version 1.32, 2016/02/12 13:03:19 |
version 1.33, 2016/07/16 07:27:53 |
|
|
.Nm
program is a command line tool for using the various
cryptography functions of
.Nm OpenSSL Ns Li 's |
.Nm OpenSSL Ns 's |
.Em crypto |
crypto library from the shell. |
library from the shell. |
|
It can be used for
.Pp
.Bl -bullet -offset indent -compact
.It
Creation and management of private keys, public keys, and parameters
.It
Public key cryptographic operations
.It
Creation of X.509 certificates, CSRs and CRLs
.It
Calculation of Message Digests
.It
Encryption and Decryption with Ciphers
.It
SSL/TLS Client and Server Tests
.It
Handling of S/MIME signed or encrypted mail
.It
Time stamp requests, generation, and verification
.El
.Sh COMMAND SUMMARY
The
.Nm
program provides a rich variety of commands
.Pf ( Cm command
in the
.Sx SYNOPSIS
above),
each of which often has a wealth of options and arguments
.Pf ( Ar command_opts
and
.Ar command_args
in the
.Sx SYNOPSIS ) .
.Pp
The pseudo-commands
.Cm list-standard-commands , list-message-digest-commands ,
and
|
|
one entry per line.
Aliases are listed as:
.Pp
.D1 from =\*(Gt to |
.D1 from => to |
.Pp
The pseudo-command
.Cm list-public-key-algorithms
|
|
or
.Cm no- Ns Ar XXX
itself.
.Sh STANDARD COMMANDS
.Bl -tag -width "asn1parse"
.It Cm asn1parse
Parse an ASN.1 sequence.
.It Cm ca
Certificate Authority
.Pq CA
management.
.It Cm ciphers
Cipher suite description determination.
.It Cm crl
Certificate Revocation List
.Pq CRL
management.
.It Cm crl2pkcs7
CRL to PKCS#7 conversion.
.It Cm dgst
Message digest calculation.
.It Cm dh
Diffie-Hellman parameter management.
Obsoleted by
.Cm dhparam .
.It Cm dhparam
Generation and management of Diffie-Hellman parameters.
Superseded by
.Cm genpkey
and
.Cm pkeyparam .
.It Cm dsa
DSA data management.
.It Cm dsaparam
DSA parameter generation and management.
Superseded by
.Cm genpkey
and
.Cm pkeyparam .
.It Cm ec
Elliptic curve (EC) key processing.
.It Cm ecparam
EC parameter manipulation and generation.
.It Cm enc
Encoding with ciphers.
.It Cm errstr
Error number to error string conversion.
.It Cm gendh
Generation of Diffie-Hellman parameters.
Obsoleted by
.Cm dhparam .
.It Cm gendsa
Generation of DSA private key from parameters.
Superseded by
.Cm genpkey
and
.Cm pkey .
.It Cm genpkey
Generation of private keys or parameters.
.It Cm genrsa
Generation of RSA private key.
Superseded by
.Cm genpkey .
.It Cm nseq
Create or examine a Netscape certificate sequence.
.It Cm ocsp
Online Certificate Status Protocol utility.
.It Cm passwd
Generation of hashed passwords.
.It Cm pkcs7
PKCS#7 data management.
.It Cm pkcs8
PKCS#8 data management.
.It Cm pkcs12
PKCS#12 data management.
.It Cm pkey
Public and private key management.
.It Cm pkeyparam
Public key algorithm parameter management.
.It Cm pkeyutl
Public key algorithm cryptographic operation utility.
.It Cm prime
Generate prime numbers or test numbers for primality.
.It Cm rand
Generate pseudo-random bytes.
.It Cm req
PKCS#10 X.509 Certificate Signing Request
.Pq CSR
management.
.It Cm rsa
RSA key management.
.It Cm rsautl
RSA utility for signing, verification, encryption, and decryption.
Superseded by
.Cm pkeyutl .
.It Cm s_client
This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS.
It's intended for testing purposes only and provides only rudimentary
interface functionality but internally uses mostly all functionality of the
.Nm OpenSSL
.Em ssl
library.
.It Cm s_server
This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS.
It's intended for testing purposes only and provides only rudimentary
interface functionality but internally uses mostly all functionality of the
.Nm OpenSSL
.Em ssl
library.
It provides both an own command line oriented protocol for testing
SSL functions and a simple HTTP response
facility to emulate an SSL/TLS-aware webserver.
.It Cm s_time
SSL connection timer.
.It Cm sess_id
SSL session data management.
.It Cm smime
S/MIME mail processing.
.It Cm speed
Algorithm speed measurement.
.It Cm spkac
SPKAC printing and generating utility.
.It Cm ts
Time stamping authority tool (client/server).
.It Cm verify
X.509 certificate verification.
.It Cm version
.Nm OpenSSL
version information.
.It Cm x509
X.509 certificate data management.
.El
.Sh MESSAGE DIGEST COMMANDS
.Bl -tag -width "streebog512"
.It Cm gost-mac
GOST-MAC digest.
.It Cm streebog256
Streebog-256 digest.
.It Cm streebog512
Streebog-512 digest.
.It Cm md_gost94
GOST R 34.11-94 digest.
.It Cm md4
MD4 digest.
.It Cm md5
MD5 digest.
.It Cm ripemd160
RIPEMD-160 digest.
.It Cm sha
SHA digest.
.It Cm sha1
SHA-1 digest.
.It Cm sha224
SHA-224 digest.
.It Cm sha256
SHA-256 digest.
.It Cm sha384
SHA-384 digest.
.It Cm sha512
SHA-512 digest.
.It Cm whirlpool
Whirlpool digest.
.El
.Sh ENCODING AND CIPHER COMMANDS
.Bl -tag -width Ds -compact
.It Cm aes-128-cbc | aes-128-ecb | aes-192-cbc | aes-192-ecb
.It Cm aes-256-cbc | aes-256-ecb
AES cipher.
.Pp
.It Cm base64
Base64 encoding.
.Pp
.It Xo
.Cm bf | bf-cbc | bf-cfb |
.Cm bf-ecb | bf-ofb
.Xc
Blowfish cipher.
.Pp
.It Cm cast | cast-cbc
CAST cipher.
.Pp
.It Cm cast5-cbc | cast5-cfb | cast5-ecb | cast5-ofb
CAST5 cipher.
.Pp
.It Xo
.Cm des | des-cbc | des-cfb | des-ecb |
.Cm des-ede | des-ede-cbc
.Xc
.It Cm des-ede-cfb | des-ede-ofb | des-ofb
DES cipher.
.Pp
.It Xo
.Cm des3 | desx | des-ede3 |
.Cm des-ede3-cbc | des-ede3-cfb | des-ede3-ofb
.Xc
Triple DES cipher.
.Pp
.It Xo
.Cm rc2 | rc2-40-cbc | rc2-64-cbc | rc2-cbc |
.Cm rc2-cfb | rc2-ecb | rc2-ofb
.Xc
RC2 cipher.
.Pp
.It Cm rc4 | rc4-40
RC4 cipher.
.El
.Sh PASS PHRASE ARGUMENTS
Several commands accept password arguments, typically using
.Fl passin
and
.Fl passout
for input and output passwords, respectively.
These allow the password to be obtained from a variety of sources.
Both of these options take a single argument whose format is described below.
If no password argument is given and a password is required,
then the user is prompted to enter one:
this will typically be read from the current terminal with echoing turned off.
.Bl -tag -width "fd:number"
.It Ar pass : Ns Ar password
The actual password is
.Ar password .
Since the password is visible to utilities
(like
.Xr ps 1
under
.Ux )
this form should only be used where security is not important.
.It Ar env : Ns Ar var
Obtain the password from the environment variable
.Ar var .
Since the environment of other processes is visible on certain platforms
(e.g.\&
.Xr ps 1
under certain
.Ux
OSes) this option should be used with caution.
.It Ar file : Ns Ar path
The first line of
.Ar path
is the password.
If the same
.Ar path
argument is supplied to
.Fl passin
and
.Fl passout ,
then the first line will be used for the input password and the next line
for the output password.
.Ar path
need not refer to a regular file:
it could, for example, refer to a device or named pipe.
.It Ar fd : Ns Ar number
Read the password from the file descriptor
.Ar number .
This can be used to send the data via a pipe for example.
.It Ar stdin
Read the password from standard input.
.El
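A resolver for the argument grammar just described, added here as an example and not taken from the manual or from OpenSSL's own code; the PassSource class and the demo() helper are assumptions, and the secrets, temporary file and pipe are constructed. It keeps the file: handle open between lookups, so the documented two-line behaviour for one path given to both -passin and -passout falls out of the same code path:

```python
# Added example, not from the openssl(1) manual or the OpenSSL sources:
# a resolver for the -passin/-passout argument grammar described above.
import getpass
import os
import sys
import tempfile


class PassSource:
    """Resolve pass:, env:, file:, fd: and stdin arguments to a password."""

    def __init__(self, environ=None):
        self.environ = os.environ if environ is None else environ
        # file: paths stay open across calls, so one path given to both
        # -passin and -passout yields line one, then line two (as documented).
        self._files = {}

    def resolve(self, arg):
        if arg is None:  # no argument given: prompt with echo turned off
            return getpass.getpass("Enter pass phrase: ")
        if arg == "stdin":
            return sys.stdin.readline().rstrip("\n")
        kind, sep, value = arg.partition(":")
        if not sep:
            raise ValueError("invalid password source %r" % arg)
        if kind == "pass":
            return value  # visible in ps(1) output; the weakest form
        if kind == "env":
            if value not in self.environ:
                raise ValueError("environment variable %s is not set" % value)
            return self.environ[value]
        if kind == "file":  # regular file, device or named pipe all work
            f = self._files.get(value)
            if f is None:
                f = self._files[value] = open(value, "r")
            line = f.readline()
            if line == "":
                raise ValueError("no password line left in %s" % value)
            return line.rstrip("\n")
        if kind == "fd":  # one line from an inherited descriptor, e.g. a pipe
            with os.fdopen(int(value), "r", closefd=False) as f:
                return f.readline().rstrip("\n")
        raise ValueError("unknown password source %r" % kind)


def demo():
    """Exercise each source on constructed inputs and return the results."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:  # constructed: one password per line
        f.write("input-secret\noutput-secret\n")
    rfd, wfd = os.pipe()  # constructed: what a caller would feed via fd:
    os.write(wfd, b"piped-secret\n")
    os.close(wfd)
    src = PassSource(environ={"KEYPW": "env-secret"})  # constructed env
    try:
        return {"pass": src.resolve("pass:plain-secret"),
                "env": src.resolve("env:KEYPW"),
                "passin": src.resolve("file:" + path),   # first line
                "passout": src.resolve("file:" + path),  # second line
                "fd": src.resolve("fd:%d" % rfd)}
    finally:
        os.close(rfd)
        os.unlink(path)
```

Only the fd: and file: forms keep the secret out of the process argument list and environment, which is the distinction the section above draws.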
|
.\"
.\" ASN1PARSE
.\"
|
|
appended.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl policy Ar arg
This option defines the CA
.Qq policy
|
|
The file to output to, or standard output by default.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl prverify Ar file
Verify the signature using the private key in
.Ar file .
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubin
By default, a private key is read from the input file.
With this option a public key is read instead.
|
|
.Nm OpenSSL .
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubin
By default a private key is read from the input file;
with this option a public key is read instead.
|
|
used.
.It Fl pass Ar arg
The password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl S Ar salt
The actual
.Ar salt
|
|
are mutually exclusive.
.It Fl pass Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pkeyopt Ar opt : Ns Ar value
Set the public key algorithm option
.Ar opt
|
|
If this argument is not specified, standard output is used.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Ar numbits
The size of the private key to generate in bits.
This must be the last option specified.
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl topk8
Normally, a PKCS#8 private key is expected on input and a traditional format
private key will be written.
|
|
They are all written in PEM format.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl twopass
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
|
|
Standard output is used by default.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.El
.Sh PKCS12 NOTES
Although there are a large number of options,
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubin
By default a private key is read from the input file:
with this option a public key is read instead.
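Review bot: the -passout cross-reference in this hunk drops the comma after `.Ar arg` (the lines `.Ar arg` / `see the`), while every other cross-reference this change adds is written `.Ar arg ,`; add the trailing comma so the sentence renders as "the format of arg, see the PASS PHRASE ARGUMENTS section above" like the rest.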
|
|
or standard output by default.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl peerform Ar DER | PEM
The peer key format DER or PEM.
.It Fl peerkey Ar file
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubkey
Outputs the public key.
.It Fl reqopt Ar option
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl passout Ar arg
The output file password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubin
By default, a private key is read from the input file; with this
option a public key is read instead.
|
|
this option has no effect.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl recip Ar file
The recipients certificate when decrypting a message.
This certificate
|
|
The default is stdout.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl policy Ar object_id
The default policy to use for the response unless the client
explicitly requires a particular TSA policy.
|
|
to write to, or standard output by default.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.It Fl pubkey
Output the public key of an SPKAC
.Pq not used if an SPKAC is being created .
|
|
option.
.It Fl passin Ar arg
The key password source.
For more information about the format of
.Ar arg ,
see the
.Sx PASS PHRASE ARGUMENTS
section above.
.El
.Sh X509 DISPLAY OPTIONS
.Sy Note :
|
|
must have their links rebuilt using
.Ar c_rehash
or similar.
|
.Sh NOTES |
|
.\"
.\" FILES
.\"