Command-line tool for using the OpenSSL crypto library
Syntax:
openssl command [command_opts] [command_args]
openssl [list-standard-commands |
list-message-digest-commands |
list-cipher-commands |
list-cipher-algorithms |
list-message-digest-algorithms |
list-public-key-algorithms]
openssl no-cmd [arbitrary_options]
Description:
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and
related cryptography standards that they require.
The openssl program is a command-line tool for using the
various cryptography functions of OpenSSL's crypto library from the shell.
You can use it for the following:
- creation and management of private keys, public keys and parameters
- public key cryptographic operations
- creation of X.509 certificates, CSRs and CRLs
- calculation of message digests
- encryption and decryption with ciphers
- SSL/TLS client and server tests
- handling of S/MIME signed or encrypted mail
- timestamp requests, generation and verification
Note:
In order for openssl to be fully functional, you must have started random with the -t option.
Command summary
The openssl program provides a rich variety of commands
(command in the synopsis above), each of which often has a
wealth of options and arguments (command_opts and command_args).
The pseudo-commands list-standard-commands,
list-message-digest-commands, and list-cipher-commands
output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher
commands, respectively, that are available in the present openssl utility.
The pseudo-commands list-cipher-algorithms and
list-message-digest-algorithms list all cipher and message digest names, one entry per line.
Aliases are listed as:
from => to
The pseudo-command list-public-key-algorithms lists all supported public key algorithms.
The pseudo-command no-cmd tests whether a command of
the specified name is available.
If no command named cmd exists, openssl returns 0
(success) and prints no-cmd;
otherwise it returns 1 and prints cmd.
In both cases, the output goes to stdout, and nothing is printed to stderr.
Additional command-line arguments are always ignored.
Since for each cipher there's a command of the same name, this provides an easy way
for shell scripts to test for the availability of ciphers in the openssl program.
(The no-cmd can't detect pseudo-commands such as
quit, list-...-commands, or no-cmd
itself.)
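The no-cmd check is most useful as a pre-flight test in scripts, but its exit status is the reverse of what a caller usually wants (0 means "absent"), and a missing openssl binary would also give a non-1 status. The following is an added example, not part of this page or of the OpenSSL project; the function names openssl_has and require_openssl_cmds are my own, it assumes openssl is on the PATH, and "bogus-cipher-xyz" is a constructed name that no build provides.

```shell
#!/bin/sh
# openssl_has NAME
#   Exit 0 when NAME is a command or cipher available in the local openssl
#   build, 1 otherwise.  Wraps "openssl no-NAME": that pseudo-command exits 0
#   and prints "no-NAME" when NAME is absent, exits 1 and prints "NAME" when
#   it is present, so the sense is inverted here.
openssl_has() {
    command -v openssl >/dev/null 2>&1 || return 1   # no openssl at all
    status=0
    openssl "no-$1" >/dev/null 2>&1 || status=$?
    # 1 => NAME exists; 0 => "no-NAME" was printed; anything else is an error
    [ "$status" -eq 1 ]
}

# require_openssl_cmds NAME...
#   Pre-flight check for scripts: report every missing name on stderr and
#   return 1 if any is missing, so a script can stop before it tries to use a
#   cipher or command this build does not have.
require_openssl_cmds() {
    missing=""
    for name in "$@"; do
        openssl_has "$name" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "openssl is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration.  dgst and des-ede3-cbc appear in this page's
# command lists; bogus-cipher-xyz is a constructed name that cannot exist.
if command -v openssl >/dev/null 2>&1; then
    for n in dgst des-ede3-cbc bogus-cipher-xyz; do
        if openssl_has "$n"; then
            echo "$n: available"
        else
            echo "$n: not available"
        fi
    done
    require_openssl_cmds dgst des-ede3-cbc && echo "all required commands present"
fi
```

Note that, as the text above says, pseudo-commands such as list-standard-commands cannot be probed this way; openssl_has reports them as absent.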
Standard commands
- asn1parse
- Parse an ASN.1 sequence.
- ca
- Certificate Authority (CA) Management.
- ciphers
- Cipher Suite Description Determination.
- cms
- Cryptographic Message Syntax utility.
- crl
- Certificate Revocation List (CRL) Management.
- crl2pkcs7
- CRL to PKCS#7 Conversion.
- dgst
- Message Digest Calculation.
- dh
- Diffie-Hellman Parameter Management; rendered obsolete by dhparam.
- dhparam
- Generation and Management of Diffie-Hellman Parameters.
Superseded by genpkey and pkeyparam.
- dsa
- DSA Data Management.
- dsaparam
- DSA Parameter Generation and Management.
Superseded by genpkey and pkeyparam.
- ec
- Elliptic Curve key processing.
- ecparam
- EC parameter manipulation and generation.
- enc
- Encoding with Ciphers.
- engine
- Engine (loadable module) information and manipulation.
- errstr
- Error Number to Error String Conversion.
- gendh
- Generation of Diffie-Hellman Parameters; rendered obsolete by dhparam.
- gendsa
- Generation of DSA Private Key from Parameters. Superseded by
genpkey and pkey.
- genpkey
- Generation of Private Key or Parameters.
- genrsa
- Generation of RSA Private Key.
Superseded by genpkey.
- nseq
- Create or examine a Netscape certificate sequence.
- ocsp
- Online Certificate Status Protocol utility.
- passwd
- Generation of hashed passwords.
- pkcs12
- PKCS#12 Data Management.
- pkcs7
- PKCS#7 Data Management.
- pkey
- Public and private key management.
- pkeyparam
- Public key algorithm parameter management.
- pkeyutl
- Public key algorithm cryptographic operation utility.
- rand
- Generate pseudo-random bytes.
- req
- PKCS#10 X.509 Certificate Signing Request (CSR) Management.
- rsa
- RSA key management.
- rsautl
- RSA utility for signing, verification, encryption, and decryption.
Superseded by pkeyutl.
- s_client
- This implements a generic SSL/TLS client that can establish
a transparent connection to a remote server speaking SSL/TLS.
It's intended for testing purposes only and provides only a
rudimentary interface, but internally it exercises nearly all
of the functionality of the OpenSSL ssl library.
- s_server
- This implements a generic SSL/TLS server that accepts connections from remote clients speaking SSL/TLS.
It's intended for testing purposes only and provides only a rudimentary
interface, but internally it exercises nearly all of the functionality of the OpenSSL ssl library.
It provides both its own command-line-oriented protocol for testing
SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver.
- s_time
- SSL Connection Timer.
- sess_id
- SSL Session Data Management.
- smime
- S/MIME mail processing.
- speed
- Algorithm Speed Measurement.
- spkac
- SPKAC printing and generating utility.
- ts
- Time Stamping Authority tool (client/server).
- verify
- X.509 Certificate Verification.
- version
- OpenSSL Version Information.
- x509
- X.509 Certificate Data Management.
Message digest commands
- md2
- MD2 Digest.
- md5
- MD5 Digest.
- mdc2
- MDC2 Digest.
- rmd160
- RMD-160 Digest.
- sha
- SHA Digest.
- sha1
- SHA-1 Digest.
- sha224
- SHA-224 Digest.
- sha256
- SHA-256 Digest.
- sha384
- SHA-384 Digest.
- sha512
- SHA-512 Digest.
Encoding and cipher commands
- base64
- Base64 Encoding.
- bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb
- Blowfish Cipher.
- cast, cast-cbc
- CAST Cipher.
- cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb
- CAST5 Cipher.
- des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb
- DES Cipher.
- des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb
- Triple-DES Cipher.
- idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb
- IDEA Cipher.
- rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb
- RC2 Cipher.
- rc4
- RC4 Cipher.
- rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb
- RC5 Cipher.
Pass phrase arguments
Several commands accept password arguments, typically using
-passin and -passout for input and output passwords respectively.
These allow the password to be obtained from a variety of sources.
Both of these options take a single argument whose format is described below.
If no password argument is given and a password is required, you're
prompted to enter one: this will typically be read from the current terminal with echoing turned off.
- pass:password
- The actual password is password.
Since the command line is visible to other users through process-listing utilities, you should use this form only where security isn't important.
- env:var
- Obtain the password from the environment variable var.
Since the environment of other processes is visible on certain
platforms, you should use this option with caution.
- file:pathname
- The first line of pathname is the password.
If you supply the same pathname argument to -passin
and -passout arguments, the first line is used for the input
password, and the next line for the output password.
The pathname need not refer to a regular file; it could,
for example, refer to a device or named pipe.
- fd:number
- Read the password from the given file descriptor number.
You can use this, for example, to send the data via a pipe.
- stdin
- Read the password from standard input.
Exit status:
- 0
- Success.
- 1
- An error occurred.