1 .\" $OpenBSD: openssl.1,v 1.39 2016/07/21 18:40:26 jmc Exp $
2 .\" ====================================================================
3 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in
14 .\" the documentation and/or other materials provided with the
17 .\" 3. All advertising materials mentioning features or use of this
18 .\" software must display the following acknowledgment:
19 .\" "This product includes software developed by the OpenSSL Project
20 .\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
22 .\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 .\" endorse or promote products derived from this software without
24 .\" prior written permission. For written permission, please contact
25 .\" openssl-core@openssl.org.
27 .\" 5. Products derived from this software may not be called "OpenSSL"
28 .\" nor may "OpenSSL" appear in their names without prior written
29 .\" permission of the OpenSSL Project.
31 .\" 6. Redistributions of any form whatsoever must retain the following
33 .\" "This product includes software developed by the OpenSSL Project
34 .\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
36 .\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 .\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 .\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
48 .\" ====================================================================
50 .\" This product includes cryptographic software written by Eric Young
51 .\" (eay@cryptsoft.com). This product includes software written by Tim
52 .\" Hudson (tjh@cryptsoft.com).
55 .\" Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
56 .\" All rights reserved.
58 .\" This package is an SSL implementation written
59 .\" by Eric Young (eay@cryptsoft.com).
60 .\" The implementation was written so as to conform with Netscapes SSL.
62 .\" This library is free for commercial and non-commercial use as long as
63 .\" the following conditions are aheared to. The following conditions
64 .\" apply to all code found in this distribution, be it the RC4, RSA,
65 .\" lhash, DES, etc., code; not just the SSL code. The SSL documentation
66 .\" included with this distribution is covered by the same copyright terms
67 .\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
69 .\" Copyright remains Eric Young's, and as such any Copyright notices in
70 .\" the code are not to be removed.
71 .\" If this package is used in a product, Eric Young should be given attribution
72 .\" as the author of the parts of the library used.
73 .\" This can be in the form of a textual message at program startup or
74 .\" in documentation (online or textual) provided with the package.
76 .\" Redistribution and use in source and binary forms, with or without
77 .\" modification, are permitted provided that the following conditions
79 .\" 1. Redistributions of source code must retain the copyright
80 .\" notice, this list of conditions and the following disclaimer.
81 .\" 2. Redistributions in binary form must reproduce the above copyright
82 .\" notice, this list of conditions and the following disclaimer in the
83 .\" documentation and/or other materials provided with the distribution.
84 .\" 3. All advertising materials mentioning features or use of this software
85 .\" must display the following acknowledgement:
86 .\" "This product includes cryptographic software written by
87 .\" Eric Young (eay@cryptsoft.com)"
88 .\" The word 'cryptographic' can be left out if the rouines from the library
89 .\" being used are not cryptographic related :-).
90 .\" 4. If you include any Windows specific code (or a derivative thereof) from
91 .\" the apps directory (application code) you must include an
93 .\" "This product includes software written by Tim Hudson
94 .\" (tjh@cryptsoft.com)"
96 .\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
97 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
98 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
99 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
100 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
101 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
102 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
103 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
104 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
105 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 .\" The licence and distribution terms for any publically available version or
109 .\" derivative of this code cannot be changed. i.e. this code cannot simply be
110 .\" copied and put under another distribution licence
111 .\" [including the GNU Public Licence.]
115 .Dd $Mdocdate: July 21 2016 $
120 .Nd OpenSSL command line tool
128 .Cm list-standard-commands |
129 .Cm list-message-digest-commands |
130 .Cm list-cipher-commands |
131 .Cm list-cipher-algorithms |
132 .Cm list-message-digest-algorithms |
133 .Cm list-public-key-algorithms
136 .Cm no- Ns Ar command
139 is a cryptography toolkit implementing the
140 Transport Layer Security
143 as well as related cryptography standards.
147 program is a command line tool for using the various
148 cryptography functions of
150 crypto library from the shell.
153 .Cm list-standard-commands , list-message-digest-commands ,
155 .Cm list-cipher-commands
157 .Pq one entry per line
158 of the names of all standard commands, message digest commands,
159 or cipher commands, respectively, that are available in the present
164 .Cm list-cipher-algorithms
166 .Cm list-message-digest-algorithms
167 list all cipher and message digest names,
169 Aliases are listed as:
174 .Cm list-public-key-algorithms
175 lists all supported public key algorithms.
178 .Cm no- Ns Ar command
179 tests whether a command of the
180 specified name is available.
186 .Cm no- Ns Ar command ;
187 otherwise it returns 1 and prints
189 In both cases, the output goes to stdout and nothing is printed to stderr.
190 Additional command line arguments are always ignored.
191 Since for each cipher there is a command of the same name,
192 this provides an easy way for shell scripts to test for the
193 availability of ciphers in the
198 .Cm no- Ns Ar command
199 is not able to detect pseudo-commands such as
201 .Cm list- Ns Ar ... Ns Cm -commands ,
203 .Cm no- Ns Ar command
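As an added example (not part of this manual page), the following POSIX sh helpers build on the exit status described above: because "openssl no-<command>" exits 0 when the command is absent and 1 when it is present, a script has to negate the result. The command names probed at the bottom are chosen for the example.

```shell
#!/bin/sh
# Added example (not from the man page): probing for openssl commands from
# a script with "openssl no-<command>". Note the inverted sense described
# above: exit status 0 means the command is absent, 1 means it is present,
# and both outcomes print to stdout only. The command names checked at the
# bottom are chosen for the example.

openssl_has_command() {
    # $1: command name. Returns 0 (true) when openssl offers it.
    # A missing openssl binary must count as "not available" too, so it is
    # checked first: otherwise the shell's 127 would read as "present".
    command -v openssl >/dev/null 2>&1 || return 1
    if openssl "no-$1" >/dev/null 2>&1; then
        return 1      # "no-<command>" was printed: not available
    fi
    return 0
}

# Check every name given; print the missing ones, one per line.
# Returns 0 only when all are available.
openssl_require_commands() {
    missing=""
    for cmd in "$@"; do
        openssl_has_command "$cmd" || missing="$missing $cmd"
    done
    [ -z "$missing" ] && return 0
    for m in $missing; do echo "$m"; done
    return 1
}

# Usage: fail early rather than part-way through a script. As the caveat
# above says, pseudo-commands (quit, list-*-commands, no-*) cannot be
# probed this way, and whether a bare cipher name such as aes-256-cbc
# resolves through this table depends on the build.
if openssl_require_commands dgst x509 >/dev/null; then
    echo "required openssl commands present"
else
    echo "missing openssl commands; aborting" >&2
fi
```

The probe works on stdout and exit status alone, so both helpers discard output and never parse it.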
207 .Nm "openssl asn1parse"
209 .Op Fl dlimit Ar number
211 .Op Fl genconf Ar file
214 .Op Fl inform Cm der | pem | txt
215 .Op Fl length Ar number
217 .Op Fl offset Ar number
220 .Op Fl strparse Ar offset
225 command is a diagnostic utility that can parse ASN.1 structures.
226 It can also be used to extract data from ASN.1 formatted data.
228 The options are as follows:
230 .It Fl dlimit Ar number
233 bytes of unknown data in hex form.
235 Dump unknown data in hex form.
236 .It Fl genconf Ar file , Fl genstr Ar str
237 Generate encoded data based on string
241 or both, using the format described in
242 .Xr ASN1_generate_nconf 3 .
245 is present then the string is obtained from the default section
248 The encoded data is passed through the ASN1 parser and printed out as
249 though it came from a file;
250 the contents can thus be examined and written to a file using the
254 Indent the output according to the
258 The input file; the default is standard input.
259 .It Fl inform Cm der | pem | txt
261 .It Fl length Ar number
262 Number of bytes to parse; the default is until end of file.
264 Don't output the parsed version of the input file.
265 .It Fl offset Ar number
266 Starting offset to begin parsing; the default is start of file.
268 A file containing additional object identifiers
271 .Pq object identifier
274 internal table it will be represented in
276 .Pq for example 1.2.3.4 .
278 Each line consists of three columns:
279 the first column is the OID in numerical format and should be followed by
281 The second column is the
283 which is a single word followed by whitespace.
284 The final column is the rest of the line and is the
287 displays the long name.
289 The DER-encoded output file; the default is no encoded output
290 (useful when combined with
292 .It Fl strparse Ar offset
293 Parse the content octets of the ASN.1 object starting at
295 This option can be used multiple times to
297 into a nested structure.
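As an added example (not part of this manual page), the script below exercises the -genconf, -noout, -out, -i and -strparse options together: it generates a small DER structure whose payload is an OCTET STRING wrapping a nested SEQUENCE, then descends into that payload. The configuration, its section names and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the man page): build a DER structure with
# -genconf, inspect it, then descend into an OCTET STRING with -strparse.
# The config syntax is that of ASN1_generate_nconf(3); all names here are
# constructed for the example.

asn1_demo() {
    # $1: scratch directory
    dir="$1"
    cat >"$dir/gen.cnf" <<'EOF'
# default section: "asn1" names the top-level object
asn1 = SEQUENCE:outer

[ outer ]
version = INTEGER:1
# OCTWRAP wraps the encoded inner SEQUENCE in an OCTET STRING, the usual
# shape of an opaque payload carried inside a container structure.
payload = OCTWRAP,SEQUENCE:inner

[ inner ]
name = UTF8:example
EOF
    # -noout suppresses the parse dump; -out writes the DER encoding.
    openssl asn1parse -genconf "$dir/gen.cnf" -noout -out "$dir/demo.der" || return 1

    # Top-level parse: the wrapped payload shows only as a hex dump.
    openssl asn1parse -inform DER -in "$dir/demo.der" -i || return 1

    # Take the offset of the OCTET STRING from the parse output instead of
    # hard-coding it: the first field, before the colon, is the offset.
    off=$(openssl asn1parse -inform DER -in "$dir/demo.der" |
        awk -F: '/OCTET STRING/ { gsub(/ /, "", $1); print $1; exit }')
    [ -n "$off" ] || return 1

    # -strparse parses the content octets of the object at that offset.
    openssl asn1parse -inform DER -in "$dir/demo.der" -strparse "$off" -i
}

# Returns 0 if the nested UTF8String is reachable through -strparse.
asn1_demo_ok() {
    tmp=$(mktemp -d) || return 1
    out=$(asn1_demo "$tmp")
    status=$?
    rm -rf "$tmp"
    [ "$status" -eq 0 ] || return 1
    echo "$out" | grep -q 'UTF8STRING.*example'
}

if command -v openssl >/dev/null 2>&1; then
    asn1_demo_ok && echo "nested structure parsed"
fi
```

Reading the offset back from the parser's own output is the habit worth keeping: offsets shift as soon as a length byte changes, and -strparse on a stale offset silently parses the wrong bytes.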
304 .Op Fl config Ar file
305 .Op Fl crl_CA_compromise Ar time
306 .Op Fl crl_compromise Ar time
307 .Op Fl crl_hold Ar instruction
308 .Op Fl crl_reason Ar reason
309 .Op Fl crldays Ar days
310 .Op Fl crlexts Ar section
311 .Op Fl crlhours Ar hours
313 .Op Fl enddate Ar date
314 .Op Fl extensions Ar section
315 .Op Fl extfile Ar section
319 .Op Fl key Ar keyfile
320 .Op Fl keyfile Ar arg
321 .Op Fl keyform Ar PEM
324 .Op Fl name Ar section
332 .Op Fl revoke Ar file
334 .Op Fl ss_cert Ar file
335 .Op Fl startdate Ar date
336 .Op Fl status Ar serial
344 command is a minimal certificate authority (CA) application.
345 It can be used to sign certificate requests in a variety of forms
346 and generate certificate revocation lists (CRLs).
347 It also maintains a text database of issued certificates and their status.
349 The options relevant to CAs are as follows:
350 .Bl -tag -width "XXXX"
352 This sets the batch mode.
353 In this mode no questions will be asked
354 and all certificates will be certified automatically.
356 The CA certificate file.
357 .It Fl config Ar file
358 Specifies the configuration file to use.
360 The number of days to certify the certificate for.
361 .It Fl enddate Ar date
362 This allows the expiry date to be explicitly set.
363 The format of the date is YYMMDDHHMMSSZ
364 .Pq the same as an ASN1 UTCTime structure .
365 .It Fl extensions Ar section
366 The section of the configuration file containing certificate extensions
367 to be added when a certificate is issued (defaults to
372 If no extension section is present, a V1 certificate is created.
373 If the extension section is present
374 .Pq even if it is empty ,
375 then a V3 certificate is created.
376 .It Fl extfile Ar file
377 An additional configuration
379 to read certificate extensions from
380 (using the default section unless the
382 option is also used).
386 containing a single certificate request to be signed by the CA.
388 If present, this should be the last option; all subsequent arguments
389 are assumed to be the names of files containing certificate requests.
390 .It Fl key Ar keyfile
391 The password used to encrypt the private key.
392 Since on some systems the command line arguments are visible,
393 this option should be used with caution.
394 .It Fl keyfile Ar file
395 The private key to sign requests with.
396 .It Fl keyform Ar PEM
397 Private key file format.
399 The message digest to use.
400 Possible values include
404 This option also applies to CRLs.
406 This is a legacy option to make
408 work with very old versions of the IE certificate enrollment control
410 It used UniversalStrings for almost everything.
411 Since the old control has various security bugs,
412 its use is strongly discouraged.
415 does not need this option.
416 .It Fl name Ar section
417 Specifies the configuration file
The DN of a certificate can contain the EMAIL field if it is present in the
request DN; however, it is better practice to place the email only in the
429 extension of the certificate.
When this option is set, the EMAIL field is removed from the certificate's
subject and set only in the extensions, if any are present.
434 keyword can be used in the configuration file to enable this behaviour.
436 Don't output the text form of a certificate to the output file.
438 The output file to output certificates to.
439 The default is standard output.
440 The certificate details will also be printed out to this file.
441 .It Fl outdir Ar directory
444 to output certificates to.
445 The certificate will be written to a file consisting of the
446 serial number in hex with
450 The key password source.
452 This option defines the CA
455 The policy section in the configuration file
456 consists of a set of variables corresponding to certificate DN fields.
457 The values may be one of
459 (the value must match the same field in the CA certificate),
461 (the value must be present), or
463 (the value may be present).
464 Any fields not mentioned in the policy section
465 are silently deleted, unless the
but this can be regarded as more of a quirk than intended behaviour.
470 Normally, the DN order of a certificate is the same as the order of the
471 fields in the relevant policy section.
472 When this option is set, the order is the same as the request.
473 This is largely for compatibility with the older IE enrollment control
474 which would only accept certificates if their DNs matched the order of the
476 This is not needed for Xenroll.
478 A file containing a single Netscape signed public key and challenge,
479 and additional field values to be signed by the CA.
480 This will usually come from the
481 KEYGEN tag in an HTML form to create a new private key.
482 It is, however, possible to create SPKACs using the
486 The file should contain the variable SPKAC set to the value of
487 the SPKAC and also the required DN components as name value pairs.
488 If it's necessary to include the same component twice,
489 then it can be preceded by a number and a
491 .It Fl ss_cert Ar file
492 A single self-signed certificate to be signed by the CA.
493 .It Fl startdate Ar date
494 This allows the start date to be explicitly set.
495 The format of the date is YYMMDDHHMMSSZ
496 .Pq the same as an ASN1 UTCTime structure .
497 .It Fl status Ar serial
498 Show the status of the certificate with serial number
501 Update database for expired certificates.
503 This prints extra details about the operations being performed.
506 The options relevant to CRLs are as follows:
507 .Bl -tag -width "XXXX"
508 .It Fl crl_CA_compromise Ar time
511 except the revocation reason is set to CACompromise.
512 .It Fl crl_compromise Ar time
513 This sets the revocation reason to keyCompromise and the compromise time to
516 should be in GeneralizedTime format, i.e. YYYYMMDDHHMMSSZ.
517 .It Fl crl_hold Ar instruction
518 This sets the CRL revocation reason code to certificateHold and the hold
521 which must be an OID.
522 Although any OID can be used, only holdInstructionNone
523 (the use of which is discouraged by RFC 2459), holdInstructionCallIssuer or
524 holdInstructionReject will normally be used.
525 .It Fl crl_reason Ar reason
526 Revocation reason, where
529 unspecified, keyCompromise, CACompromise, affiliationChanged, superseded,
530 cessationOfOperation, certificateHold or removeFromCRL.
534 Setting any revocation reason will make the CRL v2.
535 In practice, removeFromCRL is not particularly useful because it is only used
536 in delta CRLs which are not currently implemented.
537 .It Fl crldays Ar num
538 The number of days before the next CRL is due.
539 This is the days from now to place in the CRL
542 .It Fl crlexts Ar section
545 of the configuration file containing CRL extensions to include.
546 If no CRL extension section is present then a V1 CRL is created;
547 if the CRL extension section is present
548 .Pq even if it is empty
549 then a V2 CRL is created.
550 The CRL extensions specified are CRL extensions and
552 CRL entry extensions.
553 It should be noted that some software
554 .Pq for example Netscape
555 can't handle V2 CRLs.
556 .It Fl crlhours Ar num
557 The number of hours before the next CRL is due.
559 This option generates a CRL based on information in the index file.
560 .It Fl revoke Ar file
563 containing a certificate to revoke.
565 Supersedes the subject name given in the request.
569 .Ar /type0=value0/type1=value1/type2=... ;
570 characters may be escaped by
573 no spaces are skipped.
576 Many of the options can be set in the
578 section of the configuration file
579 (or in the default section of the configuration file),
588 are read directly from the
592 Many of the configuration file options are identical to command line
594 Where the option is present in the configuration file and the command line,
595 the command line value is used.
596 Where an option is described as mandatory, then it must be present in
597 the configuration file or the command line equivalent
600 .Bl -tag -width "XXXX"
604 It gives the file containing the CA certificate.
606 .It Cm copy_extensions
607 Determines how extensions in certificate requests should be handled.
610 or this option is not present, then extensions are
611 ignored and not copied to the certificate.
614 then any extensions present in the request that are not already present
615 are copied to the certificate.
618 then all extensions in the request are copied to the certificate:
619 if the extension is already present in the certificate it is deleted first.
623 option should be used with caution.
624 If care is not taken, it can be a security risk.
625 For example, if a certificate request contains a
627 extension with CA:TRUE and the
631 and the user does not spot
632 this when the certificate is displayed, then this will hand the requestor
633 a valid CA certificate.
635 This situation can be avoided by setting
641 with CA:FALSE in the configuration file.
642 Then if the request contains a
644 extension, it will be ignored.
646 The main use of this option is to allow a certificate request to supply
647 values for certain extensions such as
649 .It Cm crl_extensions
653 A text file containing the next CRL number to use in hex.
654 The CRL number will be inserted in the CRLs only if this file exists.
655 If this file is present, it must contain a valid CRL number.
657 The text database file to use.
659 This file must be present, though initially it will be empty.
660 .It Cm default_crl_hours , default_crl_days
666 These will only be used if neither command line option is present.
667 At least one of these must be present to generate a CRL.
672 The number of days to certify a certificate for.
673 .It Cm default_enddate
677 Either this option or
679 .Pq or the command line equivalents
685 The message digest to use.
687 .It Cm default_startdate
691 The start date to certify a certificate for.
692 If not set, the current time is used.
696 If the EMAIL field is to be removed from the DN of the certificate,
699 If not present, the default is to allow for the EMAIL field in the
704 .It Cm name_opt , cert_opt
705 These options allow the format used to display the certificate details
706 when asking the user to confirm signing.
707 All the options supported by the
713 switches can be used here, except that
717 are permanently set and cannot be disabled
718 (this is because the certificate signature cannot be displayed because
719 the certificate has not been signed at this point).
721 For convenience, the value
723 is accepted by both to produce a reasonable output.
725 If neither option is present, the format used in earlier versions of
728 Use of the old format is
730 discouraged because it only displays fields mentioned in the
733 mishandles multicharacter string types and does not display extensions.
738 It specifies the directory where new certificates will be placed.
741 This specifies a file containing additional object identifiers.
742 Each line of the file should consist of the numerical form of the
743 object identifier followed by whitespace, then the short name followed
744 by whitespace and finally the long name.
746 This specifies a section in the configuration file containing extra
748 Each line should consist of the short name of the object identifier
751 and the numerical form.
752 The short and long names are the same when this option is used.
764 The file containing the CA private key.
767 A text file containing the next serial number to use in hex.
769 This file must be present and contain a valid serial number.
770 .It Cm unique_subject
773 is given, the valid certificate entries in the
774 database must have unique subjects.
778 several valid certificate entries may have the exact same subject.
781 .It Cm x509_extensions
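As an added example (not part of this manual page), the script below sets up a throwaway CA to show the copy_extensions risk described above together with the CA's revocation and CRL options: the request asks for basicConstraints CA:TRUE, but because the x509_extensions section already sets CA:FALSE, the copy setting leaves the request's value unused while still copying its subjectAltName. The issued certificate is then revoked with -revoke and -crl_reason, a CRL generated with -gencrl and -crldays, and the CRL checked against the CA certificate. Every path, section name and subject is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the man page): a throwaway CA showing why
# copy_extensions = copy is the safe setting. The request asks for
# basicConstraints CA:TRUE; because the CA's x509_extensions section
# already sets CA:FALSE, the copied extension is ignored while the
# subjectAltName from the request is kept. The certificate is then
# revoked and a CRL issued and verified. Every path, name and subject
# here is constructed for the example.

ca_copy_extensions_demo() {
    dir="$1"
    mkdir -p "$dir/newcerts" || return 1
    : >"$dir/index.txt"    # empty text database
    echo 01 >"$dir/serial"  # next serial number, in hex
    cfg="$dir/ca.cnf"
    cat >"$cfg" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_leaf
x509_extensions = leaf_ext
# copy: request extensions are added only where leaf_ext has not set
# them; copyall would let the request's CA:TRUE replace CA:FALSE.
copy_extensions = copy

[ policy_leaf ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ hostile_req_ext ]
# a legitimate SAN with CA:TRUE smuggled in beside it
basicConstraints = CA:TRUE
subjectAltName   = DNS:leaf.example.test
EOF
    # Self-signed CA certificate and key.
    openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj /CN=Demo-CA \
        -extensions v3_ca >/dev/null 2>&1 || return 1
    # Request carrying the hostile extension section.
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj /CN=leaf.example.test -reqexts hostile_req_ext >/dev/null 2>&1 || return 1
    # Sign in batch mode; -notext leaves only the PEM block in the output.
    openssl ca -config "$cfg" -batch -notext -in "$dir/leaf.csr" \
        -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
    # Revoke with a reason, issue a CRL, then verify the CRL against the CA.
    openssl ca -config "$cfg" -batch -revoke "$dir/leaf.pem" \
        -crl_reason keyCompromise >/dev/null 2>&1 || return 1
    openssl ca -config "$cfg" -batch -gencrl -crldays 7 \
        -out "$dir/crl.pem" >/dev/null 2>&1 || return 1
    openssl crl -in "$dir/crl.pem" -CAfile "$dir/ca.pem" -noout \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/leaf.pem" -noout -text
    openssl crl -in "$dir/crl.pem" -noout -text
}

# Returns 0 when the leaf is CA:FALSE, keeps its SAN, and the CRL carries
# the keyCompromise reason.
ca_copy_extensions_demo_ok() {
    tmp=$(mktemp -d) || return 1
    out=$(ca_copy_extensions_demo "$tmp")
    status=$?
    rm -rf "$tmp"
    [ "$status" -eq 0 ] || return 1
    echo "$out" | grep -q 'CA:FALSE' || return 1
    echo "$out" | grep -q 'DNS:leaf.example.test' || return 1
    echo "$out" | grep -q 'Key Compromise' || return 1
    ! echo "$out" | grep -q 'CA:TRUE'
}

if command -v openssl >/dev/null 2>&1; then
    ca_copy_extensions_demo_ok && echo "CA:TRUE from the request was not honoured"
fi
```

Switching copy_extensions to copyall in the same configuration is the failure mode the text warns about: the request's basicConstraints would then replace the CA's, and the check for CA:TRUE above would fail.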
795 cipher lists into ordered SSL cipher preference lists.
796 It can be used as a test tool to determine the appropriate cipherlist.
798 The options are as follows:
801 Print a brief usage message.
803 Only include TLS v1 ciphers.
806 List ciphers with a complete description of protocol version,
807 key exchange, authentication, encryption and mac algorithms,
808 any key size restrictions,
809 and cipher suite codes (hex format).
813 but without cipher suite codes.
815 A cipher list to convert to a cipher preference list.
816 If it is not included, the default cipher list will be used.
818 The cipher list consists of one or more cipher strings
820 Commas or spaces are also acceptable separators, but colons are normally used.
822 The actual cipher string can take several different forms:
824 It can consist of a single cipher suite, such as RC4-SHA.
826 It can represent a list of cipher suites containing a certain algorithm,
827 or cipher suites of a certain type.
828 For example SHA1 represents all cipher suites using the digest algorithm SHA1.
830 Lists of cipher suites can be combined in a single cipher string using the
833 (logical AND operation).
834 For example, SHA1+DES represents all cipher suites
835 containing the SHA1 and DES algorithms.
837 Each cipher string can be optionally preceded by the characters
844 is used, then the ciphers are permanently deleted from the list.
845 The ciphers deleted can never reappear in the list even if they are
849 is used, then the ciphers are deleted from the list, but some or
850 all of the ciphers can be added again by later options.
853 is used, then the ciphers are moved to the end of the list.
This option doesn't add any new ciphers; it just moves matching existing ones.
856 If none of these characters is present, the string is just interpreted
857 as a list of ciphers to be appended to the current preference list.
858 If the list includes any ciphers already present, they will be ignored;
859 that is, they will not be moved to the end of the list.
861 Additionally, the cipher string
863 can be used at any point to sort the current cipher list in order of
864 encryption algorithm key length.
867 The following is a list of all permitted cipher strings and their meanings.
868 .Bl -tag -width "XXXX"
870 The default cipher list.
871 This is determined at compile time and is currently
872 .Cm ALL:!aNULL:!eNULL:!SSLv2 .
873 This must be the first cipher string specified.
874 .It Cm COMPLEMENTOFDEFAULT
875 The ciphers included in
877 but not enabled by default.
880 Note that this rule does not cover
882 which is not included by
888 All cipher suites except the
890 ciphers, which must be explicitly enabled.
891 .It Cm COMPLEMENTOFALL
892 The cipher suites not enabled by
898 encryption cipher suites.
899 This currently means those with key lengths larger than 128 bits.
902 encryption cipher suites, currently those using 128-bit encryption.
905 encryption cipher suites, currently those using 64- or 56-bit encryption
910 ciphers; that is, those offering no encryption.
911 Because these offer no encryption at all and are a security risk,
912 they are disabled unless explicitly included.
914 The cipher suites offering no authentication.
915 This is currently the anonymous DH algorithms.
916 These cipher suites are vulnerable to a
917 .Qq man in the middle
918 attack, so their use is normally discouraged.
920 Cipher suites using RSA key exchange.
922 Cipher suites using ephemeral DH key agreement.
924 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
926 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
928 TLS v1.0 cipher suites.
930 Cipher suites using DH, including anonymous DH.
932 Anonymous DH cipher suites.
934 Cipher suites using AES.
936 Cipher suites using triple DES.
938 Cipher suites using DES
941 Cipher suites using RC4.
943 Cipher suites using Camellia.
945 Cipher suites using ChaCha20.
947 Cipher suites using IDEA.
949 Cipher suites using MD5.
951 Cipher suites using SHA1.
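As an added example (not part of this manual page), the following script uses "openssl ciphers" to expand a cipher string and report any suite a deployment should not offer, illustrating the difference between the "!" and "-" prefixes described above. The weak-name patterns are constructed for the example from the keywords listed: NULL (eNULL), ADH and AECDH (aNULL), RC4, single DES, MD5 and export-grade suites.

```shell
#!/bin/sh
# Added example (not from the man page): expand a cipher string with
# "openssl ciphers" and flag suites a deployment should not offer.
# The weak-name patterns are constructed for the example from the
# keywords above: NULL (eNULL), ADH/AECDH (aNULL), RC4, single DES, MD5
# and export-grade suites.

# Print the expanded preference list, one suite per line.
# openssl ciphers exits non-zero if the string matches nothing.
expand_cipher_string() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Print the suites in $1 that match a weak pattern; returns 0 if none.
# DES-CBC- (not DES-CBC3-) singles out single-DES suites.
weak_suites() {
    hits=$(expand_cipher_string "$1" |
        grep -E 'NULL|^ADH-|^AECDH-|RC4|DES-CBC-|MD5|^EXP-')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Number of suites a string expands to (0 if the string is invalid).
cipher_count() {
    expand_cipher_string "$1" 2>/dev/null | grep -c .
}

if command -v openssl >/dev/null 2>&1; then
    # "!" removes permanently: later rules cannot re-add the suites, so
    # the exclusions below hold no matter what precedes them.
    hardened='ALL:!aNULL:!eNULL:!RC4:!DES:!MD5:@STRENGTH'
    if weak_suites "$hardened" >/dev/null; then
        echo "$hardened: no weak suites ($(cipher_count "$hardened") suites)"
    fi
    # "-" only removes until a later rule re-adds: the trailing aNULL
    # brings the anonymous suites back, which "!" would have prevented.
    weak_suites 'ALL:-aNULL:aNULL' >/dev/null ||
        echo "ALL:-aNULL:aNULL re-enables anonymous suites"
fi
```

Which suites exist at all depends on how the library was built, so the check is best run against the same openssl the service links, not a development machine's copy.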
956 .Op Fl CAfile Ar file
961 .Op Fl inform Cm der | pem
967 .Op Fl outform Cm der | pem
973 command processes CRL files in DER or PEM format.
974 The PEM CRL format uses the header and footer lines:
975 .Bd -unfilled -offset indent
976 -----BEGIN X509 CRL-----
977 -----END X509 CRL-----
980 The options are as follows:
982 .It Fl CAfile Ar file
983 Verify the signature on a CRL by looking up the issuing certificate in
985 .It Fl CApath Ar directory
986 Verify the signature on a CRL by looking up the issuing certificate in
988 This directory must be a standard certificate directory,
989 i.e. a hash of each subject name (using
991 should be linked to each certificate.
993 Print the CRL fingerprint.
995 Output a hash of the issuer name.
996 This can be used to look up CRLs in a directory by issuer name.
998 The input file to read from, or standard input if not specified.
999 .It Fl inform Cm der | pem
1002 Output the issuer name.
1012 Don't output the encoded version of the CRL.
1014 The output file to write to, or standard output if not specified.
1015 .It Fl outform Cm der | pem
1018 Print out the CRL in text form.
1022 .Nm "openssl crl2pkcs7"
1023 .Op Fl certfile Ar file
1025 .Op Fl inform Cm der | pem
1028 .Op Fl outform Cm der | pem
1033 command takes an optional CRL and one or more
1034 certificates and converts them into a PKCS#7 degenerate
1035 .Qq certificates only
1038 The options are as follows:
1040 .It Fl certfile Ar file
1041 Add the certificates in PEM
1043 to the PKCS#7 structure.
1044 This option can be used more than once
1045 to read certificates from multiple files.
1049 or standard input if not specified.
1050 .It Fl inform Cm der | pem
1051 Specify the CRL input format.
1053 Normally, a CRL is included in the output file.
1054 With this option, no CRL is
1055 included in the output file and a CRL is not read from the input file.
1057 Write the PKCS#7 structure to
1059 or standard output if not specified.
1060 .It Fl outform Cm der | pem
1061 Specify the PKCS#7 structure output format.
1071 .Fl gost-mac | streebog256 | streebog512 | md_gost94 |
1072 .Fl md4 | md5 | ripemd160 | sha1 |
1073 .Fl sha224 | sha256 | sha384 | sha512 | whirlpool
1079 .Op Fl keyform Ar PEM
1080 .Op Fl mac Ar algorithm
1081 .Op Fl macopt Ar nm : Ns Ar v
1083 .Op Fl passin Ar arg
1084 .Op Fl prverify Ar file
1086 .Op Fl signature Ar file
1087 .Op Fl sigopt Ar nm : Ns Ar v
1088 .Op Fl verify Ar file
1094 .Cm gost-mac | streebog256 | streebog512 | md_gost94 |
1095 .Cm md4 | md5 | ripemd160 | sha1 |
1096 .Cm sha224 | sha256 | sha384 | sha512 | whirlpool
1101 The digest functions output the message digest of a supplied
1105 in hexadecimal form.
1106 They can also be used for digital signing and verification.
1108 The options are as follows:
1111 Output the digest or signature in binary form.
1113 Print out the digest in two-digit groups separated by colons; only relevant if
1115 format output is used.
1117 Print out BIO debugging information.
1119 Digest is to be output as a hex dump.
1120 This is the default case for a
1122 digest as opposed to a digital signature.
1124 Create a hashed MAC using
1126 .It Fl keyform Ar PEM
1127 Specifies the key format to sign the digest with.
1128 .It Fl mac Ar algorithm
1129 Create a keyed Message Authentication Code (MAC).
The most popular MAC algorithm is HMAC (hash-based MAC),
but there are other MAC algorithms which are not based on a hash function.
1132 MAC keys and other options should be set via the
1135 .It Fl macopt Ar nm : Ns Ar v
1136 Passes options to the MAC algorithm, specified by
1138 The following options are supported by HMAC:
1140 .It Ar key : Ns Ar string
1141 Specifies the MAC key as an alphanumeric string
(use if the key contains printable characters only).
1143 String length must conform to any restrictions of the MAC algorithm.
1144 .It Ar hexkey : Ns Ar string
1145 Specifies the MAC key in hexadecimal form (two hex digits per byte).
1146 Key length must conform to any restrictions of the MAC algorithm.
1149 The file to output to, or standard output by default.
1150 .It Fl passin Ar arg
1151 The key password source.
1152 .It Fl prverify Ar file
1153 Verify the signature using the private key in
1155 The output is either
1158 .Qq Verification Failure .
1160 Digitally sign the digest using the private key in
1162 .It Fl signature Ar file
1163 The actual signature to verify.
1164 .It Fl sigopt Ar nm : Ns Ar v
1165 Pass options to the signature algorithm during sign or verify operations.
1166 The names and values of these options are algorithm-specific.
1167 .It Fl verify Ar file
1168 Verify the signature using the public key in
1170 The output is either
1173 .Qq Verification Failure .
1175 File or files to digest.
1176 If no files are specified then standard input is used.
1179 The digest of choice for all new applications is SHA1.
1180 Other digests are, however, still widely used.
1182 If you wish to sign or verify data using the DSA algorithm, the dss1
1183 digest must be used.
1185 A source of random numbers is required for certain signing algorithms, in
1188 The signing and verify options should only be used if a single file is
1189 being signed or verified.
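As an added example (not part of this manual page), the script below exercises the -mac and -macopt options and the -sign, -verify and -signature options described above, including the verification failure a consumer must handle. The key, message and tampered copy are constructed for the example; the HMAC check uses RFC 4231 test case 1, a published test vector.

```shell
#!/bin/sh
# Added example (not from the man page): keyed MACs and detached
# signatures with openssl dgst, including the failure path a verifier
# must handle. Key, message and tamper are constructed for the example;
# the HMAC check uses the RFC 4231 test case 1 vector.

# HMAC-SHA256 of stdin under a hex key; prints only the hex tag.
hmac_sha256_hex() {
    # $1: key as hex digits (two per byte). The output line ends in
    # "= <hex>", so keep the last field only.
    openssl dgst -sha256 -mac hmac -macopt "hexkey:$1" | awk '{ print $NF }'
}

# Sign a file with an RSA private key and verify it with the public key.
# Returns 0 if the genuine file verifies and a tampered copy does not.
sign_verify_demo() {
    dir="$1"
    printf 'release-1.0.tar\n' >"$dir/msg"
    openssl genrsa -out "$dir/key.pem" 2048 >/dev/null 2>&1 || return 1
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" >/dev/null 2>&1 || return 1

    # Detached signature over the SHA-256 digest of the message.
    openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/msg.sig" "$dir/msg" || return 1

    # Verification with the public key must succeed.
    openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" "$dir/msg" \
        >/dev/null 2>&1 || return 1

    # It must fail on a modified message. dgst prints "Verification
    # Failure" and exits non-zero; rely on the exit status, never on
    # parsing the text.
    printf 'release-1.0.tar\nextra\n' >"$dir/msg.tampered"
    if openssl dgst -sha256 -verify "$dir/pub.pem" -signature "$dir/msg.sig" \
        "$dir/msg.tampered" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

sign_verify_demo_ok() {
    tmp=$(mktemp -d) || return 1
    sign_verify_demo "$tmp"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

if command -v openssl >/dev/null 2>&1; then
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
    printf 'Hi There' | hmac_sha256_hex 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
    sign_verify_demo_ok && echo "signature verified; tampering detected"
fi
```

The HMAC helper takes the key in hex rather than through the key:string form so that keys with non-printable bytes can be used; the signature helpers keep the private key out of the verification step entirely, which is what -verify with the public key is for.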
1194 Diffie-Hellman Parameter Management.
1197 command has been replaced by
1207 .Nm "openssl dhparam"
1214 .Op Fl inform Ar DER | PEM
1217 .Op Fl outform Ar DER | PEM
1225 command is used to manipulate DH parameter files.
1227 The options are as follows:
1230 The generator to use, either 2 or 5.
1232 If present, the input file is ignored and parameters are generated instead.
1234 This option converts the parameters into C code.
1235 The parameters can then be loaded by calling the
1236 .Cm get_dh Ns Ar numbits Ns Li ()
1239 Check the DH parameters.
1241 If this option is used, DSA rather than DH parameters are read or created;
1242 they are converted to DH format.
1246 .Pq such that (p-1)/2 is also prime
1247 will be used for DH parameter generation.
1249 DH parameter generation with the
1251 option is much faster,
1252 and the recommended exponent length is shorter,
1253 which makes DH key exchange more efficient.
1254 Beware that with such DSA-style DH parameters,
1255 a fresh DH key should be created for each use to
1256 avoid small-subgroup attacks that may be possible otherwise.
1258 This specifies the input
1260 to read parameters from, or standard input if this option is not specified.
1261 .It Fl inform Ar DER | PEM
1262 This specifies the input format.
1265 uses an ASN1 DER-encoded form compatible with the PKCS#3 DHparameter
1269 form is the default format:
1270 it consists of the DER format base64-encoded with
1271 additional header and footer lines.
1273 This option inhibits the output of the encoded version of the parameters.
1275 This argument specifies that a parameter set should be generated of size
1277 It must be the last option.
1278 If not present, a value of 2048 is used.
1279 If this value is present, the input file is ignored and
1280 parameters are generated instead.
1282 This specifies the output
1284 to write parameters to.
1285 Standard output is used if this option is not present.
1286 The output filename should
1288 be the same as the input filename.
1289 .It Fl outform Ar DER | PEM
1290 This specifies the output format; the options have the same meaning as the
1294 This option prints out the DH parameters in human readable form.
1296 .Sh DHPARAM WARNINGS
1299 combines the functionality of the programs
1303 in previous versions of
1311 programs are retained for now, but may have different purposes in future
1315 PEM format DH parameters use the header and footer lines:
1316 .Bd -unfilled -offset indent
1317 -----BEGIN DH PARAMETERS-----
1318 -----END DH PARAMETERS-----
1322 currently only supports the older PKCS#3 DH,
1323 not the newer X9.42 DH.
1325 This program manipulates DH parameters not keys.
1327 There should be a way to generate and manipulate DH keys.
1331 command was added in
1347 .Fl aes128 | aes192 | aes256 |
1351 .Op Fl inform Ar DER | PEM
1355 .Op Fl outform Ar DER | PEM
1356 .Op Fl passin Ar arg
1357 .Op Fl passout Ar arg
1366 command processes DSA keys.
1367 They can be converted between various forms and their components printed out.
1370 This command uses the traditional
1372 compatible format for private key encryption:
1373 newer applications should use the more secure PKCS#8 format using the
1377 The options are as follows:
1380 .Fl aes128 | aes192 | aes256 |
1383 These options encrypt the private key with the AES, DES, or the triple DES
1384 ciphers, respectively, before outputting it.
1385 A pass phrase is prompted for.
1386 If none of these options is specified, the key is written in plain text.
1387 This means that using the
1389 utility to read in an encrypted key with no encryption option can be used to
1390 remove the pass phrase from a key,
1391 or by setting the encryption options it can be used to add or change
1393 These options can only be used with PEM format output files.
1395 This specifies the input
1397 to read a key from, or standard input if this option is not specified.
1398 If the key is encrypted, a pass phrase will be prompted for.
1399 .It Fl inform Ar DER | PEM
1400 This specifies the input format.
1403 argument with a private key uses an ASN1 DER-encoded form of an ASN.1
1404 SEQUENCE consisting of the values of version
1405 .Pq currently zero ,
1407 and the public and private key components, respectively, as ASN.1 INTEGERs.
1408 When used with a public key it uses a
1409 .Em SubjectPublicKeyInfo
1410 structure: it is an error if the key is not DSA.
1414 form is the default format:
1415 it consists of the DER format base64-encoded with additional header and footer
1417 In the case of a private key, PKCS#8 format is also accepted.
1419 This option prints out the value of the public key component of the key.
1421 This option prevents output of the encoded version of the key.
1423 This specifies the output
1425 to write a key to, or standard output if not specified.
1426 If any encryption options are set then a pass phrase will be
1428 The output filename should
1430 be the same as the input filename.
1431 .It Fl outform Ar DER | PEM
1432 This specifies the output format; the options have the same meaning as the
1435 .It Fl passin Ar arg
1436 The key password source.
1437 .It Fl passout Ar arg
1438 The output file password source.
1440 By default, a private key is read from the input file.
1441 With this option a public key is read instead.
1443 By default, a private key is output.
1444 With this option a public key will be output instead.
1445 This option is automatically set if the input is a public key.
1447 Prints out the public/private key components and parameters.
1450 The PEM private key format uses the header and footer lines:
1451 .Bd -unfilled -offset indent
1452 -----BEGIN DSA PRIVATE KEY-----
1453 -----END DSA PRIVATE KEY-----
1456 The PEM public key format uses the header and footer lines:
1457 .Bd -unfilled -offset indent
1458 -----BEGIN PUBLIC KEY-----
1459 -----END PUBLIC KEY-----
1462 To remove the pass phrase on a DSA private key:
1464 .Dl $ openssl dsa -in key.pem -out keyout.pem
1466 To encrypt a private key using triple DES:
1468 .Dl $ openssl dsa -in key.pem -des3 -out keyout.pem
1470 To convert a private key from PEM to DER format:
1472 .Dl $ openssl dsa -in key.pem -outform DER -out keyout.der
1474 To print out the components of a private key to standard output:
1476 .Dl $ openssl dsa -in key.pem -text -noout
1478 To just output the public part of a private key:
1480 .Dl $ openssl dsa -in key.pem -pubout -out pubkey.pem
1486 .Nm "openssl dsaparam"
1491 .Op Fl inform Ar DER | PEM
1494 .Op Fl outform Ar DER | PEM
1502 command is used to manipulate or generate DSA parameter files.
1504 The options are as follows:
1507 This option converts the parameters into C code.
1508 The parameters can then be loaded by calling the
1509 .Cm get_dsa Ns Ar XXX Ns Li ()
1512 This option will generate a DSA either using the specified or generated
1515 This specifies the input
1517 to read parameters from, or standard input if this option is not specified.
1520 parameter is included, then this option will be ignored.
1521 .It Fl inform Ar DER | PEM
1522 This specifies the input format.
1525 argument uses an ASN1 DER-encoded form compatible with RFC 2459
1527 DSS-Parms that is a SEQUENCE consisting of p, q and g, respectively.
1530 form is the default format:
1531 it consists of the DER format base64-encoded with additional header
1534 This option inhibits the output of the encoded version of the parameters.
1536 This option specifies that a parameter set should be generated of size
1538 If this option is included, the input file
1542 This specifies the output
1544 to write parameters to.
1545 Standard output is used if this option is not present.
1546 The output filename should
1548 be the same as the input filename.
1549 .It Fl outform Ar DER | PEM
1550 This specifies the output format; the options have the same meaning as the
1554 This option prints out the DSA parameters in human readable form.
1557 PEM format DSA parameters use the header and footer lines:
1558 .Bd -unfilled -offset indent
1559 -----BEGIN DSA PARAMETERS-----
1560 -----END DSA PARAMETERS-----
1563 DSA parameter generation is a slow process and as a result the same set of
1564 DSA parameters is often used to generate several distinct keys.
1572 .Op Fl conv_form Ar arg
1576 .Op Fl inform Ar DER | PEM
1579 .Op Fl outform Ar DER | PEM
1580 .Op Fl param_enc Ar arg
1582 .Op Fl passin Ar arg
1583 .Op Fl passout Ar arg
1592 command processes EC keys.
1593 They can be converted between various
1594 forms and their components printed out.
1597 uses the private key format specified in
1598 .Dq SEC 1: Elliptic Curve Cryptography
1599 .Pq Lk http://www.secg.org/ .
1602 EC private key into the PKCS#8 private key format use the
1606 The options are as follows:
1608 .It Fl conv_form Ar arg
1609 This specifies how the points on the elliptic curve are converted
1611 Possible values are:
1613 (the default value),
1617 For more information regarding
1618 the point conversion forms please read the X9.62 standard.
1620 Due to patent issues the
1622 option is disabled by default for binary curves
1623 and can be enabled by defining the preprocessor macro
1624 .Ar OPENSSL_EC_BIN_PT_COMP
1627 These options encrypt the private key with the DES, triple DES, or
1628 any other cipher supported by
1630 before outputting it.
1631 A pass phrase is prompted for.
1632 If none of these options is specified the key is written in plain text.
1633 This means that using the
1635 utility to read in an encrypted key with no
1636 encryption option can be used to remove the pass phrase from a key,
1637 or by setting the encryption options
1638 it can be used to add or change the pass phrase.
1639 These options can only be used with PEM format output files.
1641 This specifies the input filename to read a key from,
1642 or standard input if this option is not specified.
1643 If the key is encrypted a pass phrase will be prompted for.
1644 .It Fl inform Ar DER | PEM
1645 This specifies the input format.
1646 DER with a private key uses
1647 an ASN.1 DER-encoded SEC1 private key.
1648 When used with a public key it
1649 uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
1650 PEM is the default format:
1651 it consists of the DER format base64
1652 encoded with additional header and footer lines.
1653 In the case of a private key
1654 PKCS#8 format is also accepted.
1656 Prevents output of the encoded version of the key.
1658 Specifies the output filename to write a key to,
1659 or standard output if none is specified.
1660 If any encryption options are set then a pass phrase will be prompted for.
1661 The output filename should
1663 be the same as the input filename.
1664 .It Fl outform Ar DER | PEM
1665 This specifies the output format.
1666 The options have the same meaning as the
1669 .It Fl param_enc Ar arg
1670 This specifies how the elliptic curve parameters are encoded.
1673 i.e. the EC parameters are specified by an OID; or
1675 where the EC parameters are explicitly given
1676 (see RFC 3279 for the definition of the EC parameter structures).
1677 The default value is
1682 as specified in RFC 3279,
1683 is currently not implemented in
1685 .It Fl passin Ar arg
1686 The key password source.
1687 .It Fl passout Ar arg
1688 The output file password source.
1690 By default a private key is read from the input file;
1691 with this option a public key is read instead.
1693 By default a private key is output;
1694 with this option a public key is output instead.
1695 This option is automatically set if the input is a public key.
1697 Prints out the public/private key components and parameters.
1700 The PEM private key format uses the header and footer lines:
1701 .Bd -literal -offset indent
1702 -----BEGIN EC PRIVATE KEY-----
1703 -----END EC PRIVATE KEY-----
1706 The PEM public key format uses the header and footer lines:
1707 .Bd -literal -offset indent
1708 -----BEGIN PUBLIC KEY-----
1709 -----END PUBLIC KEY-----
1712 To encrypt a private key using triple DES:
1713 .Bd -literal -offset indent
1714 $ openssl ec -in key.pem -des3 -out keyout.pem
1717 To convert a private key from PEM to DER format:
1718 .Bd -literal -offset indent
1719 $ openssl ec -in key.pem -outform DER -out keyout.der
1722 To print out the components of a private key to standard output:
1723 .Bd -literal -offset indent
1724 $ openssl ec -in key.pem -text -noout
1727 To just output the public part of a private key:
1728 .Bd -literal -offset indent
1729 $ openssl ec -in key.pem -pubout -out pubkey.pem
1732 To change the parameter encoding to
1734 .Bd -literal -offset indent
1735 $ openssl ec -in key.pem -param_enc explicit -out keyout.pem
1738 To change the point conversion form to
1740 .Bd -literal -offset indent
1741 $ openssl ec -in key.pem -conv_form compressed -out keyout.pem
1746 command was first introduced in
1756 .Nm "openssl ecparam"
1760 .Op Fl conv_form Ar arg
1763 .Op Fl inform Ar DER | PEM
1769 .Op Fl outform Ar DER | PEM
1770 .Op Fl param_enc Ar arg
1775 This command is used to manipulate or generate EC parameter files.
1777 The options are as follows:
1780 Convert the EC parameters into C code.
1781 The parameters can then be loaded by calling the
1782 .Fn get_ec_group_XXX
1785 Validate the elliptic curve parameters.
1786 .It Fl conv_form Ar arg
1787 Specify how the points on the elliptic curve are converted
1789 Possible values are:
1791 (the default value),
1795 For more information regarding
1796 the point conversion forms please read the X9.62 standard.
1798 Due to patent issues the
1800 option is disabled by default for binary curves
1801 and can be enabled by defining the preprocessor macro
1802 .Ar OPENSSL_EC_BIN_PT_COMP
1805 Generate an EC private key using the specified parameters.
1807 Specify the input filename to read parameters from or standard input if
1808 this option is not specified.
1809 .It Fl inform Ar DER | PEM
1810 Specify the input format.
1811 DER uses an ASN.1 DER-encoded
1812 form compatible with RFC 3279 EcpkParameters.
1813 PEM is the default format:
1814 it consists of the DER format base64 encoded with additional
1815 header and footer lines.
1817 Print out a list of all
1818 currently implemented EC parameter names and exit.
1820 Use the EC parameters with the specified 'short' name.
1823 to get a list of all currently implemented EC parameters.
1825 Do not include the 'seed' used for parameter generation
1826 in the ECParameters structure (see RFC 3279).
1828 Inhibit the output of the encoded version of the parameters.
1830 Specify the output filename parameters are written to.
1831 Standard output is used if this option is not present.
1832 The output filename should
1834 be the same as the input filename.
1835 .It Fl outform Ar DER | PEM
1836 Specify the output format;
1837 the parameters have the same meaning as the
1840 .It Fl param_enc Ar arg
1841 This specifies how the elliptic curve parameters are encoded.
1844 i.e. the EC parameters are specified by an OID, or
1846 where the EC parameters are explicitly given
1847 (see RFC 3279 for the definition of the EC parameter structures).
1848 The default value is
1852 alternative, as specified in RFC 3279,
1853 is currently not implemented in
1856 Print out the EC parameters in human readable form.
1859 PEM format EC parameters use the header and footer lines:
1860 .Bd -literal -offset indent
1861 -----BEGIN EC PARAMETERS-----
1862 -----END EC PARAMETERS-----
1866 is currently not able to generate new groups and therefore
1868 can only create EC parameters from known (named) curves.
1869 .Sh ECPARAM EXAMPLES
1870 To create EC parameters with the group 'prime192v1':
1871 .Bd -literal -offset indent
1872 $ openssl ecparam -out ec_param.pem -name prime192v1
1875 To create EC parameters with explicit parameters:
1876 .Bd -literal -offset indent
1877 $ openssl ecparam -out ec_param.pem -name prime192v1 \e
1881 To validate given EC parameters:
1882 .Bd -literal -offset indent
1883 $ openssl ecparam -in ec_param.pem -check
1886 To create EC parameters and a private key:
1887 .Bd -literal -offset indent
1888 $ openssl ecparam -out ec_key.pem -name prime192v1 -genkey
1891 To change the point encoding to 'compressed':
1892 .Bd -literal -offset indent
1893 $ openssl ecparam -in ec_in.pem -out ec_out.pem \e
1894 -conv_form compressed
1897 To print out the EC parameters to standard output:
1898 .Bd -literal -offset indent
1899 $ openssl ecparam -in ec_param.pem -noout -text
1904 command was first introduced in
1919 .Op Fl bufsize Ar number
1924 .Op Fl k Ar password
1925 .Op Fl kfile Ar file
1937 The symmetric cipher commands allow data to be encrypted or decrypted
1938 using various block and stream ciphers using keys based on passwords
1939 or explicitly provided.
1940 Base64 encoding or decoding can also be performed either by itself
1941 or in addition to the encryption or decryption.
1943 The options are as follows:
1948 option is set, then base64 process the data on one line.
1950 Base64 process the data.
1951 This means that if encryption is taking place, the data is base64-encoded
1953 If decryption is set, the input data is base64 decoded before
1955 .It Fl bufsize Ar number
1956 Set the buffer size for I/O.
1958 Decrypt the input data.
1960 Debug the BIOs used for I/O.
1962 Encrypt the input data: this is the default.
1966 standard input by default.
1970 .Pq initialisation vector
1972 this must be represented as a string comprised only of hex digits.
1975 is specified using the
1979 must explicitly be defined.
1980 When a password is being specified using one of the other options,
1983 is generated from this password.
1988 this must be represented as a string comprised only of hex digits.
1989 If only the key is specified, the
1991 must be additionally specified using the
2002 option will be used and the
2004 generated from the password will be taken.
2005 It probably does not make much sense to specify both
2009 .It Fl k Ar password
2012 to derive the key from.
2013 This is for compatibility with previous versions of
2018 .It Fl kfile Ar file
2019 Read the password to derive the key from the first line of
2021 This is for compatibility with previous versions of
2029 to create a key from a pass phrase.
2036 Use NULL cipher (no encryption or decryption of input).
2038 Disable standard block padding.
2042 in the key derivation routines.
2045 be used unless compatibility with previous versions of
2053 standard output by default.
2060 used, then immediately exit;
2061 don't do any encryption or decryption.
2070 The password source.
2075 this must be represented as a string comprised only of hex digits.
2079 in the key derivation routines.
2080 This is the default.
2083 The program can be called either as
2084 .Nm openssl ciphername
2086 .Nm openssl enc -ciphername .
2088 A password will be prompted for to derive the
2098 be used unless compatibility with previous versions of
2106 option it is possible to perform efficient dictionary
2107 attacks on the password and to attack stream cipher encrypted data.
2108 The reason for this is that without the salt
2109 the same password always generates the same encryption key.
2111 is being used the first eight bytes of the encrypted data are reserved
2113 it is generated at random when encrypting a file and read from the
2114 encrypted file when it is decrypted.
2116 Some of the ciphers do not have large keys and others have security
2117 implications if not used correctly.
2118 A beginner is advised to just use a strong block cipher in CBC mode
2121 All the block ciphers normally use PKCS#5 padding also known as standard block
2123 this allows a rudimentary integrity or password check to be performed.
2124 However, since the chance of random data passing the test is
2125 better than 1 in 256, it isn't a very good test.
2127 If padding is disabled, the input data must be a multiple of the cipher
2130 All RC2 ciphers have the same key and effective key length.
2132 Blowfish and RC5 algorithms use a 128-bit key.
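The salt and padding behaviour described in the notes above, as an added example in Python that is not part of openssl(1) or libcrypto. It assumes the legacy derivation (EVP_BytesToKey with MD5, one iteration) and the "Salted__" magic followed by the 8-byte salt at the start of the ciphertext; the sample blob is constructed.

```python
"""Added example (not openssl(1) code): password-to-key derivation with and
without a salt, the "Salted__" header, and the PKCS#5 padding check whose
false-accept rate the ENC notes put at slightly better than 1 in 256.
Assumptions: EVP_BytesToKey with MD5 and count 1, and an 8-byte salt after
the 8-byte "Salted__" magic, as legacy `openssl enc` uses."""
import hashlib
from fractions import Fraction
from typing import Optional, Tuple

SALT_MAGIC = b"Salted__"   # 8-byte magic, then the 8-byte salt, then ciphertext


def bytes_to_key(password: bytes, salt: Optional[bytes],
                 key_len: int, iv_len: int) -> Tuple[bytes, bytes]:
    """EVP_BytesToKey(MD5, count=1): D_i = MD5(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    if salt is not None and len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    salt = salt or b""          # -nosalt: the same password always yields the same key
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted_header(data: bytes) -> Tuple[Optional[bytes], bytes]:
    """Return (salt, ciphertext) for an `openssl enc` output blob; a blob
    without the magic is treated as -nosalt output."""
    if data.startswith(SALT_MAGIC) and len(data) >= 16:
        return data[8:16], data[16:]
    return None, data


def derive_from_enc_output(password: bytes, data: bytes,
                           key_len: int, iv_len: int):
    """Recover the salt as the decrypting side does and derive key and IV.
    Returns (salt, key, iv, ciphertext)."""
    salt, ciphertext = split_salted_header(data)
    key, iv = bytes_to_key(password, salt, key_len, iv_len)
    return salt, key, iv, ciphertext


def pkcs5_pad(data: bytes, block_size: int = 8) -> bytes:
    """Standard block padding: n bytes of value n, 1 <= n <= block_size."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes, block_size: int = 8) -> bytes:
    """Strip standard block padding; raise on an invalid trailer, which is
    the rudimentary password/integrity check the notes mention."""
    if not data or len(data) % block_size:
        raise ValueError("data is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt: invalid padding")
    return data[:-n]


def random_pass_probability(block_size: int = 8) -> Fraction:
    """Exact chance that a uniformly random final block passes pkcs5_unpad:
    last byte n in 1..block_size and the n-1 bytes before it equal to n,
    i.e. sum over n of 256**-n, which is a little above 1/256."""
    return sum(Fraction(1, 256 ** n) for n in range(1, block_size + 1))
```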
2133 .Sh ENC SUPPORTED CIPHERS
2134 .Bd -unfilled -offset indent
2135 aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
2136 aes-[128|192|256] Alias for aes-[128|192|256]-cbc
2137 aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
2138 aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
2139 aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
2140 aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
2141 aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
2146 bf-cbc Blowfish in CBC mode
2147 bf-cfb Blowfish in CFB mode
2148 bf-ecb Blowfish in ECB mode
2149 bf-ofb Blowfish in OFB mode
2151 cast Alias for cast-cbc
2152 cast-cbc CAST in CBC mode
2153 cast5-cbc CAST5 in CBC mode
2154 cast5-cfb CAST5 in CFB mode
2155 cast5-ecb CAST5 in ECB mode
2156 cast5-ofb CAST5 in OFB mode
2158 des Alias for des-cbc
2159 des-cbc DES in CBC mode
2160 des-cfb DES in CFB mode
2161 des-ecb DES in ECB mode
2162 des-ofb DES in OFB mode
2164 des-ede Two key triple DES EDE in ECB mode
2165 des-ede-cbc Two key triple DES EDE in CBC mode
2166 des-ede-cfb Two key triple DES EDE in CFB mode
2167 des-ede-ofb Two key triple DES EDE in OFB mode
2169 des3 Alias for des-ede3-cbc
2170 des-ede3 Three key triple DES EDE in ECB mode
2171 des-ede3-cbc Three key triple DES EDE in CBC mode
2172 des-ede3-cfb Three key triple DES EDE in CFB mode
2173 des-ede3-ofb Three key triple DES EDE in OFB mode
2177 rc2 Alias for rc2-cbc
2178 rc2-cbc 128-bit RC2 in CBC mode
2179 rc2-cfb 128-bit RC2 in CFB mode
2180 rc2-ecb 128-bit RC2 in ECB mode
2181 rc2-ofb 128-bit RC2 in OFB mode
2182 rc2-64-cbc 64-bit RC2 in CBC mode
2183 rc2-40-cbc 40-bit RC2 in CBC mode
2189 Just base64 encode a binary file:
2191 .Dl $ openssl base64 -in file.bin -out file.b64
2193 Decode the same file:
2195 .Dl $ openssl base64 -d -in file.b64 -out file.bin
2197 Encrypt a file using triple DES in CBC mode using a prompted password:
2199 .Dl $ openssl des3 -salt -in file.txt -out file.des3
2201 Decrypt a file using a supplied password:
2203 .Dl "$ openssl des3 -d -in file.des3 -out file.txt -k mypassword"
2205 Encrypt a file then base64 encode it
2206 (so it can be sent via mail for example)
2207 using Blowfish in CBC mode:
2209 .Dl $ openssl bf -a -salt -in file.txt -out file.bf
2211 Base64 decode a file then decrypt it:
2213 .Dl "$ openssl bf -d -a -in file.bf -out file.txt"
2217 option when used with large files doesn't work properly.
2219 There should be an option to allow an iteration count to be included.
2223 program only supports a fixed number of algorithms with certain parameters.
2224 Therefore it is not possible to use RC2 with a 76-bit key
2225 or RC4 with an 84-bit key with this program.
2236 command performs error number to error string conversion,
2237 generating a human-readable string representing the error code
2239 The string is obtained through the
2240 .Xr ERR_error_string_n 3
2241 function and has the following format:
2243 .Dl error:[error code]:[library name]:[function name]:[reason string]
2246 is an 8-digit hexadecimal number.
2247 The remaining fields
2254 The options are as follows:
2257 Print debugging statistics about various aspects of the hash table.
2260 The following error code:
2262 .Dl 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
2264 \&...can be displayed with:
2266 .Dl $ openssl errstr 2006D080
2268 \&...to produce the error message:
2270 .Dl error:2006D080:BIO routines:BIO_new_file:no such file
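A decoder for the packed error code and the logged error line shown above, added here as an example in Python; it is not openssl(1) code. It assumes the classic ERR_PACK layout of 8 library bits, 12 function bits and 12 reason bits, which the manual's own example (2006D080 giving lib 32, func 109, reason 128) is consistent with.

```python
"""Added example (not openssl(1) code): split an 8-hex-digit OpenSSL error
code into library, function and reason numbers, and parse the
`pid:error:code:lib:func:reason:file:line:` lines applications log, so a
log pipeline can group by library/reason even when the binary lacked the
error strings and printed only lib(32):func(109):reason(128).
Assumption: the classic ERR_PACK layout, lib<<24 | func<<12 | reason."""
import re
from typing import NamedTuple


class ErrCode(NamedTuple):
    lib: int
    func: int
    reason: int


def decode_error_code(code: str) -> ErrCode:
    """'2006D080' -> ErrCode(lib=32, func=109, reason=128)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", code):
        raise ValueError("error code must be 8 hexadecimal digits")
    value = int(code, 16)
    return ErrCode(lib=(value >> 24) & 0xFF,
                   func=(value >> 12) & 0xFFF,
                   reason=value & 0xFFF)


# pid:error:code:library:function:reason:file:line:[extra data]
LOG_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)


def parse_error_line(line: str) -> dict:
    """Parse one logged error line; pid and line become ints and the packed
    code is decoded into its numeric parts under key 'decoded'."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line")
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    fields["line"] = int(fields["line"])
    fields["decoded"] = decode_error_code(fields["code"])
    return fields


# Sample input taken from the manual's ERRSTR example
SAMPLE = "27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:"

if __name__ == "__main__":
    print(parse_error_line(SAMPLE))
```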
2275 Generation of Diffie-Hellman Parameters.
2286 .Nm "openssl gendsa"
2289 .Fl aes128 | aes192 | aes256 |
2299 command generates a DSA private key from a DSA parameter file
2300 (which will typically be generated by the
2301 .Nm openssl dsaparam
2304 The options are as follows:
2307 .Fl aes128 | aes192 | aes256 |
2310 These options encrypt the private key with the AES, DES,
2311 or the triple DES ciphers, respectively, before outputting it.
2312 A pass phrase is prompted for.
2313 If none of these options are specified, no encryption is used.
2317 If this argument is not specified, standard output is used.
2319 This option specifies the DSA parameter file to use.
2320 The parameters in this file determine the size of the private key.
2321 DSA parameters can be generated and examined using the
2322 .Nm openssl dsaparam
2326 DSA key generation is little more than random number generation so it is
2327 much quicker than RSA key generation, for example.
2333 .Nm "openssl genpkey"
2335 .Op Fl algorithm Ar alg
2339 .Op Fl outform Ar DER | PEM
2340 .Op Fl paramfile Ar file
2342 .Op Fl pkeyopt Ar opt : Ns Ar value
2349 command generates private keys.
2351 program is encouraged over the algorithm specific utilities
2352 because additional algorithm options can be used.
2354 The options are as follows:
2356 .It Fl algorithm Ar alg
2357 The public key algorithm to use,
2358 such as RSA, DSA, or DH.
2359 If used this option must precede any
2366 are mutually exclusive.
2368 Encrypt the private key with the supplied cipher.
2369 Any algorithm name accepted by
2370 .Fn EVP_get_cipherbyname
2371 is acceptable, such as
2374 Generate a set of parameters instead of a private key.
2375 If used this option must precede any
2382 The output filename.
2383 If this argument is not specified then standard output is used.
2384 .It Fl outform Ar DER | PEM
2385 This specifies the output format, DER or PEM.
2386 .It Fl paramfile Ar file
2387 Some public key algorithms generate a private key based on a set of parameters.
2388 They can be supplied using this option.
2389 If this option is used the public key
2390 algorithm used is determined by the parameters.
2391 If used this option must precede any
2398 are mutually exclusive.
2400 The output file password source.
2401 .It Fl pkeyopt Ar opt : Ns Ar value
2402 Set the public key algorithm option
2406 The precise set of options supported
2407 depends on the public key algorithm used and its implementation.
2409 .Sx GENPKEY KEY GENERATION OPTIONS
2410 below for more details.
2412 Print an (unencrypted) text representation of private and public keys and
2413 parameters along with the DER or PEM structure.
2415 .Sh GENPKEY KEY GENERATION OPTIONS
2416 The options supported by each algorithm
2417 and indeed each implementation of an algorithm can vary.
2420 implementations are detailed below.
2421 .Bl -tag -width Ds -offset indent
2422 .It rsa_keygen_bits : Ns Ar numbits
2424 The number of bits in the generated key.
2425 If not specified 2048 is used.
2426 .It rsa_keygen_pubexp : Ns Ar value
2428 The RSA public exponent value.
2429 This can be a large decimal or hexadecimal value if preceded by 0x.
2430 The default value is 65537.
2431 .It dsa_paramgen_bits : Ns Ar numbits
2433 The number of bits in the generated parameters.
2434 If not specified 1024 is used.
2435 .It dh_paramgen_prime_len : Ns Ar numbits
2437 The number of bits in the prime parameter
2439 .It dh_paramgen_generator : Ns Ar value
2441 The value to use for the generator
2443 .It ec_paramgen_curve : Ns Ar curve
2445 The EC curve to use.
2447 .Sh GENPKEY EXAMPLES
2448 Generate an RSA private key using default parameters:
2449 .Bd -literal -offset indent
2450 $ openssl genpkey -algorithm RSA -out key.pem
2453 Encrypt and output a private key using 128-bit AES and the passphrase "hello":
2454 .Bd -literal -offset indent
2455 $ openssl genpkey -algorithm RSA -out key.pem \e
2456 -aes-128-cbc -pass pass:hello
2459 Generate a 2048-bit RSA key using 3 as the public exponent:
2460 .Bd -literal -offset indent
2461 $ openssl genpkey -algorithm RSA -out key.pem \e
2462 -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3
2465 Generate 1024-bit DSA parameters:
2466 .Bd -literal -offset indent
2467 $ openssl genpkey -genparam -algorithm DSA \e
2468 -out dsap.pem -pkeyopt dsa_paramgen_bits:1024
2471 Generate a DSA key from parameters:
2472 .Bd -literal -offset indent
2473 $ openssl genpkey -paramfile dsap.pem -out dsakey.pem
2476 Generate 1024-bit DH parameters:
2477 .Bd -literal -offset indent
2478 $ openssl genpkey -genparam -algorithm DH \e
2479 -out dhp.pem -pkeyopt dh_paramgen_prime_len:1024
2482 Generate a DH key from parameters:
2483 .Bd -literal -offset indent
2484 $ openssl genpkey -paramfile dhp.pem -out dhkey.pem
2491 .Nm "openssl genrsa"
2495 .Fl aes128 | aes192 | aes256 |
2499 .Op Fl passout Ar arg
2506 command generates an RSA private key.
2508 The options are as follows:
2511 The public exponent to use, either 3 or 65537.
2512 The default is 65537.
2514 .Fl aes128 | aes192 | aes256 |
2517 These options encrypt the private key with the AES, DES,
2518 or the triple DES ciphers, respectively, before outputting it.
2519 If none of these options are specified, no encryption is used.
2520 If encryption is used, a pass phrase is prompted for,
2521 if it is not supplied via the
2527 If this argument is not specified, standard output is used.
2528 .It Fl passout Ar arg
2529 The output file password source.
2531 The size of the private key to generate in bits.
2532 This must be the last option specified.
2533 The default is 2048.
2536 RSA private key generation essentially involves the generation of two prime
2538 When generating a private key, various symbols will be output to
2539 indicate the progress of the generation.
2542 represents each number which has passed an initial sieve test;
2544 means a number has passed a single round of the Miller-Rabin primality test.
2545 A newline means that the number has passed all the prime tests
2546 .Pq the actual number depends on the key size .
2548 Because key generation is a random process,
2549 the time taken to generate a key may vary somewhat.
2551 A quirk of the prime generation algorithm is that it cannot generate small
2553 Therefore the number of bits should not be less than 64.
2554 For typical private keys this will not matter because for security reasons
2555 they will be much larger
2556 .Pq typically 2048 bits .
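A small model of the prime search described in the GENRSA notes above (sieve pass, Miller-Rabin rounds, the '.', '+' and newline progress symbols) and of the checks the DHPARAM notes motivate (a safe prime with (p-1)/2 also prime, and subgroup membership of a received public value, the concern behind the small-subgroup warning for DSA-style parameters). This is an added Python example, not the code of openssl(1) or libcrypto; the round count, sieve bound and sizes are this example's own choices, and the sample primes are constructed.

```python
"""Added example (not openssl(1) or libcrypto code): toy prime generation
with genrsa-style progress output, safe-prime DH parameter checking, and
the subgroup test that defends a DH exchange run over DSA-style parameters.
The sieve bound, the 20 Miller-Rabin rounds and the sizes are this
example's own choices."""
import io
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def passes_sieve(n: int) -> bool:
    """Cheap trial division before the probabilistic rounds ('.' in genrsa)."""
    return n > 2 and n % 2 == 1 and all(n % p for p in SMALL_PRIMES if p < n)


def miller_rabin_round(n: int, a: int) -> bool:
    """One Miller-Rabin round with witness a; True means 'probably prime'."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n: int, rounds: int = 20, progress=None) -> bool:
    """Sieve, then `rounds` Miller-Rabin rounds with random witnesses.
    If `progress` is given, write '.' after the sieve, '+' per passed
    round and a newline once every round has passed, as genrsa does."""
    if n in (2, 3):
        return True
    if not passes_sieve(n):
        return False
    if progress:
        progress.write(".")
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # witness in 2..n-2
        if not miller_rabin_round(n, a):
            return False
        if progress:
            progress.write("+")
    if progress:
        progress.write("\n")
    return True


def trace_primality(n: int, rounds: int = 20) -> str:
    """Return the progress symbols emitted while testing n."""
    buf = io.StringIO()
    is_probable_prime(n, rounds, progress=buf)
    return buf.getvalue()


def generate_prime(bits: int, progress=None) -> int:
    """Random search for an odd `bits`-bit prime (top bit forced to 1)."""
    if bits < 8:                                   # the toy search needs some room
        raise ValueError("bits must be at least 8")
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, progress=progress):
            return candidate


def generate_safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime: the kind of prime dhparam makes without -dsaparam."""
    while True:
        q = generate_prime(bits - 1)
        p = 2 * q + 1
        if is_probable_prime(p):
            return p


def check_dh_params(p: int, g: int) -> list:
    """Return the problems found; an empty list means p is a safe prime and
    g lies in 2..p-2 (then every such g has order q or 2q, no tiny subgroup)."""
    if not is_probable_prime(p):
        return ["p is not prime"]
    problems = []
    if not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 is composite (DSA-style p)")
    if not 1 < g < p - 1:
        problems.append("generator g must lie in 2..p-2")
    return problems


def check_peer_public(y: int, p: int, q: int) -> bool:
    """Subgroup membership test for a received public value: 1 < y < p-1 and
    y^q == 1 (mod p), q being the order of the subgroup g generates.  With
    DSA-style parameters this check, or a fresh key per exchange, keeps a
    peer from confining the shared secret to a small subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
```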
2568 command takes a file containing a Netscape certificate
2569 sequence and prints out the certificates contained in it or takes a
2570 file of certificates and converts it into a Netscape certificate
2573 The options are as follows:
2576 This specifies the input
2578 to read, or standard input if this option is not specified.
2580 Specifies the output
2582 or standard output by default.
2584 Normally, a Netscape certificate sequence will be input and the output
2585 is the certificates contained in it.
2588 option the situation is reversed:
2589 a Netscape certificate sequence is created from a file of certificates.
2592 Output the certificates in a Netscape certificate sequence:
2593 .Bd -literal -offset indent
2594 $ openssl nseq -in nseq.pem -out certs.pem
2597 Create a Netscape certificate sequence:
2598 .Bd -literal -offset indent
2599 $ openssl nseq -in certs.pem -toseq -out nseq.pem
2602 The PEM-encoded form uses the same headers and footers as a certificate:
2603 .Bd -unfilled -offset indent
2604 -----BEGIN CERTIFICATE-----
2605 -----END CERTIFICATE-----
2608 A Netscape certificate sequence is a Netscape specific form that can be sent
2609 to browsers as an alternative to the standard PKCS#7 format when several
2610 certificates are sent to the browser:
2611 for example during certificate enrollment.
2612 It is used by the Netscape certificate server, for example.
2614 This program needs a few more options,
2615 like allowing DER or PEM input and output files
2616 and allowing multiple certificate files to be used.
2625 .Op Fl CAfile Ar file
2626 .Op Fl CApath Ar directory
2631 .Ar hostname : Ns Ar port
2633 .Op Fl index Ar indexfile
2634 .Op Fl issuer Ar file
2635 .Op Fl ndays Ar days
2636 .Op Fl nmin Ar minutes
2637 .Op Fl no_cert_checks
2638 .Op Fl no_cert_verify
2643 .Op Fl no_signature_verify
2646 .Op Fl nrequest Ar number
2649 .Op Fl port Ar portnum
2651 .Op Fl reqin Ar file
2652 .Op Fl reqout Ar file
2654 .Op Fl resp_no_certs
2656 .Op Fl respin Ar file
2657 .Op Fl respout Ar file
2659 .Op Fl rother Ar file
2660 .Op Fl rsigner Ar file
2661 .Op Fl serial Ar number
2662 .Op Fl sign_other Ar file
2663 .Op Fl signer Ar file
2664 .Op Fl signkey Ar file
2665 .Op Fl status_age Ar age
2668 .Op Fl url Ar responder_url
2669 .Op Fl VAfile Ar file
2670 .Op Fl validity_period Ar nsec
2671 .Op Fl verify_other Ar file
2675 The Online Certificate Status Protocol
2677 enables applications to determine the
2679 state of an identified certificate
2684 command performs many common OCSP tasks.
2685 It can be used to print out requests and responses,
2686 create requests and send queries to an OCSP responder,
2687 and behave like a mini OCSP server itself.
2689 The options are as follows:
2691 .It Fl CAfile Ar file , Fl CApath Ar directory
2695 containing trusted CA certificates.
2696 These are used to verify the signature on the OCSP response.
2701 The issuer certificate is taken from the previous
2703 option, or an error occurs if no issuer certificate is specified.
2705 Sets the digest algorithm to use for certificate identification
2706 in the OCSP request.
2707 By default SHA-1 is used.
2709 .Fl host Ar hostname : Ns Ar port ,
2714 option is present, then the OCSP request is sent to the host
2719 specifies the HTTP path name to use, or
2722 .It Fl issuer Ar file
2723 This specifies the current issuer certificate.
2724 This option can be used multiple times.
2725 The certificate specified in
2727 must be in PEM format.
2733 .It Fl no_cert_checks
2734 Don't perform any additional checks on the OCSP response signer's certificate.
2735 That is, do not make any checks to see if the signer's certificate is
2736 authorised to provide the necessary status information:
2737 as a result this option should only be used for testing purposes.
2738 .It Fl no_cert_verify
2739 Don't verify the OCSP response signer's certificate at all.
2740 Since this option allows the OCSP response to be signed by any certificate,
2741 it should only be used for testing purposes.
2743 Don't include any certificates in signed request.
2745 Do not use certificates in the response as additional untrusted CA
2748 Ignore certificates contained in the OCSP response
2749 when searching for the signer's certificate.
2750 With this option, the signer's certificate must be specified with either the
2755 .It Fl no_signature_verify
2756 Don't check the signature on the OCSP response.
2757 Since this option tolerates invalid signatures on OCSP responses,
2758 it will normally only be used for testing purposes.
2759 .It Fl nonce , no_nonce
2762 extension to a request or disable an OCSP
2765 Normally, if an OCSP request is input using the
2772 option will force addition of a
2774 If an OCSP request is being created (using the
2781 is automatically added; specifying
2785 Don't attempt to verify the OCSP response signature or the
2788 This option will normally only be used for debugging
2789 since it disables all verification of the responder's certificate.
2793 default is standard output.
2794 .It Fl req_text , resp_text , text
2795 Print out the text form of the OCSP request, response, or both, respectively.
2796 .It Fl reqin Ar file , Fl respin Ar file
2797 Read an OCSP request or response file from
2799 These options are ignored
2800 if an OCSP request or response creation is implied by other options
2801 (for example with the
2806 .It Fl reqout Ar file , Fl respout Ar file
2807 Write out the DER-encoded certificate request or response to
2809 .It Fl serial Ar num
2812 option except the certificate with serial number
2814 is added to the request.
2815 The serial number is interpreted as a decimal integer unless preceded by
2817 Negative integers can also be specified by preceding the value with a
2820 .It Fl sign_other Ar file
2821 Additional certificates to include in the signed request.
2822 .It Fl signer Ar file , Fl signkey Ar file
2823 Sign the OCSP request using the certificate specified in the
2825 option and the private key specified by the
2830 option is not present, then the private key is read from the same file
2832 If neither option is specified, the OCSP request is not signed.
2834 The certificates specified by the
2836 option should be explicitly trusted and no additional checks will be
2838 This is useful when the complete responder certificate chain is not available
2839 or trusting a root CA is not appropriate.
2840 .It Fl url Ar responder_url
2841 Specify the responder URL.
2844 URLs can be specified.
2845 .It Fl VAfile Ar file
2847 containing explicitly trusted responder certificates.
2853 .It Fl validity_period Ar nsec , Fl status_age Ar age
2854 These options specify the range of times, in seconds, which will be tolerated
2855 in an OCSP response.
2856 Each certificate status response includes a
2858 time and an optional
2861 The current time should fall between these two values,
2862 but the interval between the two times may be only a few seconds.
2863 In practice the OCSP responder and clients' clocks may not be precisely
2864 synchronised and so such a check may fail.
2867 option can be used to specify an acceptable error range in seconds,
2868 the default value is 5 minutes.
2872 time is omitted from a response, then this means that new status
2873 information is immediately available.
2874 In this case the age of the
2876 field is checked to see it is not older than
2879 By default, this additional check is not performed.
2880 .It Fl verify_other Ar file
2882 containing additional certificates to search when attempting to locate
2883 the OCSP response signing certificate.
2884 Some responders omit the actual signer's certificate from the response;
2885 this option can be used to supply the necessary certificate in such cases.
2887 .Sh OCSP SERVER OPTIONS
2888 .Bl -tag -width "XXXX"
2890 CA certificate corresponding to the revocation information in
2892 .It Fl index Ar indexfile
2894 is a text index file in
2896 format containing certificate revocation information.
2900 option is specified, the
2904 mode, otherwise it is in
2907 The request(s) the responder processes can be either specified on
2908 the command line (using the
2912 options), supplied in a file (using the
2914 option) or via external OCSP clients (if
2922 option is present, then the
2926 options must also be present.
2927 .It Fl nmin Ar minutes , Fl ndays Ar days
2932 when fresh revocation information is available: used in the
2935 If neither option is present, the
2937 field is omitted, meaning fresh revocation information is immediately available.
2938 .It Fl nrequest Ar number
2939 The OCSP server will exit after receiving
2941 requests, default unlimited.
2942 .It Fl port Ar portnum
2943 Port to listen for OCSP requests on.
2944 The port may also be specified using the
2948 Identify the signer certificate using the key ID;
2949 default is to use the subject name.
2950 .It Fl resp_no_certs
2951 Don't include any certificates in the OCSP response.
2953 The private key to sign OCSP responses with;
2954 if not present, the file specified in the
2957 .It Fl rother Ar file
2958 Additional certificates to include in the OCSP response.
2959 .It Fl rsigner Ar file
2960 The certificate to sign OCSP responses with.
2962 .Sh OCSP RESPONSE VERIFICATION
2963 OCSP response verification follows the rules specified in RFC 2560.
2965 Initially the OCSP responder certificate is located and the signature on
2966 the OCSP response checked using the responder certificate's public key.
2968 Then a normal certificate verify is performed on the OCSP responder certificate
2969 building up a certificate chain in the process.
2970 The locations of the trusted certificates used to build the chain can be
2975 options or they will be looked for in the standard
2980 If the initial verify fails, the OCSP verify process halts with an
2983 Otherwise the issuing CA certificate in the request is compared to the OCSP
2984 responder certificate: if there is a match then the OCSP verify succeeds.
2986 Otherwise the OCSP responder certificate's CA is checked against the issuing
2987 CA certificate in the request.
2988 If there is a match and the OCSPSigning extended key usage is present
2989 in the OCSP responder certificate, then the OCSP verify succeeds.
2991 Otherwise the root CA of the OCSP responder's CA is checked to see if it
2992 is trusted for OCSP signing.
2993 If it is, the OCSP verify succeeds.
2995 If none of these checks is successful, the OCSP verify fails.
2997 What this effectively means is that if the OCSP responder certificate is
2998 authorised directly by the CA it is issuing revocation information about
2999 .Pq and it is correctly configured ,
3000 then verification will succeed.
3002 If the OCSP responder is a
3003 .Em global responder
3004 which can give details about multiple CAs and has its own separate
3005 certificate chain, then its root CA can be trusted for OCSP signing.
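The three signer rules above and the -validity_period/-status_age time checks, as an added example that is not part of the man page or of OpenSSL's own code. The certificates are constructed records rather than parsed X.509 (the CA match here is by subject name, a simplification of the hash comparison OpenSSL performs), and the chain building and signature check that precede the rules are assumed to have already passed:

```python
"""Model of the OCSP response acceptance rules from OCSP RESPONSE VERIFICATION.

Added example, not OpenSSL's code: Cert is a constructed stand-in for an
X.509 certificate, and the CA match is by subject name only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OCSP_SIGNING = "OCSPSigning"  # the extended key usage named in the text


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate: subject, issuer and EKU names."""
    subject: str
    issuer: str
    eku: tuple = ()


def signer_rule(issuer_ca: Cert, responder: Cert, responder_root: Optional[Cert],
                ocsp_trusted_roots: frozenset) -> Optional[str]:
    """Return which rule authorises `responder` to sign for `issuer_ca`, or None.

    issuer_ca is the CA given with -issuer; responder_root is the root of the
    responder's already-verified chain; ocsp_trusted_roots holds the subject
    names of roots marked with `openssl x509 -addtrust OCSPSigning`.
    """
    # Rule 1: the issuing CA signed the response itself.
    if responder == issuer_ca:
        return "responder is the issuing CA"
    # Rule 2: a delegated responder issued by that CA, carrying OCSPSigning.
    if responder.issuer == issuer_ca.subject and OCSP_SIGNING in responder.eku:
        return "delegated responder with OCSPSigning EKU"
    # Rule 3: a global responder whose own root is trusted for OCSP signing.
    if responder_root is not None and responder_root.subject in ocsp_trusted_roots:
        return "root trusted for OCSP signing"
    return None


def check_times(this_update: datetime, next_update: Optional[datetime],
                now: datetime, nsec: int = 300,
                maxage: Optional[int] = None) -> Optional[str]:
    """Apply the -validity_period (nsec) and -status_age (maxage) checks.

    Returns an error string, or None when the times are acceptable. nsec
    defaults to the 5 minutes the text gives; maxage is only consulted when
    nextUpdate is absent, as the text describes.
    """
    skew = timedelta(seconds=nsec)
    if this_update > now + skew:
        return "thisUpdate lies in the future beyond the tolerated skew"
    if next_update is None:
        # No nextUpdate: fresh status is immediately available, so only the
        # optional age check applies.
        if maxage is not None and now - this_update > timedelta(seconds=maxage):
            return "thisUpdate is older than status_age"
        return None
    if next_update < this_update:
        return "nextUpdate precedes thisUpdate"
    if next_update + skew < now:
        return "nextUpdate has passed beyond the tolerated skew"
    return None


# Constructed sample certificates (names are hypothetical).
ROOT = Cert("Example Root CA", "Example Root CA")
ISSUER = Cert("Example Issuing CA", "Example Root CA")
DELEGATED = Cert("Example OCSP Responder", "Example Issuing CA", (OCSP_SIGNING,))
UNAUTHORISED = Cert("Example OCSP Responder", "Example Issuing CA")  # no EKU
GLOBAL_ROOT = Cert("Global VA Root", "Global VA Root")
GLOBAL_VA = Cert("Global VA", "Global VA Root", (OCSP_SIGNING,))


def demo() -> dict:
    """Run the rules over the sample data; constructed times, 2016-07-21."""
    now = datetime(2016, 7, 21, 12, 0, tzinfo=timezone.utc)
    this_upd = now - timedelta(minutes=2)
    next_upd = now - timedelta(seconds=30)  # already past, but within 5 minutes
    return {
        "direct": signer_rule(ISSUER, ISSUER, ROOT, frozenset()),
        "delegated": signer_rule(ISSUER, DELEGATED, ROOT, frozenset()),
        "unauthorised": signer_rule(ISSUER, UNAUTHORISED, ROOT, frozenset()),
        "global": signer_rule(ISSUER, GLOBAL_VA, GLOBAL_ROOT,
                              frozenset({"Global VA Root"})),
        "fresh": check_times(this_upd, next_upd, now),
        "expired_strict": check_times(this_upd, next_upd, now, nsec=0),
        "stale": check_times(this_upd, None, now, maxage=60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unauthorised case is the one worth noting: a responder certificate issued by the right CA is still rejected without the OCSPSigning extended key usage, and the expired_strict case shows why the default 5 minute tolerance exists when responder and client clocks differ.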
3007 .Bd -literal -offset indent
3008 $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e
3012 Alternatively, the responder certificate itself can be explicitly trusted
3017 As noted, most of the verify options are for testing or debugging purposes.
3021 .Pq if the responder is a `global VA'
3023 options need to be used.
3025 The OCSP server is only useful for test and demonstration purposes:
3026 it is not really usable as a full OCSP responder.
3027 It contains only a very simple HTTP request handling and can only handle
3028 the POST form of OCSP queries.
3029 It also handles requests serially, meaning it cannot respond to
3030 new requests until it has processed the current one.
3031 The text index file format of revocation is also inefficient for large
3032 quantities of revocation data.
3034 It is possible to run the
3038 mode via a CGI script using the
3044 Create an OCSP request and write it to a file:
3045 .Bd -literal -offset indent
3046 $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
3050 Send a query to an OCSP responder with URL
3051 .Pa http://ocsp.myhost.com/ ,
3052 save the response to a file and print it out in text form:
3053 .Bd -literal -offset indent
3054 $ openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
3055 -url http://ocsp.myhost.com/ -resp_text -respout resp.der
3058 Read in an OCSP response and print out in text form:
3060 .Dl $ openssl ocsp -respin resp.der -text
3062 OCSP server on port 8888 using a standard
3064 configuration, and a separate responder certificate.
3065 All requests and responses are printed to a file:
3066 .Bd -literal -offset indent
3067 $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner \e
3068 rcert.pem -CA demoCA/cacert.pem -text -out log.txt
3071 As above, but exit after processing one request:
3072 .Bd -literal -offset indent
3073 $ openssl ocsp -index demoCA/index.txt -port 8888 -rsigner \e
3074 rcert.pem -CA demoCA/cacert.pem -nrequest 1
3077 Query status information using internally generated request:
3078 .Bd -literal -offset indent
3079 $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e
3080 demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1
3083 Query status information using request read from a file and write
3084 the response to a second file:
3085 .Bd -literal -offset indent
3086 $ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA \e
3087 demoCA/cacert.pem -reqin req.der -respout resp.der
3094 .Nm "openssl passwd"
3095 .Op Fl 1 | apr1 | crypt
3100 .Op Fl salt Ar string
3108 command computes the hash of a password typed at run-time
3109 or the hash of each password in a list.
3110 The password list is taken from the named
3114 from stdin for option
3116 or from the command line, or from the terminal otherwise.
3125 and its Apache variant
3129 The options are as follows:
3140 .Pq Apache variant of the
3152 Don't verify when reading a password from the terminal.
3154 Don't output warnings when passwords given on the command line are truncated.
3156 Switch table columns.
3157 This only makes sense in conjunction with the
3160 .It Fl salt Ar string
3163 When reading a password from the terminal, this implies
3169 In the output list, prepend the cleartext password and a TAB character
3170 to each password hash.
3173 .Dl $ openssl passwd -crypt -salt xx password
3177 .Dl $ openssl passwd -1 -salt xxxxxxxx password
3179 .Qq $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. .
3181 .Dl $ openssl passwd -apr1 -salt xxxxxxxx password
3183 .Qq $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 .
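The md5crypt construction that produces the -1 and -apr1 hashes shown above, as an added example that is not OpenSSL's own implementation: it follows the original FreeBSD algorithm, so the two vectors printed in this section are what it must reproduce. The verify() helper is an addition for checking a stored hash with a constant-time comparison:

```python
"""md5crypt, the algorithm behind `openssl passwd -1` and, with a different
magic prefix, `openssl passwd -apr1`.

Added example following the FreeBSD md5crypt construction; not OpenSSL code.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, least significant 6 bits first (crypt(3) order)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return the crypt-style string magic + salt + '$' + 22 hash characters."""
    pw = password.encode()
    # The salt is at most 8 characters and may not contain '$'.
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()
    mb = magic.encode()

    ctx = hashlib.md5(pw + mb + sb)
    # Alternate sum of password, salt, password, fed in once per 16 bytes
    # of password length.
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    # For each bit of the password length: a NUL byte for a 1 bit, the
    # first password byte for a 0 bit.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds mixing password and salt in a round-dependent order;
    # this fixed cost is what slows down dictionary attacks.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sb)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # The 16 digest bytes are emitted in the permuted order crypt(3) uses.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return f"{magic}{salt}${encoded}"


def verify(password: str, stored: str) -> bool:
    """Check `password` against a stored $1$ or $apr1$ hash in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] not in ("1", "apr1"):
        return False
    candidate = md5crypt(password, parts[2], f"${parts[1]}$")
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    print(md5crypt("password", "xxxxxxxx"))
    print(md5crypt("password", "xxxxxxxx", "$apr1$"))
```

The salt and magic are recovered from the stored string in verify(), so the same routine checks both the -1 and the -apr1 forms; the comparison uses hmac.compare_digest rather than == so that timing does not leak how much of the hash matched.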
3192 .Op Fl inform Ar DER | PEM
3195 .Op Fl outform Ar DER | PEM
3203 command processes PKCS#7 files in DER or PEM format.
3205 The options are as follows:
3208 This specifies the input
3210 to read from, or standard input if this option is not specified.
3211 .It Fl inform Ar DER | PEM
3212 This specifies the input format.
3214 format is a DER-encoded PKCS#7 v1.5 structure.
3217 is a base64-encoded version of the DER form with header and footer lines.
3219 Don't output the encoded version of the PKCS#7 structure
3224 Specifies the output
3226 to write to, or standard output by default.
3227 .It Fl outform Ar DER | PEM
3228 This specifies the output format; the options have the same meaning as the
3232 Prints out any certificates or CRLs contained in the file.
3233 They are preceded by their subject and issuer names in a one-line format.
3235 Prints out certificate details in full rather than just subject and
3239 Convert a PKCS#7 file from PEM to DER:
3241 .Dl $ openssl pkcs7 -in file.pem -outform DER -out file.der
3243 Output all certificates in a file:
3245 .Dl $ openssl pkcs7 -in file.pem -print_certs -out certs.pem
3247 The PEM PKCS#7 format uses the header and footer lines:
3248 .Bd -unfilled -offset indent
3249 -----BEGIN PKCS7-----
3253 For compatibility with some CAs it will also accept:
3254 .Bd -unfilled -offset indent
3255 -----BEGIN CERTIFICATE-----
3256 -----END CERTIFICATE-----
3258 .Sh PKCS7 RESTRICTIONS
3259 There is no option to print out all the fields of a PKCS#7 file.
3261 The PKCS#7 routines only understand PKCS#7 v1.5 as specified in RFC 2315.
3262 They cannot currently parse, for example, the new CMS as described in RFC 2630.
3272 .Op Fl inform Ar DER | PEM
3278 .Op Fl outform Ar DER | PEM
3279 .Op Fl passin Ar arg
3280 .Op Fl passout Ar arg
3289 command processes private keys in PKCS#8 format.
3290 It can handle both unencrypted PKCS#8 PrivateKeyInfo format
3291 and EncryptedPrivateKeyInfo format with a variety of PKCS#5
3293 and PKCS#12 algorithms.
3295 The options are as follows:
3298 This option generates DSA keys in a broken format.
3299 The DSA parameters are embedded inside the
3302 In this form the OCTET STRING contains an ASN1 SEQUENCE consisting of
3304 a SEQUENCE containing the parameters and an ASN1 INTEGER containing
3307 This specifies the input
3309 to read a key from, or standard input if this option is not specified.
3310 If the key is encrypted, a pass phrase will be prompted for.
3311 .It Fl inform Ar DER | PEM
3312 This specifies the input format.
3313 If a PKCS#8 format key is expected on input,
3315 DER- or PEM-encoded version of a PKCS#8 key will be expected.
3316 Otherwise the DER or PEM format of the traditional format private key is used.
3318 PKCS#8 keys generated or input are normally PKCS#8
3319 .Em EncryptedPrivateKeyInfo
3320 structures using an appropriate password-based encryption algorithm.
3321 With this option, an unencrypted
3323 structure is expected or output.
3324 This option does not encrypt private keys at all and should only be used
3325 when absolutely necessary.
3326 Certain software such as some versions of Java code signing software use
3327 unencrypted private keys.
3329 Use an iteration count of 1.
3332 section below for a detailed explanation of this option.
3334 This option generates RSA private keys in a broken format that some software
3336 Specifically the private key should be enclosed in an OCTET STRING,
3337 but some software just includes the structure itself without the
3338 surrounding OCTET STRING.
3340 This option generates DSA keys in a broken format compatible with Netscape
3341 private key databases.
3344 contains a SEQUENCE consisting of the public and private keys, respectively.
3346 This specifies the output
3348 to write a key to, or standard output by default.
3349 If any encryption options are set, a pass phrase will be prompted for.
3350 The output filename should
3352 be the same as the input filename.
3353 .It Fl outform Ar DER | PEM
3354 This specifies the output format; the options have the same meaning as the
3357 .It Fl passin Ar arg
3358 The key password source.
3359 .It Fl passout Ar arg
3360 The output file password source.
3362 Normally, a PKCS#8 private key is expected on input and a traditional format
3363 private key will be written.
3366 option the situation is reversed:
3367 it reads a traditional format private key and writes a PKCS#8 format key.
3369 This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use.
3370 A complete list of possible algorithms is included below.
3372 This option enables the use of PKCS#5 v2.0 algorithms.
3373 Normally, PKCS#8 private keys are encrypted with the password-based
3374 encryption algorithm called
3375 .Em pbeWithMD5AndDES-CBC ;
3376 this uses 56-bit DES encryption but it was the strongest encryption
3377 algorithm supported in PKCS#5 v1.5.
3380 option PKCS#5 v2.0 algorithms are used which can use any
3381 encryption algorithm such as 168-bit triple DES or 128-bit RC2, however
3382 not many implementations support PKCS#5 v2.0 yet.
3383 If using private keys with
3385 then this doesn't matter.
3389 argument is the encryption algorithm to use; valid values include
3393 It is recommended that
3398 The encrypted form of a PEM-encoded PKCS#8 file uses the following
3399 headers and footers:
3400 .Bd -unfilled -offset indent
3401 -----BEGIN ENCRYPTED PRIVATE KEY-----
3402 -----END ENCRYPTED PRIVATE KEY-----
3405 The unencrypted form uses:
3406 .Bd -unfilled -offset indent
3407 -----BEGIN PRIVATE KEY-----
3408 -----END PRIVATE KEY-----
3411 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
3412 counts are more secure than those encrypted using the traditional
3415 So if additional security is considered important, the keys should be converted.
3417 The default encryption is only 56 bits because this is the encryption
3418 that most current implementations of PKCS#8 support.
3420 Some software may use PKCS#12 password-based encryption algorithms
3421 with PKCS#8 format private keys: these are handled automatically
3422 but there is no option to produce them.
3424 It is possible to write out
3425 DER-encoded encrypted private keys in PKCS#8 format because the encryption
3426 details are included at an ASN1
3427 level whereas the traditional format includes them at a PEM level.
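The header-level distinction just described, together with the PEM labels listed in the PKCS7 section, as an added example that is not OpenSSL code: a small classifier that reads the PEM label and the RFC 1421 Proc-Type/DEK-Info headers to tell a PKCS#8 key (encryption inside the ASN.1 structure) from a traditional-format key (encryption signalled at the PEM level). The sample blobs are constructed and their base64 bodies are dummies:

```python
"""Classify PEM blocks by label and PEM-level headers.

Added example, not OpenSSL code. A PKCS#8 key reveals whether it is
encrypted through its label alone (ENCRYPTED PRIVATE KEY vs PRIVATE KEY),
while a traditional key uses "Proc-Type: 4,ENCRYPTED" and "DEK-Info".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


@dataclass
class PemBlock:
    label: str
    family: str              # "pkcs8", "traditional", "pkcs7", "certificate" or "other"
    encrypted: bool
    dek_info: Optional[str]  # cipher and IV from the DEK-Info header, if present


def _pem_headers(body: str) -> dict:
    """Parse RFC 1421 headers; they precede the base64 data and end with a blank line."""
    headers = {}
    if "\n\n" not in body:
        return headers
    for line in body.split("\n\n", 1)[0].splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    return headers


def classify_pem(text: str) -> List[PemBlock]:
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        headers = _pem_headers(body)
        if label == "ENCRYPTED PRIVATE KEY":
            blocks.append(PemBlock(label, "pkcs8", True, None))
        elif label == "PRIVATE KEY":
            # PrivateKeyInfo in the clear: what -nocrypt reads or writes.
            blocks.append(PemBlock(label, "pkcs8", False, None))
        elif label.endswith(" PRIVATE KEY"):
            encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
            blocks.append(PemBlock(label, "traditional", encrypted, headers.get("DEK-Info")))
        elif label == "PKCS7":
            blocks.append(PemBlock(label, "pkcs7", False, None))
        elif label == "CERTIFICATE":
            blocks.append(PemBlock(label, "certificate", False, None))
        else:
            blocks.append(PemBlock(label, "other", False, None))
    return blocks


def unencrypted_keys(text: str) -> List[str]:
    """Labels of private keys stored without encryption, the case the text warns about."""
    return [b.label for b in classify_pem(text)
            if b.family in ("pkcs8", "traditional") and not b.encrypted]


# Constructed sample: three keys whose base64 bodies are dummies, not real DER.
SAMPLE = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIDUMMYDUMMYDUMMY=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEowIBAAKCAQEADUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCDUMMY=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for block in classify_pem(SAMPLE):
        print(block)
    print("unencrypted:", unencrypted_keys(SAMPLE))
```

Scanning a key store with unencrypted_keys() is a cheap way to find material written with -nocrypt or without a cipher option; note that for a PKCS#8 key the classifier cannot say which PBE algorithm or iteration count was used, which is exactly the missing print option the PKCS8 BUGS text complains about.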
3428 .Sh PKCS#5 V1.5 AND PKCS#12 ALGORITHMS
3429 Various algorithms can be used with the
3431 command line option, including PKCS#5 v1.5 and PKCS#12.
3432 These are described in more detail below.
3434 .Bl -tag -width "XXXX" -compact
3436 These algorithms were included in the original PKCS#5 v1.5 specification.
3437 They only offer 56 bits of protection since they both use DES.
3439 .It Ar PBE-SHA1-RC2-64 | PBE-MD5-RC2-64 | PBE-SHA1-DES
3440 These algorithms are not mentioned in the original PKCS#5 v1.5 specification
3441 but they use the same key derivation algorithm and are supported by some
3443 They are mentioned in PKCS#5 v2.0.
3444 They use either 64-bit RC2 or 56-bit DES.
3446 .It Ar PBE-SHA1-RC4-128 | PBE-SHA1-RC4-40 | PBE-SHA1-3DES | PBE-SHA1-2DES
3447 .It Ar PBE-SHA1-RC2-128 | PBE-SHA1-RC2-40
3448 These algorithms use the PKCS#12 password-based encryption algorithm and
3449 allow strong encryption algorithms like triple DES or 128-bit RC2 to be used.
3452 Convert a private key from traditional to PKCS#5 v2.0 format using triple DES:
3454 .Dl "$ openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem"
3456 Convert a private key to PKCS#8 using a PKCS#5 v1.5 compatible algorithm
3459 .Dl $ openssl pkcs8 -in key.pem -topk8 -out enckey.pem
3461 Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
3463 .Bd -literal -offset indent
3464 $ openssl pkcs8 -in key.pem -topk8 -out enckey.pem \e
3468 Read an unencrypted DER-encoded PKCS#8 format private key:
3470 .Dl "$ openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem"
3472 Convert a private key from any PKCS#8 format to traditional format:
3474 .Dl $ openssl pkcs8 -in pk8.pem -out key.pem
3476 Test vectors from this PKCS#5 v2.0 implementation were posted to the
3477 pkcs-tng mailing list using triple DES, DES and RC2 with high iteration counts;
3478 several people confirmed that they could decrypt the private
3479 keys produced and therefore it can be assumed that the PKCS#5 v2.0
3480 implementation is reasonably accurate at least as far as these
3481 algorithms are concerned.
3483 The format of PKCS#8 DSA
3485 private keys is not well documented:
3486 it is hidden away in PKCS#11 v2.01, section 11.9;
3487 .Nm OpenSSL Ns Li 's
3488 default DSA PKCS#8 private key format complies with this standard.
3490 There should be an option that prints out the encryption algorithm
3491 in use and other details such as the iteration count.
3493 PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
3496 compatibility, several of the utilities use the old format at present.
3502 .Nm "openssl pkcs12"
3505 .Fl aes128 | aes192 | aes256 |
3509 .Op Fl CAfile Ar file
3510 .Op Fl caname Ar name
3511 .Op Fl CApath Ar directory
3512 .Op Fl certfile Ar file
3513 .Op Fl certpbe Ar alg
3521 .Op Fl inkey Ar file
3523 .Op Fl keypbe Ar alg
3525 .Op Fl macalg Ar alg
3537 .Op Fl passin Ar arg
3538 .Op Fl passout Ar arg
3545 command allows PKCS#12 files
3546 .Pq sometimes referred to as PFX files
3547 to be created and parsed.
3548 PKCS#12 files are used by several programs including Netscape, MSIE
3551 There are a lot of options; the meaning of some depends on whether a
3552 PKCS#12 file is being created or parsed.
3553 By default, a PKCS#12 file is parsed;
3554 a PKCS#12 file can be created by using the
3558 .Sh PKCS12 PARSING OPTIONS
3559 .Bl -tag -width "XXXX"
3561 .Fl aes128 | aes192 | aes256 |
3564 Use AES, DES, or triple DES, respectively,
3565 to encrypt private keys before outputting.
3566 The default is triple DES.
3568 Only output CA certificates
3569 .Pq not client certificates .
3571 Only output client certificates
3572 .Pq not CA certificates .
3576 of the PKCS#12 file to be parsed.
3577 Standard input is used by default.
3579 Output additional information about the PKCS#12 file structure,
3580 algorithms used, and iteration counts.
3582 No certificates at all will be output.
3584 Don't encrypt the private keys at all.
3586 No private keys will be output.
3588 Don't attempt to verify the integrity MAC before reading the file.
3590 This option inhibits output of the keys and certificates to the output file
3591 version of the PKCS#12 file.
3595 to write certificates and private keys to, standard output by default.
3596 They are all written in PEM format.
3597 .It Fl passin Ar arg
3598 The key password source.
3599 .It Fl passout Ar arg
3600 The output file password source.
3602 Prompt for separate integrity and encryption passwords: most software
3603 always assumes these are the same so this option will render such
3604 PKCS#12 files unreadable.
3606 .Sh PKCS12 FILE CREATION OPTIONS
3607 .Bl -tag -width "XXXX"
3608 .It Fl CAfile Ar file
3609 CA storage as a file.
3610 .It Fl CApath Ar directory
3611 CA storage as a directory.
3612 This directory must be a standard certificate directory:
3613 that is, a hash of each subject name (using
3615 should be linked to each certificate.
3616 .It Fl caname Ar name
3619 for other certificates.
3620 This option may be used multiple times to specify names for all certificates
3621 in the order they appear.
3622 Netscape ignores friendly names on other certificates,
3623 whereas MSIE displays them.
3624 .It Fl certfile Ar file
3625 A file to read additional certificates from.
3626 .It Fl certpbe Ar alg , Fl keypbe Ar alg
3627 These options allow the algorithm used to encrypt the private key and
3628 certificates to be selected.
3629 Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name can be used (see the
3631 section for more information).
3634 .Cm list-cipher-algorithms
3635 command) is specified then it
3636 is used with PKCS#5 v2.0.
3637 For interoperability reasons it is advisable to only use PKCS#12 algorithms.
3639 If this option is present, an attempt is made to include the entire
3640 certificate chain of the user certificate.
3641 The standard CA store is used for this search.
3642 If the search fails, it is considered a fatal error.
3646 as a Microsoft CSP name.
3648 Encrypt the certificate using triple DES; this may render the PKCS#12
3649 file unreadable by some
3652 By default, the private key is encrypted using triple DES and the
3653 certificate using 40-bit RC2.
3655 This option specifies that a PKCS#12 file will be created rather than
3660 to read certificates and private keys from, standard input by default.
3661 They must all be in PEM format.
3662 The order doesn't matter but one private key and its corresponding
3663 certificate should be present.
3664 If additional certificates are present, they will also be included
3665 in the PKCS#12 file.
3666 .It Fl inkey Ar file
3667 File to read private key from.
3668 If not present, a private key must be present in the input file.
3669 .It Fl keyex | keysig
3670 Specifies that the private key is to be used for key exchange or just signing.
3671 This option is only interpreted by MSIE and similar MS software.
3674 software will only allow 512-bit RSA keys to be
3675 used for encryption purposes, but arbitrary length keys for signing.
3678 option marks the key for signing only.
3679 Signing only keys can be used for S/MIME signing, authenticode
3680 .Pq ActiveX control signing
3681 and SSL client authentication;
3682 however, due to a bug only MSIE 5.0 and later support
3683 the use of signing only keys for SSL client authentication.
3684 .It Fl macalg Ar alg
3685 Specify the MAC digest algorithm.
3686 If not included then SHA1 is used.
3688 This option is included for compatibility with previous versions; it used
3689 to be needed to use MAC iteration counts but they are now used by default.
3693 for the certificate and private key.
3694 This name is typically displayed in list boxes by software importing the file.
3696 Don't attempt to provide the MAC integrity.
3697 .It Fl nomaciter , noiter
3698 These options affect the iteration counts on the MAC and key algorithms.
3699 Unless you wish to produce files compatible with MSIE 4.0, you should leave
3700 these options alone.
3702 To discourage attacks by using large dictionaries of common passwords,
3703 the algorithm that derives keys from passwords can have an iteration count
3704 applied to it: this causes a certain part of the algorithm to be repeated
3706 The MAC is used to check the file integrity but since it will normally
3707 have the same password as the keys and certificates it could also be attacked.
3708 By default, both MAC and encryption iteration counts are set to 2048;
3709 using these options the MAC and encryption iteration counts can be set to 1.
3710 Since this reduces the file security you should not use these options
3711 unless you really have to.
3712 Most software supports both MAC and key iteration counts.
3713 MSIE 4.0 doesn't support MAC iteration counts, so it needs the
3719 to write the PKCS#12 file to.
3720 Standard output is used by default.
3721 .It Fl passin Ar arg
3722 The key password source.
3723 .It Fl passout Ar arg
3724 The output file password source.
3727 Although there are a large number of options,
3728 most of them are very rarely used.
3729 For PKCS#12 file parsing, only
3733 need to be used for PKCS#12 file creation.
3740 .Fl clcerts , cacerts ,
3743 options are present, then all certificates will be output in the order
3744 they appear in the input PKCS#12 files.
3745 There is no guarantee that the first certificate present is
3746 the one corresponding to the private key.
3747 Certain software requires a private key and certificate and assumes
3748 the first certificate in the file is the one corresponding to the private key;
3749 this may not always be the case.
3752 option will solve this problem by only outputting the certificate
3753 corresponding to the private key.
3754 If the CA certificates are required, they can be output to a separate
3759 options to just output CA certificates.
3765 algorithms allow the precise encryption algorithms for private keys
3766 and certificates to be specified.
3767 Normally, the defaults are fine but occasionally software can't handle
3768 triple DES encrypted private keys;
3770 .Fl keypbe Ar PBE-SHA1-RC2-40
3771 can be used to reduce the private key encryption to 40-bit RC2.
3772 A complete description of all algorithms is contained in the
3776 Parse a PKCS#12 file and output it to a file:
3778 .Dl $ openssl pkcs12 -in file.p12 -out file.pem
3780 Output only client certificates to a file:
3782 .Dl $ openssl pkcs12 -in file.p12 -clcerts -out file.pem
3784 Don't encrypt the private key:
3786 .Dl $ openssl pkcs12 -in file.p12 -out file.pem -nodes
3788 Print some info about a PKCS#12 file:
3790 .Dl $ openssl pkcs12 -in file.p12 -info -noout
3792 Create a PKCS#12 file:
3793 .Bd -literal -offset indent
3794 $ openssl pkcs12 -export -in file.pem -out file.p12 \e
3795 -name "My Certificate"
3798 Include some extra certificates:
3799 .Bd -literal -offset indent
3800 $ openssl pkcs12 -export -in file.pem -out file.p12 \e
3801 -name "My Certificate" -certfile othercerts.pem
3804 Some would argue that the PKCS#12 standard is one big bug :\-)
3808 before 0.9.6a had a bug in the PKCS#12 key generation routines.
3809 Under rare circumstances this could produce a PKCS#12 file encrypted
3810 with an invalid key.
3811 As a result some PKCS#12 files which triggered this bug
3812 from other implementations
3813 .Pq MSIE or Netscape
3814 could not be decrypted by
3818 could produce PKCS#12 files which could not be decrypted by other
3820 The chances of producing such a file are relatively small: less than 1 in 256.
3822 A side effect of fixing this bug is that any old invalidly encrypted PKCS#12
3823 files can no longer be parsed by the fixed version.
3824 Under such circumstances the
3826 utility will report that the MAC is OK but fail with a decryption
3827 error when extracting private keys.
3829 This problem can be resolved by extracting the private keys and certificates
3830 from the PKCS#12 file using an older version of
3833 the PKCS#12 file from the keys and certificates using a newer version of
3836 .Bd -literal -offset indent
3837 $ old-openssl pkcs12 -in bad.p12 -out keycerts.pem
3838 $ openssl pkcs12 -in keycerts.pem -export -name "My PKCS#12 file" \e
3850 .Op Fl inform Ar DER | PEM
3853 .Op Fl outform Ar DER | PEM
3854 .Op Fl passin Ar arg
3855 .Op Fl passout Ar arg
3865 command processes public or private keys.
3866 They can be converted between various forms
3867 and their components printed out.
3869 The options are as follows:
3872 These options encrypt the private key with the supplied cipher.
3873 Any algorithm name accepted by
3874 .Fn EVP_get_cipherbyname
3875 is acceptable, such as
3878 This specifies the input filename to read a key from,
3879 or standard input if this option is not specified.
3880 If the key is encrypted a pass phrase will be prompted for.
3881 .It Fl inform Ar DER | PEM
3882 This specifies the input format, DER or PEM.
3884 Do not output the encoded version of the key.
3886 This specifies the output filename to write a key to,
3887 or standard output if this option is not specified.
3888 If any encryption options are set then a pass phrase
3889 will be prompted for.
3890 The output filename should
3892 be the same as the input filename.
3893 .It Fl outform Ar DER | PEM
3894 This specifies the output format;
3895 the options have the same meaning as the
3898 .It Fl passin Ar arg
3899 The key password source.
3900 .It Fl passout Ar arg
3901 The output file password source.
3903 By default a private key is read from the input file:
3904 with this option a public key is read instead.
3906 By default a private key is output:
3907 with this option a public key will be output instead.
3908 This option is automatically set if
3909 the input is a public key.
3911 Print out the various public or private key components in
3912 plain text in addition to the encoded version.
3914 Print out only public key components
3915 even if a private key is being processed.
3918 To remove the pass phrase on an RSA private key:
3919 .Bd -literal -offset indent
3920 $ openssl pkey -in key.pem -out keyout.pem
3923 To encrypt a private key using triple DES:
3924 .Bd -literal -offset indent
3925 $ openssl pkey -in key.pem -des3 -out keyout.pem
3928 To convert a private key from PEM to DER format:
3929 .Bd -literal -offset indent
3930 $ openssl pkey -in key.pem -outform DER -out keyout.der
3933 To print the components of a private key to standard output:
3934 .Bd -literal -offset indent
3935 $ openssl pkey -in key.pem -text -noout
3938 To print the public components of a private key to standard output:
3939 .Bd -literal -offset indent
3940 $ openssl pkey -in key.pem -text_pub -noout
3943 To just output the public part of a private key:
3944 .Bd -literal -offset indent
3945 $ openssl pkey -in key.pem -pubout -out pubkey.pem
3951 .Cm openssl pkeyparam
3959 command processes public or private keys.
3960 They can be converted between various forms and their components printed out.
3962 The options are as follows:
3965 This specifies the input filename to read parameters from,
3966 or standard input if this option is not specified.
3968 Do not output the encoded version of the parameters.
3970 This specifies the output filename to write parameters to,
3971 or standard output if this option is not specified.
3973 Prints out the parameters in plain text in addition to the encoded version.
3975 .Sh PKEYPARAM EXAMPLES
3976 Print out text version of parameters:
3977 .Bd -literal -offset indent
3978 $ openssl pkeyparam -in param.pem -text
3985 options for this command, because only PEM format is supported:
3986 the key type is determined by the PEM headers.
3992 .Nm "openssl pkeyutl"
4001 .Op Fl inkey Ar file
4002 .Op Fl keyform Ar DER | PEM
4004 .Op Fl passin Ar arg
4005 .Op Fl peerform Ar DER | PEM
4006 .Op Fl peerkey Ar file
4007 .Op Fl pkeyopt Ar opt : Ns Ar value
4010 .Op Fl sigfile Ar file
4013 .Op Fl verifyrecover
4019 command can be used to perform public key operations using
4020 any supported algorithm.
4022 The options are as follows:
4025 ASN1parse the output data.
4026 This is useful when combined with the
4028 option when an ASN1 structure is signed.
4030 The input is a certificate containing a public key.
4032 Decrypt the input data using a private key.
4034 Derive a shared secret using the peer key.
4036 Encrypt the input data using a public key.
4038 Hex dump the output data.
4040 Specify the input filename to read data from,
4041 or standard input if this option is not specified.
4042 .It Fl inkey Ar file
4044 By default it should be a private key.
4045 .It Fl keyform Ar DER | PEM
4046 The key format DER or PEM.
4048 Specify the output filename to write to,
4049 or standard output by default.
4050 .It Fl passin Ar arg
4051 The key password source.
4052 .It Fl peerform Ar DER | PEM
4053 The peer key format DER or PEM.
4054 .It Fl peerkey Ar file
4055 The peer key file, used by key derivation (agreement) operations.
4056 .It Fl pkeyopt Ar opt : Ns Ar value
4059 The input file is a public key.
4061 Reverse the order of the input buffer.
4062 This is useful for some libraries (such as CryptoAPI)
4063 which represent the buffer in little endian format.
4064 .It Fl sigfile Ar file
4065 Signature file (verify operation only).
4067 Sign the input data and output the signed result.
4068 This requires a private key.
4070 Verify the input data against the signature file and indicate if the
4071 verification succeeded or failed.
4072 .It Fl verifyrecover
4073 Verify the input data and output the recovered data.
4076 The operations and options supported vary according to the key algorithm
4077 and its implementation.
4080 operations and options are indicated below.
4082 Unless otherwise mentioned all algorithms support the
4083 .Ar digest : Ns Ar alg
4084 option which specifies the digest in use
4085 for sign, verify, and verifyrecover operations.
4088 should represent a digest name as used in the
4089 .Fn EVP_get_digestbyname
4090 function, for example
4093 The RSA algorithm supports the
4094 encrypt, decrypt, sign, verify, and verifyrecover operations in general.
4095 Some padding modes only support some of these
4098 .It rsa_padding_mode : Ns Ar mode
4099 This sets the RSA padding mode.
4100 Acceptable values for
4115 In PKCS#1 padding if the message digest is not set then the supplied data is
4116 signed or verified directly instead of using a DigestInfo structure.
4117 If a digest is set then a DigestInfo
4118 structure is used and its length
4119 must correspond to the digest type.
4121 For oaep mode only encryption and decryption are supported.
4123 For x931 if the digest type is set it is used to format the block data;
4124 otherwise the first byte is used to specify the X9.31 digest ID.
4125 Sign, verify, and verifyrecover can be performed in this mode.
4127 For pss mode only sign and verify are supported and the digest type must be
4129 .It rsa_pss_saltlen : Ns Ar len
4131 mode only this option specifies the salt length.
4132 Two special values are supported:
4133 -1 sets the salt length to the digest length.
4134 When signing -2 sets the salt length to the maximum permissible value.
4135 When verifying -2 causes the salt length to be automatically determined
4136 based on the PSS block structure.
4139 The DSA algorithm supports the sign and verify operations.
4140 Currently there are no additional options other than
4142 Only the SHA1 digest can be used and this digest is assumed by default.
4144 The DH algorithm supports the derive operation
4145 and no additional options.
4147 The EC algorithm supports the sign, verify, and derive operations.
4148 The sign and verify operations use ECDSA and derive uses ECDH.
4149 Currently there are no additional options other than
4151 Only the SHA1 digest can be used and this digest is assumed by default.
4152 .Sh PKEYUTL EXAMPLES
4153 Sign some data using a private key:
4154 .Bd -literal -offset indent
4155 $ openssl pkeyutl -sign -in file -inkey key.pem -out sig
4158 Recover the signed data (e.g. if an RSA key is used):
4159 .Bd -literal -offset indent
4160 $ openssl pkeyutl -verifyrecover -in sig -inkey key.pem
4163 Verify the signature (e.g. a DSA key):
4164 .Bd -literal -offset indent
4165 $ openssl pkeyutl -verify -in file -sigfile sig \e
4169 Sign data using a message digest value (this is currently only valid for RSA):
4170 .Bd -literal -offset indent
4171 $ openssl pkeyutl -sign -in file -inkey key.pem \e
4172 -out sig -pkeyopt digest:sha256
4175 Derive a shared secret value:
4176 .Bd -literal -offset indent
4177 $ openssl pkeyutl -derive -inkey key.pem \e
4178 -peerkey pubkey.pem -out secret
4194 command is used to generate prime numbers,
4195 or to check numbers for primality.
4196 Results are probabilistic:
4197 they have an exceedingly high likelihood of being correct,
4198 but are not guaranteed.
4200 The options are as follows:
4203 Specify the number of bits in the generated prime number.
4204 Must be used in conjunction with
4207 Perform a Miller-Rabin probabilistic primality test with
4212 Generate a pseudo-random prime number.
4213 Must be used in conjunction with
4216 Output in hex format.
4221 (i.e. a prime p so that (p-1)/2 is also prime).
4243 pseudo-random bytes.
4245 The options are as follows:
4250 encoding on the output.
4252 Specify hexadecimal output.
4256 instead of standard output.
4267 .Op Fl config Ar file
4269 .Op Fl extensions Ar section
4271 .Op Fl inform Ar DER | PEM
4272 .Op Fl key Ar keyfile
4273 .Op Fl keyform Ar DER | PEM
4274 .Op Fl keyout Ar file
4275 .Op Fl md4 | md5 | sha1
4277 .Op Fl nameopt Ar option
4280 .Op Fl newkey Ar arg
4281 .Op Fl no-asn1-kludge
4285 .Op Fl outform Ar DER | PEM
4286 .Op Fl passin Ar arg
4287 .Op Fl passout Ar arg
4289 .Op Fl reqexts Ar section
4290 .Op Fl reqopt Ar option
4291 .Op Fl set_serial Ar n
4304 command primarily creates and processes certificate requests
4306 It can additionally create self-signed certificates,
4307 for use as root CAs, for example.
4309 The options are as follows:
4314 command outputs certificate requests containing
4315 no attributes in the correct PKCS#10 format.
4316 However certain CAs will only
4317 accept requests containing no attributes in an invalid form: this
4318 option produces this invalid format.
4322 in a PKCS#10 certificate request are defined as a SET OF Attribute.
4325 optional, so if no attributes are present then they should be encoded as an
4327 The invalid form does not include the empty
4328 SET OF, whereas the correct form does.
4330 It should be noted that very few CAs still require the use of this option.
4332 Non-interactive mode.
4333 .It Fl config Ar file
4334 This allows an alternative configuration file to be specified;
4335 this overrides the compile time filename or any specified in
4338 environment variable.
4342 option is being used, this specifies the number of
4343 days to certify the certificate for.
4344 The default is 30 days.
4345 .It Fl extensions Ar section , Fl reqexts Ar section
4346 These options specify alternative sections to include certificate
4349 option is present) or certificate request extensions.
4350 This allows several different sections to
4351 be used in the same configuration file to specify requests for
4352 a variety of purposes.
4354 This specifies the input
4356 to read a request from, or standard input
4357 if this option is not specified.
4358 A request is only read if the creation options
4363 .It Fl inform Ar DER | PEM
4364 This specifies the input format.
4367 argument uses an ASN1 DER-encoded form compatible with PKCS#10.
4370 form is the default format:
4371 it consists of the DER format base64-encoded with additional header and
4373 .It Fl key Ar keyfile
4374 This specifies the file to read the private key from.
4375 It also accepts PKCS#8 format private keys for PEM format files.
4376 .It Fl keyform Ar DER | PEM
4377 The format of the private key file specified in the
4382 .It Fl keyout Ar file
4385 to write the newly created private key to.
4386 If this option is not specified, the filename present in the
4387 configuration file is used.
4388 .It Fl md5 | sha1 | sha256
4389 This specifies the message digest to sign the request with.
4390 This overrides the digest algorithm specified in the configuration file.
4392 Some public key algorithms may override this choice.
4393 For instance, DSA signatures always use SHA1.
4395 This option prints out the value of the modulus of the public key
4396 contained in the request.
4397 .It Fl nameopt Ar option , Fl reqopt Ar option
4398 These options determine how the subject or issuer names are displayed.
4401 argument can be a single option or multiple options separated by commas.
4402 Alternatively, these options may be used more than once to set multiple options.
4405 section below for details.
4407 This option generates a new certificate request.
4408 It will prompt the user for the relevant field values.
4409 The actual fields prompted for and their maximum and minimum sizes
4410 are specified in the configuration file and any requested extensions.
4414 option is not used, it will generate a new RSA private
4415 key using information specified in the configuration file.
4417 Adds the word NEW to the PEM file header and footer lines
4418 on the output request.
4420 .Pq Netscape certificate server
4421 and some CAs need this.
4422 .It Fl newkey Ar arg
4423 This option creates a new certificate request and a new private key.
4424 The argument takes one of several forms.
4425 .Ar rsa : Ns Ar nbits ,
4428 is the number of bits, generates an RSA key
4436 the default key size, specified in the configuration file, is used.
4438 All other algorithms support the
4439 .Ar alg : Ns Ar file
4441 where file may be an algorithm parameter file,
4443 .Cm genpkey -genparam
4444 command or an X.509 certificate for a key with appropriate algorithm.
4446 .Ar param : Ns Ar file
4447 generates a key using the parameter file or certificate
4449 the algorithm is determined by the parameters.
4450 .Ar algname : Ns Ar file
4455 the two algorithms must match or an error occurs.
4459 and parameters, if necessary,
4460 should be specified via the
4464 .Ar dsa : Ns Ar file
4465 generates a DSA key using the parameters in the file
4467 .It Fl no-asn1-kludge
4468 Reverses the effect of
4471 If this option is specified and a private key is created, it
4472 will not be encrypted.
4474 This option prevents output of the encoded version of the request.
4476 This specifies the output
4478 to write to, or standard output by default.
4479 .It Fl outform Ar DER | PEM
4480 This specifies the output format; the options have the same meaning as the
4483 .It Fl passin Ar arg
4484 The key password source.
4485 .It Fl passout Ar arg
4486 The output file password source.
4488 Outputs the public key.
4489 .It Fl reqopt Ar option
4490 Customise the output format used with
4494 argument can be a single option or multiple options separated by commas.
4496 See the discussion of the
4501 .It Fl set_serial Ar n
4502 Serial number to use when outputting a self-signed certificate.
4503 This may be specified as a decimal value or a hex value if preceded by
4505 It is possible to use negative serial numbers but this is not recommended.
4507 Replaces subject field of input request with specified data and outputs
4509 The arg must be formatted as
4510 .Em /type0=value0/type1=value1/type2=... ;
4511 characters may be escaped by
4514 no spaces are skipped.
4516 Prints out the request subject (or certificate subject if
4520 Prints out the certificate request in text form.
4522 This option causes field values to be interpreted as UTF8 strings;
4523 by default they are interpreted as ASCII.
4524 This means that the field values, whether prompted from a terminal or
4525 obtained from a configuration file, must be valid UTF8 strings.
4527 Print extra details about the operations being performed.
4529 Verifies the signature on the request.
4531 This option outputs a self-signed certificate instead of a certificate
4533 This is typically used to generate a test certificate or
4534 a self-signed root CA.
4535 The extensions added to the certificate
4537 are specified in the configuration file.
4538 Unless specified using the
4540 option, 0 will be used for the serial number.
4542 .Sh REQ CONFIGURATION FILE FORMAT
4543 The configuration options are specified in the
4545 section of the configuration file.
4546 As with all configuration files, if no value is specified in the specific
4549 then the initial unnamed or
4551 section is searched too.
4553 The options available are described in detail below.
4554 .Bl -tag -width "XXXX"
4556 This specifies the section containing any request attributes: its format
4558 .Ar distinguished_name .
4559 Typically these may contain the
4560 .Em challengePassword
4562 .Em unstructuredName
4564 They are currently ignored by
4565 .Nm OpenSSL Ns Li 's
4566 request signing utilities, but some CAs might want them.
4568 This specifies the default key size in bits.
4569 If not specified, 2048 is used.
4573 It can be overridden by using the
4576 .It Ar default_keyfile
4577 This is the default file to write a private key to.
4578 If not specified, the key is written to standard output.
4579 This can be overridden by the
4583 This option specifies the digest algorithm to use.
4584 Possible values include
4589 If not present, SHA256 is used.
4590 This option can be overridden on the command line.
4591 .It Ar distinguished_name
4592 This specifies the section containing the distinguished name fields to
4593 prompt for when generating a certificate or certificate request.
4594 The format is described in the next section.
4598 and a private key is generated, it is
4601 This is equivalent to the
4603 command line option.
4606 is an equivalent option.
4607 .It Ar input_password | output_password
4608 The passwords for the input private key file
4610 and the output private key file
4611 .Pq if one will be created .
4612 The command line options
4616 override the configuration file values.
4618 This specifies a file containing additional OBJECT IDENTIFIERS.
4619 Each line of the file should consist of the numerical form of the
4620 object identifier, followed by whitespace, then the short name followed
4621 by whitespace and finally the long name.
4623 This specifies a section in the configuration file containing extra
4625 Each line should consist of the short name of the
4626 object identifier followed by
4628 and the numerical form.
4629 The short and long names are the same when this option is used.
4633 this disables prompting of certificate fields
4634 and just takes values from the config file directly.
4635 It also changes the expected format of the
4636 .Em distinguished_name
4640 .It Ar req_extensions
4641 This specifies the configuration file section containing a list of
4642 extensions to add to the certificate request.
4643 It can be overridden by the
4645 command line switch.
4647 This option limits the string types for encoding certain
4649 The following values may be used, limiting strings to the indicated types:
4650 .Bl -tag -width "MASK:number"
4653 This is the default, as recommended by PKIX in RFC 2459.
4655 .Em PrintableString , IA5String , T61String , BMPString , UTF8String .
4657 .Em PrintableString , IA5String , BMPString , UTF8String .
4658 This was inspired by the PKIX recommendation in RFC 2459 for certificates
4659 generated before 2004, but differs by also permitting
4662 .Em PrintableString , IA5String , T61String , UniversalString .
4663 This was a workaround for some ancient software that had problems
4664 with the variable-sized
4669 .It Cm MASK : Ns Ar number
4670 This is an explicit bitmask of permitted types, where
4672 is a C-style hex, decimal, or octal number that's a bit-wise OR of
4675 .In openssl/asn1.h .
4680 then field values are interpreted as UTF8 strings;
4681 by default they are interpreted as ASCII.
4682 This means that the field values, whether prompted from a terminal or
4683 obtained from a configuration file, must be valid UTF8 strings.
4684 .It Ar x509_extensions
4685 This specifies the configuration file section containing a list of
4686 extensions to add to a certificate generated when the
4689 It can be overridden by the
4691 command line switch.
4693 .Sh REQ DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
4694 There are two separate formats for the distinguished name and attribute
4700 then these sections just consist of field names and values: for example,
4701 .Bd -unfilled -offset indent
4704 emailAddress=someone@somewhere.org
4707 This allows external programs
4709 to generate a template file with all the field names and values
4712 An example of this kind of configuration file is contained in the
4716 Alternatively if the
4718 option is absent or not set to
4720 then the file contains field prompting information.
4721 It consists of lines of the form:
4722 .Bd -unfilled -offset indent
4724 fieldName_default="default field value"
4730 is the field name being used, for example
4735 string is used to ask the user to enter the relevant details.
4736 If the user enters nothing, the default value is used;
4737 if no default value is present, the field is omitted.
4738 A field can still be omitted if a default value is present,
4739 if the user just enters the
4743 The number of characters entered must be between the
4748 there may be additional restrictions based on the field being used
4751 can only ever be two characters long and must fit in a
4752 .Em PrintableString ) .
4754 Some fields (such as
4755 .Em organizationName )
4756 can be used more than once in a DN.
4757 This presents a problem because configuration files will
4758 not recognize the same name occurring twice.
4759 To avoid this problem, if the
4761 contains some characters followed by a full stop, they will be ignored.
4762 So, for example, a second
4763 .Em organizationName
4764 can be input by calling it
4765 .Qq 1.organizationName .
4767 The actual permitted field names are any object identifier short or
4769 These are compiled into
4771 and include the usual values such as
4772 .Em commonName , countryName , localityName , organizationName ,
4773 .Em organizationUnitName , stateOrProvinceName .
4776 is included as well as
4777 .Em name , surname , givenName , initials
4781 Additional object identifiers can be defined with the
4785 options in the configuration file.
4786 Any additional fields will be treated as though they were a
4787 .Em DirectoryString .
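The prompting format described above, as an added Python example that is not part of this manual or of OpenSSL's configuration parser: it reads a distinguished_name section, strips the digit-and-dot prefix that lets organizationName appear twice, collects the _default, _min and _max settings, and applies the empty-answer and "." rules. The section it parses is constructed from the sample configuration given in the examples below, with a second organizationName added.

```python
"""Parse a prompting-style req distinguished_name section and apply its
answer rules.  Added example, not OpenSSL's config parser; the section
below is constructed from the page's sample file plus a "1." duplicate."""
import re

SAMPLE_SECTION = """
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
organizationName = Organization Name
organizationName_default = Example Org
1.organizationName = Second Organization Name
commonName = Common Name (eg, YOUR name)
commonName_max = 64
"""

SUFFIXES = ("_default", "_min", "_max")


def parse_dn_section(text: str) -> list:
    """Return the fields in prompt order.  A leading "digits." on a key only
    keeps the config parser from seeing a duplicate name; it is stripped when
    the attribute type is recorded.  _default/_min/_max lines attach to the
    field whose (still prefixed) key they extend."""
    fields, by_key = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        suffix = next((s for s in SUFFIXES if key.endswith(s)), None)
        name_key = key[:-len(suffix)] if suffix else key
        if name_key not in by_key:
            by_key[name_key] = {"attribute": re.sub(r"^\d+\.", "", name_key),
                                "prompt": None, "default": None,
                                "min": 0, "max": None}
            fields.append(by_key[name_key])
        field = by_key[name_key]
        if suffix is None:
            field["prompt"] = value
        elif suffix == "_default":
            field["default"] = value
        else:
            field[suffix[1:]] = int(value)          # "min" / "max"
    return fields


def resolve(field: dict, entered: str):
    """Apply the rules in the text to one answer: empty input takes the
    default (None when there is none, so the field is omitted), a lone "."
    omits the field even when a default exists, and any other value must
    satisfy the min/max lengths."""
    if entered == ".":
        return None
    if entered == "":
        return field["default"]
    n = len(entered)
    if n < field["min"] or (field["max"] is not None and n > field["max"]):
        raise ValueError("%s: %d characters, allowed %d..%s"
                         % (field["attribute"], n, field["min"], field["max"]))
    return entered


def build_subject(fields: list, answers: dict) -> list:
    """Combine answers (keyed by prompt position) into (attribute, value)
    pairs, dropping omitted fields; repeated attributes are kept in order."""
    subject = []
    for i, field in enumerate(fields):
        value = resolve(field, answers.get(i, ""))
        if value is not None:
            subject.append((field["attribute"], value))
    return subject


if __name__ == "__main__":
    for f in parse_dn_section(SAMPLE_SECTION):
        print(f)
```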
4789 Examine and verify a certificate request:
4791 .Dl $ openssl req -in req.pem -text -verify -noout
4793 Create a private key and then generate a certificate request from it:
4794 .Bd -literal -offset indent
4795 $ openssl genrsa -out key.pem 2048
4796 $ openssl req -new -key key.pem -out req.pem
4799 The same but just using req:
4801 .Dl $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
4803 Generate a self-signed root certificate:
4805 .Dl "$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem"
4807 Example of a file pointed to by the
4810 .Bd -unfilled -offset indent
4811 1.2.3.4 shortName A longer Name
4812 1.2.3.6 otherName Other longer Name
4815 Example of a section pointed to by
4817 making use of variable expansion:
4818 .Bd -unfilled -offset indent
4820 testoid2=${testoid1}.6
4823 Sample configuration file prompting for field values:
4826 \& default_bits = 1024
4827 \& default_keyfile = privkey.pem
4828 \& distinguished_name = req_distinguished_name
4829 \& attributes = req_attributes
4830 \& x509_extensions = v3_ca
4832 \& dirstring_type = nobmp
4834 \& [ req_distinguished_name ]
4835 \& countryName = Country Name (2 letter code)
4836 \& countryName_default = AU
4837 \& countryName_min = 2
4838 \& countryName_max = 2
4840 \& localityName = Locality Name (eg, city)
4842 \& organizationalUnitName = Organizational Unit Name (eg, section)
4844 \& commonName = Common Name (eg, YOUR name)
4845 \& commonName_max = 64
4847 \& emailAddress = Email Address
4848 \& emailAddress_max = 40
4850 \& [ req_attributes ]
4851 \& challengePassword = A challenge password
4852 \& challengePassword_min = 4
4853 \& challengePassword_max = 20
4857 \& subjectKeyIdentifier=hash
4858 \& authorityKeyIdentifier=keyid:always,issuer:always
4859 \& basicConstraints = CA:true
4862 Sample configuration containing all field values:
4866 \& default_bits = 1024
4867 \& default_keyfile = keyfile.pem
4868 \& distinguished_name = req_distinguished_name
4869 \& attributes = req_attributes
4871 \& output_password = mypass
4873 \& [ req_distinguished_name ]
4875 \& ST = Test State or Province
4876 \& L = Test Locality
4877 \& O = Organization Name
4878 \& OU = Organizational Unit Name
4880 \& emailAddress = test@email.address
4882 \& [ req_attributes ]
4883 \& challengePassword = A challenge password
4886 The header and footer lines in the PEM format are normally:
4887 .Bd -unfilled -offset indent
4888 -----BEGIN CERTIFICATE REQUEST-----
4889 -----END CERTIFICATE REQUEST-----
4893 .Pq some versions of Netscape certificate server
4895 .Bd -unfilled -offset indent
4896 -----BEGIN NEW CERTIFICATE REQUEST-----
4897 -----END NEW CERTIFICATE REQUEST-----
4900 which is produced with the
4902 option but is otherwise compatible.
4903 Either form is accepted transparently on input.
4905 The certificate requests generated by Xenroll with MSIE have extensions added.
4908 extension which determines the type of key
4909 .Pq signature only or general purpose
4910 and any additional OIDs entered by the script in an
4911 .Em extendedKeyUsage
4914 The following messages are frequently asked about:
4915 .Bd -unfilled -offset indent
4916 Using configuration from /some/path/openssl.cnf
4917 Unable to load config info
4920 This is followed some time later by...
4921 .Bd -unfilled -offset indent
4922 unable to find 'distinguished_name' in config
4923 problems making Certificate Request
4926 The first error message is the clue: it can't find the configuration
4929 .Pq like examining a certificate request
4930 don't need a configuration file so its use isn't enforced.
4931 Generation of certificates or requests, however, does need a configuration file.
4932 This could be regarded as a bug.
4934 Another puzzling message is this:
4935 .Bd -unfilled -offset indent
4940 This is displayed when no attributes are present and the request includes
4941 the correct empty SET OF structure
4942 .Pq the DER encoding of which is 0xa0 0x00 .
4947 then the SET OF is missing and the encoding is technically invalid
4948 .Pq but it is tolerated .
4949 See the description of the command line option
4951 for more information.
4952 .Sh REQ ENVIRONMENT VARIABLES
4955 if defined, allows an alternative configuration
4956 file location to be specified; it will be overridden by the
4958 command line switch if it is present.
4960 .Nm OpenSSL Ns Li 's
4961 handling of T61Strings
4962 .Pq aka TeletexStrings
4963 is broken: it effectively treats them as ISO 8859-1
4965 Netscape and MSIE have similar behaviour.
4966 This can cause problems if you need characters that aren't available in
4967 .Em PrintableStrings
4968 and you don't want to or can't use
4971 As a consequence of the T61String handling, the only correct way to represent
4972 accented characters in
4976 unfortunately Netscape currently chokes on these.
4977 If you have to use accented characters with Netscape
4978 and MSIE then you currently need to use the invalid T61String form.
4980 The current prompting is not very friendly.
4981 It doesn't allow you to confirm what you've just entered.
4982 Other things, like extensions in certificate requests, are
4983 statically defined in the configuration file.
4984 Some of these, like an email address in
4985 .Em subjectAltName ,
4986 should be input by the user.
4995 .Fl aes128 | aes192 | aes256 |
5000 .Op Fl inform Ar DER | NET | PEM
5004 .Op Fl outform Ar DER | NET | PEM
5005 .Op Fl passin Ar arg
5006 .Op Fl passout Ar arg
5016 command processes RSA keys.
5017 They can be converted between various forms and their components printed out.
5020 this command uses the traditional
5022 compatible format for private key encryption:
5023 newer applications should use the more secure PKCS#8 format using the
5027 The options are as follows:
5030 .Fl aes128 | aes192 | aes256 |
5033 These options encrypt the private key with the AES, DES,
5034 or the triple DES ciphers, respectively, before outputting it.
5035 A pass phrase is prompted for.
5036 If none of these options are specified, the key is written in plain text.
5037 This means that using the
5039 utility to read in an encrypted key with no encryption option can be used
5040 to remove the pass phrase from a key, or by setting the encryption options
5041 it can be used to add or change the pass phrase.
5042 These options can only be used with PEM format output files.
5044 This option checks the consistency of an RSA private key.
5046 This specifies the input
5048 to read a key from, or standard input if this
5049 option is not specified.
5050 If the key is encrypted, a pass phrase will be prompted for.
5051 .It Fl inform Ar DER | NET | PEM
5052 This specifies the input format.
5056 uses an ASN1 DER-encoded form compatible with the PKCS#1
5057 RSAPrivateKey or SubjectPublicKeyInfo format.
5060 form is the default format: it consists of the DER format base64-encoded with
5061 additional header and footer lines.
5062 On input PKCS#8 format private keys are also accepted.
5065 form is a format described in the
5069 This option prevents output of the encoded version of the key.
5071 This option prints out the value of the modulus of the key.
5073 This specifies the output
5075 to write a key to, or standard output if this option is not specified.
5076 If any encryption options are set, a pass phrase will be prompted for.
5077 The output filename should
5079 be the same as the input filename.
5080 .It Fl outform Ar DER | NET | PEM
5081 This specifies the output format; the options have the same meaning as the
5084 .It Fl passin Ar arg
5085 The key password source.
5086 .It Fl passout Ar arg
5087 The output file password source.
5089 By default, a private key is read from the input file; with this
5090 option a public key is read instead.
5092 By default, a private key is output;
5093 with this option a public key will be output instead.
5094 This option is automatically set if the input is a public key.
5098 algorithm used with some versions of Microsoft IIS and SGC keys.
5100 Prints out the various public or private key components in
5101 plain text, in addition to the encoded version.
5104 The PEM private key format uses the header and footer lines:
5105 .Bd -unfilled -offset indent
5106 -----BEGIN RSA PRIVATE KEY-----
5107 -----END RSA PRIVATE KEY-----
5110 The PEM public key format uses the header and footer lines:
5111 .Bd -unfilled -offset indent
5112 -----BEGIN PUBLIC KEY-----
5113 -----END PUBLIC KEY-----
5118 form is a format compatible with older Netscape servers
5119 and Microsoft IIS .key files; this uses unsalted RC4 for its encryption.
5120 It is not very secure and so should only be used when necessary.
5122 Some newer versions of IIS have additional data in the exported .key files.
5123 To use these with the
5125 utility, view the file with a binary editor
5126 and look for the string
5128 then trace back to the byte sequence 0x30, 0x82
5129 .Pq this is an ASN1 SEQUENCE .
5130 Copy all the data from this point onwards to another file and use that as
5136 If there is an error after entering the password, try the
5140 To remove the pass phrase on an RSA private key:
5142 .Dl $ openssl rsa -in key.pem -out keyout.pem
5144 To encrypt a private key using triple DES:
5146 .Dl $ openssl rsa -in key.pem -des3 -out keyout.pem
5148 To convert a private key from PEM to DER format:
5150 .Dl $ openssl rsa -in key.pem -outform DER -out keyout.der
5152 To print out the components of a private key to standard output:
5154 .Dl $ openssl rsa -in key.pem -text -noout
5156 To just output the public part of a private key:
5158 .Dl $ openssl rsa -in key.pem -pubout -out pubkey.pem
5160 The command line password arguments don't currently work with
5164 There should be an option that automatically handles .key files,
5165 without having to manually edit them.
5171 .Nm "openssl rsautl"
5179 .Op Fl inkey Ar file
5180 .Op Fl keyform Ar DER | PEM
5181 .Op Fl oaep | pkcs | raw | ssl
5191 command can be used to sign, verify, encrypt and decrypt
5192 data using the RSA algorithm.
5194 The options are as follows:
5197 Asn1parse the output data; this is useful when combined with the
5201 The input is a certificate containing an RSA public key.
5203 Decrypt the input data using an RSA private key.
5205 Encrypt the input data using an RSA public key.
5207 Hex dump the output data.
5209 This specifies the input
5211 to read data from, or standard input
5212 if this option is not specified.
5213 .It Fl inkey Ar file
5214 The input key file; by default it should be an RSA private key.
5215 .It Fl keyform Ar DER | PEM
5219 .It Fl oaep | pkcs | raw | ssl
5221 PKCS#1 OAEP, PKCS#1 v1.5
5223 or no padding, respectively.
5224 For signatures, only
5230 Specifies the output
5232 to write to, or standard output by
5235 The input file is an RSA public key.
5237 Sign the input data and output the signed result.
5238 This requires an RSA private key.
5240 Verify the input data and output the recovered data.
5244 because it uses the RSA algorithm directly, can only be
5245 used to sign or verify small pieces of data.
5247 Sign some data using a private key:
5249 .Dl "$ openssl rsautl -sign -in file -inkey key.pem -out sig"
5251 Recover the signed data:
5253 .Dl $ openssl rsautl -verify -in sig -inkey key.pem
5255 Examine the raw signed data:
5257 .Li "\ \&$ openssl rsautl -verify -in file -inkey key.pem -raw -hexdump"
5259 \& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5260 \& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5261 \& 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5262 \& 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5263 \& 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5264 \& 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5265 \& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
5266 \& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world
5269 The PKCS#1 block formatting is evident from this.
5270 If this were done using encrypt and decrypt, the block would have been of type 2
5272 with random, non-zero padding bytes visible instead of the 0xff bytes.
5274 It is possible to analyse the signature of certificates using this
5275 utility in conjunction with
5277 Consider the self-signed example in
5278 .Pa certs/pca-cert.pem :
5283 .Li "\ \&$ openssl asn1parse -in pca-cert.pem"
5285 \& 0:d=0 hl=4 l= 742 cons: SEQUENCE
5286 \& 4:d=1 hl=4 l= 591 cons: SEQUENCE
5287 \& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
5288 \& 10:d=3 hl=2 l= 1 prim: INTEGER :02
5289 \& 13:d=2 hl=2 l= 1 prim: INTEGER :00
5290 \& 16:d=2 hl=2 l= 13 cons: SEQUENCE
5291 \& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
5292 \& 29:d=3 hl=2 l= 0 prim: NULL
5293 \& 31:d=2 hl=2 l= 92 cons: SEQUENCE
5294 \& 33:d=3 hl=2 l= 11 cons: SET
5295 \& 35:d=4 hl=2 l= 9 cons: SEQUENCE
5296 \& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
5297 \& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
5299 \& 599:d=1 hl=2 l= 13 cons: SEQUENCE
5300 \& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
5301 \& 612:d=2 hl=2 l= 0 prim: NULL
5302 \& 614:d=1 hl=3 l= 129 prim: BIT STRING
5305 The final BIT STRING contains the actual signature.
5306 It can be extracted with:
5308 .Dl "$ openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614"
5310 The certificate public key can be extracted with:
5312 .Dl $ openssl x509 -in pca-cert.pem -pubkey -noout \*(Gtpubkey.pem
5314 The signature can be analysed with:
5316 .Li "\ \&$ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin"
5318 \& 0:d=0 hl=2 l= 32 cons: SEQUENCE
5319 \& 2:d=1 hl=2 l= 12 cons: SEQUENCE
5320 \& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
5321 \& 14:d=2 hl=2 l= 0 prim: NULL
5322 \& 16:d=1 hl=2 l= 16 prim: OCTET STRING
5323 \& 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
5326 This is the parsed version of an ASN1
5329 It can be seen that the digest used was MD5.
5330 The actual part of the certificate that was signed can be extracted with:
5332 .Dl "$ openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4"
5334 and its digest computed with:
5336 .Dl $ openssl md5 -c tbs
5337 .D1 MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
5339 which agrees with the recovered value above.
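.Pp
The following Python program is an added example; it is not part of this
manual or of the OpenSSL sources.
It builds the PKCS#1 v1.5 type 1 block that
.Nm "openssl rsautl"
applies the private key to when signing, the type 2 block that encryption
uses, and the DigestInfo structure recovered above, and it checks a
recovered block strictly (block type, at least eight padding bytes, and the
0x00 separator), which is the check a verifier must perform instead of
searching for the first zero byte.
The 128-byte key size and the
.Qq hello world
input are taken from the dump above; the SHA-256 DigestInfo prefix goes
beyond this example and is included so the same code serves a current digest.
No RSA operation is performed.

```python
import hashlib
import os

# DER DigestInfo prefixes (RFC 3447, section 9.2, note 1). The MD5 entry is the
# 18-byte header in front of the 16-byte OCTET STRING in the -asn1parse output
# above; SHA-256 is added so the same code covers a current digest.
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def digest_info(alg, message):
    """DigestInfo = DER(AlgorithmIdentifier) || hash, the structure that
    'rsautl -verify -asn1parse' recovers from a certificate signature."""
    return DIGEST_INFO_PREFIX[alg] + hashlib.new(alg, message).digest()


def pkcs1_v15_type1_block(data, k):
    """EM = 0x00 || 0x01 || PS || 0x00 || data with PS all 0xff bytes: the
    block 'rsautl -sign' applies the private key to. k is the modulus size in
    bytes (128 for the 1024-bit key in the dump above)."""
    if len(data) > k - 11:
        raise ValueError("data too long for a type 1 block")
    return b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data


def pkcs1_v15_type2_block(data, k):
    """EM = 0x00 || 0x02 || PS || 0x00 || data with PS random non-zero bytes:
    the block 'rsautl -encrypt' produces, which is why a decrypted block shows
    random bytes where the signature block shows 0xff."""
    if len(data) > k - 11:
        raise ValueError("data too long for a type 2 block")
    ps = b""
    while len(ps) < k - len(data) - 3:
        ps += bytes(x for x in os.urandom(k) if x != 0)
    return b"\x00\x02" + ps[:k - len(data) - 3] + b"\x00" + data


def parse_type1_block(em, k):
    """Strictly check a recovered signature block and return its payload.
    The type byte, a padding string of at least 8 bytes and the 0x00 separator
    are all required; the payload length follows from the padding, not from
    the payload itself. A verifier that merely searches for the first 0x00
    after 0x01 and ignores trailing bytes accepts forged blocks."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad block type")
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:
        raise ValueError("bad padding")
    return em[i + 1:]


def block_is_valid(em, k):
    """Boolean form of parse_type1_block for callers that only need accept/reject."""
    try:
        parse_type1_block(em, k)
        return True
    except ValueError:
        return False


def hexdump(b):
    """Render bytes in the layout 'rsautl -hexdump' uses: offset, 8+8 hex bytes
    separated by '-', then the printable-ASCII column."""
    lines = []
    for off in range(0, len(b), 16):
        chunk = b[off:off + 16]
        left = " ".join("%02x" % x for x in chunk[:8])
        right = " ".join("%02x" % x for x in chunk[8:])
        sep = "-" if len(chunk) > 8 else " "
        asc = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
        lines.append("%04x - %-47s %s" % (off, left + sep + right, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    # Reproduce the 'hello world' dump above, then recover the payload.
    em = pkcs1_v15_type1_block(b"hello world", 128)
    print(hexdump(em))
    print("payload:", parse_type1_block(em, 128))
    print("DigestInfo(md5, b'abc'):", digest_info("md5", b"abc").hex())
```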
5345 .Nm "openssl s_client"
5349 .Op Fl CAfile Ar file
5350 .Op Fl CApath Ar directory
5353 .Op Fl cipher Ar cipherlist
5355 .Fl connect Ar host : Ns Ar port |
5356 .Ar host Ns / Ns Ar port
5359 .Op Fl crl_check_all
5364 .Op Fl ignore_critical
5365 .Op Fl issuer_checks
5366 .Op Fl key Ar keyfile
5377 .Op Fl proxy Ar host : Ns Ar port
5379 .Op Fl psk_identity Ar identity
5382 .Op Fl servername Ar name
5384 .Op Fl starttls Ar protocol
5390 .Op Fl verify Ar depth
5392 .Op Fl xmpphost Ar host
5398 command implements a generic SSL/TLS client which connects
5399 to a remote host using SSL/TLS.
5402 useful diagnostic tool for SSL servers.
5404 The options are as follows:
5409 should attempt connections using IPv4 only.
5413 should attempt connections using IPv6 only.
5415 There are several known bugs in SSL and TLS implementations.
5416 Adding this option enables various workarounds.
5417 .It Fl CAfile Ar file
5420 containing trusted certificates to use during server authentication
5421 and to use when attempting to build the client certificate chain.
5422 .It Fl CApath Ar directory
5425 to use for server certificate verification.
5426 This directory must be in
5430 for more information.
5431 These are also used when building the client certificate chain.
5433 The certificate to use, if one is requested by the server.
5434 The default is not to use a certificate.
5440 .Fl ignore_critical ,
5445 Set various certificate chain validation options.
5448 command for details.
5449 .It Fl cipher Ar cipherlist
5450 This allows the cipher list sent by the client to be modified.
5451 Although the server determines which cipher suite is used, it should take
5452 the first supported cipher in the list sent by the client.
5455 section above for more information.
5457 .Fl connect Ar host : Ns Ar port |
5458 .Ar host Ns / Ns Ar port
5465 If not specified, an attempt is made to connect to the local host
5467 Alternatively, the host and port pair may be separated using a forward-slash
5469 This form is useful for numeric IPv6 addresses.
5471 This option translates a line feed from the terminal into CR+LF as required
5474 Print extensive debugging information including a hex dump of all traffic.
5476 Inhibit shutting down the connection when end of file is reached in the
5478 .It Fl key Ar keyfile
5479 The private key to use.
5480 If not specified, the certificate file will be used.
5482 Show all protocol messages with hex dump.
5484 Turns on non-blocking I/O.
5486 Tests non-blocking I/O.
5487 .It Fl no_tls1 | no_tls1_1 | no_tls1_2
5488 By default, the initial handshake uses a method which should be compatible
5489 with servers supporting any version of TLS.
5490 These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
5492 Unfortunately there are a lot of ancient and broken servers in use which
5493 cannot handle this technique and will fail to connect.
5495 Disable RFC 4507 session ticket support.
5497 Pauses 1 second between each read and write call.
5499 Print session information when the program exits.
5500 This will always attempt
5501 to print out information even if the connection fails.
5502 Normally, information will only be printed out once if the connection succeeds.
5503 This option is useful because the cipher in use may be renegotiated
5504 or the connection may fail because a client certificate is required or is
5505 requested only after an attempt is made to access a certain URL.
5507 the output produced by this option is not always accurate because a
5508 connection might never have been established.
5509 .It Fl proxy Ar host : Ns Ar port
5510 Use the HTTP proxy at
5514 The connection to the proxy is done in cleartext and the
5516 argument is given to the proxy.
5517 If not specified, localhost is used as the final destination.
5518 After that, switch the connection through the proxy to the destination
5523 when using a PSK cipher suite.
5524 The key is given as a hexadecimal number without the leading 0x,
5525 for example -psk 1a2b3c4d.
5526 .It Fl psk_identity Ar identity
5527 Use the PSK identity
5529 when using a PSK cipher suite.
5531 Inhibit printing of session and certificate information.
5532 This implicitly turns on
5536 Reconnects to the same server 5 times using the same session ID; this can
5537 be used as a test that session caching is working.
5538 .It Fl servername Ar name
5539 Include the TLS Server Name Indication (SNI) extension in the ClientHello
5540 message, using the specified server
5543 Display the whole server certificate chain: normally only the server
5544 certificate itself is displayed.
5545 .It Fl starttls Ar protocol
5546 Send the protocol-specific message(s) to switch to TLS for communication.
5548 is a keyword for the intended protocol.
5549 Currently, the supported keywords are
5557 Prints out the SSL session states.
5558 .It Fl tls1 | tls1_1 | tls1_2
5559 Permit only TLS1.0, 1.1, or 1.2, respectively.
5561 Print out a hex dump of any TLS extensions received from the server.
5562 .It Fl verify Ar depth
5566 This specifies the maximum length of the
5567 server certificate chain and turns on server certificate verification.
5568 Currently the verify operation continues after errors so all the problems
5569 with a certificate chain can be seen.
5570 As a side effect the connection will never fail due to a server
5571 certificate verify failure, so the verify error lines and the Verify return code printed with the session information must be checked instead.
5572 .It Fl xmpphost Ar hostname
5573 This option, when used with
5574 .Fl starttls Ar xmpp ,
5575 specifies the host for the "to" attribute of the stream element.
5576 If this option is not specified then the host specified with
5580 .Sh S_CLIENT CONNECTED COMMANDS
5581 If a connection is established with an SSL server, any data received
5582 from the server is displayed and any key presses will be sent to the
5584 When used interactively (which means neither
5588 have been given), the session will be renegotiated if the line begins with an
5590 if the line begins with a
5592 or if end of file is reached, the connection will be closed down.
5595 can be used to debug SSL servers.
5596 To connect to an SSL HTTP server the command:
5598 .Dl $ openssl s_client -connect servername:443
5600 would typically be used
5601 .Pq HTTPS uses port 443 .
5602 If the connection succeeds, an HTTP command can be given such as
5604 to retrieve a web page.
5606 If the handshake fails, there are several possible causes; if it is
5607 nothing obvious like no client certificate, then the
5608 .Fl bugs , tls1 , tls1_1 , tls1_2 , no_tls1 , no_tls1_1 ,
5611 options can be tried in case it is a buggy server.
5613 A frequent problem when attempting to get client certificates working
5614 is that a web client complains it has no certificates or gives an empty
5615 list to choose from.
5616 This is normally because the server is not sending the client's certificate
5618 .Qq acceptable CA list
5619 when it requests a certificate.
5622 the CA list can be viewed and checked.
5623 However some servers only request client authentication
5624 after a specific URL is requested.
5625 To obtain the list in this case it is necessary to use the
5627 option and send an HTTP request for an appropriate page.
5629 If a certificate is specified on the command line using the
5631 option, it will not be used unless the server specifically requests
5632 a client certificate.
5633 Therefore merely including a client certificate
5634 on the command line is no guarantee that the certificate works.
5636 If there are problems verifying a server certificate, the
5638 option can be used to show the whole chain.
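.Pp
The following Python program is an added example; it is not part of this
manual or of the OpenSSL sources.
Because
.Fl verify
never makes the handshake fail, a script wrapping
.Nm "openssl s_client"
has to read the
.Qq Verify return code
line and the
.Qq verify error
lines itself; the program does that, and deliberately drops the Master-Key
line that
.Nm "openssl s_client"
prints with the session information, since a log containing it can decrypt
a capture of the session.
The two sample outputs are constructed for the example, and
.Fn check_server
assumes an
.Nm openssl
binary on the path and is not run by the checks.

```python
import re
import subprocess

# Constructed sample of s_client output for a chain that verified. The
# SSL-Session block has the same layout as the sess_id output in this manual;
# the session ID and master key are made-up test values.
SAMPLE_OK = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Root, CN = Example Root CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Example Root/CN=Example Root CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
    Session-ID-ctx:
    Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
    Start Time: 948459261
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
"""

# Constructed sample for a chain that did not verify: s_client still completes
# the handshake and prints session information, only the code differs.
SAMPLE_BAD = """\
CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
---
"""


def parse_s_client_output(text):
    """Extract the verification result and negotiated parameters from s_client
    output. The Master-Key line is intentionally not retained: a log holding it
    is enough to decrypt a capture of the session."""
    info = {"verify_code": None, "verify_text": None, "protocol": None,
            "cipher": None, "session_id": None, "depth_errors": []}
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_text"] = m.group(2)
    for key, pattern in (("protocol", r"^\s*Protocol\s*:\s*(\S+)"),
                         ("cipher", r"^\s*Cipher\s*:\s*(\S+)"),
                         ("session_id", r"^\s*Session-ID:\s*([0-9A-Fa-f]+)")):
        m = re.search(pattern, text, re.M)
        if m:
            info[key] = m.group(1)
    # Each failing depth produces a 'verify error:num=NN:...' line (on stderr
    # in practice); keep them all, since the final code only reflects the last.
    info["depth_errors"] = re.findall(r"^verify error:num=(\d+):(.*)$", text, re.M)
    return info


def server_verified(text):
    """True only for 'Verify return code: 0 (ok)' with no per-depth errors.
    A completed handshake says nothing about the chain: -verify never fails
    the connection, so a script has to look at this line."""
    info = parse_s_client_output(text)
    return info["verify_code"] == 0 and not info["depth_errors"]


def check_server(host, port=443, cafile=None):
    """Run s_client with SNI against a live host (not executed by the checks;
    assumes an openssl binary on PATH) and return (verified, parsed info).
    stdout and stderr are joined because the depth/verify error lines go to
    stderr while the session block goes to stdout."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-verify", "5"]
    if cafile:
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30)
    out = proc.stdout + proc.stderr
    return server_verified(out), parse_s_client_output(out)
```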
5640 Compression methods are only supported for
5643 Because this program has a lot of options and also because some of
5644 the techniques used are rather old, the C source of
5646 is rather hard to read and not a model of how things should be done.
5647 A typical SSL client program would be much simpler.
5651 option should really exit if the server verification fails.
5655 option is a bit of a hack.
5656 We should really report information whenever a session is renegotiated.
5662 .Nm "openssl s_server"
5664 .Op Fl accept Ar port
5666 .Op Fl CAfile Ar file
5667 .Op Fl CApath Ar directory
5669 .Op Fl cipher Ar cipherlist
5670 .Op Fl context Ar id
5672 .Op Fl crl_check_all
5674 .Op Fl dcert Ar file
5676 .Op Fl dhparam Ar file
5680 .Op Fl id_prefix Ar arg
5681 .Op Fl key Ar keyfile
5692 .Op Fl psk_hint Ar hint
5699 .Op Fl Verify Ar depth
5700 .Op Fl verify Ar depth
5708 command implements a generic SSL/TLS server which listens
5709 for connections on a given port using SSL/TLS.
5711 The options are as follows:
5713 .It Fl accept Ar port
5716 to listen on for connections.
5717 If not specified, 4433 is used.
5719 There are several known bugs in SSL and TLS implementations.
5720 Adding this option enables various workarounds.
5721 .It Fl CAfile Ar file
5722 A file containing trusted certificates to use during client authentication
5723 and to use when attempting to build the server certificate chain.
5724 The list is also used in the list of acceptable client CAs passed to the
5725 client when a certificate is requested.
5726 .It Fl CApath Ar directory
5729 to use for client certificate verification.
5730 This directory must be in
5734 for more information.
5735 These are also used when building the server certificate chain.
5737 The certificate to use; most server cipher suites require the use of a
5738 certificate and some require a certificate with a certain public key type:
5739 for example the DSS cipher suites require a certificate containing a DSS
5742 If not specified, the file
5745 .It Fl cipher Ar cipherlist
5746 This allows the cipher list used by the server to be modified.
5747 When the client sends a list of supported ciphers, the first client cipher
5748 also included in the server list is used.
5749 Because the client specifies the preference order, the order of the server
5750 cipherlist is irrelevant unless the -serverpref option is given.
5753 section for more information.
5754 .It Fl context Ar id
5755 Sets the SSL context ID.
5756 It can be given any string value.
5757 If this option is not present, a default value will be used.
5758 .It Fl crl_check , crl_check_all
5759 Check the peer certificate has not been revoked by its CA.
5760 The CRLs are appended to the certificate file.
5763 option, all CRLs of all CAs in the chain are checked.
5765 This option translates a line feed from the terminal into CR+LF.
5766 .It Fl dcert Ar file , Fl dkey Ar file
5767 Specify an additional certificate and private key; these behave in the
5772 options except there is no default if they are not specified
5773 .Pq no additional certificate or key is used .
5774 As noted above some cipher suites require a certificate containing a key of
5776 Some cipher suites need a certificate carrying an RSA key
5780 By using RSA and DSS certificates and keys,
5781 a server can support clients which only support RSA or DSS cipher suites
5782 by using an appropriate certificate.
5784 Print extensive debugging information including a hex dump of all traffic.
5785 .It Fl dhparam Ar file
5786 The DH parameter file to use.
5787 The ephemeral DH cipher suites generate keys
5788 using a set of DH parameters.
5789 If not specified, an attempt is made to
5790 load the parameters from the server certificate file.
5791 If this fails, a static set of parameters hard coded into the
5793 program will be used.
5795 This option enables a further workaround for some early Netscape
5799 Emulates a simple web server.
5800 Pages will be resolved relative to the current directory;
5801 for example if the URL
5802 .Pa https://myhost/page.html
5803 is requested, the file
5806 The files loaded are assumed to contain a complete and correct HTTP
5807 response (lines that are part of the HTTP response line and headers
5808 must end with CRLF).
5809 .It Fl id_prefix Ar arg
5810 Generate SSL/TLS session IDs prefixed by
5812 This is mostly useful for testing any SSL/TLS code
5814 that wish to deal with multiple servers, each of which might be
5815 generating a unique range of session IDs
5816 .Pq e.g. with a certain prefix .
5817 .It Fl key Ar keyfile
5818 The private key to use.
5819 If not specified, the certificate file will be used.
5821 Show all protocol messages with hex dump.
5823 Turns on non-blocking I/O.
5825 Tests non-blocking I/O.
5827 If this option is set, no DH parameters will be loaded, effectively
5828 disabling the ephemeral DH cipher suites.
5829 .It Fl no_tls1 | no_tls1_1 | no_tls1_2
5830 By default, the initial handshake uses a method which should be compatible
5831 with clients supporting any version of TLS.
5832 These options disable the use of TLS1.0, 1.1, and 1.2, respectively.
5834 Certain export cipher suites sometimes use a temporary RSA key; this option
5835 disables temporary RSA key generation.
5837 If this option is set, no certificate is used.
5838 This restricts the cipher suites available to the anonymous ones
5839 .Pq currently just anonymous DH .
5843 when using a PSK cipher suite.
5844 The key is given as a hexadecimal number without the leading 0x,
5845 for example -psk 1a2b3c4d.
5846 .It Fl psk_hint Ar hint
5847 Use the PSK identity hint
5849 when using a PSK cipher suite.
5851 Inhibit printing of session and certificate information.
5853 Use server's cipher preferences.
5855 Prints out the SSL session states.
5856 .It Fl tls1 | tls1_1 | tls1_2
5857 Permit only TLS1.0, 1.1, or 1.2, respectively.
5859 Emulates a simple web server.
5860 Pages will be resolved relative to the current directory;
5861 for example if the URL
5862 .Pa https://myhost/page.html
5863 is requested, the file
5867 Sends a status message back to the client when it connects.
5868 This includes lots of information about the ciphers used and various
5870 The output is in HTML format so this option will normally be used with a
5872 .It Fl Verify Ar depth , Fl verify Ar depth
5876 This specifies the maximum length of the client certificate chain
5877 and makes the server request a certificate from the client.
5880 option, the client must supply a certificate or an error occurs.
5883 option, a certificate is requested but the client does not have to send one.
5885 .Sh S_SERVER CONNECTED COMMANDS
5886 If a connection request is established with an SSL client and neither the
5890 option has been used, then normally any data received
5891 from the client is displayed and any key presses will be sent to the client.
5893 Certain single letter commands are also recognized which perform special
5894 operations: these are listed below.
5895 .Bl -tag -width "XXXX"
5897 Send some plain text down the underlying TCP connection: this should
5898 cause the client to disconnect due to a protocol violation.
5900 End the current SSL connection and exit.
5902 End the current SSL connection, but still accept new connections.
5904 Renegotiate the SSL session and request a client certificate.
5906 Renegotiate the SSL session.
5908 Print out some session cache status information.
5912 can be used to debug SSL clients.
5913 To accept connections from a web browser the command:
5915 .Dl $ openssl s_server -accept 443 -www
5917 can be used, for example.
5920 .Pq in particular Netscape and MSIE
5921 only support RSA cipher suites, so they cannot connect to servers
5922 which don't use a certificate carrying an RSA key or a version of
5926 Although specifying an empty list of CAs when requesting a client certificate
5927 is strictly speaking a protocol violation, some SSL
5928 clients interpret this to mean any CA is acceptable.
5929 This is useful for debugging purposes.
5931 The session parameters can be printed out using the
5935 Because this program has a lot of options and also because some of
5936 the techniques used are rather old, the C source of
5938 is rather hard to read and not a model of how things should be done.
5939 A typical SSL server program would be much simpler.
5941 The output of common ciphers is wrong: it just gives the list of ciphers that
5943 recognizes and the client supports.
5945 There should be a way for the
5947 program to print out details of any
5948 unknown cipher suites a client says it supports.
5954 .Nm "openssl s_time"
5957 .Op Fl CAfile Ar file
5958 .Op Fl CApath Ar directory
5960 .Op Fl cipher Ar cipherlist
5961 .Op Fl connect Ar host : Ns Ar port
5962 .Op Fl key Ar keyfile
5967 .Op Fl time Ar seconds
5968 .Op Fl verify Ar depth
5975 command implements a generic SSL/TLS client which connects to a
5976 remote host using SSL/TLS.
5977 It can request a page from the server and includes
5978 the time to transfer the payload data in its timing measurements.
5979 It measures the number of connections within a given timeframe,
5980 the amount of data transferred
5982 and calculates the average time spent for one connection.
5984 The options are as follows:
5987 There are several known bugs in SSL and TLS implementations.
5988 Adding this option enables various workarounds.
5989 .It Fl CAfile Ar file
5990 A file containing trusted certificates to use during server authentication
5991 and to use when attempting to build the client certificate chain.
5992 .It Fl CApath Ar directory
5993 The directory to use for server certificate verification.
5994 This directory must be in
5998 for more information.
5999 These are also used when building the client certificate chain.
6001 The certificate to use, if one is requested by the server.
6002 The default is not to use a certificate.
6003 The file is in PEM format.
6004 .It Fl cipher Ar cipherlist
6005 This allows the cipher list sent by the client to be modified.
6006 Although the server determines which cipher suite is used,
6007 it should take the first supported cipher in the list sent by the client.
6010 command for more information.
6011 .It Fl connect Ar host : Ns Ar port
6012 This specifies the host and optional port to connect to.
6013 .It Fl key Ar keyfile
6014 The private key to use.
6015 If not specified, the certificate file will be used.
6016 The file is in PEM format.
6018 Turns on non-blocking I/O.
6020 Performs the timing test using a new session ID for each connection.
6026 they are both on by default and executed in sequence.
6028 Shut down the connection without sending a
6030 shutdown alert to the server.
6032 Performs the timing test using the same session ID;
6033 this can be used as a test that session caching is working.
6039 they are both on by default and executed in sequence.
6040 .It Fl time Ar seconds
6044 should establish connections and
6045 optionally transfer payload data from a server.
6046 The default is 30 seconds.
6047 Server and client performance and the link speed
6048 determine how many connections
6051 .It Fl verify Ar depth
6052 The verify depth to use.
6053 This specifies the maximum length of the server certificate chain
6054 and turns on server certificate verification.
6055 Currently the verify operation continues after errors, so all the problems
6056 with a certificate chain can be seen.
6058 the connection will never fail due to a server certificate verify failure.
6060 This specifies the page to GET from the server.
6063 gets the index.htm[l] page.
6064 If this parameter is not specified,
6066 will only perform the handshake to establish SSL connections
6067 but not transfer any payload data.
6071 can be used to measure the performance of an SSL connection.
6072 To connect to an SSL HTTP server and get the default page the command
6073 .Bd -literal -offset indent
6074 $ openssl s_time -connect servername:443 -www / -CApath yourdir \e
6075 -CAfile yourfile.pem -cipher commoncipher
6078 would typically be used
6079 .Pq HTTPS uses port 443 .
6081 is a cipher to which both client and server can agree;
6084 command for details.
6086 If the handshake fails, there are several possible causes:
6087 if it is nothing obvious like no client certificate, the
6089 option can be tried in case it is a buggy server.
6091 A frequent problem when attempting to get client certificates working
6092 is that a web client complains it has no certificates or gives an empty
6093 list to choose from.
6094 This is normally because the server is not sending
6095 the client's certificate authority in its
6096 .Qq acceptable CA list
6097 when it requests a certificate.
6100 the CA list can be viewed and checked.
6101 However some servers only request client authentication
6102 after a specific URL is requested.
6103 To obtain the list in this case, it is necessary to use the
6107 and send an HTTP request for an appropriate page.
6109 If a certificate is specified on the command line using the
6112 it will not be used unless the server specifically requests
6113 a client certificate.
6114 Therefore merely including a client certificate
6115 on the command line is no guarantee that the certificate works.
6117 Because this program does not have all the options of the
6119 program to turn protocols on and off,
6120 you may not be able to measure the performance
6121 of all protocols with all servers.
6125 option should really exit if the server verification fails.
6131 .Nm "openssl sess_id"
6134 .Op Fl context Ar ID
6136 .Op Fl inform Ar DER | PEM
6139 .Op Fl outform Ar DER | PEM
6146 program processes the encoded version of the SSL session structure and
6147 optionally prints out SSL session details
6148 .Pq for example the SSL session master key
6149 in human readable format.
6150 Since this is a diagnostic tool that needs some knowledge of the SSL
6151 protocol to use properly, most users will not need to use it.
6153 The options are as follows:
6156 If a certificate is present in the session,
6157 it will be output using this option;
6160 option is also present, then it will be printed out in text form.
6161 .It Fl context Ar ID
6162 This option can set the session ID so the output session information uses the
6167 can be any string of characters.
6168 This option won't normally be used.
6170 This specifies the input
6172 to read session information from, or standard input by default.
6173 .It Fl inform Ar DER | PEM
6174 This specifies the input format.
6177 argument uses an ASN1 DER-encoded
6178 format containing session details.
6179 The precise format can vary from one version to the next.
6182 form is the default format: it consists of the DER
6183 format base64-encoded with additional header and footer lines.
6185 This option prevents output of the encoded version of the session.
6187 This specifies the output
6189 to write session information to, or standard
6190 output if this option is not specified.
6191 .It Fl outform Ar DER | PEM
6192 This specifies the output format; the options have the same meaning as the
6196 Prints out the session details, listed below, in
6197 plain text in addition to the encoded version.
6205 Session-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
6206 Session-ID-ctx: 01000000
6207 Master-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
6209 Start Time: 948459261
6211 Verify return code 0 (ok)
6214 These are described below in more detail.
6216 .Bl -tag -width "Verify return code " -compact
6218 This is the protocol in use.
6220 The cipher used is the actual raw SSL or TLS cipher code;
6221 see the SSL or TLS specifications for more information.
6223 The SSL session ID in hex format.
6224 .It Ar Session-ID-ctx
6225 The session ID context in hex format.
6227 This is the SSL session master key.
6229 The key argument; this is only used in SSL v2.
6231 This is the session start time, represented as an integer in standard
6235 The timeout in seconds.
6236 .It Ar Verify return code
6237 This is the return code when an SSL client certificate is verified.
6240 The PEM-encoded session format uses the header and footer lines:
6241 .Bd -unfilled -offset indent
6242 -----BEGIN SSL SESSION PARAMETERS-----
6243 -----END SSL SESSION PARAMETERS-----
6246 Since the SSL session output contains the master key, anyone who obtains
6247 it can decrypt a recorded copy of that session.
6248 Therefore appropriate security precautions
6249 should be taken if the information is being output by a
6252 This is, however, strongly discouraged and should only be used for
6255 The cipher and start time should be printed out in human readable form.
6264 .Fl aes128 | aes192 | aes256 | des |
6265 .Fl des3 | rc2-40 | rc2-64 | rc2-128
6268 .Op Fl CAfile Ar file
6269 .Op Fl CApath Ar directory
6270 .Op Fl certfile Ar file
6272 .Op Fl content Ar file
6274 .Op Fl crl_check_all
6279 .Op Fl ignore_critical
6282 .Op Fl inform Ar DER | PEM | SMIME
6283 .Op Fl inkey Ar file
6284 .Op Fl issuer_checks
6285 .Op Fl keyform Ar PEM
6296 .Op Fl outform Ar DER | PEM | SMIME
6297 .Op Fl passin Ar arg
6300 .Op Fl recip Ar file
6303 .Op Fl signer Ar file
6319 It can encrypt, decrypt, sign, and verify
6323 There are six operation options that set the type of operation to be performed.
6324 The meaning of the other options varies according to the operation type.
6326 The six operation options are as follows:
6327 .Bl -tag -width "XXXX"
6329 Decrypt mail using the supplied certificate and private key.
6330 Expects an encrypted mail message in
6332 format for the input file.
6333 The decrypted mail is written to the output file.
6335 Encrypt mail for the given recipient certificates.
6336 Input file is the message to be encrypted.
6337 The output file is the encrypted mail in
6341 Takes an input message and writes out a PEM-encoded PKCS#7 structure.
6343 Resign a message: take an existing message and one or more new signers.
6345 Sign mail using the supplied certificate and private key.
6346 Input file is the message to be signed.
6347 The signed message in
6349 format is written to the output file.
6352 Expects a signed mail message on input and outputs the signed data.
6353 Both clear text and opaque signing are supported.
6356 The remaining options are as follows:
6357 .Bl -tag -width "XXXX"
6359 .Fl aes128 | aes192 | aes256 | des |
6360 .Fl des3 | rc2-40 | rc2-64 | rc2-128
6362 The encryption algorithm to use.
6363 128-, 192-, or 256-bit AES,
6368 or 40-, 64-, or 128-bit RC2, respectively;
6369 if not specified, 40-bit RC2 (which provides no meaningful protection against brute-force key search) is
6374 Normally, the input message is converted to
6376 format which is effectively using CR and LF as end of line \-
6380 When this option is present no translation occurs.
6381 This is useful when handling binary data which may not be in
6384 .It Fl CAfile Ar file
6387 containing trusted CA certificates; only used with
6389 .It Fl CApath Ar directory
6392 containing trusted CA certificates; only used with
6394 This directory must be a standard certificate directory:
6395 that is, a hash of each subject name (using
6397 should be linked to each certificate.
6399 One or more certificates of message recipients: used when encrypting
6401 .It Fl certfile Ar file
6402 Allows additional certificates to be specified.
6403 When signing, these will be included with the message.
6404 When verifying, these will be searched for the signers' certificates.
6405 The certificates should be in PEM format.
6411 .Fl ignore_critical ,
6416 Set various certificate chain validation options.
6419 command for details.
6420 .It Fl content Ar file
6421 This specifies a file containing the detached content.
6422 This is only useful with the
6425 This is only usable if the PKCS#7 structure is using the detached
6426 signature form where the content is not included.
6427 This option will override any content if the input format is
6429 and it uses the multipart/signed
6437 The relevant mail headers.
6438 These are included outside the signed
6439 portion of a message so they may be included manually.
6442 mail clients check that the signer's certificate email
6443 address matches the From: address.
6445 The input message to be encrypted or signed or the
6448 be decrypted or verified.
6450 Enable streaming I/O for encoding operations.
6451 This permits single pass processing of data without
6452 the need to hold the entire contents in memory,
6453 potentially supporting very large files.
6454 Streaming is automatically set for S/MIME signing with detached
6455 data if the output format is SMIME;
6456 it is currently off by default for all other operations.
6457 .It Fl inform Ar DER | PEM | SMIME
6458 This specifies the input format for the PKCS#7 structure.
6467 format change this to expect PEM and DER format PKCS#7 structures
6469 This currently only affects the input format of the PKCS#7
6470 structure; if no PKCS#7 structure is being input (for example with
6474 this option has no effect.
6475 .It Fl inkey Ar file
6476 The private key to use when signing or decrypting.
6477 This must match the corresponding certificate.
6478 If this option is not specified, the private key must be included
6479 in the certificate file specified with
6486 this option can be used multiple times to specify successive keys.
6487 .It Fl keyform Ar PEM
6488 Input private key format.
6490 The digest algorithm to use when signing or resigning.
6491 If not present then the default digest algorithm for the signing key is used
6494 Normally, when a message is signed a set of attributes are included which
6495 include the signing time and supported symmetric algorithms.
6496 With this option they are not included.
6498 When signing a message, the signer's certificate is normally included;
6499 with this option it is excluded.
6500 This will reduce the size of the signed message but the verifier must
6501 have a copy of the signer's certificate available locally (passed using the
6503 option, for example).
6505 Do not do chain verification of signers' certificates: that is,
6506 don't use the certificates in the signed message as untrusted CAs.
6508 When signing a message use opaque signing: this form is more resistant
6509 to translation by mail relays but it cannot be read by mail agents that
6512 Without this option cleartext signing with the
6514 type multipart/signed is used.
6516 Disable streaming I/O where it would produce an encoding of indefinite length.
6517 This option currently has no effect.
6518 In future streaming will be enabled by default on all relevant operations
6519 and this option will disable it.
6521 When verifying a message, normally certificates
6523 included in the message are searched for the signing certificate.
6524 With this option, only the certificates specified in the
6527 The supplied certificates can still be used as untrusted CAs however.
6529 Don't try to verify the signatures on the message.
6531 Do not verify the signer's certificate of a signed message.
6533 The message text that has been decrypted or verified, or the output
6535 format message that has been signed or verified.
6536 .It Fl outform Ar DER | PEM | SMIME
6537 This specifies the output format for the PKCS#7 structure.
6546 format change this to write PEM and DER format PKCS#7 structures
6548 This currently only affects the output format of the PKCS#7
6549 structure; if no PKCS#7 structure is being output (for example with
6553 this option has no effect.
6554 .It Fl passin Ar arg
6555 The key password source.
6556 .It Fl recip Ar file
6557 The recipient's certificate when decrypting a message.
6559 must match one of the recipients of the message or an error occurs.
6560 .It Fl signer Ar file
6561 A signing certificate when signing or resigning a message;
6562 this option can be used multiple times if more than one signer is required.
6563 If a message is being verified, the signer's certificates will be
6564 written to this file if the verification was successful.
6569 This option adds plain text
6572 headers to the supplied message if encrypting or signing.
6573 If decrypting or verifying, it strips off text headers:
6574 if the decrypted or verified message is not of
6576 type text/plain then an error occurs.
6581 message must be sent without any blank lines between the
6582 headers and the output.
6583 Some mail programs will automatically add a blank line.
6584 Piping the mail directly to an MTA is one way to
6585 achieve the correct format.
6587 The supplied message to be signed or encrypted must include the
6592 clients won't display it properly
6596 option to automatically add plain text headers.
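The header handling of the -text option and the blank-line problem above, modelled in Python with the standard library's email parser. This is an added example, not OpenSSL's code: the function names (add_text_headers, strip_text_headers, mime_headers_in_body) and the sample messages are constructed here; the text/plain check mirrors what the -text option is documented to enforce.

```python
from email import message_from_bytes


def add_text_headers(body: bytes) -> bytes:
    """What -text does before signing or encrypting: put a text/plain MIME
    header block (CRLF terminated, as S/MIME output is) in front of the content."""
    return b"Content-Type: text/plain\r\n\r\n" + body


def strip_text_headers(content: bytes) -> bytes:
    """What -text does after decrypting or verifying: remove the MIME headers,
    failing when there is no content type or it is not text/plain."""
    msg = message_from_bytes(content)
    ctype = msg.get("Content-Type")
    if ctype is None:
        raise ValueError("no content type header")
    if ctype.split(";", 1)[0].strip().lower() != "text/plain":
        raise ValueError(f"invalid MIME type {ctype.strip()!r}, expected text/plain")
    return msg.get_payload(decode=True)


def mime_headers_in_body(mail: bytes) -> bool:
    """Spot the blank-line problem: if a mail program inserted an empty line
    between its own headers and the openssl output, the Content-Type that
    openssl wrote is now the first line of the body, and the recipient's
    client shows the S/MIME structure as text instead of interpreting it."""
    msg = message_from_bytes(mail)
    if msg.get("Content-Type") is not None:
        return False
    body = msg.get_payload()
    if not isinstance(body, str):
        return False
    first = body.lstrip("\r\n").split("\n", 1)[0].strip().lower()
    return first.startswith(("content-type:", "mime-version:"))
```

Running a message through add_text_headers and strip_text_headers returns the original body; a message whose content type is not text/plain is rejected at the stripping step, which is the error the text describes. mime_headers_in_body is the check to run on a composed mail before handing it to the MTA.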
6599 .Qq signed and encrypted
6600 message is one where a signed message is then encrypted.
6601 This can be produced by encrypting an already signed message:
6606 This version of the program only allows one signer per message, but it
6607 will verify multiple signers on received messages.
6610 clients choke if a message contains multiple signers.
6611 It is possible to sign messages
6613 by signing an already signed message.
6619 reflect common usage in
6622 Strictly speaking these process PKCS#7 enveloped data: PKCS#7
6623 encrypted data is used for other purposes.
6627 option uses an existing message digest when adding a new signer.
6628 This means that attributes must be present in at least one existing
6629 signer using the same message digest or this operation will fail.
6635 options enable experimental streaming I/O support.
6636 As a result the encoding is BER using indefinite length constructed encoding
6638 Streaming is supported for the
6642 operations if the content is not detached.
6644 Streaming is always used for the
6646 operation with detached data
6647 but since the content is no longer part of the PKCS#7 structure
6648 the encoding remains DER.
6649 .Sh SMIME EXIT CODES
6650 .Bl -tag -width "XXXX"
6652 The operation was completely successful.
6654 An error occurred parsing the command options.
6656 One of the input files could not be read.
6658 An error occurred creating the PKCS#7 file or when reading the
6662 An error occurred decrypting or verifying the message.
6664 The message was verified correctly, but an error occurred writing out
6665 the signer's certificates.
6668 Create a cleartext signed message:
6669 .Bd -literal -offset indent
6670 $ openssl smime -sign -in message.txt -text -out mail.msg \e
6674 Create an opaque signed message:
6675 .Bd -literal -offset indent
6676 $ openssl smime -sign -in message.txt -text -out mail.msg \e
6677 -nodetach -signer mycert.pem
6680 Create a signed message, include some additional certificates and
6681 read the private key from another file:
6682 .Bd -literal -offset indent
6683 $ openssl smime -sign -in in.txt -text -out mail.msg \e
6684 -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
6687 Create a signed message with two signers:
6688 .Bd -literal -offset indent
6689 $ openssl smime -sign -in message.txt -text -out mail.msg \e
6690 -signer mycert.pem -signer othercert.pem
6693 Send a signed message under
6698 .Bd -literal -offset indent
6699 $ openssl smime -sign -in in.txt -text -signer mycert.pem \e
6700 -from steve@openssl.org -to someone@somewhere \e
6701 -subject "Signed message" | sendmail someone@somewhere
6704 Verify a message and extract the signer's certificate if successful:
6705 .Bd -literal -offset indent
6706 $ openssl smime -verify -in mail.msg -signer user.pem \e
6710 Send encrypted mail using triple DES:
6711 .Bd -literal -offset indent
6712 $ openssl smime -encrypt -in in.txt -from steve@openssl.org \e
6713 -to someone@somewhere -subject "Encrypted message" \e
6714 -des3 -out mail.msg user.pem
6717 Sign and encrypt mail:
6718 .Bd -literal -offset indent
6719 $ openssl smime -sign -in ml.txt -signer my.pem -text | \e
6720 openssl smime -encrypt -out mail.msg \e
6721 -from steve@openssl.org -to someone@somewhere \e
6722 -subject "Signed and Encrypted message" -des3 user.pem
6726 The encryption command does not include the
6728 option because the message being encrypted already has
6733 .Bd -literal -offset indent
6734 $ openssl smime -decrypt -in mail.msg -recip mycert.pem \e
6738 The output from Netscape form signing is a PKCS#7 structure with the
6739 detached signature format.
6740 You can use this program to verify the signature by line wrapping the
6741 base64-encoded structure and surrounding it with:
6742 .Bd -unfilled -offset indent
6743 -----BEGIN PKCS7-----
6747 and using the command:
6748 .Bd -literal -offset indent
6749 $ openssl smime -verify -inform PEM -in signature.pem \e
6750 -content content.txt
6753 Alternatively, you can base64 decode the signature and use:
6754 .Bd -literal -offset indent
6755 $ openssl smime -verify -inform DER -in signature.der \e
6756 -content content.txt
6759 Create an encrypted message using 128-bit AES:
6760 .Bd -literal -offset indent
6761 $ openssl smime -encrypt -in plain.txt -aes128 \e
6762 -out mail.msg cert.pem
6765 Add a signer to an existing message:
6766 .Bd -literal -offset indent
6767 $ openssl smime -resign -in mail.msg -signer newsign.pem \e
6773 parser isn't very clever: it seems to handle most messages that I've thrown
6774 at it, but it may choke on others.
6776 The code currently will only write out the signer's certificate to a file:
6777 if the signer has a separate encryption certificate this must be manually
6779 There should be some heuristic that determines the correct encryption
6782 Ideally, a database should be maintained of a certificate for each email
6785 The code doesn't currently take note of the permitted symmetric encryption
6786 algorithms as supplied in the
6787 .Em SMIMECapabilities
6789 This means the user has to manually include the correct encryption algorithm.
6790 It should store the list of permitted ciphers in a database and only use those.
6792 No revocation checking is done on the signer's certificate.
6794 The current code can only handle
6796 v2 messages; the more complex
6798 v3 structures may cause parsing errors.
6804 command were first added in
6824 .Op Cm chacha20-poly1305
6849 .Op Fl multi Ar number
6855 command is used to test the performance of cryptographic algorithms.
6856 .Bl -tag -width "XXXX"
6857 .It Bq Cm zero or more test algorithms
6858 If any options are given,
6860 tests those algorithms, otherwise all of the above are tested.
6862 Time decryption instead of encryption
6865 Measure time in real time instead of CPU user time.
6870 Produce machine readable output.
6871 .It Fl multi Ar number
6874 benchmarks in parallel.
6884 .Op Fl md4 | md5 | ripemd160 | sha1
6886 .Op Fl config Ar configfile
6887 .Op Fl data Ar file_to_hash
6888 .Op Fl digest Ar digest_bytes
6889 .Op Fl in Ar request.tsq
6891 .Op Fl out Ar request.tsq
6892 .Op Fl policy Ar object_id
6901 .Op Fl chain Ar certs_file.pem
6902 .Op Fl config Ar configfile
6903 .Op Fl in Ar response.tsr
6904 .Op Fl inkey Ar private.pem
6905 .Op Fl out Ar response.tsr
6906 .Op Fl passin Ar arg
6907 .Op Fl policy Ar object_id
6908 .Op Fl queryfile Ar request.tsq
6909 .Op Fl section Ar tsa_section
6910 .Op Fl signer Ar tsa_cert.pem
6921 .Op Fl CAfile Ar trusted_certs.pem
6922 .Op Fl CApath Ar trusted_cert_path
6923 .Op Fl data Ar file_to_hash
6924 .Op Fl digest Ar digest_bytes
6925 .Op Fl in Ar response.tsr
6926 .Op Fl queryfile Ar request.tsq
6928 .Op Fl untrusted Ar cert_file.pem
6934 command is a basic Time Stamping Authority (TSA) client and server
6935 application as specified in RFC 3161 (Time-Stamp Protocol, TSP).
6936 A TSA can be part of a PKI deployment and its role is to provide long-term
6937 proof of the existence of a certain datum before a particular time.
6938 Here is a brief description of the protocol:
6941 The TSA client computes a one-way hash value for a data file and sends
6942 the hash to the TSA.
6944 The TSA attaches the current date and time to the received hash value,
6945 signs them and sends the time stamp token back to the client.
6946 By creating this token the TSA certifies the existence of the original
6947 data file at the time of response generation.
6949 The TSA client receives the time stamp token and verifies the
6951 It also checks if the token contains the same hash
6952 value that it had sent to the TSA.
6955 There is one DER-encoded protocol data unit defined for transporting a time
6956 stamp request to the TSA and one for sending the time stamp response
6960 command has three main functions:
6961 creating a time stamp request based on a data file;
6962 creating a time stamp response based on a request;
6963 and verifying if a response corresponds
6964 to a particular request or a data file.
6966 There is no support for sending the requests/responses automatically
6967 over HTTP or TCP yet as suggested in RFC 3161.
6968 Users must send the requests either by FTP or email.
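The exchange described above, both sides, as an added example that is not part of the OpenSSL sources: the client computes the imprint (or takes one in the -digest hex form, with the byte-count check) and a nonce, the TSA checks the digest and policy against its configured set, attaches a time and serial number and signs, and the client verifies the signature, the imprint and the nonce. The signature is stood in by an HMAC under a TSA secret so the block runs with the standard library only; a real token is CMS SignedData under the TSA's timeStamping certificate. The class and function names, the dict layout and the rejection strings are constructed here.

```python
import hashlib
import hmac
import json
import os

# Digest algorithms a client may name with -md5/-sha1/...; which of them a
# TSA accepts is the 'digests' value of its config section.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def parse_imprint(text: str, digest: str) -> bytes:
    """Parse a -digest style imprint ('1A:F6:01:...' or '1AF601...') and
    check that its length matches the named digest algorithm."""
    raw = bytes.fromhex(text.replace(":", ""))
    want = DIGESTS[digest]().digest_size
    if len(raw) != want:
        raise ValueError(f"imprint is {len(raw)} bytes, {digest} needs {want}")
    return raw


def make_request(data=None, imprint=None, digest="sha1", nonce=True, policy=None):
    """Client side (ts -query): hash the data, or take an explicit imprint
    as with -digest, and add a 64-bit random nonce unless told not to."""
    if imprint is None:
        imprint = DIGESTS[digest](data).hexdigest()
    else:
        imprint = parse_imprint(imprint, digest).hex()
    return {"digest": digest, "imprint": imprint, "policy": policy,
            "nonce": os.urandom(8).hex() if nonce else None}


class TSA:
    """Server side (ts -reply). The HMAC secret stands in for the TSA's
    signing key; digests/default_policy/other_policies are config values."""

    def __init__(self, secret, digests, default_policy, other_policies=()):
        self.secret = secret
        self.digests = set(digests)
        self.default_policy = default_policy
        self.other_policies = set(other_policies)
        self.serial = 0

    def reply(self, req: dict, gen_time: str) -> dict:
        if req["digest"] not in self.digests:
            return {"status": "rejection", "fail_info": "badAlg"}
        policy = req["policy"] or self.default_policy
        if policy != self.default_policy and policy not in self.other_policies:
            return {"status": "rejection", "fail_info": "unacceptedPolicy"}
        self.serial += 1
        info = {"policy": policy, "digest": req["digest"], "imprint": req["imprint"],
                "serial": self.serial, "gen_time": gen_time, "nonce": req["nonce"]}
        return {"status": "granted", "token": {"tst_info": info, "sig": self._sign(info)}}

    def _sign(self, info: dict) -> str:
        return hmac.new(self.secret, json.dumps(info, sort_keys=True).encode(),
                        "sha256").hexdigest()


def verify(resp, tsa_secret, queryfile=None, data=None, digest_hex=None) -> str:
    """Client side (ts -verify): check the token signature, then that the token
    carries the reference imprint and, when the original request is given,
    the same nonce. Exactly one of queryfile, data or digest_hex supplies the
    reference, like -queryfile, -data and -digest. Returns 'ok' or the failure."""
    if sum(x is not None for x in (queryfile, data, digest_hex)) != 1:
        raise ValueError("give exactly one of queryfile, data or digest_hex")
    if resp["status"] != "granted":
        return "status " + resp["status"] + ": " + resp["fail_info"]
    info, sig = resp["token"]["tst_info"], resp["token"]["sig"]
    expect = hmac.new(tsa_secret, json.dumps(info, sort_keys=True).encode(),
                      "sha256").hexdigest()
    if not hmac.compare_digest(expect, sig):
        return "signature failure"
    nonce = None
    if queryfile is not None:
        ref, nonce = queryfile["imprint"], queryfile["nonce"]
    elif data is not None:
        ref = DIGESTS[info["digest"]](data).hexdigest()
    else:
        ref = parse_imprint(digest_hex, info["digest"]).hex()
    if info["imprint"] != ref:
        return "message imprint mismatch"
    if nonce is not None and info["nonce"] != nonce:
        return "nonce mismatch"
    return "ok"
```

The nonce check is what makes a replayed token detectable: a token granted for an earlier request carries that request's nonce, so verifying it against a fresh request fails even though the imprint matches. Verifying with only -data or -digest, as the text notes, cannot make that check.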
6972 switch can be used for creating and printing a time stamp
6973 request with the following options:
6976 The TSA is expected to include its signing certificate in the
6978 .It Fl config Ar configfile
6979 The configuration file to use.
6980 This option overrides the
6982 environment variable.
6983 Only the OID section of the config file is used with the
6986 .It Fl data Ar file_to_hash
6987 The data file for which the time stamp request needs to be created.
6988 stdin is the default if neither the
6992 option is specified.
6993 .It Fl digest Ar digest_bytes
6994 It is possible to specify the message imprint explicitly without the data
6996 The imprint must be specified in a hexadecimal format,
6997 two characters per byte,
6998 the bytes optionally separated by colons (e.g. 1A:F6:01:... or 1AF601...).
6999 The number of bytes must match the message digest algorithm in use.
7000 .It Fl in Ar request.tsq
7001 This option specifies a previously created time stamp request in DER
7002 format that will be printed into the output file.
7003 Useful when you need to examine the content of a request in human-readable
7005 .It Fl md4|md5|ripemd160|sha|sha1
7006 The message digest to apply to the data file.
7007 It supports all the message digest algorithms that are supported by the
7010 The default is SHA-1.
7012 No nonce is specified in the request if this option is given.
7013 Otherwise a 64-bit long pseudo-random nonce is
7014 included in the request.
7015 It is recommended to use a nonce to protect against replay attacks.
7016 .It Fl out Ar request.tsq
7017 Name of the output file to which the request will be written.
7018 The default is stdout.
7019 .It Fl policy Ar object_id
7020 The policy that the client expects the TSA to use for creating the
7022 Either the dotted OID notation or OID names defined
7023 in the config file can be used.
7024 If no policy is requested the TSA will
7025 use its own default policy.
7027 If this option is specified the output is in human-readable text format
7031 A time stamp response (TimeStampResp) consists of a response status
7032 and the time stamp token itself (ContentInfo),
7033 if the token generation was successful.
7036 command is for creating a time stamp
7037 response or time stamp token based on a request and printing the
7038 response/token in human-readable format.
7041 is not specified the output is always a time stamp response (TimeStampResp),
7042 otherwise it is a time stamp token (ContentInfo).
7044 .It Fl chain Ar certs_file.pem
7045 The collection of certificates, in PEM format,
7046 that will be included in the response
7047 in addition to the signer certificate if the
7049 option was used for the request.
7050 This file is supposed to contain the certificate chain
7051 for the signer certificate from its issuer upwards.
7054 command does not build a certificate chain automatically.
7055 .It Fl config Ar configfile
7056 The configuration file to use.
7057 This option overrides the
7059 environment variable.
7061 .Sx TS CONFIGURATION FILE OPTIONS
7062 for configurable variables.
7063 .It Fl in Ar response.tsr
7064 Specifies a previously created time stamp response or time stamp token, if
7067 in DER format that will be written to the output file.
7068 This option does not require a request;
7069 it is useful, for example,
7070 when you need to examine the content of a response or token
7071 or you want to extract the time stamp token from a response.
7072 If the input is a token and the output is a time stamp response a default
7074 status info is added to the token.
7075 .It Fl inkey Ar private.pem
7076 The signer private key of the TSA in PEM format.
7080 .It Fl out Ar response.tsr
7081 The response is written to this file.
7082 The format and content of the file depends on other options (see
7086 The default is stdout.
7087 .It Fl passin Ar arg
7088 The key password source.
7089 .It Fl policy Ar object_id
7090 The default policy to use for the response unless the client
7091 explicitly requires a particular TSA policy.
7092 The OID can be specified either in dotted notation or with its name.
7096 .It Fl queryfile Ar request.tsq
7097 The name of the file containing a DER-encoded time stamp request.
7098 .It Fl section Ar tsa_section
7099 The name of the config file section containing the settings for the
7100 response generation.
7101 If not specified the default TSA section is used; see
7102 .Sx TS CONFIGURATION FILE OPTIONS
7104 .It Fl signer Ar tsa_cert.pem
7105 The signer certificate of the TSA in PEM format.
7106 The TSA signing certificate must have exactly one extended key usage
7107 assigned to it: timeStamping.
7108 The extended key usage must also be critical,
7109 otherwise the certificate is going to be refused.
7112 variable of the config file.
7114 If this option is specified the output is human-readable text format
7117 This flag can be used together with the
7119 option and indicates that the input is a DER-encoded time stamp token
7120 (ContentInfo) instead of a time stamp response (TimeStampResp).
7122 The output is a time stamp token (ContentInfo) instead of time stamp
7123 response (TimeStampResp).
7128 command is for verifying if a time stamp response or time stamp token
7129 is valid and matches a particular time stamp request or data file.
7132 command does not use the configuration file.
7134 .It Fl CAfile Ar trusted_certs.pem
7135 The name of the file containing a set of trusted self-signed CA
7136 certificates in PEM format.
7137 See the similar option of
7139 for additional details.
7140 Either this option or
7143 .It Fl CApath Ar trusted_cert_path
7144 The name of the directory containing the trusted CA certificates of the
7146 See the similar option of
7148 for additional details.
7149 Either this option or
7152 .It Fl data Ar file_to_hash
7153 The response or token must be verified against
7155 The file is hashed with the message digest algorithm specified in the token.
7160 options must not be specified with this one.
7161 .It Fl digest Ar digest_bytes
7162 The response or token must be verified against the message digest specified
7164 The number of bytes must match the message digest algorithm
7165 specified in the token.
7170 options must not be specified with this one.
7171 .It Fl in Ar response.tsr
7172 The time stamp response that needs to be verified, in DER format.
7173 This option is mandatory.
7174 .It Fl queryfile Ar request.tsq
7175 The original time stamp request, in DER format.
7180 options must not be specified with this one.
7182 This flag can be used together with the
7184 option and indicates that the input is a DER-encoded time stamp token
7185 (ContentInfo) instead of a time stamp response (TimeStampResp).
7186 .It Fl untrusted Ar cert_file.pem
7187 Set of additional untrusted certificates in PEM format which may be
7188 needed when building the certificate chain for the TSA's signing
7190 This file must contain the TSA signing certificate and
7191 all intermediate CA certificates unless the response includes them.
7193 .Sh TS CONFIGURATION FILE OPTIONS
7198 options make use of a configuration file defined by the
7200 environment variable.
7203 option uses only the symbolic OID names section
7204 and it can work without it.
7207 option needs the config file for its operation.
7209 When there is a command line switch equivalent of a variable the
7210 switch always overrides the settings in the config file.
7212 .It Cm tsa Ar section , Cm default_tsa
7213 This is the main section and it specifies the name of another section
7214 that contains all the options for the
7217 This default section can be overridden with the
7219 command line switch.
7229 The name of the file containing the hexadecimal serial number of the
7230 last time stamp response created.
7231 This number is incremented by 1 for each response.
7232 If the file does not exist at the time of response
7233 generation a new file is created with serial number 1.
7234 This parameter is mandatory.
7236 TSA signing certificate, in PEM format.
7239 command line option.
7241 A file containing a set of PEM-encoded certificates that need to be
7242 included in the response.
7245 command line option.
7247 The private key of the TSA, in PEM format.
7250 command line option.
7251 .It Cm default_policy
7252 The default policy to use when the request does not mandate any policy.
7255 command line option.
7256 .It Cm other_policies
7257 Comma-separated list of policies that are also acceptable to the TSA,
7258 used only if the request explicitly specifies one of them.
7260 The list of message digest algorithms that the TSA accepts.
7261 At least one algorithm must be specified.
7262 This parameter is mandatory.
7264 The accuracy of the time source of the TSA in seconds, milliseconds
7266 For example, secs:1, millisecs:500, microsecs:100.
7267 If any of the components is missing,
7268 zero is assumed for that field.
7269 .It Cm clock_precision_digits
7270 Specifies the maximum number of digits, which represent the fraction of
7271 seconds, that need to be included in the time field.
7272 The trailing zeroes must be removed from the time,
7273 so there might actually be fewer digits,
7274 or no fraction of seconds at all.
7275 The maximum value is 6;
7278 If this option is yes,
7279 the responses generated by this TSA can always be ordered,
7280 even if the time difference between two responses is less
7281 than the sum of their accuracies.
7284 Set this option to yes if the subject name of the TSA must be included in
7285 the TSA name field of the response.
7287 .It Cm ess_cert_id_chain
7288 The SignedData objects created by the TSA always contain the
7289 certificate identifier of the signing certificate in a signed
7290 attribute (see RFC 2634, Enhanced Security Services).
7291 If this option is set to yes and either the
7295 option is specified then the certificate identifiers of the chain will also
7296 be included in the SigningCertificate signed attribute.
7297 If this variable is set to no,
7298 only the signing certificate identifier is included.
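A model of how the serial, accuracy, clock_precision_digits, ordering and tsa_name values above shape a response, added here as an example and not taken from OpenSSL's ts code: the serial file is created at 1 and incremented per response, the accuracy string is parsed with missing components as zero, and genTime keeps at most clock_precision_digits fraction digits with trailing zeros removed. The config dict layout, the function names and the temporary-directory demo are constructed here.

```python
import os
import tempfile
from datetime import datetime, timezone


def parse_accuracy(spec: str) -> dict:
    """Parse the 'accuracy' value, e.g. 'secs:1, millisecs:500, microsecs:100';
    any component not present is taken as zero."""
    acc = {"secs": 0, "millisecs": 0, "microsecs": 0}
    for part in filter(None, (p.strip() for p in spec.split(","))):
        name, value = (s.strip() for s in part.split(":", 1))
        if name not in acc:
            raise ValueError(f"unknown accuracy component {name!r}")
        acc[name] = int(value)
    return acc


def format_gen_time(when: datetime, clock_precision_digits: int) -> str:
    """Render genTime as UTC GeneralizedTime with at most
    clock_precision_digits fraction digits, trailing zeros removed (and the
    dot dropped when no fraction remains). Naive datetimes are taken as UTC."""
    if not 0 <= clock_precision_digits <= 6:
        raise ValueError("clock_precision_digits must be between 0 and 6")
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc)
    frac = f"{when.microsecond:06d}"[:clock_precision_digits].rstrip("0")
    return when.strftime("%Y%m%d%H%M%S") + ("." + frac if frac else "") + "Z"


def gen_time(iso: str, clock_precision_digits: int) -> str:
    """Same, from an ISO 8601 string such as '2016-07-21T18:40:26.12+00:00'."""
    return format_gen_time(datetime.fromisoformat(iso), clock_precision_digits)


def next_serial(path: str) -> int:
    """Read the hexadecimal serial file, add 1 and write it back; if the file
    does not exist yet, start at 1 and create it. Nothing locks the file here,
    which is the problem the BUGS section describes for concurrent responders."""
    if os.path.exists(path):
        with open(path) as f:
            serial = int(f.read().strip() or "0", 16) + 1
    else:
        serial = 1
    with open(path, "w") as f:
        f.write(f"{serial:X}\n")
    return serial


def build_tst_info(config: dict, serial_path: str, when: datetime) -> dict:
    """Assemble the response fields that the TSA config section controls."""
    return {
        "serial": next_serial(serial_path),
        "gen_time": format_gen_time(when, int(config.get("clock_precision_digits", 0))),
        "accuracy": parse_accuracy(config.get("accuracy", "")),
        "ordering": config.get("ordering", "no") == "yes",
        "tsa_name": config.get("tsa_name", "no") == "yes",
    }


def demo() -> list:
    """Two responses from a constructed config against a temporary serial
    file; returns the two records so the serial increment is visible."""
    config = {"clock_precision_digits": "3", "accuracy": "secs:1, millisecs:500",
              "ordering": "yes"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tsaserial")
        first = build_tst_info(config, path, datetime(2016, 7, 21, 18, 40, 26, 120000,
                                                      tzinfo=timezone.utc))
        second = build_tst_info(config, path, datetime(2016, 7, 21, 18, 40, 26, 120400,
                                                       tzinfo=timezone.utc))
    return [first, second]
```

The fraction is truncated, not rounded, to the configured digit count before the trailing zeros go, so 18:40:26.120400 with clock_precision_digits = 3 becomes 20160721184026.12Z. A deployment with more than one responder sharing the serial file needs its own locking around next_serial.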
7301 .Sh TS ENVIRONMENT VARIABLES
7303 contains the path of the configuration file and can be
7306 command line option.
7308 All the examples below presume that
7310 is set to a proper configuration file,
7311 e.g. the example configuration file
7312 .Pa openssl/apps/openssl.cnf
7315 To create a time stamp request for design1.txt with SHA-1,
7316 without a nonce or policy, and with no certificate required in the response:
7317 .Bd -literal -offset indent
7318 $ openssl ts -query -data design1.txt -no_nonce \e
7322 To create a similar time stamp request but specifying the message imprint
7324 .Bd -literal -offset indent
7325 $ openssl ts -query \e
7326 -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
7327 -no_nonce -out design1.tsq
7330 To print the content of the previous request in human-readable format:
7331 .Bd -literal -offset indent
7332 $ openssl ts -query -in design1.tsq -text
7335 To create a time stamp request which includes the MD5 digest
7336 of design2.txt, requests the signer certificate and nonce,
7337 specifies a policy ID
7338 (assuming the tsa_policy1 name is defined in the
7339 OID section of the config file):
7340 .Bd -literal -offset indent
7341 $ openssl ts -query -data design2.txt -md5 \e
7342 -policy tsa_policy1 -cert -out design2.tsq
7345 Before generating a response,
7346 a signing certificate must be created for the TSA that contains the
7348 critical extended key usage extension
7349 without any other key usage extensions.
7351 .Dq extendedKeyUsage = critical,timeStamping
7352 line to the user certificate section
7353 of the config file to generate a proper certificate.
7359 commands for instructions.
7360 The examples below assume that cacert.pem contains the certificate of the CA,
7361 tsacert.pem is the signing certificate issued by cacert.pem and
7362 tsakey.pem is the private key of the TSA.
7364 To create a time stamp response for a request:
7365 .Bd -literal -offset indent
7366 $ openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \e
7367 -signer tsacert.pem -out design1.tsr
7370 If you want to use the settings in the config file you could just write:
7371 .Bd -literal -offset indent
7372 $ openssl ts -reply -queryfile design1.tsq -out design1.tsr
7375 To print a time stamp reply to stdout in human-readable format:
7376 .Bd -literal -offset indent
7377 $ openssl ts -reply -in design1.tsr -text
7380 To create a time stamp token instead of time stamp response:
7381 .Bd -literal -offset indent
7382 $ openssl ts -reply -queryfile design1.tsq \e
7383 -out design1_token.der -token_out
7386 To print a time stamp token to stdout in human-readable format:
7387 .Bd -literal -offset indent
7388 $ openssl ts -reply -in design1_token.der -token_in \e
7392 To extract the time stamp token from a response:
7393 .Bd -literal -offset indent
7394 $ openssl ts -reply -in design1.tsr -out design1_token.der \e
7400 status info to a time stamp token thereby creating a valid response:
7401 .Bd -literal -offset indent
7402 $ openssl ts -reply -in design1_token.der \e
7403 -token_in -out design1.tsr
7406 To verify a time stamp reply against a request:
7407 .Bd -literal -offset indent
7408 $ openssl ts -verify -queryfile design1.tsq -in design1.tsr \e
7409 -CAfile cacert.pem -untrusted tsacert.pem
7412 To verify a time stamp reply that includes the certificate chain:
7413 .Bd -literal -offset indent
7414 $ openssl ts -verify -queryfile design2.tsq -in design2.tsr \e
7418 To verify a time stamp token against the original data file:
7419 .Bd -literal -offset indent
7420 $ openssl ts -verify -data design2.txt -in design2.tsr \e
7424 To verify a time stamp token against a message imprint:
7425 .Bd -literal -offset indent
7426 $ openssl ts -verify \e
7427 -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
7428 -in design2.tsr -CAfile cacert.pem
7431 No support for time stamps over SMTP, though it is quite easy
7432 to implement an automatic email-based TSA with
7436 Pure TCP/IP is not supported.
7438 The file containing the last serial number of the TSA is not
7439 locked when being read or written.
7440 This is a problem if more than one instance of
7442 is trying to create a time stamp
7443 response at the same time.
7445 Look for the FIXME word in the source files.
7447 The source code should really be reviewed by somebody else, too.
7449 More testing is needed.
7451 .An Zoltan Glozik Aq Mt zglozik@opentsa.org ,
7453 .Pq Lk http://www.opentsa.org .
7461 .Op Fl challenge Ar string
7463 .Op Fl key Ar keyfile
7466 .Op Fl passin Ar arg
7468 .Op Fl spkac Ar spkacname
7469 .Op Fl spksect Ar section
7476 command processes Netscape signed public key and challenge
7479 It can print out their contents, verify the signature,
7480 and produce its own SPKACs from a supplied private key.
7482 The options are as follows:
7484 .It Fl challenge Ar string
7485 Specifies the challenge string if an SPKAC is being created.
7487 This specifies the input
7489 to read from, or standard input if this option is not specified.
7493 .It Fl key Ar keyfile
7494 Create an SPKAC file using the private key in
7497 .Fl in , noout , spksect ,
7500 options are ignored if present.
7502 Don't output the text version of the SPKAC
7503 .Pq not used if an SPKAC is being created .
7505 Specifies the output
7507 to write to, or standard output by default.
7508 .It Fl passin Ar arg
7509 The key password source.
7511 Output the public key of an SPKAC
7512 .Pq not used if an SPKAC is being created .
7513 .It Fl spkac Ar spkacname
7514 Allows an alternative name for the variable containing the SPKAC.
7515 The default is "SPKAC".
7516 This option affects both generated and input SPKAC files.
7517 .It Fl spksect Ar section
7518 Allows an alternative name for the
7520 containing the SPKAC.
7521 The default is the default section.
7523 Verifies the digital signature on the supplied SPKAC.
7526 Print out the contents of an SPKAC:
7528 .Dl $ openssl spkac -in spkac.cnf
7530 Verify the signature of an SPKAC:
7532 .Dl $ openssl spkac -in spkac.cnf -noout -verify
7534 Create an SPKAC using the challenge string
7537 .Dl $ openssl spkac -key key.pem -challenge hello -out spkac.cnf
7539 Example of an SPKAC,
7540 .Pq long lines split up for clarity :
7541 .Bd -unfilled -offset indent
7542 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
7543 PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
7544 PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
7545 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
7549 A created SPKAC with suitable DN components appended can be fed into
7554 SPKACs are typically generated by Netscape when a form is submitted
7557 tag as part of the certificate enrollment process.
7559 The challenge string permits a primitive form of proof of possession
7561 By checking the SPKAC signature and a random challenge
7562 string, some guarantee is given that the user knows the private key
7563 corresponding to the public key being certified.
7564 This is important in some applications.
7565 Without this it is possible for a previous SPKAC
7573 .Nm "openssl verify"
7575 .Op Fl CAfile Ar file
7576 .Op Fl CApath Ar directory
7579 .Op Fl crl_check_all
7580 .Op Fl explicit_policy
7583 .Op Fl ignore_critical
7586 .Op Fl issuer_checks
7588 .Op Fl purpose Ar purpose
7589 .Op Fl untrusted Ar file
7599 command verifies certificate chains.
7601 The options are as follows:
7604 Verify the signature on the self-signed root CA.
7605 This is disabled by default
7606 because it doesn't add any security.
7607 .It Fl CAfile Ar file
7610 of trusted certificates.
7613 should contain multiple certificates in PEM format, concatenated together.
7614 .It Fl CApath Ar directory
7617 of trusted certificates.
7618 The certificates should have names of the form
7620 or have symbolic links to them of this form
7621 ("hash" is the hashed certificate subject name: see the
7628 script distributed with OpenSSL
7629 will automatically create symbolic links to a directory of certificates.
7631 Checks end-entity certificate validity by attempting to look up a valid CRL.
7632 If a valid CRL cannot be found an error occurs.
7633 .It Fl crl_check_all
7634 Checks the validity of all certificates in the chain by attempting
7635 to look up valid CRLs.
7636 .It Fl explicit_policy
7637 Set policy variable require-explicit-policy (see RFC 3280 et al).
7639 Enable extended CRL features such as indirect CRLs and alternate CRL
7642 Prints out a usage message.
7643 .It Fl ignore_critical
7644 Normally if an unhandled critical extension is present which is not
7647 the certificate is rejected (as required by RFC 3280 et al).
7648 If this option is set, critical extensions are ignored.
7650 Set policy variable inhibit-any-policy (see RFC 3280 et al).
7652 Set policy variable inhibit-policy-mapping (see RFC 3280 et al).
7653 .It Fl issuer_checks
7654 Print out diagnostics relating to searches for the issuer certificate
7655 of the current certificate.
7656 This shows why each candidate issuer certificate was rejected.
7657 However, the presence of rejection messages
7658 does not itself imply that anything is wrong: during the normal
7659 verify process several rejections may take place.
7661 Enables certificate policy processing.
7662 .It Fl purpose Ar purpose
7663 The intended use for the certificate.
7664 Without this option no chain verification will be done.
7665 Currently accepted uses are
7666 .Ar sslclient , sslserver ,
7667 .Ar nssslserver , smimesign ,
7668 .Ar smimeencrypt , crlsign ,
7673 .Sx VERIFY OPERATION
7674 section for more information.
7675 .It Fl untrusted Ar file
7678 of untrusted certificates.
7681 should contain multiple certificates.
7683 Print extra information about the operations being performed.
7685 Disable workarounds for broken certificates which have to be disabled
7686 for strict X.509 compliance.
7688 Marks the last option.
7689 All arguments following this are assumed to be certificate files.
7690 This is useful if the first certificate filename begins with a
7696 If no certificate files are included, an attempt is made to read
7697 a certificate from standard input.
7698 They should all be in PEM format.
7700 .Sh VERIFY OPERATION
7703 program uses the same functions as the internal SSL and S/MIME verification,
7704 therefore this description applies to these verify operations too.
7706 There is one crucial difference between the verify operations performed
7709 program: wherever possible an attempt is made to continue
7710 after an error, whereas normally the verify operation would halt on the
7712 This allows all the problems with a certificate chain to be determined.
7714 The verify operation consists of a number of separate steps:
7716 Firstly a certificate chain is built up starting from the supplied certificate
7717 and ending in the root CA.
7718 It is an error if the whole chain cannot be built up.
7719 The chain is built up by looking up the issuer's certificate of the current
7721 If a certificate is found which is its own issuer, it is assumed
7725 .Qq looking up the issuer's certificate
7726 itself involves a number of steps.
7729 before 0.9.5a the first certificate whose subject name matched the issuer
7730 of the current certificate was assumed to be the issuer's certificate.
7733 0.9.6 and later all certificates whose subject name matches the issuer name
7734 of the current certificate are subject to further tests.
7735 The relevant authority key identifier components of the current certificate
7737 must match the subject key identifier
7739 and issuer and serial number of the candidate issuer; in addition the
7741 extension of the candidate issuer
7743 must permit certificate signing.
7745 The lookup first looks in the list of untrusted certificates and if no match
7746 is found the remaining lookups are from the trusted certificates.
7747 The root CA is always looked up in the trusted certificate list: if the
7748 certificate to verify is a root certificate, then an exact match must be
7749 found in the trusted list.
7751 The second operation is to check every untrusted certificate's extensions for
7752 consistency with the supplied purpose.
7755 option is not included, then no checks are done.
7758 certificate must have extensions compatible with the supplied purpose
7759 and all other certificates must also be valid CA certificates.
7760 The precise extensions required are described in more detail in
7762 .Sx X.509 CERTIFICATE EXTENSIONS
7765 The third operation is to check the trust settings on the root CA.
7766 The root CA should be trusted for the supplied purpose.
7767 For compatibility with previous versions of
7771 a certificate with no trust settings is considered to be valid for
7774 The final operation is to check the validity of the certificate chain.
7775 The validity period is checked against the current system time and the
7779 dates in the certificate.
7780 The certificate signatures are also checked at this point.
7782 If all operations complete successfully, the certificate is considered
7784 If any operation fails then the certificate is not valid.
7785 .Sh VERIFY DIAGNOSTICS
7786 When a verify operation fails, the output messages can be somewhat cryptic.
7787 The general form of the error message is:
7789 \& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024-bit)
7790 \& error 24 at 1 depth lookup:invalid CA certificate
7793 The first line contains the name of the certificate being verified, followed by
7794 the subject name of the certificate.
7795 The second line contains the error number and the depth.
7796 The depth is the number of the certificate being verified when a
7797 problem was detected starting with zero for the certificate being verified
7798 itself, then 1 for the CA that signed the certificate and so on.
7799 Finally a text version of the error number is presented.
7801 An exhaustive list of the error codes and messages is shown below; this also
7802 includes the name of the error code as defined in the header file
7803 .In openssl/x509_vfy.h .
7804 Some of the error codes are defined but never returned: these are described
7807 .Bl -tag -width "XXXX"
7808 .It Ar "0 X509_V_OK: ok"
7809 The operation was successful.
7810 .It Ar 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
7811 The issuer certificate could not be found: this occurs if the issuer certificate
7812 of an untrusted certificate cannot be found.
7813 .It Ar 3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
7814 The CRL of a certificate could not be found.
7815 .It Ar 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature
7816 The certificate signature could not be decrypted.
7817 This means that the actual signature value could not be determined rather
7818 than it not matching the expected value.
7819 This is only meaningful for RSA keys.
7820 .It Ar 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature
7821 The CRL signature could not be decrypted: this means that the actual
7822 signature value could not be determined rather than it not matching the
7825 .It Ar 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
7826 The public key in the certificate
7827 .Em SubjectPublicKeyInfo
7829 .It Ar 7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
7830 The signature of the certificate is invalid.
7831 .It Ar 8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
7832 The signature of the CRL is invalid.
7833 .It Ar 9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
7834 The certificate is not yet valid: the
7836 date is after the current time.
7837 .It Ar 10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
7838 The certificate has expired; that is, the
7840 date is before the current time.
7841 .It Ar 11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
7842 The CRL is not yet valid.
7843 .It Ar 12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
7844 The CRL has expired.
7845 .It Ar 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field
7848 field contains an invalid time.
7849 .It Ar 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field
7852 field contains an invalid time.
7853 .It Ar 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field
7856 field contains an invalid time.
7857 .It Ar 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field
7860 field contains an invalid time.
7861 .It Ar 17 X509_V_ERR_OUT_OF_MEM: out of memory
7862 An error occurred trying to allocate memory.
7863 This should never happen.
7864 .It Ar 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
7865 The passed certificate is self-signed and the same certificate cannot be
7866 found in the list of trusted certificates.
7867 .It Ar 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
7868 The certificate chain could be built up using the untrusted certificates but
7869 the root could not be found locally.
7870 .It Ar 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
7871 The issuer certificate of a locally looked up certificate could not be found.
7872 This normally means the list of trusted certificates is not complete.
7873 .It Ar 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
7874 No signatures could be verified because the chain contains only one
7875 certificate and it is not self-signed.
7876 .It Ar 22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
7877 The certificate chain length is greater than the supplied maximum depth.
7879 .It Ar 23 X509_V_ERR_CERT_REVOKED: certificate revoked
7880 The certificate has been revoked.
7881 .It Ar 24 X509_V_ERR_INVALID_CA: invalid CA certificate
7882 A CA certificate is invalid.
7883 Either it is not a CA or its extensions are not consistent
7884 with the supplied purpose.
7885 .It Ar 25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
7887 .Em basicConstraints
7888 pathlength parameter has been exceeded.
7889 .It Ar 26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
7890 The supplied certificate cannot be used for the specified purpose.
7891 .It Ar 27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
7892 The root CA is not marked as trusted for the specified purpose.
7893 .It Ar 28 X509_V_ERR_CERT_REJECTED: certificate rejected
7894 The root CA is marked to reject the specified purpose.
7895 .It Ar 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
7896 The current candidate issuer certificate was rejected because its subject name
7897 did not match the issuer name of the current certificate.
7898 Only displayed when the
7901 .It Ar 30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
7902 The current candidate issuer certificate was rejected because its subject key
7903 identifier was present and did not match the authority key identifier of the current certificate.
7905 Only displayed when the
7908 .It Ar 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
7909 The current candidate issuer certificate was rejected because its issuer name
7910 and serial number were present and did not match the authority key identifier
7911 of the current certificate.
7912 Only displayed when the
7915 .It Ar 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing
7916 The current candidate issuer certificate was rejected because its
7918 extension does not permit certificate signing.
7919 .It Ar 50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
7920 An application specific error.
7924 Although the issuer checks are a considerable improvement over the old
7925 technique, they still suffer from limitations in the underlying
7927 One consequence of this is that trusted certificates with matching subject
7928 name must either appear in a file (as specified by the
7930 option) or a directory (as specified by
7932 If they occur in both, only the certificates in the file will
7935 Previous versions of
7937 assumed certificates with matching subject name were identical and
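The chain-building and issuer-lookup rules from the VERIFY OPERATION section, together with the two-line diagnostic form from VERIFY DIAGNOSTICS, as an added example in Python (not OpenSSL's own code). Certificates are constructed dicts with hypothetical field names; the sample chain and the choice of error 2 versus error 20 are assumptions made for the illustration.

```python
"""Chain building and issuer lookup as described under VERIFY OPERATION.

Added example, not OpenSSL code. Certificates are constructed dicts, so
nothing is parsed or signature-checked; what is modelled is the lookup
order (untrusted list first, then trusted), the 0.9.6+ candidate-issuer
tests, and the "error N at D depth lookup:msg" diagnostic form."""

X509_V_OK = 0                                   # numbers from the table above
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29
X509_V_ERR_AKID_SKID_MISMATCH = 30
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31
X509_V_ERR_KEYUSAGE_NO_CERTSIGN = 32

MESSAGES = {
    0: "ok",
    2: "unable to get issuer certificate",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    29: "subject issuer mismatch",
    30: "authority and subject key identifier mismatch",
    31: "authority and issuer serial number mismatch",
    32: "key usage does not include certificate signing",
}


def cert(subject, issuer, serial, skid=None, akid_keyid=None,
         akid_issuer=None, akid_serial=None, cert_sign=True):
    """Constructed certificate record (hypothetical field names)."""
    return dict(subject=subject, issuer=issuer, serial=serial, skid=skid,
                akid_keyid=akid_keyid, akid_issuer=akid_issuer,
                akid_serial=akid_serial, cert_sign=cert_sign)


def check_issuer(cur, cand):
    """The 0.9.6+ tests on a candidate issuer: X509_V_OK or an error number."""
    if cand["subject"] != cur["issuer"]:
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    # AKID keyIdentifier, when both sides carry one, must equal the SKID.
    if None not in (cur["akid_keyid"], cand["skid"]) \
            and cur["akid_keyid"] != cand["skid"]:
        return X509_V_ERR_AKID_SKID_MISMATCH
    # AKID issuer and serial, when present, must equal the candidate's own.
    if cur["akid_issuer"] is not None and \
            (cur["akid_issuer"], cur["akid_serial"]) != (cand["issuer"], cand["serial"]):
        return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
    if not cand["cert_sign"]:       # keyUsage must permit certificate signing
        return X509_V_ERR_KEYUSAGE_NO_CERTSIGN
    return X509_V_OK


def find_issuer(cur, store):
    """First store entry passing every issuer test, else None."""
    return next((c for c in store if check_issuer(cur, c) == X509_V_OK), None)


def is_self_issued(c):
    """A certificate that is its own issuer ends the chain."""
    return c["subject"] == c["issuer"] and c["akid_keyid"] in (None, c["skid"])


def build_chain(leaf, untrusted, trusted):
    """Return (chain, error number, depth) following the page's lookup order."""
    chain, depth = [leaf], 0
    while True:
        cur = chain[-1]
        if is_self_issued(cur):
            # The root is always looked up in the trusted list: exact match needed.
            if cur in trusted:
                return chain, X509_V_OK, depth
            if depth == 0:
                return chain, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, depth
            return chain, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, depth
        issuer = find_issuer(cur, untrusted) or find_issuer(cur, trusted)
        if issuer is None:
            # Assumption: error 20 once the chain has reached a trusted
            # certificate, error 2 while the failing one is still untrusted.
            if cur in trusted:
                return chain, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, depth
            return chain, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, depth
        chain.append(issuer)
        depth += 1


def diagnostic(filename, chain, code, depth):
    """Two-line message in the form shown under VERIFY DIAGNOSTICS."""
    return "%s: %s\nerror %d at %d depth lookup:%s" % (
        filename, chain[depth]["subject"], code, depth, MESSAGES[code])


# Constructed sample: root, intermediate, leaf, and a decoy that shares the
# intermediate's subject name but whose SKID does not match the leaf's AKID.
ROOT = cert("/CN=Test Root", "/CN=Test Root", "01", skid="aa")
INTER = cert("/CN=Test Sub CA", "/CN=Test Root", "02", skid="bb", akid_keyid="aa")
LEAF = cert("/CN=server", "/CN=Test Sub CA", "03", akid_keyid="bb", cert_sign=False)
DECOY = cert("/CN=Test Sub CA", "/CN=Other", "09", skid="cc")
```

Calling `diagnostic("server.pem", *build_chain(LEAF, [DECOY, INTER], []))` reproduces the shape of the message shown above: the decoy is skipped on the AKID/SKID test and the lookup then fails at depth 1 for want of the root.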
7948 command is used to print out version information about
7951 The options are as follows:
7954 All information: this is the same as setting all the other flags.
7956 The date the current version of
7965 Option information: various options set when the library was built.
7975 .Nm openssl version -a
7976 would typically be used when sending in a bug report.
7991 .Op Fl addreject Ar arg
7992 .Op Fl addtrust Ar arg
7995 .Op Fl CAcreateserial
7996 .Op Fl CAform Ar DER | PEM
7997 .Op Fl CAkey Ar file
7998 .Op Fl CAkeyform Ar DER | PEM
7999 .Op Fl CAserial Ar file
8000 .Op Fl certopt Ar option
8001 .Op Fl checkend Ar arg
8009 .Op Fl extensions Ar section
8010 .Op Fl extfile Ar file
8014 .Op Fl inform Ar DER | NET | PEM
8017 .Op Fl issuer_hash_old
8018 .Op Fl keyform Ar DER | PEM
8021 .Op Fl nameopt Ar option
8026 .Op Fl outform Ar DER | NET | PEM
8027 .Op Fl passin Ar arg
8032 .Op Fl set_serial Ar n
8033 .Op Fl setalias Ar arg
8034 .Op Fl signkey Ar file
8038 .Op Fl subject_hash_old
8047 command is a multi-purpose certificate utility.
8048 It can be used to display certificate information, convert certificates to
8049 various forms, sign certificate requests like a
8051 or edit certificate trust settings.
8053 Since there are a large number of options, they are split up into
8055 .Sh X509 INPUT, OUTPUT, AND GENERAL PURPOSE OPTIONS
8056 .Bl -tag -width "XXXX"
8058 This specifies the input
8060 to read a certificate from, or standard input if this option is not specified.
8061 .It Fl inform Ar DER | NET | PEM
8062 This specifies the input format.
8063 Normally, the command will expect an X.509 certificate,
8064 but this can change if other options such as
8069 format is the DER encoding of the certificate and
8071 is the base64 encoding of the DER encoding with header and footer lines added.
8074 option is an obscure Netscape server format that is now
8078 This affects any signing or display option that uses a message digest,
8080 .Fl fingerprint , signkey ,
8084 If not specified, MD5 is used.
8085 If the key being used to sign with is a DSA key,
8086 this option has no effect: SHA1 is always used with DSA keys.
8088 This specifies the output
8090 to write to, or standard output by default.
8091 .It Fl outform Ar DER | NET | PEM
8092 This specifies the output format; the options have the same meaning as the
8095 .It Fl passin Ar arg
8096 The key password source.
8098 .Sh X509 DISPLAY OPTIONS
8104 options are also display options but are described in the
8105 .Sx X509 TRUST SETTINGS
8107 .Bl -tag -width "XXXX"
8109 This outputs the certificate in the form of a C source file.
8110 .It Fl certopt Ar option
8111 Customise the output format used with
8115 argument can be a single option or multiple options separated by commas.
8118 switch may also be used more than once to set multiple options.
8120 .Sx X509 TEXT OPTIONS
8121 section for more information.
8123 Prints out the start and expiry dates of a certificate.
8125 Outputs the email address(es), if any.
8127 Prints out the expiry date of the certificate; that is, the
8131 Prints out the digest of the DER-encoded version of the whole certificate
8133 .Sx DIGEST OPTIONS ) .
8137 for backwards compatibility.
8139 Outputs the issuer name.
8143 of the certificate issuer name.
8144 .It Fl issuer_hash_old
8147 of the certificate issuer name using the older algorithm
8150 versions before 1.0.0.
8152 This option prints out the value of the modulus of the public key
8153 contained in the certificate.
8154 .It Fl nameopt Ar option
8155 Option which determines how the subject or issuer names are displayed.
8158 argument can be a single option or multiple options separated by commas.
8161 switch may be used more than once to set multiple options.
8163 .Sx X509 NAME OPTIONS
8164 section for more information.
8166 This option prevents output of the encoded version of the certificate.
8168 Outputs the OCSP responder addresses, if any.
8170 Print OCSP hash values for the subject name and public key.
8172 Output the public key.
8174 Outputs the certificate serial number.
8176 Prints out the start date of the certificate; that is, the
8180 Outputs the subject name.
8184 of the certificate subject name.
8187 to form an index to allow certificates in a directory to be looked up
8189 .It Fl subject_hash_old
8192 of the certificate subject name using the older algorithm
8195 versions before 1.0.0.
8197 Prints out the certificate in text form.
8198 Full details are output including the public key, signature algorithms,
8199 issuer and subject names, serial number, any extensions present,
8200 and any trust settings.
8202 .Sh X509 TRUST SETTINGS
8203 Please note these options are currently experimental and may well change.
8206 .Em trusted certificate
8207 is an ordinary certificate which has several
8208 additional pieces of information attached to it such as the permitted
8209 and prohibited uses of the certificate and an
8212 Normally, when a certificate is being verified at least one certificate
8215 By default, a trusted certificate must be stored
8216 locally and must be a root CA: any certificate chain ending in this CA
8217 is then usable for any purpose.
8219 Trust settings currently are only used with a root CA.
8220 They allow a finer control over the purposes the root CA can be used for.
8221 For example, a CA may be trusted for an SSL client but not for
8224 See the description of the
8226 utility for more information on the meaning of trust settings.
8230 will recognize trust settings on any certificate: not just root CAs.
8231 .Bl -tag -width "XXXX"
8232 .It Fl addreject Ar arg
8233 Adds a prohibited use.
8234 It accepts the same values as the
8237 .It Fl addtrust Ar arg
8238 Adds a trusted certificate use.
8239 Any object name can be used here, but currently only
8241 .Pq SSL client use ,
8243 .Pq SSL server use ,
8250 applications may define additional uses.
8252 Outputs the certificate alias, if any.
8254 Clears all the prohibited or rejected uses of the certificate.
8256 Clears all the permitted or trusted uses of the certificate.
8258 This option performs tests on the certificate extensions and outputs
8260 For a more complete description, see the
8261 .Sx X.509 CERTIFICATE EXTENSIONS
8263 .It Fl setalias Ar arg
8264 Sets the alias of the certificate.
8265 This will allow the certificate to be referred to using a nickname,
8267 .Qq Steve's Certificate .
8272 .Em trusted certificate .
8273 An ordinary or trusted certificate can be input, but by default an ordinary
8274 certificate is output and any trust settings are discarded.
8277 option a trusted certificate is output.
8278 A trusted certificate is automatically output if any trust settings
8281 .Sh X509 SIGNING OPTIONS
8284 utility can be used to sign certificates and requests: it
8285 can thus behave like a
8287 .Bl -tag -width "XXXX"
8289 Specifies the CA certificate to be used for signing.
8290 When this option is present,
8294 The input file is signed by the CA using this option;
8295 that is, its issuer name is set to the subject name of the CA and it is
8296 digitally signed using the CA's private key.
8298 This option is normally combined with the
8303 option, the input is a certificate which must be self-signed.
8304 .It Fl CAcreateserial
8305 With this option the CA serial number file is created if it does not exist:
8306 it will contain the serial number
8308 and the certificate being signed will have
8310 as its serial number.
8313 option is specified and the serial number file does not exist, it is an error.
8314 .It Fl CAform Ar DER | PEM
8315 The format of the CA certificate file.
8318 .It Fl CAkey Ar file
8319 Sets the CA private key to sign a certificate with.
8320 If this option is not specified, it is assumed that the CA private key
8321 is present in the CA certificate file.
8322 .It Fl CAkeyform Ar DER | PEM
8323 The format of the CA private key.
8326 .It Fl CAserial Ar file
8327 Sets the CA serial number file to use.
8331 option is used to sign a certificate,
8332 it uses a serial number specified in a file.
8333 This file consists of one line containing an even number of hex digits
8334 with the serial number to use.
8335 After each use the serial number is incremented and written out
8338 The default filename consists of the CA certificate file base name with
8341 For example, if the CA certificate file is called
8343 it expects to find a serial number file called
8345 .It Fl checkend Ar arg
8346 Check whether the certificate expires in the next
8349 If so, exit with return value 1;
8350 otherwise exit with return value 0.
8352 Delete any extensions from a certificate.
8353 This option is used when a certificate is being created from another
8354 certificate (for example with the
8359 Normally, all extensions are retained.
8361 Specifies the number of days to make a certificate valid for.
8362 The default is 30 days.
8363 .It Fl extensions Ar section
8364 The section to add certificate extensions from.
8365 If this option is not specified, the extensions should either be
8366 contained in the unnamed
8368 section or the default section should contain a variable called
8370 which contains the section to use.
8371 .It Fl extfile Ar file
8372 File containing certificate extensions to use.
8373 If not specified, no extensions are added to the certificate.
8374 .It Fl keyform Ar DER | PEM
8375 Specifies the format
8377 of the private key file used in the
8381 By default, a certificate is expected on input.
8382 With this option a certificate request is expected instead.
8383 .It Fl set_serial Ar n
8384 Specifies the serial number to use.
8385 This option can be used with either the
8390 If used in conjunction with the
8392 option, the serial number file (as specified by the
8396 options) is not used.
8398 The serial number can be decimal or hex (if preceded by
8400 Negative serial numbers can also be specified but their use is not recommended.
8401 .It Fl signkey Ar file
8402 This option causes the input file to be self-signed using the supplied
8405 If the input file is a certificate, it sets the issuer name to the
8407 .Pq i.e. makes it self-signed ,
8408 changes the public key to the supplied value,
8409 and changes the start and end dates.
8410 The start date is set to the current time and the end date is set to
8411 a value determined by the
8414 Any certificate extensions are retained unless the
8418 If the input is a certificate request, a self-signed certificate
8419 is created using the supplied private key using the subject name in
8422 Converts a certificate into a certificate request.
8425 option is used to pass the required private key.
8427 .Sh X509 NAME OPTIONS
8430 command line switch determines how the subject and issuer
8431 names are displayed.
8434 switch is present, the default
8436 format is used which is compatible with previous versions of
8438 Each option is described in detail below; all options can be preceded by a
8440 to turn the option off.
8447 will normally be used.
8448 .Bl -tag -width "XXXX"
8450 Align field values for a more readable output.
8455 This is equivalent to specifying no name options at all.
8457 Reverse the fields of the DN.
8458 This is required by RFC 2253.
8459 As a side effect, this also reverses the order of multiple AVAs but this is
8463 This option, when used with
8465 allows the DER encoding of the structure to be unambiguously determined.
8467 When this option is set, any fields that need to be hexdumped will
8468 be dumped using the DER encoding of the field.
8469 Otherwise just the content octets will be displayed.
8470 Both options use the RFC 2253 #XXXX... format.
8472 Dump non-character string types
8473 .Pq for example OCTET STRING ;
8474 if this option is not set, non-character string types will be displayed
8475 as though each content octet represents a single character.
8477 Dump any field whose OID is not recognised by
8482 characters required by RFC 2253 in a field that is
8483 .Dq \& ,+"\*(Lt\*(Gt; .
8486 is escaped at the beginning of a string
8487 and a space character at the beginning or end of a string.
8489 Escape control characters.
8490 That is, those with ASCII values less than 0x20
8495 They are escaped using the RFC 2253 \eXX notation (where XX are two hex
8496 digits representing the character value).
8498 Escape characters with the MSB set; that is, with ASCII values larger than
8503 .Ar esc_ctrl , esc_msb , sep_multiline ,
8504 .Ar space_eq , lname ,
8508 This option does not attempt to interpret multibyte characters in any
8510 That is, their content octets are merely dumped as though one octet
8511 represents each character.
8512 This is useful for diagnostic purposes but will result in rather odd
8514 .It Ar nofname , sname , lname , oid
8515 These options alter how the field name is displayed.
8517 does not display the field at all.
8527 represents the OID in numerical form and is useful for diagnostic purposes.
8529 A one-line format which is more readable than
8531 It is equivalent to specifying the
8532 .Ar esc_2253 , esc_ctrl , esc_msb , utf8 ,
8533 .Ar dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
8539 Displays names compatible with RFC 2253; equivalent to
8540 .Ar esc_2253 , esc_ctrl ,
8541 .Ar esc_msb , utf8 , dump_nostr , dump_unknown ,
8542 .Ar dump_der , sep_comma_plus , dn_rev ,
8545 .It Ar sep_comma_plus , sep_comma_plus_space , sep_semi_plus_space , sep_multiline
8546 These options determine the field separators.
8547 The first character is between RDNs and the second between multiple AVAs
8548 (multiple AVAs are very rare and their use is discouraged).
8549 The options ending in
8551 additionally place a space after the separator to make it more readable.
8554 uses a linefeed character for the RDN separator and a spaced
8556 for the AVA separator.
8557 It also indents the fields by four characters.
8559 Show the type of the ASN1 character string.
8560 The type precedes the field contents.
8562 .Qq BMPSTRING: Hello World .
8564 Places spaces round the
8566 character which follows the field name.
8568 Escapes some characters by surrounding the whole string with
8571 Without the option, all escaping is done with the
8575 Convert all strings to UTF8 format first.
8576 This is required by RFC 2253.
8577 If you are lucky enough to have a UTF8 compatible terminal,
8578 the use of this option (and
8582 may result in the correct display of multibyte
8585 If this option is not present, multibyte characters larger than 0xff
8586 will be represented using the format \eUXXXX for 16 bits and \eWXXXXXXXX
8588 Also, if this option is off, any UTF8Strings will be converted to their
8589 character form first.
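The escaping and separator rules described in this section, as an added example in Python (not OpenSSL's own name-printing code). A DN is modelled as a constructed list of RDNs, each a list of (field, value) pairs; only the esc_*, use_quote, space_eq, dn_rev and sep_* options are modelled, and the RFC2253 and oneline presets below are reduced to those options.

```python
"""DN display following the X509 NAME OPTIONS described above.

Added example, not OpenSSL code. A DN is a list of RDNs, each a list of
(field, value) pairs (constructed representation). Modelled: esc_2253,
esc_ctrl, esc_msb, use_quote, space_eq, dn_rev and the sep_* options; the
dump_*, utf8 and field-name options are not."""

# Characters RFC 2253 requires escaping inside a value: the page lists
# ,+"<>; and the backslash, being the escape character, is escaped too.
SPECIAL_2253 = set(',+"<>;\\')

SEPARATORS = {                      # (between RDNs, between AVAs)
    "sep_comma_plus": (",", "+"),
    "sep_comma_plus_space": (", ", " + "),
    "sep_semi_plus_space": ("; ", " + "),
    "sep_multiline": ("\n    ", " + "),   # linefeed, four-space indent
}

# The two presets from the page, limited to the options modelled here.
RFC2253 = {"esc_2253", "esc_ctrl", "esc_msb", "sep_comma_plus", "dn_rev"}
ONELINE = {"esc_2253", "esc_ctrl", "esc_msb", "use_quote",
           "sep_comma_plus_space", "space_eq"}


def escape_value(value, opts):
    """Escape one AVA value according to the esc_* and use_quote options."""
    out, quote, last = [], False, len(value) - 1
    for i, ch in enumerate(value):
        code = ord(ch)
        if "esc_ctrl" in opts and (code < 0x20 or code == 0x7f):
            out.append("\\%02X" % code)                    # control chars as \XX
        elif "esc_msb" in opts and code > 0x7f:
            out.extend("\\%02X" % b for b in ch.encode("utf-8"))  # each UTF-8 byte
        elif "esc_2253" in opts and (ch in SPECIAL_2253
                                     or (i == 0 and ch in "# ")
                                     or (i == last and ch == " ")):
            if "use_quote" in opts and ch not in '"\\':
                quote = True                               # quote the whole string
                out.append(ch)
            else:
                out.append("\\" + ch)
        else:
            out.append(ch)
    text = "".join(out)
    return '"%s"' % text if quote else text


def format_dn(dn, opts):
    """Render a DN with the separator, ordering and spacing options in opts."""
    sep = next((s for s in SEPARATORS if s in opts), "sep_comma_plus")
    rdn_sep, ava_sep = SEPARATORS[sep]
    eq = " = " if "space_eq" in opts else "="
    rdns = [[f + eq + escape_value(v, opts) for f, v in rdn] for rdn in dn]
    if "dn_rev" in opts:            # RFC 2253 order; AVAs reversed as a side effect
        rdns = [r[::-1] for r in rdns[::-1]]
    text = rdn_sep.join(ava_sep.join(r) for r in rdns)
    return "    " + text if sep == "sep_multiline" else text


# Constructed samples: the subject from the VERIFY DIAGNOSTICS example, and a
# DN with a comma and a non-ASCII character to exercise the escaping rules.
SAMPLE_DN = [[("C", "AU")], [("ST", "Queensland")],
             [("O", "CryptSoft Pty Ltd")], [("CN", "Test CA (1024-bit)")]]
TRICKY_DN = [[("C", "CH")], [("L", "Zürich")], [("O", "Acme, Inc.")]]
```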
8591 .Sh X509 TEXT OPTIONS
8592 As well as customising the name output format, it is also possible to
8593 customise the actual fields printed using the
8598 The default behaviour is to print all fields.
8599 .Bl -tag -width "XXXX"
8601 The value used by the
8603 utility; equivalent to
8604 .Ar no_issuer , no_pubkey , no_header ,
8605 .Ar no_version , no_sigdump ,
8610 This is equivalent to specifying no output options at all.
8612 Retain default extension behaviour: attempt to print out unsupported
8613 certificate extensions.
8615 Hex dump unsupported extensions.
8617 Print an error message for unsupported certificate extensions.
8619 ASN1 parse unsupported extensions.
8621 Don't print out certificate trust information.
8622 .It Ar no_extensions
8623 Don't print out any X509V3 extensions.
8625 Don't print header information: that is, the lines saying
8630 Don't print out the issuer name.
8632 Don't print out the public key.
8634 Don't print out the serial number.
8636 Don't give a hexadecimal dump of the certificate signature.
8638 Don't print out the signature algorithm used.
8640 Don't print out the subject name.
8642 Don't print the validity; that is, the
8648 Don't print out the version number.
8651 Display the contents of a certificate:
8653 .Dl $ openssl x509 -in cert.pem -noout -text
8655 Display the certificate serial number:
8657 .Dl $ openssl x509 -in cert.pem -noout -serial
8659 Display the certificate subject name:
8661 .Dl $ openssl x509 -in cert.pem -noout -subject
8663 Display the certificate subject name in RFC 2253 form:
8665 .Dl $ openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
8667 Display the certificate subject name in oneline form on a terminal
8669 .Bd -literal -offset indent
8670 $ openssl x509 -in cert.pem -noout -subject \e
8671 -nameopt oneline,-esc_msb
8674 Display the certificate MD5 fingerprint:
8676 .Dl $ openssl x509 -in cert.pem -noout -fingerprint
8678 Display the certificate SHA1 fingerprint:
8680 .Dl $ openssl x509 -sha1 -in cert.pem -noout -fingerprint
8682 Convert a certificate from PEM to DER format:
8684 .Dl "$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER"
8686 Convert a certificate to a certificate request:
8687 .Bd -literal -offset indent
8688 $ openssl x509 -x509toreq -in cert.pem -out req.pem \e
8692 Convert a certificate request into a self-signed certificate using
8693 extensions for a CA:
8694 .Bd -literal -offset indent
8695 $ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions \e
8696 v3_ca -signkey key.pem -out cacert.pem
8699 Sign a certificate request using the CA certificate above and add user
8700 certificate extensions:
8701 .Bd -literal -offset indent
8702 $ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions \e
8703 v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
8706 Set a certificate to be trusted for SSL
8707 client use and set its alias to
8708 .Qq Steve's Class 1 CA :
8709 .Bd -literal -offset indent
8710 $ openssl x509 -in cert.pem -addtrust clientAuth \e
8711 -setalias "Steve's Class 1 CA" -out trust.pem
8714 The PEM format uses the header and footer lines:
8715 .Bd -unfilled -offset indent
8716 -----BEGIN CERTIFICATE-----
8717 -----END CERTIFICATE-----
8720 It will also handle files containing:
8721 .Bd -unfilled -offset indent
8722 -----BEGIN X509 CERTIFICATE-----
8723 -----END X509 CERTIFICATE-----
8726 Trusted certificates have the lines:
8727 .Bd -unfilled -offset indent
8728 -----BEGIN TRUSTED CERTIFICATE-----
8729 -----END TRUSTED CERTIFICATE-----
8732 The conversion to UTF8 format used with the name options assumes that
8733 T61Strings use the ISO 8859-1 character set.
8734 This is wrong, but Netscape and MSIE do this, as do many certificates.
8735 So although this is incorrect
8736 it is more likely to display the majority of certificates correctly.
8740 option takes the digest of the DER-encoded certificate.
8741 This is commonly called a
8743 Because of the collision resistance of the message digest, the fingerprint of a certificate
8744 is unique to that certificate and two certificates with the same fingerprint
8745 can be considered to be the same.
8747 The Netscape fingerprint uses MD5, whereas MSIE uses SHA1.
8751 option searches the subject name and the subject alternative
8753 Only unique email addresses will be printed out: it will
8754 not print the same address more than once.
8755 .Sh X.509 CERTIFICATE EXTENSIONS
8758 option checks the certificate extensions and determines
8759 what the certificate can be used for.
8760 The actual checks done are rather
8761 complex and include various hacks and workarounds to handle broken
8762 certificates and software.
8764 The same code is used when verifying untrusted certificates in chains,
8765 so this section is useful if a chain is rejected by the verify code.
8768 .Em basicConstraints
8769 extension CA flag is used to determine whether the
8770 certificate can be used as a CA.
8771 If the CA flag is true, it is a CA;
8772 if the CA flag is false, it is not a CA.
8774 CAs should have the CA flag set to true.
8777 .Em basicConstraints
8778 extension is absent, then the certificate is
8781 other extensions are checked according to the intended use of the certificate.
8782 A warning is given in this case because the certificate should really not
8783 be regarded as a CA: however,
8784 it is allowed to be a CA to work around some broken software.
8786 If the certificate is a V1 certificate
8787 .Pq and thus has no extensions
8788 and it is self-signed, it is also assumed to be a CA but a warning is again
8789 given: this is to work around the problem of Verisign roots which are V1
8790 self-signed certificates.
8794 extension is present, then additional restraints are
8795 made on the uses of the certificate.
8802 extension is present.
8804 The extended key usage extension places additional restrictions on the
8806 If this extension is present
8807 .Pq whether critical or not ,
8808 the key can only be used for the purposes specified.
8810 A complete description of each test is given below.
8812 .Em basicConstraints
8815 and V1 certificates above apply to
8818 .Bl -tag -width "XXXX"
8820 The extended key usage extension must be absent or include the
8821 .Qq web client authentication
8824 must be absent or it must have the
8825 .Em digitalSignature
8827 Netscape certificate type must be absent or it must have the SSL
8829 .It Ar SSL Client CA
8830 The extended key usage extension must be absent or include the
8831 .Qq web client authentication
8833 Netscape certificate type must be absent or it must have the SSL CA
8834 bit set: this is used as a work around if the
8835 .Em basicConstraints
8836 extension is absent.
8838 The extended key usage extension must be absent or include the
8839 .Qq web server authentication
8840 and/or one of the SGC OIDs.
8842 must be absent or it must have the
8843 .Em digitalSignature
8846 set, or both bits set.
8847 Netscape certificate type must be absent or have the SSL server bit set.
8848 .It Ar SSL Server CA
8849 The extended key usage extension must be absent or include the
8850 .Qq web server authentication
8851 and/or one of the SGC OIDs.
8852 Netscape certificate type must be absent or the SSL CA
8853 bit must be set: this is used as a work around if the
8854 .Em basicConstraints
8855 extension is absent.
8856 .It Ar Netscape SSL Server
8857 For Netscape SSL clients to connect to an SSL server, it must have the
8861 extension is present.
8862 This isn't always valid because some cipher suites use the key for
8864 Otherwise it is the same as a normal SSL server.
8865 .It Ar Common S/MIME Client Tests
8866 The extended key usage extension must be absent or include the
8867 .Qq email protection
8869 Netscape certificate type must be absent or should have the
8874 bit is not set in Netscape certificate type, then the SSL
8875 client bit is tolerated as an alternative but a warning is shown:
8876 this is because some Verisign certificates don't set the
8879 .It Ar S/MIME Signing
8880 In addition to the common
8883 .Em digitalSignature
8884 bit must be set if the
8886 extension is present.
8887 .It Ar S/MIME Encryption
8888 In addition to the common
8892 bit must be set if the
8894 extension is present.
8896 The extended key usage extension must be absent or include the
8897 .Qq email protection
8899 Netscape certificate type must be absent or must have the
8901 bit set: this is used as a work around if the
8902 .Em basicConstraints
8903 extension is absent.
8907 extension must be absent or it must have the
8910 .It Ar CRL Signing CA
8911 The normal CA tests apply.
8912 Except in this case the
8913 .Em basicConstraints
8914 extension must be present.
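The two CA purposes whose rules appear complete above, SSL Client CA and SSL Server CA, share the same shape: the extended key usage must be absent or include an acceptable OID, the Netscape certificate type must be absent or carry the SSL CA bit, and that bit doubles as the CA indication when basicConstraints is missing. The following evaluator is an added example, not OpenSSL's code (OpenSSL applies these checks in X509_check_purpose() on parsed certificates); it takes the three extensions as plain Python values so the rules can be read and tested without parsing a certificate. The EKU long names and the two SGC OID names are those OpenSSL prints; the sample extension sets are constructed.

```python
"""Rule evaluator for the "SSL Client CA" and "SSL Server CA" purposes.

Added illustration, not OpenSSL's own code: OpenSSL applies these checks in
X509_check_purpose() to parsed certificates. Here the three extensions the
rules consult are given as plain Python values, so the rules can be read and
exercised without any certificate parsing.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Long names as OpenSSL prints them for the relevant extended key usage OIDs.
EKU_CLIENT_AUTH = "TLS Web Client Authentication"
EKU_SERVER_AUTH = "TLS Web Server Authentication"
SGC_OIDS = frozenset({"Netscape Server Gated Crypto", "Microsoft Server Gated Crypto"})
NS_SSL_CA = "SSL CA"  # the Netscape certificate type bit both CA purposes require


@dataclass(frozen=True)
class Extensions:
    """Extensions consulted by the rules; None models "extension absent"."""
    extended_key_usage: Optional[FrozenSet[str]] = None
    ns_cert_type: Optional[FrozenSet[str]] = None
    basic_constraints_ca: Optional[bool] = None  # CA flag value, None if absent


# Acceptable EKU values per purpose: any one of them satisfies the rule.
ACCEPTABLE_EKU = {
    "sslclientca": frozenset({EKU_CLIENT_AUTH}),
    "sslserverca": frozenset({EKU_SERVER_AUTH}) | SGC_OIDS,
}


def check_purpose(ext: Extensions, purpose: str) -> List[str]:
    """Return the rule violations for `purpose`; an empty list means acceptable."""
    if purpose not in ACCEPTABLE_EKU:
        raise ValueError(f"unknown purpose: {purpose!r}")
    problems: List[str] = []

    # Rule 1: extendedKeyUsage must be absent or include an acceptable OID.
    eku = ext.extended_key_usage
    if eku is not None and not (eku & ACCEPTABLE_EKU[purpose]):
        problems.append("extendedKeyUsage present but none of: "
                        + ", ".join(sorted(ACCEPTABLE_EKU[purpose])))

    # Rule 2: nsCertType must be absent or carry the SSL CA bit.
    ns = ext.ns_cert_type
    if ns is not None and NS_SSL_CA not in ns:
        problems.append("nsCertType present but SSL CA bit not set")

    # Rule 3: CA status. basicConstraints decides when present; when it is
    # absent, the nsCertType SSL CA bit is the documented workaround.
    if ext.basic_constraints_ca is not None:
        if not ext.basic_constraints_ca:
            problems.append("basicConstraints present with CA:FALSE")
    elif ns is None or NS_SSL_CA not in ns:
        problems.append("no CA indication: basicConstraints absent "
                        "and nsCertType SSL CA bit not set")
    return problems


# Constructed sample extension sets (no real certificates involved).
SAMPLES = {
    "modern server CA": Extensions(frozenset({EKU_SERVER_AUTH}), None, True),
    "legacy netscape CA": Extensions(None, frozenset({NS_SSL_CA}), None),
    "server leaf": Extensions(frozenset({EKU_SERVER_AUTH}), frozenset({"SSL Server"}), False),
}

if __name__ == "__main__":
    for name, ext in SAMPLES.items():
        for purpose in ACCEPTABLE_EKU:
            verdict = check_purpose(ext, purpose) or ["ok"]
            print(f"{name:20} {purpose:12} {'; '.join(verdict)}")
```

The "legacy netscape CA" sample passes both purposes with no basicConstraints at all, which is exactly the workaround the text describes and the reason a verifier that ignores nsCertType would reject older CA certificates; the "server leaf" sample fails on two independent rules, which is why the function returns every violation rather than stopping at the first.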
Extensions in certificates are not transferred to certificate requests and
It is possible to produce invalid certificates or requests by specifying the
wrong private key or using inconsistent options in some cases: these should
There should be options to explicitly set such things as start and end dates,
rather than an offset from the current time.
The code to implement the verify behaviour described in the
.Sx X509 TRUST SETTINGS
is currently being developed.
It thus describes the intended behaviour rather than the current behaviour.
It is hoped that it will represent reality in
the default digest for RSA keys was MD5.
The hash algorithm used in the
1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name.
1.0.0 and later it is based on a canonical version of the DN using SHA1.
This means that any directories using the old form
must have their links rebuilt using
Several commands share a common syntax,
Password arguments, typically specified using
for input and output passwords,
allow passwords to be obtained from a variety of sources.
Both of these options take a single argument, described below.
If no password argument is given and a password is required,
then the user is prompted to enter one:
this will typically be read from the current terminal with echoing turned off.
.Bl -tag -width "pass:password" -offset indent
.It Cm pass : Ns Ar password
The actual password is
Since the password is visible to utilities,
this form should only be used where security is not important.
.It Cm env : Ns Ar var
Obtain the password from the environment variable
Since the environment of other processes is visible,
this option should be used with caution.
.It Cm file : Ns Ar path
argument is supplied to
then the first line will be used for the input password and the next line
for the output password.
need not refer to a regular file:
it could, for example, refer to a device or named pipe.
.It Cm fd : Ns Ar number
Read the password from the file descriptor
This can be used to send the data via a pipe, for example.
Read the password from standard input.
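The five password sources above follow one small grammar, and the one subtlety is the shared file: when the same file: argument is given for both the input and the output password, line one serves the first and line two the second. The resolver below is an added example, not OpenSSL's implementation (the openssl binary resolves these arguments in its own apps helper code); it exists so every non-interactive form can be exercised with constructed inputs. The function names, the environment variable OPENSSL_EXAMPLE_PW and the temporary password file are all constructed for the demonstration.

```python
"""Resolver for the password-argument syntax (pass:, env:, file:, fd:, stdin).

Added example, not OpenSSL's implementation: the openssl binary resolves
these arguments in its own apps helper code. This version exists so the
five forms, and the two-line rule for one file shared by the input and
output password, can be exercised in isolation.
"""
import os
import sys
import tempfile
from typing import Dict, Optional, Tuple


def _first_line(fp) -> str:
    # Only the line terminator is stripped; other whitespace is part of the password.
    return fp.readline().rstrip("\r\n")


def resolve(spec: str) -> str:
    """Return the password named by one argument of the documented form."""
    if spec == "stdin":
        return _first_line(sys.stdin)
    kind, sep, arg = spec.partition(":")  # split on the first colon only
    if not sep:
        raise ValueError(f"unrecognised password source: {spec!r}")
    if kind == "pass":
        # Literal password: visible to other local users through the process list.
        return arg
    if kind == "env":
        if arg not in os.environ:
            raise KeyError(f"environment variable {arg} is not set")
        return os.environ[arg]
    if kind == "file":
        with open(arg, "r") as fp:  # may be a regular file, device or named pipe
            return _first_line(fp)
    if kind == "fd":
        # An inherited descriptor, e.g. the read end of a pipe set up by the caller.
        with os.fdopen(int(arg), "r", closefd=False) as fp:
            return _first_line(fp)
    raise ValueError(f"unrecognised password source: {spec!r}")


def resolve_pair(passin: Optional[str], passout: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Resolve -passin and -passout together: when both name the same file,
    its first line is the input password and its second the output password."""
    if passin is not None and passin == passout and passin.startswith("file:"):
        with open(passin[len("file:"):], "r") as fp:
            return _first_line(fp), _first_line(fp)
    return (resolve(passin) if passin is not None else None,
            resolve(passout) if passout is not None else None)


def demo() -> Dict[str, object]:
    """Exercise every non-interactive source with constructed inputs."""
    results: Dict[str, object] = {}
    results["pass"] = resolve("pass:hunter2")                 # constructed literal
    os.environ["OPENSSL_EXAMPLE_PW"] = "from-env"            # constructed variable
    results["env"] = resolve("env:OPENSSL_EXAMPLE_PW")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pw.txt")
        with open(path, "w") as fp:
            fp.write("input-secret\noutput-secret\n")        # constructed two-line file
        results["file"] = resolve("file:" + path)
        results["shared"] = resolve_pair("file:" + path, "file:" + path)
        results["split"] = resolve_pair("file:" + path, "pass:other")
    rfd, wfd = os.pipe()
    os.write(wfd, b"piped-secret\n")
    os.close(wfd)
    try:
        results["fd"] = resolve(f"fd:{rfd}")
    finally:
        os.close(rfd)
    return results


if __name__ == "__main__":
    for source, value in demo().items():
        print(f"{source:7} -> {value!r}")
```

Of the sources shown, fd: and file: pointing at a pipe are the ones that keep the secret out of both the command line and the process environment, which is why the text flags pass: and env: with the caveats it does.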
typically specified using
indicate the type of file being read from
or the file format to write.
The argument is case insensitive.
.Bl -tag -width Ds -offset indent -compact
Distinguished Encoding Rules (DER)
Privacy Enhanced Mail (PEM)
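DER and PEM carry the same bytes: DER is the raw ASN.1 encoding, and PEM is that encoding base64-wrapped between BEGIN and END marker lines. The helpers below are an added example, not openssl code; they classify input the way one would before choosing an input format option, and convert in both directions. The 17-byte DER blob (an X.501 Name holding CN=Test) and the label EXAMPLE NAME are constructed for the demonstration.

```python
"""Telling DER from PEM and converting between them.

Added example, not openssl code. DER is the raw binary ASN.1 encoding; the
certificates, requests and keys the openssl tools handle begin with a
SEQUENCE tag (0x30). PEM is the same DER bytes, base64-encoded in 64-column
lines between -----BEGIN label----- and -----END label----- markers.
"""
import base64
import re
from typing import Tuple

_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """Classify input the way a reader would before choosing the input format."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag
        return "DER"
    return "UNKNOWN"


def pem_to_der(pem: bytes) -> Tuple[str, bytes]:
    """Return (label, der) for the first PEM block found in `pem`."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    label = match.group(1).decode("ascii")
    body = b"".join(match.group(2).split())  # drop line breaks before decoding
    return label, base64.b64decode(body, validate=True)


def der_to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes as a PEM block with 64-column base64 lines."""
    encoded = base64.b64encode(der)
    lines = [encoded[i:i + 64] for i in range(0, len(encoded), 64)]
    tag = label.encode("ascii")
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + tag + b"-----\n")


# Constructed DER: an X.501 Name holding the single attribute CN=Test.
SAMPLE_DER = bytes.fromhex("300f310d300b0603550403" "0c0454657374")

if __name__ == "__main__":
    pem = der_to_pem("EXAMPLE NAME", SAMPLE_DER)
    print(pem.decode())
    print(detect_format(pem), detect_format(SAMPLE_DER))
```

Because pem_to_der searches for the first block rather than requiring the file to start with one, it tolerates the human-readable header that some tools emit before the marker line, which is also how the PEM readers in openssl behave.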
The following environment variables affect the execution of
.Bl -tag -width "/etc/ssl/openssl.cnf"
The location of the master configuration file.
.Bl -tag -width "/etc/ssl/openssl.cnf" -compact
Default config directory for
.It Pa /etc/ssl/lib/
.It Pa /etc/ssl/private/
Default private key directory.
.It Pa /etc/ssl/openssl.cnf
Default configuration file for
.It Pa /etc/ssl/x509v3.cnf
Default configuration file for
.%Q Netscape Communications Corp.
.%T The SSL Protocol
.%Q Netscape Communications Corp.
.%T The SSL 3.0 Protocol
.%T The TLS Protocol Version 1.0
.%T Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
.%T PKCS #7: Cryptographic Message Syntax Version 1.5
.%T Internet X.509 Public Key Infrastructure Certificate and CRL Profile
.%T X.509 Internet Public Key Infrastructure Online Certificate Status Protocol \(en OCSP
.%T Cryptographic Message Syntax
.%T Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
document appeared in
.Cm list- Ns XXX Ns Cm -commands
pseudo-commands were added in
pseudo-commands were added in
.Cm list- Ns XXX Ns Cm -algorithms
pseudo-commands were added in