B<-signcert> |
B<-crl> |
B<-newca>
-[B<-extra-cmd> extra-params]
+[B<-extra-cmd> I<extra-params>]
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
+B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<extra-params>] [I<certname>]
-B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
+B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile>...
-B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
+B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]
=head1 DESCRIPTION
Generate a CRL. Executes B<openssl ca> command.
-=item B<-revoke certfile [reason]>
+=item B<-revoke> I<certfile> [I<reason>]
Revoke the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<openssl> B<asn1parse>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
-[B<-offset number>]
-[B<-length number>]
+[B<-offset> I<number>]
+[B<-length> I<number>]
[B<-i>]
-[B<-oid filename>]
+[B<-oid> I<filename>]
[B<-dump>]
-[B<-dlimit num>]
-[B<-strparse offset>]
-[B<-genstr string>]
-[B<-genconf file>]
+[B<-dlimit> I<num>]
+[B<-strparse> I<offset>]
+[B<-genstr> I<string>]
+[B<-genconf> I<file>]
[B<-strictpem>]
-[B<-item name>]
+[B<-item> I<name>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform> B<DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
-The input format. B<DER> is binary format and B<PEM> (the default) is base64
+The input format. I<DER> is binary format and I<PEM> (the default) is base64
encoded.
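Review bot: the description now marks the literal values as I<DER> and I<PEM> while the =item line directly above and the matching entries in the crl, crl2pkcs7 and dhparam pages of this same patch keep them as B<DER> and B<PEM>; I<> is being introduced for placeholders, so literal option values should stay bold. Suggest reverting the changed line to `The input format. B<DER> is binary format and B<PEM> (the default) is base64`.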
-=item B<-in filename>
+=item B<-in> I<filename>
The input file, default is standard input.
-=item B<-out filename>
+=item B<-out> I<filename>
Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
Don't output the parsed version of the input file.
-=item B<-offset number>
+=item B<-offset> I<number>
Starting offset to begin parsing, default is start of file.
-=item B<-length number>
+=item B<-length> I<number>
Number of bytes to parse, default is until end of file.
Indents the output according to the "depth" of the structures.
-=item B<-oid filename>
+=item B<-oid> I<filename>
A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.
Dump unknown data in hex format.
-=item B<-dlimit num>
+=item B<-dlimit> I<num>
Like B<-dump>, but only the first B<num> bytes are output.
-=item B<-strparse offset>
+=item B<-strparse> I<offset>
Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.
-=item B<-genstr string>, B<-genconf file>
+=item B<-genstr> I<string>, B<-genconf> I<file>
Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
option will ignore any data prior to the start of the BEGIN marker, or after an
END marker in a PEM file.
-=item B<-item name>
+=item B<-item> I<name>
Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.
In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
-be examined using the option B<-strparse 229> to yield:
+be examined using the option C<-strparse 229> to yield:
0:d=0 hl=3 l= 137 cons: SEQUENCE
3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
B<openssl> B<ca>
[B<-help>]
[B<-verbose>]
-[B<-config filename>]
-[B<-name section>]
+[B<-config> I<filename>]
+[B<-name> I<section>]
[B<-gencrl>]
-[B<-revoke file>]
-[B<-valid file>]
-[B<-status serial>]
+[B<-revoke> I<file>]
+[B<-valid> I<file>]
+[B<-status> I<serial>]
[B<-updatedb>]
-[B<-crl_reason reason>]
-[B<-crl_hold instruction>]
-[B<-crl_compromise time>]
-[B<-crl_CA_compromise time>]
-[B<-crldays days>]
-[B<-crlhours hours>]
-[B<-crlexts section>]
-[B<-startdate date>]
-[B<-enddate date>]
-[B<-days arg>]
-[B<-md arg>]
-[B<-policy arg>]
-[B<-keyfile arg>]
-[B<-keyform PEM|DER>]
-[B<-key arg>]
-[B<-passin arg>]
-[B<-cert file>]
+[B<-crl_reason> I<reason>]
+[B<-crl_hold> I<instruction>]
+[B<-crl_compromise> I<time>]
+[B<-crl_CA_compromise> I<time>]
+[B<-crldays> I<days>]
+[B<-crlhours> I<hours>]
+[B<-crlexts> I<section>]
+[B<-startdate> I<date>]
+[B<-enddate> I<date>]
+[B<-days> I<arg>]
+[B<-md> I<arg>]
+[B<-policy> I<arg>]
+[B<-keyfile> I<arg>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-key> I<arg>]
+[B<-passin> I<arg>]
+[B<-cert> I<file>]
[B<-selfsign>]
-[B<-in file>]
-[B<-out file>]
+[B<-in> I<file>]
+[B<-out> I<file>]
[B<-notext>]
-[B<-outdir dir>]
+[B<-outdir> I<dir>]
[B<-infiles>]
-[B<-spkac file>]
-[B<-ss_cert file>]
+[B<-spkac> I<file>]
+[B<-ss_cert> I<file>]
[B<-preserveDN>]
[B<-noemailDN>]
[B<-batch>]
[B<-msie_hack>]
-[B<-extensions section>]
-[B<-extfile section>]
-[B<-engine id>]
-[B<-subj arg>]
+[B<-extensions> I<section>]
+[B<-extfile> I<section>]
+[B<-engine> I<id>]
+[B<-subj> I<arg>]
[B<-utf8>]
-[B<-sigopt nm:v>]
+[B<-sigopt> I<nm>:I<v>]
[B<-create_serial>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-sm2-id string>]
-[B<-sm2-hex-id hex-string>]
+[B<-rand> I<file>]
+[B<-writerand> I<file>]
+[B<-sm2-id> I<string>]
+[B<-sm2-hex-id> I<hex-string>]
=head1 DESCRIPTION
This prints extra details about the operations being performed.
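Review bot: several placeholders introduced in this synopsis do not match the =item entries further down the same page: `-md I<arg>` versus `=item B<-md> I<alg>`, `-keyfile I<arg>` versus `I<filename>`, `-key I<arg>` versus `I<password>`, `-revoke I<file>` versus `I<filename>`, and `-extfile I<section>` versus `I<file>` (the option reads an additional configuration file, so I<file> is the right one). `-rand I<file>` also drops the `...` that the description ("A file or files") and the cms and dgst synopses retain. Use the same placeholder in the synopsis and its =item so readers can grep for one name.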
-=item B<-config filename>
+=item B<-config> I<filename>
Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-name section>
+=item B<-name> I<section>
Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
-=item B<-in filename>
+=item B<-in> I<filename>
An input filename containing a single certificate request to be
signed by the CA.
-=item B<-ss_cert filename>
+=item B<-ss_cert> I<filename>
A single self-signed certificate to be signed by the CA.
-=item B<-spkac filename>
+=item B<-spkac> I<filename>
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
-=item B<-out filename>
+=item B<-out> I<filename>
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).
-=item B<-outdir directory>
+=item B<-outdir> I<directory>
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
The CA certificate file.
-=item B<-keyfile filename>
+=item B<-keyfile> I<filename>
The private key to sign requests with.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
The format of the data in the private key file.
The default is PEM.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-key password>
+=item B<-key> I<password>
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
serial number counter as all other certificates sign with the
self-signed certificate.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-notext>
Don't output the text form of a certificate to the output file.
-=item B<-startdate date>
+=item B<-startdate> I<date>
This allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.
-=item B<-enddate date>
+=item B<-enddate> I<date>
This allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.
-=item B<-days arg>
+=item B<-days> I<arg>
The number of days to certify the certificate for.
-=item B<-md alg>
+=item B<-md> I<alg>
The message digest to use.
Any digest supported by the OpenSSL B<dgst> command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
-=item B<-policy arg>
+=item B<-policy> I<arg>
This option defines the CA "policy" to use. This is a section in
the configuration file which decides which fields should be mandatory
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
-=item B<-extensions section>
+=item B<-extensions> I<section>
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
L<x509v3_config(5)> manual page for details of the
extension section format.
-=item B<-extfile file>
+=item B<-extfile> I<file>
An additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-subj arg>
+=item B<-subj> I<arg>
Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
-=item B<-rand file...>
+=item B<-rand> I<file>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-sm2-id>
+=item B<-sm2-id> I<string>
Specify the ID string to use when verifying an SM2 certificate. The ID string is
required by the SM2 signature algorithm for signing and verification.
-=item B<-sm2-hex-id>
+=item B<-sm2-hex-id> I<hex-string>
Specify a binary ID string to use when signing or verifying using an SM2
certificate. The argument for this option is string of hexadecimal digits.
This option generates a CRL based on information in the index file.
-=item B<-crldays num>
+=item B<-crldays> I<num>
The number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.
-=item B<-crlhours num>
+=item B<-crlhours> I<num>
The number of hours before the next CRL is due.
-=item B<-revoke filename>
+=item B<-revoke> I<filename>
A filename containing a certificate to revoke.
-=item B<-valid filename>
+=item B<-valid> I<filename>
A filename containing a certificate to add a Valid certificate entry.
-=item B<-status serial>
+=item B<-status> I<serial>
Displays the revocation status of the certificate with the specified
serial number and exits.
Updates the database index to purge expired certificates.
-=item B<-crl_reason reason>
+=item B<-crl_reason> I<reason>
Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
In practice B<removeFromCRL> is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
-=item B<-crl_hold instruction>
+=item B<-crl_hold> I<instruction>
This sets the CRL revocation reason code to B<certificateHold> and the hold
instruction to B<instruction> which must be an OID. Although any OID can be
used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
-=item B<-crl_compromise time>
+=item B<-crl_compromise> I<time>
This sets the revocation reason to B<keyCompromise> and the compromise time to
B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
-=item B<-crl_CA_compromise time>
+=item B<-crl_CA_compromise> I<time>
This is the same as B<crl_compromise> except the revocation reason is set to
B<CACompromise>.
-=item B<-crlexts section>
+=item B<-crlexts> I<section>
The section of the configuration file containing CRL extensions to
include. If no CRL extension section is present then a V1 CRL is
[B<-psk>]
[B<-srp>]
[B<-stdname>]
-[B<-convert name>]
-[B<-ciphersuites val>]
+[B<-convert> I<name>]
+[B<-ciphersuites> I<val>]
[B<cipherlist>]
=head1 DESCRIPTION
Precede each cipher suite by its standard name.
-=item B<-convert name>
+=item B<-convert> I<name>
Convert a standard cipher B<name> to its OpenSSL name.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
TLSv1.2 and below ciphersuites that have been configured. The format for this
[B<-uncompress>]
[B<-EncryptedData_encrypt>]
[B<-sign_receipt>]
-[B<-verify_receipt receipt>]
-[B<-in filename>]
-[B<-inform SMIME|PEM|DER>]
-[B<-rctform SMIME|PEM|DER>]
-[B<-out filename>]
-[B<-outform SMIME|PEM|DER>]
-[B<-stream -indef -noindef>]
+[B<-verify_receipt> I<receipt>]
+[B<-in> I<filename>]
+[B<-inform> B<DER>|B<PEM>|B<SMIME>]
+[B<-rctform> B<DER>|B<PEM>|B<SMIME>]
+[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-stream>]
+[B<-indef>]
[B<-noindef>]
-[B<-content filename>]
+[B<-noindef>]
+[B<-content> I<filename>]
[B<-text>]
[B<-noout>]
[B<-print>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-md digest>]
-[B<-I<cipher>>]
+[B<-md> I<digest>]
+[B<->I<cipher>]
[B<-nointern>]
[B<-noverify>]
[B<-nocerts>]
[B<-crlfeol>]
[B<-asciicrlf>]
[B<-nodetach>]
-[B<-certfile file>]
-[B<-certsout file>]
-[B<-signer file>]
-[B<-recip file>]
+[B<-certfile> I<file>]
+[B<-certsout> I<file>]
+[B<-signer> I<file>]
+[B<-recip> I<file>]
[B<-keyid>]
[B<-receipt_request_all>]
[B<-receipt_request_first>]
-[B<-receipt_request_from emailaddress>]
-[B<-receipt_request_to emailaddress>]
+[B<-receipt_request_from> I<emailaddress>]
+[B<-receipt_request_to> I<emailaddress>]
[B<-receipt_request_print>]
-[B<-secretkey key>]
-[B<-secretkeyid id>]
-[B<-econtent_type type>]
-[B<-inkey file>]
-[B<-keyopt name:parameter>]
-[B<-passin arg>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<cert.pem...>]
-[B<-to addr>]
-[B<-from addr>]
-[B<-subject subj>]
-[cert.pem]...
+[B<-secretkey> I<key>]
+[B<-secretkeyid> I<id>]
+[B<-econtent_type> I<type>]
+[B<-inkey> I<file>]
+[B<-keyopt> I<name>:I<parameter>]
+[B<-passin> I<arg>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-to> I<addr>]
+[B<-from> I<addr>]
+[B<-subject> I<subj>]
+[I<cert.pem ...>]
=head1 DESCRIPTION
message B<must> contain a signed receipt request. Functionality is otherwise
similar to the B<-sign> operation.
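Review bot: splitting `[B<-stream -indef -noindef>]` into three lines leaves `[B<-noindef>]` listed twice, once as the unchanged context line and once as the new `+[B<-noindef>]`; drop the added one. Minor consistency points in the same hunk: `+[B<-rand> I<file...>]` keeps the ellipsis inside the italics while the ca page in this patch uses `I<file>`, and `[I<cert.pem ...>]` is spaced differently from the `=item I<cert.pem...>` entry below it.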
-=item B<-verify_receipt receipt>
+=item B<-verify_receipt> I<receipt>
Verify a signed receipt in filename B<receipt>. The input message B<must>
contain the original receipt request. Functionality is otherwise similar
to the B<-verify> operation.
-=item B<-in filename>
+=item B<-in> I<filename>
The input message to be encrypted or signed or the message to be decrypted
or verified.
-=item B<-inform SMIME|PEM|DER>
+=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
structure, if no CMS structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
-=item B<-rctform SMIME|PEM|DER>
+=item B<-rctform> B<DER>|B<PEM>|B<SMIME>
Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
-=item B<-out filename>
+=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
-=item B<-outform SMIME|PEM|DER>
+=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
structure, if no CMS structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
-=item B<-stream -indef -noindef>
+=item B<-stream>, B<-indef>, B<-noindef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-=item B<-content filename>
+=item B<-content> I<filename>
This specifies a file containing the detached content, this is only
useful with the B<-verify> command. This is only usable if the CMS
For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted CA certificates, only used with B<-verify>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
-is a hash of each subject name (using B<x509 -hash>) should be linked
+is a hash of each subject name (using C<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default directory location
-=item B<-md digest>
+=item B<-md> I<digest>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
-=item B<-I<cipher>>
+=item B<->I<cipher>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
-=item B<-certfile file>
+=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
-=item B<-certsout file>
+=item B<-certsout> I<file>
Any certificates contained in the message are written to B<file>.
-=item B<-signer file>
+=item B<-signer> I<file>
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
-=item B<-recip file>
+=item B<-recip> I<file>
When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
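Review bot: the trailing context of this hunk reads "Ignored it B<-receipt_request_from> is included"; since the hunk already touches this entry, fix the typo to "Ignored if".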
-=item B<-receipt_request_from emailaddress>
+=item B<-receipt_request_from> I<emailaddress>
For B<-sign> option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
-=item B<-receipt_request_to emailaddress>
+=item B<-receipt_request_to> I<emailaddress>
Add an explicit email address where signed receipts should be sent to. This
option B<must> but supplied if a signed receipt it requested.
For the B<-verify> operation print out the contents of any signed receipt
requests.
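Review bot: the sentence right after the changed =item line, "This option B<must> but supplied if a signed receipt it requested.", has two typos; while retagging this entry, change it to "This option B<must> be supplied if a signed receipt is requested."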
-=item B<-secretkey key>
+=item B<-secretkey> I<key>
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
content encryption key using an AES key in the B<KEKRecipientInfo> type.
-=item B<-secretkeyid id>
+=item B<-secretkeyid> I<id>
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
-=item B<-econtent_type type>
+=item B<-econtent_type> I<type>
Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
-=item B<-inkey file>
+=item B<-inkey> I<file>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
the B<-recip> or B<-signer> file. When signing this option can be used
multiple times to specify successive keys.
-=item B<-keyopt name:opt>
+=item B<-keyopt> I<name>:I<parameter>
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<cert.pem...>
+=item I<cert.pem...>
One or more certificates of message recipients: used when encrypting
a message.
-=item B<-to, -from, -subject>
+=item B<-to>, B<-from>, B<-subject>
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
-The B<-outform PEM> option uses different headers.
+The B<-outform> I<PEM> option uses different headers.
The B<-compress> option.
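Review bot: `B<-outform> I<PEM>` marks a literal value as a placeholder; the synopsis earlier in this page writes the same option as `B<-outform> B<DER>|B<PEM>|B<SMIME>`, so this line should read `The B<-outform> B<PEM> option uses different headers.`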
B<openssl> B<crl>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-informout> B<DER>|B<PEM>]
[B<-text>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-nameopt option>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-nameopt> I<option>]
[B<-noout>]
[B<-hash>]
[B<-issuer>]
[B<-lastupdate>]
[B<-nextupdate>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
=head1 DESCRIPTION
Print out a usage message.
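Review bot: `+[B<-informout> B<DER>|B<PEM>]` is a typo for the option being replaced, `-outform`; the removed line was `[B<-outform PEM|DER>]` and the =item below is `B<-outform> B<DER>|B<PEM>`. Change the added line to `[B<-outform> B<DER>|B<PEM>]`.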
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded CRL
structure. B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
Print out the CRL in text form.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)>.
Output the nextUpdate field.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
Verify the signature on a CRL by looking up the issuing certificate in
B<file>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
Verify the signature on a CRL by looking up the issuing certificate in
B<dir>. This directory must be a standard certificate directory: that
B<openssl> B<crl2pkcs7>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-certfile filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-certfile> I<filename>]
[B<-nocrl>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the CRL input format. B<DER> format is DER encoded CRL
structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the PKCS#7 structure output format. B<DER> format is DER
encoded PKCS#7 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines. The default format is PEM.
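Review bot: both the -inform and -outform descriptions in this page have "structure.B<PEM>" with no space after the full stop, and each ends with "The default format is PEM." although the same sentence already says "B<PEM> (the default)"; since the =item lines are being retagged anyway, add the space and drop the redundant sentence.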
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a CRL from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
-=item B<-certfile filename>
+=item B<-certfile> I<filename>
Specifies a filename containing one or more certificates in B<PEM> format.
All certificates in the file will be added to the PKCS#7 structure. This
=head1 SYNOPSIS
B<openssl dgst>
-[B<-I<digest>>]
+[B<->I<digest>]
[B<-help>]
[B<-c>]
[B<-d>]
[B<-hex>]
[B<-binary>]
[B<-r>]
-[B<-out filename>]
-[B<-sign filename>]
-[B<-keyform arg>]
-[B<-passin arg>]
-[B<-verify filename>]
-[B<-prverify filename>]
-[B<-signature filename>]
-[B<-sigopt nm:v>]
-[B<-hmac key>]
+[B<-out> I<filename>]
+[B<-sign> I<filename>]
+[B<-keyform> I<arg>]
+[B<-passin> I<arg>]
+[B<-verify> I<filename>]
+[B<-prverify> I<filename>]
+[B<-signature> I<filename>]
+[B<-sigopt> I<nm>:I<v>]
+[B<-hmac> I<key>]
[B<-fips-fingerprint>]
-[B<-rand file...>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-engine> I<id>]
[B<-engine_impl>]
[B<file...>]
Print out a usage message.
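Review bot: the conversion of arguments to I<> stops short of the final `[B<file...>]`, which is an operand and should become `[I<file> ...]` like `[I<cert.pem ...>]` in the cms page. The synopsis is also missing `-writerand`, `-mac` and `-macopt`, all of which have =item entries further down this page; add them while the option list is being edited.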
-=item B<-I<digest>>
+=item B<->I<digest>
Specifies name of a supported digest to be used. To see the list of
-supported digests, use the command I<list --digest-commands>.
+supported digests, use the command C<list --digest-commands>.
=item B<-c>
Output the digest in the "coreutils" format, including newlines.
Used by programs like B<sha1sum>.
-=item B<-out filename>
+=item B<-out> I<filename>
Filename to output to, or standard output by default.
-=item B<-sign filename>
+=item B<-sign> I<filename>
Digitally sign the digest using the private key in "filename". Note this option
does not support Ed25519 or Ed448 private keys. Use the B<pkeyutl> command
instead for this.
-=item B<-keyform arg>
+=item B<-keyform> I<arg>
Specifies the key format to sign digest with. The DER, PEM, P12,
and ENGINE formats are supported.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-verify filename>
+=item B<-verify> I<filename>
Verify the signature using the public key in "filename".
The output is either "Verification OK" or "Verification Failure".
-=item B<-prverify filename>
+=item B<-prverify> I<filename>
Verify the signature using the private key in "filename".
-=item B<-signature filename>
+=item B<-signature> I<filename>
The actual signature to verify.
-=item B<-hmac key>
+=item B<-hmac> I<key>
Create a hashed MAC using "key".
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-mac alg>
+=item B<-mac> I<alg>
Create MAC (keyed Message Authentication Code). The most popular MAC
algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to MAC algorithm, specified by B<-mac> key.
Following options are supported by both by B<HMAC> and B<gost-mac>:
The L<openssl-mac(1)> command should be preferred to using this command line
option.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
-=item B<-engine id>
+=item B<-engine> I<id>
Use engine B<id> for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
B<openssl dhparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-2>]
[B<-3>]
[B<-5>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[I<numbits>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#3 DHparameter structure. The PEM form is the
default format: it consists of the B<DER> format base64 encoded with
additional header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
present but B<numbits> is present, parameters are generated with the
default generator 2.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
This option converts the parameters into C code. The parameters can then
be loaded by calling the get_dhNNNN() function.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dhparam>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<dsa>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-modulus>]
[B<-pubin>]
[B<-pubout>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN1 DER encoded form of an ASN.1 SEQUENCE consisting of the values of
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
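Review bot: the B<-passout> item in this hunk keeps the old cross-reference (`see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.`) while the B<-passin> item of the same page was changed to `see L<openssl(1)/Pass phrase options>.` If the section in openssl.pod was renamed, this link now points at a heading that no longer exists, and the two items on one page disagree. Suggest updating the context line to `+see L<openssl(1)/Pass phrase options>.` here as well.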
key will be output instead. This option is automatically set if the input is
a public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsa>
to attempt to obtain a functional reference to the specified engine,
B<openssl dsaparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-text>]
[B<-C>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-genkey>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-verbose>]
-[B<numbits>]
+[I<numbits>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with RFC2459 (PKIX) DSS-Parms that is a SEQUENCE consisting
of p, q and g respectively. The PEM form is the default format: it consists
of the B<DER> format base64 encoded with additional header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified. If the B<numbits> parameter is included then
this option will be ignored.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
This option will generate a DSA either using the specified or generated
parameters.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<ec>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-des>]
[B<-des3>]
[B<-idea>]
[B<-param_out>]
[B<-pubin>]
[B<-pubout>]
-[B<-conv_form arg>]
-[B<-param_enc arg>]
+[B<-conv_form> I<arg>]
+[B<-param_enc> I<arg>]
[B<-no_public>]
[B<-check>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option with a private key uses
an ASN.1 DER encoded SEC1 private key. When used with a public key it
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-des|-des3|-idea>
+=item B<-des>|B<-des3>|B<-idea>
These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
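Review bot: same inconsistency as in dsa.pod: the B<-passout> item (`see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.`) is left unchanged while B<-passin> above it now links to L<openssl(1)/Pass phrase options>. Change the B<-passout> reference to match so that a rename of the section in openssl.pod does not leave a dangling link. Separately, the new item header `=item B<-des>|B<-des3>|B<-idea>` is the right form for mutually exclusive flags; the pkcs12 synopsis later in this patch should use the same separator.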
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
-=item B<-param_enc arg>
+=item B<-param_enc> I<arg>
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
This option checks the consistency of an EC private or public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ec>
to attempt to obtain a functional reference to the specified engine,
B<openssl ecparam>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-text>]
[B<-C>]
[B<-check>]
[B<-check_named>]
-[B<-name arg>]
+[B<-name> I<arg>]
[B<-list_curves>]
-[B<-conv_form arg>]
-[B<-param_enc arg>]
+[B<-conv_form> I<arg>]
+[B<-param_enc> I<arg>]
[B<-no_seed>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-genkey>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
form compatible with RFC 3279 EcpkParameters. The PEM form is the default
format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should B<not> be the same
Validate the elliptic name curve parameters by checking if the curve parameters
match any built-in curves.
-=item B<-name arg>
+=item B<-name> I<arg>
Use the EC parameters with the specified 'short' name. Use B<-list_curves>
to get a list of all currently implemented EC parameters.
by default for binary curves and can be enabled by defining
the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
-=item B<-param_enc arg>
+=item B<-param_enc> I<arg>
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
This option will generate an EC private key using the specified parameters.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ecparam>
to attempt to obtain a functional reference to the specified engine,
=head1 SYNOPSIS
-B<openssl enc -I<cipher>>
+B<openssl>
+[B<->I<cipher>]
[B<-help>]
[B<-ciphers>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-pass arg>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-pass> I<arg>]
[B<-e>]
[B<-d>]
[B<-a>]
[B<-base64>]
[B<-A>]
-[B<-k password>]
-[B<-kfile filename>]
-[B<-K key>]
-[B<-iv IV>]
-[B<-S salt>]
+[B<-k> I<password>]
+[B<-kfile> I<filename>]
+[B<-K> I<key>]
+[B<-iv> I<IV>]
+[B<-S> I<salt>]
[B<-salt>]
[B<-nosalt>]
[B<-z>]
-[B<-md digest>]
-[B<-iter count>]
+[B<-md> I<digest>]
+[B<-iter> I<count>]
[B<-pbkdf2>]
[B<-p>]
[B<-P>]
-[B<-bufsize number>]
+[B<-bufsize> I<number>]
[B<-nopad>]
[B<-debug>]
[B<-none>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
-B<openssl> I<[cipher]> [B<...>]
+B<openssl> I<cipher> [B<...>]
=head1 DESCRIPTION
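Review bot: the rewritten synopsis drops the command name. `-B<openssl enc -I<cipher>>` becomes `+B<openssl>` followed by `+[B<->I<cipher>]`, so the first usage line now reads as `openssl [-cipher] ...` with no B<enc> at all, even though every option that follows belongs to the B<enc> command and the second form at the end (`+B<openssl> I<cipher> [B<...>]`) is the only one that shows the cipher-as-command shorthand. Suggest `+B<openssl> B<enc>` (or `+B<openssl> B<enc>|I<cipher>`) on the first line, keeping `[B<->I<cipher>]` as an option.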
List all supported ciphers.
-=item B<-in filename>
+=item B<-in> I<filename>
The input filename, standard input by default.
-=item B<-out filename>
+=item B<-out> I<filename>
The output filename, standard output by default.
-=item B<-pass arg>
+=item B<-pass> I<arg>
The password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-e>
If the B<-a> option is set then base64 process the data on one line.
-=item B<-k password>
+=item B<-k> I<password>
The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the B<-pass> argument.
-=item B<-kfile filename>
+=item B<-kfile> I<filename>
Read the password to derive the key from the first line of B<filename>.
This is for compatibility with previous versions of OpenSSL. Superseded by
the B<-pass> argument.
-=item B<-md digest>
+=item B<-md> I<digest>
Use the specified digest to create the key from the passphrase.
The default algorithm is sha-256.
-=item B<-iter count>
+=item B<-iter> I<count>
Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
Use salt (randomly generated or provide with B<-S> option) when
encrypting, this is the default.
-=item B<-S salt>
+=item B<-S> I<salt>
The actual salt to use: this must be represented as a string of hex digits.
-=item B<-K key>
+=item B<-K> I<key>
The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the IV must additionally specified
password will be taken. It does not make much sense to specify both key
and password.
-=item B<-iv IV>
+=item B<-iv> I<IV>
The actual IV to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the B<-K> option, the
Print out the key and IV used then immediately exit: don't do any encryption
or decryption.
-=item B<-bufsize number>
+=item B<-bufsize> I<number>
Set the buffer size for I/O.
Use NULL cipher (no encryption or decryption of input).
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
B<openssl fipsinstall>
[B<-help>]
-[B<-in configfilename>]
-[B<-out configfilename>]
-[B<-module modulefilename>]
-[B<-provider_name providername>]
-[B<-section_name sectionname>]
+[B<-in> I<configfilename>]
+[B<-out> I<configfilename>]
+[B<-module> I<modulefilename>]
+[B<-provider_name> I<providername>]
+[B<-section_name> I<sectionname>]
[B<-verify>]
-[B<-mac_name macname>]
-[B<-macopt>]
+[B<-mac_name> I<macname>]
+[B<-macopt> I<nm>:I<v>]
B<openssl> I<fipsinstall> [B<...>]
Print a usage message.
-=item B<-module filename>
+=item B<-module> I<filename>
Filename of a fips module to perform an integrity check on.
-=item B<-out configfilename>
+=item B<-out> I<configfilename>
Filename to output the configuration data to, or standard output by default.
-=item B<-in configfilename>
+=item B<-in> I<configfilename>
Input filename to load configuration data from. Used with the '-verify' option.
Standard input is used if the filename is '-'.
Verify that the input configuration file contains the correct information
-=item B<-provider_name providername>
+=item B<-provider_name> I<providername>
Name of the provider inside the configuration file.
-=item B<-section_name sectionname>
+=item B<-section_name> I<sectionname>
Name of the section inside the configuration file.
-=item B<-mac_name name>
+=item B<-mac_name> I<name>
Specifies the name of a supported MAC algorithm which will be used.
To see the list of supported MAC's use the command I<list -mac-algorithms>.
The default is "HMAC".
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to the MAC algorithm.
A comprehensive list of controls can be found in the EVP_MAC implementation
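Review bot: the placeholder names in the SYNOPSIS and OPTIONS of fipsinstall.pod do not match after this change: the synopsis has `+[B<-module> I<modulefilename>]` and `+[B<-mac_name> I<macname>]`, the items have `+=item B<-module> I<filename>` and `+=item B<-mac_name> I<name>`. Pick one name per option so the reader can match the item to the synopsis. The `+[B<-macopt> I<nm>:I<v>]` synopsis line is good and is the form mac.pod should adopt too.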
B<openssl> B<gendsa>
[B<-help>]
-[B<-out filename>]
+[B<-out> I<filename>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-verbose>]
[B<paramfile>]
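Review bot: `[B<paramfile>]` is a positional operand and should be converted to `[I<paramfile>]`, as this patch does for `[I<numbits>]` in dhparam.pod and dsaparam.pod; leaving it bold makes it look like a literal keyword. The other lines in this synopsis hunk follow the new `B<-option> I<arg>` convention correctly.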
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<gendsa>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<genpkey>
[B<-help>]
-[B<-out filename>]
-[B<-outform PEM|DER>]
-[B<-pass arg>]
-[B<-I<cipher>>]
-[B<-engine id>]
-[B<-paramfile file>]
-[B<-algorithm alg>]
-[B<-pkeyopt opt:value>]
+[B<-out> I<filename>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-pass> I<arg>]
+[B<->I<cipher>]
+[B<-engine> I<id>]
+[B<-paramfile> I<file>]
+[B<-algorithm> I<alg>]
+[B<-pkeyopt> I<opt:value>]
[B<-genparam>]
[B<-text>]
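Review bot: `+[B<-pkeyopt> I<opt:value>]` italicises the colon along with the two placeholders, whereas the rest of the patch writes such pairs as `I<nm>:I<v>` (fipsinstall, mac, kdf, ocsp -rsigopt). Suggest `I<opt>:I<value>` here and in the matching `=item B<-pkeyopt>` line further down so the literal separator is distinguishable from the placeholders.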
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format DER or PEM. The default format is PEM.
-=item B<-pass arg>
+=item B<-pass> I<arg>
The output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-I<cipher>>
+=item B<->I<cipher>
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genpkey>
to attempt to obtain a functional reference to the specified engine,
for all available algorithms. If used this option should precede all other
options.
-=item B<-algorithm alg>
+=item B<-algorithm> I<alg>
Public key algorithm to use such as RSA, DSA or DH. If used this option must
precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
below for more details.
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
Generate a set of parameters instead of a private key. If used this option must
precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
-=item B<-paramfile filename>
+=item B<-paramfile> I<filename>
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
B<openssl> B<genrsa>
[B<-help>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-idea>]
[B<-f4>]
[B<-3>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
-[B<-primes num>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
+[B<-primes> I<num>]
[B<-verbose>]
[B<numbits>]
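Review bot: `[B<numbits>]` at the end of this synopsis is left in bold although it is an operand; dhparam.pod and dsaparam.pod in the same patch convert it to `[I<numbits>]`. Also `[B<-f4>]` in this synopsis is lowercase while the OPTIONS item for the same flag is written `B<-F4>`; choose one spelling for the page.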
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
Output the key to the specified file. If this argument is not specified then
standard output is used.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format
-of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-aes128>, B<-aes192>, B<-aes256>, B<-aria128>, B<-aria192>, B<-aria256>, B<-camellia128>, B<-camellia192>, B<-camellia256>, B<-des>, B<-des3>, B<-idea>
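Review bot: the B<-passout> rewrite loses words. The preceding context line ends with "For more information about the format", and `-of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.` is replaced by `+see L<openssl(1)/Pass phrase options>.`, so the sentence now reads "about the format see ...". Keep the object: `+of I<arg> see L<openssl(1)/Pass phrase options>.`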
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.
-=item B<-F4|-3>
+=item B<-F4>|B<-3>
The public exponent to use, either 65537 or 3. The default is 65537.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<genrsa>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-primes num>
+=item B<-primes> I<num>
Specify the number of primes to use while generating the RSA key. The B<num>
parameter must be a positive integer that is greater than 1 and less than 16.
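Review bot: `+=item B<-F4>|B<-3>` uses the uppercase spelling while the synopsis of this page lists `[B<-f4>]`; the item and the synopsis should agree on one spelling (or list both if both are accepted). The `B<-rand>`/`B<-writerand>`/`B<-engine>`/`B<-primes>` item headers in this hunk follow the new convention correctly.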
B<openssl kdf>
[B<-help>]
-[B<-kdfopt> I<nm:v>]
+[B<-kdfopt> I<nm>:I<v>]
[B<-keylen> I<num>]
[B<-out> I<filename>]
[B<-binary>]
Output the derived key in binary form. Uses hexadecimal text format if not specified.
-=item B<-kdfopt> I<nm:v>
+=item B<-kdfopt> I<nm>:I<v>
Passes options to the KDF algorithm.
A comprehensive list of parameters can be found in the EVP_KDF_CTX
B<openssl mac>
[B<-help>]
[B<-macopt>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-binary>]
B<mac_name>
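Review bot: two lines in this synopsis were not updated to the new convention. `[B<-macopt>]` still has no argument, while the corresponding item later on the page becomes `=item B<-macopt> I<nm>:I<v>` and fipsinstall.pod in the same patch writes `[B<-macopt> I<nm>:I<v>]`; and the positional `B<mac_name>` should be `I<mac_name>`, like `[I<numbits>]` elsewhere in the patch.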
Print a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
Input filename to calculate a MAC for, or standard input by default.
Standard input is used if the filename is '-'.
Files are expected to be in binary format, standard input uses hexadecimal text
format.
-=item B<-out filename>
+=item B<-out> I<filename>
Filename to output to, or standard output by default.
Output the MAC in binary form. Uses hexadecimal text format if not specified.
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to the MAC algorithm.
A comprehensive list of controls can be found in the EVP_MAC implementation
B<openssl> B<nseq>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-toseq>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename or standard output by default.
B<openssl> B<ocsp>
[B<-help>]
-[B<-out file>]
-[B<-issuer file>]
-[B<-cert file>]
-[B<-serial n>]
-[B<-signer file>]
-[B<-signkey file>]
-[B<-sign_other file>]
+[B<-out> I<file>]
+[B<-issuer> I<file>]
+[B<-cert> I<file>]
+[B<-serial> I<n>]
+[B<-signer> I<file>]
+[B<-signkey> I<file>]
+[B<-sign_other> I<file>]
[B<-no_certs>]
[B<-req_text>]
[B<-resp_text>]
[B<-text>]
-[B<-reqout file>]
-[B<-respout file>]
-[B<-reqin file>]
-[B<-respin file>]
+[B<-reqout> I<file>]
+[B<-respout> I<file>]
+[B<-reqin> I<file>]
+[B<-respin> I<file>]
[B<-nonce>]
[B<-no_nonce>]
-[B<-url URL>]
-[B<-host host:port>]
-[B<-multi process-count>]
+[B<-url> I<URL>]
+[B<-host> I<host:port>]
+[B<-multi> I<process-count>]
[B<-header>]
[B<-path>]
-[B<-CApath dir>]
-[B<-CAfile file>]
+[B<-CApath> I<dir>]
+[B<-CAfile> I<file>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-VAfile file>]
-[B<-validity_period n>]
-[B<-status_age n>]
+[B<-VAfile> I<file>]
+[B<-validity_period> I<n>]
+[B<-status_age> I<n>]
[B<-noverify>]
-[B<-verify_other file>]
+[B<-verify_other> I<file>]
[B<-trust_other>]
[B<-no_intern>]
[B<-no_signature_verify>]
[B<-no_chain>]
[B<-no_cert_checks>]
[B<-no_explicit>]
-[B<-port num>]
+[B<-port> I<num>]
[B<-ignore_err>]
-[B<-index file>]
-[B<-CA file>]
-[B<-rsigner file>]
-[B<-rkey file>]
-[B<-rother file>]
-[B<-rsigopt nm:v>]
+[B<-index> I<file>]
+[B<-CA> I<file>]
+[B<-rsigner> I<file>]
+[B<-rkey> I<file>]
+[B<-rother> I<file>]
+[B<-rsigopt> I<nm>:I<v>]
[B<-resp_no_certs>]
-[B<-nmin n>]
-[B<-ndays n>]
+[B<-nmin> I<n>]
+[B<-ndays> I<n>]
[B<-resp_key_id>]
-[B<-nrequest n>]
-[B<-rcid I<digest>>]
-[B<-I<digest>>]
+[B<-nrequest> I<n>]
+[B<-rcid> I<digest>]
+[B<->I<digest>]
=head1 DESCRIPTION
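Review bot: the synopsis still disagrees with the OPTIONS items for several options that this hunk touches or sits next to: `[B<-header>]` and `[B<-path>]` carry no argument while the items are `B<-header> I<name=value>` and `B<-path> I<pathname>`; `+[B<-host> I<host:port>]` names the placeholder differently from the item's `I<hostname:port>`; `+[B<-validity_period> I<n>]` and `+[B<-status_age> I<n>]` differ from the items' `I<nsec>` and `I<age>`; and `B<-timeout> I<seconds>`, which has an item, is missing from the synopsis entirely. Since the whole block is being rewritten, align the placeholders and add the missing entries here.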
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
specify output filename, default is standard output.
-=item B<-issuer filename>
+=item B<-issuer> I<filename>
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in B<filename> must be in
PEM format. This option B<MUST> come before any B<-cert> options.
-=item B<-cert filename>
+=item B<-cert> I<filename>
Add the certificate B<filename> to the request. The issuer certificate
is taken from the previous B<issuer> option, or an error occurs if no
issuer certificate is specified.
-=item B<-serial num>
+=item B<-serial> I<num>
Same as the B<cert> option except the certificate with serial number
B<num> is added to the request. The serial number is interpreted as a
decimal integer unless preceded by B<0x>. Negative integers can also
be specified by preceding the value by a B<-> sign.
-=item B<-signer filename>, B<-signkey filename>
+=item B<-signer> I<filename>, B<-signkey> I<filename>
Sign the OCSP request using the certificate specified in the B<signer>
option and the private key specified by the B<signkey> option. If
from the same file as the certificate. If neither option is specified then
the OCSP request is not signed.
-=item B<-sign_other filename>
+=item B<-sign_other> I<filename>
Additional certificates to include in the signed request.
Print out the text form of the OCSP request, response or both respectively.
-=item B<-reqout file>, B<-respout file>
+=item B<-reqout> I<file>, B<-respout> I<file>
Write out the DER encoded certificate request or response to B<file>.
-=item B<-reqin file>, B<-respin file>
+=item B<-reqin> I<file>, B<-respin> I<file>
Read OCSP request or response file from B<file>. These option are ignored
if OCSP request or response creation is implied by other options (for example
with B<serial>, B<cert> and B<host> options).
-=item B<-url responder_url>
+=item B<-url> I<responder_url>
Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
-=item B<-host hostname:port>, B<-path pathname>
+=item B<-host> I<hostname:port>, B<-path> I<pathname>
If the B<host> option is present then the OCSP request is sent to the host
B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
-=item B<-header name=value>
+=item B<-header> I<name=value>
Adds the header B<name> with the specified B<value> to the OCSP request
that is sent to the responder.
This may be repeated.
-=item B<-timeout seconds>
+=item B<-timeout> I<seconds>
Connection timeout to the OCSP responder in seconds.
On POSIX systems, when running as an OCSP responder, this option also limits
This time is measured from the time the responder accepts the connection until
the complete request is received.
-=item B<-multi process-count>
+=item B<-multi> I<process-count>
Run the specified number of OCSP responder child processes, with the parent
process respawning child processes as needed.
This option is available on POSIX systems (that support the fork() and other
required unix system-calls).
-=item B<-CAfile file>, B<-CApath pathname>
+=item B<-CAfile> I<file>, B<-CApath> I<pathname>
File or pathname containing trusted CA certificates. These are used to verify
the signature on the OCSP response.
Set different certificate verification options.
See L<verify(1)> manual page for details.
-=item B<-verify_other file>
+=item B<-verify_other> I<file>
File containing additional certificates to search when attempting to locate
the OCSP response signing certificate. Some responders omit the actual signer's
when the complete responder certificate chain is not available or trusting a
root CA is not appropriate.
-=item B<-VAfile file>
+=item B<-VAfile> I<file>
File containing explicitly trusted responder certificates. Equivalent to the
B<-verify_other> and B<-trust_other> options.
to provide the necessary status information: as a result this option should
only be used for testing purposes.
-=item B<-validity_period nsec>, B<-status_age age>
+=item B<-validity_period> I<nsec>, B<-status_age> I<age>
These options specify the range of times, in seconds, which will be tolerated
in an OCSP response. Each certificate status response includes a B<notBefore>
B<notBefore> field is checked to see it is not older than B<age> seconds old.
By default this additional check is not performed.
-=item B<-rcid I<digest>>
+=item B<-rcid> I<digest>
This option sets the digest algorithm to use for certificate identification
in the OCSP response. Any digest supported by the OpenSSL B<dgst> command can
be used. The default is the same digest algorithm used in the request.
-=item B<-I<digest>>
+=item B<->I<digest>
This option sets digest algorithm to use for certificate identification in the
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
=over 4
-=item B<-index indexfile>
+=item B<-index> I<indexfile>
The B<indexfile> parameter is the name of a text index file in B<ca>
format containing certificate revocation information.
If the B<index> option is present then the B<CA> and B<rsigner> options
must also be present.
-=item B<-CA file>
+=item B<-CA> I<file>
CA certificate corresponding to the revocation information in B<indexfile>.
-=item B<-rsigner file>
+=item B<-rsigner> I<file>
The certificate to sign OCSP responses with.
-=item B<-rother file>
+=item B<-rother> I<file>
Additional certificates to include in the OCSP response.
Identify the signer certificate using the key ID, default is to use the
subject name.
-=item B<-rkey file>
+=item B<-rkey> I<file>
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
-=item B<-rsigopt nm:v>
+=item B<-rsigopt> I<nm>:I<v>
Pass options to the signature algorithm when signing OCSP responses.
Names and values of these options are algorithm-specific.
-=item B<-port portnum>
+=item B<-port> I<portnum>
Port to listen for OCSP requests on. The port may also be specified
using the B<url> option.
a malformed response is received. When acting as an OCSP responder, continue
running instead of terminating upon receiving a malformed request.
-=item B<-nrequest number>
+=item B<-nrequest> I<number>
The OCSP server will exit after receiving B<number> requests, default unlimited.
-=item B<-nmin minutes>, B<-ndays days>
+=item B<-nmin> I<minutes>, B<-ndays> I<days>
Number of minutes or days when fresh revocation information is available:
used in the B<nextUpdate> field. If neither option is present then the
[B<-noverify>]
[B<-quiet>]
[B<-table>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
{I<password>}
=head1 DESCRIPTION
The B<passwd> command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
-taken from the named file for option B<-in file>, from stdin for
+taken from the named file for option B<-in>, from stdin for
option B<-stdin>, or from the command line, or from the terminal otherwise.
The Unix standard algorithm B<crypt> and the MD5-based BSD password
algorithm B<1>, its Apache variant B<apr1>, and its AIX variant are available.
In the output list, prepend the cleartext password and a TAB character
to each password hash.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
[B<-help>]
[B<-export>]
[B<-chain>]
-[B<-inkey file_or_id>]
-[B<-certfile filename>]
-[B<-name name>]
-[B<-caname name>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inkey> I<file_or_id>]
+[B<-certfile> I<filename>]
+[B<-name> I<name>]
+[B<-caname> I<name>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-noout>]
[B<-nomacver>]
[B<-nocerts>]
[B<-cacerts>]
[B<-nokeys>]
[B<-info>]
-[B<-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -aria128 | -aria192 | -aria256 | -camellia128 | -camellia192 | -camellia256 | -nodes>]
+[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
[B<-noiter>]
-[B<-maciter | -nomaciter | -nomac>]
+[B<-maciter> | B<-nomaciter> | B<-nomac>]
[B<-twopass>]
[B<-descert>]
-[B<-certpbe cipher>]
-[B<-keypbe cipher>]
-[B<-macalg digest>]
+[B<-certpbe> I<cipher>]
+[B<-keypbe> I<cipher>]
+[B<-macalg> I<digest>]
[B<-keyex>]
[B<-keysig>]
-[B<-password arg>]
-[B<-passin arg>]
-[B<-passout arg>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<-password> I<arg>]
+[B<-passin> I<arg>]
+[B<-passout> I<arg>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-CSP name>]
+[B<-CSP> I<name>]
=head1 DESCRIPTION
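Review bot: the rewritten cipher line `+[B<-des> B<-des3> B<-idea> ... B<-nodes>]` drops the `|` separators, so a reader now sees a list of options that can all be given at once rather than a set of mutually exclusive alternatives. Keep the separators, as the adjacent `[B<-maciter> | B<-nomaciter> | B<-nomac>]` line in this same hunk does, e.g. `[B<-des>|B<-des3>|B<-idea>|...|B<-nodes>]`.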
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
by default.
-=item B<-out filename>
+=item B<-out> I<filename>
The filename to write certificates and private keys to, standard output by
default. They are all written in PEM format.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The PKCS#12 file (i.e. input file) password source. For more information about
-the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)>.
+the format of B<arg>
+see L<openssl(1)/Pass phrase options>.
-=item B<-passout arg>
+=item B<-passout> I<arg>
Pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)>.
-=item B<-password arg>
+=item B<-password> I<arg>
With -export, -password is equivalent to -passout.
Otherwise, -password is equivalent to -passin.
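Review bot: the B<-passout> paragraph directly below the updated B<-passin> item still says "see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>", while the B<-passin> item in the same hunk was changed to `see L<openssl(1)/Pass phrase options>`. Apply the same link to B<-passout> so the two adjacent items do not point at different section names.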
This option specifies that a PKCS#12 file will be created rather than
parsed.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies filename to write the PKCS#12 file to. Standard output is used
by default.
-=item B<-in filename>
+=item B<-in> I<filename>
The filename to read certificates and private keys from, standard input by
default. They must all be in PEM format. The order doesn't matter but one
private key and its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 file.
-=item B<-inkey file_or_id>
+=item B<-inkey> I<file_or_id>
File to read private key from. If not present then a private key must be present
in the input file.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-name friendlyname>
+=item B<-name> I<friendlyname>
This specifies the "friendly name" for the certificate and private key. This
name is typically displayed in list boxes by software importing the file.
-=item B<-certfile filename>
+=item B<-certfile> I<filename>
A filename to read additional certificates from.
-=item B<-caname friendlyname>
+=item B<-caname> I<friendlyname>
This specifies the "friendly name" for other certificates. This option may be
used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas MSIE
displays them.
-=item B<-pass arg>, B<-passout arg>
+=item B<-pass> I<arg>, B<-passout> I<arg>
The PKCS#12 file (i.e. output file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
L<openssl(1)>.
-=item B<-passin password>
+=item B<-passin> I<password>
Pass phrase source to decrypt any input private keys with. For more information
about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
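Review bot: `+=item B<-passin> I<password>` names the argument I<password>, but the body that follows describes "the format of B<arg>"; the B<-pass>/B<-passout> item two entries up uses I<arg>. Use `=item B<-passin> I<arg>` here so the item and its description agree, and update the two "B<PASS PHRASE ARGUMENTS> section" references in this hunk to `L<openssl(1)/Pass phrase options>` as was done for the parsing-mode B<-passin> item.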
key is encrypted using triple DES and the certificate using 40 bit RC2
unless RC2 is disabled in which case triple DES is used.
-=item B<-keypbe alg>, B<-certpbe alg>
+=item B<-keypbe> I<alg>, B<-certpbe> I<alg>
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
-=item B<-keyex|-keysig>
+=item B<-keyex>|B<-keysig>
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by MSIE and similar MS software. Normally
authentication, however due to a bug only MSIE 5.0 and later support
the use of signing only keys for SSL client authentication.
-=item B<-macalg digest>
+=item B<-macalg> I<digest>
Specify the MAC digest algorithm. If not included them SHA1 will be used.
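Review bot: the trailing context line "If not included them SHA1 will be used." has a typo ("them" should be "then"); since the B<-macalg> item is being touched anyway, fix it in this change.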
Don't attempt to provide the MAC integrity.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
CA storage as a file.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
CA storage as a directory. This directory must be a standard certificate
directory: that is a hash of each subject name (using B<x509 -hash>) should be
Do not load the trusted CA certificates from the default directory location.
-=item B<-CSP name>
+=item B<-CSP> I<name>
Write B<name> as a Microsoft CSP name.
be the case. Using the B<-clcerts> option will solve this problem by only
outputting the certificate corresponding to the private key. If the CA
certificates are required then they can be output to a separate file using
-the B<-nokeys -cacerts> options to just output CA certificates.
+the B<-nokeys> B<-cacerts> options to just output CA certificates.
The B<-keypbe> and B<-certpbe> algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple DES
-encrypted private keys, then the option B<-keypbe PBE-SHA1-RC2-40> can
+encrypted private keys, then the option B<-keypbe> I<PBE-SHA1-RC2-40> can
be used to reduce the private key encryption to 40 bit RC2. A complete
description of all algorithms is contained in the B<pkcs8> manual page.
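Review bot: `B<-keypbe> I<PBE-SHA1-RC2-40>` marks a literal algorithm name as a user-replaceable placeholder; throughout this patch I<> is used for values the user substitutes (I<filename>, I<arg>), so the literal should stay in B<> (or C<>), e.g. `B<-keypbe> B<PBE-SHA1-RC2-40>`. The B<-nokeys> B<-cacerts> change above is fine.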
B<openssl> B<pkcs7>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-print_certs>]
[B<-text>]
[B<-noout>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. B<DER> format is DER encoded PKCS#7
v1.5 structure.B<PEM> (the default) is a base64 encoded version of
the DER form with header and footer lines.
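Review bot: the trailing context "v1.5 structure.B<PEM> (the default)" is missing the space after the full stop; worth fixing while the B<-inform> item is being rewritten.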
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
Don't output the encoded version of the PKCS#7 structure (or certificates
is B<-print_certs> is set).
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
to attempt to obtain a functional reference to the specified engine,
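Review bot: the leading context "(or certificates is B<-print_certs> is set)" should read "if B<-print_certs> is set"; a one-word fix that belongs with this markup pass over B<pkcs7>.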
B<openssl> B<pkcs8>
[B<-help>]
[B<-topk8>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
-[B<-iter count>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
+[B<-iter> I<count>]
[B<-noiter>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-nocrypt>]
[B<-traditional>]
[B<-v2 alg>]
[B<-v2prf alg>]
[B<-v1 alg>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-scrypt>]
-[B<-scrypt_N N>]
-[B<-scrypt_r r>]
-[B<-scrypt_p p>]
+[B<-scrypt_N> I<N>]
+[B<-scrypt_r> I<r>]
+[B<-scrypt_p> I<p>]
=head1 DESCRIPTION
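Review bot: the synopsis lines `[B<-v2 alg>]`, `[B<-v2prf alg>]` and `[B<-v1 alg>]` are left in the old form while every surrounding line in this hunk was converted; they should become `[B<-v2> I<alg>]`, `[B<-v2prf> I<alg>]` and `[B<-v1> I<alg>]` for consistency with the rest of the B<pkcs8> synopsis.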
written to the output file. With the B<-topk8> option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format: see L<KEY FORMATS> for more details. The default
format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format: see L<KEY FORMATS> for more details. The default
format is PEM.
When this option is present and B<-topk8> is not a traditional format private
key is written.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output by
default. If any encryption options are set then a pass phrase will be
prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-=item B<-iter count>
+=item B<-iter> I<count>
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
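Review bot: the B<-passout> description in this hunk still references "the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>", while the B<-passin> item a few lines above was changed to `see L<openssl(1)/Pass phrase options>`; make the same replacement here.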
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
to attempt to obtain a functional reference to the specified engine,
key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
B<-scrypt_p> and B<-v2> options.
-=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
+=item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
Sets the scrypt B<N>, B<r> or B<p> parameters.
B<openssl> B<pkey>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-traditional>]
-[B<-I<cipher>>]
+[B<->I<cipher>]
[B<-text>]
[B<-text_pub>]
[B<-noout>]
[B<-pubin>]
[B<-pubout>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-check>]
[B<-pubcheck>]
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format DER or PEM. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
+=item B<-passout> I<password>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
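Review bot: `+=item B<-passout> I<password>` does not match its own description, which refers to "the format of B<arg>", nor the B<-passin> I<arg> item just above; use `=item B<-passout> I<arg>` and switch the section reference to `L<openssl(1)/Pass phrase options>` as was done for B<-passin> in the same file.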
with the appropriate encryption algorithm (if any). If the B<-traditional>
option is specified then the older "traditional" format is used instead.
-=item B<-I<cipher>>
+=item B<->I<cipher>
These options encrypt the private key with the supplied cipher. Any algorithm
name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
key will be output instead. This option is automatically set if
the input is a public key.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkey>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<pkeyparam>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-text>]
[B<-noout>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-check>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read parameters from or standard input if
this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write parameters to or standard output if
this option is not specified.
Do not output the encoded version of the parameters.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<pkeyutl>
[B<-help>]
-[B<-in file>]
+[B<-in> I<file>]
[B<-rawin>]
-[B<-digest algorithm>]
-[B<-out file>]
-[B<-sigfile file>]
-[B<-inkey file>]
-[B<-keyform PEM|DER|ENGINE>]
-[B<-passin arg>]
-[B<-peerkey file>]
-[B<-peerform PEM|DER|ENGINE>]
+[B<-digest> I<algorithm>]
+[B<-out> I<file>]
+[B<-sigfile> I<file>]
+[B<-inkey> I<file>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-passin> I<arg>]
+[B<-peerkey> I<file>]
+[B<-peerform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-rev>]
[B<-encrypt>]
[B<-decrypt>]
[B<-derive>]
-[B<-kdf algorithm>]
-[B<-kdflen length>]
-[B<-pkeyopt opt:value>]
-[B<-pkeyopt_passin opt:passarg>]
+[B<-kdf> I<algorithm>]
+[B<-kdflen> I<length>]
+[B<-pkeyopt> I<opt:value>]
+[B<-pkeyopt_passin> I<opt:passarg>]
[B<-hexdump>]
[B<-asn1parse>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-engine_impl>]
=head1 DESCRIPTION
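Review bot: `[B<-pkeyopt> I<opt:value>]` and `[B<-pkeyopt_passin> I<opt:passarg>]` italicise the whole `opt:value` token, whereas the B<-sigopt> and B<-rsigopt> lines elsewhere in this patch use `I<nm>:I<v>` with the literal colon outside the placeholder. Pick one convention for colon-separated arguments and apply it to both.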
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read data from or standard input
if this option is not specified.
the B<-digest> option. This option can only be used with B<-sign> and
B<-verify> and must be used with the Ed25519 and Ed448 algorithms.
-=item B<-digest algorithm>
+=item B<-digest> I<algorithm>
This specifies the digest algorithm which is used to hash the input data before
signing or verifying it with the input key. This option could be omitted if the
default digest algorithm. For SM2, it will be SM3. If this option is present,
then the B<-rawin> option must be also specified to B<pkeyutl>.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-sigfile file>
+=item B<-sigfile> I<file>
Signature file, required for B<verify> operations only
-=item B<-inkey file>
+=item B<-inkey> I<file>
The input key file, by default it should be a private key.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE. Default is PEM.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-peerkey file>
+=item B<-peerkey> I<file>
The peer key file, used by key derivation (agreement) operations.
-=item B<-peerform PEM|DER|ENGINE>
+=item B<-peerform> B<DER>|B<PEM>|B<ENGINE>
The peer key format PEM, DER or ENGINE. Default is PEM.
Derive a shared secret using the peer key.
-=item B<-kdf algorithm>
+=item B<-kdf> I<algorithm>
Use key derivation function B<algorithm>. The supported algorithms are
at present B<TLS1-PRF> and B<HKDF>.
See L<EVP_PKEY_CTX_set_hkdf_md(3)> and L<EVP_PKEY_CTX_set_tls1_prf_md(3)>
for the supported string parameters of each algorithm.
-=item B<-kdflen length>
+=item B<-kdflen> I<length>
Set the output length for KDF.
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Public key options specified as opt:value. See NOTES below for more details.
-=item B<-pkeyopt_passin opt:passarg>
+=item B<-pkeyopt_passin> I<opt:passarg>
Allows reading a public key option B<opt> from stdin or a password source. If
only opt is specified, the user will be prompted to enter the value on stdin.
Parse the ASN.1 output data, this is useful when combined with the
B<-verifyrecover> option when an ASN1 structure is signed.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
to attempt to obtain a functional reference to the specified engine,
[B<-help>]
[B<-hex>]
[B<-generate>]
-[B<-bits>]
+[B<-bits> I<num>]
[B<-safe>]
-[B<-checks>]
+[B<-checks> I<num>]
[I<number...>]
=head1 DESCRIPTION
=over 4
-=item [B<-help>]
+=item B<-help>
Display an option summary.
-=item [B<-hex>]
+=item B<-hex>
Generate hex output.
-=item [B<-generate>]
+=item B<-generate>
Generate a prime number.
-=item [B<-bits num>]
+=item B<-bits> I<num>
Generate a prime with B<num> bits.
-=item [B<-safe>]
+=item B<-safe>
When used with B<-generate>, generates a "safe" prime. If the number
generated is B<n>, then check that B<(n-1)/2> is also prime.
-=item [B<-checks num>]
+=item B<-checks> I<num>
Perform the checks B<num> times to see that the generated number
is prime. The default is 20.
B<openssl rand>
[B<-help>]
[B<-out> I<file>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-base64>]
[B<-hex>]
I<num>
Print out a usage message.
-=item B<-out file>
+=item B<-out> I<file>
Write to I<file> instead of standard output.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
B<openssl>
B<rehash>
-B<[-h]>
-B<[-help]>
-B<[-old]>
-B<[-n]>
-B<[-v]>
-[ I<directory>...]
+[B<-h>]
+[B<-help>]
+[B<-old>]
+[B<-n>]
+[B<-v>]
+[I<directory>...]
B<c_rehash>
I<flags...>
B<openssl> B<req>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-text>]
[B<-pubkey>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-new>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-newkey rsa:bits>]
-[B<-newkey alg:file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-newkey> I<rsa:bits>]
+[B<-newkey> I<alg:file>]
[B<-nodes>]
-[B<-key filename>]
-[B<-keyform PEM|DER>]
-[B<-keyout filename>]
-[B<-keygen_engine id>]
-[B<-I<digest>>]
-[B<-config filename>]
+[B<-key> I<filename>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-keyout> I<filename>]
+[B<-keygen_engine> I<id>]
+[B<-> I<digest>]
+[B<-config> I<filename>]
[B<-multivalue-rdn>]
[B<-x509>]
-[B<-days n>]
-[B<-set_serial n>]
+[B<-days> I<n>]
+[B<-set_serial> I<n>]
[B<-newhdr>]
-[B<-addext ext>]
-[B<-extensions section>]
-[B<-reqexts section>]
+[B<-addext> I<ext>]
+[B<-extensions> I<section>]
+[B<-reqexts> I<section>]
[B<-precert>]
[B<-utf8>]
[B<-nameopt>]
[B<-reqopt>]
[B<-subject>]
-[B<-subj arg>]
-[B<-sigopt nm:v>]
+[B<-subj> I<arg>]
+[B<-sigopt> I<nm>:I<v>]
[B<-batch>]
[B<-verbose>]
-[B<-engine id>]
-[B<-sm2-id string>]
-[B<-sm2-hex-id hex-string>]
+[B<-engine> I<id>]
+[B<-sm2-id> I<string>]
+[B<-sm2-hex-id> I<hex-string>]
=head1 DESCRIPTION
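Review bot: `+[B<-> I<digest>]` has a space between `B<->` and `I<digest>`, so it renders as "- digest" instead of "-digest"; the =item further down in this file and the B<pkey> synopsis both use `B<->I<digest>` / `B<->I<cipher>` with no space. Also, `[B<-nameopt>]` and `[B<-reqopt>]` are left without their arguments in the synopsis even though the B<-nameopt> item below documents `B<-nameopt> I<option>`; they should be updated to the same `B<-opt> I<arg>` form.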
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#10. The B<PEM> form is the default format: it
consists of the B<DER> format base64 encoded with additional header and
footer lines.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-passout arg>
+=item B<-passout> I<arg>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-newkey arg>
+=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
key. The argument takes one of several forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
+in size. If B<nbits> is omitted, i.e. B<-newkey> I<rsa> specified,
the default key size, specified in the configuration file is used.
-All other algorithms support the B<-newkey alg:file> form, where file may be
+All other algorithms support the B<-newkey> I<alg:file> form, where file may be
an algorithm parameter file, created by the B<genpkey -genparam> command
or and X.509 certificate for a key with appropriate algorithm.
ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
34.10-2001 key (requires B<ccgost> engine configured in the configuration
file). If just B<gost2001> is specified a parameter set should be
-specified by B<-pkeyopt paramset:X>
+specified by B<-pkeyopt> I<paramset:X>
-=item B<-pkeyopt opt:value>
+=item B<-pkeyopt> I<opt:value>
Set the public key algorithm option B<opt> to B<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
for more details.
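Review bot: `B<-newkey> I<rsa>` and `B<-pkeyopt> I<paramset:X>` turn literal tokens into placeholders; `rsa` and `paramset` are typed verbatim and only `X` is user-supplied, so the markup should be `B<-newkey> B<rsa>` and `B<-pkeyopt> B<paramset:>I<X>` (matching how B<gost2001:filename> is shown in the same paragraph). The context line "or and X.509 certificate" also has a typo ("or an X.509 certificate") that could be fixed in this hunk.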
-=item B<-key filename>
+=item B<-key> I<filename>
This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for PEM format files.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
The format of the private key file specified in the B<-key>
argument. PEM is the default.
-=item B<-keyout filename>
+=item B<-keyout> I<filename>
This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
If this option is specified then if a private key is created it
will not be encrypted.
-=item B<-I<digest>>
+=item B<->I<digest>
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
signatures always use SHA1, GOST R 34.10 signatures always use
GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
-=item B<-config filename>
+=item B<-config> I<filename>
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-subj arg>
+=item B<-subj> I<arg>
Sets subject name for new request or supersedes the subject name
when processing a request.
If existing request is specified with the B<-in> option, it is converted
to the self signed certificate otherwise new request is created.
-=item B<-days n>
+=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
days to certify the certificate for, otherwise it is ignored. B<n> should
be a positive integer. The default is 30 days.
-=item B<-set_serial n>
+=item B<-set_serial> I<n>
Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by B<0x>.
-=item B<-addext ext>
+=item B<-addext> I<ext>
Add a specific extension to the certificate (if the B<-x509> option is
present) or certificate request. The argument must have the form of
This option can be given multiple times.
-=item B<-extensions section>
+=item B<-extensions> I<section>
-=item B<-reqexts section>
+=item B<-reqexts> I<section>
These options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
Print extra details about the operations being performed.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<req>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-keygen_engine id>
+=item B<-keygen_engine> I<id>
Specifies an engine (by its unique B<id> string) which would be used
for key generation operations.
B<openssl> B<rsa>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER>]
-[B<-in filename>]
-[B<-passin arg>]
-[B<-out filename>]
-[B<-passout arg>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-passin> I<arg>]
+[B<-out> I<filename>]
+[B<-passout> I<arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-pubout>]
[B<-RSAPublicKey_in>]
[B<-RSAPublicKey_out>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should B<not> be the same as the input
filename.
-=item B<-passout password>
+=item B<-passout> I<password>
The output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
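Review bot: as in the B<pkey> page, `+=item B<-passout> I<password>` disagrees with its body ("the format of B<arg>") and with the B<-passin> I<arg> item above; use I<arg> and point the reference at `L<openssl(1)/Pass phrase options>` like the B<-passin> item in this same hunk.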
Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<rsa>
to attempt to obtain a functional reference to the specified engine,
B<openssl> B<rsautl>
[B<-help>]
-[B<-in file>]
-[B<-out file>]
-[B<-inkey file>]
-[B<-keyform PEM|DER|ENGINE>]
+[B<-in> I<file>]
+[B<-out> I<file>]
+[B<-inkey> I<file>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
[B<-pubin>]
[B<-certin>]
[B<-sign>]
[B<-verify>]
[B<-encrypt>]
[B<-decrypt>]
-[B<-rand file...>]
-[B<-writerand file>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
[B<-pkcs>]
[B<-ssl>]
[B<-raw>]
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read data from or standard input
if this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-inkey file>
+=item B<-inkey> I<file>
The input key file, by default it should be an RSA private key.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
The key format PEM, DER or ENGINE.
Decrypt the input data using an RSA private key.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
B<openssl> B<s_client>
[B<-help>]
-[B<-connect host:port>]
-[B<-bind host:port>]
-[B<-proxy host:port>]
-[B<-proxy_user userid>]
-[B<-proxy_pass arg>]
-[B<-unix path>]
+[B<-connect> I<host:port>]
+[B<-bind> I<host:port>]
+[B<-proxy> I<host:port>]
+[B<-proxy_user> I<userid>]
+[B<-proxy_pass> I<arg>]
+[B<-unix> I<path>]
[B<-4>]
[B<-6>]
-[B<-servername name>]
+[B<-servername> I<name>]
[B<-noservername>]
-[B<-verify depth>]
+[B<-verify> I<depth>]
[B<-verify_return_error>]
-[B<-cert filename>]
-[B<-certform DER|PEM>]
-[B<-key filename>]
-[B<-keyform DER|PEM>]
-[B<-cert_chain filename>]
+[B<-cert> I<filename>]
+[B<-certform> B<DER>|B<PEM>]
+[B<-key> I<filename>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-cert_chain> I<filename>]
[B<-build_chain>]
[B<-xkey>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
-[B<-xcertform PEM|DER>]
-[B<-xkeyform PEM|DER>]
-[B<-pass arg>]
-[B<-CApath directory>]
-[B<-CAfile filename>]
-[B<-chainCApath directory>]
-[B<-chainCAfile filename>]
+[B<-xcertform> B<DER>|B<PEM>]
+[B<-xkeyform> B<DER>|B<PEM>]
+[B<-pass> I<arg>]
+[B<-CApath> I<directory>]
+[B<-CAfile> I<filename>]
+[B<-chainCApath> I<directory>]
+[B<-chainCAfile> I<filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-requestCAfile filename>]
-[B<-dane_tlsa_domain domain>]
-[B<-dane_tlsa_rrdata rrdata>]
+[B<-requestCAfile> I<filename>]
+[B<-dane_tlsa_domain> I<domain>]
+[B<-dane_tlsa_rrdata> I<rrdata>]
[B<-dane_ee_no_namechecks>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-nameopt option>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-nameopt> I<option>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-build_chain>]
[B<-x509_strict>]
[B<-reconnect>]
[B<-crlf>]
[B<-ign_eof>]
[B<-no_ign_eof>]
-[B<-psk_identity identity>]
-[B<-psk key>]
-[B<-psk_session file>]
+[B<-psk_identity> I<identity>]
+[B<-psk> I<key>]
+[B<-psk_session> I<file>]
[B<-quiet>]
[B<-ssl3>]
[B<-tls1>]
[B<-comp>]
[B<-no_comp>]
[B<-allow_no_dhe_kex>]
-[B<-sigalgs sigalglist>]
-[B<-curves curvelist>]
-[B<-cipher cipherlist>]
-[B<-ciphersuites val>]
+[B<-sigalgs> I<sigalglist>]
+[B<-curves> I<curvelist>]
+[B<-cipher> I<cipherlist>]
+[B<-ciphersuites> I<val>]
[B<-serverpref>]
-[B<-starttls protocol>]
-[B<-xmpphost hostname>]
-[B<-name hostname>]
-[B<-engine id>]
+[B<-starttls> I<protocol>]
+[B<-xmpphost> I<hostname>]
+[B<-name> I<hostname>]
+[B<-engine> I<id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
-[B<-sess_out filename>]
-[B<-sess_in filename>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-serverinfo types>]
+[B<-sess_out> I<filename>]
+[B<-sess_in> I<filename>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-serverinfo> I<types>]
[B<-status>]
-[B<-alpn protocols>]
-[B<-nextprotoneg protocols>]
+[B<-alpn> I<protocols>]
+[B<-nextprotoneg> I<protocols>]
[B<-ct>]
[B<-noct>]
[B<-ctlogfile>]
-[B<-keylogfile file>]
-[B<-early_data file>]
+[B<-keylogfile> I<file>]
+[B<-early_data> I<file>]
[B<-enable_pha>]
-[B<target>]
+[I<host>:I<port>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-connect host:port>
+=item B<-connect> I<host>:I<port>
This specifies the host and optional port to connect to. It is possible to
select the host and port using the optional target positional argument instead.
If neither this nor the target positional argument are specified then an attempt
is made to connect to the local host on port 4433.
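Review bot: `=item B<-connect> I<host>:I<port>` splits the placeholder into two italic runs, but the synopsis for the same option becomes `[B<-connect> I<host:port>]` and the neighbouring B<-bind> and B<-proxy> items use `I<host:port>`; one form should be used throughout the page. The description also still calls the positional argument the "target positional argument", while this patch renames that item from B<[target]> to I<host>:I<port>, so the wording here no longer matches anything in the option list.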
-=item B<-bind host:port>]
+=item B<-bind> I<host:port>]
This specifies the host address and or port to bind as the source for the
connection. For Unix-domain sockets the port is ignored and the host is
used as the source socket address.
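Review bot: the stray trailing `]` is carried over unchanged: `-=item B<-bind host:port>]` becomes `+=item B<-bind> I<host:port>]`. Since the line is being touched anyway, drop the bracket so the rendered heading reads `-bind host:port` rather than `-bind host:port]`.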
-=item B<-proxy host:port>
+=item B<-proxy> I<host:port>
When used with the B<-connect> flag, the program uses the host and port
specified with this flag and issues an HTTP CONNECT command to connect
to the desired server.
-=item B<-proxy_user userid>
+=item B<-proxy_user> I<userid>
When used with the B<-proxy> flag, the program will attempt to authenticate
with the specified proxy using basic (base64) authentication.
Therefore these credentials are easily recovered by anyone able to sniff/trace
the network. Use with caution.
-=item B<-proxy_pass arg>
+=item B<-proxy_pass> I<arg>
The proxy password source, used with the B<-proxy_user> flag.
-For more information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS>
-section in L<openssl(1)>.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass phrase options>.
-=item B<-unix path>
+=item B<-unix> I<path>
Connect over the specified Unix-domain socket.
Use IPv6 only.
-=item B<-servername name>
+=item B<-servername> I<name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
the given value.
ClientHello message. Cannot be used in conjunction with the B<-servername> or
<-dane_tlsa_domain> options.
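Review bot: the context line in this hunk has a markup slip worth fixing while the surrounding item is being edited: `<-dane_tlsa_domain> options.` is missing the leading `B`, so pod2man will emit a literal `<-dane_tlsa_domain>` instead of a bold option name. It should read `B<-dane_tlsa_domain>` like the B<-servername> reference on the same sentence.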
-=item B<-cert certname>
+=item B<-cert> I<certname>
The certificate to use, if one is requested by the server. The default is
not to use a certificate.
-=item B<-certform format>
+=item B<-certform> I<format>
The certificate format to use: DER or PEM. PEM is the default.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform format>
+=item B<-keyform> I<format>
The private format to use: DER or PEM. PEM is the default.
Specify whether the application should build the certificate chain to be
provided to the server.
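Review bot: the items and the synopsis now use different conventions for the format argument: the synopsis becomes `[B<-certform> B<DER>|B<PEM>]` and `[B<-keyform> B<DER>|B<PEM>]`, but the items become `=item B<-certform> I<format>` and `=item B<-keyform> I<format>`. The s_server hunk further down uses `=item B<-certform> B<DER>|B<PEM>` for the same option, so the s_client items should be changed to match. The body line "The private format to use" (context, under B<-keyform>) also reads as a dropped word; "The private key format to use" is what the s_server copy of this text intends as well.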
-=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
-provided to the server for the extra certificates provided via B<-xkey infile>,
-B<-xcert infile>, B<-xchain> options.
+provided to the server for the extra certificates provided via B<-xkey> I<infile>,
+B<-xcert> I<infile>, B<-xchain> options.
-=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
-=item B<-pass arg>
+=item B<-pass> I<arg>
the private key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
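Review bot: this B<-pass> item keeps the old cross-reference "see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>", although the B<-proxy_pass> hunk a few items above in the same file replaces exactly that sentence with `see L<openssl(1)/Pass phrase options>`. Apply the same replacement here so the two items on one page do not point at differently named sections; the body sentence also starts lowercase ("the private key password source"), which can be capitalised in the same change.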
-=item B<-verify depth>
+=item B<-verify> I<depth>
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
must be in "hash format", see L<verify(1)> for more information. These are
also used when building the client certificate chain.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
-=item B<-chainCApath directory>
+=item B<-chainCApath> I<directory>
The directory to use for building the chain provided to the server. This
directory must be in "hash format", see L<verify(1)> for more information.
-=item B<-chainCAfile file>
+=item B<-chainCAfile> I<file>
A file containing trusted certificates to use when attempting to build the
client certificate chain.
Do not load the trusted CA certificates from the default directory location
-=item B<-requestCAfile file>
+=item B<-requestCAfile> I<file>
A file containing a list of certificates whose subject names will be sent
to the server in the B<certificate_authorities> extension. Only supported
for TLS 1.3
-=item B<-dane_tlsa_domain domain>
+=item B<-dane_tlsa_domain> I<domain>
Enable RFC6698/RFC7671 DANE TLSA authentication and specify the
TLSA base domain which becomes the default SNI hint and the primary
verified". Otherwise, either the TLSA record "matched TA certificate"
at a positive depth or else "matched EE certificate" at depth 0.
-=item B<-dane_tlsa_rrdata rrdata>
+=item B<-dane_tlsa_rrdata> I<rrdata>
Use one or more times to specify the RRDATA fields of the DANE TLSA
RRset associated with the target service. The B<rrdata> value is
Shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.
-=item B<-psk_identity identity>
+=item B<-psk_identity> I<identity>
Use the PSK identity B<identity> when using a PSK cipher suite.
The default value is "Client_identity" (without the quotes).
-=item B<-psk key>
+=item B<-psk> I<key>
Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-psk_session file>
+=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
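Review bot: the PSK headings now mark their arguments with I<> (`=item B<-psk_identity> I<identity>`, `=item B<-psk> I<key>`, `=item B<-psk_session> I<file>`), but the bodies still refer back to them as B<identity>, B<key> and B<file>. With the heading convention changed, these in-text references should become I<identity>, I<key> and I<file>, otherwise the same placeholder is rendered bold in one place and italic in the next; the same applies to B<filename> under B<-sess_out> and B<id> under B<-engine> later in this file.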
-=item B<-max_send_frag int>
+=item B<-max_send_frag> I<int>
The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.
-=item B<-split_send_frag int>
+=item B<-split_send_frag> I<int>
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
-=item B<-max_pipelines int>
+=item B<-max_pipelines> I<int>
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
-=item B<-read_buf int>
+=item B<-read_buf> I<int>
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
Only provide a brief summary of connection parameters instead of the
normal verbose output.
-=item B<-sigalgs sigalglist>
+=item B<-sigalgs> I<sigalglist>
Specifies the list of signature algorithms that are sent by the client.
The server selects one entry in the list based on its preferences.
For example strings, see L<SSL_CTX_set1_sigalgs(3)>
-=item B<-curves curvelist>
+=item B<-curves> I<curvelist>
Specifies the list of supported curves to be sent by the client. The curve is
ultimately selected by the server. For a list of all curves, use:
$ openssl ecparam -list_curves
-=item B<-cipher cipherlist>
+=item B<-cipher> I<cipherlist>
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
take the first supported cipher in the list sent by the client. See the
B<ciphers> command for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
B<ciphers> command for more information. The format for this list is a simple
colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-starttls protocol>
+=item B<-starttls> I<protocol>
Send the protocol-specific message(s) to switch to TLS for communication.
B<protocol> is a keyword for the intended protocol. Currently, the only
supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
-=item B<-xmpphost hostname>
+=item B<-xmpphost> I<hostname>
This option, when used with "-starttls xmpp" or "-starttls xmpp-server",
specifies the host for the "to" attribute of the stream element.
This option is an alias of the B<-name> option for "xmpp" and "xmpp-server".
-=item B<-name hostname>
+=item B<-name> I<hostname>
This option is used to specify hostname information for various protocols
used with B<-starttls> option. Currently only "xmpp", "xmpp-server",
Disable RFC4507bis session ticket support.
-=item B<-sess_out filename>
+=item B<-sess_out> I<filename>
Output SSL session to B<filename>.
-=item B<-sess_in sess.pem>
+=item B<-sess_in> I<sess.pem>
Load SSL session from B<filename>. The client will attempt to resume a
connection from this session.
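Review bot: `=item B<-sess_in> I<sess.pem>` uses a sample file name as the placeholder, while the synopsis entry in this same patch becomes `[B<-sess_in> I<filename>]` and the body says "Load SSL session from B<filename>". Use I<filename> in the heading so the synopsis, heading and body agree.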
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<s_client>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-serverinfo types>
+=item B<-serverinfo> I<types>
A list of comma-separated TLS Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello TLS Extension.
Sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.
-=item B<-alpn protocols>, B<-nextprotoneg protocols>
+=item B<-alpn> I<protocols>, B<-nextprotoneg> I<protocols>
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
A file containing a list of known Certificate Transparency logs. See
L<SSL_CTX_set_ctlog_list_file(3)> for the expected file format.
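Review bot: the context line directly under the new B<-alpn>/B<-nextprotoneg> heading reads "These flags enable the Enable the Application-Layer Protocol Negotiation", a duplicated phrase that survives this rewrite. Since the heading is being edited, it would be reasonable to fix the sentence to "These flags enable the Application-Layer Protocol Negotiation ..." here and in the identical s_server paragraph later in the patch.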
-=item B<-keylogfile file>
+=item B<-keylogfile> I<file>
Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.
-=item B<-early_data file>
+=item B<-early_data> I<file>
Reads the contents of the specified file and attempts to send it as early data
to the server. This will only work with resumed sessions that support early
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via B<-cert>.
-=item B<[target]>
+=item I<host>:I<port>
Rather than providing B<-connect>, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
-nor B<-connect> are provided, falls back to attempting to connect to localhost
-on port 4433.
+nor B<-connect> are provided, falls back to attempting to connect to
+I<localhost> on port I<4433>.
=back
B<openssl> B<s_server>
[B<-help>]
-[B<-port +int>]
-[B<-accept val>]
-[B<-unix val>]
+[B<-port> I<+int>]
+[B<-accept> I<val>]
+[B<-unix> I<val>]
[B<-4>]
[B<-6>]
[B<-unlink>]
-[B<-context val>]
-[B<-verify int>]
-[B<-Verify int>]
-[B<-cert infile>]
-[B<-nameopt val>]
-[B<-naccept +int>]
-[B<-serverinfo val>]
-[B<-certform PEM|DER>]
-[B<-key infile>]
-[B<-keyform format>]
-[B<-pass val>]
-[B<-dcert infile>]
-[B<-dcertform PEM|DER>]
-[B<-dkey infile>]
-[B<-dkeyform PEM|DER>]
-[B<-dpass val>]
+[B<-context> I<val>]
+[B<-verify> I<int>]
+[B<-Verify> I<int>]
+[B<-cert> I<infile>]
+[B<-nameopt> I<val>]
+[B<-naccept> I<+int>]
+[B<-serverinfo> I<val>]
+[B<-certform> B<DER>|B<PEM>]
+[B<-key> I<infile>]
+[B<-keyform> I<format>]
+[B<-pass> I<val>]
+[B<-dcert> I<infile>]
+[B<-dcertform> B<DER>|B<PEM>]
+[B<-dkey> I<infile>]
+[B<-dkeyform> B<DER>|B<PEM>]
+[B<-dpass> I<val>]
[B<-nbio_test>]
[B<-crlf>]
[B<-debug>]
[B<-msg>]
-[B<-msgfile outfile>]
+[B<-msgfile> I<outfile>]
[B<-state>]
-[B<-CAfile infile>]
-[B<-CApath dir>]
+[B<-CAfile> I<infile>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-nocert>]
[B<-key2 infile>]
[B<-tlsextdebug>]
[B<-HTTP>]
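Review bot: one synopsis entry in this s_server block is left in the old style: `[B<-key2 infile>]` still has the argument inside the B<> while every neighbouring entry has been converted to `B<-opt> I<arg>`. It should become `[B<-key2> I<infile>]` for consistency with `[B<-key> I<infile>]` above it.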
-[B<-id_prefix val>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-keymatexport val>]
-[B<-keymatexportlen +int>]
-[B<-CRL infile>]
+[B<-id_prefix> I<val>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-keymatexport> I<val>]
+[B<-keymatexportlen> I<+int>]
+[B<-CRL> I<infile>]
[B<-crl_download>]
-[B<-cert_chain infile>]
-[B<-dcert_chain infile>]
-[B<-chainCApath dir>]
-[B<-verifyCApath dir>]
+[B<-cert_chain> I<infile>]
+[B<-dcert_chain> I<infile>]
+[B<-chainCApath> I<dir>]
+[B<-verifyCApath> I<dir>]
[B<-no_cache>]
[B<-ext_cache>]
-[B<-CRLform PEM|DER>]
+[B<-CRLform> B<DER>|B<PEM>]
[B<-verify_return_error>]
[B<-verify_quiet>]
[B<-build_chain>]
-[B<-chainCAfile infile>]
-[B<-verifyCAfile infile>]
+[B<-chainCAfile> I<infile>]
+[B<-verifyCAfile> I<infile>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-status>]
[B<-status_verbose>]
-[B<-status_timeout int>]
-[B<-status_url val>]
-[B<-status_file infile>]
+[B<-status_timeout> I<int>]
+[B<-status_url> I<val>]
+[B<-status_file> I<infile>]
[B<-trace>]
[B<-security_debug>]
[B<-security_debug_verbose>]
[B<-brief>]
[B<-rev>]
[B<-async>]
-[B<-ssl_config val>]
-[B<-max_send_frag +int>]
-[B<-split_send_frag +int>]
-[B<-max_pipelines +int>]
-[B<-read_buf +int>]
+[B<-ssl_config> I<val>]
+[B<-max_send_frag> I<+int>]
+[B<-split_send_frag> I<+int>]
+[B<-max_pipelines> I<+int>]
+[B<-read_buf> I<+int>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-allow_no_dhe_kex>]
[B<-prioritize_chacha>]
[B<-strict>]
-[B<-sigalgs val>]
-[B<-client_sigalgs val>]
-[B<-groups val>]
-[B<-curves val>]
-[B<-named_curve val>]
-[B<-cipher val>]
-[B<-ciphersuites val>]
-[B<-dhparam infile>]
-[B<-record_padding val>]
+[B<-sigalgs> I<val>]
+[B<-client_sigalgs> I<val>]
+[B<-groups> I<val>]
+[B<-curves> I<val>]
+[B<-named_curve> I<val>]
+[B<-cipher> I<val>]
+[B<-ciphersuites> I<val>]
+[B<-dhparam> I<infile>]
+[B<-record_padding> I<val>]
[B<-debug_broken_protocol>]
-[B<-policy val>]
-[B<-purpose val>]
-[B<-verify_name val>]
-[B<-verify_depth int>]
-[B<-auth_level int>]
-[B<-attime intmax>]
-[B<-verify_hostname val>]
-[B<-verify_email val>]
+[B<-policy> I<val>]
+[B<-purpose> I<val>]
+[B<-verify_name> I<val>]
+[B<-verify_depth> I<int>]
+[B<-auth_level> I<int>]
+[B<-attime> I<intmax>]
+[B<-verify_hostname> I<val>]
+[B<-verify_email> I<val>]
[B<-verify_ip>]
[B<-ignore_critical>]
[B<-issuer_checks>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
-[B<-xcertform PEM|DER>]
-[B<-xkeyform PEM|DER>]
+[B<-xcertform> B<DER>|B<PEM>]
+[B<-xkeyform> B<DER>|B<PEM>]
[B<-nbio>]
-[B<-psk_identity val>]
-[B<-psk_hint val>]
-[B<-psk val>]
-[B<-psk_session file>]
-[B<-srpvfile infile>]
-[B<-srpuserseed val>]
+[B<-psk_identity> I<val>]
+[B<-psk_hint> I<val>]
+[B<-psk> I<val>]
+[B<-psk_session> I<file>]
+[B<-srpvfile> I<infile>]
+[B<-srpuserseed> I<val>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_3>]
[B<-dtls>]
[B<-timeout>]
-[B<-mtu +int>]
+[B<-mtu> I<+int>]
[B<-listen>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
-[B<-nextprotoneg val>]
-[B<-use_srtp val>]
-[B<-alpn val>]
-[B<-engine val>]
-[B<-keylogfile outfile>]
-[B<-max_early_data int>]
+[B<-nextprotoneg> I<val>]
+[B<-use_srtp> I<val>]
+[B<-alpn> I<val>]
+[B<-engine> I<val>]
+[B<-keylogfile> I<outfile>]
+[B<-max_early_data> I<int>]
[B<-early_data>]
[B<-anti_replay>]
[B<-no_anti_replay>]
Print out a usage message.
-=item B<-port +int>
+=item B<-port> I<+int>
The TCP port to listen on for connections. If not specified 4433 is used.
-=item B<-accept val>
+=item B<-accept> I<val>
The optional TCP host and port to listen on for connections. If not specified, *:4433 is used.
-=item B<-unix val>
+=item B<-unix> I<val>
Unix domain socket to accept on.
For -unix, unlink any existing socket first.
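Review bot: the placeholder names chosen for s_server differ from the s_client page without reason: `[B<-unix> I<val>]` / `=item B<-unix> I<val>` here versus `[B<-unix> I<path>]` in s_client, and `[B<-port> I<+int>]` / `=item B<-port> I<+int>` carries the option parser's "+int" type tag into the rendered man page. Consider I<path> for B<-unix> and a plain I<port> (or I<int>) for B<-port>, and the same for the other `I<+int>` entries in this synopsis (B<-naccept>, B<-keymatexportlen>, B<-max_send_frag>, B<-split_send_frag>, B<-max_pipelines>, B<-read_buf>, B<-mtu>), so the documentation does not expose an internal argument type spelling.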
-=item B<-context val>
+=item B<-context> I<val>
Sets the SSL context id. It can be given any string value. If this option
is not present a default value will be used.
-=item B<-verify int>, B<-Verify int>
+=item B<-verify> I<int>, B<-Verify> I<int>
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or PSK) this option has no effect.
-=item B<-cert infile>
+=item B<-cert> I<infile>
The certificate to use, most servers cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
Specify whether the application should build the certificate chain to be
provided to the client.
-=item B<-nameopt val>
+=item B<-nameopt> I<val>
Option which determines how the subject or issuer names are displayed. The
B<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-naccept +int>
+=item B<-naccept> I<+int>
The server will exit after receiving the specified number of connections,
default unlimited.
-=item B<-serverinfo val>
+=item B<-serverinfo> I<val>
A file containing one or more blocks of PEM data. Each PEM block
must encode a TLS ServerHello extension (2 bytes type, 2 bytes length,
an empty TLS ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
-=item B<-certform PEM|DER>
+=item B<-certform> B<DER>|B<PEM>
The certificate format to use: DER or PEM. PEM is the default.
-=item B<-key infile>
+=item B<-key> I<infile>
The private key to use. If not specified then the certificate file will
be used.
-=item B<-keyform format>
+=item B<-keyform> I<format>
The private format to use: DER or PEM. PEM is the default.
-=item B<-pass val>
+=item B<-pass> I<val>
The private key password source. For more information about the format of B<val>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-dcert infile>, B<-dkey infile>
+=item B<-dcert> I<infile>, B<-dkey> I<infile>
Specify an additional certificate and private key, these behave in the
same manner as the B<-cert> and B<-key> options except there is no default
server certificate chain when a certificate specified via the B<-dcert> option
is in use.
-=item B<-dcertform PEM|DER>, B<-dkeyform PEM|DER>, B<-dpass val>
+=item B<-dcertform> B<DER>|B<PEM>, B<-dkeyform> B<DER>|B<PEM>, B<-dpass> I<val>
Additional certificate and private key format and passphrase respectively.
-=item B<-xkey infile>, B<-xcert infile>, B<-xchain>
+=item B<-xkey> I<infile>, B<-xcert> I<infile>, B<-xchain>
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the B<-cert>, B<-key> and B<-cert_chain> options. When
=item B<-xchain_build>
Specify whether the application should build the certificate chain to be
-provided to the client for the extra certificates provided via B<-xkey infile>,
-B<-xcert infile>, B<-xchain> options.
+provided to the client for the extra certificates provided via B<-xkey> I<infile>,
+B<-xcert> I<infile>, B<-xchain> options.
-=item B<-xcertform PEM|DER>, B<-xkeyform PEM|DER>
+=item B<-xcertform> B<DER>|B<PEM>, B<-xkeyform> B<DER>|B<PEM>
Extra certificate and private key format respectively.
Show all protocol messages with hex dump.
-=item B<-msgfile outfile>
+=item B<-msgfile> I<outfile>
File to send output of B<-msg> or B<-trace> to, default standard output.
Prints the SSL session states.
-=item B<-CAfile infile>
+=item B<-CAfile> I<infile>
A file containing trusted certificates to use during client authentication
and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
The directory to use for client certificate verification. This directory
must be in "hash format", see L<verify(1)> for more information. These are
also used when building the server certificate chain.
-=item B<-chainCApath dir>
+=item B<-chainCApath> I<dir>
The directory to use for building the chain provided to the client. This
directory must be in "hash format", see L<verify(1)> for more information.
-=item B<-chainCAfile file>
+=item B<-chainCAfile> I<file>
A file containing trusted certificates to use when attempting to build the
server certificate chain.
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
-=item B<-id_prefix val>
+=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (eg. with a certain prefix).
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
Enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.
-=item B<-status_timeout int>
+=item B<-status_timeout> I<int>
Sets the timeout for OCSP response to B<int> seconds.
-=item B<-status_url val>
+=item B<-status_url> I<val>
Sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.
-=item B<-status_file infile>
+=item B<-status_file> I<infile>
Overrides any OCSP responder URLs from the certificate and always provides the
OCSP Response stored in the file. The file must be in DER format.
is also used via the B<-engine> option. For test purposes the dummy async engine
(dasync) can be used (if available).
-=item B<-max_send_frag +int>
+=item B<-max_send_frag> I<+int>
The maximum size of data fragment to send.
See L<SSL_CTX_set_max_send_fragment(3)> for further information.
-=item B<-split_send_frag +int>
+=item B<-split_send_frag> I<+int>
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
has been loaded, and max_pipelines is greater than 1. See
L<SSL_CTX_set_split_send_fragment(3)> for further information.
-=item B<-max_pipelines +int>
+=item B<-max_pipelines> I<+int>
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See L<SSL_CTX_set_max_pipelines(3)> for further information.
-=item B<-read_buf +int>
+=item B<-read_buf> I<+int>
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
Set the B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> option.
-=item B<-client_sigalgs val>
+=item B<-client_sigalgs> I<val>
Signature algorithms to support for client certificate authentication
(colon-separated list).
-=item B<-named_curve val>
+=item B<-named_curve> I<val>
Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
For a list of all possible curves, use:
$ openssl ecparam -list_curves
-=item B<-cipher val>
+=item B<-cipher> I<val>
This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
the preference order, the order of the server cipherlist is irrelevant. See
the B<ciphers> command for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
the B<ciphers> command for more information. The format for this list is a
simple colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-dhparam infile>
+=item B<-dhparam> I<infile>
The DH parameter file to use. The ephemeral DH cipher suites generate keys
using a set of DH parameters. If not specified then an attempt is made to
Turns on non blocking I/O.
-=item B<-psk_identity val>
+=item B<-psk_identity> I<val>
Expect the client to send PSK identity B<val> when using a PSK
cipher suite, and warn if they do not. By default, the expected PSK
identity is the string "Client_identity".
-=item B<-psk_hint val>
+=item B<-psk_hint> I<val>
Use the PSK identity hint B<val> when using a PSK cipher suite.
-=item B<-psk val>
+=item B<-psk> I<val>
Use the PSK key B<val> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d.
This option must be provided in order to use a PSK cipher.
-=item B<-psk_session file>
+=item B<-psk_session> I<file>
Use the pem encoded SSL_SESSION data stored in B<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
If this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
-=item B<-alpn val>, B<-nextprotoneg val>
+=item B<-alpn> I<val>, B<-nextprotoneg> I<val>
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
-=item B<-engine val>
+=item B<-engine> I<val>
Specifying an engine (by its unique id string in B<val>) will cause B<s_server>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-=item B<-keylogfile outfile>
+=item B<-keylogfile> I<outfile>
Appends TLS secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt TLS connections.
-=item B<-max_early_data int>
+=item B<-max_early_data> I<int>
Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the B<-early_data>
B<openssl> B<s_time>
[B<-help>]
-[B<-connect host:port>]
-[B<-www page>]
-[B<-cert filename>]
-[B<-key filename>]
-[B<-CApath directory>]
-[B<-cafile filename>]
+[B<-connect> I<host:port>]
+[B<-www> I<page>]
+[B<-cert> I<filename>]
+[B<-key> I<filename>]
+[B<-CApath> I<directory>]
+[B<-cafile> I<filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-reuse>]
[B<-new>]
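Review bot: the s_time synopsis entry becomes `[B<-cafile> I<filename>]` with a lowercase option name, but the corresponding item further down is `=item B<-CAfile> I<file>` and the sibling entry on the previous line is `[B<-CApath> I<directory>]`. Correct the case to `[B<-CAfile> I<filename>]` (and align the placeholder with the item, I<file> or I<filename>) since the pass only touches the markup and is the natural place to fix it.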
-[B<-verify depth>]
-[B<-nameopt option>]
-[B<-time seconds>]
+[B<-verify> I<depth>]
+[B<-nameopt> I<option>]
+[B<-time> I<seconds>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-bugs>]
-[B<-cipher cipherlist>]
-[B<-ciphersuites val>]
+[B<-cipher> I<cipherlist>]
+[B<-ciphersuites> I<val>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-connect host:port>
+=item B<-connect> I<host:port>
This specifies the host and optional port to connect to.
-=item B<-www page>
+=item B<-www> I<page>
This specifies the page to GET from the server. A value of '/' gets the
index.htm[l] page. If this parameter is not specified, then B<s_time> will only
perform the handshake to establish SSL connections but not transfer any
payload data.
-=item B<-cert certname>
+=item B<-cert> I<certname>
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in PEM format.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
The private key to use. If not specified then the certificate file will
be used. The file is in PEM format.
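Review bot: the argument names in these s_time items do not match the synopsis lines changed earlier in this same patch: the items become B<-cert> I<certname> and B<-key> I<keyfile>, while the synopsis was changed to B<-cert> I<filename> and B<-key> I<filename>. Pick one name per option and use it in both places, since the point of this patch is consistent B<option> I<arg> markup.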
-=item B<-verify depth>
+=item B<-verify> I<depth>
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the L<x509(1)> manual page for details.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
must be in "hash format", see B<verify> for more information. These are
also used when building the client certificate chain.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
There are several known bugs in SSL and TLS implementations. Adding this
option enables various workarounds.
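Review bot: case mismatch between synopsis and item: the synopsis line is now B<-cafile> I<filename> but the item here is B<-CAfile> I<file>. The option is spelled B<-CAfile> everywhere else in this patch (smime, ts, verify), so the synopsis line should be B<-CAfile> I<file> to match.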
-=item B<-cipher cipherlist>
+=item B<-cipher> I<cipherlist>
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
take the first supported cipher in the list sent by the client. See
L<ciphers(1)> for more information.
-=item B<-ciphersuites val>
+=item B<-ciphersuites> I<val>
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
L<ciphers(1)> for more information. The format for this list is a simple
colon (":") separated list of TLSv1.3 ciphersuite names.
-=item B<-time length>
+=item B<-time> I<length>
Specifies how long (in seconds) B<s_time> should establish connections and
optionally transfer payload data from a server. Server and client performance
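Review bot: the item is changed to B<-time> I<length> but the synopsis line above was changed to B<-time> I<seconds>; the description says "how long (in seconds)", so I<seconds> in both places would be the clearer and consistent choice.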
B<openssl> B<sess_id>
[B<-help>]
-[B<-inform PEM|DER>]
-[B<-outform PEM|DER|NSS>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>|B<MSS>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-text>]
[B<-noout>]
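Review bot: typo in the new synopsis line: B<-outform> B<DER>|B<PEM>|B<MSS> should read B<NSS>. The removed line had NSS, and the item further down in this file is correctly B<-outform> B<DER>|B<PEM>|B<NSS>; as written, the synopsis documents a format the command does not accept.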
-[B<-context ID>]
+[B<-context> I<ID>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
format containing session details. The precise format can vary from one version
to the next. The B<PEM> form is the default format: it consists of the B<DER>
format base64 encoded with additional header and footer lines.
-=item B<-outform DER|PEM|NSS>
+=item B<-outform> B<DER>|B<PEM>|B<NSS>
This specifies the output format. The B<PEM> and B<DER> options have the same meaning
and default as the B<-inform> option. The B<NSS> option outputs the session id and
the master key in NSS keylog format.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read session information from or standard
input by default.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write session information to or standard
output if this option is not specified.
This option prevents output of the encoded version of the session.
-=item B<-context ID>
+=item B<-context> I<ID>
This option can set the session id so the output session information uses the
supplied ID. The ID can be any string of characters. This option won't normally
[B<-pk7out>]
[B<-binary>]
[B<-crlfeol>]
-[B<-I<cipher>>]
-[B<-in file>]
-[B<-CAfile file>]
-[B<-CApath dir>]
+[B<->I<cipher>]
+[B<-in> I<file>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
-[B<-auth_level num>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
-[B<-certfile file>]
-[B<-signer file>]
-[B<-recip file>]
-[B<-inform SMIME|PEM|DER>]
-[B<-passin arg>]
-[B<-inkey file_or_id>]
-[B<-out file>]
-[B<-outform SMIME|PEM|DER>]
-[B<-content file>]
-[B<-to addr>]
-[B<-from ad>]
-[B<-subject s>]
+[B<-certfile> I<file>]
+[B<-signer> I<file>]
+[B<-recip> I< file>]
+[B<-inform> B<DER>|B<PEM>|B<SMIME>]
+[B<-passin> I<arg>]
+[B<-inkey> I<file_or_id>]
+[B<-out> I<file>]
+[B<-outform> B<DER>|B<PEM>|B<SMIME>]
+[B<-content> I<file>]
+[B<-to> I<addr>]
+[B<-from> I<ad>]
+[B<-subject> I<s>]
[B<-text>]
[B<-indef>]
[B<-noindef>]
[B<-stream>]
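Review bot: stray space inside the formatting code on the new B<-recip> I< file> line; it should be B<-recip> I<file> like the item below, otherwise the rendered argument shows a leading blank.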
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-md digest>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-md> I<digest>]
[cert.pem]...
=head1 DESCRIPTION
Resign a message: take an existing message and one or more new signers.
-=item B<-in filename>
+=item B<-in> I<filename>
The input message to be encrypted or signed or the MIME message to
be decrypted or verified.
-=item B<-inform SMIME|PEM|DER>
+=item B<-inform> B<DER>|B<PEM>|B<SMIME>
This specifies the input format for the PKCS#7 structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
structure, if no PKCS#7 structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
-=item B<-out filename>
+=item B<-out> I<filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
-=item B<-outform SMIME|PEM|DER>
+=item B<-outform> B<DER>|B<PEM>|B<SMIME>
This specifies the output format for the PKCS#7 structure. The default
is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
structure, if no PKCS#7 structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
-=item B<-stream -indef -noindef>
+=item B<-stream>, B<-indef>, B<-noindef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
-=item B<-content filename>
+=item B<-content> I<filename>
This specifies a file containing the detached content, this is only
useful with the B<-verify> command. This is only usable if the PKCS#7
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A file containing trusted CA certificates, only used with B<-verify>.
-=item B<-CApath dir>
+=item B<-CApath> I<dir>
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
Do not load the trusted CA certificates from the default directory location.
-=item B<-md digest>
+=item B<-md> I<digest>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
-=item B<-I<cipher>>
+=item B<->I<cipher>
The encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
-=item B<-certfile file>
+=item B<-certfile> I<file>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
-=item B<-signer file>
+=item B<-signer> I<file>
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
-=item B<-recip file>
+=item B<-recip> I<file>
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
-=item B<-inkey file_or_id>
+=item B<-inkey> I<file_or_id>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
B<openssl speed>
[B<-help>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-elapsed>]
-[B<-evp algo>]
-[B<-hmac algo>]
-[B<-cmac algo>]
+[B<-evp> I<algo>]
+[B<-hmac> I<algo>]
+[B<-cmac> I<algo>]
[B<-decrypt>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-primes num>]
-[B<-seconds num>]
-[B<-bytes num>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-primes> I<num>]
+[B<-seconds> I<num>]
+[B<-bytes> I<num>]
[B<algorithm...>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<speed>
to attempt to obtain a functional reference to the specified engine,
instead of CPU user time as divisor. It can be useful when testing speed
of hardware engines.
-=item B<-evp algo>
+=item B<-evp> I<algo>
Use the specified cipher or message digest algorithm via the EVP interface.
If B<algo> is an AEAD cipher, then you can pass <-aead> to benchmark a
TLS-like sequence. And if B<algo> is a multi-buffer capable cipher, e.g.
aes-128-cbc-hmac-sha1, then B<-mb> will time multi-buffer operation.
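Review bot: in the context below the B<-evp> I<algo> item, "<-aead>" is missing its formatting code and renders as a literal angle-bracket string; while this item is being edited it should become B<-aead> to match B<-mb> on the following line.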
-=item B<-hmac digest>
+=item B<-hmac> I<digest>
Time the HMAC algorithm using the specified message digest.
-=item B<-cmac cipher>
+=item B<-cmac> I<cipher>
Time the CMAC algorithm using the specified cipher e.g. B<speed -cmac aes128>.
Time the decryption instead of encryption. Affects only the EVP testing.
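Review bot: these speed items use different argument names from the synopsis: the synopsis lines are B<-hmac> I<algo> and B<-cmac> I<algo>, while the items become B<-hmac> I<digest> and B<-cmac> I<cipher>. The item names are the more descriptive ones (the descriptions say "message digest" and "cipher"), so the synopsis should be changed to I<digest> and I<cipher> rather than leaving the two out of step.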
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-primes num>
+=item B<-primes> I<num>
Generate a B<num>-prime RSA key and use it to run the benchmarks. This option
is only effective if RSA algorithm is specified to test.
-=item B<-seconds num>
+=item B<-seconds> I<num>
Run benchmarks for B<num> seconds.
-=item B<-bytes num>
+=item B<-bytes> I<num>
Run benchmarks on B<num>-byte buffers. Affects ciphers, digests and the CSPRNG.
-=item B<[zero or more test algorithms]>
+=item B<algorithm...>
If any options are given, B<speed> tests those algorithms, otherwise a
pre-compiled grand selection is tested.
B<openssl> B<spkac>
[B<-help>]
-[B<-in filename>]
-[B<-out filename>]
-[B<-key keyfile>]
-[B<-keyform PEM|DER|ENGINE>]
-[B<-passin arg>]
-[B<-challenge string>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
+[B<-key> I<keyfile>]
+[B<-keyform> B<DER>|B<PEM>|B<ENGINE>]
+[B<-passin> I<arg>]
+[B<-challenge> I<string>]
[B<-pubkey>]
-[B<-spkac spkacname>]
-[B<-spksect section>]
+[B<-spkac> I<spkacname>]
+[B<-spksect> I<section>]
[B<-noout>]
[B<-verify>]
-[B<-engine id>]
+[B<-engine> I<id>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the B<-key> option is used.
-=item B<-out filename>
+=item B<-out> I<filename>
Specifies the output filename to write to or standard output by
default.
-=item B<-key keyfile>
+=item B<-key> I<keyfile>
Create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.
-=item B<-keyform PEM|DER|ENGINE>
+=item B<-keyform> B<DER>|B<PEM>|B<ENGINE>
Whether the key format is PEM, DER, or an engine-backed key.
The default is PEM.
-=item B<-passin password>
+=item B<-passin> I<password>
The input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
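Review bot: the spkac B<-passin> item is changed to B<-passin> I<password>, but the synopsis line in this patch is B<-passin> I<arg> and the description still refers to "the format of B<arg>". Use I<arg> in the item, as the smime and storeutl B<-passin> items in this patch do, so the name the description refers to actually appears in the heading.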
-=item B<-challenge string>
+=item B<-challenge> I<string>
Specifies the challenge string if an SPKAC is being created.
-=item B<-spkac spkacname>
+=item B<-spkac> I<spkacname>
Allows an alternative name form the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.
-=item B<-spksect section>
+=item B<-spksect> I<section>
Allows an alternative name form the section containing the
SPKAC. The default is the default section.
Verifies the digital signature on the supplied SPKAC.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
[B<-modify>]
[B<-delete>]
[B<-list>]
-[B<-name section>]
-[B<-config file>]
-[B<-srpvfile file>]
-[B<-gn identifier>]
-[B<-userinfo text...>]
-[B<-passin arg>]
-[B<-passout arg>]
+[B<-name> I<section>]
+[B<-config> I<file>]
+[B<-srpvfile> I<file>]
+[B<-gn> I<identifier>]
+[B<-userinfo> I<text...>]
+[B<-passin> I<arg>]
+[B<-passout> I<arg>]
[I<user...>]
=head1 DESCRIPTION
=over 4
-=item [B<-help>]
+=item B<-help>
Display an option summary.
-=item [B<-verbose>]
+=item B<-verbose>
Generate verbose output while processing.
B<openssl> B<storeutl>
[B<-help>]
-[B<-out file>]
+[B<-out> I<file>]
[B<-noout>]
-[B<-passin arg>]
-[B<-text arg>]
-[B<-engine id>]
+[B<-passin> I<arg>]
+[B<-text> I<arg>]
+[B<-engine> I<id>]
[B<-r>]
[B<-certs>]
[B<-keys>]
[B<-crls>]
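Review bot: the storeutl synopsis is changed to B<-text> I<arg>, but the option takes no argument: the unchanged =item B<-text> heading and its description ("Prints out the objects in text form") show it is a flag. The synopsis line should be [B<-text>] instead of converting the spurious argument into an I<> code.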
-[B<-subject arg>]
-[B<-issuer arg>]
-[B<-serial arg>]
-[B<-alias arg>]
-[B<-fingerprint arg>]
-[B<-I<digest>>]
+[B<-subject> I<arg>]
+[B<-issuer> I<arg>]
+[B<-serial> I<arg>]
+[B<-alias> I<arg>]
+[B<-fingerprint> I<arg>]
+[B<->I<digest>]
B<uri> ...
=head1 DESCRIPTION
Print out a usage message.
-=item B<-out filename>
+=item B<-out> I<filename>
specifies the output filename to write to or standard output by
default.
this option prevents output of the PEM data.
-=item B<-passin arg>
+=item B<-passin> I<arg>
the key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-text>
Prints out the objects in text form, similarly to the B<-text> output from
B<openssl x509>, B<openssl pkey>, etc.
-=item B<-engine id>
+=item B<-engine> I<id>
specifying an engine (by its unique B<id> string) will cause B<storeutl>
to attempt to obtain a functional reference to the specified engine,
However, if this URI would return a set of names (URIs), those are always
returned.
-=item B<-subject arg>
+=item B<-subject> I<arg>
Search for an object having the subject name B<arg>.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
a search with an empty value will have the same effect as not specifying
the type at all.
-=item B<-issuer arg>
+=item B<-issuer> I<arg>
-=item B<-serial arg>
+=item B<-serial> I<arg>
Search for an object having the given issuer name and serial number.
These two options I<must> be used together.
The serial arg may be specified as a decimal value or a hex value if preceded
by B<0x>.
-=item B<-alias arg>
+=item B<-alias> I<arg>
Search for an object having the given alias.
-=item B<-fingerprint arg>
+=item B<-fingerprint> I<arg>
Search for an object having the given fingerprint.
-=item B<-I<digest>>
+=item B<->I<digest>
The digest that was used to compute the fingerprint given with B<-fingerprint>.
B<openssl> B<ts>
B<-query>
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-config> configfile]
-[B<-data> file_to_hash]
-[B<-digest> digest_bytes]
-[B<-I<digest>>]
-[B<-tspolicy> object_id]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-config> I<configfile>]
+[B<-data> I<file_to_hash>]
+[B<-digest> I<digest_bytes>]
+[B<->I<digest>]
+[B<-tspolicy> I<object_id>]
[B<-no_nonce>]
[B<-cert>]
-[B<-in> request.tsq]
-[B<-out> request.tsq]
+[B<-in> I<request.tsq>]
+[B<-out> I<request.tsq>]
[B<-text>]
B<openssl> B<ts>
B<-reply>
-[B<-config> configfile]
-[B<-section> tsa_section]
-[B<-queryfile> request.tsq]
-[B<-passin> password_src]
-[B<-signer> tsa_cert.pem]
-[B<-inkey> file_or_id]
-[B<-I<digest>>]
-[B<-chain> certs_file.pem]
-[B<-tspolicy> object_id]
-[B<-in> response.tsr]
+[B<-config> I<configfile>]
+[B<-section> I<tsa_section>]
+[B<-queryfile> I<request.tsq>]
+[B<-passin> I<password_src>]
+[B<-signer> I<tsa_cert.pem>]
+[B<-inkey> I<file_or_id>]
+[B<->I<digest>]
+[B<-chain> I<certs_file.pem>]
+[B<-tspolicy> I<object_id>]
+[B<-in> I<response.tsr>]
[B<-token_in>]
-[B<-out> response.tsr]
+[B<-out> I<response.tsr>]
[B<-token_out>]
[B<-text>]
-[B<-engine> id]
+[B<-engine> I<id>]
B<openssl> B<ts>
B<-verify>
-[B<-data> file_to_hash]
-[B<-digest> digest_bytes]
-[B<-queryfile> request.tsq]
-[B<-in> response.tsr]
+[B<-data> I<file_to_hash>]
+[B<-digest> I<digest_bytes>]
+[B<-queryfile> I<request.tsq>]
+[B<-in> I<response.tsr>]
[B<-token_in>]
-[B<-CApath> trusted_cert_path]
-[B<-CAfile> trusted_certs.pem]
-[B<-untrusted> cert_file.pem]
+[B<-CApath> I<trusted_cert_path>]
+[B<-CAfile> I<trusted_certs.pem>]
+[B<-untrusted> I<cert_file.pem>]
[I<verify options>]
I<verify options:>
-[-attime timestamp]
-[-check_ss_sig]
-[-crl_check]
-[-crl_check_all]
-[-explicit_policy]
-[-extended_crl]
-[-ignore_critical]
-[-inhibit_any]
-[-inhibit_map]
-[-issuer_checks]
-[-no_alt_chains]
-[-no_check_time]
-[-partial_chain]
-[-policy arg]
-[-policy_check]
-[-policy_print]
-[-purpose purpose]
-[-suiteB_128]
-[-suiteB_128_only]
-[-suiteB_192]
-[-trusted_first]
-[-use_deltas]
-[-auth_level num]
-[-verify_depth num]
-[-verify_email email]
-[-verify_hostname hostname]
-[-verify_ip ip]
-[-verify_name name]
-[-x509_strict]
+[B<-attime> I<timestamp>]
+[B<-check_ss_sig>]
+[B<-crl_check>]
+[B<-crl_check_all>]
+[B<-explicit_policy>]
+[B<-extended_crl>]
+[B<-ignore_critical>]
+[B<-inhibit_any>]
+[B<-inhibit_map>]
+[B<-issuer_checks>]
+[B<-no_alt_chains>]
+[B<-no_check_time>]
+[B<-partial_chain>]
+[B<-policy> I<arg>]
+[B<-policy_check>]
+[B<-policy_print>]
+[B<-purpose> I<purpose>]
+[B<-suiteB_128>]
+[B<-suiteB_128_only>]
+[B<-suiteB_192>]
+[B<-trusted_first>]
+[B<-use_deltas>]
+[B<-auth_level> I<num>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
+[B<-x509_strict>]
=head1 DESCRIPTION
=over 4
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-config> configfile
+=item B<-config> I<configfile>
The configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-=item B<-data> file_to_hash
+=item B<-data> I<file_to_hash>
The data file for which the time stamp request needs to be
created. stdin is the default if neither the B<-data> nor the B<-digest>
parameter is specified. (Optional)
-=item B<-digest> digest_bytes
+=item B<-digest> I<digest_bytes>
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
-=item B<-I<digest>>
+=item B<->I<digest>
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
The default is SHA-256. (Optional)
-=item B<-tspolicy> object_id
+=item B<-tspolicy> I<object_id>
The policy that the client expects the TSA to use for creating the
time stamp token. Either the dotted OID notation or OID names defined
The TSA is expected to include its signing certificate in the
response. (Optional)
-=item B<-in> request.tsq
+=item B<-in> I<request.tsq>
This option specifies a previously created time stamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
-=item B<-out> request.tsq
+=item B<-out> I<request.tsq>
Name of the output file to which the request will be written. Default
is stdout. (Optional)
=over 4
-=item B<-config> configfile
+=item B<-config> I<configfile>
The configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.
-See B<CONFIGURATION FILE OPTIONS> for configurable variables.
+See L</CONFIGURATION FILE OPTIONS> for configurable variables.
-=item B<-section> tsa_section
+=item B<-section> I<tsa_section>
The name of the config file section containing the settings for the
response generation. If not specified the default TSA section is
-used, see B<CONFIGURATION FILE OPTIONS> for details. (Optional)
+used, see L</CONFIGURATION FILE OPTIONS> for details. (Optional)
-=item B<-queryfile> request.tsq
+=item B<-queryfile> I<request.tsq>
The name of the file containing a DER encoded time stamp request. (Optional)
-=item B<-passin> password_src
+=item B<-passin> I<password_src>
Specifies the password source for the private key of the TSA. See
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional)
+description in L<openssl(1)>. (Optional)
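Review bot: the replacement for the B<PASS PHRASE ARGUMENTS> reference in the ts B<-passin> item, "See description in L<openssl(1)>", points at the whole manual page and is vaguer than the text it replaces. The other B<-passin> items in this patch (smime, spkac, storeutl) were changed to L<openssl(1)/Pass phrase options>; the same link belongs here.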
-=item B<-signer> tsa_cert.pem
+=item B<-signer> I<tsa_cert.pem>
The signer certificate of the TSA in PEM format. The TSA signing
certificate must have exactly one extended key usage assigned to it:
the certificate is going to be refused. Overrides the B<signer_cert>
variable of the config file. (Optional)
-=item B<-inkey> file_or_id
+=item B<-inkey> I<file_or_id>
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
-=item B<-I<digest>>
+=item B<->I<digest>
Signing digest to use. Overrides the B<signer_digest> config file
option. (Mandatory unless specified in the config file)
-=item B<-chain> certs_file.pem
+=item B<-chain> I<certs_file.pem>
The collection of certificates in PEM format that will all
be included in the response in addition to the signer certificate if
issuer upwards. The B<-reply> command does not build a certificate
chain automatically. (Optional)
-=item B<-tspolicy> object_id
+=item B<-tspolicy> I<object_id>
The default policy to use for the response unless the client
explicitly requires a particular TSA policy. The OID can be specified
either in dotted notation or with its name. Overrides the
B<default_policy> config file option. (Optional)
-=item B<-in> response.tsr
+=item B<-in> I<response.tsr>
Specifies a previously created time stamp response or time stamp token
(if B<-token_in> is also specified) in DER format that will be written
that the input is a DER encoded time stamp token (ContentInfo) instead
of a time stamp response (TimeStampResp). (Optional)
-=item B<-out> response.tsr
+=item B<-out> I<response.tsr>
The response is written to this file. The format and content of the
file depends on other options (see B<-text>, B<-token_out>). The default is
If this option is specified the output is human-readable text format
instead of DER. (Optional)
-=item B<-engine> id
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<ts>
to attempt to obtain a functional reference to the specified engine,
=over 4
-=item B<-data> file_to_hash
+=item B<-data> I<file_to_hash>
The response or token must be verified against file_to_hash. The file
is hashed with the message digest algorithm specified in the token.
The B<-digest> and B<-queryfile> options must not be specified with this one.
(Optional)
-=item B<-digest> digest_bytes
+=item B<-digest> I<digest_bytes>
The response or token must be verified against the message digest specified
with this option. The number of bytes must match the message digest algorithm
specified in the token. The B<-data> and B<-queryfile> options must not be
specified with this one. (Optional)
-=item B<-queryfile> request.tsq
+=item B<-queryfile> I<request.tsq>
The original time stamp request in DER format. The B<-data> and B<-digest>
options must not be specified with this one. (Optional)
-=item B<-in> response.tsr
+=item B<-in> I<response.tsr>
The time stamp response that needs to be verified in DER format. (Mandatory)
that the input is a DER encoded time stamp token (ContentInfo) instead
of a time stamp response (TimeStampResp). (Optional)
-=item B<-CApath> trusted_cert_path
+=item B<-CApath> I<trusted_cert_path>
The name of the directory containing the trusted CA certificates of the
client. See the similar option of L<verify(1)> for additional
details. Either this option or B<-CAfile> must be specified. (Optional)
-=item B<-CAfile> trusted_certs.pem
+=item B<-CAfile> I<trusted_certs.pem>
The name of the file containing a set of trusted self-signed CA
certificates in PEM format. See the similar option of
or B<-CApath> must be specified.
(Optional)
-=item B<-untrusted> cert_file.pem
+=item B<-untrusted> I<cert_file.pem>
Set of additional untrusted certificates in PEM format which may be
needed when building the certificate chain for the TSA's signing
=item I<verify options>
-The options B<-attime timestamp>, B<-check_ss_sig>, B<-crl_check>,
+The options B<-attime>, B<-check_ss_sig>, B<-crl_check>,
B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>,
B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>,
B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>,
=item B<signer_digest>
Signing digest to use. The same as the
-B<-I<digest>> command line option. (Mandatory unless specified on the command
+B<->I<digest> command line option. (Mandatory unless specified on the command
line)
=item B<default_policy>
[B<-P> CA_path]
[B<-r> file:file...]
[B<-g> EGD_socket]
-[request]...
+[B<request...>
=head1 DESCRIPTION
The name of an EGD socket to get random data from. (Optional)
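Review bot: the new tsget synopsis line +[B<request...> is missing its closing bracket and should be [B<request...>]. The three context lines above it, [B<-P> CA_path], [B<-r> file:file...] and [B<-g> EGD_socket], also still carry unformatted arguments and should get the same B<-P> I<CA_path> treatment applied everywhere else in this patch.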
-=item [request]...
+=item B<request...>
List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
requests are specified only one request will be sent to the server and it will be
B<openssl> B<verify>
[B<-help>]
-[B<-CAfile file>]
-[B<-CApath directory>]
+[B<-CAfile> I<file>]
+[B<-CApath> I<directory>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-allow_proxy_certs>]
-[B<-attime timestamp>]
+[B<-attime> I<timestamp>]
[B<-check_ss_sig>]
-[B<-CRLfile file>]
+[B<-CRLfile> I<file>]
[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
-[B<-engine id>]
+[B<-engine> I<id>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
-[B<-nameopt option>]
+[B<-nameopt> I<option>]
[B<-no_check_time>]
[B<-partial_chain>]
-[B<-policy arg>]
+[B<-policy> I<arg>]
[B<-policy_check>]
[B<-policy_print>]
-[B<-purpose purpose>]
+[B<-purpose> I<purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
-[B<-untrusted file>]
-[B<-trusted file>]
+[B<-untrusted> I<file>]
+[B<-trusted> I<file>]
[B<-use_deltas>]
[B<-verbose>]
-[B<-auth_level level>]
-[B<-verify_depth num>]
-[B<-verify_email email>]
-[B<-verify_hostname hostname>]
-[B<-verify_ip ip>]
-[B<-verify_name name>]
+[B<-auth_level> I<level>]
+[B<-verify_depth> I<num>]
+[B<-verify_email> I<email>]
+[B<-verify_hostname> I<hostname>]
+[B<-verify_ip> I<ip>]
+[B<-verify_name> I<name>]
[B<-x509_strict>]
[B<-show_chain>]
[B<-sm2-id string>]
Print out a usage message.
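Review bot: one verify synopsis line was skipped by the conversion: [B<-sm2-id string>] in the context just below the B<-verify_name> I<name> hunk still uses the old form and should become [B<-sm2-id> I<string>] for consistency with the rest of this synopsis.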
-=item B<-CAfile file>
+=item B<-CAfile> I<file>
A B<file> of trusted certificates.
The file should contain one or more certificates in PEM format.
-=item B<-CApath directory>
+=item B<-CApath> I<directory>
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
Allow the verification of proxy certificates.
-=item B<-attime timestamp>
+=item B<-attime> I<timestamp>
Perform validation checks using time specified by B<timestamp> and not
current system time. B<timestamp> is the number of seconds since
Verify the signature on the self-signed root CA. This is disabled by default
because it doesn't add any security.
-=item B<-CRLfile file>
+=item B<-CRLfile> I<file>
The B<file> should contain one or more CRLs in PEM format.
This option can be specified more than once to include CRLs from multiple
Checks the validity of B<all> certificates in the chain by attempting
to look up valid CRLs.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine B<id> will cause L<verify(1)> to attempt to load the
specified engine.
Set policy variable inhibit-policy-mapping (see RFC5280).
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
=item B<-no_check_time>
This option suppresses checking the validity period of certificates and CRLs
-against the current time. If option B<-attime timestamp> is used to specify
+against the current time. If option B<-attime> is used to specify
a verification time, the check is not suppressed.
=item B<-partial_chain>
self-signed trust-anchor, provided it is possible to construct a chain to a
trusted certificate that might not be self-signed.
-=item B<-policy arg>
+=item B<-policy> I<arg>
Enable policy processing and add B<arg> to the user-initial-policy-set (see
RFC5280). The policy B<arg> can be an object name an OID in numeric form.
Print out diagnostics related to policy processing.
-=item B<-purpose purpose>
+=item B<-purpose> I<purpose>
The intended use for the certificate. If this option is not specified,
B<verify> will not consider certificate purpose during chain verification.
As of OpenSSL 1.1.0, with B<-trusted_first> always on, this option has no
effect.
-=item B<-untrusted file>
+=item B<-untrusted> I<file>
A B<file> of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
This option can be specified more than once to include untrusted certificates
from multiple B<files>.
-=item B<-trusted file>
+=item B<-trusted> I<file>
A B<file> of trusted certificates, which must be self-signed, unless the
B<-partial_chain> option is specified.
Print extra information about the operations being performed.
-=item B<-auth_level level>
+=item B<-auth_level> I<level>
Set the certificate chain authentication security level to B<level>.
The authentication security level determines the acceptable signature and
interoperable, though it will, for example, reject MD5 signatures or RSA keys
shorter than 1024 bits.
-=item B<-verify_depth num>
+=item B<-verify_depth> I<num>
Limit the certificate chain to B<num> intermediate CA certificates.
A maximal depth chain can have up to B<num+2> certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
B<-verify_depth> limit.
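Review bot: the body still writes B<num> and B<num+2> while the heading now uses I<num>; with the placeholder italicised, "B<num+2>" is the odd one out and should become I<num>+2 (or C<num+2> if the arithmetic is meant to be shown literally), and "Limit the certificate chain to B<num>" should use I<num> as well.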
-=item B<-verify_email email>
+=item B<-verify_email> I<email>
Verify if the B<email> matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
-=item B<-verify_hostname hostname>
+=item B<-verify_hostname> I<hostname>
Verify if the B<hostname> matches DNS name in Subject Alternative Name or
Common Name in the subject certificate.
-=item B<-verify_ip ip>
+=item B<-verify_ip> I<ip>
Verify if the B<ip> matches the IP address in Subject Alternative Name of
the subject certificate.
-=item B<-verify_name name>
+=item B<-verify_name> I<name>
Use default verification policies like trust model and required certificate
policies identified by B<name>.
B<openssl> B<x509>
[B<-help>]
-[B<-inform DER|PEM>]
-[B<-outform DER|PEM>]
-[B<-keyform DER|PEM>]
-[B<-CAform DER|PEM>]
-[B<-CAkeyform DER|PEM>]
-[B<-in filename>]
-[B<-out filename>]
+[B<-inform> B<DER>|B<PEM>]
+[B<-outform> B<DER>|B<PEM>]
+[B<-keyform> B<DER>|B<PEM>]
+[B<-CAform> B<DER>|B<PEM>]
+[B<-CAkeyform> B<DER>|B<PEM>]
+[B<-in> I<filename>]
+[B<-out> I<filename>]
[B<-serial>]
[B<-hash>]
[B<-subject_hash>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
-[B<-nameopt option>]
+[B<-nameopt> I<option>]
[B<-email>]
[B<-ocsp_uri>]
[B<-startdate>]
[B<-enddate>]
[B<-purpose>]
[B<-dates>]
-[B<-checkend num>]
+[B<-checkend> I<num>]
[B<-modulus>]
[B<-pubkey>]
[B<-fingerprint>]
[B<-trustout>]
[B<-clrtrust>]
[B<-clrreject>]
-[B<-addtrust arg>]
-[B<-addreject arg>]
-[B<-setalias arg>]
-[B<-days arg>]
-[B<-set_serial n>]
-[B<-signkey filename>]
-[B<-passin arg>]
+[B<-addtrust> I<arg>]
+[B<-addreject> I<arg>]
+[B<-setalias> I<arg>]
+[B<-days> I<arg>]
+[B<-set_serial> I<n>]
+[B<-signkey> I<filename>]
+[B<-passin> I<arg>]
[B<-x509toreq>]
[B<-req>]
-[B<-CA filename>]
-[B<-CAkey filename>]
+[B<-CA> I<filename>]
+[B<-CAkey> I<filename>]
[B<-CAcreateserial>]
-[B<-CAserial filename>]
+[B<-CAserial> I<filename>]
[B<-new>]
-[B<-force_pubkey filename>]
-[B<-subj arg>]
+[B<-force_pubkey> I<filename>]
+[B<-subj> I<arg>]
[B<-text>]
-[B<-ext extensions>]
-[B<-certopt option>]
+[B<-ext> I<extensions>]
+[B<-certopt> I<option>]
[B<-C>]
-[B<-I<digest>>]
+[B<->I<digest>]
[B<-clrext>]
-[B<-extfile filename>]
-[B<-extensions section>]
-[B<-sigopt nm:v>]
-[B<-rand file...>]
-[B<-writerand file>]
-[B<-engine id>]
+[B<-extfile> I<filename>]
+[B<-extensions> I<section>]
+[B<-sigopt> I<nm>:I<v>]
+[B<-rand> I<file...>]
+[B<-writerand> I<file>]
+[B<-engine> I<id>]
[B<-preserve_dates>]
=head1 DESCRIPTION
Print out a usage message.
-=item B<-inform DER|PEM>
+=item B<-inform> B<DER>|B<PEM>
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
is the base64 encoding of the DER encoding with header and footer lines
added. The default format is PEM.
-=item B<-outform DER|PEM>
+=item B<-outform> B<DER>|B<PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
-=item B<-in filename>
+=item B<-in> I<filename>
This specifies the input filename to read a certificate from or standard input
if this option is not specified.
-=item B<-out filename>
+=item B<-out> I<filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-I<digest>>
+=item B<->I<digest>
The digest to use.
This affects any signing or display option that uses a message
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
-=item B<-rand file...>
+=item B<-rand> I<file...>
A file or files containing random data used to seed the random number
generator.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
-=item [B<-writerand file>]
+=item B<-writerand> I<file>
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
-=item B<-engine id>
+=item B<-engine> I<id>
Specifying an engine (by its unique B<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
-=item B<-ext extensions>
+=item B<-ext> I<extensions>
Prints out the certificate extensions in text form. Extensions are specified
with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier".
See the L<x509v3_config(5)> manual page for the extension names.
-=item B<-certopt option>
+=item B<-certopt> I<option>
Customise the output format used with B<-text>. The B<option> argument
can be a single option or multiple options separated by commas. The
Outputs the issuer name.
-=item B<-nameopt option>
+=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
Prints out the start and expiry dates of a certificate.
-=item B<-checkend arg>
+=item B<-checkend> I<arg>
Checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.
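Review bot: the placeholder name for this option is inconsistent between the synopsis and the item: the synopsis line was changed to "[B<-checkend> I<num>]" while the item heading here was changed to "=item B<-checkend> I<arg>" and the body says "within the next B<arg> seconds". Pick one name (I<num> matches the synopsis) and use it in all three places, marking the body occurrence with I<> rather than B<>.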
B<-trustout> option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.
-=item B<-setalias arg>
+=item B<-setalias> I<arg>
Sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example "Steve's Certificate".
Clears all the prohibited or rejected uses of the certificate.
-=item B<-addtrust arg>
+=item B<-addtrust> I<arg>
Adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
-=item B<-addreject arg>
+=item B<-addreject> I<arg>
Adds a prohibited use. It accepts the same values as the B<-addtrust>
option.
=over 4
-=item B<-signkey filename>
+=item B<-signkey> I<filename>
This option causes the input file to be self signed using the supplied
private key.
It retains any certificate extensions unless the B<-clrext> option is supplied;
this includes, for example, any existing key identifier extensions.
-=item B<-sigopt nm:v>
+=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin arg>
+=item B<-passin> I<arg>
The key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+see L<openssl(1)/Pass phrase options>.
=item B<-clrext>
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.
-=item B<-keyform PEM|DER>
+=item B<-keyform> B<DER>|B<PEM>
Specifies the format (DER or PEM) of the private key file used in the
B<-signkey> option.
-=item B<-days arg>
+=item B<-days> I<arg>
Specifies the number of days to make a certificate valid for. The default
is 30 days. Cannot be used with the B<-preserve_dates> option.
By default a certificate is expected on input. With this option a
certificate request is expected instead.
-=item B<-set_serial n>
+=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
The serial number can be decimal or hex (if preceded by B<0x>).
-=item B<-CA filename>
+=item B<-CA> I<filename>
Specifies the CA certificate to be used for signing. When this option is
present B<x509> behaves like a "mini CA". The input file is signed by this
This option is normally combined with the B<-req> option. Without the
B<-req> option the input is a certificate which must be self signed.
-=item B<-CAkey filename>
+=item B<-CAkey> I<filename>
Sets the CA private key to sign a certificate with. If this option is
not specified then it is assumed that the CA private key is present in
the CA certificate file.
-=item B<-CAserial filename>
+=item B<-CAserial> I<filename>
Sets the CA serial number file to use.
and the serial number file does not exist a random number is generated;
this is the recommended practice.
-=item B<-extfile filename>
+=item B<-extfile> I<filename>
File containing certificate extensions to use. If not specified then
no extensions are added to the certificate.
-=item B<-extensions section>
+=item B<-extensions> I<section>
The section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> and <-force_pubkey> options need to be given.
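Review bot: the unchanged context line "Instead, the B<-subj> and <-force_pubkey> options need to be given." is missing the B on the second option, so "<-force_pubkey>" will render as a literal angle-bracketed string instead of a bold option name; since the neighbouring -extensions, -force_pubkey and -subj items are all touched by this patch, fix it here to "B<-force_pubkey>".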
-=item B<-force_pubkey filename>
+=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in B<filename>
instead of the key contained in the input or given with the B<-signkey> option.
The format of the key file can be specified using the B<-keyform> option.
-=item B<-subj arg>
+=item B<-subj> I<arg>
When a certificate is created set its subject name to the given value.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
In case this creates a B<AF_UNIX> B<BIO_ADDR>, B<wherelen> is expected
to be the length of the path string (not including the terminating
NUL, such as the result of a call to strlen()).
-I<Read on about the addresses in L</RAW ADDRESSES> below>.
+Read on about the addresses in L</RAW ADDRESSES> below.
BIO_ADDR_family() returns the protocol family of the given
B<BIO_ADDR>. The possible non-error results are one of the
In case this is a B<AF_UNIX> B<BIO_ADDR>, B<l> gets the length of the
path string (not including the terminating NUL, such as the result of
a call to strlen()).
-I<Read on about the addresses in L</RAW ADDRESSES> below>.
+Read on about the addresses in L</RAW ADDRESSES> below.
BIO_ADDR_rawport() returns the raw port of the given B<BIO_ADDR>.
The raw port will be in network byte order.
signer cannot be found.
Care should be taken when modifying the default verify behaviour, for example
-setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
+setting C<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification
and any signed message will be considered valid. This combination is however
useful if one merely wishes to write the content to B<out> and its validity
is not considered important.
B<XN_FLAG_RFC2253> sets options which produce an output compatible with RFC2253 it
is equivalent to:
- B<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS>
+ C<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS>
B<XN_FLAG_ONELINE> is a more readable one line format which is the same as:
- B<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN>
+ C<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN>
B<XN_FLAG_MULTILINE> is a multiline format which is the same as:
- B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
+ C<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN>
B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally.
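Review bot: the three flag lines changed from B<...> to C<...> keep their leading space, which makes them POD verbatim paragraphs, and formatting codes are not interpreted inside verbatim paragraphs, so the rendered output will show the literal text "C<ASN1_STRFLGS_RFC2253 | ...>" with the angle brackets. Either remove the indentation so the C<> is interpreted, or keep the indentation and drop the C<...> wrapper, leaving the flag expression bare on the verbatim line.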
CONF library for their own purposes.
A configuration file is divided into a number of sections. Each section
-starts with a line B<[ section_name ]> and ends when a new section is
+starts with a line C<[section_name]> and ends when a new section is
started or end of file is reached. A section name can consist of
-alphanumeric characters and underscores.
+alphanumeric characters and underscores. The brackets are required.
The first section of a configuration file is special and is referred
to as the B<default> section. This section is usually unnamed and spans from the
Normally the I<type> argument is supplied by a function which returns a
pointer to a BIO_METHOD. There is a naming convention for such functions:
-a source/sink BIO is normally called B<BIO_s_I<*>>() and a filter BIO
-B<BIO_f_I<*>>();
+a source/sink BIO typically starts with I<BIO_s_> and
+a filter BIO with I<BIO_f_>.
=head1 EXAMPLES
if $contents =~ /=over([^ ][^24])/;
err($id, "Possible version style issue")
if $contents =~ /OpenSSL version [019]/;
+ err($id, "Brackets on item line")
+ if $contents =~ /=item \[/;
+ if ( $contents !~ /=for comment generic/) {
+ # Some API pages have B<foo<I<TYPE>bar>.
+ err($id, "Bad flag formatting inside B<>")
+ if $contents =~ /B<-[A-Za-z_ ]+ /;
+ while ( $contents =~ /([BI])<([^>]*)>/g ) {
+ my $B = $1;
+ my $T = $2;
+ next if $T =~ /E</; # Assume it's E<lt>
+ err($id, "Bad content inside $B<$T>")
+ if $T =~ /[<|]/;
+ }
+ }
if ( $contents !~ /=for comment multiple includes/ ) {
# Look for multiple consecutive openssl #include lines
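Review bot: the new "Bad flag formatting inside B<>" check uses the pattern /B<-[A-Za-z_ ]+ /, and the character class omits digits and hyphens, so an option name containing either (anything of the form B<-foo-bar arg> or B<-foo2 arg>) slips past it; widen the class to something like [-A-Za-z0-9_ ] so it covers the same option names the rest of the patch is converting. Separately, the "next if $T =~ /E</" skip in the loop below exempts the whole contents of a B<> or I<> from the "Bad content inside" test as soon as an E<> appears anywhere in it, so a stray "|" in the same code would go unreported; consider stripping the E<...> sequences from $T before testing for /[<|]/ rather than skipping the item entirely.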