xref: /freebsd/crypto/openssl/doc/man1/openssl.pod (revision ab1e0d2410ece7d391a5b1e2cbc9d1e9857c2fdb)
=pod

=head1 NAME

openssl - OpenSSL command line tool

=head1 SYNOPSIS

B<openssl>
I<command>
[ I<command_opts> ]
[ I<command_args> ]

B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]

B<openssl> B<no->I<XXX> [ I<arbitrary options> ]

=head1 DESCRIPTION

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.

The B<openssl> program is a command line tool for using the various
cryptography functions of OpenSSL's B<crypto> library from the shell.
It can be used for

 o  Creation and management of private keys, public keys and parameters
 o  Public key cryptographic operations
 o  Creation of X.509 certificates, CSRs and CRLs
 o  Calculation of Message Digests
 o  Encryption and Decryption with Ciphers
 o  SSL/TLS Client and Server Tests
 o  Handling of S/MIME signed or encrypted mail
 o  Time Stamp requests, generation and verification

=head1 COMMAND SUMMARY

The B<openssl> program provides a rich variety of commands (I<command> in the
SYNOPSIS above), each of which often has a wealth of options and arguments
(I<command_opts> and I<command_args> in the SYNOPSIS).

Detailed documentation and use cases for most standard subcommands are available
(e.g., L<x509(1)> or L<openssl-x509(1)>).

Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The environment variable B<OPENSSL_CONF> can be used to specify
the location of the file.
If the environment variable is not specified, then the file is named
B<openssl.cnf> in the default certificate storage area, whose value
depends on the configuration flags specified when OpenSSL
was built.

The list parameters B<standard-commands>, B<digest-commands>,
and B<cipher-commands> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present B<openssl> utility.

The list parameters B<cipher-algorithms> and
B<digest-algorithms> list all cipher and message digest names, one entry per
line. Aliases are listed as:

 from => to

The list parameter B<public-key-algorithms> lists all supported public
key algorithms.

The command B<no->I<XXX> tests whether a command of the
specified name is available.  If no command named I<XXX> exists, it
returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
and prints I<XXX>.  In both cases, the output goes to B<stdout> and
nothing is printed to B<stderr>.  Additional command line arguments
are always ignored.  Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the B<openssl> program.  (B<no->I<XXX> is
not able to detect pseudo-commands such as B<quit>,
B<list>, or B<no->I<XXX> itself.)
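
Added example (not part of the OpenSSL manual): a shell helper that applies the
B<no->I<XXX> test described above, cross-checking the inverted exit status
against the printed name so that a missing binary is not mistaken for an answer.
C<OPENSSL_BIN> and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: probe command/cipher availability with the no-XXX pseudo-command.
# OPENSSL_BIN is an assumption of this example; it lets the binary be overridden.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# openssl_has NAME
# Returns 0 if NAME is an available command, 1 if it is not, and 2 if the
# answer cannot be trusted (pseudo-command, missing binary, unexpected output).
openssl_has() {
    name=$1
    case $name in
        ''|quit|list|no-*) return 2 ;;   # pseudo-commands are not detectable
    esac
    # Capture stdout and the exit status without tripping "set -e" in callers.
    out=$("$OPENSSL_BIN" "no-$name" 2>/dev/null) && st=0 || st=$?
    # Exit status and printed name must agree before the result is believed.
    if [ "$st" -eq 0 ] && [ "$out" = "no-$name" ]; then
        return 1        # exit 0 and "no-NAME" printed: the command is absent
    elif [ "$st" -eq 1 ] && [ "$out" = "$name" ]; then
        return 0        # exit 1 and "NAME" printed: the command is present
    fi
    return 2
}

# first_available NAME...
# Prints the first candidate that is present; fails if none of them is.
first_available() {
    for candidate in "$@"; do
        if openssl_has "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```
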

=head2 Standard Commands

=over 4

=item B<asn1parse>

Parse an ASN.1 sequence.

=item B<ca>

Certificate Authority (CA) Management.

=item B<ciphers>

Cipher Suite Description Determination.

=item B<cms>

CMS (Cryptographic Message Syntax) utility.

=item B<crl>

Certificate Revocation List (CRL) Management.

=item B<crl2pkcs7>

CRL to PKCS#7 Conversion.

=item B<dgst>

Message Digest Calculation.

=item B<dh>

Diffie-Hellman Parameter Management.
Obsoleted by L<dhparam(1)>.

=item B<dhparam>

Generation and Management of Diffie-Hellman Parameters. Superseded by
L<genpkey(1)> and L<pkeyparam(1)>.

=item B<dsa>

DSA Data Management.

=item B<dsaparam>

DSA Parameter Generation and Management. Superseded by
L<genpkey(1)> and L<pkeyparam(1)>.

=item B<ec>

EC (Elliptic curve) key processing.

=item B<ecparam>

EC parameter manipulation and generation.

=item B<enc>

Encoding with Ciphers.

=item B<engine>

Engine (loadable module) information and manipulation.

=item B<errstr>

Error Number to Error String Conversion.

=item B<gendh>

Generation of Diffie-Hellman Parameters.
Obsoleted by L<dhparam(1)>.

=item B<gendsa>

Generation of DSA Private Key from Parameters. Superseded by
L<genpkey(1)> and L<pkey(1)>.

=item B<genpkey>

Generation of Private Key or Parameters.

=item B<genrsa>

Generation of RSA Private Key. Superseded by L<genpkey(1)>.

=item B<nseq>

Create or examine a Netscape certificate sequence.

=item B<ocsp>

Online Certificate Status Protocol utility.

=item B<passwd>

Generation of hashed passwords.

=item B<pkcs12>

PKCS#12 Data Management.

=item B<pkcs7>

PKCS#7 Data Management.

=item B<pkcs8>

PKCS#8 format private key conversion tool.

=item B<pkey>

Public and private key management.

=item B<pkeyparam>

Public key algorithm parameter management.

=item B<pkeyutl>

Public key algorithm cryptographic operation utility.

=item B<prime>

Compute prime numbers.

=item B<rand>

Generate pseudo-random bytes.

=item B<rehash>

Create symbolic links to certificate and CRL files named by the hash values.

=item B<req>

PKCS#10 X.509 Certificate Signing Request (CSR) Management.

=item B<rsa>

RSA key management.

=item B<rsautl>

RSA utility for signing, verification, encryption, and decryption. Superseded
by L<pkeyutl(1)>.

=item B<s_client>

This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It is intended for testing
purposes only and provides only rudimentary interface functionality, but
internally uses almost all of the functionality of the OpenSSL B<ssl> library.

=item B<s_server>

This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It is intended for testing purposes only and provides
only rudimentary interface functionality, but internally uses almost all of the
functionality of the OpenSSL B<ssl> library.  It provides both its own
command-line-oriented protocol for testing SSL functions and a simple HTTP
response facility to emulate an SSL/TLS-aware webserver.

=item B<s_time>

SSL Connection Timer.

=item B<sess_id>

SSL Session Data Management.

=item B<smime>

S/MIME mail processing.

=item B<speed>

Algorithm Speed Measurement.

=item B<spkac>

SPKAC printing and generating utility.

=item B<srp>

Maintain SRP password file.

=item B<storeutl>

Utility to list and display certificates, keys, CRLs, etc.

=item B<ts>

Time Stamping Authority tool (client/server).

=item B<verify>

X.509 Certificate Verification.

=item B<version>

OpenSSL Version Information.

=item B<x509>

X.509 Certificate Data Management.

=back

=head2 Message Digest Commands

=over 4

=item B<blake2b512>

BLAKE2b-512 Digest

=item B<blake2s256>

BLAKE2s-256 Digest

=item B<md2>

MD2 Digest

=item B<md4>

MD4 Digest

=item B<md5>

MD5 Digest

=item B<mdc2>

MDC2 Digest

=item B<rmd160>

RMD-160 Digest

=item B<sha1>

SHA-1 Digest

=item B<sha224>

SHA-2 224 Digest

=item B<sha256>

SHA-2 256 Digest

=item B<sha384>

SHA-2 384 Digest

=item B<sha512>

SHA-2 512 Digest

=item B<sha3-224>

SHA-3 224 Digest

=item B<sha3-256>

SHA-3 256 Digest

=item B<sha3-384>

SHA-3 384 Digest

=item B<sha3-512>

SHA-3 512 Digest

=item B<shake128>

SHA-3 SHAKE128 Digest

=item B<shake256>

SHA-3 SHAKE256 Digest

=item B<sm3>

SM3 Digest

=back

=head2 Encoding and Cipher Commands

The following aliases provide convenient access to the most used encodings
and ciphers.

Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See L<enc(1)> for more information and command usage.

=over 4

=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>

AES-128 Cipher

=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>

AES-192 Cipher

=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>

AES-256 Cipher

=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>

Aria-128 Cipher

=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>

Aria-192 Cipher

=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>

Aria-256 Cipher

=item B<base64>

Base64 Encoding

=item B<bf>, B<bf-cbc>, B<bf-cfb>, B<bf-ecb>, B<bf-ofb>

Blowfish Cipher

=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>

Camellia-128 Cipher

=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>

Camellia-192 Cipher

=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>

Camellia-256 Cipher

=item B<cast>, B<cast-cbc>

CAST Cipher

=item B<cast5-cbc>, B<cast5-cfb>, B<cast5-ecb>, B<cast5-ofb>

CAST5 Cipher

=item B<chacha20>

ChaCha20 Cipher

=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>

DES Cipher

=item B<des3>, B<desx>, B<des-ede3>, B<des-ede3-cbc>, B<des-ede3-cfb>, B<des-ede3-ofb>

Triple-DES Cipher

=item B<idea>, B<idea-cbc>, B<idea-cfb>, B<idea-ecb>, B<idea-ofb>

IDEA Cipher

=item B<rc2>, B<rc2-cbc>, B<rc2-cfb>, B<rc2-ecb>, B<rc2-ofb>

RC2 Cipher

=item B<rc4>

RC4 Cipher

=item B<rc5>, B<rc5-cbc>, B<rc5-cfb>, B<rc5-ecb>, B<rc5-ofb>

RC5 Cipher

=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>

SEED Cipher

=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>

SM4 Cipher

=back

=head1 OPTIONS

Details of which options are available depend on the specific command.
This section describes some common options with common behavior.

=head2 Common Options

=over 4

=item B<-help>

Provides a terse summary of all options.

=back

=head2 Pass Phrase Options

Several commands accept password arguments, typically using B<-passin>
and B<-passout> for input and output passwords respectively. These allow
the password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.

Note that character encoding may be relevant; see
L<passphrase-encoding(7)>.

=over 4

=item B<pass:password>

The actual password is B<password>. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.

=item B<env:var>

Obtain the password from the environment variable B<var>. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.

=item B<file:pathname>

The first line of B<pathname> is the password. If the same B<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. B<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.

=item B<fd:number>

Read the password from the file descriptor B<number>. This can be used to
send the data via a pipe for example.

=item B<stdin>

Read the password from standard input.

=back
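
Added example (not part of the OpenSSL manual): a shell audit that reads command
lines and reports which of the pass phrase sources listed above each
B<-passin>/B<-passout> uses, without echoing the secret itself. The function
names, sample command lines and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit openssl command lines for how the pass phrase is supplied.

# pass_source_exposure ARG: map a -passin/-passout argument to where it is read from.
pass_source_exposure() {
    case $1 in
        pass:*) echo argv ;;          # literal secret in the argument vector (ps)
        env:*)  echo environment ;;   # readable where process environments are visible
        file:*) echo file ;;          # first line of a file, device or named pipe
        fd:*)   echo fd ;;            # inherited descriptor, e.g. a pipe
        stdin)  echo stdin ;;
        *)      echo unknown ;;
    esac
}

# audit_pass_args: read command lines on stdin and print "LINE:OPTION:SOURCE"
# for every -passin/-passout found. The secret is never printed.
# Returns 1 if any pass phrase is given literally (pass:), otherwise 0.
audit_pass_args() {
    lineno=0; literal=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f          # word-split without globbing
        while [ $# -gt 1 ]; do
            case $1 in
                -passin|-passout)
                    arg=$(printf '%s' "$2" | tr -d "\"'")   # ignore shell quotes
                    kind=$(pass_source_exposure "$arg")
                    echo "$lineno:$1:$kind"
                    [ "$kind" = argv ] && literal=1
                    shift ;;
            esac
            shift
        done
    done
    [ "$literal" -eq 0 ]
}

# Constructed sample input (not taken from any real system).
sample_commands() {
    cat <<'EOF'
openssl rsa -in key.pem -passin pass:example-secret -out new.pem -passout env:NEW_PW
openssl pkcs12 -in bundle.p12 -nodes -passin fd:3
openssl rsa -in key.pem -passin file:/run/secrets/keypass -noout
EOF
}
```

Running C<sample_commands | audit_pass_args> reports line 1 as using the B<pass:> form and exits with status 1.
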

=head1 SEE ALSO

L<asn1parse(1)>, L<ca(1)>, L<ciphers(1)>, L<cms(1)>, L<config(5)>,
L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
L<ec(1)>, L<ecparam(1)>,
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
L<passwd(1)>,
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
L<rsautl(1)>, L<s_client(1)>,
L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
L<ts(1)>,
L<verify(1)>, L<version(1)>, L<x509(1)>,
L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>

=head1 HISTORY

The B<list->I<XXX>B<-algorithms> pseudo-commands were added in OpenSSL 1.0.0.
For notes on the availability of other commands, see their individual
manual pages.

=head1 COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
