Annotation of src/usr.bin/openssl/openssl.1, Revision 1.64
1.64 ! jmc 1: .\" $OpenBSD: openssl.1,v 1.63 2016/08/27 20:43:05 jmc Exp $
1.1 jsing 2: .\" ====================================================================
3: .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4: .\"
5: .\" Redistribution and use in source and binary forms, with or without
6: .\" modification, are permitted provided that the following conditions
7: .\" are met:
8: .\"
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\"
12: .\" 2. Redistributions in binary form must reproduce the above copyright
13: .\" notice, this list of conditions and the following disclaimer in
14: .\" the documentation and/or other materials provided with the
15: .\" distribution.
16: .\"
17: .\" 3. All advertising materials mentioning features or use of this
18: .\" software must display the following acknowledgment:
19: .\" "This product includes software developed by the OpenSSL Project
20: .\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
21: .\"
22: .\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23: .\" endorse or promote products derived from this software without
24: .\" prior written permission. For written permission, please contact
25: .\" openssl-core@openssl.org.
26: .\"
27: .\" 5. Products derived from this software may not be called "OpenSSL"
28: .\" nor may "OpenSSL" appear in their names without prior written
29: .\" permission of the OpenSSL Project.
30: .\"
31: .\" 6. Redistributions of any form whatsoever must retain the following
32: .\" acknowledgment:
33: .\" "This product includes software developed by the OpenSSL Project
34: .\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
35: .\"
36: .\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37: .\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39: .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40: .\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41: .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42: .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43: .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45: .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46: .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47: .\" OF THE POSSIBILITY OF SUCH DAMAGE.
48: .\" ====================================================================
49: .\"
50: .\" This product includes cryptographic software written by Eric Young
51: .\" (eay@cryptsoft.com). This product includes software written by Tim
52: .\" Hudson (tjh@cryptsoft.com).
53: .\"
54: .\"
55: .\" Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
56: .\" All rights reserved.
57: .\"
58: .\" This package is an SSL implementation written
59: .\" by Eric Young (eay@cryptsoft.com).
60: .\" The implementation was written so as to conform with Netscapes SSL.
61: .\"
62: .\" This library is free for commercial and non-commercial use as long as
63: .\" the following conditions are aheared to. The following conditions
64: .\" apply to all code found in this distribution, be it the RC4, RSA,
65: .\" lhash, DES, etc., code; not just the SSL code. The SSL documentation
66: .\" included with this distribution is covered by the same copyright terms
67: .\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
68: .\"
69: .\" Copyright remains Eric Young's, and as such any Copyright notices in
70: .\" the code are not to be removed.
71: .\" If this package is used in a product, Eric Young should be given attribution
72: .\" as the author of the parts of the library used.
73: .\" This can be in the form of a textual message at program startup or
74: .\" in documentation (online or textual) provided with the package.
75: .\"
76: .\" Redistribution and use in source and binary forms, with or without
77: .\" modification, are permitted provided that the following conditions
78: .\" are met:
79: .\" 1. Redistributions of source code must retain the copyright
80: .\" notice, this list of conditions and the following disclaimer.
81: .\" 2. Redistributions in binary form must reproduce the above copyright
82: .\" notice, this list of conditions and the following disclaimer in the
83: .\" documentation and/or other materials provided with the distribution.
84: .\" 3. All advertising materials mentioning features or use of this software
85: .\" must display the following acknowledgement:
86: .\" "This product includes cryptographic software written by
87: .\" Eric Young (eay@cryptsoft.com)"
88: .\" The word 'cryptographic' can be left out if the rouines from the library
89: .\" being used are not cryptographic related :-).
90: .\" 4. If you include any Windows specific code (or a derivative thereof) from
91: .\" the apps directory (application code) you must include an
92: .\" acknowledgement:
93: .\" "This product includes software written by Tim Hudson
94: .\" (tjh@cryptsoft.com)"
95: .\"
96: .\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
97: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
98: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
99: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
100: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
101: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
102: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
103: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
104: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
105: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
106: .\" SUCH DAMAGE.
107: .\"
108: .\" The licence and distribution terms for any publically available version or
109: .\" derivative of this code cannot be changed. i.e. this code cannot simply be
110: .\" copied and put under another distribution licence
111: .\" [including the GNU Public Licence.]
112: .\"
113: .\" OPENSSL
114: .\"
1.64 ! jmc 115: .Dd $Mdocdate: August 27 2016 $
1.1 jsing 116: .Dt OPENSSL 1
117: .Os
118: .Sh NAME
119: .Nm openssl
120: .Nd OpenSSL command line tool
121: .Sh SYNOPSIS
122: .Nm
123: .Cm command
124: .Op Ar command_opts
125: .Op Ar command_args
126: .Pp
127: .Nm
1.13 bentley 128: .Cm list-standard-commands |
129: .Cm list-message-digest-commands |
130: .Cm list-cipher-commands |
131: .Cm list-cipher-algorithms |
132: .Cm list-message-digest-algorithms |
1.1 jsing 133: .Cm list-public-key-algorithms
134: .Pp
135: .Nm
1.39 jmc 136: .Cm no- Ns Ar command
1.1 jsing 137: .Sh DESCRIPTION
138: .Nm OpenSSL
1.31 jmc 139: is a cryptography toolkit implementing the
140: Transport Layer Security
1.1 jsing 141: .Pq TLS v1
1.31 jmc 142: network protocol,
143: as well as related cryptography standards.
1.1 jsing 144: .Pp
145: The
146: .Nm
147: program is a command line tool for using the various
148: cryptography functions of
1.39 jmc 149: .Nm openssl Ns 's
1.33 jmc 150: crypto library from the shell.
1.1 jsing 151: .Pp
152: The pseudo-commands
153: .Cm list-standard-commands , list-message-digest-commands ,
154: and
155: .Cm list-cipher-commands
156: output a list
157: .Pq one entry per line
158: of the names of all standard commands, message digest commands,
159: or cipher commands, respectively, that are available in the present
160: .Nm
161: utility.
162: .Pp
163: The pseudo-commands
164: .Cm list-cipher-algorithms
165: and
166: .Cm list-message-digest-algorithms
167: list all cipher and message digest names,
168: one entry per line.
169: Aliases are listed as:
170: .Pp
1.33 jmc 171: .D1 from => to
1.1 jsing 172: .Pp
173: The pseudo-command
174: .Cm list-public-key-algorithms
175: lists all supported public key algorithms.
176: .Pp
177: The pseudo-command
1.39 jmc 178: .Cm no- Ns Ar command
1.1 jsing 179: tests whether a command of the
180: specified name is available.
1.39 jmc 181: If
182: .Ar command
183: does not exist,
1.1 jsing 184: it returns 0
185: and prints
1.39 jmc 186: .Cm no- Ns Ar command ;
1.1 jsing 187: otherwise it returns 1 and prints
1.39 jmc 188: .Ar command .
189: In both cases, the output goes to stdout and nothing is printed to stderr.
1.1 jsing 190: Additional command line arguments are always ignored.
191: Since for each cipher there is a command of the same name,
192: this provides an easy way for shell scripts to test for the
193: availability of ciphers in the
194: .Nm
195: program.
196: .Pp
197: .Sy Note :
1.39 jmc 198: .Cm no- Ns Ar command
1.1 jsing 199: is not able to detect pseudo-commands such as
200: .Cm quit ,
201: .Cm list- Ns Ar ... Ns Cm -commands ,
202: or
1.39 jmc 203: .Cm no- Ns Ar command
1.1 jsing 204: itself.
205: .Sh ASN1PARSE
206: .nr nS 1
207: .Nm "openssl asn1parse"
208: .Op Fl i
209: .Op Fl dlimit Ar number
210: .Op Fl dump
211: .Op Fl genconf Ar file
212: .Op Fl genstr Ar str
213: .Op Fl in Ar file
1.34 jmc 214: .Op Fl inform Cm der | pem | txt
1.1 jsing 215: .Op Fl length Ar number
216: .Op Fl noout
217: .Op Fl offset Ar number
218: .Op Fl oid Ar file
219: .Op Fl out Ar file
220: .Op Fl strparse Ar offset
221: .nr nS 0
222: .Pp
223: The
224: .Nm asn1parse
225: command is a diagnostic utility that can parse ASN.1 structures.
226: It can also be used to extract data from ASN.1 formatted data.
227: .Pp
228: The options are as follows:
229: .Bl -tag -width Ds
230: .It Fl dlimit Ar number
231: Dump the first
232: .Ar number
233: bytes of unknown data in hex form.
234: .It Fl dump
235: Dump unknown data in hex form.
236: .It Fl genconf Ar file , Fl genstr Ar str
237: Generate encoded data based on string
238: .Ar str ,
239: file
240: .Ar file ,
1.34 jmc 241: or both, using the format described in
242: .Xr ASN1_generate_nconf 3 .
1.1 jsing 243: If only
244: .Ar file
245: is present then the string is obtained from the default section
246: using the name
247: .Dq asn1 .
248: The encoded data is passed through the ASN1 parser and printed out as
249: though it came from a file;
250: the contents can thus be examined and written to a file using the
251: .Fl out
252: option.
253: .It Fl i
1.34 jmc 254: Indent the output according to the
1.1 jsing 255: .Qq depth
256: of the structures.
257: .It Fl in Ar file
1.41 jmc 258: The input file to read from, or standard input if not specified.
1.34 jmc 259: .It Fl inform Cm der | pem | txt
1.1 jsing 260: The input format.
261: .It Fl length Ar number
1.34 jmc 262: Number of bytes to parse; the default is until end of file.
1.1 jsing 263: .It Fl noout
1.46 jmc 264: Do not output the parsed version of the input file.
1.1 jsing 265: .It Fl offset Ar number
1.34 jmc 266: Starting offset to begin parsing; the default is start of file.
1.1 jsing 267: .It Fl oid Ar file
268: A file containing additional object identifiers
269: .Pq OIDs .
270: If an OID
271: .Pq object identifier
272: is not part of
1.34 jmc 273: .Nm openssl Ns 's
1.1 jsing 274: internal table it will be represented in
275: numerical form
276: .Pq for example 1.2.3.4 .
1.34 jmc 277: .Pp
1.1 jsing 278: Each line consists of three columns:
279: the first column is the OID in numerical format and should be followed by
280: whitespace.
281: The second column is the
1.34 jmc 282: .Qq short name ,
1.1 jsing 283: which is a single word followed by whitespace.
284: The final column is the rest of the line and is the
285: .Qq long name .
286: .Nm asn1parse
287: displays the long name.
1.34 jmc 288: .It Fl out Ar file
289: The DER-encoded output file; the default is no encoded output
290: (useful when combined with
291: .Fl strparse ) .
292: .It Fl strparse Ar offset
293: Parse the content octets of the ASN.1 object starting at
294: .Ar offset .
295: This option can be used multiple times to
296: .Qq drill down
297: into a nested structure.
298: .El
1.1 jsing 299: .Sh CA
300: .nr nS 1
301: .Nm "openssl ca"
302: .Op Fl batch
303: .Op Fl cert Ar file
304: .Op Fl config Ar file
305: .Op Fl crl_CA_compromise Ar time
306: .Op Fl crl_compromise Ar time
307: .Op Fl crl_hold Ar instruction
308: .Op Fl crl_reason Ar reason
309: .Op Fl crldays Ar days
310: .Op Fl crlexts Ar section
311: .Op Fl crlhours Ar hours
312: .Op Fl days Ar arg
313: .Op Fl enddate Ar date
314: .Op Fl extensions Ar section
315: .Op Fl extfile Ar section
316: .Op Fl gencrl
317: .Op Fl in Ar file
318: .Op Fl infiles
319: .Op Fl key Ar keyfile
320: .Op Fl keyfile Ar arg
1.22 bcook 321: .Op Fl keyform Ar PEM
1.1 jsing 322: .Op Fl md Ar arg
323: .Op Fl msie_hack
324: .Op Fl name Ar section
325: .Op Fl noemailDN
326: .Op Fl notext
327: .Op Fl out Ar file
328: .Op Fl outdir Ar dir
329: .Op Fl passin Ar arg
330: .Op Fl policy Ar arg
331: .Op Fl preserveDN
332: .Op Fl revoke Ar file
333: .Op Fl spkac Ar file
334: .Op Fl ss_cert Ar file
335: .Op Fl startdate Ar date
336: .Op Fl status Ar serial
337: .Op Fl subj Ar arg
338: .Op Fl updatedb
339: .Op Fl verbose
340: .nr nS 0
341: .Pp
342: The
343: .Nm ca
1.35 jmc 344: command is a minimal certificate authority (CA) application.
1.1 jsing 345: It can be used to sign certificate requests in a variety of forms
1.35 jmc 346: and generate certificate revocation lists (CRLs).
1.1 jsing 347: It also maintains a text database of issued certificates and their status.
348: .Pp
1.35 jmc 349: The options relevant to CAs are as follows:
1.1 jsing 350: .Bl -tag -width "XXXX"
351: .It Fl batch
1.41 jmc 352: Batch mode.
1.1 jsing 353: In this mode no questions will be asked
354: and all certificates will be certified automatically.
355: .It Fl cert Ar file
356: The CA certificate file.
357: .It Fl config Ar file
358: Specifies the configuration file to use.
359: .It Fl days Ar arg
360: The number of days to certify the certificate for.
361: .It Fl enddate Ar date
1.41 jmc 362: Set the expiry date.
1.1 jsing 363: The format of the date is YYMMDDHHMMSSZ
364: .Pq the same as an ASN1 UTCTime structure .
365: .It Fl extensions Ar section
366: The section of the configuration file containing certificate extensions
367: to be added when a certificate is issued (defaults to
1.35 jmc 368: .Cm x509_extensions
1.1 jsing 369: unless the
370: .Fl extfile
371: option is used).
372: If no extension section is present, a V1 certificate is created.
373: If the extension section is present
374: .Pq even if it is empty ,
375: then a V3 certificate is created.
376: .It Fl extfile Ar file
377: An additional configuration
378: .Ar file
379: to read certificate extensions from
380: (using the default section unless the
381: .Fl extensions
382: option is also used).
383: .It Fl in Ar file
384: An input
385: .Ar file
386: containing a single certificate request to be signed by the CA.
387: .It Fl infiles
388: If present, this should be the last option; all subsequent arguments
389: are assumed to be the names of files containing certificate requests.
390: .It Fl key Ar keyfile
391: The password used to encrypt the private key.
1.35 jmc 392: Since on some systems the command line arguments are visible,
393: this option should be used with caution.
1.1 jsing 394: .It Fl keyfile Ar file
395: The private key to sign requests with.
1.22 bcook 396: .It Fl keyform Ar PEM
1.1 jsing 397: Private key file format.
398: .It Fl md Ar alg
399: The message digest to use.
400: Possible values include
401: .Ar md5
402: and
403: .Ar sha1 .
404: This option also applies to CRLs.
405: .It Fl msie_hack
406: This is a legacy option to make
407: .Nm ca
408: work with very old versions of the IE certificate enrollment control
409: .Qq certenr3 .
410: It used UniversalStrings for almost everything.
411: Since the old control has various security bugs,
412: its use is strongly discouraged.
413: The newer control
414: .Qq Xenroll
415: does not need this option.
416: .It Fl name Ar section
417: Specifies the configuration file
418: .Ar section
419: to use (overrides
420: .Cm default_ca
421: in the
422: .Cm ca
423: section).
424: .It Fl noemailDN
425: The DN of a certificate can contain the EMAIL field if present in the
1.30 mmcc 426: request DN, however it is good policy just having the email set into
1.1 jsing 427: the
1.35 jmc 428: .Cm altName
1.1 jsing 429: extension of the certificate.
430: When this option is set, the EMAIL field is removed from the certificate's
431: subject and set only in the, eventually present, extensions.
432: The
433: .Ar email_in_dn
434: keyword can be used in the configuration file to enable this behaviour.
435: .It Fl notext
436: Don't output the text form of a certificate to the output file.
437: .It Fl out Ar file
438: The output file to output certificates to.
439: The default is standard output.
440: The certificate details will also be printed out to this file.
441: .It Fl outdir Ar directory
442: The
443: .Ar directory
444: to output certificates to.
445: The certificate will be written to a file consisting of the
446: serial number in hex with
447: .Qq .pem
448: appended.
449: .It Fl passin Ar arg
450: The key password source.
451: .It Fl policy Ar arg
1.41 jmc 452: Define the CA
1.1 jsing 453: .Qq policy
454: to use.
1.35 jmc 455: The policy section in the configuration file
456: consists of a set of variables corresponding to certificate DN fields.
457: The values may be one of
458: .Qq match
459: (the value must match the same field in the CA certificate),
460: .Qq supplied
461: (the value must be present), or
462: .Qq optional
463: (the value may be present).
464: Any fields not mentioned in the policy section
465: are silently deleted, unless the
466: .Fl preserveDN
467: option is set,
468: but this can be regarded more of a quirk than intended behaviour.
1.1 jsing 469: .It Fl preserveDN
470: Normally, the DN order of a certificate is the same as the order of the
471: fields in the relevant policy section.
472: When this option is set, the order is the same as the request.
473: This is largely for compatibility with the older IE enrollment control
474: which would only accept certificates if their DNs matched the order of the
475: request.
476: This is not needed for Xenroll.
477: .It Fl spkac Ar file
478: A file containing a single Netscape signed public key and challenge,
479: and additional field values to be signed by the CA.
1.35 jmc 480: This will usually come from the
481: KEYGEN tag in an HTML form to create a new private key.
482: It is, however, possible to create SPKACs using the
483: .Nm spkac
484: utility.
485: .Pp
486: The file should contain the variable SPKAC set to the value of
487: the SPKAC and also the required DN components as name value pairs.
488: If it's necessary to include the same component twice,
489: then it can be preceded by a number and a
490: .Sq \&. .
1.1 jsing 491: .It Fl ss_cert Ar file
492: A single self-signed certificate to be signed by the CA.
493: .It Fl startdate Ar date
1.41 jmc 494: Set the start date.
1.1 jsing 495: The format of the date is YYMMDDHHMMSSZ
496: .Pq the same as an ASN1 UTCTime structure .
497: .It Fl status Ar serial
1.35 jmc 498: Show the status of the certificate with serial number
1.1 jsing 499: .Ar serial .
500: .It Fl updatedb
501: Update database for expired certificates.
502: .It Fl verbose
1.41 jmc 503: Print extra details about the operations being performed.
1.1 jsing 504: .El
1.35 jmc 505: .Pp
506: The options relevant to CRLs are as follows:
1.1 jsing 507: .Bl -tag -width "XXXX"
508: .It Fl crl_CA_compromise Ar time
509: This is the same as
510: .Fl crl_compromise ,
511: except the revocation reason is set to CACompromise.
512: .It Fl crl_compromise Ar time
1.41 jmc 513: Set the revocation reason to keyCompromise and the compromise time to
1.1 jsing 514: .Ar time .
515: .Ar time
516: should be in GeneralizedTime format, i.e. YYYYMMDDHHMMSSZ.
517: .It Fl crl_hold Ar instruction
1.41 jmc 518: Set the CRL revocation reason code to certificateHold and the hold
1.1 jsing 519: instruction to
520: .Ar instruction
521: which must be an OID.
522: Although any OID can be used, only holdInstructionNone
523: (the use of which is discouraged by RFC 2459), holdInstructionCallIssuer or
524: holdInstructionReject will normally be used.
525: .It Fl crl_reason Ar reason
526: Revocation reason, where
527: .Ar reason
528: is one of:
529: unspecified, keyCompromise, CACompromise, affiliationChanged, superseded,
530: cessationOfOperation, certificateHold or removeFromCRL.
531: The matching of
532: .Ar reason
533: is case insensitive.
534: Setting any revocation reason will make the CRL v2.
535: In practice, removeFromCRL is not particularly useful because it is only used
536: in delta CRLs which are not currently implemented.
537: .It Fl crldays Ar num
538: The number of days before the next CRL is due.
539: This is the days from now to place in the CRL
1.35 jmc 540: .Cm nextUpdate
1.1 jsing 541: field.
542: .It Fl crlexts Ar section
543: The
544: .Ar section
545: of the configuration file containing CRL extensions to include.
546: If no CRL extension section is present then a V1 CRL is created;
547: if the CRL extension section is present
548: .Pq even if it is empty
549: then a V2 CRL is created.
550: The CRL extensions specified are CRL extensions and
551: .Em not
552: CRL entry extensions.
553: It should be noted that some software
554: .Pq for example Netscape
555: can't handle V2 CRLs.
556: .It Fl crlhours Ar num
557: The number of hours before the next CRL is due.
558: .It Fl gencrl
1.41 jmc 559: Generate a CRL based on information in the index file.
1.1 jsing 560: .It Fl revoke Ar file
561: A
562: .Ar file
563: containing a certificate to revoke.
564: .It Fl subj Ar arg
565: Supersedes the subject name given in the request.
566: The
567: .Ar arg
568: must be formatted as
569: .Ar /type0=value0/type1=value1/type2=... ;
570: characters may be escaped by
571: .Sq \e
572: .Pq backslash ,
573: no spaces are skipped.
574: .El
575: .Pp
1.35 jmc 576: Many of the options can be set in the
577: .Cm ca
578: section of the configuration file
579: (or in the default section of the configuration file),
580: specified using
581: .Cm default_ca
582: or
583: .Fl name .
584: The options
585: .Cm preserve
586: and
587: .Cm msie_hack
588: are read directly from the
589: .Cm ca
590: section.
1.1 jsing 591: .Pp
592: Many of the configuration file options are identical to command line
593: options.
594: Where the option is present in the configuration file and the command line,
595: the command line value is used.
596: Where an option is described as mandatory, then it must be present in
597: the configuration file or the command line equivalent
598: .Pq if any
599: used.
600: .Bl -tag -width "XXXX"
1.35 jmc 601: .It Cm certificate
1.1 jsing 602: The same as
603: .Fl cert .
604: It gives the file containing the CA certificate.
605: Mandatory.
1.35 jmc 606: .It Cm copy_extensions
1.1 jsing 607: Determines how extensions in certificate requests should be handled.
608: If set to
1.35 jmc 609: .Cm none
1.1 jsing 610: or this option is not present, then extensions are
611: ignored and not copied to the certificate.
612: If set to
1.35 jmc 613: .Cm copy ,
1.1 jsing 614: then any extensions present in the request that are not already present
615: are copied to the certificate.
616: If set to
1.35 jmc 617: .Cm copyall ,
1.1 jsing 618: then all extensions in the request are copied to the certificate:
619: if the extension is already present in the certificate it is deleted first.
1.35 jmc 620: .Pp
621: The
622: .Cm copy_extensions
623: option should be used with caution.
624: If care is not taken, it can be a security risk.
625: For example, if a certificate request contains a
626: .Cm basicConstraints
627: extension with CA:TRUE and the
628: .Cm copy_extensions
629: value is set to
630: .Cm copyall
631: and the user does not spot
632: this when the certificate is displayed, then this will hand the requestor
633: a valid CA certificate.
634: .Pp
635: This situation can be avoided by setting
636: .Cm copy_extensions
637: to
638: .Cm copy
639: and including
640: .Cm basicConstraints
641: with CA:FALSE in the configuration file.
642: Then if the request contains a
643: .Cm basicConstraints
644: extension, it will be ignored.
1.1 jsing 645: .Pp
646: The main use of this option is to allow a certificate request to supply
647: values for certain extensions such as
1.35 jmc 648: .Cm subjectAltName .
649: .It Cm crl_extensions
1.1 jsing 650: The same as
651: .Fl crlexts .
1.35 jmc 652: .It Cm crlnumber
1.1 jsing 653: A text file containing the next CRL number to use in hex.
654: The CRL number will be inserted in the CRLs only if this file exists.
655: If this file is present, it must contain a valid CRL number.
1.35 jmc 656: .It Cm database
1.1 jsing 657: The text database file to use.
658: Mandatory.
659: This file must be present, though initially it will be empty.
1.35 jmc 660: .It Cm default_crl_hours , default_crl_days
1.1 jsing 661: The same as the
662: .Fl crlhours
663: and
664: .Fl crldays
665: options.
666: These will only be used if neither command line option is present.
667: At least one of these must be present to generate a CRL.
1.35 jmc 668: .It Cm default_days
1.1 jsing 669: The same as the
670: .Fl days
671: option.
672: The number of days to certify a certificate for.
1.35 jmc 673: .It Cm default_enddate
1.1 jsing 674: The same as the
675: .Fl enddate
676: option.
677: Either this option or
1.35 jmc 678: .Cm default_days
1.1 jsing 679: .Pq or the command line equivalents
680: must be present.
1.35 jmc 681: .It Cm default_md
1.1 jsing 682: The same as the
683: .Fl md
684: option.
685: The message digest to use.
686: Mandatory.
1.35 jmc 687: .It Cm default_startdate
1.1 jsing 688: The same as the
689: .Fl startdate
690: option.
691: The start date to certify a certificate for.
692: If not set, the current time is used.
1.35 jmc 693: .It Cm email_in_dn
1.1 jsing 694: The same as
695: .Fl noemailDN .
696: If the EMAIL field is to be removed from the DN of the certificate,
697: simply set this to
698: .Qq no .
699: If not present, the default is to allow for the EMAIL field in the
700: certificate's DN.
1.35 jmc 701: .It Cm msie_hack
1.1 jsing 702: The same as
703: .Fl msie_hack .
1.35 jmc 704: .It Cm name_opt , cert_opt
1.1 jsing 705: These options allow the format used to display the certificate details
706: when asking the user to confirm signing.
707: All the options supported by the
708: .Nm x509
709: utilities'
710: .Fl nameopt
711: and
712: .Fl certopt
713: switches can be used here, except that
1.35 jmc 714: .Cm no_signame
1.1 jsing 715: and
1.35 jmc 716: .Cm no_sigdump
1.1 jsing 717: are permanently set and cannot be disabled
718: (this is because the certificate signature cannot be displayed because
719: the certificate has not been signed at this point).
720: .Pp
721: For convenience, the value
1.35 jmc 722: .Cm ca_default
1.1 jsing 723: is accepted by both to produce a reasonable output.
724: .Pp
725: If neither option is present, the format used in earlier versions of
1.35 jmc 726: .Nm openssl
1.1 jsing 727: is used.
728: Use of the old format is
729: .Em strongly
730: discouraged because it only displays fields mentioned in the
1.35 jmc 731: .Cm policy
1.1 jsing 732: section,
733: mishandles multicharacter string types and does not display extensions.
1.35 jmc 734: .It Cm new_certs_dir
1.1 jsing 735: The same as the
736: .Fl outdir
737: command line option.
738: It specifies the directory where new certificates will be placed.
739: Mandatory.
1.35 jmc 740: .It Cm oid_file
1.1 jsing 741: This specifies a file containing additional object identifiers.
742: Each line of the file should consist of the numerical form of the
743: object identifier followed by whitespace, then the short name followed
744: by whitespace and finally the long name.
1.35 jmc 745: .It Cm oid_section
1.1 jsing 746: This specifies a section in the configuration file containing extra
747: object identifiers.
748: Each line should consist of the short name of the object identifier
749: followed by
750: .Sq =
751: and the numerical form.
752: The short and long names are the same when this option is used.
1.35 jmc 753: .It Cm policy
1.1 jsing 754: The same as
755: .Fl policy .
756: Mandatory.
1.35 jmc 757: .It Cm preserve
1.1 jsing 758: The same as
759: .Fl preserveDN .
1.35 jmc 760: .It Cm private_key
1.1 jsing 761: Same as the
762: .Fl keyfile
763: option.
764: The file containing the CA private key.
765: Mandatory.
1.35 jmc 766: .It Cm serial
1.1 jsing 767: A text file containing the next serial number to use in hex.
768: Mandatory.
769: This file must be present and contain a valid serial number.
1.35 jmc 770: .It Cm unique_subject
1.1 jsing 771: If the value
1.35 jmc 772: .Cm yes
1.1 jsing 773: is given, the valid certificate entries in the
774: database must have unique subjects.
775: If the value
1.35 jmc 776: .Cm no
1.1 jsing 777: is given,
778: several valid certificate entries may have the exact same subject.
779: The default value is
1.35 jmc 780: .Cm yes .
781: .It Cm x509_extensions
1.1 jsing 782: The same as
783: .Fl extensions .
784: .El
785: .Sh CIPHERS
786: .Nm openssl ciphers
787: .Op Fl hVv
1.18 jmc 788: .Op Fl tls1
1.1 jsing 789: .Op Ar cipherlist
790: .Pp
791: The
792: .Nm ciphers
793: command converts
1.36 jmc 794: .Nm openssl
1.1 jsing 795: cipher lists into ordered SSL cipher preference lists.
1.41 jmc 796: It can be used as a way to determine the appropriate cipher list.
1.1 jsing 797: .Pp
798: The options are as follows:
799: .Bl -tag -width Ds
800: .It Fl h , \&?
801: Print a brief usage message.
802: .It Fl tls1
803: Only include TLS v1 ciphers.
804: .It Fl V
1.36 jmc 805: Verbose.
806: List ciphers with a complete description of protocol version,
807: key exchange, authentication, encryption and mac algorithms,
808: any key size restrictions,
809: and cipher suite codes (hex format).
810: .It Fl v
1.1 jsing 811: Like
1.36 jmc 812: .Fl V ,
813: but without cipher suite codes.
1.1 jsing 814: .It Ar cipherlist
815: A cipher list to convert to a cipher preference list.
816: If it is not included, the default cipher list will be used.
1.36 jmc 817: .Pp
818: The cipher list consists of one or more cipher strings
1.1 jsing 819: separated by colons.
820: Commas or spaces are also acceptable separators, but colons are normally used.
821: .Pp
1.36 jmc 822: The actual cipher string can take several different forms:
1.1 jsing 823: .Pp
1.36 jmc 824: It can consist of a single cipher suite, such as RC4-SHA.
1.1 jsing 825: .Pp
826: It can represent a list of cipher suites containing a certain algorithm,
827: or cipher suites of a certain type.
1.36 jmc 828: For example SHA1 represents all cipher suites using the digest algorithm SHA1.
829: .Pp
830: Lists of cipher suites can be combined in a single cipher string using the
1.1 jsing 831: .Sq +
1.36 jmc 832: character
833: (logical AND operation).
834: For example, SHA1+DES represents all cipher suites
835: containing the SHA1 and DES algorithms.
1.1 jsing 836: .Pp
837: Each cipher string can be optionally preceded by the characters
838: .Sq \&! ,
839: .Sq - ,
840: or
841: .Sq + .
842: If
843: .Sq !\&
844: is used, then the ciphers are permanently deleted from the list.
845: The ciphers deleted can never reappear in the list even if they are
846: explicitly stated.
847: If
848: .Sq -
849: is used, then the ciphers are deleted from the list, but some or
850: all of the ciphers can be added again by later options.
851: If
852: .Sq +
853: is used, then the ciphers are moved to the end of the list.
854: This option doesn't add any new ciphers, it just moves matching existing ones.
855: .Pp
856: If none of these characters is present, the string is just interpreted
857: as a list of ciphers to be appended to the current preference list.
858: If the list includes any ciphers already present, they will be ignored;
859: that is, they will not be moved to the end of the list.
860: .Pp
861: Additionally, the cipher string
1.36 jmc 862: .Cm @STRENGTH
1.1 jsing 863: can be used at any point to sort the current cipher list in order of
864: encryption algorithm key length.
1.36 jmc 865: .El
866: .Pp
1.1 jsing 867: The following is a list of all permitted cipher strings and their meanings.
868: .Bl -tag -width "XXXX"
1.36 jmc 869: .It Cm DEFAULT
1.1 jsing 870: The default cipher list.
871: This is determined at compile time and is currently
1.36 jmc 872: .Cm ALL:!aNULL:!eNULL:!SSLv2 .
873: This must be the first cipher string specified.
874: .It Cm COMPLEMENTOFDEFAULT
1.1 jsing 875: The ciphers included in
1.36 jmc 876: .Cm ALL ,
1.1 jsing 877: but not enabled by default.
878: Currently this is
1.36 jmc 879: .Cm ADH .
1.1 jsing 880: Note that this rule does not cover
1.36 jmc 881: .Cm eNULL ,
1.1 jsing 882: which is not included by
1.36 jmc 883: .Cm ALL
1.1 jsing 884: (use
1.36 jmc 885: .Cm COMPLEMENTOFALL
1.1 jsing 886: if necessary).
1.36 jmc 887: .It Cm ALL
1.1 jsing 888: All cipher suites except the
1.36 jmc 889: .Cm eNULL
890: ciphers, which must be explicitly enabled.
891: .It Cm COMPLEMENTOFALL
1.1 jsing 892: The cipher suites not enabled by
1.36 jmc 893: .Cm ALL ,
1.1 jsing 894: currently being
1.36 jmc 895: .Cm eNULL .
896: .It Cm HIGH
1.1 jsing 897: .Qq High
898: encryption cipher suites.
899: This currently means those with key lengths larger than 128 bits.
1.36 jmc 900: .It Cm MEDIUM
1.1 jsing 901: .Qq Medium
902: encryption cipher suites, currently those using 128-bit encryption.
1.36 jmc 903: .It Cm LOW
1.1 jsing 904: .Qq Low
905: encryption cipher suites, currently those using 64- or 56-bit encryption
1.9 lteo 906: algorithms.
1.36 jmc 907: .It Cm eNULL , NULL
1.1 jsing 908: The
909: .Qq NULL
910: ciphers; that is, those offering no encryption.
911: Because these offer no encryption at all and are a security risk,
912: they are disabled unless explicitly included.
1.36 jmc 913: .It Cm aNULL
1.1 jsing 914: The cipher suites offering no authentication.
915: This is currently the anonymous DH algorithms.
916: These cipher suites are vulnerable to a
917: .Qq man in the middle
918: attack, so their use is normally discouraged.
1.36 jmc 919: .It Cm kRSA , RSA
1.1 jsing 920: Cipher suites using RSA key exchange.
1.36 jmc 921: .It Cm kEDH
1.1 jsing 922: Cipher suites using ephemeral DH key agreement.
1.36 jmc 923: .It Cm aRSA
1.1 jsing 924: Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
1.36 jmc 925: .It Cm aDSS , DSS
1.1 jsing 926: Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
1.36 jmc 927: .It Cm TLSv1
1.18 jmc 928: TLS v1.0 cipher suites.
1.36 jmc 929: .It Cm DH
1.1 jsing 930: Cipher suites using DH, including anonymous DH.
1.36 jmc 931: .It Cm ADH
1.1 jsing 932: Anonymous DH cipher suites.
1.36 jmc 933: .It Cm AES
1.1 jsing 934: Cipher suites using AES.
1.36 jmc 935: .It Cm 3DES
1.1 jsing 936: Cipher suites using triple DES.
1.36 jmc 937: .It Cm DES
1.1 jsing 938: Cipher suites using DES
939: .Pq not triple DES .
1.36 jmc 940: .It Cm RC4
1.1 jsing 941: Cipher suites using RC4.
1.36 jmc 942: .It Cm CAMELLIA
1.9 lteo 943: Cipher suites using Camellia.
1.36 jmc 944: .It Cm CHACHA20
1.9 lteo 945: Cipher suites using ChaCha20.
1.36 jmc 946: .It Cm IDEA
1.9 lteo 947: Cipher suites using IDEA.
1.36 jmc 948: .It Cm MD5
1.1 jsing 949: Cipher suites using MD5.
1.36 jmc 950: .It Cm SHA1 , SHA
1.1 jsing 951: Cipher suites using SHA1.
952: .El
953: .Sh CRL
954: .nr nS 1
955: .Nm "openssl crl"
956: .Op Fl CAfile Ar file
957: .Op Fl CApath Ar dir
958: .Op Fl fingerprint
959: .Op Fl hash
960: .Op Fl in Ar file
1.38 jmc 961: .Op Fl inform Cm der | pem
1.1 jsing 962: .Op Fl issuer
963: .Op Fl lastupdate
964: .Op Fl nextupdate
965: .Op Fl noout
966: .Op Fl out Ar file
1.38 jmc 967: .Op Fl outform Cm der | pem
1.1 jsing 968: .Op Fl text
969: .nr nS 0
970: .Pp
971: The
972: .Nm crl
973: command processes CRL files in DER or PEM format.
1.37 jmc 974: .Pp
1.1 jsing 975: The options are as follows:
976: .Bl -tag -width Ds
977: .It Fl CAfile Ar file
978: Verify the signature on a CRL by looking up the issuing certificate in
979: .Ar file .
980: .It Fl CApath Ar directory
981: Verify the signature on a CRL by looking up the issuing certificate in
982: .Ar dir .
983: This directory must be a standard certificate directory,
984: i.e. a hash of each subject name (using
985: .Cm x509 Fl hash )
986: should be linked to each certificate.
987: .It Fl fingerprint
988: Print the CRL fingerprint.
989: .It Fl hash
990: Output a hash of the issuer name.
991: This can be used to look up CRLs in a directory by issuer name.
992: .It Fl in Ar file
1.37 jmc 993: The input file to read from, or standard input if not specified.
1.38 jmc 994: .It Fl inform Cm der | pem
1.37 jmc 995: The input format.
1.1 jsing 996: .It Fl issuer
997: Output the issuer name.
998: .It Fl lastupdate
999: Output the
1.37 jmc 1000: .Cm lastUpdate
1.1 jsing 1001: field.
1002: .It Fl nextupdate
1003: Output the
1.37 jmc 1004: .Cm nextUpdate
1.1 jsing 1005: field.
1006: .It Fl noout
1.46 jmc 1007: Do not output the encoded version of the CRL.
1.1 jsing 1008: .It Fl out Ar file
1.37 jmc 1009: The output file to write to, or standard output if not specified.
1.38 jmc 1010: .It Fl outform Cm der | pem
1.37 jmc 1011: The output format.
1.1 jsing 1012: .It Fl text
1.64 ! jmc 1013: Print the CRL in plain text.
1.1 jsing 1014: .El
1015: .Sh CRL2PKCS7
1016: .nr nS 1
1017: .Nm "openssl crl2pkcs7"
1018: .Op Fl certfile Ar file
1019: .Op Fl in Ar file
1.40 jmc 1020: .Op Fl inform Cm der | pem
1.1 jsing 1021: .Op Fl nocrl
1022: .Op Fl out Ar file
1.40 jmc 1023: .Op Fl outform Cm der | pem
1.1 jsing 1024: .nr nS 0
1025: .Pp
1026: The
1027: .Nm crl2pkcs7
1028: command takes an optional CRL and one or more
1029: certificates and converts them into a PKCS#7 degenerate
1030: .Qq certificates only
1031: structure.
1032: .Pp
1033: The options are as follows:
1034: .Bl -tag -width Ds
1035: .It Fl certfile Ar file
1.40 jmc 1036: Add the certificates in PEM
1.1 jsing 1037: .Ar file
1.40 jmc 1038: to the PKCS#7 structure.
1039: This option can be used more than once
1040: to read certificates from multiple files.
1.1 jsing 1041: .It Fl in Ar file
1.40 jmc 1042: Read the CRL from
1043: .Ar file ,
1044: or standard input if not specified.
1045: .It Fl inform Cm der | pem
1.64 ! jmc 1046: The input format.
1.1 jsing 1047: .It Fl nocrl
1048: Normally, a CRL is included in the output file.
1049: With this option, no CRL is
1050: included in the output file and a CRL is not read from the input file.
1051: .It Fl out Ar file
1.40 jmc 1052: Write the PKCS#7 structure to
1053: .Ar file ,
1054: or standard output if not specified.
1055: .It Fl outform Cm der | pem
1.64 ! jmc 1056: The output format.
1.1 jsing 1057: .El
1058: .Sh DGST
1059: .nr nS 1
1060: .Nm "openssl dgst"
1.43 jmc 1061: .Op Fl cd
1.1 jsing 1062: .Op Fl binary
1.43 jmc 1063: .Op Fl Ar digest
1.1 jsing 1064: .Op Fl hex
1065: .Op Fl hmac Ar key
1.43 jmc 1066: .Op Fl keyform Cm pem
1.1 jsing 1067: .Op Fl mac Ar algorithm
1068: .Op Fl macopt Ar nm : Ns Ar v
1069: .Op Fl out Ar file
1070: .Op Fl passin Ar arg
1071: .Op Fl prverify Ar file
1072: .Op Fl sign Ar file
1073: .Op Fl signature Ar file
1074: .Op Fl sigopt Ar nm : Ns Ar v
1075: .Op Fl verify Ar file
1076: .Op Ar
1077: .nr nS 0
1078: .Pp
1079: The digest functions output the message digest of a supplied
1080: .Ar file
1081: or
1082: .Ar files
1083: in hexadecimal form.
1084: They can also be used for digital signing and verification.
1085: .Pp
1086: The options are as follows:
1087: .Bl -tag -width Ds
1088: .It Fl binary
1089: Output the digest or signature in binary form.
1090: .It Fl c
1.48 jmc 1091: Print the digest in two-digit groups separated by colons.
1.1 jsing 1092: .It Fl d
1.48 jmc 1093: Print BIO debugging information.
1.43 jmc 1094: .It Fl Ar digest
1095: Use the specified message
1096: .Ar digest .
1097: The default is MD5.
1098: The available digests can be displayed using
1099: .Nm openssl
1100: .Cm list-message-digest-commands .
1101: The following are equivalent:
1102: .Nm openssl dgst
1103: .Fl md5
1104: and
1105: .Nm openssl
1106: .Cm md5 .
1.1 jsing 1107: .It Fl hex
1108: Digest is to be output as a hex dump.
1109: This is the default case for a
1110: .Qq normal
1111: digest as opposed to a digital signature.
1112: .It Fl hmac Ar key
1113: Create a hashed MAC using
1114: .Ar key .
1.43 jmc 1115: .It Fl keyform Cm pem
1.1 jsing 1116: Specifies the key format to sign the digest with.
1117: .It Fl mac Ar algorithm
1118: Create a keyed Message Authentication Code (MAC).
1119: The most popular MAC algorithm is HMAC (hash-based MAC),
1120: but there are other MAC algorithms which are not based on hash.
1121: MAC keys and other options should be set via the
1122: .Fl macopt
1123: parameter.
1124: .It Fl macopt Ar nm : Ns Ar v
1125: Passes options to the MAC algorithm, specified by
1126: .Fl mac .
1127: The following options are supported by HMAC:
1128: .Bl -tag -width Ds
1.43 jmc 1129: .It Cm key : Ns Ar string
1.1 jsing 1130: Specifies the MAC key as an alphanumeric string
1131: (use if the key contain printable characters only).
1132: String length must conform to any restrictions of the MAC algorithm.
1.43 jmc 1133: .It Cm hexkey : Ns Ar string
1.1 jsing 1134: Specifies the MAC key in hexadecimal form (two hex digits per byte).
1135: Key length must conform to any restrictions of the MAC algorithm.
1136: .El
1137: .It Fl out Ar file
1.43 jmc 1138: The output file to write to,
1139: or standard output if not specified.
1.1 jsing 1140: .It Fl passin Ar arg
1141: The key password source.
1142: .It Fl prverify Ar file
1143: Verify the signature using the private key in
1144: .Ar file .
1145: The output is either
1146: .Qq Verification OK
1147: or
1148: .Qq Verification Failure .
1149: .It Fl sign Ar file
1150: Digitally sign the digest using the private key in
1151: .Ar file .
1152: .It Fl signature Ar file
1153: The actual signature to verify.
1154: .It Fl sigopt Ar nm : Ns Ar v
1155: Pass options to the signature algorithm during sign or verify operations.
1156: The names and values of these options are algorithm-specific.
1157: .It Fl verify Ar file
1158: Verify the signature using the public key in
1159: .Ar file .
1160: The output is either
1161: .Qq Verification OK
1162: or
1163: .Qq Verification Failure .
1164: .It Ar
1165: File or files to digest.
1166: If no files are specified then standard input is used.
1167: .El
1168: .Sh DHPARAM
1169: .nr nS 1
1170: .Nm "openssl dhparam"
1171: .Op Fl 2 | 5
1172: .Op Fl C
1173: .Op Fl check
1174: .Op Fl dsaparam
1175: .Op Fl in Ar file
1.44 jmc 1176: .Op Fl inform Cm der | pem
1.1 jsing 1177: .Op Fl noout
1178: .Op Fl out Ar file
1.44 jmc 1179: .Op Fl outform Cm der | pem
1.1 jsing 1180: .Op Fl text
1181: .Op Ar numbits
1182: .nr nS 0
1183: .Pp
1184: The
1185: .Nm dhparam
1186: command is used to manipulate DH parameter files.
1.44 jmc 1187: Only the older PKCS#3 DH is supported,
1188: not the newer X9.42 DH.
1.1 jsing 1189: .Pp
1190: The options are as follows:
1191: .Bl -tag -width Ds
1192: .It Fl 2 , 5
1.44 jmc 1193: The generator to use;
1.1 jsing 1194: 2 is the default.
1195: If present, the input file is ignored and parameters are generated instead.
1196: .It Fl C
1.44 jmc 1197: Convert the parameters into C code.
1.1 jsing 1198: The parameters can then be loaded by calling the
1.44 jmc 1199: .No get_dh Ns Ar numbits
1.1 jsing 1200: function.
1201: .It Fl check
1202: Check the DH parameters.
1203: .It Fl dsaparam
1.44 jmc 1204: Read or create DSA parameters,
1205: converted to DH format on output.
1.1 jsing 1206: Otherwise,
1207: .Qq strong
1208: primes
1209: .Pq such that (p-1)/2 is also prime
1210: will be used for DH parameter generation.
1211: .Pp
1212: DH parameter generation with the
1213: .Fl dsaparam
1214: option is much faster,
1215: and the recommended exponent length is shorter,
1216: which makes DH key exchange more efficient.
1217: Beware that with such DSA-style DH parameters,
1218: a fresh DH key should be created for each use to
1219: avoid small-subgroup attacks that may be possible otherwise.
1220: .It Fl in Ar file
1.44 jmc 1221: The input file to read from,
1222: or standard input if not specified.
1223: .It Fl inform Cm der | pem
1224: The input format.
1.1 jsing 1225: .It Fl noout
1.46 jmc 1226: Do not output the encoded version of the parameters.
1.44 jmc 1227: .It Fl out Ar file
1228: The output file to write to,
1229: or standard output if not specified.
1230: .It Fl outform Cm der | pem
1231: The output format.
1232: .It Fl text
1.64 ! jmc 1233: Print the DH parameters in plain text.
1.1 jsing 1234: .It Ar numbits
1.44 jmc 1235: Generate a parameter set of size
1.1 jsing 1236: .Ar numbits .
1237: It must be the last option.
1.16 sthen 1238: If not present, a value of 2048 is used.
1.1 jsing 1239: If this value is present, the input file is ignored and
1240: parameters are generated instead.
1241: .El
1242: .Sh DSA
1243: .nr nS 1
1244: .Nm "openssl dsa"
1245: .Oo
1246: .Fl aes128 | aes192 | aes256 |
1247: .Fl des | des3
1248: .Oc
1249: .Op Fl in Ar file
1.45 jmc 1250: .Op Fl inform Cm der | pem
1.1 jsing 1251: .Op Fl modulus
1252: .Op Fl noout
1253: .Op Fl out Ar file
1.45 jmc 1254: .Op Fl outform Cm der | pem
1.1 jsing 1255: .Op Fl passin Ar arg
1256: .Op Fl passout Ar arg
1257: .Op Fl pubin
1258: .Op Fl pubout
1259: .Op Fl text
1260: .nr nS 0
1261: .Pp
1262: The
1263: .Nm dsa
1264: command processes DSA keys.
1265: They can be converted between various forms and their components printed out.
1266: .Pp
1267: .Sy Note :
1268: This command uses the traditional
1269: .Nm SSLeay
1270: compatible format for private key encryption:
1271: newer applications should use the more secure PKCS#8 format using the
1272: .Nm pkcs8
1273: command.
1274: .Pp
1275: The options are as follows:
1276: .Bl -tag -width Ds
1277: .It Xo
1278: .Fl aes128 | aes192 | aes256 |
1279: .Fl des | des3
1280: .Xc
1.45 jmc 1281: Encrypt the private key with the AES, DES, or the triple DES
1.1 jsing 1282: ciphers, respectively, before outputting it.
1283: A pass phrase is prompted for.
1.45 jmc 1284: If none of these options are specified, the key is written in plain text.
1.1 jsing 1285: This means that using the
1286: .Nm dsa
1.45 jmc 1287: utility to read an encrypted key with no encryption option can be used to
1.1 jsing 1288: remove the pass phrase from a key,
1.45 jmc 1289: or by setting the encryption options it can be used to add or change
1.1 jsing 1290: the pass phrase.
1291: These options can only be used with PEM format output files.
1292: .It Fl in Ar file
1.45 jmc 1293: The input file to read from,
1294: or standard input if not specified.
1.1 jsing 1295: If the key is encrypted, a pass phrase will be prompted for.
1.45 jmc 1296: .It Fl inform Cm der | pem
1297: The input format.
1.1 jsing 1298: .It Fl modulus
1.45 jmc 1299: Print the value of the public key component of the key.
1.1 jsing 1300: .It Fl noout
1.46 jmc 1301: Do not output the encoded version of the key.
1.1 jsing 1302: .It Fl out Ar file
1.45 jmc 1303: The output file to write to,
1304: or standard output if not specified.
1.1 jsing 1305: If any encryption options are set then a pass phrase will be
1306: prompted for.
1.45 jmc 1307: .It Fl outform Cm der | pem
1308: The output format.
1.1 jsing 1309: .It Fl passin Ar arg
1310: The key password source.
1311: .It Fl passout Ar arg
1312: The output file password source.
1313: .It Fl pubin
1.60 jmc 1314: Read in a public key, not a private key.
1.1 jsing 1315: .It Fl pubout
1.60 jmc 1316: Output a public key, not a private key.
1317: Automatically set if the input is a public key.
1.1 jsing 1318: .It Fl text
1.64 ! jmc 1319: Print the public/private key in plain text.
1.1 jsing 1320: .El
1321: .Sh DSAPARAM
1322: .nr nS 1
1323: .Nm "openssl dsaparam"
1324: .Op Fl C
1325: .Op Fl genkey
1326: .Op Fl in Ar file
1.46 jmc 1327: .Op Fl inform Cm der | pem
1.1 jsing 1328: .Op Fl noout
1329: .Op Fl out Ar file
1.46 jmc 1330: .Op Fl outform Cm der | pem
1.1 jsing 1331: .Op Fl text
1332: .Op Ar numbits
1333: .nr nS 0
1334: .Pp
1335: The
1336: .Nm dsaparam
1337: command is used to manipulate or generate DSA parameter files.
1338: .Pp
1339: The options are as follows:
1340: .Bl -tag -width Ds
1341: .It Fl C
1.46 jmc 1342: Convert the parameters into C code.
1.1 jsing 1343: The parameters can then be loaded by calling the
1.46 jmc 1344: .No get_dsa Ns Ar XXX
1.1 jsing 1345: function.
1346: .It Fl genkey
1.46 jmc 1347: Generate a DSA key either using the specified or generated
1.1 jsing 1348: parameters.
1349: .It Fl in Ar file
1.46 jmc 1350: The input file to read from,
1351: or standard input if not specified.
1.1 jsing 1352: If the
1353: .Ar numbits
1.46 jmc 1354: parameter is included, then this option is ignored.
1355: .It Fl inform Cm der | pem
1356: The input format.
1.1 jsing 1357: .It Fl noout
1.46 jmc 1358: Do not output the encoded version of the parameters.
1359: .It Fl out Ar file
1360: The output file to write to,
1361: or standard output if not specified.
1362: .It Fl outform Cm der | pem
1363: The output format.
1364: .It Fl text
1.64 ! jmc 1365: Print the DSA parameters in plain text.
1.1 jsing 1366: .It Ar numbits
1.46 jmc 1367: Generate a parameter set of size
1.1 jsing 1368: .Ar numbits .
1.46 jmc 1369: If this option is included, the input file is ignored.
1.1 jsing 1370: .El
1371: .Sh EC
1372: .nr nS 1
1373: .Nm "openssl ec"
1374: .Op Fl conv_form Ar arg
1375: .Op Fl des
1376: .Op Fl des3
1377: .Op Fl in Ar file
1.47 jmc 1378: .Op Fl inform Cm der | pem
1.1 jsing 1379: .Op Fl noout
1380: .Op Fl out Ar file
1.47 jmc 1381: .Op Fl outform Cm der | pem
1.1 jsing 1382: .Op Fl param_enc Ar arg
1383: .Op Fl param_out
1384: .Op Fl passin Ar arg
1385: .Op Fl passout Ar arg
1386: .Op Fl pubin
1387: .Op Fl pubout
1388: .Op Fl text
1389: .nr nS 0
1390: .Pp
1391: The
1392: .Nm ec
1393: command processes EC keys.
1394: They can be converted between various
1395: forms and their components printed out.
1.47 jmc 1396: .Nm openssl
1.1 jsing 1397: uses the private key format specified in
1398: .Dq SEC 1: Elliptic Curve Cryptography
1399: .Pq Lk http://www.secg.org/ .
1400: To convert an
1401: EC private key into the PKCS#8 private key format use the
1402: .Nm pkcs8
1403: command.
1404: .Pp
1405: The options are as follows:
1406: .Bl -tag -width Ds
1407: .It Fl conv_form Ar arg
1.47 jmc 1408: Specify how the points on the elliptic curve are converted
1.1 jsing 1409: into octet strings.
1410: Possible values are:
1411: .Cm compressed
1.47 jmc 1412: (the default),
1.1 jsing 1413: .Cm uncompressed ,
1414: and
1415: .Cm hybrid .
1416: For more information regarding
1.47 jmc 1417: the point conversion forms see the X9.62 standard.
1.1 jsing 1418: Note:
1419: Due to patent issues the
1420: .Cm compressed
1421: option is disabled by default for binary curves
1422: and can be enabled by defining the preprocessor macro
1.47 jmc 1423: .Dv OPENSSL_EC_BIN_PT_COMP
1.1 jsing 1424: at compile time.
1425: .It Fl des | des3
1.47 jmc 1426: Encrypt the private key with DES, triple DES, or
1.1 jsing 1427: any other cipher supported by
1.47 jmc 1428: .Nm openssl .
1.1 jsing 1429: A pass phrase is prompted for.
1430: If none of these options is specified the key is written in plain text.
1431: This means that using the
1432: .Nm ec
1433: utility to read in an encrypted key with no
1434: encryption option can be used to remove the pass phrase from a key,
1435: or by setting the encryption options
1436: it can be use to add or change the pass phrase.
1437: These options can only be used with PEM format output files.
1438: .It Fl in Ar file
1.47 jmc 1439: The input file to read a key from,
1440: or standard input if not specified.
1.1 jsing 1441: If the key is encrypted a pass phrase will be prompted for.
1.47 jmc 1442: .It Fl inform Cm der | pem
1443: The input format.
1.1 jsing 1444: .It Fl noout
1.47 jmc 1445: Do not output the encoded version of the key.
1.1 jsing 1446: .It Fl out Ar file
1.47 jmc 1447: The output filename to write to,
1448: or standard output if not specified.
1.1 jsing 1449: If any encryption options are set then a pass phrase will be prompted for.
1.47 jmc 1450: .It Fl outform Cm der | pem
1451: The output format.
1.1 jsing 1452: .It Fl param_enc Ar arg
1.47 jmc 1453: Specify how the elliptic curve parameters are encoded.
1.1 jsing 1454: Possible value are:
1455: .Cm named_curve ,
1456: i.e. the EC parameters are specified by an OID; or
1457: .Cm explicit ,
1458: where the EC parameters are explicitly given
1459: (see RFC 3279 for the definition of the EC parameter structures).
1460: The default value is
1461: .Cm named_curve .
1462: Note: the
1463: .Cm implicitlyCA
1464: alternative,
1465: as specified in RFC 3279,
1.47 jmc 1466: is currently not implemented.
1.1 jsing 1467: .It Fl passin Ar arg
1468: The key password source.
1469: .It Fl passout Ar arg
1470: The output file password source.
1471: .It Fl pubin
1.60 jmc 1472: Read in a public key, not a private key.
1.1 jsing 1473: .It Fl pubout
1.60 jmc 1474: Output a public key, not a private key.
1475: Automatically set if the input is a public key.
1.1 jsing 1476: .It Fl text
1.64 ! jmc 1477: Print the public/private key in plain text.
1.1 jsing 1478: .El
1479: .Sh ECPARAM
1480: .nr nS 1
1481: .Nm "openssl ecparam"
1482: .Op Fl C
1483: .Op Fl check
1484: .Op Fl conv_form Ar arg
1485: .Op Fl genkey
1486: .Op Fl in Ar file
1.48 jmc 1487: .Op Fl inform Cm der | pem
1.1 jsing 1488: .Op Fl list_curves
1489: .Op Fl name Ar arg
1490: .Op Fl no_seed
1491: .Op Fl noout
1492: .Op Fl out Ar file
1.48 jmc 1493: .Op Fl outform Cm der | pem
1.1 jsing 1494: .Op Fl param_enc Ar arg
1495: .Op Fl text
1496: .nr nS 0
1497: .Pp
1.48 jmc 1498: The
1499: .Nm ecparam
1500: command is used to manipulate or generate EC parameter files.
1501: .Nm openssl
1502: is not able to generate new groups so
1503: .Nm ecparam
1504: can only create EC parameters from known (named) curves.
1505: .Pp
1.1 jsing 1506: The options are as follows:
1507: .Bl -tag -width Ds
1508: .It Fl C
1509: Convert the EC parameters into C code.
1510: The parameters can then be loaded by calling the
1.48 jmc 1511: .No get_ec_group_ Ns Ar XXX
1.1 jsing 1512: function.
1513: .It Fl check
1514: Validate the elliptic curve parameters.
1515: .It Fl conv_form Ar arg
1516: Specify how the points on the elliptic curve are converted
1517: into octet strings.
1518: Possible values are:
1519: .Cm compressed
1.48 jmc 1520: (the default),
1.1 jsing 1521: .Cm uncompressed ,
1522: and
1523: .Cm hybrid .
1524: For more information regarding
1.48 jmc 1525: the point conversion forms see the X9.62 standard.
1.1 jsing 1526: Note:
1527: Due to patent issues the
1528: .Cm compressed
1529: option is disabled by default for binary curves
1530: and can be enabled by defining the preprocessor macro
1.48 jmc 1531: .Dv OPENSSL_EC_BIN_PT_COMP
1.1 jsing 1532: at compile time.
1533: .It Fl genkey
1534: Generate an EC private key using the specified parameters.
1535: .It Fl in Ar file
1.48 jmc 1536: The input file to read from,
1537: or standard input if not specified.
1538: .It Fl inform Cm der | pem
1539: The input format.
1.1 jsing 1540: .It Fl list_curves
1.48 jmc 1541: Print a list of all
1.1 jsing 1542: currently implemented EC parameter names and exit.
1543: .It Fl name Ar arg
1.48 jmc 1544: Use the EC parameters with the specified "short" name.
1.1 jsing 1545: .It Fl no_seed
1.48 jmc 1546: Do not include the seed for the parameter generation
1547: in the ECParameters structure (see RFC 3279).
1.1 jsing 1548: .It Fl noout
1.48 jmc 1549: Do not output the encoded version of the parameters.
1.1 jsing 1550: .It Fl out Ar file
1.48 jmc 1551: The output file to write to,
1552: or standard output if not specified.
1553: .It Fl outform Cm der | pem
1554: The output format.
1.1 jsing 1555: .It Fl param_enc Ar arg
1.48 jmc 1556: Specify how the elliptic curve parameters are encoded.
1.1 jsing 1557: Possible value are:
1558: .Cm named_curve ,
1559: i.e. the EC parameters are specified by an OID, or
1560: .Cm explicit ,
1561: where the EC parameters are explicitly given
1562: (see RFC 3279 for the definition of the EC parameter structures).
1563: The default value is
1564: .Cm named_curve .
1565: Note: the
1566: .Cm implicitlyCA
1567: alternative, as specified in RFC 3279,
1.48 jmc 1568: is currently not implemented.
1.1 jsing 1569: .It Fl text
1.64 ! jmc 1570: Print the EC parameters in plain text.
1.1 jsing 1571: .El
1572: .Sh ENC
1573: .nr nS 1
1574: .Nm "openssl enc"
1575: .Fl ciphername
1576: .Op Fl AadePp
1577: .Op Fl base64
1578: .Op Fl bufsize Ar number
1579: .Op Fl debug
1580: .Op Fl in Ar file
1581: .Op Fl iv Ar IV
1582: .Op Fl K Ar key
1583: .Op Fl k Ar password
1584: .Op Fl kfile Ar file
1585: .Op Fl md Ar digest
1586: .Op Fl none
1587: .Op Fl nopad
1588: .Op Fl nosalt
1589: .Op Fl out Ar file
1590: .Op Fl pass Ar arg
1591: .Op Fl S Ar salt
1592: .Op Fl salt
1593: .nr nS 0
1594: .Pp
1595: The symmetric cipher commands allow data to be encrypted or decrypted
1596: using various block and stream ciphers using keys based on passwords
1597: or explicitly provided.
1598: Base64 encoding or decoding can also be performed either by itself
1599: or in addition to the encryption or decryption.
1.49 jmc 1600: The program can be called either as
1601: .Nm openssl Ar ciphername
1602: or
1603: .Nm openssl enc - Ns Ar ciphername .
1604: .Pp
1605: Some of the ciphers do not have large keys and others have security
1606: implications if not used correctly.
1607: All the block ciphers normally use PKCS#5 padding,
1608: also known as standard block padding.
1609: If padding is disabled, the input data must be a multiple of the cipher
1610: block length.
1.1 jsing 1611: .Pp
1612: The options are as follows:
1613: .Bl -tag -width Ds
1614: .It Fl A
1615: If the
1616: .Fl a
1617: option is set, then base64 process the data on one line.
1618: .It Fl a , base64
1619: Base64 process the data.
1620: This means that if encryption is taking place, the data is base64-encoded
1621: after encryption.
1.49 jmc 1622: If decryption is set, the input data is base64-decoded before
1.1 jsing 1623: being decrypted.
1624: .It Fl bufsize Ar number
1625: Set the buffer size for I/O.
1626: .It Fl d
1627: Decrypt the input data.
1628: .It Fl debug
1629: Debug the BIOs used for I/O.
1630: .It Fl e
1.49 jmc 1631: Encrypt the input data.
1632: This is the default.
1.1 jsing 1633: .It Fl in Ar file
1.49 jmc 1634: The input file to read from,
1.57 jmc 1635: or standard input if not specified.
1.1 jsing 1636: .It Fl iv Ar IV
1637: The actual
1638: .Ar IV
1639: .Pq initialisation vector
1640: to use:
1641: this must be represented as a string comprised only of hex digits.
1642: When only the
1643: .Ar key
1644: is specified using the
1645: .Fl K
1.49 jmc 1646: option,
1647: the IV must explicitly be defined.
1.1 jsing 1648: When a password is being specified using one of the other options,
1.49 jmc 1649: the IV is generated from this password.
1.1 jsing 1650: .It Fl K Ar key
1651: The actual
1652: .Ar key
1653: to use:
1654: this must be represented as a string comprised only of hex digits.
1.49 jmc 1655: If only the key is specified,
1656: the IV must also be specified using the
1.1 jsing 1657: .Fl iv
1658: option.
1659: When both a
1660: .Ar key
1661: and a
1662: .Ar password
1663: are specified, the
1664: .Ar key
1665: given with the
1666: .Fl K
1.49 jmc 1667: option will be used and the IV generated from the password will be taken.
1.1 jsing 1668: It probably does not make much sense to specify both
1669: .Ar key
1670: and
1671: .Ar password .
1672: .It Fl k Ar password
1673: The
1674: .Ar password
1675: to derive the key from.
1676: Superseded by the
1677: .Fl pass
1678: option.
1679: .It Fl kfile Ar file
1680: Read the password to derive the key from the first line of
1681: .Ar file .
1682: Superseded by the
1683: .Fl pass
1684: option.
1685: .It Fl md Ar digest
1686: Use
1687: .Ar digest
1688: to create a key from a pass phrase.
1689: .Ar digest
1690: may be one of
1.49 jmc 1691: .Cm md5
1.1 jsing 1692: or
1.49 jmc 1693: .Cm sha1 .
1.1 jsing 1694: .It Fl none
1695: Use NULL cipher (no encryption or decryption of input).
1696: .It Fl nopad
1697: Disable standard block padding.
1698: .It Fl nosalt
1.49 jmc 1699: Don't use a salt in the key derivation routines.
1.1 jsing 1700: This option should
1701: .Em NEVER
1.49 jmc 1702: be used
1703: since it makes it possible to perform efficient dictionary
1704: attacks on the password and to attack stream cipher encrypted data.
1.1 jsing 1705: .It Fl out Ar file
1.51 jmc 1706: The output file to write to,
1.57 jmc 1707: or standard output if not specified.
1.1 jsing 1708: .It Fl P
1.49 jmc 1709: Print out the salt, key, and IV used, then immediately exit;
1.1 jsing 1710: don't do any encryption or decryption.
1711: .It Fl p
1.49 jmc 1712: Print out the salt, key, and IV used.
1.1 jsing 1713: .It Fl pass Ar arg
1714: The password source.
1715: .It Fl S Ar salt
1716: The actual
1717: .Ar salt
1718: to use:
1719: this must be represented as a string comprised only of hex digits.
1720: .It Fl salt
1.49 jmc 1721: Use a salt in the key derivation routines (the default).
1722: When the salt is being used
1723: the first eight bytes of the encrypted data are reserved for the salt:
1724: it is randomly generated when encrypting a file and read from the
1725: encrypted file when it is decrypted.
1.1 jsing 1726: .El
1727: .Sh ERRSTR
1728: .Nm openssl errstr
1729: .Op Fl stats
1730: .Ar errno ...
1731: .Pp
1732: The
1733: .Nm errstr
1734: command performs error number to error string conversion,
1735: generating a human-readable string representing the error code
1736: .Ar errno .
1737: The string is obtained through the
1738: .Xr ERR_error_string_n 3
1739: function and has the following format:
1740: .Pp
1741: .Dl error:[error code]:[library name]:[function name]:[reason string]
1742: .Pp
1743: .Bq error code
1744: is an 8-digit hexadecimal number.
1745: The remaining fields
1746: .Bq library name ,
1747: .Bq function name ,
1748: and
1749: .Bq reason string
1750: are all ASCII text.
1751: .Pp
1752: The options are as follows:
1753: .Bl -tag -width Ds
1754: .It Fl stats
1755: Print debugging statistics about various aspects of the hash table.
1756: .El
1757: .Sh GENDSA
1758: .nr nS 1
1759: .Nm "openssl gendsa"
1760: .Oo
1761: .Fl aes128 | aes192 | aes256 |
1762: .Fl des | des3
1763: .Oc
1764: .Op Fl out Ar file
1765: .Op Ar paramfile
1766: .nr nS 0
1767: .Pp
1768: The
1769: .Nm gendsa
1770: command generates a DSA private key from a DSA parameter file
1.51 jmc 1771: (typically generated by the
1.1 jsing 1772: .Nm openssl dsaparam
1773: command).
1.51 jmc 1774: DSA key generation is little more than random number generation so it is
1775: much quicker than,
1776: for example,
1777: RSA key generation.
1.1 jsing 1778: .Pp
1779: The options are as follows:
1780: .Bl -tag -width Ds
1781: .It Xo
1782: .Fl aes128 | aes192 | aes256 |
1783: .Fl des | des3
1784: .Xc
1.51 jmc 1785: Encrypt the private key with the AES, DES,
1.1 jsing 1786: or the triple DES ciphers, respectively, before outputting it.
1787: A pass phrase is prompted for.
1788: If none of these options are specified, no encryption is used.
1789: .It Fl out Ar file
1.51 jmc 1790: The output file to write to,
1.57 jmc 1791: or standard output if not specified.
1.1 jsing 1792: .It Ar paramfile
1.51 jmc 1793: Specify the DSA parameter file to use.
1.1 jsing 1794: The parameters in this file determine the size of the private key.
1795: .El
1796: .Sh GENPKEY
1797: .nr nS 1
1798: .Nm "openssl genpkey"
1799: .Op Fl algorithm Ar alg
1800: .Op Ar cipher
1801: .Op Fl genparam
1802: .Op Fl out Ar file
1.52 jmc 1803: .Op Fl outform Cm der | pem
1.1 jsing 1804: .Op Fl paramfile Ar file
1805: .Op Fl pass Ar arg
1806: .Op Fl pkeyopt Ar opt : Ns Ar value
1807: .Op Fl text
1808: .nr nS 0
1809: .Pp
1810: The
1811: .Nm genpkey
1812: command generates private keys.
1813: The use of this
1814: program is encouraged over the algorithm specific utilities
1.22 bcook 1815: because additional algorithm options can be used.
1.1 jsing 1816: .Pp
1817: The options are as follows:
1818: .Bl -tag -width Ds
1819: .It Fl algorithm Ar alg
1820: The public key algorithm to use,
1821: such as RSA, DSA, or DH.
1.52 jmc 1822: This option must precede any
1.1 jsing 1823: .Fl pkeyopt
1824: options.
1825: The options
1826: .Fl paramfile
1827: and
1828: .Fl algorithm
1829: are mutually exclusive.
1830: .It Ar cipher
1831: Encrypt the private key with the supplied cipher.
1832: Any algorithm name accepted by
1.52 jmc 1833: .Xr EVP_get_cipherbyname 3
1834: is acceptable.
1.1 jsing 1835: .It Fl genparam
1836: Generate a set of parameters instead of a private key.
1.52 jmc 1837: This option must precede any
1.1 jsing 1838: .Fl algorithm ,
1839: .Fl paramfile ,
1840: or
1841: .Fl pkeyopt
1842: options.
1843: .It Fl out Ar file
1.52 jmc 1844: The output file to write to,
1.57 jmc 1845: or standard output if not specified.
1.52 jmc 1846: .It Fl outform Cm der | pem
1847: The output format.
1.1 jsing 1848: .It Fl paramfile Ar file
1.52 jmc 1849: Some public key algorithms generate a private key based on a set of parameters,
1850: which can be supplied using this option.
1.1 jsing 1851: If this option is used the public key
1852: algorithm used is determined by the parameters.
1.52 jmc 1853: This option must precede any
1.1 jsing 1854: .Fl pkeyopt
1855: options.
1856: The options
1857: .Fl paramfile
1858: and
1859: .Fl algorithm
1860: are mutually exclusive.
1861: .It Fl pass Ar arg
1862: The output file password source.
1863: .It Fl pkeyopt Ar opt : Ns Ar value
1864: Set the public key algorithm option
1865: .Ar opt
1866: to
1.52 jmc 1867: .Ar value ,
1868: as follows:
1.1 jsing 1869: .Bl -tag -width Ds -offset indent
1870: .It rsa_keygen_bits : Ns Ar numbits
1871: (RSA)
1872: The number of bits in the generated key.
1.52 jmc 1873: The default is 2048.
1.1 jsing 1874: .It rsa_keygen_pubexp : Ns Ar value
1875: (RSA)
1876: The RSA public exponent value.
1877: This can be a large decimal or hexadecimal value if preceded by 0x.
1.52 jmc 1878: The default is 65537.
1.1 jsing 1879: .It dsa_paramgen_bits : Ns Ar numbits
1880: (DSA)
1881: The number of bits in the generated parameters.
1.52 jmc 1882: The default is 1024.
1.1 jsing 1883: .It dh_paramgen_prime_len : Ns Ar numbits
1884: (DH)
1885: The number of bits in the prime parameter
1886: .Ar p .
1887: .It dh_paramgen_generator : Ns Ar value
1888: (DH)
1889: The value to use for the generator
1890: .Ar g .
1891: .It ec_paramgen_curve : Ns Ar curve
1892: (EC)
1893: The EC curve to use.
1894: .El
1.52 jmc 1895: .It Fl text
1.64 ! jmc 1896: Print the private/public key in plain text.
1.52 jmc 1897: .El
1.1 jsing 1898: .Sh GENRSA
1899: .nr nS 1
1900: .Nm "openssl genrsa"
1901: .Op Fl 3 | f4
1.53 jmc 1902: .Op Fl aes128 | aes192 | aes256 | des | des3
1.1 jsing 1903: .Op Fl out Ar file
1904: .Op Fl passout Ar arg
1905: .Op Ar numbits
1906: .nr nS 0
1907: .Pp
1908: The
1909: .Nm genrsa
1.53 jmc 1910: command generates an RSA private key,
1911: which essentially involves the generation of two prime numbers.
1912: When generating the key,
1913: various symbols will be output to indicate the progress of the generation.
1914: A
1915: .Sq \&.
1916: represents each number which has passed an initial sieve test;
1917: .Sq +
1918: means a number has passed a single round of the Miller-Rabin primality test.
1919: A newline means that the number has passed all the prime tests
1920: (the actual number depends on the key size).
1.1 jsing 1921: .Pp
1922: The options are as follows:
1923: .Bl -tag -width Ds
1924: .It Fl 3 | f4
1925: The public exponent to use, either 3 or 65537.
1926: The default is 65537.
1.53 jmc 1927: .It Fl aes128 | aes192 | aes256 | des | des3
1928: Encrypt the private key with the AES, DES,
1.1 jsing 1929: or the triple DES ciphers, respectively, before outputting it.
1930: If none of these options are specified, no encryption is used.
1931: If encryption is used, a pass phrase is prompted for,
1932: if it is not supplied via the
1933: .Fl passout
1934: option.
1935: .It Fl out Ar file
1.53 jmc 1936: The output file to write to,
1.57 jmc 1937: or standard output if not specified.
1.1 jsing 1938: .It Fl passout Ar arg
1939: The output file password source.
1940: .It Ar numbits
1941: The size of the private key to generate in bits.
1942: This must be the last option specified.
1943: The default is 2048.
1944: .El
1945: .Sh NSEQ
1946: .Nm openssl nseq
1947: .Op Fl in Ar file
1948: .Op Fl out Ar file
1949: .Op Fl toseq
1950: .Pp
1951: The
1952: .Nm nseq
1.54 jmc 1953: command takes a file containing a Netscape certificate sequence
1954: (an alternative to the standard PKCS#7 format)
1955: and prints out the certificates contained in it,
1956: or takes a file of certificates
1957: and converts it into a Netscape certificate sequence.
1958: .Pp
1959: The PEM-encoded form uses the same headers and footers as a certificate:
1960: .Bd -unfilled -offset indent
1961: -----BEGIN CERTIFICATE-----
1962: -----END CERTIFICATE-----
1963: .Ed
1.1 jsing 1964: .Pp
1965: The options are as follows:
1966: .Bl -tag -width Ds
1967: .It Fl in Ar file
1.54 jmc 1968: The input file to read from,
1969: or standard input if not specified.
1.1 jsing 1970: .It Fl out Ar file
1.54 jmc 1971: The output file to write to,
1972: or standard output if not specified.
1.1 jsing 1973: .It Fl toseq
1974: Normally, a Netscape certificate sequence will be input and the output
1975: is the certificates contained in it.
1976: With the
1977: .Fl toseq
1978: option the situation is reversed:
1979: a Netscape certificate sequence is created from a file of certificates.
1980: .El
1981: .Sh OCSP
1982: .nr nS 1
1983: .Nm "openssl ocsp"
1984: .Op Fl CA Ar file
1985: .Op Fl CAfile Ar file
1986: .Op Fl CApath Ar directory
1987: .Op Fl cert Ar file
1988: .Op Fl dgst Ar alg
1.55 jmc 1989: .Op Fl host Ar hostname : Ns Ar port
1.1 jsing 1990: .Op Fl index Ar indexfile
1991: .Op Fl issuer Ar file
1992: .Op Fl ndays Ar days
1993: .Op Fl nmin Ar minutes
1994: .Op Fl no_cert_checks
1995: .Op Fl no_cert_verify
1996: .Op Fl no_certs
1997: .Op Fl no_chain
1998: .Op Fl no_intern
1999: .Op Fl no_nonce
2000: .Op Fl no_signature_verify
2001: .Op Fl nonce
2002: .Op Fl noverify
2003: .Op Fl nrequest Ar number
2004: .Op Fl out Ar file
2005: .Op Fl path Ar path
2006: .Op Fl port Ar portnum
2007: .Op Fl req_text
2008: .Op Fl reqin Ar file
2009: .Op Fl reqout Ar file
2010: .Op Fl resp_key_id
2011: .Op Fl resp_no_certs
2012: .Op Fl resp_text
2013: .Op Fl respin Ar file
2014: .Op Fl respout Ar file
2015: .Op Fl rkey Ar file
2016: .Op Fl rother Ar file
2017: .Op Fl rsigner Ar file
2018: .Op Fl serial Ar number
2019: .Op Fl sign_other Ar file
2020: .Op Fl signer Ar file
2021: .Op Fl signkey Ar file
2022: .Op Fl status_age Ar age
2023: .Op Fl text
2024: .Op Fl trust_other
2025: .Op Fl url Ar responder_url
2026: .Op Fl VAfile Ar file
2027: .Op Fl validity_period Ar nsec
2028: .Op Fl verify_other Ar file
2029: .nr nS 0
2030: .Pp
1.55 jmc 2031: The Online Certificate Status Protocol (OCSP)
2032: enables applications to determine the (revocation) state
2033: of an identified certificate (RFC 2560).
1.1 jsing 2034: .Pp
2035: The
2036: .Nm ocsp
2037: command performs many common OCSP tasks.
2038: It can be used to print out requests and responses,
2039: create requests and send queries to an OCSP responder,
2040: and behave like a mini OCSP server itself.
2041: .Pp
2042: The options are as follows:
2043: .Bl -tag -width Ds
2044: .It Fl CAfile Ar file , Fl CApath Ar directory
1.55 jmc 2045: A file or path containing trusted CA certificates,
2046: used to verify the signature on the OCSP response.
1.1 jsing 2047: .It Fl cert Ar file
2048: Add the certificate
2049: .Ar file
2050: to the request.
2051: The issuer certificate is taken from the previous
2052: .Fl issuer
2053: option, or an error occurs if no issuer certificate is specified.
2054: .It Fl dgst Ar alg
1.55 jmc 2055: Use the digest algorithm
2056: .Ar alg
2057: for certificate identification in the OCSP request.
1.1 jsing 2058: By default SHA-1 is used.
2059: .It Xo
2060: .Fl host Ar hostname : Ns Ar port ,
2061: .Fl path Ar path
2062: .Xc
1.55 jmc 2063: Send
2064: the OCSP request to
1.1 jsing 2065: .Ar hostname
1.55 jmc 2066: on
1.1 jsing 2067: .Ar port .
2068: .Fl path
2069: specifies the HTTP path name to use, or
1.55 jmc 2070: .Pa /
1.1 jsing 2071: by default.
2072: .It Fl issuer Ar file
1.55 jmc 2073: The current issuer certificate,
2074: in PEM format.
2075: Can be used multiple times
2076: and must come before any
1.1 jsing 2077: .Fl cert
2078: options.
2079: .It Fl no_cert_checks
2080: Don't perform any additional checks on the OCSP response signer's certificate.
2081: That is, do not make any checks to see if the signer's certificate is
2082: authorised to provide the necessary status information:
2083: as a result this option should only be used for testing purposes.
2084: .It Fl no_cert_verify
2085: Don't verify the OCSP response signer's certificate at all.
2086: Since this option allows the OCSP response to be signed by any certificate,
2087: it should only be used for testing purposes.
2088: .It Fl no_certs
1.55 jmc 2089: Don't include any certificates in the signed request.
1.1 jsing 2090: .It Fl no_chain
2091: Do not use certificates in the response as additional untrusted CA
2092: certificates.
2093: .It Fl no_intern
2094: Ignore certificates contained in the OCSP response
2095: when searching for the signer's certificate.
1.55 jmc 2096: The signer's certificate must be specified with either the
1.1 jsing 2097: .Fl verify_other
2098: or
2099: .Fl VAfile
2100: options.
2101: .It Fl no_signature_verify
2102: Don't check the signature on the OCSP response.
2103: Since this option tolerates invalid signatures on OCSP responses,
2104: it will normally only be used for testing purposes.
2105: .It Fl nonce , no_nonce
1.55 jmc 2106: Add an OCSP nonce extension to a request,
2107: or disable an OCSP nonce addition.
1.1 jsing 2108: Normally, if an OCSP request is input using the
2109: .Fl respin
1.55 jmc 2110: option no nonce is added:
1.1 jsing 2111: using the
2112: .Fl nonce
1.55 jmc 2113: option will force the addition of a nonce.
1.1 jsing 2114: If an OCSP request is being created (using the
2115: .Fl cert
2116: and
2117: .Fl serial
2118: options)
1.55 jmc 2119: a nonce is automatically added; specifying
1.1 jsing 2120: .Fl no_nonce
2121: overrides this.
2122: .It Fl noverify
1.55 jmc 2123: Don't attempt to verify the OCSP response signature or the nonce values.
2124: This is normally only be used for debugging
1.1 jsing 2125: since it disables all verification of the responder's certificate.
2126: .It Fl out Ar file
1.55 jmc 2127: Specify the output file to write to,
1.57 jmc 2128: or standard output if not specified.
1.1 jsing 2129: .It Fl req_text , resp_text , text
2130: Print out the text form of the OCSP request, response, or both, respectively.
2131: .It Fl reqin Ar file , Fl respin Ar file
2132: Read an OCSP request or response file from
2133: .Ar file .
2134: These options are ignored
2135: if an OCSP request or response creation is implied by other options
2136: (for example with the
2137: .Fl serial , cert ,
2138: and
2139: .Fl host
2140: options).
2141: .It Fl reqout Ar file , Fl respout Ar file
2142: Write out the DER-encoded certificate request or response to
2143: .Ar file .
2144: .It Fl serial Ar num
2145: Same as the
2146: .Fl cert
2147: option except the certificate with serial number
2148: .Ar num
2149: is added to the request.
2150: The serial number is interpreted as a decimal integer unless preceded by
2151: .Sq 0x .
1.55 jmc 2152: Negative integers can also be specified
2153: by preceding the value with a minus sign.
1.1 jsing 2154: .It Fl sign_other Ar file
2155: Additional certificates to include in the signed request.
2156: .It Fl signer Ar file , Fl signkey Ar file
2157: Sign the OCSP request using the certificate specified in the
2158: .Fl signer
2159: option and the private key specified by the
2160: .Fl signkey
2161: option.
2162: If the
2163: .Fl signkey
2164: option is not present, then the private key is read from the same file
2165: as the certificate.
2166: If neither option is specified, the OCSP request is not signed.
2167: .It Fl trust_other
2168: The certificates specified by the
2169: .Fl verify_other
2170: option should be explicitly trusted and no additional checks will be
2171: performed on them.
2172: This is useful when the complete responder certificate chain is not available
2173: or trusting a root CA is not appropriate.
2174: .It Fl url Ar responder_url
2175: Specify the responder URL.
2176: Both HTTP and HTTPS
2177: .Pq SSL/TLS
2178: URLs can be specified.
2179: .It Fl VAfile Ar file
1.55 jmc 2180: A file containing explicitly trusted responder certificates.
1.1 jsing 2181: Equivalent to the
2182: .Fl verify_other
2183: and
2184: .Fl trust_other
2185: options.
2186: .It Fl validity_period Ar nsec , Fl status_age Ar age
1.55 jmc 2187: The range of times, in seconds, which will be tolerated in an OCSP response.
2188: Each certificate status response includes a notBefore time
2189: and an optional notAfter time.
1.1 jsing 2190: The current time should fall between these two values,
2191: but the interval between the two times may be only a few seconds.
2192: In practice the OCSP responder and clients' clocks may not be precisely
2193: synchronised and so such a check may fail.
2194: To avoid this the
2195: .Fl validity_period
2196: option can be used to specify an acceptable error range in seconds,
1.55 jmc 2197: the default value being 5 minutes.
1.1 jsing 2198: .Pp
1.55 jmc 2199: If the notAfter time is omitted from a response,
2200: it means that new status information is immediately available.
2201: In this case the age of the notBefore field is checked
2202: to see it is not older than
1.1 jsing 2203: .Ar age
2204: seconds old.
2205: By default, this additional check is not performed.
2206: .It Fl verify_other Ar file
1.55 jmc 2207: A file containing additional certificates to search
2208: when attempting to locate the OCSP response signing certificate.
2209: Some responders omit the actual signer's certificate from the response,
2210: so this can be used to supply the necessary certificate.
1.1 jsing 2211: .El
1.55 jmc 2212: .Pp
2213: The options for the OCSP server are as follows:
1.1 jsing 2214: .Bl -tag -width "XXXX"
2215: .It Fl CA Ar file
2216: CA certificate corresponding to the revocation information in
2217: .Ar indexfile .
2218: .It Fl index Ar indexfile
2219: .Ar indexfile
1.55 jmc 2220: is a text index file in ca format
2221: containing certificate revocation information.
1.1 jsing 2222: .Pp
1.55 jmc 2223: If this option is specified,
1.1 jsing 2224: .Nm ocsp
1.55 jmc 2225: is in responder mode, otherwise it is in client mode.
2226: The requests the responder processes can be either specified on
1.1 jsing 2227: the command line (using the
2228: .Fl issuer
2229: and
2230: .Fl serial
2231: options), supplied in a file (using the
2232: .Fl respin
1.55 jmc 2233: option), or via external OCSP clients (if
1.1 jsing 2234: .Ar port
2235: or
2236: .Ar url
2237: is specified).
2238: .Pp
1.55 jmc 2239: If this option is present, then the
1.1 jsing 2240: .Fl CA
2241: and
2242: .Fl rsigner
2243: options must also be present.
2244: .It Fl nmin Ar minutes , Fl ndays Ar days
2245: Number of
2246: .Ar minutes
2247: or
2248: .Ar days
1.55 jmc 2249: when fresh revocation information is available:
2250: used in the nextUpdate field.
2251: If neither option is present,
2252: the nextUpdate field is omitted,
2253: meaning fresh revocation information is immediately available.
1.1 jsing 2254: .It Fl nrequest Ar number
1.55 jmc 2255: Exit after receiving
1.1 jsing 2256: .Ar number
1.55 jmc 2257: requests (the default is unlimited).
1.1 jsing 2258: .It Fl port Ar portnum
2259: Port to listen for OCSP requests on.
1.55 jmc 2260: May also be specified using the
1.1 jsing 2261: .Fl url
2262: option.
2263: .It Fl resp_key_id
2264: Identify the signer certificate using the key ID;
1.55 jmc 2265: the default is to use the subject name.
1.1 jsing 2266: .It Fl resp_no_certs
2267: Don't include any certificates in the OCSP response.
2268: .It Fl rkey Ar file
2269: The private key to sign OCSP responses with;
2270: if not present, the file specified in the
2271: .Fl rsigner
2272: option is used.
2273: .It Fl rother Ar file
2274: Additional certificates to include in the OCSP response.
2275: .It Fl rsigner Ar file
2276: The certificate to sign OCSP responses with.
2277: .El
2278: .Pp
2279: Initially the OCSP responder certificate is located and the signature on
2280: the OCSP request checked using the responder certificate's public key.
2281: Then a normal certificate verify is performed on the OCSP responder certificate
2282: building up a certificate chain in the process.
2283: The locations of the trusted certificates used to build the chain can be
2284: specified by the
2285: .Fl CAfile
2286: and
2287: .Fl CApath
2288: options or they will be looked for in the standard
1.55 jmc 2289: .Nm openssl
2290: certificates directory.
1.1 jsing 2291: .Pp
1.55 jmc 2292: If the initial verify fails, the OCSP verify process halts with an error.
1.1 jsing 2293: Otherwise the issuing CA certificate in the request is compared to the OCSP
2294: responder certificate: if there is a match then the OCSP verify succeeds.
2295: .Pp
2296: Otherwise the OCSP responder certificate's CA is checked against the issuing
2297: CA certificate in the request.
2298: If there is a match and the OCSPSigning extended key usage is present
2299: in the OCSP responder certificate, then the OCSP verify succeeds.
2300: .Pp
2301: Otherwise the root CA of the OCSP responder's CA is checked to see if it
2302: is trusted for OCSP signing.
2303: If it is, the OCSP verify succeeds.
2304: .Pp
2305: If none of these checks is successful, the OCSP verify fails.
2306: What this effectively means is that if the OCSP responder certificate is
2307: authorised directly by the CA it is issuing revocation information about
1.55 jmc 2308: (and it is correctly configured),
1.1 jsing 2309: then verification will succeed.
2310: .Pp
1.55 jmc 2311: If the OCSP responder is a global responder,
2312: which can give details about multiple CAs
2313: and has its own separate certificate chain,
2314: then its root CA can be trusted for OCSP signing.
1.1 jsing 2315: For example:
2316: .Bd -literal -offset indent
2317: $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e
2318: -out trustedCA.pem
2319: .Ed
2320: .Pp
2321: Alternatively, the responder certificate itself can be explicitly trusted
2322: with the
2323: .Fl VAfile
2324: option.
2325: .Sh PASSWD
2326: .nr nS 1
2327: .Nm "openssl passwd"
2328: .Op Fl 1 | apr1 | crypt
2329: .Op Fl in Ar file
2330: .Op Fl noverify
2331: .Op Fl quiet
2332: .Op Fl reverse
2333: .Op Fl salt Ar string
2334: .Op Fl stdin
2335: .Op Fl table
2336: .Op Ar password
2337: .nr nS 0
2338: .Pp
2339: The
2340: .Nm passwd
1.56 jmc 2341: command computes the hash of a password.
1.1 jsing 2342: .Pp
2343: The options are as follows:
2344: .Bl -tag -width Ds
2345: .It Fl 1
2346: Use the MD5 based
2347: .Bx
2348: password algorithm
1.56 jmc 2349: .Qq 1 .
1.1 jsing 2350: .It Fl apr1
2351: Use the
1.56 jmc 2352: .Qq apr1
1.1 jsing 2353: algorithm
1.56 jmc 2354: .Po
2355: Apache variant of the
1.1 jsing 2356: .Bx
1.56 jmc 2357: algorithm
2358: .Pc .
1.1 jsing 2359: .It Fl crypt
2360: Use the
1.56 jmc 2361: .Qq crypt
2362: algorithm (the default).
1.1 jsing 2363: .It Fl in Ar file
2364: Read passwords from
2365: .Ar file .
2366: .It Fl noverify
2367: Don't verify when reading a password from the terminal.
2368: .It Fl quiet
2369: Don't output warnings when passwords given on the command line are truncated.
2370: .It Fl reverse
2371: Switch table columns.
2372: This only makes sense in conjunction with the
2373: .Fl table
2374: option.
2375: .It Fl salt Ar string
1.56 jmc 2376: Use the salt specified by
2377: .Ar string .
1.1 jsing 2378: When reading a password from the terminal, this implies
2379: .Fl noverify .
2380: .It Fl stdin
1.56 jmc 2381: Read passwords from standard input.
1.1 jsing 2382: .It Fl table
2383: In the output list, prepend the cleartext password and a TAB character
2384: to each password hash.
2385: .El
2386: .Sh PKCS7
2387: .nr nS 1
2388: .Nm "openssl pkcs7"
2389: .Op Fl in Ar file
1.57 jmc 2390: .Op Fl inform Cm der | pem
1.1 jsing 2391: .Op Fl noout
2392: .Op Fl out Ar file
1.57 jmc 2393: .Op Fl outform Cm der | pem
1.1 jsing 2394: .Op Fl print_certs
2395: .Op Fl text
2396: .nr nS 0
2397: .Pp
2398: The
2399: .Nm pkcs7
2400: command processes PKCS#7 files in DER or PEM format.
1.57 jmc 2401: The PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC 2315.
2402: They cannot currently parse, for example, the new CMS as described in RFC 2630.
2403: .Pp
1.1 jsing 2404: The options are as follows:
2405: .Bl -tag -width Ds
2406: .It Fl in Ar file
1.57 jmc 2407: The input file to read from,
2408: or standard input if not specified.
2409: .It Fl inform Cm der | pem
2410: The input format.
1.1 jsing 2411: .It Fl noout
2412: Don't output the encoded version of the PKCS#7 structure
2413: (or certificates if
2414: .Fl print_certs
2415: is set).
2416: .It Fl out Ar file
1.57 jmc 2417: The output to write to,
2418: or standard output if not specified.
2419: .It Fl outform Cm der | pem
2420: The output format.
1.1 jsing 2421: .It Fl print_certs
1.57 jmc 2422: Print any certificates or CRLs contained in the file,
2423: preceded by their subject and issuer names in a one-line format.
1.1 jsing 2424: .It Fl text
1.57 jmc 2425: Print certificate details in full rather than just subject and issuer names.
1.1 jsing 2426: .El
2427: .Sh PKCS8
2428: .nr nS 1
2429: .Nm "openssl pkcs8"
2430: .Op Fl embed
2431: .Op Fl in Ar file
1.58 jmc 2432: .Op Fl inform Cm der | pem
1.1 jsing 2433: .Op Fl nocrypt
2434: .Op Fl noiter
2435: .Op Fl nooct
2436: .Op Fl nsdb
2437: .Op Fl out Ar file
1.58 jmc 2438: .Op Fl outform Cm der | pem
1.1 jsing 2439: .Op Fl passin Ar arg
2440: .Op Fl passout Ar arg
2441: .Op Fl topk8
2442: .Op Fl v1 Ar alg
2443: .Op Fl v2 Ar alg
2444: .nr nS 0
2445: .Pp
2446: The
2447: .Nm pkcs8
1.58 jmc 2448: command processes private keys
2449: (both encrypted and unencrypted)
2450: in PKCS#8 format
2451: with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
2452: The default encryption is only 56 bits;
2453: keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
2454: are more secure.
2455: .Pp
2456: The encrypted form of a PEM-encoded PKCS#8 file uses the following
2457: headers and footers:
2458: .Bd -unfilled -offset indent
2459: -----BEGIN ENCRYPTED PRIVATE KEY-----
2460: -----END ENCRYPTED PRIVATE KEY-----
2461: .Ed
2462: .Pp
2463: The unencrypted form uses:
2464: .Bd -unfilled -offset indent
2465: -----BEGIN PRIVATE KEY-----
2466: -----END PRIVATE KEY-----
2467: .Ed
1.1 jsing 2468: .Pp
2469: The options are as follows:
2470: .Bl -tag -width Ds
2471: .It Fl embed
1.58 jmc 2472: Generate DSA keys in a broken format.
2473: The DSA parameters are embedded inside the PrivateKey structure.
1.1 jsing 2474: In this form the OCTET STRING contains an ASN1 SEQUENCE consisting of
2475: two structures:
2476: a SEQUENCE containing the parameters and an ASN1 INTEGER containing
2477: the private key.
2478: .It Fl in Ar file
1.58 jmc 2479: The input file to read from,
2480: or standard input if not specified.
1.1 jsing 2481: If the key is encrypted, a pass phrase will be prompted for.
1.58 jmc 2482: .It Fl inform Cm der | pem
2483: The input format.
1.1 jsing 2484: .It Fl nocrypt
1.58 jmc 2485: Generate an unencrypted PrivateKeyInfo structure.
2486: This option does not encrypt private keys at all
2487: and should only be used when absolutely necessary.
1.1 jsing 2488: .It Fl noiter
2489: Use an iteration count of 1.
2490: See the
2491: .Sx PKCS12
2492: section below for a detailed explanation of this option.
2493: .It Fl nooct
1.58 jmc 2494: Generate RSA private keys in a broken format that some software uses.
1.1 jsing 2495: Specifically the private key should be enclosed in an OCTET STRING,
2496: but some software just includes the structure itself without the
2497: surrounding OCTET STRING.
2498: .It Fl nsdb
1.58 jmc 2499: Generate DSA keys in a broken format compatible with Netscape
1.1 jsing 2500: private key databases.
1.58 jmc 2501: The PrivateKey contains a SEQUENCE
2502: consisting of the public and private keys, respectively.
1.1 jsing 2503: .It Fl out Ar file
1.58 jmc 2504: The output file to write to,
2505: or standard output if none is specified.
1.1 jsing 2506: If any encryption options are set, a pass phrase will be prompted for.
1.58 jmc 2507: .It Fl outform Cm der | pem
2508: The output format.
1.1 jsing 2509: .It Fl passin Ar arg
2510: The key password source.
2511: .It Fl passout Ar arg
2512: The output file password source.
2513: .It Fl topk8
1.58 jmc 2514: Read a traditional format private key and write a PKCS#8 format key.
1.1 jsing 2515: .It Fl v1 Ar alg
1.58 jmc 2516: Specify a PKCS#5 v1.5 or PKCS#12 algorithm to use.
2517: .Pp
2518: .Bl -tag -width "XXXX" -compact
2519: .It PBE-MD5-DES
2520: 56-bit DES.
2521: .It PBE-SHA1-RC2-64 | PBE-MD5-RC2-64 | PBE-SHA1-DES
2522: 64-bit RC2 or 56-bit DES.
2523: .It PBE-SHA1-RC4-128 | PBE-SHA1-RC4-40 | PBE-SHA1-3DES
2524: .It PBE-SHA1-2DES | PBE-SHA1-RC2-128 | PBE-SHA1-RC2-40
2525: PKCS#12 password-based encryption algorithm,
2526: which allow strong encryption algorithms like triple DES or 128-bit RC2.
2527: .El
1.1 jsing 2528: .It Fl v2 Ar alg
1.58 jmc 2529: Use PKCS#5 v2.0 algorithms.
2530: Supports algorithms such as 168-bit triple DES or 128-bit RC2,
2531: however not many implementations support PKCS#5 v2.0 yet
2532: (if using private keys with
2533: .Nm openssl
2534: this doesn't matter).
1.1 jsing 2535: .Pp
2536: .Ar alg
1.58 jmc 2537: is the encryption algorithm to use;
2538: valid values include des, des3, and rc2.
2539: It is recommended that des3 is used.
1.1 jsing 2540: .El
2541: .Sh PKCS12
2542: .nr nS 1
2543: .Nm "openssl pkcs12"
1.59 jmc 2544: .Op Fl aes128 | aes192 | aes256 | des | des3
1.1 jsing 2545: .Op Fl cacerts
2546: .Op Fl CAfile Ar file
2547: .Op Fl caname Ar name
2548: .Op Fl CApath Ar directory
2549: .Op Fl certfile Ar file
2550: .Op Fl certpbe Ar alg
2551: .Op Fl chain
2552: .Op Fl clcerts
2553: .Op Fl CSP Ar name
2554: .Op Fl descert
2555: .Op Fl export
2556: .Op Fl in Ar file
2557: .Op Fl info
2558: .Op Fl inkey Ar file
2559: .Op Fl keyex
2560: .Op Fl keypbe Ar alg
2561: .Op Fl keysig
2562: .Op Fl macalg Ar alg
2563: .Op Fl maciter
2564: .Op Fl name Ar name
2565: .Op Fl nocerts
2566: .Op Fl nodes
2567: .Op Fl noiter
2568: .Op Fl nokeys
2569: .Op Fl nomac
2570: .Op Fl nomaciter
2571: .Op Fl nomacver
2572: .Op Fl noout
2573: .Op Fl out Ar file
2574: .Op Fl passin Ar arg
2575: .Op Fl passout Ar arg
2576: .Op Fl twopass
2577: .nr nS 0
2578: .Pp
2579: The
2580: .Nm pkcs12
2581: command allows PKCS#12 files
2582: .Pq sometimes referred to as PFX files
2583: to be created and parsed.
2584: By default, a PKCS#12 file is parsed;
2585: a PKCS#12 file can be created by using the
2586: .Fl export
1.59 jmc 2587: option.
2588: .Pp
2589: The options for parsing a PKCS12 file are as follows:
1.1 jsing 2590: .Bl -tag -width "XXXX"
1.59 jmc 2591: .It Fl aes128 | aes192 | aes256 | des | des3
2592: Encrypt private keys
2593: using AES, DES, or triple DES, respectively.
1.1 jsing 2594: The default is triple DES.
2595: .It Fl cacerts
2596: Only output CA certificates
2597: .Pq not client certificates .
2598: .It Fl clcerts
2599: Only output client certificates
2600: .Pq not CA certificates .
2601: .It Fl in Ar file
1.59 jmc 2602: The input file to read from,
2603: or standard input if not specified.
1.1 jsing 2604: .It Fl info
2605: Output additional information about the PKCS#12 file structure,
2606: algorithms used, and iteration counts.
2607: .It Fl nocerts
1.59 jmc 2608: Do not output certificates.
1.1 jsing 2609: .It Fl nodes
1.59 jmc 2610: Do not encrypt private keys.
1.1 jsing 2611: .It Fl nokeys
1.59 jmc 2612: Do not output private keys.
1.1 jsing 2613: .It Fl nomacver
1.59 jmc 2614: Do not attempt to verify the integrity MAC before reading the file.
1.1 jsing 2615: .It Fl noout
1.59 jmc 2616: Do not output the keys and certificates to the output file
1.1 jsing 2617: version of the PKCS#12 file.
2618: .It Fl out Ar file
1.59 jmc 2619: The output file to write to,
2620: or standard output if not specified.
1.1 jsing 2621: .It Fl passin Ar arg
2622: The key password source.
2623: .It Fl passout Ar arg
2624: The output file password source.
2625: .It Fl twopass
2626: Prompt for separate integrity and encryption passwords: most software
2627: always assumes these are the same so this option will render such
2628: PKCS#12 files unreadable.
2629: .El
1.59 jmc 2630: .Pp
2631: The options for PKCS12 file creation are as follows:
1.1 jsing 2632: .Bl -tag -width "XXXX"
2633: .It Fl CAfile Ar file
2634: CA storage as a file.
2635: .It Fl CApath Ar directory
2636: CA storage as a directory.
1.59 jmc 2637: The directory must be a standard certificate directory:
1.1 jsing 2638: that is, a hash of each subject name (using
1.59 jmc 2639: .Nm x509 Fl hash )
1.1 jsing 2640: should be linked to each certificate.
2641: .It Fl caname Ar name
1.59 jmc 2642: Specify the
1.1 jsing 2643: .Qq friendly name
2644: for other certificates.
1.59 jmc 2645: May be used multiple times to specify names for all certificates
1.1 jsing 2646: in the order they appear.
2647: .It Fl certfile Ar file
2648: A file to read additional certificates from.
2649: .It Fl certpbe Ar alg , Fl keypbe Ar alg
1.59 jmc 2650: Specify the algorithm used to encrypt the private key and
1.1 jsing 2651: certificates to be selected.
1.59 jmc 2652: Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name can be used.
1.1 jsing 2653: If a cipher name
2654: (as output by the
2655: .Cm list-cipher-algorithms
2656: command) is specified then it
2657: is used with PKCS#5 v2.0.
2658: For interoperability reasons it is advisable to only use PKCS#12 algorithms.
2659: .It Fl chain
1.59 jmc 2660: Include the entire certificate chain of the user certificate.
1.1 jsing 2661: The standard CA store is used for this search.
2662: If the search fails, it is considered a fatal error.
2663: .It Fl CSP Ar name
2664: Write
2665: .Ar name
2666: as a Microsoft CSP name.
2667: .It Fl descert
2668: Encrypt the certificate using triple DES; this may render the PKCS#12
2669: file unreadable by some
2670: .Qq export grade
2671: software.
2672: By default, the private key is encrypted using triple DES and the
2673: certificate using 40-bit RC2.
2674: .It Fl export
1.59 jmc 2675: Create a PKCS#12 file (rather than parsing one).
1.1 jsing 2676: .It Fl in Ar file
1.59 jmc 2677: The input file to read from,
2678: or standard input if not specified,
2679: in PEM format.
1.1 jsing 2680: The order doesn't matter but one private key and its corresponding
2681: certificate should be present.
2682: If additional certificates are present, they will also be included
2683: in the PKCS#12 file.
2684: .It Fl inkey Ar file
1.59 jmc 2685: File to read a private key from.
1.1 jsing 2686: If not present, a private key must be present in the input file.
2687: .It Fl keyex | keysig
1.59 jmc 2688: Specify whether the private key is to be used for key exchange or just signing.
1.1 jsing 2689: Normally,
2690: .Qq export grade
2691: software will only allow 512-bit RSA keys to be
2692: used for encryption purposes, but arbitrary length keys for signing.
2693: The
2694: .Fl keysig
2695: option marks the key for signing only.
2696: Signing only keys can be used for S/MIME signing, authenticode
2697: .Pq ActiveX control signing
1.59 jmc 2698: and SSL client authentication.
1.1 jsing 2699: .It Fl macalg Ar alg
2700: Specify the MAC digest algorithm.
1.59 jmc 2701: The default is SHA1.
1.1 jsing 2702: .It Fl maciter
1.59 jmc 2703: Included for compatability only:
2704: it used to be needed to use MAC iterations counts
2705: but they are now used by default.
1.1 jsing 2706: .It Fl name Ar name
1.59 jmc 2707: Specify the
1.1 jsing 2708: .Qq friendly name
2709: for the certificate and private key.
2710: This name is typically displayed in list boxes by software importing the file.
2711: .It Fl nomac
2712: Don't attempt to provide the MAC integrity.
2713: .It Fl nomaciter , noiter
1.59 jmc 2714: Affect the iteration counts on the MAC and key algorithms.
1.1 jsing 2715: Unless you wish to produce files compatible with MSIE 4.0, you should leave
2716: these options alone.
2717: .Pp
2718: To discourage attacks by using large dictionaries of common passwords,
2719: the algorithm that derives keys from passwords can have an iteration count
2720: applied to it: this causes a certain part of the algorithm to be repeated
2721: and slows it down.
2722: The MAC is used to check the file integrity but since it will normally
2723: have the same password as the keys and certificates it could also be attacked.
2724: By default, both MAC and encryption iteration counts are set to 2048;
2725: using these options the MAC and encryption iteration counts can be set to 1.
2726: Since this reduces the file security you should not use these options
2727: unless you really have to.
2728: Most software supports both MAC and key iteration counts.
2729: MSIE 4.0 doesn't support MAC iteration counts, so it needs the
2730: .Fl nomaciter
2731: option.
2732: .It Fl out Ar file
1.59 jmc 2733: The output file to write to,
2734: or standard output if not specified.
1.1 jsing 2735: .It Fl passin Ar arg
2736: The key password source.
2737: .It Fl passout Ar arg
2738: The output file password source.
2739: .El
2740: .Sh PKEY
2741: .nr nS 1
2742: .Nm "openssl pkey"
2743: .Op Ar cipher
2744: .Op Fl in Ar file
1.60 jmc 2745: .Op Fl inform Cm der | pem
1.1 jsing 2746: .Op Fl noout
2747: .Op Fl out Ar file
1.60 jmc 2748: .Op Fl outform Cm der | pem
1.1 jsing 2749: .Op Fl passin Ar arg
2750: .Op Fl passout Ar arg
2751: .Op Fl pubin
2752: .Op Fl pubout
2753: .Op Fl text
2754: .Op Fl text_pub
2755: .nr nS 0
2756: .Pp
2757: The
2758: .Nm pkey
2759: command processes public or private keys.
2760: They can be converted between various forms
2761: and their components printed out.
2762: .Pp
2763: The options are as follows:
2764: .Bl -tag -width Ds
2765: .It Ar cipher
1.60 jmc 2766: Encrypt the private key with the specified cipher.
1.1 jsing 2767: Any algorithm name accepted by
1.60 jmc 2768: .Xr EVP_get_cipherbyname 3
1.1 jsing 2769: is acceptable, such as
2770: .Cm des3 .
2771: .It Fl in Ar file
1.60 jmc 2772: The input file to read from,
2773: or standard input if not specified.
1.1 jsing 2774: If the key is encrypted a pass phrase will be prompted for.
1.60 jmc 2775: .It Fl inform Cm der | pem
2776: The input format.
1.1 jsing 2777: .It Fl noout
2778: Do not output the encoded version of the key.
2779: .It Fl out Ar file
1.60 jmc 2780: The output file to write to,
2781: or standard output if not specified.
1.1 jsing 2782: If any encryption options are set then a pass phrase
2783: will be prompted for.
1.60 jmc 2784: .It Fl outform Cm der | pem
2785: The output format.
1.1 jsing 2786: .It Fl passin Ar arg
2787: The key password source.
2788: .It Fl passout Ar arg
2789: The output file password source.
2790: .It Fl pubin
1.60 jmc 2791: Read in a public key, not a private key.
1.1 jsing 2792: .It Fl pubout
1.60 jmc 2793: Output a public key, not a private key.
2794: Automatically set if the input is a public key.
1.1 jsing 2795: .It Fl text
1.64 ! jmc 2796: Print the public/private key in plain text.
1.1 jsing 2797: .It Fl text_pub
2798: Print out only public key components
2799: even if a private key is being processed.
2800: .El
2801: .Sh PKEYPARAM
2802: .Cm openssl pkeyparam
2803: .Op Fl in Ar file
2804: .Op Fl noout
2805: .Op Fl out Ar file
2806: .Op Fl text
2807: .Pp
2808: The
1.61 jmc 2809: .Nm pkeyparam
1.1 jsing 2810: command processes public or private keys.
1.61 jmc 2811: The key type is determined by the PEM headers.
1.1 jsing 2812: .Pp
2813: The options are as follows:
2814: .Bl -tag -width Ds
2815: .It Fl in Ar file
1.61 jmc 2816: The input file to read from,
2817: or standard input if not specified.
1.1 jsing 2818: .It Fl noout
2819: Do not output the encoded version of the parameters.
2820: .It Fl out Ar file
1.61 jmc 2821: The output file to write to,
2822: or standard output if not specified.
1.1 jsing 2823: .It Fl text
1.64 ! jmc 2824: Print the parameters in plain text.
1.1 jsing 2825: .El
2826: .Sh PKEYUTL
2827: .nr nS 1
2828: .Nm "openssl pkeyutl"
2829: .Op Fl asn1parse
2830: .Op Fl certin
2831: .Op Fl decrypt
2832: .Op Fl derive
2833: .Op Fl encrypt
2834: .Op Fl hexdump
2835: .Op Fl in Ar file
2836: .Op Fl inkey Ar file
1.62 jmc 2837: .Op Fl keyform Cm der | pem
1.1 jsing 2838: .Op Fl out Ar file
2839: .Op Fl passin Ar arg
1.62 jmc 2840: .Op Fl peerform Cm der | pem
1.1 jsing 2841: .Op Fl peerkey Ar file
2842: .Op Fl pkeyopt Ar opt : Ns Ar value
2843: .Op Fl pubin
2844: .Op Fl rev
2845: .Op Fl sigfile Ar file
2846: .Op Fl sign
2847: .Op Fl verify
2848: .Op Fl verifyrecover
2849: .nr nS 0
2850: .Pp
2851: The
2852: .Nm pkeyutl
2853: command can be used to perform public key operations using
2854: any supported algorithm.
2855: .Pp
2856: The options are as follows:
2857: .Bl -tag -width Ds
2858: .It Fl asn1parse
2859: ASN1parse the output data.
2860: This is useful when combined with the
2861: .Fl verifyrecover
2862: option when an ASN1 structure is signed.
2863: .It Fl certin
2864: The input is a certificate containing a public key.
2865: .It Fl decrypt
2866: Decrypt the input data using a private key.
2867: .It Fl derive
2868: Derive a shared secret using the peer key.
2869: .It Fl encrypt
2870: Encrypt the input data using a public key.
2871: .It Fl hexdump
2872: Hex dump the output data.
2873: .It Fl in Ar file
1.62 jmc 2874: The input file to read from,
2875: or standard input if not specified.
1.1 jsing 2876: .It Fl inkey Ar file
2877: The input key file.
2878: By default it should be a private key.
1.62 jmc 2879: .It Fl keyform Cm der | pem
2880: The key format.
1.1 jsing 2881: .It Fl out Ar file
1.62 jmc 2882: The output file to write to,
2883: or standard output if not specified.
1.1 jsing 2884: .It Fl passin Ar arg
2885: The key password source.
1.62 jmc 2886: .It Fl peerform Cm der | pem
2887: The peer key format.
1.1 jsing 2888: .It Fl peerkey Ar file
2889: The peer key file, used by key derivation (agreement) operations.
2890: .It Fl pkeyopt Ar opt : Ns Ar value
1.62 jmc 2891: Set the public key algorithm option
2892: .Ar opt
2893: to
2894: .Ar value .
2895: Unless otherwise mentioned, all algorithms support the format
2896: .Ar digest : Ns Ar alg ,
2897: which specifies the digest to use
1.1 jsing 2898: for sign, verify, and verifyrecover operations.
2899: The value
2900: .Ar alg
2901: should represent a digest name as used in the
1.62 jmc 2902: .Xr EVP_get_digestbyname 3
2903: function.
2904: .Pp
1.1 jsing 2905: The RSA algorithm supports the
2906: encrypt, decrypt, sign, verify, and verifyrecover operations in general.
2907: Some padding modes only support some of these
2908: operations however.
2909: .Bl -tag -width Ds
2910: .It rsa_padding_mode : Ns Ar mode
2911: This sets the RSA padding mode.
2912: Acceptable values for
2913: .Ar mode
2914: are
2915: .Cm pkcs1
2916: for PKCS#1 padding;
2917: .Cm none
2918: for no padding;
2919: .Cm oaep
2920: for OAEP mode;
2921: .Cm x931
2922: for X9.31 mode;
2923: and
2924: .Cm pss
2925: for PSS.
2926: .Pp
2927: In PKCS#1 padding if the message digest is not set then the supplied data is
2928: signed or verified directly instead of using a DigestInfo structure.
2929: If a digest is set then a DigestInfo
2930: structure is used and its length
2931: must correspond to the digest type.
2932: For oeap mode only encryption and decryption is supported.
2933: For x931 if the digest type is set it is used to format the block data;
2934: otherwise the first byte is used to specify the X9.31 digest ID.
2935: Sign, verify, and verifyrecover can be performed in this mode.
2936: For pss mode only sign and verify are supported and the digest type must be
2937: specified.
2938: .It rsa_pss_saltlen : Ns Ar len
2939: For pss
2940: mode only this option specifies the salt length.
2941: Two special values are supported:
2942: -1 sets the salt length to the digest length.
2943: When signing -2 sets the salt length to the maximum permissible value.
2944: When verifying -2 causes the salt length to be automatically determined
2945: based on the PSS block structure.
2946: .El
1.62 jmc 2947: .Pp
1.1 jsing 2948: The DSA algorithm supports the sign and verify operations.
2949: Currently there are no additional options other than
2950: .Ar digest .
2951: Only the SHA1 digest can be used and this digest is assumed by default.
1.62 jmc 2952: .Pp
1.1 jsing 2953: The DH algorithm supports the derive operation
2954: and no additional options.
1.62 jmc 2955: .Pp
1.1 jsing 2956: The EC algorithm supports the sign, verify, and derive operations.
2957: The sign and verify operations use ECDSA and derive uses ECDH.
2958: Currently there are no additional options other than
2959: .Ar digest .
2960: Only the SHA1 digest can be used and this digest is assumed by default.
1.62 jmc 2961: .It Fl pubin
2962: The input file is a public key.
2963: .It Fl rev
2964: Reverse the order of the input buffer.
2965: .It Fl sigfile Ar file
2966: Signature file (verify operation only).
2967: .It Fl sign
2968: Sign the input data and output the signed result.
2969: This requires a private key.
2970: .It Fl verify
2971: Verify the input data against the signature file and indicate if the
2972: verification succeeded or failed.
2973: .It Fl verifyrecover
2974: Verify the input data and output the recovered data.
2975: .El
1.1 jsing 2976: .Sh PRIME
2977: .Cm openssl prime
2978: .Op Fl bits Ar n
2979: .Op Fl checks Ar n
2980: .Op Fl generate
2981: .Op Fl hex
2982: .Op Fl safe
2983: .Ar p
2984: .Pp
2985: The
2986: .Nm prime
2987: command is used to generate prime numbers,
2988: or to check numbers for primality.
2989: Results are probabilistic:
2990: they have an exceedingly high likelihood of being correct,
2991: but are not guaranteed.
2992: .Pp
2993: The options are as follows:
2994: .Bl -tag -width Ds
2995: .It Fl bits Ar n
2996: Specify the number of bits in the generated prime number.
2997: Must be used in conjunction with
2998: .Fl generate .
2999: .It Fl checks Ar n
3000: Perform a Miller-Rabin probabilistic primality test with
3001: .Ar n
3002: iterations.
3003: The default is 20.
3004: .It Fl generate
3005: Generate a pseudo-random prime number.
3006: Must be used in conjunction with
3007: .Fl bits .
3008: .It Fl hex
3009: Output in hex format.
3010: .It Fl safe
3011: Generate only
3012: .Qq safe
3013: prime numbers
3014: (i.e. a prime p so that (p-1)/2 is also prime).
3015: .It Ar p
3016: Test if number
3017: .Ar p
3018: is prime.
3019: .El
3020: .Sh RAND
3021: .nr nS 1
3022: .Nm "openssl rand"
3023: .Op Fl base64
3024: .Op Fl hex
3025: .Op Fl out Ar file
3026: .Ar num
3027: .nr nS 0
3028: .Pp
3029: The
3030: .Nm rand
3031: command outputs
3032: .Ar num
3033: pseudo-random bytes.
3034: .Pp
3035: The options are as follows:
3036: .Bl -tag -width Ds
3037: .It Fl base64
3038: Perform
3039: .Em base64
3040: encoding on the output.
3041: .It Fl hex
3042: Specify hexadecimal output.
3043: .It Fl out Ar file
1.63 jmc 3044: The output file to write to,
3045: or standard output if not specified.
1.1 jsing 3046: .El
3047: .Sh REQ
3048: .nr nS 1
3049: .Nm "openssl req"
3050: .Op Fl asn1-kludge
3051: .Op Fl batch
3052: .Op Fl config Ar file
3053: .Op Fl days Ar n
3054: .Op Fl extensions Ar section
3055: .Op Fl in Ar file
1.63 jmc 3056: .Op Fl inform Cm der | pem
1.1 jsing 3057: .Op Fl key Ar keyfile
1.63 jmc 3058: .Op Fl keyform Cm der | pem
1.1 jsing 3059: .Op Fl keyout Ar file
1.28 doug 3060: .Op Fl md4 | md5 | sha1
1.1 jsing 3061: .Op Fl modulus
3062: .Op Fl nameopt Ar option
3063: .Op Fl new
3064: .Op Fl newhdr
3065: .Op Fl newkey Ar arg
3066: .Op Fl no-asn1-kludge
3067: .Op Fl nodes
3068: .Op Fl noout
3069: .Op Fl out Ar file
1.63 jmc 3070: .Op Fl outform Cm der | pem
1.1 jsing 3071: .Op Fl passin Ar arg
3072: .Op Fl passout Ar arg
3073: .Op Fl pubkey
3074: .Op Fl reqexts Ar section
3075: .Op Fl reqopt Ar option
3076: .Op Fl set_serial Ar n
3077: .Op Fl subj Ar arg
3078: .Op Fl subject
3079: .Op Fl text
3080: .Op Fl utf8
3081: .Op Fl verbose
3082: .Op Fl verify
3083: .Op Fl x509
3084: .nr nS 0
3085: .Pp
3086: The
3087: .Nm req
3088: command primarily creates and processes certificate requests
3089: in PKCS#10 format.
3090: It can additionally create self-signed certificates,
3091: for use as root CAs, for example.
3092: .Pp
3093: The options are as follows:
3094: .Bl -tag -width Ds
3095: .It Fl asn1-kludge
1.63 jmc 3096: Produce requests in an invalid format for certain picky CAs.
3097: Very few CAs still require the use of this option.
1.1 jsing 3098: .It Fl batch
3099: Non-interactive mode.
3100: .It Fl config Ar file
1.63 jmc 3101: Specify an alternative configuration file.
1.1 jsing 3102: .It Fl days Ar n
1.63 jmc 3103: Specify the number of days to certify the certificate for.
3104: The default is 30 days.
3105: Used with the
1.1 jsing 3106: .Fl x509
1.63 jmc 3107: option.
1.1 jsing 3108: .It Fl extensions Ar section , Fl reqexts Ar section
1.63 jmc 3109: Specify alternative sections to include certificate
3110: extensions (with
3111: .Fl x509 )
3112: or certificate request extensions,
3113: allowing several different sections to be used in the same configuration file.
1.1 jsing 3114: .It Fl in Ar file
1.63 jmc 3115: The input file to read a request from,
3116: or standard input if not specified.
1.1 jsing 3117: A request is only read if the creation options
3118: .Fl new
3119: and
3120: .Fl newkey
3121: are not specified.
1.63 jmc 3122: .It Fl inform Cm der | pem
3123: The input format.
1.1 jsing 3124: .It Fl key Ar keyfile
1.63 jmc 3125: The file to read the private key from.
1.1 jsing 3126: It also accepts PKCS#8 format private keys for PEM format files.
1.63 jmc 3127: .It Fl keyform Cm der | pem
1.1 jsing 3128: The format of the private key file specified in the
3129: .Fl key
3130: argument.
1.63 jmc 3131: The default is PEM.
1.1 jsing 3132: .It Fl keyout Ar file
1.63 jmc 3133: The file to write the newly created private key to.
3134: If this option is not specified,
3135: the filename present in the configuration file is used.
1.4 sthen 3136: .It Fl md5 | sha1 | sha256
1.63 jmc 3137: The message digest to sign the request with.
1.1 jsing 3138: This overrides the digest algorithm specified in the configuration file.
3139: .Pp
3140: Some public key algorithms may override this choice.
3141: For instance, DSA signatures always use SHA1.
3142: .It Fl modulus
1.63 jmc 3143: Print the value of the modulus of the public key contained in the request.
1.1 jsing 3144: .It Fl nameopt Ar option , Fl reqopt Ar option
1.63 jmc 3145: Determine how the subject or issuer names are displayed.
1.1 jsing 3146: .Ar option
1.63 jmc 3147: can be a single option or multiple options separated by commas.
1.1 jsing 3148: Alternatively, these options may be used more than once to set multiple options.
3149: See the
3150: .Sx X509
3151: section below for details.
3152: .It Fl new
1.63 jmc 3153: Generate a new certificate request.
3154: The user is prompted for the relevant field values.
1.1 jsing 3155: The actual fields prompted for and their maximum and minimum sizes
3156: are specified in the configuration file and any requested extensions.
3157: .Pp
3158: If the
3159: .Fl key
3160: option is not used, it will generate a new RSA private
3161: key using information specified in the configuration file.
3162: .It Fl newhdr
1.63 jmc 3163: Add the word NEW to the PEM file header and footer lines
1.1 jsing 3164: on the outputed request.
1.63 jmc 3165: Some software and CAs need this.
1.1 jsing 3166: .It Fl newkey Ar arg
1.63 jmc 3167: Create a new certificate request and a new private key.
1.1 jsing 3168: The argument takes one of several forms.
1.63 jmc 3169: .Pp
3170: .No rsa : Ns Ar nbits
3171: generates an RSA key
1.1 jsing 3172: .Ar nbits
3173: in size.
3174: If
3175: .Ar nbits
1.63 jmc 3176: is omitted
3177: the default key size is used.
3178: .Pp
3179: .No dsa : Ns Ar file
3180: generates a DSA key using the parameters in
3181: .Ar file .
3182: .Pp
3183: .No param : Ns Ar file
3184: generates a key using the parameters or certificate in
3185: .Ar file .
3186: .Pp
3187: All other algorithms support the form
3188: .Ar algorithm : Ns Ar file ,
1.1 jsing 3189: where file may be an algorithm parameter file,
3190: created by the
3191: .Cm genpkey -genparam
1.14 jmc 3192: command or an X.509 certificate for a key with appropriate algorithm.
1.63 jmc 3193: .Ar file
3194: can be omitted,
3195: in which case any parameters can be specified via the
1.1 jsing 3196: .Fl pkeyopt
3197: option.
3198: .It Fl no-asn1-kludge
1.63 jmc 3199: Reverse the effect of
1.1 jsing 3200: .Fl asn1-kludge .
3201: .It Fl nodes
1.63 jmc 3202: Do not encrypt the private key.
1.1 jsing 3203: .It Fl noout
1.63 jmc 3204: Do not output the encoded version of the request.
1.1 jsing 3205: .It Fl out Ar file
1.63 jmc 3206: The output file to write to,
3207: or standard output if not spceified.
3208: .It Fl outform Cm der | pem
3209: The output format.
1.1 jsing 3210: .It Fl passin Ar arg
3211: The key password source.
3212: .It Fl passout Ar arg
3213: The output file password source.
3214: .It Fl pubkey
1.63 jmc 3215: Output the public key.
1.1 jsing 3216: .It Fl reqopt Ar option
3217: Customise the output format used with
3218: .Fl text .
3219: The
3220: .Ar option
3221: argument can be a single option or multiple options separated by commas.
1.63 jmc 3222: See also the discussion of
1.1 jsing 3223: .Fl certopt
1.63 jmc 3224: in the
1.1 jsing 3225: .Nm x509
3226: command.
3227: .It Fl set_serial Ar n
3228: Serial number to use when outputting a self-signed certificate.
3229: This may be specified as a decimal value or a hex value if preceded by
3230: .Sq 0x .
3231: It is possible to use negative serial numbers but this is not recommended.
3232: .It Fl subj Ar arg
1.63 jmc 3233: Replaces the subject field of an input request
3234: with the specified data and output the modified request.
3235: .Ar arg
3236: must be formatted as /type0=value0/type1=value1/type2=...;
1.1 jsing 3237: characters may be escaped by
3238: .Sq \e
1.63 jmc 3239: (backslash);
1.1 jsing 3240: no spaces are skipped.
3241: .It Fl subject
1.63 jmc 3242: Print the request subject (or certificate subject if
1.1 jsing 3243: .Fl x509
1.63 jmc 3244: is specified).
1.1 jsing 3245: .It Fl text
1.64 ! jmc 3246: Print the certificate request in plain text.
1.1 jsing 3247: .It Fl utf8
1.63 jmc 3248: Interpret field values as UTF8 strings, not ASCII.
1.1 jsing 3249: .It Fl verbose
3250: Print extra details about the operations being performed.
3251: .It Fl verify
1.63 jmc 3252: Verify the signature on the request.
1.1 jsing 3253: .It Fl x509
1.63 jmc 3254: Output a self-signed certificate instead of a certificate request.
3255: This is typically used to generate a test certificate or a self-signed root CA.
3256: The extensions added to the certificate (if any)
1.1 jsing 3257: are specified in the configuration file.
3258: Unless specified using the
3259: .Fl set_serial
1.63 jmc 3260: option, 0 is used for the serial number.
1.1 jsing 3261: .El
1.63 jmc 3262: .Pp
1.1 jsing 3263: The configuration options are specified in the
1.63 jmc 3264: .Qq req
1.1 jsing 3265: section of the configuration file.
3266: As with all configuration files, if no value is specified in the specific
1.63 jmc 3267: section then the initial unnamed or default section is searched too.
1.1 jsing 3268: .Pp
1.63 jmc 3269: The options available are as follows:
1.1 jsing 3270: .Bl -tag -width "XXXX"
1.63 jmc 3271: .It Cm attributes
3272: The section containing any request attributes: its format
1.1 jsing 3273: is the same as
1.63 jmc 3274: .Cm distinguished_name .
3275: Typically these may contain the challengePassword or unstructuredName types.
3276: They are currently ignored by the
3277: .Nm openssl
1.1 jsing 3278: request signing utilities, but some CAs might want them.
1.63 jmc 3279: .It Cm default_bits
3280: The default key size, in bits.
3281: The default is 2048.
1.1 jsing 3282: It is used if the
3283: .Fl new
1.63 jmc 3284: option is used and can be overridden by using the
1.1 jsing 3285: .Fl newkey
3286: option.
1.63 jmc 3287: .It Cm default_keyfile
3288: The default file to write a private key to,
3289: or standard output if not specified.
3290: It can be overridden by the
1.1 jsing 3291: .Fl keyout
3292: option.
1.63 jmc 3293: .It Cm default_md
3294: The digest algorithm to use.
1.1 jsing 3295: Possible values include
1.63 jmc 3296: .Cm md5 ,
3297: .Cm sha1
1.1 jsing 3298: and
1.63 jmc 3299: .Cm sha256
3300: (the default).
3301: It can be overridden on the command line.
3302: .It Cm distinguished_name
3303: The section containing the distinguished name fields to
1.1 jsing 3304: prompt for when generating a certificate or certificate request.
1.63 jmc 3305: The format is described below.
3306: .It Cm encrypt_key
3307: If set to
3308: .Qq no
3309: and a private key is generated, it is not encrypted.
3310: It is equivalent to the
1.1 jsing 3311: .Fl nodes
1.63 jmc 3312: option.
1.1 jsing 3313: For compatibility,
1.63 jmc 3314: .Cm encrypt_rsa_key
1.1 jsing 3315: is an equivalent option.
1.63 jmc 3316: .It Cm input_password | output_password
3317: The passwords for the input private key file (if present)
3318: and the output private key file (if one will be created).
1.1 jsing 3319: The command line options
3320: .Fl passin
3321: and
3322: .Fl passout
3323: override the configuration file values.
1.63 jmc 3324: .It Cm oid_file
3325: A file containing additional OBJECT IDENTIFIERS.
1.1 jsing 3326: Each line of the file should consist of the numerical form of the
3327: object identifier, followed by whitespace, then the short name followed
3328: by whitespace and finally the long name.
1.63 jmc 3329: .It Cm oid_section
3330: Specify a section in the configuration file containing extra
1.1 jsing 3331: object identifiers.
3332: Each line should consist of the short name of the
3333: object identifier followed by
3334: .Sq =
3335: and the numerical form.
3336: The short and long names are the same when this option is used.
1.63 jmc 3337: .It Cm prompt
3338: If set to
3339: .Qq no ,
3340: it disables prompting of certificate fields
1.1 jsing 3341: and just takes values from the config file directly.
3342: It also changes the expected format of the
1.63 jmc 3343: .Cm distinguished_name
1.1 jsing 3344: and
1.63 jmc 3345: .Cm attributes
1.1 jsing 3346: sections.
1.63 jmc 3347: .It Cm req_extensions
3348: The configuration file section containing a list of
1.1 jsing 3349: extensions to add to the certificate request.
3350: It can be overridden by the
3351: .Fl reqexts
1.63 jmc 3352: option.
3353: .It Cm string_mask
3354: Limit the string types for encoding certain fields.
1.1 jsing 3355: The following values may be used, limiting strings to the indicated types:
3356: .Bl -tag -width "MASK:number"
1.63 jmc 3357: .It Cm utf8only
3358: UTF8String.
1.1 jsing 3359: This is the default, as recommended by PKIX in RFC 2459.
1.63 jmc 3360: .It Cm default
3361: PrintableString, IA5String, T61String, BMPString, UTF8String.
3362: .It Cm pkix
3363: PrintableString, IA5String, BMPString, UTF8String.
3364: Inspired by the PKIX recommendation in RFC 2459 for certificates
3365: generated before 2004, but differs by also permitting IA5String.
3366: .It Cm nombstr
3367: PrintableString, IA5String, T61String, UniversalString.
3368: A workaround for some ancient software that had problems
3369: with the variable-sized BMPString and UTF8String types.
1.1 jsing 3370: .It Cm MASK : Ns Ar number
1.63 jmc 3371: An explicit bitmask of permitted types, where
1.1 jsing 3372: .Ar number
3373: is a C-style hex, decimal, or octal number that's a bit-wise OR of
3374: .Dv B_ASN1_*
3375: values from
3376: .In openssl/asn1.h .
3377: .El
1.63 jmc 3378: .It Cm utf8
3379: If set to
3380: .Qq yes ,
3381: field values are interpreted as UTF8 strings, not ASCII.
3382: .It Cm x509_extensions
3383: The configuration file section containing a list of
1.1 jsing 3384: extensions to add to a certificate generated when the
3385: .Fl x509
3386: switch is used.
3387: It can be overridden by the
3388: .Fl extensions
1.63 jmc 3389: option.
1.1 jsing 3390: .El
1.63 jmc 3391: .Pp
1.1 jsing 3392: There are two separate formats for the distinguished name and attribute
3393: sections.
3394: If the
3395: .Fl prompt
3396: option is set to
1.63 jmc 3397: .Qq no ,
3398: the sections consist of just field names and values,
3399: which allows external programs to generate a template file
3400: with all the field names and values and just pass it to
1.1 jsing 3401: .Nm req .
3402: .Pp
3403: Alternatively if the
3404: .Fl prompt
3405: option is absent or not set to
1.63 jmc 3406: .Qq no ,
1.1 jsing 3407: then the file contains field prompting information.
3408: It consists of lines of the form:
3409: .Bd -unfilled -offset indent
3410: fieldName="prompt"
3411: fieldName_default="default field value"
3412: fieldName_min= 2
3413: fieldName_max= 4
3414: .Ed
3415: .Pp
3416: .Qq fieldName
3417: is the field name being used, for example
1.63 jmc 3418: .Cm commonName
3419: (or CN).
1.1 jsing 3420: The
3421: .Qq prompt
3422: string is used to ask the user to enter the relevant details.
3423: If the user enters nothing, the default value is used;
3424: if no default value is present, the field is omitted.
3425: A field can still be omitted if a default value is present,
3426: if the user just enters the
3427: .Sq \&.
3428: character.
3429: .Pp
3430: The number of characters entered must be between the
1.63 jmc 3431: fieldName_min and fieldName_max limits:
1.1 jsing 3432: there may be additional restrictions based on the field being used
3433: (for example
1.63 jmc 3434: .Cm countryName
1.1 jsing 3435: can only ever be two characters long and must fit in a
1.63 jmc 3436: .Cm PrintableString ) .
1.1 jsing 3437: .Pp
3438: Some fields (such as
1.63 jmc 3439: .Cm organizationName )
1.1 jsing 3440: can be used more than once in a DN.
3441: This presents a problem because configuration files will
3442: not recognize the same name occurring twice.
3443: To avoid this problem, if the
1.63 jmc 3444: .Cm fieldName
1.1 jsing 3445: contains some characters followed by a full stop, they will be ignored.
3446: So, for example, a second
1.63 jmc 3447: .Cm organizationName
1.1 jsing 3448: can be input by calling it
3449: .Qq 1.organizationName .
3450: .Pp
3451: The actual permitted field names are any object identifier short or
3452: long names.
3453: These are compiled into
1.63 jmc 3454: .Nm openssl
1.1 jsing 3455: and include the usual values such as
1.63 jmc 3456: .Cm commonName , countryName , localityName , organizationName ,
3457: .Cm organizationUnitName , stateOrProvinceName .
1.1 jsing 3458: Additionally,
1.63 jmc 3459: .Cm emailAddress
1.1 jsing 3460: is included as well as
1.63 jmc 3461: .Cm name , surname , givenName , initials
1.1 jsing 3462: and
1.63 jmc 3463: .Cm dnQualifier .
1.1 jsing 3464: .Pp
3465: Additional object identifiers can be defined with the
1.63 jmc 3466: .Cm oid_file
1.1 jsing 3467: or
1.63 jmc 3468: .Cm oid_section
1.1 jsing 3469: options in the configuration file.
3470: Any additional fields will be treated as though they were a
1.63 jmc 3471: .Cm DirectoryString .
1.1 jsing 3472: .Pp
3473: The following messages are frequently asked about:
3474: .Bd -unfilled -offset indent
3475: Using configuration from /some/path/openssl.cnf
3476: Unable to load config info
1.63 jmc 3477: \&...
1.1 jsing 3478: unable to find 'distinguished_name' in config
3479: problems making Certificate Request
3480: .Ed
3481: .Pp
1.63 jmc 3482: In this case it can't find the configuration file!
1.1 jsing 3483: .Pp
1.63 jmc 3484: Another puzzling message is:
1.1 jsing 3485: .Bd -unfilled -offset indent
3486: Attributes:
3487: a0:00
3488: .Ed
3489: .Pp
3490: This is displayed when no attributes are present and the request includes
3491: the correct empty SET OF structure
1.63 jmc 3492: (the DER encoding of which is 0xa0 0x00).
3493: If the message is instead:
1.1 jsing 3494: .Pp
3495: .D1 Attributes:
3496: .Pp
3497: then the SET OF is missing and the encoding is technically invalid
1.63 jmc 3498: (but it is tolerated).
3499: See the description
1.1 jsing 3500: .Fl asn1-kludge
3501: for more information.
3502: .Sh RSA
3503: .nr nS 1
3504: .Nm "openssl rsa"
1.64 ! jmc 3505: .Op Fl aes128 | aes192 | aes256 | des | des3
1.1 jsing 3506: .Op Fl check
3507: .Op Fl in Ar file
1.64 ! jmc 3508: .Op Fl inform Cm der | net | pem
1.1 jsing 3509: .Op Fl modulus
3510: .Op Fl noout
3511: .Op Fl out Ar file
1.64 ! jmc 3512: .Op Fl outform Cm der | net | pem
1.1 jsing 3513: .Op Fl passin Ar arg
3514: .Op Fl passout Ar arg
3515: .Op Fl pubin
3516: .Op Fl pubout
3517: .Op Fl sgckey
3518: .Op Fl text
3519: .nr nS 0
3520: .Pp
3521: The
3522: .Nm rsa
3523: command processes RSA keys.
3524: They can be converted between various forms and their components printed out.
1.64 ! jmc 3525: .Nm rsa
! 3526: uses the traditional
1.1 jsing 3527: .Nm SSLeay
3528: compatible format for private key encryption:
3529: newer applications should use the more secure PKCS#8 format using the
3530: .Nm pkcs8
3531: utility.
3532: .Pp
3533: The options are as follows:
3534: .Bl -tag -width Ds
1.64 ! jmc 3535: .It Fl aes128 | aes192 | aes256 | des | des3
! 3536: Encrypt the private key with the AES, DES,
1.1 jsing 3537: or the triple DES ciphers, respectively, before outputting it.
3538: A pass phrase is prompted for.
3539: If none of these options are specified, the key is written in plain text.
3540: This means that using the
3541: .Nm rsa
3542: utility to read in an encrypted key with no encryption option can be used
3543: to remove the pass phrase from a key, or by setting the encryption options
3544: it can be used to add or change the pass phrase.
3545: These options can only be used with PEM format output files.
3546: .It Fl check
1.64 ! jmc 3547: Check the consistency of an RSA private key.
1.1 jsing 3548: .It Fl in Ar file
1.64 ! jmc 3549: The input file to read from,
! 3550: or standard input if not specified.
1.1 jsing 3551: If the key is encrypted, a pass phrase will be prompted for.
1.64 ! jmc 3552: .It Fl inform Cm der | net | pem
! 3553: The input format.
1.1 jsing 3554: .It Fl noout
1.64 ! jmc 3555: Do not output the encoded version of the key.
1.1 jsing 3556: .It Fl modulus
1.64 ! jmc 3557: Print the value of the modulus of the key.
1.1 jsing 3558: .It Fl out Ar file
1.64 ! jmc 3559: The output file to write to,
! 3560: or standard output if not specified.
! 3561: .It Fl outform Cm der | net | pem
! 3562: The output format.
1.1 jsing 3563: .It Fl passin Ar arg
3564: The key password source.
3565: .It Fl passout Ar arg
3566: The output file password source.
3567: .It Fl pubin
1.64 ! jmc 3568: Read in a public key,
! 3569: not a private key.
1.1 jsing 3570: .It Fl pubout
1.64 ! jmc 3571: Output a public key,
! 3572: not a private key.
! 3573: Automatically set if the input is a public key.
1.1 jsing 3574: .It Fl sgckey
1.64 ! jmc 3575: Use the modified NET algorithm used with some versions of Microsoft IIS
! 3576: and SGC keys.
1.1 jsing 3577: .It Fl text
1.64 ! jmc 3578: Print the public/private key components in plain text.
1.1 jsing 3579: .El
3580: .\"
3581: .\" RSAUTL
3582: .\"
3583: .Sh RSAUTL
3584: .nr nS 1
3585: .Nm "openssl rsautl"
3586: .Bk -words
3587: .Op Fl asn1parse
3588: .Op Fl certin
3589: .Op Fl decrypt
3590: .Op Fl encrypt
3591: .Op Fl hexdump
3592: .Op Fl in Ar file
3593: .Op Fl inkey Ar file
3594: .Op Fl keyform Ar DER | PEM
3595: .Op Fl oaep | pkcs | raw | ssl
3596: .Op Fl out Ar file
3597: .Op Fl pubin
3598: .Op Fl sign
3599: .Op Fl verify
3600: .Ek
3601: .nr nS 0
3602: .Pp
3603: The
3604: .Nm rsautl
3605: command can be used to sign, verify, encrypt and decrypt
3606: data using the RSA algorithm.
3607: .Pp
3608: The options are as follows:
3609: .Bl -tag -width Ds
3610: .It Fl asn1parse
3611: Asn1parse the output data; this is useful when combined with the
3612: .Fl verify
3613: option.
3614: .It Fl certin
3615: The input is a certificate containing an RSA public key.
3616: .It Fl decrypt
3617: Decrypt the input data using an RSA private key.
3618: .It Fl encrypt
3619: Encrypt the input data using an RSA public key.
3620: .It Fl hexdump
3621: Hex dump the output data.
3622: .It Fl in Ar file
3623: This specifies the input
3624: .Ar file
3625: to read data from, or standard input
3626: if this option is not specified.
3627: .It Fl inkey Ar file
3628: The input key file, by default it should be an RSA private key.
3629: .It Fl keyform Ar DER | PEM
3630: Private ket format.
3631: Default is
3632: .Ar PEM .
3633: .It Fl oaep | pkcs | raw | ssl
3634: The padding to use:
3635: PKCS#1 OAEP, PKCS#1 v1.5
3636: .Pq the default ,
3637: or no padding, respectively.
3638: For signatures, only
3639: .Fl pkcs
3640: and
3641: .Fl raw
3642: can be used.
3643: .It Fl out Ar file
3644: Specifies the output
3645: .Ar file
3646: to write to, or standard output by
3647: default.
3648: .It Fl pubin
3649: The input file is an RSA public key.
3650: .It Fl sign
3651: Sign the input data and output the signed result.
3652: This requires an RSA private key.
3653: .It Fl verify
3654: Verify the input data and output the recovered data.
3655: .El
3656: .Sh RSAUTL NOTES
3657: .Nm rsautl ,
3658: because it uses the RSA algorithm directly, can only be
3659: used to sign or verify small pieces of data.
3660: .Sh RSAUTL EXAMPLES
3661: Sign some data using a private key:
3662: .Pp
3663: .Dl "$ openssl rsautl -sign -in file -inkey key.pem -out sig"
3664: .Pp
3665: Recover the signed data:
3666: .Pp
3667: .Dl $ openssl rsautl -verify -in sig -inkey key.pem
3668: .Pp
3669: Examine the raw signed data:
3670: .Pp
3671: .Li "\ \&$ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump"
3672: .Bd -unfilled
3673: \& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3674: \& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3675: \& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3676: \& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3677: \& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3678: \& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3679: \& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
3680: \& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world
3681: .Ed
3682: .Pp
3683: The PKCS#1 block formatting is evident from this.
3684: If this was done using encrypt and decrypt, the block would have been of type 2
3685: .Pq the second byte
3686: and random padding data visible instead of the 0xff bytes.
3687: .Pp
3688: It is possible to analyse the signature of certificates using this
3689: utility in conjunction with
3690: .Nm asn1parse .
3691: Consider the self-signed example in
3692: .Pa certs/pca-cert.pem :
3693: running
3694: .Nm asn1parse
3695: as follows yields:
3696: .Pp
3697: .Li "\ \&$ openssl asn1parse -in pca-cert.pem"
3698: .Bd -unfilled
3699: \& 0:d=0 hl=4 l= 742 cons: SEQUENCE
3700: \& 4:d=1 hl=4 l= 591 cons: SEQUENCE
3701: \& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
3702: \& 10:d=3 hl=2 l= 1 prim: INTEGER :02
3703: \& 13:d=2 hl=2 l= 1 prim: INTEGER :00
3704: \& 16:d=2 hl=2 l= 13 cons: SEQUENCE
3705: \& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
3706: \& 29:d=3 hl=2 l= 0 prim: NULL
3707: \& 31:d=2 hl=2 l= 92 cons: SEQUENCE
3708: \& 33:d=3 hl=2 l= 11 cons: SET
3709: \& 35:d=4 hl=2 l= 9 cons: SEQUENCE
3710: \& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
3711: \& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
3712: \& ....
3713: \& 599:d=1 hl=2 l= 13 cons: SEQUENCE
3714: \& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
3715: \& 612:d=2 hl=2 l= 0 prim: NULL
3716: \& 614:d=1 hl=3 l= 129 prim: BIT STRING
3717: .Ed
3718: .Pp
3719: The final BIT STRING contains the actual signature.
3720: It can be extracted with:
3721: .Pp
3722: .Dl "$ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614"
3723: .Pp
3724: The certificate public key can be extracted with:
3725: .Pp
3726: .Dl $ openssl x509 -in test/testx509.pem -pubkey -noout \*(Gtpubkey.pem
3727: .Pp
3728: The signature can be analysed with:
3729: .Pp
3730: .Li "\ \&$ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin"
3731: .Bd -unfilled
3732: \& 0:d=0 hl=2 l= 32 cons: SEQUENCE
3733: \& 2:d=1 hl=2 l= 12 cons: SEQUENCE
3734: \& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
3735: \& 14:d=2 hl=2 l= 0 prim: NULL
3736: \& 16:d=1 hl=2 l= 16 prim: OCTET STRING
3737: \& 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
3738: .Ed
3739: .Pp
3740: This is the parsed version of an ASN1
3741: .Em DigestInfo
3742: structure.
3743: It can be seen that the digest used was MD5.
3744: The actual part of the certificate that was signed can be extracted with:
3745: .Pp
3746: .Dl "$ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4"
3747: .Pp
3748: and its digest computed with:
3749: .Pp
3750: .Dl $ openssl md5 -c tbs
3751: .D1 MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
3752: .Pp
3753: which it can be seen agrees with the recovered value above.
3754: .\"
3755: .\" S_CLIENT
3756: .\"
3757: .Sh S_CLIENT
3758: .nr nS 1
3759: .Nm "openssl s_client"
3760: .Bk -words
3761: .Op Fl 4 | 6
3762: .Op Fl bugs
3763: .Op Fl CAfile Ar file
3764: .Op Fl CApath Ar directory
3765: .Op Fl cert Ar file
3766: .Op Fl check_ss_sig
3767: .Op Fl cipher Ar cipherlist
3768: .Oo
3769: .Fl connect Ar host : Ns Ar port |
3770: .Ar host Ns / Ns Ar port
3771: .Oc
3772: .Op Fl crl_check
3773: .Op Fl crl_check_all
3774: .Op Fl crlf
3775: .Op Fl debug
3776: .Op Fl extended_crl
3777: .Op Fl ign_eof
3778: .Op Fl ignore_critical
3779: .Op Fl issuer_checks
3780: .Op Fl key Ar keyfile
3781: .Op Fl msg
3782: .Op Fl nbio
3783: .Op Fl nbio_test
3784: .Op Fl no_ticket
3785: .Op Fl no_tls1
1.6 guenther 3786: .Op Fl no_tls1_1
3787: .Op Fl no_tls1_2
1.1 jsing 3788: .Op Fl pause
3789: .Op Fl policy_check
3790: .Op Fl prexit
1.11 bluhm 3791: .Op Fl proxy Ar host : Ns Ar port
1.1 jsing 3792: .Op Fl psk Ar key
3793: .Op Fl psk_identity Ar identity
3794: .Op Fl quiet
3795: .Op Fl reconnect
1.5 jsing 3796: .Op Fl servername Ar name
1.1 jsing 3797: .Op Fl showcerts
3798: .Op Fl starttls Ar protocol
3799: .Op Fl state
3800: .Op Fl tls1
1.31 jmc 3801: .Op Fl tls1_1
3802: .Op Fl tls1_2
1.1 jsing 3803: .Op Fl tlsextdebug
3804: .Op Fl verify Ar depth
3805: .Op Fl x509_strict
1.19 landry 3806: .Op Fl xmpphost Ar host
1.1 jsing 3807: .Ek
3808: .nr nS 0
3809: .Pp
3810: The
3811: .Nm s_client
3812: command implements a generic SSL/TLS client which connects
3813: to a remote host using SSL/TLS.
3814: It is a
3815: .Em very
3816: useful diagnostic tool for SSL servers.
3817: .Pp
3818: The options are as follows:
3819: .Bl -tag -width Ds
3820: .It Fl 4
3821: Specify that
3822: .Nm s_client
3823: should attempt connections using IPv4 only.
3824: .It Fl 6
3825: Specify that
3826: .Nm s_client
3827: should attempt connections using IPv6 only.
3828: .It Fl bugs
3829: There are several known bugs in SSL and TLS implementations.
3830: Adding this option enables various workarounds.
3831: .It Fl CAfile Ar file
3832: A
3833: .Ar file
3834: containing trusted certificates to use during server authentication
3835: and to use when attempting to build the client certificate chain.
3836: .It Fl CApath Ar directory
3837: The
3838: .Ar directory
3839: to use for server certificate verification.
3840: This directory must be in
3841: .Qq hash format ;
3842: see
3843: .Fl verify
3844: for more information.
3845: These are also used when building the client certificate chain.
3846: .It Fl cert Ar file
3847: The certificate to use, if one is requested by the server.
3848: The default is not to use a certificate.
3849: .It Xo
3850: .Fl check_ss_sig ,
3851: .Fl crl_check ,
3852: .Fl crl_check_all ,
3853: .Fl extended_crl ,
3854: .Fl ignore_critical ,
3855: .Fl issuer_checks ,
3856: .Fl policy_check ,
3857: .Fl x509_strict
3858: .Xc
3859: Set various certificate chain validation options.
3860: See the
3861: .Nm VERIFY
3862: command for details.
3863: .It Fl cipher Ar cipherlist
3864: This allows the cipher list sent by the client to be modified.
3865: Although the server determines which cipher suite is used, it should take
3866: the first supported cipher in the list sent by the client.
3867: See the
3868: .Sx CIPHERS
3869: section above for more information.
3870: .It Xo
3871: .Fl connect Ar host : Ns Ar port |
3872: .Ar host Ns / Ns Ar port
3873: .Xc
3874: This specifies the
3875: .Ar host
3876: and optional
3877: .Ar port
3878: to connect to.
3879: If not specified, an attempt is made to connect to the local host
3880: on port 4433.
3881: Alternatively, the host and port pair may be separated using a forward-slash
3882: character.
3883: This form is useful for numeric IPv6 addresses.
3884: .It Fl crlf
3885: This option translates a line feed from the terminal into CR+LF as required
3886: by some servers.
3887: .It Fl debug
3888: Print extensive debugging information including a hex dump of all traffic.
3889: .It Fl ign_eof
3890: Inhibit shutting down the connection when end of file is reached in the
3891: input.
3892: .It Fl key Ar keyfile
3893: The private key to use.
3894: If not specified, the certificate file will be used.
3895: .It Fl msg
3896: Show all protocol messages with hex dump.
3897: .It Fl nbio
3898: Turns on non-blocking I/O.
3899: .It Fl nbio_test
3900: Tests non-blocking I/O.
1.31 jmc 3901: .It Fl no_tls1 | no_tls1_1 | no_tls1_2
1.1 jsing 3902: By default, the initial handshake uses a method which should be compatible
1.31 jmc 3903: with servers supporting any version of TLS.
3904: These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
1.1 jsing 3905: .Pp
3906: Unfortunately there are a lot of ancient and broken servers in use which
3907: cannot handle this technique and will fail to connect.
3908: .It Fl no_ticket
3909: Disable RFC 4507 session ticket support.
3910: .It Fl pause
3911: Pauses 1 second between each read and write call.
3912: .It Fl prexit
3913: Print session information when the program exits.
3914: This will always attempt
3915: to print out information even if the connection fails.
3916: Normally, information will only be printed out once if the connection succeeds.
3917: This option is useful because the cipher in use may be renegotiated
3918: or the connection may fail because a client certificate is required or is
3919: requested only after an attempt is made to access a certain URL.
3920: .Sy Note :
3921: the output produced by this option is not always accurate because a
3922: connection might never have been established.
1.11 bluhm 3923: .It Fl proxy Ar host : Ns Ar port
3924: Use the HTTP proxy at
3925: .Ar host
3926: and
3927: .Ar port .
3928: The connection to the proxy is done in cleartext and the
3929: .Fl connect
3930: argument is given to the proxy.
3931: If not specified, localhost is used as final destination.
3932: After that, switch the connection through the proxy to the destination
3933: to TLS.
1.1 jsing 3934: .It Fl psk Ar key
3935: Use the PSK key
3936: .Ar key
3937: when using a PSK cipher suite.
3938: The key is given as a hexadecimal number without the leading 0x,
3939: for example -psk 1a2b3c4d.
3940: .It Fl psk_identity Ar identity
3941: Use the PSK identity
3942: .Ar identity
3943: when using a PSK cipher suite.
3944: .It Fl quiet
3945: Inhibit printing of session and certificate information.
3946: This implicitly turns on
3947: .Fl ign_eof
3948: as well.
3949: .It Fl reconnect
3950: Reconnects to the same server 5 times using the same session ID; this can
3951: be used as a test that session caching is working.
1.5 jsing 3952: .It Fl servername Ar name
3953: Include the TLS Server Name Indication (SNI) extension in the ClientHello
3954: message, using the specified server
3955: .Ar name .
1.1 jsing 3956: .It Fl showcerts
3957: Display the whole server certificate chain: normally only the server
3958: certificate itself is displayed.
3959: .It Fl starttls Ar protocol
3960: Send the protocol-specific message(s) to switch to TLS for communication.
3961: .Ar protocol
3962: is a keyword for the intended protocol.
3963: Currently, the supported keywords are
3964: .Qq ftp ,
3965: .Qq imap ,
3966: .Qq smtp ,
3967: .Qq pop3 ,
3968: and
3969: .Qq xmpp .
3970: .It Fl state
3971: Prints out the SSL session states.
1.31 jmc 3972: .It Fl tls1 | tls1_1 | tls1_2
3973: Permit only TLS1.0, 1.1, or 1.2, respectively.
1.1 jsing 3974: .It Fl tlsextdebug
3975: Print out a hex dump of any TLS extensions received from the server.
3976: .It Fl verify Ar depth
3977: The verify
3978: .Ar depth
3979: to use.
3980: This specifies the maximum length of the
3981: server certificate chain and turns on server certificate verification.
3982: Currently the verify operation continues after errors so all the problems
3983: with a certificate chain can be seen.
3984: As a side effect the connection will never fail due to a server
3985: certificate verify failure.
1.19 landry 3986: .It Fl xmpphost Ar hostname
3987: This option, when used with
3988: .Fl starttls Ar xmpp ,
3989: specifies the host for the "to" attribute of the stream element.
3990: If this option is not specified then the host specified with
3991: .Fl connect
3992: will be used.
1.1 jsing 3993: .El
3994: .Sh S_CLIENT CONNECTED COMMANDS
3995: If a connection is established with an SSL server, any data received
3996: from the server is displayed and any key presses will be sent to the
3997: server.
3998: When used interactively (which means neither
3999: .Fl quiet
4000: nor
4001: .Fl ign_eof
4002: have been given), the session will be renegotiated if the line begins with an
4003: .Em R ;
4004: if the line begins with a
4005: .Em Q
4006: or if end of file is reached, the connection will be closed down.
4007: .Sh S_CLIENT NOTES
4008: .Nm s_client
4009: can be used to debug SSL servers.
4010: To connect to an SSL HTTP server the command:
4011: .Pp
4012: .Dl $ openssl s_client -connect servername:443
4013: .Pp
4014: would typically be used
4015: .Pq HTTPS uses port 443 .
4016: If the connection succeeds, an HTTP command can be given such as
4017: .Qq GET
4018: to retrieve a web page.
4019: .Pp
4020: If the handshake fails, there are several possible causes; if it is
4021: nothing obvious like no client certificate, then the
1.31 jmc 4022: .Fl bugs , tls1 , tls1_1, tls1_2 , no_tls1 , no_tls1_1 ,
1.1 jsing 4023: and
1.6 guenther 4024: .Fl no_tls1_2
1.1 jsing 4025: options can be tried in case it is a buggy server.
4026: .Pp
4027: A frequent problem when attempting to get client certificates working
4028: is that a web client complains it has no certificates or gives an empty
4029: list to choose from.
4030: This is normally because the server is not sending the client's certificate
4031: authority in its
4032: .Qq acceptable CA list
4033: when it requests a certificate.
4034: By using
4035: .Nm s_client
4036: the CA list can be viewed and checked.
4037: However some servers only request client authentication
4038: after a specific URL is requested.
4039: To obtain the list in this case it is necessary to use the
4040: .Fl prexit
4041: option and send an HTTP request for an appropriate page.
4042: .Pp
4043: If a certificate is specified on the command line using the
4044: .Fl cert
4045: option, it will not be used unless the server specifically requests
4046: a client certificate.
4047: Therefore merely including a client certificate
4048: on the command line is no guarantee that the certificate works.
4049: .Pp
4050: If there are problems verifying a server certificate, the
4051: .Fl showcerts
4052: option can be used to show the whole chain.
4053: .Pp
4054: Compression methods are only supported for
4055: .Fl tls1 .
4056: .Sh S_CLIENT BUGS
4057: Because this program has a lot of options and also because some of
4058: the techniques used are rather old, the C source of
4059: .Nm s_client
4060: is rather hard to read and not a model of how things should be done.
4061: A typical SSL client program would be much simpler.
4062: .Pp
4063: The
4064: .Fl verify
4065: option should really exit if the server verification fails.
4066: .Pp
4067: The
4068: .Fl prexit
4069: option is a bit of a hack.
4070: We should really report information whenever a session is renegotiated.
4071: .\"
4072: .\" S_SERVER
4073: .\"
4074: .Sh S_SERVER
4075: .nr nS 1
4076: .Nm "openssl s_server"
4077: .Bk -words
4078: .Op Fl accept Ar port
4079: .Op Fl bugs
4080: .Op Fl CAfile Ar file
4081: .Op Fl CApath Ar directory
4082: .Op Fl cert Ar file
4083: .Op Fl cipher Ar cipherlist
4084: .Op Fl context Ar id
4085: .Op Fl crl_check
4086: .Op Fl crl_check_all
4087: .Op Fl crlf
4088: .Op Fl dcert Ar file
4089: .Op Fl debug
4090: .Op Fl dhparam Ar file
4091: .Op Fl dkey Ar file
4092: .Op Fl hack
4093: .Op Fl HTTP
4094: .Op Fl id_prefix Ar arg
4095: .Op Fl key Ar keyfile
4096: .Op Fl msg
4097: .Op Fl nbio
4098: .Op Fl nbio_test
4099: .Op Fl no_dhe
4100: .Op Fl no_tls1
1.6 guenther 4101: .Op Fl no_tls1_1
4102: .Op Fl no_tls1_2
1.1 jsing 4103: .Op Fl no_tmp_rsa
4104: .Op Fl nocert
4105: .Op Fl psk Ar key
4106: .Op Fl psk_hint Ar hint
4107: .Op Fl quiet
4108: .Op Fl serverpref
4109: .Op Fl state
4110: .Op Fl tls1
1.31 jmc 4111: .Op Fl tls1_1
4112: .Op Fl tls1_2
1.1 jsing 4113: .Op Fl Verify Ar depth
4114: .Op Fl verify Ar depth
4115: .Op Fl WWW
4116: .Op Fl www
4117: .Ek
4118: .nr nS 0
4119: .Pp
4120: The
4121: .Nm s_server
4122: command implements a generic SSL/TLS server which listens
4123: for connections on a given port using SSL/TLS.
4124: .Pp
4125: The options are as follows:
4126: .Bl -tag -width Ds
4127: .It Fl accept Ar port
4128: The TCP
4129: .Ar port
4130: to listen on for connections.
4131: If not specified, 4433 is used.
4132: .It Fl bugs
4133: There are several known bugs in SSL and TLS implementations.
4134: Adding this option enables various workarounds.
4135: .It Fl CAfile Ar file
4136: A file containing trusted certificates to use during client authentication
4137: and to use when attempting to build the server certificate chain.
4138: The list is also used in the list of acceptable client CAs passed to the
4139: client when a certificate is requested.
4140: .It Fl CApath Ar directory
4141: The
4142: .Ar directory
4143: to use for client certificate verification.
4144: This directory must be in
4145: .Qq hash format ;
4146: see
4147: .Fl verify
4148: for more information.
4149: These are also used when building the server certificate chain.
4150: .It Fl cert Ar file
4151: The certificate to use; most server's cipher suites require the use of a
4152: certificate and some require a certificate with a certain public key type:
4153: for example the DSS cipher suites require a certificate containing a DSS
4154: .Pq DSA
4155: key.
4156: If not specified, the file
4157: .Pa server.pem
4158: will be used.
4159: .It Fl cipher Ar cipherlist
4160: This allows the cipher list used by the server to be modified.
4161: When the client sends a list of supported ciphers, the first client cipher
4162: also included in the server list is used.
4163: Because the client specifies the preference order, the order of the server
4164: cipherlist is irrelevant.
4165: See the
4166: .Sx CIPHERS
4167: section for more information.
4168: .It Fl context Ar id
4169: Sets the SSL context ID.
4170: It can be given any string value.
4171: If this option is not present, a default value will be used.
4172: .It Fl crl_check , crl_check_all
4173: Check the peer certificate has not been revoked by its CA.
4174: The CRLs are appended to the certificate file.
4175: With the
4176: .Fl crl_check_all
4177: option, all CRLs of all CAs in the chain are checked.
4178: .It Fl crlf
4179: This option translates a line feed from the terminal into CR+LF.
4180: .It Fl dcert Ar file , Fl dkey Ar file
4181: Specify an additional certificate and private key; these behave in the
4182: same manner as the
4183: .Fl cert
4184: and
4185: .Fl key
4186: options except there is no default if they are not specified
4187: .Pq no additional certificate or key is used .
4188: As noted above some cipher suites require a certificate containing a key of
4189: a certain type.
4190: Some cipher suites need a certificate carrying an RSA key
4191: and some a DSS
4192: .Pq DSA
4193: key.
4194: By using RSA and DSS certificates and keys,
4195: a server can support clients which only support RSA or DSS cipher suites
4196: by using an appropriate certificate.
4197: .It Fl debug
4198: Print extensive debugging information including a hex dump of all traffic.
4199: .It Fl dhparam Ar file
4200: The DH parameter file to use.
4201: The ephemeral DH cipher suites generate keys
4202: using a set of DH parameters.
4203: If not specified, an attempt is made to
4204: load the parameters from the server certificate file.
4205: If this fails, a static set of parameters hard coded into the
4206: .Nm s_server
4207: program will be used.
4208: .It Fl hack
4209: This option enables a further workaround for some early Netscape
4210: SSL code
4211: .Pq \&? .
4212: .It Fl HTTP
4213: Emulates a simple web server.
4214: Pages will be resolved relative to the current directory;
4215: for example if the URL
4216: .Pa https://myhost/page.html
4217: is requested, the file
4218: .Pa ./page.html
4219: will be loaded.
4220: The files loaded are assumed to contain a complete and correct HTTP
4221: response (lines that are part of the HTTP response line and headers
4222: must end with CRLF).
4223: .It Fl id_prefix Ar arg
4224: Generate SSL/TLS session IDs prefixed by
4225: .Ar arg .
4226: This is mostly useful for testing any SSL/TLS code
4227: .Pq e.g. proxies
4228: that wish to deal with multiple servers, when each of which might be
4229: generating a unique range of session IDs
4230: .Pq e.g. with a certain prefix .
4231: .It Fl key Ar keyfile
4232: The private key to use.
4233: If not specified, the certificate file will be used.
4234: .It Fl msg
4235: Show all protocol messages with hex dump.
4236: .It Fl nbio
4237: Turns on non-blocking I/O.
4238: .It Fl nbio_test
4239: Tests non-blocking I/O.
4240: .It Fl no_dhe
4241: If this option is set, no DH parameters will be loaded, effectively
4242: disabling the ephemeral DH cipher suites.
1.31 jmc 4243: .It Fl no_tls1 | no_tls1_1 | no_tls1_2
1.1 jsing 4244: By default, the initial handshake uses a method which should be compatible
1.32 jmc 4245: with clients supporting any version of TLS.
1.31 jmc 4246: These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
1.1 jsing 4247: .It Fl no_tmp_rsa
4248: Certain export cipher suites sometimes use a temporary RSA key; this option
4249: disables temporary RSA key generation.
4250: .It Fl nocert
4251: If this option is set, no certificate is used.
4252: This restricts the cipher suites available to the anonymous ones
4253: .Pq currently just anonymous DH .
4254: .It Fl psk Ar key
4255: Use the PSK key
4256: .Ar key
4257: when using a PSK cipher suite.
4258: The key is given as a hexadecimal number without the leading 0x,
4259: for example -psk 1a2b3c4d.
4260: .It Fl psk_hint Ar hint
4261: Use the PSK identity hint
4262: .Ar hint
4263: when using a PSK cipher suite.
4264: .It Fl quiet
4265: Inhibit printing of session and certificate information.
4266: .It Fl serverpref
4267: Use server's cipher preferences.
4268: .It Fl state
4269: Prints out the SSL session states.
1.31 jmc 4270: .It Fl tls1 | tls1_1 | tls1_2
4271: Permit only TLS1.0, 1.1, or 1.2, respectively.
1.1 jsing 4272: .It Fl WWW
4273: Emulates a simple web server.
4274: Pages will be resolved relative to the current directory;
4275: for example if the URL
4276: .Pa https://myhost/page.html
4277: is requested, the file
4278: .Pa ./page.html
4279: will be loaded.
4280: .It Fl www
4281: Sends a status message back to the client when it connects.
4282: This includes lots of information about the ciphers used and various
4283: session parameters.
4284: The output is in HTML format so this option will normally be used with a
4285: web browser.
4286: .It Fl Verify Ar depth , Fl verify Ar depth
4287: The verify
4288: .Ar depth
4289: to use.
4290: This specifies the maximum length of the client certificate chain
4291: and makes the server request a certificate from the client.
4292: With the
4293: .Fl Verify
4294: option, the client must supply a certificate or an error occurs.
4295: With the
4296: .Fl verify
4297: option, a certificate is requested but the client does not have to send one.
4298: .El
4299: .Sh S_SERVER CONNECTED COMMANDS
4300: If a connection request is established with an SSL client and neither the
4301: .Fl www
4302: nor the
4303: .Fl WWW
4304: option has been used, then normally any data received
4305: from the client is displayed and any key presses will be sent to the client.
4306: .Pp
4307: Certain single letter commands are also recognized which perform special
4308: operations: these are listed below.
4309: .Bl -tag -width "XXXX"
4310: .It Ar P
4311: Send some plain text down the underlying TCP connection: this should
4312: cause the client to disconnect due to a protocol violation.
4313: .It Ar Q
4314: End the current SSL connection and exit.
4315: .It Ar q
4316: End the current SSL connection, but still accept new connections.
4317: .It Ar R
4318: Renegotiate the SSL session and request a client certificate.
4319: .It Ar r
4320: Renegotiate the SSL session.
4321: .It Ar S
4322: Print out some session cache status information.
4323: .El
4324: .Sh S_SERVER NOTES
4325: .Nm s_server
4326: can be used to debug SSL clients.
4327: To accept connections from a web browser the command:
4328: .Pp
4329: .Dl $ openssl s_server -accept 443 -www
4330: .Pp
4331: can be used, for example.
4332: .Pp
4333: Most web browsers
4334: .Pq in particular Netscape and MSIE
4335: only support RSA cipher suites, so they cannot connect to servers
4336: which don't use a certificate carrying an RSA key or a version of
4337: .Nm OpenSSL
4338: with RSA disabled.
4339: .Pp
4340: Although specifying an empty list of CAs when requesting a client certificate
4341: is strictly speaking a protocol violation, some SSL
4342: clients interpret this to mean any CA is acceptable.
4343: This is useful for debugging purposes.
4344: .Pp
4345: The session parameters can printed out using the
4346: .Nm sess_id
4347: program.
4348: .Sh S_SERVER BUGS
4349: Because this program has a lot of options and also because some of
4350: the techniques used are rather old, the C source of
4351: .Nm s_server
4352: is rather hard to read and not a model of how things should be done.
4353: A typical SSL server program would be much simpler.
4354: .Pp
4355: The output of common ciphers is wrong: it just gives the list of ciphers that
4356: .Nm OpenSSL
4357: recognizes and the client supports.
4358: .Pp
4359: There should be a way for the
4360: .Nm s_server
4361: program to print out details of any
4362: unknown cipher suites a client says it supports.
4363: .\"
4364: .\" S_TIME
4365: .\"
4366: .Sh S_TIME
4367: .nr nS 1
4368: .Nm "openssl s_time"
4369: .Bk -words
4370: .Op Fl bugs
4371: .Op Fl CAfile Ar file
4372: .Op Fl CApath Ar directory
4373: .Op Fl cert Ar file
4374: .Op Fl cipher Ar cipherlist
4375: .Op Fl connect Ar host : Ns Ar port
4376: .Op Fl key Ar keyfile
4377: .Op Fl nbio
4378: .Op Fl new
1.20 lteo 4379: .Op Fl no_shutdown
1.1 jsing 4380: .Op Fl reuse
4381: .Op Fl time Ar seconds
4382: .Op Fl verify Ar depth
4383: .Op Fl www Ar page
4384: .Ek
4385: .nr nS 0
4386: .Pp
4387: The
4388: .Nm s_client
4389: command implements a generic SSL/TLS client which connects to a
4390: remote host using SSL/TLS.
4391: It can request a page from the server and includes
4392: the time to transfer the payload data in its timing measurements.
4393: It measures the number of connections within a given timeframe,
4394: the amount of data transferred
4395: .Pq if any ,
4396: and calculates the average time spent for one connection.
4397: .Pp
4398: The options are as follows:
4399: .Bl -tag -width Ds
4400: .It Fl bugs
4401: There are several known bugs in SSL and TLS implementations.
4402: Adding this option enables various workarounds.
4403: .It Fl CAfile Ar file
4404: A file containing trusted certificates to use during server authentication
4405: and to use when attempting to build the client certificate chain.
4406: .It Fl CApath Ar directory
4407: The directory to use for server certificate verification.
4408: This directory must be in
4409: .Qq hash format ;
4410: see
4411: .Nm verify
4412: for more information.
4413: These are also used when building the client certificate chain.
4414: .It Fl cert Ar file
4415: The certificate to use, if one is requested by the server.
4416: The default is not to use a certificate.
4417: The file is in PEM format.
4418: .It Fl cipher Ar cipherlist
4419: This allows the cipher list sent by the client to be modified.
4420: Although the server determines which cipher suite is used,
4421: it should take the first supported cipher in the list sent by the client.
4422: See the
4423: .Nm ciphers
4424: command for more information.
4425: .It Fl connect Ar host : Ns Ar port
4426: This specifies the host and optional port to connect to.
4427: .It Fl key Ar keyfile
4428: The private key to use.
4429: If not specified, the certificate file will be used.
4430: The file is in PEM format.
4431: .It Fl nbio
4432: Turns on non-blocking I/O.
4433: .It Fl new
4434: Performs the timing test using a new session ID for each connection.
4435: If neither
4436: .Fl new
4437: nor
4438: .Fl reuse
4439: are specified,
4440: they are both on by default and executed in sequence.
1.20 lteo 4441: .It Fl no_shutdown
1.21 jmc 4442: Shut down the connection without sending a
1.20 lteo 4443: .Dq close notify
4444: shutdown alert to the server.
1.1 jsing 4445: .It Fl reuse
4446: Performs the timing test using the same session ID;
4447: this can be used as a test that session caching is working.
4448: If neither
4449: .Fl new
4450: nor
4451: .Fl reuse
4452: are specified,
4453: they are both on by default and executed in sequence.
4454: .It Fl time Ar seconds
4455: Specifies how long
4456: .Pq in seconds
4457: .Nm s_time
4458: should establish connections and
4459: optionally transfer payload data from a server.
4460: The default is 30 seconds.
4461: Server and client performance and the link speed
4462: determine how many connections
4463: .Nm s_time
4464: can establish.
4465: .It Fl verify Ar depth
4466: The verify depth to use.
4467: This specifies the maximum length of the server certificate chain
4468: and turns on server certificate verification.
4469: Currently the verify operation continues after errors, so all the problems
4470: with a certificate chain can be seen.
4471: As a side effect,
4472: the connection will never fail due to a server certificate verify failure.
4473: .It Fl www Ar page
4474: This specifies the page to GET from the server.
4475: A value of
4476: .Sq /
4477: gets the index.htm[l] page.
4478: If this parameter is not specified,
4479: .Nm s_time
4480: will only perform the handshake to establish SSL connections
4481: but not transfer any payload data.
4482: .El
4483: .Sh S_TIME NOTES
4484: .Nm s_client
4485: can be used to measure the performance of an SSL connection.
4486: To connect to an SSL HTTP server and get the default page the command
4487: .Bd -literal -offset indent
4488: $ openssl s_time -connect servername:443 -www / -CApath yourdir \e
1.18 jmc 4489: -CAfile yourfile.pem -cipher commoncipher
1.1 jsing 4490: .Ed
4491: .Pp
4492: would typically be used
4493: .Pq HTTPS uses port 443 .
4494: .Dq commoncipher
4495: is a cipher to which both client and server can agree;
4496: see the
4497: .Nm ciphers
4498: command for details.
4499: .Pp
4500: If the handshake fails, there are several possible causes:
4501: if it is nothing obvious like no client certificate, the
4502: .Fl bugs
1.18 jmc 4503: option can be tried in case it is a buggy server.
1.1 jsing 4504: .Pp
4505: A frequent problem when attempting to get client certificates working
4506: is that a web client complains it has no certificates or gives an empty
4507: list to choose from.
4508: This is normally because the server is not sending
4509: the clients certificate authority in its
4510: .Qq acceptable CA list
4511: when it requests a certificate.
4512: By using
4513: .Nm s_client ,
4514: the CA list can be viewed and checked.
4515: However some servers only request client authentication
4516: after a specific URL is requested.
4517: To obtain the list in this case, it is necessary to use the
4518: .Fl prexit
4519: option of
4520: .Nm s_client
4521: and send an HTTP request for an appropriate page.
4522: .Pp
4523: If a certificate is specified on the command line using the
4524: .Fl cert
4525: option,
4526: it will not be used unless the server specifically requests
4527: a client certificate.
4528: Therefore merely including a client certificate
4529: on the command line is no guarantee that the certificate works.
4530: .Sh S_TIME BUGS
4531: Because this program does not have all the options of the
4532: .Nm s_client
4533: program to turn protocols on and off,
4534: you may not be able to measure the performance
4535: of all protocols with all servers.
4536: .Pp
4537: The
4538: .Fl verify
4539: option should really exit if the server verification fails.
4540: .\"
4541: .\" SESS_ID
4542: .\"
4543: .Sh SESS_ID
4544: .nr nS 1
4545: .Nm "openssl sess_id"
4546: .Bk -words
4547: .Op Fl cert
4548: .Op Fl context Ar ID
4549: .Op Fl in Ar file
4550: .Op Fl inform Ar DER | PEM
4551: .Op Fl noout
4552: .Op Fl out Ar file
4553: .Op Fl outform Ar DER | PEM
4554: .Op Fl text
4555: .Ek
4556: .nr nS 0
4557: .Pp
4558: The
4559: .Nm sess_id
4560: program processes the encoded version of the SSL session structure and
4561: optionally prints out SSL session details
4562: .Pq for example the SSL session master key
4563: in human readable format.
4564: Since this is a diagnostic tool that needs some knowledge of the SSL
4565: protocol to use properly, most users will not need to use it.
4566: .Pp
4567: The options are as follows:
4568: .Bl -tag -width Ds
4569: .It Fl cert
4570: If a certificate is present in the session,
4571: it will be output using this option;
4572: if the
4573: .Fl text
4574: option is also present, then it will be printed out in text form.
4575: .It Fl context Ar ID
4576: This option can set the session ID so the output session information uses the
4577: supplied
4578: .Ar ID .
4579: The
4580: .Ar ID
4581: can be any string of characters.
4582: This option won't normally be used.
4583: .It Fl in Ar file
4584: This specifies the input
4585: .Ar file
4586: to read session information from, or standard input by default.
4587: .It Fl inform Ar DER | PEM
4588: This specifies the input format.
4589: The
4590: .Ar DER
4591: argument uses an ASN1 DER-encoded
4592: format containing session details.
4593: The precise format can vary from one version to the next.
4594: The
4595: .Ar PEM
4596: form is the default format: it consists of the DER
4597: format base64-encoded with additional header and footer lines.
4598: .It Fl noout
4599: This option prevents output of the encoded version of the session.
4600: .It Fl out Ar file
4601: This specifies the output
4602: .Ar file
4603: to write session information to, or standard
4604: output if this option is not specified.
4605: .It Fl outform Ar DER | PEM
4606: This specifies the output format; the options have the same meaning as the
4607: .Fl inform
4608: option.
4609: .It Fl text
4610: Prints out the various public or private key components in
4611: plain text in addition to the encoded version.
4612: .El
4613: .Sh SESS_ID OUTPUT
4614: Typical output:
4615: .Bd -literal
4616: SSL-Session:
4617: Protocol : TLSv1
4618: Cipher : 0016
4619: Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
4620: Session-ID-ctx: 01000000
4621: Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
4622: Key-Arg : None
4623: Start Time: 948459261
4624: Timeout : 300 (sec)
4625: Verify return code 0 (ok)
4626: .Ed
4627: .Pp
4628: These are described below in more detail.
4629: .Pp
4630: .Bl -tag -width "Verify return code " -compact
4631: .It Ar Protocol
1.18 jmc 4632: This is the protocol in use.
1.1 jsing 4633: .It Ar Cipher
4634: The cipher used is the actual raw SSL or TLS cipher code;
4635: see the SSL or TLS specifications for more information.
4636: .It Ar Session-ID
4637: The SSL session ID in hex format.
4638: .It Ar Session-ID-ctx
4639: The session ID context in hex format.
4640: .It Ar Master-Key
4641: This is the SSL session master key.
4642: .It Ar Key-Arg
4643: The key argument; this is only used in SSL v2.
4644: .It Ar Start Time
4645: This is the session start time, represented as an integer in standard
4646: .Ux
4647: format.
4648: .It Ar Timeout
4649: The timeout in seconds.
4650: .It Ar Verify return code
4651: This is the return code when an SSL client certificate is verified.
4652: .El
4653: .Sh SESS_ID NOTES
4654: The PEM-encoded session format uses the header and footer lines:
4655: .Bd -unfilled -offset indent
4656: -----BEGIN SSL SESSION PARAMETERS-----
4657: -----END SSL SESSION PARAMETERS-----
4658: .Ed
4659: .Pp
4660: Since the SSL session output contains the master key, it is possible to read
4661: the contents of an encrypted session using this information.
4662: Therefore appropriate security precautions
4663: should be taken if the information is being output by a
4664: .Qq real
4665: application.
4666: This is, however, strongly discouraged and should only be used for
4667: debugging purposes.
4668: .Sh SESS_ID BUGS
4669: The cipher and start time should be printed out in human readable form.
4670: .\"
4671: .\" SMIME
4672: .\"
4673: .Sh SMIME
4674: .nr nS 1
4675: .Nm "openssl smime"
4676: .Bk -words
4677: .Oo
4678: .Fl aes128 | aes192 | aes256 | des |
4679: .Fl des3 | rc2-40 | rc2-64 | rc2-128
4680: .Oc
4681: .Op Fl binary
4682: .Op Fl CAfile Ar file
4683: .Op Fl CApath Ar directory
4684: .Op Fl certfile Ar file
4685: .Op Fl check_ss_sig
4686: .Op Fl content Ar file
4687: .Op Fl crl_check
4688: .Op Fl crl_check_all
4689: .Op Fl decrypt
4690: .Op Fl encrypt
4691: .Op Fl extended_crl
4692: .Op Fl from Ar addr
4693: .Op Fl ignore_critical
4694: .Op Fl in Ar file
4695: .Op Fl indef
4696: .Op Fl inform Ar DER | PEM | SMIME
4697: .Op Fl inkey Ar file
4698: .Op Fl issuer_checks
1.22 bcook 4699: .Op Fl keyform Ar PEM
1.1 jsing 4700: .Op Fl md Ar digest
4701: .Op Fl noattr
4702: .Op Fl nocerts
4703: .Op Fl nochain
4704: .Op Fl nodetach
4705: .Op Fl noindef
4706: .Op Fl nointern
4707: .Op Fl nosigs
4708: .Op Fl noverify
4709: .Op Fl out Ar file
4710: .Op Fl outform Ar DER | PEM | SMIME
4711: .Op Fl passin Ar arg
4712: .Op Fl pk7out
4713: .Op Fl policy_check
4714: .Op Fl recip Ar file
4715: .Op Fl resign
4716: .Op Fl sign
4717: .Op Fl signer Ar file
4718: .Op Fl stream
4719: .Op Fl subject Ar s
4720: .Op Fl text
4721: .Op Fl to Ar addr
4722: .Op Fl verify
4723: .Op Fl x509_strict
4724: .Op Ar cert.pem ...
4725: .Ek
4726: .nr nS 0
4727: .Pp
4728: The
4729: .Nm smime
4730: command handles
4731: .Em S/MIME
4732: mail.
4733: It can encrypt, decrypt, sign, and verify
4734: .Em S/MIME
4735: messages.
4736: .Pp
4737: There are six operation options that set the type of operation to be performed.
4738: The meaning of the other options varies according to the operation type.
4739: .Pp
4740: The six operation options are as follows:
4741: .Bl -tag -width "XXXX"
4742: .It Fl decrypt
4743: Decrypt mail using the supplied certificate and private key.
4744: Expects an encrypted mail message in
4745: .Em MIME
4746: format for the input file.
4747: The decrypted mail is written to the output file.
4748: .It Fl encrypt
4749: Encrypt mail for the given recipient certificates.
4750: Input file is the message to be encrypted.
4751: The output file is the encrypted mail in
4752: .Em MIME
4753: format.
4754: .It Fl pk7out
4755: Takes an input message and writes out a PEM-encoded PKCS#7 structure.
4756: .It Fl resign
4757: Resign a message: take an existing message and one or more new signers.
4758: .It Fl sign
4759: Sign mail using the supplied certificate and private key.
4760: Input file is the message to be signed.
4761: The signed message in
4762: .Em MIME
4763: format is written to the output file.
4764: .It Fl verify
4765: Verify signed mail.
4766: Expects a signed mail message on input and outputs the signed data.
4767: Both clear text and opaque signing is supported.
4768: .El
4769: .Pp
1.14 jmc 4770: The remaining options are as follows:
1.1 jsing 4771: .Bl -tag -width "XXXX"
4772: .It Xo
4773: .Fl aes128 | aes192 | aes256 | des |
4774: .Fl des3 | rc2-40 | rc2-64 | rc2-128
4775: .Xc
4776: The encryption algorithm to use.
4777: 128-, 192-, or 256-bit AES,
4778: DES
4779: .Pq 56 bits ,
4780: triple DES
4781: .Pq 168 bits ,
4782: or 40-, 64-, or 128-bit RC2, respectively;
4783: if not specified, 40-bit RC2 is
4784: used.
4785: Only used with
4786: .Fl encrypt .
4787: .It Fl binary
4788: Normally, the input message is converted to
4789: .Qq canonical
4790: format which is effectively using CR and LF as end of line \-
4791: as required by the
4792: .Em S/MIME
4793: specification.
4794: When this option is present no translation occurs.
4795: This is useful when handling binary data which may not be in
4796: .Em MIME
4797: format.
4798: .It Fl CAfile Ar file
4799: A
4800: .Ar file
4801: containing trusted CA certificates; only used with
4802: .Fl verify .
4803: .It Fl CApath Ar directory
4804: A
4805: .Ar directory
4806: containing trusted CA certificates; only used with
4807: .Fl verify .
4808: This directory must be a standard certificate directory:
4809: that is, a hash of each subject name (using
4810: .Nm x509 -hash )
4811: should be linked to each certificate.
4812: .It Ar cert.pem ...
4813: One or more certificates of message recipients: used when encrypting
4814: a message.
4815: .It Fl certfile Ar file
4816: Allows additional certificates to be specified.
4817: When signing, these will be included with the message.
4818: When verifying, these will be searched for the signers' certificates.
4819: The certificates should be in PEM format.
4820: .It Xo
4821: .Fl check_ss_sig ,
4822: .Fl crl_check ,
4823: .Fl crl_check_all ,
4824: .Fl extended_crl ,
4825: .Fl ignore_critical ,
4826: .Fl issuer_checks ,
4827: .Fl policy_check ,
4828: .Fl x509_strict
4829: .Xc
4830: Set various certificate chain validation options.
4831: See the
4832: .Nm VERIFY
4833: command for details.
4834: .It Fl content Ar file
4835: This specifies a file containing the detached content.
4836: This is only useful with the
4837: .Fl verify
4838: command.
4839: This is only usable if the PKCS#7 structure is using the detached
4840: signature form where the content is not included.
4841: This option will override any content if the input format is
4842: .Em S/MIME
4843: and it uses the multipart/signed
4844: .Em MIME
4845: content type.
4846: .It Xo
4847: .Fl from Ar addr ,
4848: .Fl subject Ar s ,
4849: .Fl to Ar addr
4850: .Xc
4851: The relevant mail headers.
4852: These are included outside the signed
4853: portion of a message so they may be included manually.
4854: When signing, many
4855: .Em S/MIME
4856: mail clients check that the signer's certificate email
4857: address matches the From: address.
4858: .It Fl in Ar file
4859: The input message to be encrypted or signed or the
4860: .Em MIME
4861: message to
4862: be decrypted or verified.
4863: .It Fl indef
4864: Enable streaming I/O for encoding operations.
4865: This permits single pass processing of data without
4866: the need to hold the entire contents in memory,
4867: potentially supporting very large files.
4868: Streaming is automatically set for S/MIME signing with detached
4869: data if the output format is SMIME;
4870: it is currently off by default for all other operations.
4871: .It Fl inform Ar DER | PEM | SMIME
4872: This specifies the input format for the PKCS#7 structure.
4873: The default is
4874: .Em SMIME ,
4875: which reads an
4876: .Em S/MIME
4877: format message.
4878: .Ar PEM
4879: and
4880: .Ar DER
4881: format change this to expect PEM and DER format PKCS#7 structures
4882: instead.
4883: This currently only affects the input format of the PKCS#7
4884: structure; if no PKCS#7 structure is being input (for example with
4885: .Fl encrypt
4886: or
4887: .Fl sign ) ,
4888: this option has no effect.
4889: .It Fl inkey Ar file
4890: The private key to use when signing or decrypting.
4891: This must match the corresponding certificate.
4892: If this option is not specified, the private key must be included
4893: in the certificate file specified with
4894: the
4895: .Fl recip
4896: or
4897: .Fl signer
4898: file.
4899: When signing,
4900: this option can be used multiple times to specify successive keys.
1.22 bcook 4901: .It Fl keyform Ar PEM
1.1 jsing 4902: Input private key format.
4903: .It Fl md Ar digest
4904: The digest algorithm to use when signing or resigning.
4905: If not present then the default digest algorithm for the signing key is used
4906: (usually SHA1).
4907: .It Fl noattr
4908: Normally, when a message is signed a set of attributes are included which
4909: include the signing time and supported symmetric algorithms.
4910: With this option they are not included.
4911: .It Fl nocerts
4912: When signing a message, the signer's certificate is normally included;
4913: with this option it is excluded.
4914: This will reduce the size of the signed message but the verifier must
4915: have a copy of the signer's certificate available locally (passed using the
4916: .Fl certfile
4917: option, for example).
4918: .It Fl nochain
4919: Do not do chain verification of signers' certificates: that is,
4920: don't use the certificates in the signed message as untrusted CAs.
4921: .It Fl nodetach
4922: When signing a message use opaque signing: this form is more resistant
4923: to translation by mail relays but it cannot be read by mail agents that
4924: do not support
4925: .Em S/MIME .
4926: Without this option cleartext signing with the
4927: .Em MIME
4928: type multipart/signed is used.
4929: .It Fl noindef
4930: Disable streaming I/O where it would produce an encoding of indefinite length.
4931: This option currently has no effect.
4932: In future streaming will be enabled by default on all relevant operations
4933: and this option will disable it.
4934: .It Fl nointern
4935: When verifying a message, normally certificates
4936: .Pq if any
4937: included in the message are searched for the signing certificate.
4938: With this option, only the certificates specified in the
4939: .Fl certfile
4940: option are used.
4941: The supplied certificates can still be used as untrusted CAs however.
4942: .It Fl nosigs
4943: Don't try to verify the signatures on the message.
4944: .It Fl noverify
4945: Do not verify the signer's certificate of a signed message.
4946: .It Fl out Ar file
4947: The message text that has been decrypted or verified, or the output
4948: .Em MIME
4949: format message that has been signed or verified.
4950: .It Fl outform Ar DER | PEM | SMIME
4951: This specifies the output format for the PKCS#7 structure.
4952: The default is
4953: .Em SMIME ,
4954: which writes an
4955: .Em S/MIME
4956: format message.
4957: .Ar PEM
4958: and
4959: .Ar DER
4960: format change this to write PEM and DER format PKCS#7 structures
4961: instead.
4962: This currently only affects the output format of the PKCS#7
4963: structure; if no PKCS#7 structure is being output (for example with
4964: .Fl verify
4965: or
4966: .Fl decrypt )
4967: this option has no effect.
4968: .It Fl passin Ar arg
4969: The key password source.
4970: .It Fl recip Ar file
4971: The recipients certificate when decrypting a message.
4972: This certificate
4973: must match one of the recipients of the message or an error occurs.
4974: .It Fl signer Ar file
4975: A signing certificate when signing or resigning a message;
4976: this option can be used multiple times if more than one signer is required.
4977: If a message is being verified, the signer's certificates will be
4978: written to this file if the verification was successful.
4979: .It Fl stream
4980: The same as
4981: .Fl indef .
4982: .It Fl text
4983: This option adds plain text
4984: .Pq text/plain
4985: .Em MIME
4986: headers to the supplied message if encrypting or signing.
4987: If decrypting or verifying, it strips off text headers:
4988: if the decrypted or verified message is not of
4989: .Em MIME
4990: type text/plain then an error occurs.
4991: .El
4992: .Sh SMIME NOTES
4993: The
4994: .Em MIME
4995: message must be sent without any blank lines between the
4996: headers and the output.
4997: Some mail programs will automatically add a blank line.
1.3 jmc 4998: Piping the mail directly to an MTA is one way to
1.1 jsing 4999: achieve the correct format.
5000: .Pp
5001: The supplied message to be signed or encrypted must include the
5002: necessary
5003: .Em MIME
5004: headers or many
5005: .Em S/MIME
5006: clients won't display it properly
5007: .Pq if at all .
5008: You can use the
5009: .Fl text
5010: option to automatically add plain text headers.
5011: .Pp
5012: A
5013: .Qq signed and encrypted
5014: message is one where a signed message is then encrypted.
5015: This can be produced by encrypting an already signed message:
5016: see the
5017: .Sx SMIME EXAMPLES
5018: section.
5019: .Pp
5020: This version of the program only allows one signer per message, but it
5021: will verify multiple signers on received messages.
5022: Some
5023: .Em S/MIME
5024: clients choke if a message contains multiple signers.
5025: It is possible to sign messages
5026: .Qq in parallel
5027: by signing an already signed message.
5028: .Pp
5029: The options
5030: .Fl encrypt
5031: and
5032: .Fl decrypt
5033: reflect common usage in
5034: .Em S/MIME
5035: clients.
5036: Strictly speaking these process PKCS#7 enveloped data: PKCS#7
5037: encrypted data is used for other purposes.
5038: .Pp
5039: The
5040: .Fl resign
5041: option uses an existing message digest when adding a new signer.
5042: This means that attributes must be present in at least one existing
5043: signer using the same message digest or this operation will fail.
5044: .Pp
5045: The
5046: .Fl stream
5047: and
5048: .Fl indef
5049: options enable experimental streaming I/O support.
5050: As a result the encoding is BER using indefinite length constructed encoding
5051: and no longer DER.
5052: Streaming is supported for the
5053: .Fl encrypt
5054: and
5055: .Fl sign
5056: operations if the content is not detached.
5057: .Pp
5058: Streaming is always used for the
5059: .Fl sign
5060: operation with detached data
5061: but since the content is no longer part of the PKCS#7 structure
5062: the encoding remains DER.
5063: .Sh SMIME EXIT CODES
5064: .Bl -tag -width "XXXX"
5065: .It Ar 0
5066: The operation was completely successful.
5067: .It Ar 1
5068: An error occurred parsing the command options.
5069: .It Ar 2
5070: One of the input files could not be read.
5071: .It Ar 3
5072: An error occurred creating the PKCS#7 file or when reading the
5073: .Em MIME
5074: message.
5075: .It Ar 4
5076: An error occurred decrypting or verifying the message.
5077: .It Ar 5
5078: The message was verified correctly, but an error occurred writing out
5079: the signer's certificates.
5080: .El
5081: .Sh SMIME EXAMPLES
5082: Create a cleartext signed message:
5083: .Bd -literal -offset indent
5084: $ openssl smime -sign -in message.txt -text -out mail.msg \e
5085: -signer mycert.pem
5086: .Ed
5087: .Pp
5088: Create an opaque signed message:
5089: .Bd -literal -offset indent
5090: $ openssl smime -sign -in message.txt -text -out mail.msg \e
5091: -nodetach -signer mycert.pem
5092: .Ed
5093: .Pp
5094: Create a signed message, include some additional certificates and
5095: read the private key from another file:
5096: .Bd -literal -offset indent
5097: $ openssl smime -sign -in in.txt -text -out mail.msg \e
5098: -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
5099: .Ed
5100: .Pp
5101: Create a signed message with two signers:
5102: .Bd -literal -offset indent
5103: openssl smime -sign -in message.txt -text -out mail.msg \e
5104: -signer mycert.pem -signer othercert.pem
5105: .Ed
5106: .Pp
5107: Send a signed message under
5108: .Ux
5109: directly to
5110: .Xr sendmail 8 ,
5111: including headers:
5112: .Bd -literal -offset indent
5113: $ openssl smime -sign -in in.txt -text -signer mycert.pem \e
5114: -from steve@openssl.org -to someone@somewhere \e
5115: -subject "Signed message" | sendmail someone@somewhere
5116: .Ed
5117: .Pp
5118: Verify a message and extract the signer's certificate if successful:
5119: .Bd -literal -offset indent
5120: $ openssl smime -verify -in mail.msg -signer user.pem \e
5121: -out signedtext.txt
5122: .Ed
5123: .Pp
5124: Send encrypted mail using triple DES:
5125: .Bd -literal -offset indent
5126: $ openssl smime -encrypt -in in.txt -from steve@openssl.org \e
5127: -to someone@somewhere -subject "Encrypted message" \e
5128: -des3 -out mail.msg user.pem
5129: .Ed
5130: .Pp
5131: Sign and encrypt mail:
5132: .Bd -literal -offset indent
5133: $ openssl smime -sign -in ml.txt -signer my.pem -text | \e
5134: openssl smime -encrypt -out mail.msg \e
5135: -from steve@openssl.org -to someone@somewhere \e
5136: -subject "Signed and Encrypted message" -des3 user.pem
5137: .Ed
5138: .Pp
5139: .Sy Note :
5140: The encryption command does not include the
5141: .Fl text
5142: option because the message being encrypted already has
5143: .Em MIME
5144: headers.
5145: .Pp
5146: Decrypt mail:
5147: .Bd -literal -offset indent
5148: $ openssl smime -decrypt -in mail.msg -recip mycert.pem \e
5149: -inkey key.pem"
5150: .Ed
5151: .Pp
5152: The output from Netscape form signing is a PKCS#7 structure with the
5153: detached signature format.
5154: You can use this program to verify the signature by line wrapping the
5155: base64-encoded structure and surrounding it with:
5156: .Bd -unfilled -offset indent
5157: -----BEGIN PKCS7-----
5158: -----END PKCS7-----
5159: .Ed
5160: .Pp
5161: and using the command:
5162: .Bd -literal -offset indent
5163: $ openssl smime -verify -inform PEM -in signature.pem \e
5164: -content content.txt
5165: .Ed
5166: .Pp
5167: Alternatively, you can base64 decode the signature and use:
5168: .Bd -literal -offset indent
5169: $ openssl smime -verify -inform DER -in signature.der \e
5170: -content content.txt
5171: .Ed
5172: .Pp
5173: Create an encrypted message using 128-bit AES:
5174: .Bd -literal -offset indent
5175: openssl smime -encrypt -in plain.txt -aes128 \e
5176: -out mail.msg cert.pem
5177: .Ed
5178: .Pp
5179: Add a signer to an existing message:
5180: .Bd -literal -offset indent
5181: openssl smime -resign -in mail.msg -signer newsign.pem \e
5182: -out mail2.msg
5183: .Ed
5184: .Sh SMIME BUGS
5185: The
5186: .Em MIME
5187: parser isn't very clever: it seems to handle most messages that I've thrown
5188: at it, but it may choke on others.
5189: .Pp
5190: The code currently will only write out the signer's certificate to a file:
5191: if the signer has a separate encryption certificate this must be manually
5192: extracted.
5193: There should be some heuristic that determines the correct encryption
5194: certificate.
5195: .Pp
5196: Ideally, a database should be maintained of a certificate for each email
5197: address.
5198: .Pp
5199: The code doesn't currently take note of the permitted symmetric encryption
5200: algorithms as supplied in the
5201: .Em SMIMECapabilities
5202: signed attribute.
5203: This means the user has to manually include the correct encryption algorithm.
5204: It should store the list of permitted ciphers in a database and only use those.
5205: .Pp
5206: No revocation checking is done on the signer's certificate.
5207: .Pp
5208: The current code can only handle
5209: .Em S/MIME
5210: v2 messages; the more complex
5211: .Em S/MIME
5212: v3 structures may cause parsing errors.
5213: .Sh SMIME HISTORY
5214: The use of multiple
5215: .Fl signer
5216: options and the
5217: .Fl resign
5218: command were first added in
5219: .Nm OpenSSL
5220: 1.0.0.
5221: .\"
5222: .\" SPEED
5223: .\"
5224: .Sh SPEED
5225: .nr nS 1
5226: .Nm "openssl speed"
5227: .Bk -words
5228: .Op Cm aes
5229: .Op Cm aes-128-cbc
5230: .Op Cm aes-192-cbc
5231: .Op Cm aes-256-cbc
1.25 bcook 5232: .Op Cm aes-128-gcm
5233: .Op Cm aes-256-gcm
1.1 jsing 5234: .Op Cm blowfish
5235: .Op Cm bf-cbc
5236: .Op Cm cast
5237: .Op Cm cast-cbc
1.25 bcook 5238: .Op Cm chacha20-poly1305
1.1 jsing 5239: .Op Cm des
5240: .Op Cm des-cbc
5241: .Op Cm des-ede3
5242: .Op Cm dsa
5243: .Op Cm dsa512
5244: .Op Cm dsa1024
5245: .Op Cm dsa2048
5246: .Op Cm hmac
1.28 doug 5247: .Op Cm md4
1.1 jsing 5248: .Op Cm md5
5249: .Op Cm rc2
5250: .Op Cm rc2-cbc
5251: .Op Cm rc4
5252: .Op Cm rmd160
5253: .Op Cm rsa
5254: .Op Cm rsa512
5255: .Op Cm rsa1024
5256: .Op Cm rsa2048
5257: .Op Cm rsa4096
5258: .Op Cm sha1
5259: .Op Fl decrypt
5260: .Op Fl elapsed
5261: .Op Fl evp Ar e
5262: .Op Fl mr
5263: .Op Fl multi Ar number
5264: .Ek
5265: .nr nS 0
5266: .Pp
5267: The
5268: .Nm speed
5269: command is used to test the performance of cryptographic algorithms.
5270: .Bl -tag -width "XXXX"
5271: .It Bq Cm zero or more test algorithms
5272: If any options are given,
5273: .Nm speed
5274: tests those algorithms, otherwise all of the above are tested.
5275: .It Fl decrypt
5276: Time decryption instead of encryption
5277: .Pq only EVP .
5278: .It Fl elapsed
5279: Measure time in real time instead of CPU user time.
5280: .It Fl evp Ar e
5281: Use EVP
5282: .Ar e .
5283: .It Fl mr
5284: Produce machine readable output.
5285: .It Fl multi Ar number
5286: Run
5287: .Ar number
5288: benchmarks in parallel.
5289: .El
5290: .\"
5291: .\" TS
5292: .\"
5293: .Sh TS
5294: .nr nS 1
5295: .Nm "openssl ts"
5296: .Bk -words
5297: .Fl query
1.29 bcook 5298: .Op Fl md4 | md5 | ripemd160 | sha1
1.1 jsing 5299: .Op Fl cert
5300: .Op Fl config Ar configfile
5301: .Op Fl data Ar file_to_hash
5302: .Op Fl digest Ar digest_bytes
5303: .Op Fl in Ar request.tsq
5304: .Op Fl no_nonce
5305: .Op Fl out Ar request.tsq
5306: .Op Fl policy Ar object_id
5307: .Op Fl text
5308: .Ek
5309: .nr nS 0
5310: .Pp
5311: .nr nS 1
5312: .Nm "openssl ts"
5313: .Bk -words
5314: .Fl reply
5315: .Op Fl chain Ar certs_file.pem
5316: .Op Fl config Ar configfile
5317: .Op Fl in Ar response.tsr
5318: .Op Fl inkey Ar private.pem
5319: .Op Fl out Ar response.tsr
5320: .Op Fl passin Ar arg
5321: .Op Fl policy Ar object_id
5322: .Op Fl queryfile Ar request.tsq
5323: .Op Fl section Ar tsa_section
5324: .Op Fl signer Ar tsa_cert.pem
5325: .Op Fl text
5326: .Op Fl token_in
5327: .Op Fl token_out
5328: .Ek
5329: .nr nS 0
5330: .Pp
5331: .nr nS 1
5332: .Nm "openssl ts"
5333: .Bk -words
5334: .Fl verify
5335: .Op Fl CAfile Ar trusted_certs.pem
5336: .Op Fl CApath Ar trusted_cert_path
5337: .Op Fl data Ar file_to_hash
5338: .Op Fl digest Ar digest_bytes
5339: .Op Fl in Ar response.tsr
5340: .Op Fl queryfile Ar request.tsq
5341: .Op Fl token_in
5342: .Op Fl untrusted Ar cert_file.pem
5343: .Ek
5344: .nr nS 0
5345: .Pp
5346: The
5347: .Nm ts
5348: command is a basic Time Stamping Authority (TSA) client and server
5349: application as specified in RFC 3161 (Time-Stamp Protocol, TSP).
5350: A TSA can be part of a PKI deployment and its role is to provide long
5351: term proof of the existence of a certain datum before a particular time.
5352: Here is a brief description of the protocol:
5353: .Bl -enum
5354: .It
5355: The TSA client computes a one-way hash value for a data file and sends
5356: the hash to the TSA.
5357: .It
5358: The TSA attaches the current date and time to the received hash value,
5359: signs them and sends the time stamp token back to the client.
5360: By creating this token the TSA certifies the existence of the original
5361: data file at the time of response generation.
5362: .It
5363: The TSA client receives the time stamp token and verifies the
5364: signature on it.
5365: It also checks if the token contains the same hash
5366: value that it had sent to the TSA.
5367: .El
5368: .Pp
5369: There is one DER-encoded protocol data unit defined for transporting a time
5370: stamp request to the TSA and one for sending the time stamp response
5371: back to the client.
5372: The
5373: .Nm ts
5374: command has three main functions:
5375: creating a time stamp request based on a data file;
5376: creating a time stamp response based on a request;
5377: and verifying if a response corresponds
5378: to a particular request or a data file.
5379: .Pp
5380: There is no support for sending the requests/responses automatically
5381: over HTTP or TCP yet as suggested in RFC 3161.
5382: Users must send the requests either by FTP or email.
5383: .Pp
5384: The
5385: .Fl query
5386: switch can be used for creating and printing a time stamp
5387: request with the following options:
5388: .Bl -tag -width Ds
5389: .It Fl cert
5390: The TSA is expected to include its signing certificate in the
5391: response.
5392: .It Fl config Ar configfile
5393: The configuration file to use.
5394: This option overrides the
5395: .Ev OPENSSL_CONF
5396: environment variable.
5397: Only the OID section of the config file is used with the
5398: .Fl query
5399: command.
5400: .It Fl data Ar file_to_hash
5401: The data file for which the time stamp request needs to be created.
5402: stdin is the default if neither the
5403: .Fl data
5404: nor the
5405: .Fl digest
5406: option is specified.
5407: .It Fl digest Ar digest_bytes
5408: It is possible to specify the message imprint explicitly without the data
5409: file.
5410: The imprint must be specified in a hexadecimal format,
5411: two characters per byte,
5412: the bytes optionally separated by colons (e.g. 1A:F6:01:... or 1AF601...).
5413: The number of bytes must match the message digest algorithm in use.
5414: .It Fl in Ar request.tsq
5415: This option specifies a previously created time stamp request in DER
5416: format that will be printed into the output file.
5417: Useful when you need to examine the content of a request in human-readable
5418: format.
1.28 doug 5419: .It Fl md4|md5|ripemd160|sha|sha1
1.1 jsing 5420: The message digest to apply to the data file.
5421: It supports all the message digest algorithms that are supported by the
5422: .Nm dgst
5423: command.
5424: The default is SHA-1.
5425: .It Fl no_nonce
5426: No nonce is specified in the request if this option is given.
5427: Otherwise a 64-bit long pseudo-random none is
5428: included in the request.
5429: It is recommended to use nonce to protect against replay-attacks.
5430: .It Fl out Ar request.tsq
5431: Name of the output file to which the request will be written.
5432: The default is stdout.
5433: .It Fl policy Ar object_id
5434: The policy that the client expects the TSA to use for creating the
5435: time stamp token.
5436: Either the dotted OID notation or OID names defined
5437: in the config file can be used.
5438: If no policy is requested the TSA will
5439: use its own default policy.
5440: .It Fl text
5441: If this option is specified the output is in human-readable text format
5442: instead of DER.
5443: .El
5444: .Pp
5445: A time stamp response (TimeStampResp) consists of a response status
5446: and the time stamp token itself (ContentInfo),
5447: if the token generation was successful.
5448: The
5449: .Fl reply
5450: command is for creating a time stamp
5451: response or time stamp token based on a request and printing the
5452: response/token in human-readable format.
5453: If
5454: .Fl token_out
5455: is not specified the output is always a time stamp response (TimeStampResp),
5456: otherwise it is a time stamp token (ContentInfo).
5457: .Bl -tag -width Ds
5458: .It Fl chain Ar certs_file.pem
5459: The collection of certificates, in PEM format,
5460: that will be included in the response
5461: in addition to the signer certificate if the
5462: .Fl cert
5463: option was used for the request.
5464: This file is supposed to contain the certificate chain
5465: for the signer certificate from its issuer upwards.
5466: The
5467: .Fl reply
5468: command does not build a certificate chain automatically.
5469: .It Fl config Ar configfile
5470: The configuration file to use.
5471: This option overrides the
5472: .Ev OPENSSL_CONF
5473: environment variable.
5474: See
5475: .Sx TS CONFIGURATION FILE OPTIONS
5476: for configurable variables.
5477: .It Fl in Ar response.tsr
5478: Specifies a previously created time stamp response or time stamp token, if
5479: .Fl token_in
5480: is also specified,
5481: in DER format that will be written to the output file.
5482: This option does not require a request;
5483: it is useful, for example,
5484: when you need to examine the content of a response or token
5485: or you want to extract the time stamp token from a response.
5486: If the input is a token and the output is a time stamp response a default
5487: .Dq granted
5488: status info is added to the token.
5489: .It Fl inkey Ar private.pem
5490: The signer private key of the TSA in PEM format.
5491: Overrides the
5492: .Cm signer_key
5493: config file option.
5494: .It Fl out Ar response.tsr
5495: The response is written to this file.
5496: The format and content of the file depends on other options (see
5497: .Fl text
5498: and
5499: .Fl token_out ) .
5500: The default is stdout.
5501: .It Fl passin Ar arg
5502: The key password source.
5503: .It Fl policy Ar object_id
5504: The default policy to use for the response unless the client
5505: explicitly requires a particular TSA policy.
5506: The OID can be specified either in dotted notation or with its name.
5507: Overrides the
5508: .Cm default_policy
5509: config file option.
5510: .It Fl queryfile Ar request.tsq
5511: The name of the file containing a DER-encoded time stamp request.
5512: .It Fl section Ar tsa_section
5513: The name of the config file section containing the settings for the
5514: response generation.
5515: If not specified the default TSA section is used; see
5516: .Sx TS CONFIGURATION FILE OPTIONS
5517: for details.
5518: .It Fl signer Ar tsa_cert.pem
5519: The signer certificate of the TSA in PEM format.
5520: The TSA signing certificate must have exactly one extended key usage
5521: assigned to it: timeStamping.
5522: The extended key usage must also be critical,
5523: otherwise the certificate is going to be refused.
5524: Overrides the
5525: .Cm signer_cert
5526: variable of the config file.
5527: .It Fl text
5528: If this option is specified the output is human-readable text format
5529: instead of DER.
5530: .It Fl token_in
5531: This flag can be used together with the
5532: .Fl in
5533: option and indicates that the input is a DER-encoded time stamp token
5534: (ContentInfo) instead of a time stamp response (TimeStampResp).
5535: .It Fl token_out
5536: The output is a time stamp token (ContentInfo) instead of time stamp
5537: response (TimeStampResp).
5538: .El
5539: .Pp
5540: The
5541: .Fl verify
5542: command is for verifying if a time stamp response or time stamp token
5543: is valid and matches a particular time stamp request or data file.
5544: The
5545: .Fl verify
5546: command does not use the configuration file.
5547: .Bl -tag -width Ds
5548: .It Fl CAfile Ar trusted_certs.pem
5549: The name of the file containing a set of trusted self-signed CA
5550: certificates in PEM format.
5551: See the similar option of
5552: .Nm verify
5553: for additional details.
5554: Either this option or
5555: .Fl CApath
5556: must be specified.
5557: .It Fl CApath Ar trusted_cert_path
5558: The name of the directory containing the trused CA certificates of the
5559: client.
5560: See the similar option of
5561: .Nm verify
5562: for additional details.
5563: Either this option or
5564: .Fl CAfile
5565: must be specified.
5566: .It Fl data Ar file_to_hash
5567: The response or token must be verified against
5568: .Ar file_to_hash .
5569: The file is hashed with the message digest algorithm specified in the token.
5570: The
5571: .Fl digest
5572: and
5573: .Fl queryfile
5574: options must not be specified with this one.
5575: .It Fl digest Ar digest_bytes
5576: The response or token must be verified against the message digest specified
5577: with this option.
5578: The number of bytes must match the message digest algorithm
5579: specified in the token.
5580: The
5581: .Fl data
5582: and
5583: .Fl queryfile
5584: options must not be specified with this one.
5585: .It Fl in Ar response.tsr
5586: The time stamp response that needs to be verified, in DER format.
5587: This option in mandatory.
5588: .It Fl queryfile Ar request.tsq
5589: The original time stamp request, in DER format.
5590: The
5591: .Fl data
5592: and
5593: .Fl digest
5594: options must not be specified with this one.
5595: .It Fl token_in
5596: This flag can be used together with the
5597: .Fl in
5598: option and indicates that the input is a DER-encoded time stamp token
5599: (ContentInfo) instead of a time stamp response (TimeStampResp).
5600: .It Fl untrusted Ar cert_file.pem
5601: Set of additional untrusted certificates in PEM format which may be
5602: needed when building the certificate chain for the TSA's signing
5603: certificate.
5604: This file must contain the TSA signing certificate and
5605: all intermediate CA certificates unless the response includes them.
5606: .El
5607: .Sh TS CONFIGURATION FILE OPTIONS
5608: The
5609: .Fl query
5610: and
5611: .Fl reply
5612: options make use of a configuration file defined by the
5613: .Ev OPENSSL_CONF
5614: environment variable.
5615: The
5616: .Fl query
5617: option uses only the symbolic OID names section
5618: and it can work without it.
5619: However, the
5620: .Fl reply
5621: option needs the config file for its operation.
5622: .Pp
5623: When there is a command line switch equivalent of a variable the
5624: switch always overrides the settings in the config file.
5625: .Bl -tag -width Ds
5626: .It Cm tsa Ar section , Cm default_tsa
5627: This is the main section and it specifies the name of another section
5628: that contains all the options for the
5629: .Fl reply
5630: option.
5631: This default section can be overridden with the
5632: .Fl section
5633: command line switch.
5634: .It Cm oid_file
5635: See
5636: .Nm ca
5637: for a description.
5638: .It Cm oid_section
5639: See
5640: .Nm ca
5641: for a description.
5642: .It Cm serial
5643: The name of the file containing the hexadecimal serial number of the
5644: last time stamp response created.
5645: This number is incremented by 1 for each response.
5646: If the file does not exist at the time of response
5647: generation a new file is created with serial number 1.
5648: This parameter is mandatory.
5649: .It Cm signer_cert
5650: TSA signing certificate, in PEM format.
5651: The same as the
5652: .Fl signer
5653: command line option.
5654: .It Cm certs
5655: A file containing a set of PEM-encoded certificates that need to be
5656: included in the response.
5657: The same as the
5658: .Fl chain
5659: command line option.
5660: .It Cm signer_key
5661: The private key of the TSA, in PEM format.
5662: The same as the
5663: .Fl inkey
5664: command line option.
5665: .It Cm default_policy
5666: The default policy to use when the request does not mandate any policy.
5667: The same as the
5668: .Fl policy
5669: command line option.
5670: .It Cm other_policies
5671: Comma separated list of policies that are also acceptable by the TSA
5672: and used only if the request explicitly specifies one of them.
5673: .It Cm digests
5674: The list of message digest algorithms that the TSA accepts.
5675: At least one algorithm must be specified.
5676: This parameter is mandatory.
5677: .It Cm accuracy
5678: The accuracy of the time source of the TSA in seconds, milliseconds
5679: and microseconds.
5680: For example, secs:1, millisecs:500, microsecs:100.
5681: If any of the components is missing,
5682: zero is assumed for that field.
5683: .It Cm clock_precision_digits
5684: Specifies the maximum number of digits, which represent the fraction of
5685: seconds, that need to be included in the time field.
5686: The trailing zeroes must be removed from the time,
5687: so there might actually be fewer digits,
5688: or no fraction of seconds at all.
5689: The maximum value is 6;
5690: the default is 0.
5691: .It Cm ordering
5692: If this option is yes,
5693: the responses generated by this TSA can always be ordered,
5694: even if the time difference between two responses is less
5695: than the sum of their accuracies.
5696: The default is no.
5697: .It Cm tsa_name
5698: Set this option to yes if the subject name of the TSA must be included in
5699: the TSA name field of the response.
5700: The default is no.
5701: .It Cm ess_cert_id_chain
5702: The SignedData objects created by the TSA always contain the
5703: certificate identifier of the signing certificate in a signed
5704: attribute (see RFC 2634, Enhanced Security Services).
5705: If this option is set to yes and either the
5706: .Cm certs
5707: variable or the
5708: .Fl chain
5709: option is specified then the certificate identifiers of the chain will also
5710: be included in the SigningCertificate signed attribute.
5711: If this variable is set to no,
5712: only the signing certificate identifier is included.
5713: The default is no.
5714: .El
5715: .Sh TS ENVIRONMENT VARIABLES
5716: .Ev OPENSSL_CONF
5717: contains the path of the configuration file and can be
5718: overridden by the
5719: .Fl config
5720: command line option.
5721: .Sh TS EXAMPLES
5722: All the examples below presume that
5723: .Ev OPENSSL_CONF
5724: is set to a proper configuration file,
5725: e.g. the example configuration file
5726: .Pa openssl/apps/openssl.cnf
5727: will do.
5728: .Pp
5729: To create a time stamp request for design1.txt with SHA-1
5730: without nonce and policy and no certificate is required in the response:
5731: .Bd -literal -offset indent
5732: $ openssl ts -query -data design1.txt -no_nonce \e
5733: -out design1.tsq
5734: .Ed
5735: .Pp
5736: To create a similar time stamp request but specifying the message imprint
5737: explicitly:
5738: .Bd -literal -offset indent
5739: $ openssl ts -query \e
5740: -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
5741: -no_nonce -out design1.tsq
5742: .Ed
5743: .Pp
5744: To print the content of the previous request in human readable format:
5745: .Bd -literal -offset indent
5746: $ openssl ts -query -in design1.tsq -text
5747: .Ed
5748: .Pp
5749: To create a time stamp request which includes the MD5 digest
5750: of design2.txt, requests the signer certificate and nonce,
5751: specifies a policy ID
5752: (assuming the tsa_policy1 name is defined in the
5753: OID section of the config file):
5754: .Bd -literal -offset indent
5755: $ openssl ts -query -data design2.txt -md5 \e
5756: -policy tsa_policy1 -cert -out design2.tsq
5757: .Ed
5758: .Pp
5759: Before generating a response,
5760: a signing certificate must be created for the TSA that contains the
5761: .Cm timeStamping
5762: critical extended key usage extension
5763: without any other key usage extensions.
5764: You can add the
5765: .Dq extendedKeyUsage = critical,timeStamping
5766: line to the user certificate section
5767: of the config file to generate a proper certificate.
5768: See the
5769: .Nm req ,
5770: .Nm ca ,
5771: and
5772: .Nm x509
5773: commands for instructions.
5774: The examples below assume that cacert.pem contains the certificate of the CA,
5775: tsacert.pem is the signing certificate issued by cacert.pem and
5776: tsakey.pem is the private key of the TSA.
5777: .Pp
5778: To create a time stamp response for a request:
5779: .Bd -literal -offset indent
5780: $ openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \e
5781: -signer tsacert.pem -out design1.tsr
5782: .Ed
5783: .Pp
5784: If you want to use the settings in the config file you could just write:
5785: .Bd -literal -offset indent
5786: $ openssl ts -reply -queryfile design1.tsq -out design1.tsr
5787: .Ed
5788: .Pp
5789: To print a time stamp reply to stdout in human readable format:
5790: .Bd -literal -offset indent
5791: $ openssl ts -reply -in design1.tsr -text
5792: .Ed
5793: .Pp
5794: To create a time stamp token instead of time stamp response:
5795: .Bd -literal -offset indent
5796: $ openssl ts -reply -queryfile design1.tsq \e
5797: -out design1_token.der -token_out
5798: .Ed
5799: .Pp
5800: To print a time stamp token to stdout in human readable format:
5801: .Bd -literal -offset indent
5802: $ openssl ts -reply -in design1_token.der -token_in \e
5803: -text -token_out
5804: .Ed
5805: .Pp
5806: To extract the time stamp token from a response:
5807: .Bd -literal -offset indent
5808: $ openssl ts -reply -in design1.tsr -out design1_token.der \e
5809: -token_out
5810: .Ed
5811: .Pp
5812: To add
5813: .Dq granted
5814: status info to a time stamp token thereby creating a valid response:
5815: .Bd -literal -offset indent
5816: $ openssl ts -reply -in design1_token.der \e
5817: -token_in -out design1.tsr
5818: .Ed
5819: .Pp
5820: To verify a time stamp reply against a request:
5821: .Bd -literal -offset indent
5822: $ openssl ts -verify -queryfile design1.tsq -in design1.tsr \e
5823: -CAfile cacert.pem -untrusted tsacert.pem
5824: .Ed
5825: .Pp
5826: To verify a time stamp reply that includes the certificate chain:
5827: .Bd -literal -offset indent
5828: $ openssl ts -verify -queryfile design2.tsq -in design2.tsr \e
5829: -CAfile cacert.pem
5830: .Ed
5831: .Pp
5832: To verify a time stamp token against the original data file:
5833: .Bd -literal -offset indent
5834: $ openssl ts -verify -data design2.txt -in design2.tsr \e
5835: -CAfile cacert.pem
5836: .Ed
5837: .Pp
5838: To verify a time stamp token against a message imprint:
5839: .Bd -literal -offset indent
5840: $ openssl ts -verify \e
5841: -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
5842: -in design2.tsr -CAfile cacert.pem
5843: .Ed
5844: .Sh TS BUGS
5845: No support for time stamps over SMTP, though it is quite easy
5846: to implement an automatic email-based TSA with
5847: .Xr procmail
5848: and
5849: .Xr perl 1 .
5850: Pure TCP/IP is not supported.
5851: .Pp
5852: The file containing the last serial number of the TSA is not
5853: locked when being read or written.
5854: This is a problem if more than one instance of
5855: .Nm OpenSSL
5856: is trying to create a time stamp
5857: response at the same time.
5858: .Pp
5859: Look for the FIXME word in the source files.
5860: .Pp
5861: The source code should really be reviewed by somebody else, too.
5862: .Pp
5863: More testing is needed.
5864: .Sh TS AUTHORS
5865: .An Zoltan Glozik Aq Mt zglozik@opentsa.org ,
5866: OpenTSA project
5867: .Pq Lk http://www.opentsa.org .
5868: .\"
5869: .\" SPKAC
5870: .\"
5871: .Sh SPKAC
5872: .nr nS 1
5873: .Nm "openssl spkac"
5874: .Bk -words
5875: .Op Fl challenge Ar string
5876: .Op Fl in Ar file
5877: .Op Fl key Ar keyfile
5878: .Op Fl noout
5879: .Op Fl out Ar file
5880: .Op Fl passin Ar arg
5881: .Op Fl pubkey
5882: .Op Fl spkac Ar spkacname
5883: .Op Fl spksect Ar section
5884: .Op Fl verify
5885: .Ek
5886: .nr nS 0
5887: .Pp
5888: The
5889: .Nm spkac
5890: command processes Netscape signed public key and challenge
5891: .Pq SPKAC
5892: files.
5893: It can print out their contents, verify the signature,
5894: and produce its own SPKACs from a supplied private key.
5895: .Pp
5896: The options are as follows:
5897: .Bl -tag -width Ds
5898: .It Fl challenge Ar string
5899: Specifies the challenge string if an SPKAC is being created.
5900: .It Fl in Ar file
5901: This specifies the input
5902: .Ar file
5903: to read from, or standard input if this option is not specified.
5904: Ignored if the
5905: .Fl key
5906: option is used.
5907: .It Fl key Ar keyfile
5908: Create an SPKAC file using the private key in
5909: .Ar keyfile .
5910: The
5911: .Fl in , noout , spksect ,
5912: and
5913: .Fl verify
5914: options are ignored if present.
5915: .It Fl noout
5916: Don't output the text version of the SPKAC
5917: .Pq not used if an SPKAC is being created .
5918: .It Fl out Ar file
5919: Specifies the output
5920: .Ar file
5921: to write to, or standard output by default.
5922: .It Fl passin Ar arg
5923: The key password source.
5924: .It Fl pubkey
5925: Output the public key of an SPKAC
5926: .Pq not used if an SPKAC is being created .
5927: .It Fl spkac Ar spkacname
5928: Allows an alternative name for the variable containing the SPKAC.
5929: The default is "SPKAC".
5930: This option affects both generated and input SPKAC files.
5931: .It Fl spksect Ar section
5932: Allows an alternative name for the
5933: .Ar section
5934: containing the SPKAC.
5935: The default is the default section.
5936: .It Fl verify
5937: Verifies the digital signature on the supplied SPKAC.
5938: .El
5939: .Sh SPKAC EXAMPLES
5940: Print out the contents of an SPKAC:
5941: .Pp
5942: .Dl $ openssl spkac -in spkac.cnf
5943: .Pp
5944: Verify the signature of an SPKAC:
5945: .Pp
5946: .Dl $ openssl spkac -in spkac.cnf -noout -verify
5947: .Pp
5948: Create an SPKAC using the challenge string
5949: .Qq hello :
5950: .Pp
5951: .Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf
5952: .Pp
5953: Example of an SPKAC,
5954: .Pq long lines split up for clarity :
5955: .Bd -unfilled -offset indent
5956: SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
5957: PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
5958: PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
5959: 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
5960: 4=
5961: .Ed
5962: .Sh SPKAC NOTES
5963: A created SPKAC with suitable DN components appended can be fed into
5964: the
5965: .Nm ca
5966: utility.
5967: .Pp
5968: SPKACs are typically generated by Netscape when a form is submitted
5969: containing the
5970: .Em KEYGEN
5971: tag as part of the certificate enrollment process.
5972: .Pp
5973: The challenge string permits a primitive form of proof of possession
5974: of private key.
5975: By checking the SPKAC signature and a random challenge
5976: string, some guarantee is given that the user knows the private key
5977: corresponding to the public key being certified.
5978: This is important in some applications.
5979: Without this it is possible for a previous SPKAC
5980: to be used in a
5981: .Qq replay attack .
5982: .\"
5983: .\" VERIFY
5984: .\"
5985: .Sh VERIFY
5986: .nr nS 1
5987: .Nm "openssl verify"
5988: .Bk -words
5989: .Op Fl CAfile Ar file
5990: .Op Fl CApath Ar directory
5991: .Op Fl check_ss_sig
5992: .Op Fl crl_check
5993: .Op Fl crl_check_all
5994: .Op Fl explicit_policy
5995: .Op Fl extended_crl
5996: .Op Fl help
5997: .Op Fl ignore_critical
5998: .Op Fl inhibit_any
5999: .Op Fl inhibit_map
6000: .Op Fl issuer_checks
6001: .Op Fl policy_check
6002: .Op Fl purpose Ar purpose
6003: .Op Fl untrusted Ar file
6004: .Op Fl verbose
6005: .Op Fl x509_strict
6006: .Op Fl
6007: .Op Ar certificates
6008: .Ek
6009: .nr nS 0
6010: .Pp
6011: The
6012: .Nm verify
6013: command verifies certificate chains.
6014: .Pp
6015: The options are as follows:
6016: .Bl -tag -width Ds
6017: .It Fl check_ss_sig
6018: Verify the signature on the self-signed root CA.
6019: This is disabled by default
6020: because it doesn't add any security.
6021: .It Fl CAfile Ar file
6022: A
6023: .Ar file
6024: of trusted certificates.
6025: The
6026: .Ar file
6027: should contain multiple certificates in PEM format, concatenated together.
6028: .It Fl CApath Ar directory
6029: A
6030: .Ar directory
6031: of trusted certificates.
6032: The certificates should have names of the form
6033: .Em hash.0 ,
6034: or have symbolic links to them of this form
6035: ("hash" is the hashed certificate subject name: see the
6036: .Fl hash
6037: option of the
6038: .Nm x509
6039: utility).
6040: The
6041: .Nm c_rehash
6042: script distributed with OpenSSL
6043: will automatically create symbolic links to a directory of certificates.
6044: .It Fl crl_check
6045: Checks end entity certificate validity by attempting to look up a valid CRL.
6046: If a valid CRL cannot be found an error occurs.
6047: .It Fl crl_check_all
6048: Checks the validity of all certificates in the chain by attempting
6049: to look up valid CRLs.
6050: .It Fl explicit_policy
6051: Set policy variable require-explicit-policy (see RFC 3280 et al).
6052: .It Fl extended_crl
6053: Enable extended CRL features such as indirect CRLs and alternate CRL
6054: signing keys.
6055: .It Fl help
6056: Prints out a usage message.
6057: .It Fl ignore_critical
6058: Normally if an unhandled critical extension is present which is not
6059: supported by
6060: .Nm OpenSSL ,
6061: the certificate is rejected (as required by RFC 3280 et al).
6062: If this option is set, critical extensions are ignored.
6063: .It Fl inhibit_any
6064: Set policy variable inhibit-any-policy (see RFC 3280 et al).
6065: .It Fl inhibit_map
6066: Set policy variable inhibit-policy-mapping (see RFC 3280 et al).
6067: .It Fl issuer_checks
6068: Print out diagnostics relating to searches for the issuer certificate
6069: of the current certificate.
6070: This shows why each candidate issuer certificate was rejected.
6071: However the presence of rejection messages
6072: does not itself imply that anything is wrong: during the normal
6073: verify process several rejections may take place.
6074: .It Fl policy_check
6075: Enables certificate policy processing.
6076: .It Fl purpose Ar purpose
6077: The intended use for the certificate.
6078: Without this option no chain verification will be done.
6079: Currently accepted uses are
6080: .Ar sslclient , sslserver ,
6081: .Ar nssslserver , smimesign ,
6082: .Ar smimeencrypt , crlsign ,
6083: .Ar any ,
6084: and
6085: .Ar ocsphelper .
6086: See the
6087: .Sx VERIFY OPERATION
6088: section for more information.
6089: .It Fl untrusted Ar file
6090: A
6091: .Ar file
6092: of untrusted certificates.
6093: The
6094: .Ar file
6095: should contain multiple certificates.
6096: .It Fl verbose
6097: Print extra information about the operations being performed.
6098: .It Fl x509_strict
6099: Disable workarounds for broken certificates which have to be disabled
6100: for strict X.509 compliance.
6101: .It Fl
6102: Marks the last option.
6103: All arguments following this are assumed to be certificate files.
6104: This is useful if the first certificate filename begins with a
6105: .Sq - .
6106: .It Ar certificates
6107: One or more
6108: .Ar certificates
6109: to verify.
6110: If no certificate files are included, an attempt is made to read
6111: a certificate from standard input.
6112: They should all be in PEM format.
6113: .El
6114: .Sh VERIFY OPERATION
6115: The
6116: .Nm verify
6117: program uses the same functions as the internal SSL and S/MIME verification,
6118: therefore this description applies to these verify operations too.
6119: .Pp
6120: There is one crucial difference between the verify operations performed
6121: by the
6122: .Nm verify
6123: program: wherever possible an attempt is made to continue
6124: after an error, whereas normally the verify operation would halt on the
6125: first error.
6126: This allows all the problems with a certificate chain to be determined.
6127: .Pp
6128: The verify operation consists of a number of separate steps:
6129: .Pp
6130: Firstly a certificate chain is built up starting from the supplied certificate
6131: and ending in the root CA.
6132: It is an error if the whole chain cannot be built up.
6133: The chain is built up by looking up the issuer's certificate of the current
6134: certificate.
6135: If a certificate is found which is its own issuer, it is assumed
6136: to be the root CA.
6137: .Pp
6138: The process of
6139: .Qq looking up the issuer's certificate
6140: itself involves a number of steps.
6141: In versions of
6142: .Nm OpenSSL
6143: before 0.9.5a the first certificate whose subject name matched the issuer
6144: of the current certificate was assumed to be the issuer's certificate.
6145: In
6146: .Nm OpenSSL
6147: 0.9.6 and later all certificates whose subject name matches the issuer name
6148: of the current certificate are subject to further tests.
6149: The relevant authority key identifier components of the current certificate
6150: .Pq if present
6151: must match the subject key identifier
6152: .Pq if present
6153: and issuer and serial number of the candidate issuer; in addition the
6154: .Em keyUsage
6155: extension of the candidate issuer
6156: .Pq if present
6157: must permit certificate signing.
6158: .Pp
6159: The lookup first looks in the list of untrusted certificates and if no match
6160: is found the remaining lookups are from the trusted certificates.
6161: The root CA is always looked up in the trusted certificate list: if the
6162: certificate to verify is a root certificate, then an exact match must be
6163: found in the trusted list.
6164: .Pp
6165: The second operation is to check every untrusted certificate's extensions for
6166: consistency with the supplied purpose.
6167: If the
6168: .Fl purpose
6169: option is not included, then no checks are done.
6170: The supplied or
6171: .Qq leaf
6172: certificate must have extensions compatible with the supplied purpose
6173: and all other certificates must also be valid CA certificates.
6174: The precise extensions required are described in more detail in
6175: the
6176: .Sx X.509 CERTIFICATE EXTENSIONS
6177: section below.
6178: .Pp
6179: The third operation is to check the trust settings on the root CA.
6180: The root CA should be trusted for the supplied purpose.
6181: For compatibility with previous versions of
6182: .Nm SSLeay
6183: and
6184: .Nm OpenSSL ,
6185: a certificate with no trust settings is considered to be valid for
6186: all purposes.
6187: .Pp
6188: The final operation is to check the validity of the certificate chain.
6189: The validity period is checked against the current system time and the
6190: .Em notBefore
6191: and
6192: .Em notAfter
6193: dates in the certificate.
6194: The certificate signatures are also checked at this point.
6195: .Pp
6196: If all operations complete successfully, the certificate is considered
6197: valid.
6198: If any operation fails then the certificate is not valid.
6199: .Sh VERIFY DIAGNOSTICS
6200: When a verify operation fails, the output messages can be somewhat cryptic.
6201: The general form of the error message is:
6202: .Bd -unfilled
6203: \& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024-bit)
6204: \& error 24 at 1 depth lookup:invalid CA certificate
6205: .Ed
6206: .Pp
6207: The first line contains the name of the certificate being verified, followed by
6208: the subject name of the certificate.
6209: The second line contains the error number and the depth.
6210: The depth is the number of the certificate being verified when a
6211: problem was detected starting with zero for the certificate being verified
6212: itself, then 1 for the CA that signed the certificate and so on.
6213: Finally a text version of the error number is presented.
6214: .Pp
6215: An exhaustive list of the error codes and messages is shown below; this also
6216: includes the name of the error code as defined in the header file
1.12 bentley 6217: .In openssl/x509_vfy.h .
1.1 jsing 6218: Some of the error codes are defined but never returned: these are described
6219: as
6220: .Qq unused .
6221: .Bl -tag -width "XXXX"
6222: .It Ar "0 X509_V_OK: ok"
6223: The operation was successful.
6224: .It Ar 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
6225: The issuer certificate could not be found: this occurs if the issuer certificate
6226: of an untrusted certificate cannot be found.
6227: .It Ar 3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
6228: The CRL of a certificate could not be found.
6229: .It Ar 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
6230: The certificate signature could not be decrypted.
6231: This means that the actual signature value could not be determined rather
6232: than it not matching the expected value.
6233: This is only meaningful for RSA keys.
6234: .It Ar 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
6235: The CRL signature could not be decrypted: this means that the actual
6236: signature value could not be determined rather than it not matching the
6237: expected value.
6238: Unused.
6239: .It Ar 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
6240: The public key in the certificate
6241: .Em SubjectPublicKeyInfo
6242: could not be read.
6243: .It Ar 7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
6244: The signature of the certificate is invalid.
6245: .It Ar 8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
6246: The signature of the certificate is invalid.
6247: .It Ar 9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
6248: The certificate is not yet valid: the
6249: .Em notBefore
6250: date is after the current time.
6251: .It Ar 10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
6252: The certificate has expired; that is, the
6253: .Em notAfter
6254: date is before the current time.
6255: .It Ar 11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
6256: The CRL is not yet valid.
6257: .It Ar 12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
6258: The CRL has expired.
6259: .It Ar 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
6260: The certificate
6261: .Em notBefore
6262: field contains an invalid time.
6263: .It Ar 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
6264: The certificate
6265: .Em notAfter
6266: field contains an invalid time.
6267: .It Ar 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
6268: The CRL
6269: .Em lastUpdate
6270: field contains an invalid time.
6271: .It Ar 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
6272: The CRL
6273: .Em nextUpdate
6274: field contains an invalid time.
6275: .It Ar 17 X509_V_ERR_OUT_OF_MEM: out of memory
6276: An error occurred trying to allocate memory.
6277: This should never happen.
6278: .It Ar 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
6279: The passed certificate is self-signed and the same certificate cannot be
6280: found in the list of trusted certificates.
6281: .It Ar 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
6282: The certificate chain could be built up using the untrusted certificates but
6283: the root could not be found locally.
6284: .It Ar 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
6285: The issuer certificate of a locally looked up certificate could not be found.
6286: This normally means the list of trusted certificates is not complete.
6287: .It Ar 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
6288: No signatures could be verified because the chain contains only one
6289: certificate and it is not self-signed.
6290: .It Ar 22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
6291: The certificate chain length is greater than the supplied maximum depth.
6292: Unused.
6293: .It Ar 23 X509_V_ERR_CERT_REVOKED: certificate revoked
6294: The certificate has been revoked.
6295: .It Ar 24 X509_V_ERR_INVALID_CA: invalid CA certificate
6296: A CA certificate is invalid.
6297: Either it is not a CA or its extensions are not consistent
6298: with the supplied purpose.
6299: .It Ar 25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
6300: The
6301: .Em basicConstraints
6302: pathlength parameter has been exceeded.
6303: .It Ar 26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
6304: The supplied certificate cannot be used for the specified purpose.
6305: .It Ar 27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
6306: The root CA is not marked as trusted for the specified purpose.
6307: .It Ar 28 X509_V_ERR_CERT_REJECTED: certificate rejected
6308: The root CA is marked to reject the specified purpose.
6309: .It Ar 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
6310: The current candidate issuer certificate was rejected because its subject name
6311: did not match the issuer name of the current certificate.
6312: Only displayed when the
6313: .Fl issuer_checks
6314: option is set.
6315: .It Ar 30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
6316: The current candidate issuer certificate was rejected because its subject key
6317: identifier was present and did not match the authority key identifier current
6318: certificate.
6319: Only displayed when the
6320: .Fl issuer_checks
6321: option is set.
6322: .It Ar 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
6323: The current candidate issuer certificate was rejected because its issuer name
6324: and serial number were present and did not match the authority key identifier
6325: of the current certificate.
6326: Only displayed when the
6327: .Fl issuer_checks
6328: option is set.
6329: .It Ar 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing
6330: The current candidate issuer certificate was rejected because its
6331: .Em keyUsage
6332: extension does not permit certificate signing.
6333: .It Ar 50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
6334: An application specific error.
6335: Unused.
6336: .El
6337: .Sh VERIFY BUGS
6338: Although the issuer checks are a considerable improvement over the old
6339: technique, they still suffer from limitations in the underlying
6340: X509_LOOKUP API.
6341: One consequence of this is that trusted certificates with matching subject
6342: name must either appear in a file (as specified by the
6343: .Fl CAfile
6344: option) or a directory (as specified by
6345: .Fl CApath ) .
6346: If they occur in both, only the certificates in the file will
6347: be recognised.
6348: .Pp
6349: Previous versions of
6350: .Nm OpenSSL
6351: assumed certificates with matching subject name were identical and
6352: mishandled them.
6353: .\"
6354: .\" VERSION
6355: .\"
6356: .Sh VERSION
6357: .Nm openssl version
6358: .Op Fl abdfopv
6359: .Pp
6360: The
6361: .Nm version
6362: command is used to print out version information about
6363: .Nm OpenSSL .
6364: .Pp
6365: The options are as follows:
6366: .Bl -tag -width Ds
6367: .It Fl a
6368: All information: this is the same as setting all the other flags.
6369: .It Fl b
6370: The date the current version of
6371: .Nm OpenSSL
6372: was built.
6373: .It Fl d
6374: .Ev OPENSSLDIR
6375: setting.
6376: .It Fl f
6377: Compilation flags.
6378: .It Fl o
6379: Option information: various options set when the library was built.
6380: .It Fl p
6381: Platform setting.
6382: .It Fl v
6383: The current
6384: .Nm OpenSSL
6385: version.
6386: .El
6387: .Sh VERSION NOTES
6388: The output of
6389: .Nm openssl version -a
6390: would typically be used when sending in a bug report.
6391: .Sh VERSION HISTORY
6392: The
6393: .Fl d
6394: option was added in
6395: .Nm OpenSSL
6396: 0.9.7.
6397: .\"
6398: .\" X509
6399: .\"
6400: .Sh X509
6401: .nr nS 1
6402: .Nm "openssl x509"
6403: .Bk -words
6404: .Op Fl C
6405: .Op Fl addreject Ar arg
6406: .Op Fl addtrust Ar arg
6407: .Op Fl alias
6408: .Op Fl CA Ar file
6409: .Op Fl CAcreateserial
6410: .Op Fl CAform Ar DER | PEM
6411: .Op Fl CAkey Ar file
6412: .Op Fl CAkeyform Ar DER | PEM
6413: .Op Fl CAserial Ar file
6414: .Op Fl certopt Ar option
6415: .Op Fl checkend Ar arg
6416: .Op Fl clrext
6417: .Op Fl clrreject
6418: .Op Fl clrtrust
6419: .Op Fl dates
6420: .Op Fl days Ar arg
6421: .Op Fl email
6422: .Op Fl enddate
6423: .Op Fl extensions Ar section
6424: .Op Fl extfile Ar file
6425: .Op Fl fingerprint
6426: .Op Fl hash
6427: .Op Fl in Ar file
6428: .Op Fl inform Ar DER | NET | PEM
6429: .Op Fl issuer
6430: .Op Fl issuer_hash
6431: .Op Fl issuer_hash_old
6432: .Op Fl keyform Ar DER | PEM
1.29 bcook 6433: .Op Fl md5 | sha1
1.1 jsing 6434: .Op Fl modulus
6435: .Op Fl nameopt Ar option
6436: .Op Fl noout
6437: .Op Fl ocsp_uri
6438: .Op Fl ocspid
6439: .Op Fl out Ar file
6440: .Op Fl outform Ar DER | NET | PEM
6441: .Op Fl passin Ar arg
6442: .Op Fl pubkey
6443: .Op Fl purpose
6444: .Op Fl req
6445: .Op Fl serial
6446: .Op Fl set_serial Ar n
6447: .Op Fl setalias Ar arg
6448: .Op Fl signkey Ar file
6449: .Op Fl startdate
6450: .Op Fl subject
6451: .Op Fl subject_hash
6452: .Op Fl subject_hash_old
6453: .Op Fl text
6454: .Op Fl trustout
6455: .Op Fl x509toreq
6456: .Ek
6457: .nr nS 0
6458: .Pp
6459: The
6460: .Nm x509
6461: command is a multi-purpose certificate utility.
6462: It can be used to display certificate information, convert certificates to
6463: various forms, sign certificate requests like a
6464: .Qq mini CA ,
6465: or edit certificate trust settings.
6466: .Pp
6467: Since there are a large number of options, they are split up into
6468: various sections.
6469: .Sh X509 INPUT, OUTPUT, AND GENERAL PURPOSE OPTIONS
6470: .Bl -tag -width "XXXX"
6471: .It Fl in Ar file
6472: This specifies the input
6473: .Ar file
6474: to read a certificate from, or standard input if this option is not specified.
6475: .It Fl inform Ar DER | NET | PEM
6476: This specifies the input format.
6477: Normally, the command will expect an X.509 certificate,
6478: but this can change if other options such as
6479: .Fl req
6480: are present.
6481: The
6482: .Ar DER
6483: format is the DER encoding of the certificate and
6484: .Ar PEM
6485: is the base64 encoding of the DER encoding with header and footer lines added.
6486: The
6487: .Ar NET
6488: option is an obscure Netscape server format that is now
6489: obsolete.
1.29 bcook 6490: .It Fl md5 | sha1
1.1 jsing 6491: The digest to use.
6492: This affects any signing or display option that uses a message digest,
6493: such as the
6494: .Fl fingerprint , signkey ,
6495: and
6496: .Fl CA
6497: options.
6498: If not specified, MD5 is used.
6499: If the key being used to sign with is a DSA key,
6500: this option has no effect: SHA1 is always used with DSA keys.
6501: .It Fl out Ar file
6502: This specifies the output
6503: .Ar file
6504: to write to, or standard output by default.
6505: .It Fl outform Ar DER | NET | PEM
6506: This specifies the output format; the options have the same meaning as the
6507: .Fl inform
6508: option.
6509: .It Fl passin Ar arg
6510: The key password source.
6511: .El
6512: .Sh X509 DISPLAY OPTIONS
6513: .Sy Note :
6514: The
6515: .Fl alias
6516: and
6517: .Fl purpose
6518: options are also display options but are described in the
6519: .Sx X509 TRUST SETTINGS
6520: section.
6521: .Bl -tag -width "XXXX"
6522: .It Fl C
6523: This outputs the certificate in the form of a C source file.
6524: .It Fl certopt Ar option
6525: Customise the output format used with
6526: .Fl text .
6527: The
6528: .Ar option
6529: argument can be a single option or multiple options separated by commas.
6530: The
6531: .Fl certopt
6532: switch may also be used more than once to set multiple options.
6533: See the
6534: .Sx X509 TEXT OPTIONS
6535: section for more information.
6536: .It Fl dates
6537: Prints out the start and expiry dates of a certificate.
6538: .It Fl email
6539: Outputs the email address(es), if any.
6540: .It Fl enddate
6541: Prints out the expiry date of the certificate; that is, the
6542: .Em notAfter
6543: date.
6544: .It Fl fingerprint
6545: Prints out the digest of the DER-encoded version of the whole certificate
6546: (see
6547: .Sx DIGEST OPTIONS ) .
6548: .It Fl hash
6549: A synonym for
6550: .Fl subject_hash ,
6551: for backwards compatibility.
6552: .It Fl issuer
6553: Outputs the issuer name.
6554: .It Fl issuer_hash
6555: Outputs the
6556: .Qq hash
6557: of the certificate issuer name.
6558: .It Fl issuer_hash_old
6559: Outputs the
6560: .Qq hash
6561: of the certificate issuer name using the older algorithm
6562: as used by
6563: .Nm OpenSSL
6564: versions before 1.0.0.
6565: .It Fl modulus
6566: This option prints out the value of the modulus of the public key
6567: contained in the certificate.
6568: .It Fl nameopt Ar option
6569: Option which determines how the subject or issuer names are displayed.
6570: The
6571: .Ar option
6572: argument can be a single option or multiple options separated by commas.
6573: Alternatively, the
6574: .Fl nameopt
6575: switch may be used more than once to set multiple options.
6576: See the
6577: .Sx X509 NAME OPTIONS
6578: section for more information.
6579: .It Fl noout
6580: This option prevents output of the encoded version of the request.
6581: .It Fl ocsp_uri
6582: Outputs the OCSP responder addresses, if any.
6583: .It Fl ocspid
6584: Print OCSP hash values for the subject name and public key.
6585: .It Fl pubkey
6586: Output the public key.
6587: .It Fl serial
6588: Outputs the certificate serial number.
6589: .It Fl startdate
6590: Prints out the start date of the certificate; that is, the
6591: .Em notBefore
6592: date.
6593: .It Fl subject
6594: Outputs the subject name.
6595: .It Fl subject_hash
6596: Outputs the
6597: .Qq hash
6598: of the certificate subject name.
6599: This is used in
6600: .Nm OpenSSL
6601: to form an index to allow certificates in a directory to be looked up
6602: by subject name.
6603: .It Fl subject_hash_old
6604: Outputs the
6605: .Qq hash
6606: of the certificate subject name using the older algorithm
6607: as used by
6608: .Nm OpenSSL
6609: versions before 1.0.0.
6610: .It Fl text
6611: Prints out the certificate in text form.
6612: Full details are output including the public key, signature algorithms,
6613: issuer and subject names, serial number, any extensions present,
6614: and any trust settings.
6615: .El
6616: .Sh X509 TRUST SETTINGS
6617: Please note these options are currently experimental and may well change.
6618: .Pp
6619: A
6620: .Em trusted certificate
6621: is an ordinary certificate which has several
6622: additional pieces of information attached to it such as the permitted
6623: and prohibited uses of the certificate and an
6624: .Qq alias .
6625: .Pp
6626: Normally, when a certificate is being verified at least one certificate
6627: must be
6628: .Qq trusted .
6629: By default, a trusted certificate must be stored
6630: locally and must be a root CA: any certificate chain ending in this CA
6631: is then usable for any purpose.
6632: .Pp
6633: Trust settings currently are only used with a root CA.
6634: They allow a finer control over the purposes the root CA can be used for.
6635: For example, a CA may be trusted for an SSL client but not for
6636: SSL server use.
6637: .Pp
6638: See the description of the
6639: .Nm verify
6640: utility for more information on the meaning of trust settings.
6641: .Pp
6642: Future versions of
6643: .Nm OpenSSL
6644: will recognize trust settings on any certificate: not just root CAs.
6645: .Bl -tag -width "XXXX"
6646: .It Fl addreject Ar arg
6647: Adds a prohibited use.
6648: It accepts the same values as the
6649: .Fl addtrust
6650: option.
6651: .It Fl addtrust Ar arg
6652: Adds a trusted certificate use.
6653: Any object name can be used here, but currently only
6654: .Ar clientAuth
6655: .Pq SSL client use ,
6656: .Ar serverAuth
6657: .Pq SSL server use ,
6658: and
6659: .Ar emailProtection
6660: .Pq S/MIME email
6661: are used.
6662: Other
6663: .Nm OpenSSL
6664: applications may define additional uses.
6665: .It Fl alias
6666: Outputs the certificate alias, if any.
6667: .It Fl clrreject
6668: Clears all the prohibited or rejected uses of the certificate.
6669: .It Fl clrtrust
6670: Clears all the permitted or trusted uses of the certificate.
6671: .It Fl purpose
6672: This option performs tests on the certificate extensions and outputs
6673: the results.
6674: For a more complete description, see the
6675: .Sx X.509 CERTIFICATE EXTENSIONS
6676: section.
6677: .It Fl setalias Ar arg
6678: Sets the alias of the certificate.
6679: This will allow the certificate to be referred to using a nickname,
6680: for example
6681: .Qq Steve's Certificate .
6682: .It Fl trustout
6683: This causes
6684: .Nm x509
6685: to output a
6686: .Em trusted certificate .
6687: An ordinary or trusted certificate can be input, but by default an ordinary
6688: certificate is output and any trust settings are discarded.
6689: With the
6690: .Fl trustout
6691: option a trusted certificate is output.
6692: A trusted certificate is automatically output if any trust settings
6693: are modified.
6694: .El
6695: .Sh X509 SIGNING OPTIONS
6696: The
6697: .Nm x509
6698: utility can be used to sign certificates and requests: it
6699: can thus behave like a
6700: .Qq mini CA .
6701: .Bl -tag -width "XXXX"
6702: .It Fl CA Ar file
6703: Specifies the CA certificate to be used for signing.
6704: When this option is present,
6705: .Nm x509
6706: behaves like a
6707: .Qq mini CA .
6708: The input file is signed by the CA using this option;
6709: that is, its issuer name is set to the subject name of the CA and it is
6710: digitally signed using the CA's private key.
6711: .Pp
6712: This option is normally combined with the
6713: .Fl req
6714: option.
6715: Without the
6716: .Fl req
6717: option, the input is a certificate which must be self-signed.
6718: .It Fl CAcreateserial
6719: With this option the CA serial number file is created if it does not exist:
6720: it will contain the serial number
6721: .Sq 02
6722: and the certificate being signed will have
6723: .Sq 1
6724: as its serial number.
6725: Normally, if the
6726: .Fl CA
6727: option is specified and the serial number file does not exist, it is an error.
6728: .It Fl CAform Ar DER | PEM
6729: The format of the CA certificate file.
6730: The default is
6731: .Ar PEM .
6732: .It Fl CAkey Ar file
6733: Sets the CA private key to sign a certificate with.
6734: If this option is not specified, it is assumed that the CA private key
6735: is present in the CA certificate file.
6736: .It Fl CAkeyform Ar DER | PEM
6737: The format of the CA private key.
6738: The default is
6739: .Ar PEM .
6740: .It Fl CAserial Ar file
6741: Sets the CA serial number file to use.
6742: .Pp
6743: When the
6744: .Fl CA
6745: option is used to sign a certificate,
6746: it uses a serial number specified in a file.
6747: This file consists of one line containing an even number of hex digits
6748: with the serial number to use.
6749: After each use the serial number is incremented and written out
6750: to the file again.
6751: .Pp
6752: The default filename consists of the CA certificate file base name with
6753: .Pa .srl
6754: appended.
6755: For example, if the CA certificate file is called
6756: .Pa mycacert.pem ,
6757: it expects to find a serial number file called
6758: .Pa mycacert.srl .
6759: .It Fl checkend Ar arg
6760: Check whether the certificate expires in the next
6761: .Ar arg
6762: seconds.
6763: If so, exit with return value 1;
6764: otherwise exit with return value 0.
6765: .It Fl clrext
6766: Delete any extensions from a certificate.
6767: This option is used when a certificate is being created from another
6768: certificate (for example with the
6769: .Fl signkey
6770: or the
6771: .Fl CA
6772: options).
6773: Normally, all extensions are retained.
6774: .It Fl days Ar arg
6775: Specifies the number of days to make a certificate valid for.
6776: The default is 30 days.
6777: .It Fl extensions Ar section
6778: The section to add certificate extensions from.
6779: If this option is not specified, the extensions should either be
6780: contained in the unnamed
6781: .Pq default
6782: section or the default section should contain a variable called
6783: .Qq extensions
6784: which contains the section to use.
6785: .It Fl extfile Ar file
6786: File containing certificate extensions to use.
6787: If not specified, no extensions are added to the certificate.
6788: .It Fl keyform Ar DER | PEM
6789: Specifies the format
6790: .Pq DER or PEM
6791: of the private key file used in the
6792: .Fl signkey
6793: option.
6794: .It Fl req
6795: By default, a certificate is expected on input.
6796: With this option a certificate request is expected instead.
6797: .It Fl set_serial Ar n
6798: Specifies the serial number to use.
6799: This option can be used with either the
6800: .Fl signkey
6801: or
6802: .Fl CA
6803: options.
6804: If used in conjunction with the
6805: .Fl CA
6806: option, the serial number file (as specified by the
6807: .Fl CAserial
6808: or
6809: .Fl CAcreateserial
6810: options) is not used.
6811: .Pp
6812: The serial number can be decimal or hex (if preceded by
6813: .Sq 0x ) .
6814: Negative serial numbers can also be specified but their use is not recommended.
6815: .It Fl signkey Ar file
6816: This option causes the input file to be self-signed using the supplied
6817: private key.
6818: .Pp
6819: If the input file is a certificate, it sets the issuer name to the
6820: subject name
6821: .Pq i.e. makes it self-signed ,
6822: changes the public key to the supplied value,
6823: and changes the start and end dates.
6824: The start date is set to the current time and the end date is set to
6825: a value determined by the
6826: .Fl days
6827: option.
6828: Any certificate extensions are retained unless the
6829: .Fl clrext
6830: option is supplied.
6831: .Pp
6832: If the input is a certificate request, a self-signed certificate
6833: is created using the supplied private key using the subject name in
6834: the request.
6835: .It Fl x509toreq
6836: Converts a certificate into a certificate request.
6837: The
6838: .Fl signkey
6839: option is used to pass the required private key.
6840: .El
6841: .Sh X509 NAME OPTIONS
6842: The
6843: .Fl nameopt
6844: command line switch determines how the subject and issuer
6845: names are displayed.
6846: If no
6847: .Fl nameopt
6848: switch is present, the default
6849: .Qq oneline
6850: format is used which is compatible with previous versions of
6851: .Nm OpenSSL .
6852: Each option is described in detail below; all options can be preceded by a
6853: .Sq -
6854: to turn the option off.
6855: Only
6856: .Ar compat ,
6857: .Ar RFC2253 ,
6858: .Ar oneline ,
6859: and
6860: .Ar multiline
6861: will normally be used.
6862: .Bl -tag -width "XXXX"
6863: .It Ar align
6864: Align field values for a more readable output.
6865: Only usable with
6866: .Ar sep_multiline .
6867: .It Ar compat
6868: Use the old format.
6869: This is equivalent to specifying no name options at all.
6870: .It Ar dn_rev
6871: Reverse the fields of the DN.
6872: This is required by RFC 2253.
6873: As a side effect, this also reverses the order of multiple AVAs but this is
6874: permissible.
6875: .It Ar dump_all
6876: Dump all fields.
6877: This option, when used with
6878: .Ar dump_der ,
6879: allows the DER encoding of the structure to be unambiguously determined.
6880: .It Ar dump_der
6881: When this option is set, any fields that need to be hexdumped will
6882: be dumped using the DER encoding of the field.
6883: Otherwise just the content octets will be displayed.
6884: Both options use the RFC 2253 #XXXX... format.
6885: .It Ar dump_nostr
6886: Dump non-character string types
6887: .Pq for example OCTET STRING ;
6888: if this option is not set, non-character string types will be displayed
6889: as though each content octet represents a single character.
6890: .It Ar dump_unknown
6891: Dump any field whose OID is not recognised by
6892: .Nm OpenSSL .
6893: .It Ar esc_2253
6894: Escape the
6895: .Qq special
6896: characters required by RFC 2253 in a field that is
6897: .Dq \& ,+"\*(Lt\*(Gt; .
6898: Additionally,
6899: .Sq #
6900: is escaped at the beginning of a string
6901: and a space character at the beginning or end of a string.
6902: .It Ar esc_ctrl
6903: Escape control characters.
6904: That is, those with ASCII values less than 0x20
6905: .Pq space
6906: and the delete
6907: .Pq 0x7f
6908: character.
6909: They are escaped using the RFC 2253 \eXX notation (where XX are two hex
6910: digits representing the character value).
6911: .It Ar esc_msb
6912: Escape characters with the MSB set; that is, with ASCII values larger than
6913: 127.
6914: .It Ar multiline
6915: A multiline format.
6916: It is equivalent to
6917: .Ar esc_ctrl , esc_msb , sep_multiline ,
6918: .Ar space_eq , lname ,
6919: and
6920: .Ar align .
6921: .It Ar no_type
6922: This option does not attempt to interpret multibyte characters in any
6923: way.
6924: That is, their content octets are merely dumped as though one octet
6925: represents each character.
6926: This is useful for diagnostic purposes but will result in rather odd
6927: looking output.
6928: .It Ar nofname , sname , lname , oid
6929: These options alter how the field name is displayed.
6930: .Ar nofname
6931: does not display the field at all.
6932: .Ar sname
6933: uses the
6934: .Qq short name
6935: form (CN for
6936: .Ar commonName ,
6937: for example).
6938: .Ar lname
6939: uses the long form.
6940: .Ar oid
6941: represents the OID in numerical form and is useful for diagnostic purpose.
6942: .It Ar oneline
6943: A oneline format which is more readable than
6944: .Ar RFC2253 .
6945: It is equivalent to specifying the
6946: .Ar esc_2253 , esc_ctrl , esc_msb , utf8 ,
6947: .Ar dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
6948: .Ar space_eq ,
6949: and
6950: .Ar sname
6951: options.
6952: .It Ar RFC2253
6953: Displays names compatible with RFC 2253; equivalent to
6954: .Ar esc_2253 , esc_ctrl ,
6955: .Ar esc_msb , utf8 , dump_nostr , dump_unknown ,
6956: .Ar dump_der , sep_comma_plus , dn_rev ,
6957: and
6958: .Ar sname .
6959: .It Ar sep_comma_plus , sep_comma_plus_space , sep_semi_plus_space , sep_multiline
6960: These options determine the field separators.
6961: The first character is between RDNs and the second between multiple AVAs
6962: (multiple AVAs are very rare and their use is discouraged).
6963: The options ending in
6964: .Qq space
6965: additionally place a space after the separator to make it more readable.
6966: The
6967: .Ar sep_multiline
6968: uses a linefeed character for the RDN separator and a spaced
6969: .Sq +
6970: for the AVA separator.
6971: It also indents the fields by four characters.
6972: .It Ar show_type
6973: Show the type of the ASN1 character string.
6974: The type precedes the field contents.
6975: For example
6976: .Qq BMPSTRING: Hello World .
6977: .It Ar space_eq
6978: Places spaces round the
6979: .Sq =
6980: character which follows the field name.
6981: .It Ar use_quote
6982: Escapes some characters by surrounding the whole string with
6983: .Sq \&"
6984: characters.
6985: Without the option, all escaping is done with the
6986: .Sq \e
6987: character.
6988: .It Ar utf8
6989: Convert all strings to UTF8 format first.
6990: This is required by RFC 2253.
6991: If you are lucky enough to have a UTF8 compatible terminal,
6992: the use of this option (and
6993: .Em not
6994: setting
6995: .Ar esc_msb )
6996: may result in the correct display of multibyte
6997: .Pq international
6998: characters.
6999: If this option is not present, multibyte characters larger than 0xff
7000: will be represented using the format \eUXXXX for 16 bits and \eWXXXXXXXX
7001: for 32 bits.
7002: Also, if this option is off, any UTF8Strings will be converted to their
7003: character form first.
7004: .El
7005: .Sh X509 TEXT OPTIONS
7006: As well as customising the name output format, it is also possible to
7007: customise the actual fields printed using the
7008: .Fl certopt
7009: options when the
7010: .Fl text
7011: option is present.
7012: The default behaviour is to print all fields.
7013: .Bl -tag -width "XXXX"
7014: .It Ar ca_default
7015: The value used by the
7016: .Nm ca
7017: utility; equivalent to
7018: .Ar no_issuer , no_pubkey , no_header ,
7019: .Ar no_version , no_sigdump ,
7020: and
7021: .Ar no_signame .
7022: .It Ar compatible
7023: Use the old format.
7024: This is equivalent to specifying no output options at all.
7025: .It Ar ext_default
7026: Retain default extension behaviour: attempt to print out unsupported
7027: certificate extensions.
7028: .It Ar ext_dump
7029: Hex dump unsupported extensions.
7030: .It Ar ext_error
7031: Print an error message for unsupported certificate extensions.
7032: .It Ar ext_parse
7033: ASN1 parse unsupported extensions.
7034: .It Ar no_aux
7035: Don't print out certificate trust information.
7036: .It Ar no_extensions
7037: Don't print out any X509V3 extensions.
7038: .It Ar no_header
7039: Don't print header information: that is, the lines saying
7040: .Qq Certificate
7041: and
7042: .Qq Data .
7043: .It Ar no_issuer
7044: Don't print out the issuer name.
7045: .It Ar no_pubkey
7046: Don't print out the public key.
7047: .It Ar no_serial
7048: Don't print out the serial number.
7049: .It Ar no_sigdump
7050: Don't give a hexadecimal dump of the certificate signature.
7051: .It Ar no_signame
7052: Don't print out the signature algorithm used.
7053: .It Ar no_subject
7054: Don't print out the subject name.
7055: .It Ar no_validity
7056: Don't print the validity; that is, the
7057: .Em notBefore
7058: and
7059: .Em notAfter
7060: fields.
7061: .It Ar no_version
7062: Don't print out the version number.
7063: .El
7064: .Sh X509 EXAMPLES
7065: Display the contents of a certificate:
7066: .Pp
7067: .Dl $ openssl x509 -in cert.pem -noout -text
7068: .Pp
7069: Display the certificate serial number:
7070: .Pp
7071: .Dl $ openssl x509 -in cert.pem -noout -serial
7072: .Pp
7073: Display the certificate subject name:
7074: .Pp
7075: .Dl $ openssl x509 -in cert.pem -noout -subject
7076: .Pp
7077: Display the certificate subject name in RFC 2253 form:
7078: .Pp
7079: .Dl $ openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
7080: .Pp
7081: Display the certificate subject name in oneline form on a terminal
7082: supporting UTF8:
7083: .Bd -literal -offset indent
7084: $ openssl x509 -in cert.pem -noout -subject \e
7085: -nameopt oneline,-esc_msb
7086: .Ed
7087: .Pp
7088: Display the certificate MD5 fingerprint:
7089: .Pp
7090: .Dl $ openssl x509 -in cert.pem -noout -fingerprint
7091: .Pp
7092: Display the certificate SHA1 fingerprint:
7093: .Pp
7094: .Dl $ openssl x509 -sha1 -in cert.pem -noout -fingerprint
7095: .Pp
7096: Convert a certificate from PEM to DER format:
7097: .Pp
7098: .Dl "$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER"
7099: .Pp
7100: Convert a certificate to a certificate request:
7101: .Bd -literal -offset indent
7102: $ openssl x509 -x509toreq -in cert.pem -out req.pem \e
7103: -signkey key.pem
7104: .Ed
7105: .Pp
7106: Convert a certificate request into a self-signed certificate using
7107: extensions for a CA:
7108: .Bd -literal -offset indent
7109: $ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions \e
7110: v3_ca -signkey key.pem -out cacert.pem
7111: .Ed
7112: .Pp
7113: Sign a certificate request using the CA certificate above and add user
7114: certificate extensions:
7115: .Bd -literal -offset indent
7116: $ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions \e
7117: v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
7118: .Ed
7119: .Pp
7120: Set a certificate to be trusted for SSL
7121: client use and set its alias to
7122: .Qq Steve's Class 1 CA :
7123: .Bd -literal -offset indent
7124: $ openssl x509 -in cert.pem -addtrust clientAuth \e
7125: -setalias "Steve's Class 1 CA" -out trust.pem
7126: .Ed
7127: .Sh X509 NOTES
7128: The PEM format uses the header and footer lines:
7129: .Bd -unfilled -offset indent
7130: -----BEGIN CERTIFICATE-----
7131: -----END CERTIFICATE-----
7132: .Ed
7133: .Pp
7134: It will also handle files containing:
7135: .Bd -unfilled -offset indent
7136: -----BEGIN X509 CERTIFICATE-----
7137: -----END X509 CERTIFICATE-----
7138: .Ed
7139: .Pp
7140: Trusted certificates have the lines:
7141: .Bd -unfilled -offset indent
7142: -----BEGIN TRUSTED CERTIFICATE-----
7143: -----END TRUSTED CERTIFICATE-----
7144: .Ed
7145: .Pp
7146: The conversion to UTF8 format used with the name options assumes that
7147: T61Strings use the ISO 8859-1 character set.
7148: This is wrong, but Netscape and MSIE do this, as do many certificates.
7149: So although this is incorrect
7150: it is more likely to display the majority of certificates correctly.
7151: .Pp
7152: The
7153: .Fl fingerprint
7154: option takes the digest of the DER-encoded certificate.
7155: This is commonly called a
7156: .Qq fingerprint .
7157: Because of the nature of message digests, the fingerprint of a certificate
7158: is unique to that certificate and two certificates with the same fingerprint
7159: can be considered to be the same.
7160: .Pp
7161: The Netscape fingerprint uses MD5, whereas MSIE uses SHA1.
7162: .Pp
7163: The
7164: .Fl email
7165: option searches the subject name and the subject alternative
7166: name extension.
7167: Only unique email addresses will be printed out: it will
7168: not print the same address more than once.
7169: .Sh X.509 CERTIFICATE EXTENSIONS
7170: The
7171: .Fl purpose
7172: option checks the certificate extensions and determines
7173: what the certificate can be used for.
7174: The actual checks done are rather
7175: complex and include various hacks and workarounds to handle broken
7176: certificates and software.
7177: .Pp
7178: The same code is used when verifying untrusted certificates in chains,
7179: so this section is useful if a chain is rejected by the verify code.
7180: .Pp
7181: The
7182: .Em basicConstraints
7183: extension CA flag is used to determine whether the
7184: certificate can be used as a CA.
7185: If the CA flag is true, it is a CA;
7186: if the CA flag is false, it is not a CA.
7187: .Em All
7188: CAs should have the CA flag set to true.
7189: .Pp
7190: If the
7191: .Em basicConstraints
7192: extension is absent, then the certificate is
7193: considered to be a
7194: .Qq possible CA ;
7195: other extensions are checked according to the intended use of the certificate.
7196: A warning is given in this case because the certificate should really not
7197: be regarded as a CA: however,
7198: it is allowed to be a CA to work around some broken software.
7199: .Pp
7200: If the certificate is a V1 certificate
7201: .Pq and thus has no extensions
7202: and it is self-signed, it is also assumed to be a CA but a warning is again
7203: given: this is to work around the problem of Verisign roots which are V1
7204: self-signed certificates.
7205: .Pp
7206: If the
7207: .Em keyUsage
7208: extension is present, then additional restraints are
7209: made on the uses of the certificate.
7210: A CA certificate
7211: .Em must
7212: have the
7213: .Em keyCertSign
7214: bit set if the
7215: .Em keyUsage
7216: extension is present.
7217: .Pp
7218: The extended key usage extension places additional restrictions on the
7219: certificate uses.
7220: If this extension is present
7221: .Pq whether critical or not ,
7222: the key can only be used for the purposes specified.
7223: .Pp
7224: A complete description of each test is given below.
7225: The comments about
7226: .Em basicConstraints
7227: and
7228: .Em keyUsage
7229: and V1 certificates above apply to
7230: .Em all
7231: CA certificates.
7232: .Bl -tag -width "XXXX"
7233: .It Ar SSL Client
7234: The extended key usage extension must be absent or include the
7235: .Qq web client authentication
7236: OID.
7237: .Ar keyUsage
7238: must be absent or it must have the
7239: .Em digitalSignature
7240: bit set.
7241: Netscape certificate type must be absent or it must have the SSL
7242: client bit set.
7243: .It Ar SSL Client CA
7244: The extended key usage extension must be absent or include the
7245: .Qq web client authentication
7246: OID.
7247: Netscape certificate type must be absent or it must have the SSL CA
7248: bit set: this is used as a work around if the
7249: .Em basicConstraints
7250: extension is absent.
7251: .It Ar SSL Server
7252: The extended key usage extension must be absent or include the
7253: .Qq web server authentication
7254: and/or one of the SGC OIDs.
7255: .Em keyUsage
7256: must be absent or it must have the
7257: .Em digitalSignature
7258: set, the
7259: .Em keyEncipherment
7260: set, or both bits set.
7261: Netscape certificate type must be absent or have the SSL server bit set.
7262: .It Ar SSL Server CA
7263: The extended key usage extension must be absent or include the
7264: .Qq web server authentication
7265: and/or one of the SGC OIDs.
7266: Netscape certificate type must be absent or the SSL CA
7267: bit must be set: this is used as a work around if the
7268: .Em basicConstraints
7269: extension is absent.
7270: .It Ar Netscape SSL Server
7271: For Netscape SSL clients to connect to an SSL server; it must have the
7272: .Em keyEncipherment
7273: bit set if the
7274: .Em keyUsage
7275: extension is present.
7276: This isn't always valid because some cipher suites use the key for
7277: digital signing.
7278: Otherwise it is the same as a normal SSL server.
7279: .It Ar Common S/MIME Client Tests
7280: The extended key usage extension must be absent or include the
7281: .Qq email protection
7282: OID.
7283: Netscape certificate type must be absent or should have the
7284: .Em S/MIME
7285: bit set.
7286: If the
7287: .Em S/MIME
7288: bit is not set in Netscape certificate type, then the SSL
7289: client bit is tolerated as an alternative but a warning is shown:
7290: this is because some Verisign certificates don't set the
7291: .Em S/MIME
7292: bit.
7293: .It Ar S/MIME Signing
7294: In addition to the common
7295: .Em S/MIME
7296: client tests, the
7297: .Em digitalSignature
7298: bit must be set if the
7299: .Em keyUsage
7300: extension is present.
7301: .It Ar S/MIME Encryption
7302: In addition to the common
7303: .Em S/MIME
7304: tests, the
7305: .Em keyEncipherment
7306: bit must be set if the
7307: .Em keyUsage
7308: extension is present.
7309: .It Ar S/MIME CA
7310: The extended key usage extension must be absent or include the
7311: .Qq email protection
7312: OID.
7313: Netscape certificate type must be absent or must have the
7314: .Em S/MIME CA
7315: bit set: this is used as a work around if the
7316: .Em basicConstraints
7317: extension is absent.
7318: .It Ar CRL Signing
7319: The
7320: .Em keyUsage
7321: extension must be absent or it must have the
7322: .Em CRL
7323: signing bit set.
7324: .It Ar CRL Signing CA
7325: The normal CA tests apply.
7326: Except in this case the
7327: .Em basicConstraints
7328: extension must be present.
7329: .El
7330: .Sh X509 BUGS
7331: Extensions in certificates are not transferred to certificate requests and
7332: vice versa.
7333: .Pp
7334: It is possible to produce invalid certificates or requests by specifying the
7335: wrong private key or using inconsistent options in some cases: these should
7336: be checked.
7337: .Pp
7338: There should be options to explicitly set such things as start and end dates,
7339: rather than an offset from the current time.
7340: .Pp
7341: The code to implement the verify behaviour described in the
7342: .Sx X509 TRUST SETTINGS
7343: is currently being developed.
7344: It thus describes the intended behaviour rather than the current behaviour.
7345: It is hoped that it will represent reality in
7346: .Nm OpenSSL
7347: 0.9.5 and later.
7348: .Sh X509 HISTORY
7349: Before
7350: .Nm OpenSSL
7351: 0.9.8,
7352: the default digest for RSA keys was MD5.
7353: .Pp
7354: The hash algorithm used in the
7355: .Fl subject_hash
7356: and
7357: .Fl issuer_hash
7358: options before
7359: .Nm OpenSSL
7360: 1.0.0 was based on the deprecated MD5 algorithm and the encoding
7361: of the distinguished name.
7362: In
7363: .Nm OpenSSL
7364: 1.0.0 and later it is based on a canonical version of the DN using SHA1.
7365: This means that any directories using the old form
7366: must have their links rebuilt using
7367: .Ar c_rehash
7368: or similar.
1.38 jmc 7369: .Sh COMMON NOTATION
7370: Several commands share a common syntax,
7371: as detailed below.
7372: .Pp
7373: Password arguments, typically specified using
1.33 jmc 7374: .Fl passin
7375: and
7376: .Fl passout
1.38 jmc 7377: for input and output passwords,
7378: allow passwords to be obtained from a variety of sources.
7379: Both of these options take a single argument, described below.
1.33 jmc 7380: If no password argument is given and a password is required,
7381: then the user is prompted to enter one:
7382: this will typically be read from the current terminal with echoing turned off.
1.38 jmc 7383: .Bl -tag -width "pass:password" -offset indent
7384: .It Cm pass : Ns Ar password
1.33 jmc 7385: The actual password is
7386: .Ar password .
1.38 jmc 7387: Since the password is visible to utilities,
1.33 jmc 7388: this form should only be used where security is not important.
1.38 jmc 7389: .It Cm env : Ns Ar var
1.33 jmc 7390: Obtain the password from the environment variable
7391: .Ar var .
1.38 jmc 7392: Since the environment of other processes is visible,
7393: this option should be used with caution.
7394: .It Cm file : Ns Ar path
1.33 jmc 7395: The first line of
7396: .Ar path
7397: is the password.
7398: If the same
7399: .Ar path
7400: argument is supplied to
7401: .Fl passin
7402: and
7403: .Fl passout ,
7404: then the first line will be used for the input password and the next line
7405: for the output password.
7406: .Ar path
7407: need not refer to a regular file:
7408: it could, for example, refer to a device or named pipe.
1.38 jmc 7409: .It Cm fd : Ns Ar number
1.33 jmc 7410: Read the password from the file descriptor
7411: .Ar number .
1.38 jmc 7412: This can be used to send the data via a pipe, for example.
7413: .It Cm stdin
1.33 jmc 7414: Read the password from standard input.
1.35 jmc 7415: .El
1.38 jmc 7416: .Pp
1.64 ! jmc 7417: Input/output formats,
1.38 jmc 7418: typically specified using
7419: .Fl inform
7420: and
7421: .Fl outform ,
1.64 ! jmc 7422: indicate the format being read from or written to.
1.38 jmc 7423: The argument is case insensitive.
7424: .Pp
7425: .Bl -tag -width Ds -offset indent -compact
7426: .It Cm der
7427: Distinguished Encoding Rules (DER)
7428: is a binary format.
1.64 ! jmc 7429: .It Cm net
! 7430: Insecure legacy format.
1.38 jmc 7431: .It Cm pem
7432: Privacy Enhanced Mail (PEM)
7433: is base64-encoded.
7434: .It Cm txt
7435: Plain ASCII text.
7436: .El
1.35 jmc 7437: .Sh ENVIRONMENT
7438: The following environment variables affect the execution of
7439: .Nm openssl :
1.38 jmc 7440: .Bl -tag -width "/etc/ssl/openssl.cnf"
1.35 jmc 7441: .It Ev OPENSSL_CONF
7442: The location of the master configuration file.
1.33 jmc 7443: .El
1.1 jsing 7444: .\"
7445: .\" FILES
7446: .\"
7447: .Sh FILES
7448: .Bl -tag -width "/etc/ssl/openssl.cnf" -compact
1.17 sobrado 7449: .It Pa /etc/ssl/
1.1 jsing 7450: Default config directory for
7451: .Nm openssl .
1.17 sobrado 7452: .It Pa /etc/ssl/lib/
1.1 jsing 7453: Unused.
1.17 sobrado 7454: .It Pa /etc/ssl/private/
1.1 jsing 7455: Default private key directory.
1.17 sobrado 7456: .It Pa /etc/ssl/openssl.cnf
1.1 jsing 7457: Default configuration file for
7458: .Nm openssl .
1.17 sobrado 7459: .It Pa /etc/ssl/x509v3.cnf
1.1 jsing 7460: Default configuration file for
7461: .Nm x509
7462: certificates.
7463: .El
7464: .\"
7465: .\" SEE ALSO
7466: .\"
7467: .Sh SEE ALSO
1.26 jmc 7468: .Xr nc 1 ,
1.1 jsing 7469: .Xr ssl 8 ,
7470: .Xr starttls 8
7471: .Sh STANDARDS
7472: .Rs
7473: .%D February 1995
7474: .%Q Netscape Communications Corp.
7475: .%T The SSL Protocol
7476: .Re
7477: .Pp
7478: .Rs
7479: .%D November 1996
7480: .%Q Netscape Communications Corp.
7481: .%T The SSL 3.0 Protocol
7482: .Re
7483: .Pp
7484: .Rs
7485: .%A T. Dierks
7486: .%A C. Allen
7487: .%D January 1999
7488: .%R RFC 2246
7489: .%T The TLS Protocol Version 1.0
7490: .Re
7491: .Pp
7492: .Rs
7493: .%A M. Wahl
7494: .%A S. Killie
7495: .%A T. Howes
7496: .%D December 1997
7497: .%R RFC 2253
7498: .%T Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
7499: .Re
7500: .Pp
7501: .Rs
7502: .%A B. Kaliski
7503: .%D March 1998
7504: .%R RFC 2315
7505: .%T PKCS #7: Cryptographic Message Syntax Version 1.5
7506: .Re
7507: .Pp
7508: .Rs
7509: .%A R. Housley
7510: .%A W. Ford
7511: .%A W. Polk
7512: .%A D. Solo
7513: .%D January 1999
7514: .%R RFC 2459
7515: .%T Internet X.509 Public Key Infrastructure Certificate and CRL Profile
7516: .Re
7517: .Pp
7518: .Rs
7519: .%A M. Myers
7520: .%A R. Ankney
7521: .%A A. Malpani
7522: .%A S. Galperin
7523: .%A C. Adams
7524: .%D June 1999
7525: .%R RFC 2560
7526: .%T X.509 Internet Public Key Infrastructure Online Certificate Status Protocol \(en OCSP
7527: .Re
7528: .Pp
7529: .Rs
7530: .%A R. Housley
7531: .%D June 1999
7532: .%R RFC 2630
7533: .%T Cryptographic Message Syntax
7534: .Re
7535: .Pp
7536: .Rs
7537: .%A P. Chown
7538: .%D June 2002
7539: .%R RFC 3268
1.24 jmc 7540: .%T Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
1.1 jsing 7541: .Re