openssl
Command-line tool for using the OpenSSL crypto library
Syntax:
openssl command [command_opts] [command_args]
openssl [list-standard-commands | list-message-digest-commands |
list-cipher-commands | list-cipher-algorithms |
list-message-digest-algorithms | list-public-key-algorithms]
openssl no-cmd [arbitrary_options]
Runs on:
All supported hosts.
Options:
None.
Description:
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards that they require.
The openssl program is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. You can use it for the following:
- creation and management of private keys, public keys and parameters
- public key cryptographic operations
- creation of X.509 certificates, CSRs and CRLs
- calculation of Message Digests
- encryption and Decryption with Ciphers
- SSL/TLS Client and Server Tests
- handling of S/MIME signed or encrypted mail
- timestamp requests, generation and verification
Command summary
The openssl program provides a rich variety of commands (command in the synopsis above), each of which often has a wealth of options and arguments (command_opts and command_args).
The pseudo-commands list-standard-commands, list-message-digest-commands, and list-cipher-commands output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present openssl utility.
The pseudo-commands list-cipher-algorithms and list-message-digest-algorithms list all cipher and message digest names, one entry per line. Aliases are listed as:
from => to
The pseudo-command list-public-key-algorithms lists all supported public key algorithms.
The pseudo-command no-cmd tests whether a command of the specified name is available. If no command named cmd exists, openssl returns 0 (success) and prints no-cmd; otherwise it returns 1 and prints cmd. In both cases, the output goes to stdout, and nothing is printed to stderr. Additional command-line arguments are always ignored. Since for each cipher there's a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the openssl program. (The no-cmd pseudo-command can't detect other pseudo-commands such as quit, list-...-commands, or no-cmd itself.)
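The following script is an added example, not part of the original documentation. It uses the no-cmd contract described above to report which algorithms an openssl build provides; the function names and the LEGACY list (picked from the command tables on this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example: probing an openssl build with the no-cmd pseudo-command.

# probe_openssl_cmd NAME
#   returns 0 if NAME is available, 1 if it is not, 2 if the answer
#   cannot be trusted (openssl missing, or unexpected output/status).
probe_openssl_cmd() {
    name=$1
    out=$(openssl "no-$name" 2>/dev/null) && rc=0 || rc=$?
    # Documented contract: absent -> status 0 and "no-NAME" on stdout;
    # present -> status 1 and "NAME" on stdout. Check both together so a
    # missing binary (status 127) is not mistaken for "present".
    if [ "$rc" -eq 0 ] && [ "$out" = "no-$name" ]; then
        return 1
    elif [ "$rc" -eq 1 ] && [ "$out" = "$name" ]; then
        return 0
    fi
    return 2
}

# list_available NAME...
#   prints, one per line, the names this openssl build provides.
list_available() {
    for n in "$@"; do
        probe_openssl_cmd "$n" && st=0 || st=$?
        case $st in
            0) printf '%s\n' "$n" ;;
            2) printf 'cannot probe: %s\n' "$n" >&2 ;;
        esac
    done
}

# Assumed audit list: legacy digests and ciphers picked from this page's
# command tables.
LEGACY="md2 md5 rc4 des des-ecb rc2"
list_available $LEGACY
```

An empty result means none of the listed names is present as a command; names reported on stderr could not be probed and should be checked by hand.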
Standard commands
- asn1parse
- Parse an ASN.1 sequence.
- ca
- Certificate Authority (CA) Management.
- ciphers
- Cipher Suite Description Determination.
- crl
- Certificate Revocation List (CRL) Management.
- crl2pkcs7
- CRL to PKCS#7 Conversion.
- dgst
- Message Digest Calculation.
- dh
- Diffie-Hellman Parameter Management; rendered obsolete by dhparam.
- dsa
- DSA Data Management.
- dsaparam
- DSA Parameter Generation and Management. Superseded by genpkey and pkeyparam.
- enc
- Encoding with Ciphers.
- errstr
- Error Number to Error String Conversion.
- dhparam
- Generation and Management of Diffie-Hellman Parameters. Superseded by genpkey and pkeyparam.
- gendh
- Generation of Diffie-Hellman Parameters; rendered obsolete by dhparam.
- gendsa
- Generation of DSA Private Key from Parameters. Superseded by genpkey and pkey.
- genpkey
- Generation of Private Key or Parameters.
- genrsa
- Generation of RSA Private Key. Superseded by genpkey.
- ocsp
- Online Certificate Status Protocol utility.
- passwd
- Generation of hashed passwords.
- pkcs12
- PKCS#12 Data Management.
- pkcs7
- PKCS#7 Data Management.
- pkey
- Public and private key management.
- pkeyutl
- Public key algorithm cryptographic operation utility.
- pkeyparam
- Public key algorithm parameter management.
- rand
- Generate pseudo-random bytes.
- req
- PKCS#10 X.509 Certificate Signing Request (CSR) Management.
- rsa
- RSA key management.
- rsautl
- RSA utility for signing, verification, encryption, and decryption. Superseded by pkeyutl.
- s_client
- This implements a generic SSL/TLS client that can establish a transparent connection to a remote server speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality, but internally it uses nearly all the functionality of the OpenSSL ssl library.
- s_server
- This implements a generic SSL/TLS server that accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality, but internally it uses nearly all the functionality of the OpenSSL ssl library. It provides both its own command-line-oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver.
- s_time
- SSL Connection Timer.
- sess_id
- SSL Session Data Management.
- smime
- S/MIME mail processing.
- speed
- Algorithm Speed Measurement.
- ts
- Time Stamping Authority tool (client/server).
- verify
- X.509 Certificate Verification.
- version
- OpenSSL Version Information.
- x509
- X.509 Certificate Data Management.
Message digest commands
- md2
- MD2 Digest.
- md5
- MD5 Digest.
- mdc2
- MDC2 Digest.
- rmd160
- RMD-160 Digest.
- sha
- SHA Digest.
- sha1
- SHA-1 Digest.
- sha224
- SHA-224 Digest.
- sha256
- SHA-256 Digest.
- sha384
- SHA-384 Digest.
- sha512
- SHA-512 Digest.
Encoding and cipher commands
- base64
- Base64 Encoding.
- bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
- Blowfish Cipher.
- cast, cast-cbc
- CAST Cipher.
- cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
- CAST5 Cipher.
- des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb
- DES Cipher.
- des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
- Triple-DES Cipher.
- idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
- IDEA Cipher.
- rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
- RC2 Cipher.
- rc4
- RC4 Cipher.
- rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
- RC5 Cipher.
Pass phrase arguments
Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required, you're prompted to enter one: this will typically be read from the current terminal with echoing turned off.
- pass:password
- The actual password is password. Since the password is visible to utilities, you should use this form only where security isn't important.
- env:var
- Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms, you should use this option with caution.
- file:pathname
- The first line of pathname is the password. If you supply the same pathname argument to -passin and -passout arguments, the first line is used for the input password, and the next line for the output password. The pathname need not refer to a regular file; it could, for example, refer to a device or named pipe.
- fd:number
- Read the password from the given file descriptor number. You can use this, for example, to send the data via a pipe.
- stdin
- Read the password from standard input.
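The following check is an added example, not part of the original documentation. It validates a -passin or -passout argument before the argument is handed to openssl. The policy is an assumption of the example and stricter than the text above: pass: and env: are always rejected, and a file: source must not be accessible to group or others.

```shell
#!/bin/sh
# Added example: vet a pass phrase source before it reaches openssl.

# check_pass_source ARG
#   ARG is the value that would follow -passin or -passout.
#   Returns 0 if acceptable under this example's policy, 1 otherwise;
#   the reason for a rejection goes to stderr.
check_pass_source() {
    case $1 in
        pass:*)
            echo "rejected: pass: puts the pass phrase on the command line" >&2
            return 1 ;;
        env:*)
            echo "rejected: env: exposes the pass phrase in the environment" >&2
            return 1 ;;
        stdin)
            return 0 ;;
        fd:*)
            case ${1#fd:} in
                ''|*[!0-9]*)
                    echo "rejected: fd: needs a descriptor number" >&2
                    return 1 ;;
            esac
            return 0 ;;
        file:*)
            path=${1#file:}
            if [ ! -e "$path" ]; then
                echo "rejected: $path does not exist" >&2
                return 1
            fi
            # Characters 5-10 of the ls mode string are the group and
            # other permission bits; -L resolves symbolic links first.
            perms=$(ls -ldL -- "$path" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "rejected: $path is accessible to group or others" >&2
                return 1
            fi
            return 0 ;;
    esac
    echo "rejected: unknown pass phrase source" >&2
    return 1
}

# Usage (key.pem and key.pass are hypothetical file names):
#   src=file:key.pass
#   check_pass_source "$src" && openssl pkey -in key.pem -passin "$src" -pubout
```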
Exit status:
- 0
- Success.
- 1
- An error occurred.