "spdy/3".
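Review bot: the opening line of this paragraph, "These flags enable the Enable the Application-Layer Protocol Negotiation", has a duplicated "enable the"; it should read "These flags enable the Application-Layer Protocol Negotiation (ALPN) or Next Protocol Negotiation (NPN) extension, respectively.", which also defines ALPN before the next sentence uses it. The identical sentence appears again in the s_server ALPN text below and needs the same fix.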
=item B<-nameopt> I<val>
Option which determines how the subject or issuer names are displayed. The
-B<val> argument can be a single option or multiple options separated by
+I<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-id_prefix> I<val>
-Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
+Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
=item B<-status_timeout> I<int>
-Sets the timeout for OCSP response to B<int> seconds.
+Sets the timeout for OCSP response to I<int> seconds.
=item B<-status_url> I<val>
=item B<-psk_identity> I<val>
-Expect the client to send PSK identity B<val> when using a PSK
+Expect the client to send PSK identity I<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".
=item B<-psk_hint> I<val>
-Use the PSK identity hint B<val> when using a PSK cipher suite.
+Use the PSK identity hint I<val> when using a PSK cipher suite.
=item B<-psk> I<val>
-Use the PSK key B<val> when using a PSK cipher suite. The key is
+Use the PSK key I<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
=item B<-psk_session> I<file>
-Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
+Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-listen>
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
IETF standard and replaces NPN.
-The B<val> list is a comma-separated list of supported protocol
+The I<val> list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
=item B<-engine> I<val>
-Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
+Specifying an engine (by its unique id string in I<val>) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
B<openssl> B<s_time>
[B<-help>]
-[B<-connect> I<host:port>]
+[B<-connect> I<host>:I<port>]
[B<-www> I<page>]
[B<-cert> I<filename>]
[B<-key> I<filename>]
Print out a usage message.
-=item B<-connect> I<host:port>
+=item B<-connect> I<host>:I<port>
This specifies the host and optional port to connect to.
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
-would typically be used (https uses port 443). 'commoncipher' is a cipher to
+would typically be used (https uses port 443). I<commoncipher> is a cipher to
which both client and server can agree, see the L<ciphers(1)> command
for details.
B<openssl> B<sess_id>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
-[B<-outform> B<DER>|B<PEM>|B<MSS>]
+[B<-outform> B<DER>|B<PEM>|B<NSS>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-text>]
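Review bot: the synopsis change from B<MSS> to B<NSS> is a genuine typo fix that brings the synopsis in line with the =item B<-outform> entry below (which lists B<NSS>); note it in the commit message, since it goes beyond the markup normalisation the rest of the patch does.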
=item B<-outform> B<DER>|B<PEM>|B<NSS>
-This specifies the output format. The B<PEM> and B<DER> options have the same meaning
-and default as the B<-inform> option. The B<NSS> option outputs the session id and
-the master key in NSS keylog format.
+This specifies the output format. The B<PEM> and B<DER> options have the same
+meaning and default as the B<-inform> option. The B<NSS> option outputs the
+session id and the master key in NSS keylog format.
=item B<-in> I<filename>
=item B<-passin> I<arg>
-The private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-rand> I<files>
This command is used to test the performance of cryptographic algorithms.
To see the list of supported algorithms, use the I<list --digest-commands>
or I<list --cipher-commands> command. The global CSPRNG is denoted by
-the I<rand> algorithm name.
+the B<rand> algorithm name.
=head1 OPTIONS
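Review bot: I<list --digest-commands> and I<list --cipher-commands> are command invocations, not variable arguments, so they should get B<> like the B<rand> change on the following line; the I<>-to-B<> fix was applied to one but not the others in the same sentence.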
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<speed>
+Specifying an engine (by its unique I<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-evp> I<algo>
Use the specified cipher or message digest algorithm via the EVP interface.
-If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
-TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
+If I<algo> is an AEAD cipher, then you can pass B<-aead> to benchmark a
+TLS-like sequence. And if I<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
=item B<-hmac> I<digest>
=item B<-primes> I<num>
-Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
+Generate a I<num>-prime RSA key and use it to run the benchmarks. This option
is only effective if RSA algorithm is specified to test.
=item B<-seconds> I<num>
-Run benchmarks for B<num> seconds.
+Run benchmarks for I<num> seconds.
=item B<-bytes> I<num>
-Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
+Run benchmarks on I<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
=item I<algorithm> ...
=item B<-key> I<keyfile>
-Create an SPKAC file using the private key in B<keyfile>. The
+Create an SPKAC file using the private key in I<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
-=item B<-passin> I<password>
+=item B<-passin> I<arg>
-The input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-challenge> I<string>
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<spkac>
+Specifying an engine (by its unique I<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
can be specified.
These options take zero or more usernames as parameters and perform the
appropriate operation on the SRP file.
-For B<-list>, if no B<user> is given then all users are displayed.
+For B<-list>, if no I<user> is given then all users are displayed.
The configuration file to use, and the section within the file, can be
specified with the B<-config> and B<-name> flags, respectively.
The B<-userinfo> option specifies additional information to add when
adding or modifying a user.
-The B<-gn> flag specifies the B<g> and B<N> values, using one of
+The B<-gn> flag specifies the I<g> and I<N> values, using one of
the strengths defined in IETF RFC 5054.
The B<-passin> and B<-passout> arguments are parsed as described in
=item B<-passin> I<arg>
-the key password source. For more information about the format of B<arg>
+the key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-text>
=item B<-engine> I<id>
-specifying an engine (by its unique B<id> string) will cause B<storeutl>
+specifying an engine (by its unique I<id> string) will cause B<storeutl>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed.
The engine will then be set as the default for all available algorithms.
=item B<-subject> I<arg>
-Search for an object having the subject name B<arg>.
+Search for an object having the subject name I<arg>.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
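Review bot: "The arg must be formatted as ..." leaves the argument name unmarked immediately after the preceding line changed it to I<arg>; write "The I<arg> must be formatted as". In the -engine entry above, "specifying an engine" starts its sentence in lower case, as does "the key password source" in the -passin entry, unlike the identical boilerplate in every other man page in this patch; capitalise both.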
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<ts>
+Specifying an engine (by its unique I<id> string) will cause B<ts>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. Default is built-in. (Optional)
[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
[B<-->]
-[certificates]
+[I<certificate> ...]
=for comment ifdef engine sm2-id sm2-hex-id
=item B<-CAfile> I<file>
-A B<file> of trusted certificates.
+A I<file> of trusted certificates.
The file should contain one or more certificates in PEM format.
=item B<-CApath> I<directory>
A directory of trusted certificates. The certificates should have names
-of the form: hash.0 or have symbolic links to them of this
-form ("hash" is the hashed certificate subject name: see the B<-hash> option
+of the form: F<I<hash>.0> or have symbolic links to them of this
+form (I<hash> is the hashed certificate subject name: see the B<-hash> option
of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.
=item B<-attime> I<timestamp>
-Perform validation checks using time specified by B<timestamp> and not
-current system time. B<timestamp> is the number of seconds since
+Perform validation checks using time specified by I<timestamp> and not
+current system time. I<timestamp> is the number of seconds since
01.01.1970 (UNIX time).
=item B<-check_ss_sig>
=item B<-CRLfile> I<file>
-The B<file> should contain one or more CRLs in PEM format.
+The I<file> should contain one or more CRLs in PEM format.
This option can be specified more than once to include CRLs from multiple
-B<files>.
+I<file>s.
=item B<-crl_download>
=item B<-engine> I<id>
-Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
+Specifying an engine I<id> will cause L<verify(1)> to attempt to load the
specified engine.
The engine will then be set as the default for all its supported algorithms.
If you want to load certificates or CRLs that require engine support via any of
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
=item B<-policy> I<arg>
-Enable policy processing and add B<arg> to the user-initial-policy-set (see
-RFC5280). The policy B<arg> can be an object name an OID in numeric form.
+Enable policy processing and add I<arg> to the user-initial-policy-set (see
+RFC5280). The policy I<arg> can be an object name an OID in numeric form.
This argument can appear more than once.
=item B<-policy_check>
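Review bot: the rewritten line "The policy I<arg> can be an object name an OID in numeric form." carries over a pre-existing grammar slip: a conjunction is missing between "an object name" and "an OID". Since the line is already modified in this hunk, suggest "can be an object name or an OID in numeric form."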
=item B<-untrusted> I<file>
-A B<file> of additional untrusted certificates (intermediate issuer CAs) used
+A I<file> of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
-The B<file> should contain one or more certificates in PEM format.
+The I<file> should contain one or more certificates in PEM format.
This option can be specified more than once to include untrusted certificates
-from multiple B<files>.
+from multiple I<file>s.
=item B<-trusted> I<file>
-A B<file> of trusted certificates, which must be self-signed, unless the
+A I<file> of trusted certificates, which must be self-signed, unless the
B<-partial_chain> option is specified.
-The B<file> contains one or more certificates in PEM format.
+The I<file> contains one or more certificates in PEM format.
With this option, no additional (e.g., default) certificate lists are
consulted.
-That is, the only trust-anchors are those listed in B<file>.
+That is, the only trust-anchors are those listed in I<file>.
This option can be specified more than once to include trusted certificates
-from multiple B<files>.
+from multiple I<file>s.
This option implies the B<-no-CAfile> and B<-no-CApath> options.
This option cannot be used in combination with either of the B<-CAfile> or
B<-CApath> options.
=item B<-auth_level> I<level>
-Set the certificate chain authentication security level to B<level>.
+Set the certificate chain authentication security level to I<level>.
The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains.
For a certificate chain to validate, the public keys of all the certificates
-must meet the specified security B<level>.
+must meet the specified security I<level>.
The signature algorithm security level is enforced for all the certificates in
the chain except for the chain's I<trust anchor>, which is either directly
trusted or validated by means other than its signature.
=item B<-verify_depth> I<num>
-Limit the certificate chain to B<num> intermediate CA certificates.
-A maximal depth chain can have up to B<num+2> certificates, since neither the
+Limit the certificate chain to I<num> intermediate CA certificates.
+A maximal depth chain can have up to I<num>+2 certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
B<-verify_depth> limit.
=item B<-verify_email> I<email>
-Verify if the B<email> matches the email address in Subject Alternative Name or
+Verify if I<email> matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
=item B<-verify_hostname> I<hostname>
-Verify if the B<hostname> matches DNS name in Subject Alternative Name or
+Verify if I<hostname> matches DNS name in Subject Alternative Name or
Common Name in the subject certificate.
=item B<-verify_ip> I<ip>
-Verify if the B<ip> matches the IP address in Subject Alternative Name of
+Verify if I<ip> matches the IP address in Subject Alternative Name of
the subject certificate.
=item B<-verify_name> I<name>
Use default verification policies like trust model and required certificate
-policies identified by B<name>.
+policies identified by I<name>.
The trust model determines which auxiliary trust or reject OIDs are applicable
to verifying the given certificate chain.
See the B<-addtrust> and B<-addreject> options of the L<x509(1)> command-line
certificate files. This is useful if the first certificate filename begins
with a B<->.
-=item B<certificates>
+=item I<certificate> ...
One or more certificates to verify. If no certificates are given, B<verify>
will attempt to read a certificate from standard input. Certificates must be
=item B<-engine> I<id>
-Specifying an engine (by its unique B<id> string) will cause B<x509>
+Specifying an engine (by its unique I<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
=item B<-certopt> I<option>
-Customise the output format used with B<-text>. The B<option> argument
+Customise the output format used with B<-text>. The I<option> argument
can be a single option or multiple options separated by commas. The
B<-certopt> switch may be also be used more than once to set multiple
options. See the B<TEXT OPTIONS> section for more information.
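Review bot: the unchanged context line "The B<-certopt> switch may be also be used more than once" contains a doubled "be" ("may be also be used"). It is one line below the line this hunk edits, so it would be worth folding the fix into the same change: "may also be used more than once".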
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
-B<option> argument can be a single option or multiple options separated by
+I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the B<NAME OPTIONS> section for more information.
=item B<-checkend> I<arg>
-Checks if the certificate expires within the next B<arg> seconds and exits
+Checks if the certificate expires within the next I<arg> seconds and exits
nonzero if yes it will expire or zero if not.
=item B<-fingerprint>
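Review bot: the rewritten B<-checkend> sentence still ends "and exits nonzero if yes it will expire or zero if not", which reads awkwardly. While touching the line, suggest "and exits nonzero if it will expire, or zero if not", which states the same exit-code behaviour more plainly.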
=item B<-passin> I<arg>
-The key password source. For more information about the format of B<arg>
+The key password source. For more information about the format of I<arg>
see L<openssl(1)/Pass phrase options>.
=item B<-clrext>
=item B<-force_pubkey> I<filename>
-When a certificate is created set its public key to the key in B<filename>
+When a certificate is created set its public key to the key in I<filename>
instead of the key contained in the input or given with the B<-signkey> option.
This option is useful for creating self-issued certificates that are not
=head2 Name Options
-The B<nameopt> command line switch determines how the subject and issuer
-names are displayed. If no B<nameopt> switch is present the default "oneline"
+The B<-nameopt> command line switch determines how the subject and issuer
+names are displayed. If no B<-nameopt> switch is present the default "oneline"
format is used which is compatible with previous versions of OpenSSL.
Each option is described in detail below, all options can be preceded by
a B<-> to turn the option off. Only the first four will normally be used.
B<openssl>
I<command>
-[ I<command_opts> ]
-[ I<command_args> ]
+[ I<command_opts> ... ]
+[ I<command_args> ... ]
-B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<mac-algorithms> | B<public-key-algorithms>]
+B<openssl> B<list> [ B<-standard-commands> | B<-digest-commands> | B<-cipher-commands> | B<-cipher-algorithms> | B<-digest-algorithms> | B<-mac-algorithms> | B<-public-key-algorithms>]
B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
depends on the configuration flags specified when the OpenSSL
was built.
-The list parameters B<standard-commands>, B<digest-commands>,
-and B<cipher-commands> output a list (one entry per line) of the names
+The list options B<-standard-commands>, B<-digest-commands>,
+and B<-cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present B<openssl> utility.
-The list parameters B<cipher-algorithms>, B<digest-algorithms>,
-and B<mac-algorithms> list all cipher, message digest, and message
+The list parameters B<-cipher-algorithms>, B<-digest-algorithms>,
+and B<-mac-algorithms> list all cipher, message digest, and message
authentication code names, one entry per line. Aliases are listed as:
from => to
-The list parameter B<public-key-algorithms> lists all supported public
+The list parameter B<-public-key-algorithms> lists all supported public
key algorithms.
The command B<no->I<XXX> tests whether a command of the
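Review bot: the wording is updated inconsistently across this region. The first paragraph is changed from "The list parameters B<standard-commands>, ..." to "The list options B<-standard-commands>, ...", but the next two paragraphs keep "The list parameters B<-cipher-algorithms>, ..." and "The list parameter B<-public-key-algorithms> ..." even though their option names gain the leading dash in the same hunk. Suggest using "options"/"option" in all three paragraphs, matching the dash-prefixed spelling introduced in the synopsis line.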
=over 4
-=item B<pass:password>
+=item B<pass:>I<password>
-The actual password is B<password>. Since the password is visible
+The actual password is I<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
-=item B<env:var>
+=item B<env:>I<var>
-Obtain the password from the environment variable B<var>. Since
+Obtain the password from the environment variable I<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
-=item B<file:pathname>
+=item B<file:>I<pathname>
-The first line of B<pathname> is the password. If the same B<pathname>
+The first line of I<pathname> is the password. If the same I<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
-password. B<pathname> need not refer to a regular file: it could for example
+password. I<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.
-=item B<fd:number>
+=item B<fd:>I<number>
-Read the password from the file descriptor B<number>. This can be used to
+Read the password from the file descriptor I<number>. This can be used to
send the data via a pipe for example.
=item B<stdin>
=head1 HISTORY
-The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0;
+The B<list> -I<XXX>B<-algorithms> options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
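Review bot: the new HISTORY line "The B<list> -I<XXX>B<-algorithms> options were added" puts the leading dash outside any formatting code, so it renders as plain text between the bold "list" and the italic placeholder, and the space after B<list> separates it from the option. The synopsis in this same patch writes the analogous pattern as B<no->I<XXX>; suggest B<list> B<->I<XXX>B<-algorithms> here so the dash is part of the bold option name.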