1 .\" $OpenBSD: openssl.1,v 1.89 2018/03/22 19:24:18 jmc Exp $
2 .\" ====================================================================
3 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in
14 .\" the documentation and/or other materials provided with the
17 .\" 3. All advertising materials mentioning features or use of this
18 .\" software must display the following acknowledgment:
19 .\" "This product includes software developed by the OpenSSL Project
20 .\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
22 .\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 .\" endorse or promote products derived from this software without
24 .\" prior written permission. For written permission, please contact
25 .\" openssl-core@openssl.org.
27 .\" 5. Products derived from this software may not be called "OpenSSL"
28 .\" nor may "OpenSSL" appear in their names without prior written
29 .\" permission of the OpenSSL Project.
31 .\" 6. Redistributions of any form whatsoever must retain the following
33 .\" "This product includes software developed by the OpenSSL Project
34 .\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
36 .\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 .\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 .\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 .\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
48 .\" ====================================================================
50 .\" This product includes cryptographic software written by Eric Young
51 .\" (eay@cryptsoft.com). This product includes software written by Tim
52 .\" Hudson (tjh@cryptsoft.com).
55 .\" Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
56 .\" All rights reserved.
58 .\" This package is an SSL implementation written
59 .\" by Eric Young (eay@cryptsoft.com).
60 .\" The implementation was written so as to conform with Netscapes SSL.
62 .\" This library is free for commercial and non-commercial use as long as
63 .\" the following conditions are aheared to. The following conditions
64 .\" apply to all code found in this distribution, be it the RC4, RSA,
65 .\" lhash, DES, etc., code; not just the SSL code. The SSL documentation
66 .\" included with this distribution is covered by the same copyright terms
67 .\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
69 .\" Copyright remains Eric Young's, and as such any Copyright notices in
70 .\" the code are not to be removed.
71 .\" If this package is used in a product, Eric Young should be given attribution
72 .\" as the author of the parts of the library used.
73 .\" This can be in the form of a textual message at program startup or
74 .\" in documentation (online or textual) provided with the package.
76 .\" Redistribution and use in source and binary forms, with or without
77 .\" modification, are permitted provided that the following conditions
79 .\" 1. Redistributions of source code must retain the copyright
80 .\" notice, this list of conditions and the following disclaimer.
81 .\" 2. Redistributions in binary form must reproduce the above copyright
82 .\" notice, this list of conditions and the following disclaimer in the
83 .\" documentation and/or other materials provided with the distribution.
84 .\" 3. All advertising materials mentioning features or use of this software
85 .\" must display the following acknowledgement:
86 .\" "This product includes cryptographic software written by
87 .\" Eric Young (eay@cryptsoft.com)"
88 .\" The word 'cryptographic' can be left out if the rouines from the library
89 .\" being used are not cryptographic related :-).
90 .\" 4. If you include any Windows specific code (or a derivative thereof) from
91 .\" the apps directory (application code) you must include an
93 .\" "This product includes software written by Tim Hudson
94 .\" (tjh@cryptsoft.com)"
96 .\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
97 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
98 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
99 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
100 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
101 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
102 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
103 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
104 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
105 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 .\" The licence and distribution terms for any publically available version or
109 .\" derivative of this code cannot be changed. i.e. this code cannot simply be
110 .\" copied and put under another distribution licence
111 .\" [including the GNU Public Licence.]
115 .Dd $Mdocdate: March 22 2018 $
120 .Nd OpenSSL command line tool
128 .Cm list-standard-commands |
129 .Cm list-message-digest-commands |
130 .Cm list-cipher-commands |
131 .Cm list-cipher-algorithms |
132 .Cm list-message-digest-algorithms |
133 .Cm list-public-key-algorithms
136 .Cm no- Ns Ar command
139 is a cryptography toolkit implementing the
140 Transport Layer Security
143 as well as related cryptography standards.
147 program is a command line tool for using the various
148 cryptography functions of
150 crypto library from the shell.
153 .Cm list-standard-commands , list-message-digest-commands ,
155 .Cm list-cipher-commands
157 .Pq one entry per line
158 of the names of all standard commands, message digest commands,
159 or cipher commands, respectively, that are available in the present
164 .Cm list-cipher-algorithms
166 .Cm list-message-digest-algorithms
167 list all cipher and message digest names,
169 Aliases are listed as:
174 .Cm list-public-key-algorithms
175 lists all supported public key algorithms.
178 .Cm no- Ns Ar command
179 tests whether a command of the
180 specified name is available.
186 .Cm no- Ns Ar command ;
187 otherwise it returns 1 and prints
189 In both cases, the output goes to stdout and nothing is printed to stderr.
190 Additional command line arguments are always ignored.
191 Since for each cipher there is a command of the same name,
192 this provides an easy way for shell scripts to test for the
193 availability of ciphers in the
198 .Cm no- Ns Ar command
199 is not able to detect pseudo-commands such as
201 .Cm list- Ns Ar ... Ns Cm -commands ,
203 .Cm no- Ns Ar command
207 .Nm "openssl asn1parse"
209 .Op Fl dlimit Ar number
211 .Op Fl genconf Ar file
214 .Op Fl inform Cm der | pem | txt
215 .Op Fl length Ar number
217 .Op Fl offset Ar number
220 .Op Fl strparse Ar offset
225 command is a diagnostic utility that can parse ASN.1 structures.
226 It can also be used to extract data from ASN.1 formatted data.
228 The options are as follows:
230 .It Fl dlimit Ar number
233 bytes of unknown data in hex form.
235 Dump unknown data in hex form.
236 .It Fl genconf Ar file , Fl genstr Ar str
237 Generate encoded data based on string
241 or both, using the format described in
242 .Xr ASN1_generate_nconf 3 .
245 is present then the string is obtained from the default section
248 The encoded data is passed through the ASN.1 parser and printed out as
249 though it came from a file;
250 the contents can thus be examined and written to a file using the
254 Indent the output according to the
258 The input file to read from, or standard input if not specified.
259 .It Fl inform Cm der | pem | txt
261 .It Fl length Ar number
262 Number of bytes to parse; the default is until end of file.
264 Do not output the parsed version of the input file.
265 .It Fl offset Ar number
266 Starting offset to begin parsing; the default is start of file.
268 A file containing additional object identifiers
271 .Pq object identifier
274 internal table it will be represented in
276 .Pq for example 1.2.3.4 .
278 Each line consists of three columns:
279 the first column is the OID in numerical format and should be followed by
281 The second column is the
283 which is a single word followed by whitespace.
284 The final column is the rest of the line and is the
287 displays the long name.
289 The DER-encoded output file; the default is no encoded output
290 (useful when combined with
292 .It Fl strparse Ar offset
293 Parse the content octets of the ASN.1 object starting at
295 This option can be used multiple times to
297 into a nested structure.
304 .Op Fl config Ar file
305 .Op Fl crl_CA_compromise Ar time
306 .Op Fl crl_compromise Ar time
307 .Op Fl crl_hold Ar instruction
308 .Op Fl crl_reason Ar reason
309 .Op Fl crldays Ar days
310 .Op Fl crlexts Ar section
311 .Op Fl crlhours Ar hours
313 .Op Fl enddate Ar date
314 .Op Fl extensions Ar section
315 .Op Fl extfile Ar section
319 .Op Fl key Ar keyfile
320 .Op Fl keyfile Ar arg
321 .Op Fl keyform Ar pem
324 .Op Fl name Ar section
332 .Op Fl revoke Ar file
334 .Op Fl ss_cert Ar file
335 .Op Fl startdate Ar date
336 .Op Fl status Ar serial
344 command is a minimal certificate authority (CA) application.
345 It can be used to sign certificate requests in a variety of forms
346 and generate certificate revocation lists (CRLs).
347 It also maintains a text database of issued certificates and their status.
349 The options relevant to CAs are as follows:
350 .Bl -tag -width "XXXX"
353 In this mode no questions will be asked
354 and all certificates will be certified automatically.
356 The CA certificate file.
357 .It Fl config Ar file
358 Specify an alternative configuration file.
360 The number of days to certify the certificate for.
361 .It Fl enddate Ar date
363 The format of the date is [YY]YYMMDDHHMMSSZ,
364 with all four year digits required for dates from 2050 onwards.
365 .It Fl extensions Ar section
366 The section of the configuration file containing certificate extensions
367 to be added when a certificate is issued (defaults to
372 If no extension section is present, a V1 certificate is created.
373 If the extension section is present
374 .Pq even if it is empty ,
375 then a V3 certificate is created.
376 .It Fl extfile Ar file
377 An additional configuration
379 to read certificate extensions from
380 (using the default section unless the
382 option is also used).
386 containing a single certificate request to be signed by the CA.
388 If present, this should be the last option; all subsequent arguments
389 are assumed to be the names of files containing certificate requests.
390 .It Fl key Ar keyfile
391 The password used to encrypt the private key.
392 Since on some systems the command line arguments are visible,
393 this option should be used with caution.
394 .It Fl keyfile Ar file
395 The private key to sign requests with.
396 .It Fl keyform Ar pem
397 Private key file format.
399 The message digest to use.
400 Possible values include
404 This option also applies to CRLs.
406 This is a legacy option to make
408 work with very old versions of the IE certificate enrollment control
410 It used UniversalStrings for almost everything.
411 Since the old control has various security bugs,
412 its use is strongly discouraged.
415 does not need this option.
416 .It Fl name Ar section
417 Specifies the configuration file
425 The DN of a certificate can contain the EMAIL field if present in the
426 request DN, however it is good policy just having the email set into
429 extension of the certificate.
430 When this option is set, the EMAIL field is removed from the certificate's
431 subject and set only in the, eventually present, extensions.
434 keyword can be used in the configuration file to enable this behaviour.
436 Don't output the text form of a certificate to the output file.
438 The output file to output certificates to.
439 The default is standard output.
440 The certificate details will also be printed out to this file.
441 .It Fl outdir Ar directory
444 to output certificates to.
445 The certificate will be written to a file consisting of the
446 serial number in hex with
450 The key password source.
455 The policy section in the configuration file
456 consists of a set of variables corresponding to certificate DN fields.
457 The values may be one of
459 (the value must match the same field in the CA certificate),
461 (the value must be present), or
463 (the value may be present).
464 Any fields not mentioned in the policy section
465 are silently deleted, unless the
468 but this can be regarded more of a quirk than intended behaviour.
470 Normally, the DN order of a certificate is the same as the order of the
471 fields in the relevant policy section.
472 When this option is set, the order is the same as the request.
473 This is largely for compatibility with the older IE enrollment control
474 which would only accept certificates if their DNs matched the order of the
476 This is not needed for Xenroll.
478 A file containing a single Netscape signed public key and challenge,
479 and additional field values to be signed by the CA.
480 This will usually come from the
481 KEYGEN tag in an HTML form to create a new private key.
482 It is, however, possible to create SPKACs using the
486 The file should contain the variable SPKAC set to the value of
487 the SPKAC and also the required DN components as name value pairs.
488 If it's necessary to include the same component twice,
489 then it can be preceded by a number and a
491 .It Fl ss_cert Ar file
492 A single self-signed certificate to be signed by the CA.
493 .It Fl startdate Ar date
495 The format of the date is [YY]YYMMDDHHMMSSZ,
496 with all four year digits required for dates from 2050 onwards.
497 .It Fl status Ar serial
498 Show the status of the certificate with serial number
501 Update database for expired certificates.
503 Print extra details about the operations being performed.
506 The options relevant to CRLs are as follows:
507 .Bl -tag -width "XXXX"
508 .It Fl crl_CA_compromise Ar time
511 except the revocation reason is set to CACompromise.
512 .It Fl crl_compromise Ar time
513 Set the revocation reason to keyCompromise and the compromise time to
516 should be in GeneralizedTime format, i.e. YYYYMMDDHHMMSSZ.
517 .It Fl crl_hold Ar instruction
518 Set the CRL revocation reason code to certificateHold and the hold
521 which must be an OID.
522 Although any OID can be used, only holdInstructionNone
523 (the use of which is discouraged by RFC 2459), holdInstructionCallIssuer or
524 holdInstructionReject will normally be used.
525 .It Fl crl_reason Ar reason
526 Revocation reason, where
529 unspecified, keyCompromise, CACompromise, affiliationChanged, superseded,
530 cessationOfOperation, certificateHold or removeFromCRL.
534 Setting any revocation reason will make the CRL v2.
535 In practice, removeFromCRL is not particularly useful because it is only used
536 in delta CRLs which are not currently implemented.
537 .It Fl crldays Ar num
538 The number of days before the next CRL is due.
539 This is the days from now to place in the CRL
542 .It Fl crlexts Ar section
545 of the configuration file containing CRL extensions to include.
546 If no CRL extension section is present then a V1 CRL is created;
547 if the CRL extension section is present
548 (even if it is empty)
549 then a V2 CRL is created.
550 The CRL extensions specified are CRL extensions and not CRL entry extensions.
551 It should be noted that some software can't handle V2 CRLs.
552 .It Fl crlhours Ar num
553 The number of hours before the next CRL is due.
555 Generate a CRL based on information in the index file.
556 .It Fl revoke Ar file
559 containing a certificate to revoke.
561 Supersedes the subject name given in the request.
565 .Ar /type0=value0/type1=value1/type2=... ;
566 characters may be escaped by
569 no spaces are skipped.
572 Many of the options can be set in the
574 section of the configuration file
575 (or in the default section of the configuration file),
584 are read directly from the
588 Many of the configuration file options are identical to command line
590 Where the option is present in the configuration file and the command line,
591 the command line value is used.
592 Where an option is described as mandatory, then it must be present in
593 the configuration file or the command line equivalent
596 .Bl -tag -width "XXXX"
600 It gives the file containing the CA certificate.
602 .It Cm copy_extensions
603 Determines how extensions in certificate requests should be handled.
606 or this option is not present, then extensions are
607 ignored and not copied to the certificate.
610 then any extensions present in the request that are not already present
611 are copied to the certificate.
614 then all extensions in the request are copied to the certificate:
615 if the extension is already present in the certificate it is deleted first.
619 option should be used with caution.
620 If care is not taken, it can be a security risk.
621 For example, if a certificate request contains a
623 extension with CA:TRUE and the
627 and the user does not spot
628 this when the certificate is displayed, then this will hand the requestor
629 a valid CA certificate.
631 This situation can be avoided by setting
637 with CA:FALSE in the configuration file.
638 Then if the request contains a
640 extension, it will be ignored.
642 The main use of this option is to allow a certificate request to supply
643 values for certain extensions such as
645 .It Cm crl_extensions
649 A text file containing the next CRL number to use in hex.
650 The CRL number will be inserted in the CRLs only if this file exists.
651 If this file is present, it must contain a valid CRL number.
653 The text database file to use.
655 This file must be present, though initially it will be empty.
656 .It Cm default_crl_hours , default_crl_days
662 These will only be used if neither command line option is present.
663 At least one of these must be present to generate a CRL.
668 The number of days to certify a certificate for.
669 .It Cm default_enddate
673 Either this option or
675 .Pq or the command line equivalents
681 The message digest to use.
683 .It Cm default_startdate
687 The start date to certify a certificate for.
688 If not set, the current time is used.
692 If the EMAIL field is to be removed from the DN of the certificate,
695 If not present, the default is to allow for the EMAIL field in the
700 .It Cm name_opt , cert_opt
701 These options allow the format used to display the certificate details
702 when asking the user to confirm signing.
703 All the options supported by the
709 switches can be used here, except that
713 are permanently set and cannot be disabled
714 (this is because the certificate signature cannot be displayed because
715 the certificate has not been signed at this point).
717 For convenience, the value
719 is accepted by both to produce a reasonable output.
721 If neither option is present, the format used in earlier versions of
724 Use of the old format is strongly discouraged
725 because it only displays fields mentioned in the
728 mishandles multicharacter string types and does not display extensions.
733 It specifies the directory where new certificates will be placed.
736 This specifies a file containing additional object identifiers.
737 Each line of the file should consist of the numerical form of the
738 object identifier followed by whitespace, then the short name followed
739 by whitespace and finally the long name.
741 This specifies a section in the configuration file containing extra
743 Each line should consist of the short name of the object identifier
746 and the numerical form.
747 The short and long names are the same when this option is used.
759 The file containing the CA private key.
762 A text file containing the next serial number to use in hex.
764 This file must be present and contain a valid serial number.
765 .It Cm unique_subject
768 is given, the valid certificate entries in the
769 database must have unique subjects.
773 several valid certificate entries may have the exact same subject.
776 .It Cm x509_extensions
790 cipher lists into ordered SSL cipher preference lists.
791 It can be used as a way to determine the appropriate cipher list.
793 The options are as follows:
796 Print a brief usage message.
798 Only include TLS v1 ciphers.
801 List ciphers with a complete description of protocol version,
802 key exchange, authentication, encryption and mac algorithms,
803 any key size restrictions,
804 and cipher suite codes (hex format).
808 but without cipher suite codes.
810 A cipher list to convert to a cipher preference list.
811 If it is not included, the default cipher list will be used.
813 The cipher list consists of one or more cipher strings
815 Commas or spaces are also acceptable separators, but colons are normally used.
817 The actual cipher string can take several different forms:
819 It can consist of a single cipher suite, such as RC4-SHA.
821 It can represent a list of cipher suites containing a certain algorithm,
822 or cipher suites of a certain type.
823 For example SHA1 represents all cipher suites using the digest algorithm SHA1.
825 Lists of cipher suites can be combined in a single cipher string using the
828 (logical AND operation).
829 For example, SHA1+DES represents all cipher suites
830 containing the SHA1 and DES algorithms.
832 Each cipher string can be optionally preceded by the characters
839 is used, then the ciphers are permanently deleted from the list.
840 The ciphers deleted can never reappear in the list even if they are
844 is used, then the ciphers are deleted from the list, but some or
845 all of the ciphers can be added again by later options.
848 is used, then the ciphers are moved to the end of the list.
849 This option doesn't add any new ciphers, it just moves matching existing ones.
851 If none of these characters is present, the string is just interpreted
852 as a list of ciphers to be appended to the current preference list.
853 If the list includes any ciphers already present, they will be ignored;
854 that is, they will not be moved to the end of the list.
856 Additionally, the cipher string
858 can be used at any point to sort the current cipher list in order of
859 encryption algorithm key length.
862 The following is a list of all permitted cipher strings and their meanings.
863 .Bl -tag -width "XXXX"
865 The default cipher list.
866 This is determined at compile time and is currently
867 .Cm ALL:!aNULL:!eNULL:!SSLv2 .
868 This must be the first cipher string specified.
869 .It Cm COMPLEMENTOFDEFAULT
870 The ciphers included in
872 but not enabled by default.
875 Note that this rule does not cover
877 which is not included by
883 All cipher suites except the
885 ciphers, which must be explicitly enabled.
886 .It Cm COMPLEMENTOFALL
887 The cipher suites not enabled by
893 encryption cipher suites.
894 This currently means those with key lengths larger than 128 bits.
897 encryption cipher suites, currently those using 128-bit encryption.
900 encryption cipher suites, currently those using 64- or 56-bit encryption
905 ciphers; that is, those offering no encryption.
906 Because these offer no encryption at all and are a security risk,
907 they are disabled unless explicitly included.
909 The cipher suites offering no authentication.
910 This is currently the anonymous DH algorithms.
911 These cipher suites are vulnerable to a
912 .Qq man in the middle
913 attack, so their use is normally discouraged.
915 Cipher suites using RSA key exchange.
917 Cipher suites using ephemeral DH key agreement.
919 Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
921 Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
923 TLS v1.0 cipher suites.
925 Cipher suites using DH, including anonymous DH.
927 Anonymous DH cipher suites.
929 Cipher suites using AES.
931 Cipher suites using triple DES.
933 Cipher suites using DES
936 Cipher suites using RC4.
938 Cipher suites using Camellia.
940 Cipher suites using ChaCha20.
942 Cipher suites using IDEA.
944 Cipher suites using MD5.
946 Cipher suites using SHA1.
951 .Op Fl CAfile Ar file
956 .Op Fl inform Cm der | pem
962 .Op Fl outform Cm der | pem
968 command processes CRL files in DER or PEM format.
970 The options are as follows:
972 .It Fl CAfile Ar file
973 Verify the signature on a CRL by looking up the issuing certificate in
975 .It Fl CApath Ar directory
976 Verify the signature on a CRL by looking up the issuing certificate in
978 This directory must be a standard certificate directory,
979 i.e. a hash of each subject name (using
981 should be linked to each certificate.
983 Print the CRL fingerprint.
985 Output a hash of the issuer name.
986 This can be used to look up CRLs in a directory by issuer name.
988 The input file to read from, or standard input if not specified.
989 .It Fl inform Cm der | pem
992 Output the issuer name.
1002 Do not output the encoded version of the CRL.
1004 The output file to write to, or standard output if not specified.
1005 .It Fl outform Cm der | pem
1008 Print the CRL in plain text.
1012 .Nm "openssl crl2pkcs7"
1013 .Op Fl certfile Ar file
1015 .Op Fl inform Cm der | pem
1018 .Op Fl outform Cm der | pem
1023 command takes an optional CRL and one or more
1024 certificates and converts them into a PKCS#7 degenerate
1025 .Qq certificates only
1028 The options are as follows:
1030 .It Fl certfile Ar file
1031 Add the certificates in PEM
1033 to the PKCS#7 structure.
1034 This option can be used more than once
1035 to read certificates from multiple files.
1039 or standard input if not specified.
1040 .It Fl inform Cm der | pem
1043 Normally, a CRL is included in the output file.
1044 With this option, no CRL is
1045 included in the output file and a CRL is not read from the input file.
1047 Write the PKCS#7 structure to
1049 or standard output if not specified.
1050 .It Fl outform Cm der | pem
1061 .Op Fl keyform Cm pem
1062 .Op Fl mac Ar algorithm
1063 .Op Fl macopt Ar nm : Ns Ar v
1065 .Op Fl passin Ar arg
1066 .Op Fl prverify Ar file
1068 .Op Fl signature Ar file
1069 .Op Fl sigopt Ar nm : Ns Ar v
1070 .Op Fl verify Ar file
1074 The digest functions output the message digest of a supplied
1078 in hexadecimal form.
1079 They can also be used for digital signing and verification.
1081 The options are as follows:
1084 Output the digest or signature in binary form.
1086 Print the digest in two-digit groups separated by colons.
1088 Print BIO debugging information.
1090 Use the specified message
1093 The available digests can be displayed using
1095 .Cm list-message-digest-commands .
1096 The following are equivalent:
1103 Digest is to be output as a hex dump.
1104 This is the default case for a
1106 digest as opposed to a digital signature.
1108 Create a hashed MAC using
1110 .It Fl keyform Cm pem
1111 Specifies the key format to sign the digest with.
1112 .It Fl mac Ar algorithm
1113 Create a keyed Message Authentication Code (MAC).
1114 The most popular MAC algorithm is HMAC (hash-based MAC),
1115 but there are other MAC algorithms which are not based on hash.
1116 MAC keys and other options should be set via the
1119 .It Fl macopt Ar nm : Ns Ar v
1120 Passes options to the MAC algorithm, specified by
1122 The following options are supported by HMAC:
1124 .It Cm key : Ns Ar string
1125 Specifies the MAC key as an alphanumeric string
1126 (use if the key contain printable characters only).
1127 String length must conform to any restrictions of the MAC algorithm.
1128 .It Cm hexkey : Ns Ar string
1129 Specifies the MAC key in hexadecimal form (two hex digits per byte).
1130 Key length must conform to any restrictions of the MAC algorithm.
1133 The output file to write to,
1134 or standard output if not specified.
1135 .It Fl passin Ar arg
1136 The key password source.
1137 .It Fl prverify Ar file
1138 Verify the signature using the private key in
1140 The output is either
1143 .Qq Verification Failure .
1145 Digitally sign the digest using the private key in
1147 .It Fl signature Ar file
1148 The actual signature to verify.
1149 .It Fl sigopt Ar nm : Ns Ar v
1150 Pass options to the signature algorithm during sign or verify operations.
1151 The names and values of these options are algorithm-specific.
1152 .It Fl verify Ar file
1153 Verify the signature using the public key in
1155 The output is either
1158 .Qq Verification Failure .
1160 File or files to digest.
1161 If no files are specified then standard input is used.
1165 .Nm "openssl dhparam"
1171 .Op Fl inform Cm der | pem
1174 .Op Fl outform Cm der | pem
1181 command is used to manipulate DH parameter files.
1182 Only the older PKCS#3 DH is supported,
1183 not the newer X9.42 DH.
1185 The options are as follows:
1188 The generator to use;
1190 If present, the input file is ignored and parameters are generated instead.
1192 Convert the parameters into C code.
1193 The parameters can then be loaded by calling the
1194 .No get_dh Ns Ar numbits
1197 Check the DH parameters.
1199 Read or create DSA parameters,
1200 converted to DH format on output.
1204 .Pq such that (p-1)/2 is also prime
1205 will be used for DH parameter generation.
1207 DH parameter generation with the
1209 option is much faster,
1210 and the recommended exponent length is shorter,
1211 which makes DH key exchange more efficient.
1212 Beware that with such DSA-style DH parameters,
1213 a fresh DH key should be created for each use to
1214 avoid small-subgroup attacks that may be possible otherwise.
1216 The input file to read from,
1217 or standard input if not specified.
1218 .It Fl inform Cm der | pem
1221 Do not output the encoded version of the parameters.
1223 The output file to write to,
1224 or standard output if not specified.
1225 .It Fl outform Cm der | pem
1228 Print the DH parameters in plain text.
1230 Generate a parameter set of size
1232 It must be the last option.
1233 If not present, a value of 2048 is used.
1234 If this value is present, the input file is ignored and
1235 parameters are generated instead.
1241 .Fl aes128 | aes192 | aes256 |
1245 .Op Fl inform Cm der | pem
1249 .Op Fl outform Cm der | pem
1250 .Op Fl passin Ar arg
1251 .Op Fl passout Ar arg
1259 command processes DSA keys.
1260 They can be converted between various forms and their components printed out.
1263 This command uses the traditional
1265 compatible format for private key encryption:
1266 newer applications should use the more secure PKCS#8 format using the
1270 The options are as follows:
1273 .Fl aes128 | aes192 | aes256 |
1276 Encrypt the private key with the AES, DES, or the triple DES
1277 ciphers, respectively, before outputting it.
1278 A pass phrase is prompted for.
1279 If none of these options are specified, the key is written in plain text.
1280 This means that using the
1282 utility to read an encrypted key with no encryption option can be used to
1283 remove the pass phrase from a key,
1284 or by setting the encryption options it can be used to add or change
1286 These options can only be used with PEM format output files.
1288 The input file to read from,
1289 or standard input if not specified.
1290 If the key is encrypted, a pass phrase will be prompted for.
1291 .It Fl inform Cm der | pem
1294 Print the value of the public key component of the key.
1296 Do not output the encoded version of the key.
1298 The output file to write to,
1299 or standard output if not specified.
1300 If any encryption options are set then a pass phrase will be
1302 .It Fl outform Cm der | pem
1304 .It Fl passin Ar arg
1305 The key password source.
1306 .It Fl passout Ar arg
1307 The output file password source.
1309 Read in a public key, not a private key.
1311 Output a public key, not a private key.
1312 Automatically set if the input is a public key.
1314 Print the public/private key in plain text.
1318 .Nm "openssl dsaparam"
1322 .Op Fl inform Cm der | pem
1325 .Op Fl outform Cm der | pem
1332 command is used to manipulate or generate DSA parameter files.
1334 The options are as follows:
1337 Convert the parameters into C code.
1338 The parameters can then be loaded by calling the
1339 .No get_dsa Ns Ar XXX
1342 Generate a DSA key either using the specified or generated
1345 The input file to read from,
1346 or standard input if not specified.
1349 parameter is included, then this option is ignored.
1350 .It Fl inform Cm der | pem
1353 Do not output the encoded version of the parameters.
1355 The output file to write to,
1356 or standard output if not specified.
1357 .It Fl outform Cm der | pem
1360 Print the DSA parameters in plain text.
1362 Generate a parameter set of size
1364 If this option is included, the input file is ignored.
1369 .Op Fl conv_form Ar arg
1373 .Op Fl inform Cm der | pem
1376 .Op Fl outform Cm der | pem
1377 .Op Fl param_enc Ar arg
1379 .Op Fl passin Ar arg
1380 .Op Fl passout Ar arg
1388 command processes EC keys.
1389 They can be converted between various
1390 forms and their components printed out.
1392 uses the private key format specified in
1393 .Dq SEC 1: Elliptic Curve Cryptography
1394 .Pq Lk http://www.secg.org/ .
1396 EC private key into the PKCS#8 private key format use the
1400 The options are as follows:
1402 .It Fl conv_form Ar arg
1403 Specify how the points on the elliptic curve are converted
1405 Possible values are:
1411 For more information regarding
1412 the point conversion forms see the X9.62 standard.
1414 Due to patent issues the
1416 option is disabled by default for binary curves
1417 and can be enabled by defining the preprocessor macro
1418 .Dv OPENSSL_EC_BIN_PT_COMP
1421 Encrypt the private key with DES, triple DES, or
1422 any other cipher supported by
1424 A pass phrase is prompted for.
1425 If none of these options is specified the key is written in plain text.
1426 This means that using the
1428 utility to read in an encrypted key with no
1429 encryption option can be used to remove the pass phrase from a key,
1430 or by setting the encryption options
1431 it can be used to add or change the pass phrase.
1432 These options can only be used with PEM format output files.
1434 The input file to read a key from,
1435 or standard input if not specified.
1436 If the key is encrypted a pass phrase will be prompted for.
1437 .It Fl inform Cm der | pem
1440 Do not output the encoded version of the key.
1442 The output filename to write to,
1443 or standard output if not specified.
1444 If any encryption options are set then a pass phrase will be prompted for.
1445 .It Fl outform Cm der | pem
1447 .It Fl param_enc Ar arg
1448 Specify how the elliptic curve parameters are encoded.
1451 i.e. the EC parameters are specified by an OID; or
1453 where the EC parameters are explicitly given
1454 (see RFC 3279 for the definition of the EC parameter structures).
1455 The default value is
1460 as specified in RFC 3279,
1461 is currently not implemented.
1462 .It Fl passin Ar arg
1463 The key password source.
1464 .It Fl passout Ar arg
1465 The output file password source.
1467 Read in a public key, not a private key.
1469 Output a public key, not a private key.
1470 Automatically set if the input is a public key.
1472 Print the public/private key in plain text.
1476 .Nm "openssl ecparam"
1479 .Op Fl conv_form Ar arg
1482 .Op Fl inform Cm der | pem
1488 .Op Fl outform Cm der | pem
1489 .Op Fl param_enc Ar arg
1495 command is used to manipulate or generate EC parameter files.
1497 is not able to generate new groups so
1499 can only create EC parameters from known (named) curves.
1501 The options are as follows:
1504 Convert the EC parameters into C code.
1505 The parameters can then be loaded by calling the
1506 .No get_ec_group_ Ns Ar XXX
1509 Validate the elliptic curve parameters.
1510 .It Fl conv_form Ar arg
1511 Specify how the points on the elliptic curve are converted
1513 Possible values are:
1519 For more information regarding
1520 the point conversion forms see the X9.62 standard.
1522 Due to patent issues the
1524 option is disabled by default for binary curves
1525 and can be enabled by defining the preprocessor macro
1526 .Dv OPENSSL_EC_BIN_PT_COMP
1529 Generate an EC private key using the specified parameters.
1531 The input file to read from,
1532 or standard input if not specified.
1533 .It Fl inform Cm der | pem
1537 currently implemented EC parameter names and exit.
1539 Use the EC parameters with the specified "short" name.
1541 Do not include the seed for the parameter generation
1542 in the ECParameters structure (see RFC 3279).
1544 Do not output the encoded version of the parameters.
1546 The output file to write to,
1547 or standard output if not specified.
1548 .It Fl outform Cm der | pem
1550 .It Fl param_enc Ar arg
1551 Specify how the elliptic curve parameters are encoded.
1554 i.e. the EC parameters are specified by an OID, or
1556 where the EC parameters are explicitly given
1557 (see RFC 3279 for the definition of the EC parameter structures).
1558 The default value is
1562 alternative, as specified in RFC 3279,
1563 is currently not implemented.
1565 Print the EC parameters in plain text.
1573 .Op Fl bufsize Ar number
1578 .Op Fl k Ar password
1579 .Op Fl kfile Ar file
1590 The symmetric cipher commands allow data to be encrypted or decrypted
1591 using various block and stream ciphers using keys based on passwords
1592 or explicitly provided.
1593 Base64 encoding or decoding can also be performed either by itself
1594 or in addition to the encryption or decryption.
1595 The program can be called either as
1596 .Nm openssl Ar ciphername
1598 .Nm openssl enc - Ns Ar ciphername .
1600 Some of the ciphers do not have large keys and others have security
1601 implications if not used correctly.
1602 All the block ciphers normally use PKCS#5 padding,
1603 also known as standard block padding.
1604 If padding is disabled, the input data must be a multiple of the cipher
1607 The options are as follows:
1612 option is set, then base64 process the data on one line.
1614 Base64 process the data.
1615 This means that if encryption is taking place, the data is base64-encoded
1617 If decryption is set, the input data is base64-decoded before
1619 .It Fl bufsize Ar number
1620 Set the buffer size for I/O.
1622 Decrypt the input data.
1624 Debug the BIOs used for I/O.
1626 Encrypt the input data.
1627 This is the default.
1629 The input file to read from,
1630 or standard input if not specified.
1634 .Pq initialisation vector
1636 this must be represented as a string comprised only of hex digits.
1639 is specified using the
1642 the IV must explicitly be defined.
1643 When a password is being specified using one of the other options,
1644 the IV is generated from this password.
1649 this must be represented as a string comprised only of hex digits.
1650 If only the key is specified,
1651 the IV must also be specified using the
1662 option will be used and the IV generated from the password will be taken.
1663 It probably does not make much sense to specify both
1667 .It Fl k Ar password
1670 to derive the key from.
1674 .It Fl kfile Ar file
1675 Read the password to derive the key from the first line of
1683 to create a key from a pass phrase.
1690 Use NULL cipher (no encryption or decryption of input).
1692 Disable standard block padding.
1694 Don't use a salt in the key derivation routines.
1695 This option should never be used
1696 since it makes it possible to perform efficient dictionary
1697 attacks on the password and to attack stream cipher encrypted data.
1699 The output file to write to,
1700 or standard output if not specified.
1702 Print out the salt, key, and IV used, then immediately exit;
1703 don't do any encryption or decryption.
1705 Print out the salt, key, and IV used.
1707 The password source.
1712 this must be represented as a string comprised only of hex digits.
1714 Use a salt in the key derivation routines (the default).
1715 When the salt is being used
1716 the first eight bytes of the encrypted data are reserved for the salt:
1717 it is randomly generated when encrypting a file and read from the
1718 encrypted file when it is decrypted.
1727 command performs error number to error string conversion,
1728 generating a human-readable string representing the error code
1730 The string is obtained through the
1731 .Xr ERR_error_string_n 3
1732 function and has the following format:
1734 .Dl error:[error code]:[library name]:[function name]:[reason string]
1737 is an 8-digit hexadecimal number.
1738 The remaining fields
1745 The options are as follows:
1748 Print debugging statistics about various aspects of the hash table.
1752 .Nm "openssl gendsa"
1754 .Fl aes128 | aes192 | aes256 |
1763 command generates a DSA private key from a DSA parameter file
1764 (typically generated by the
1765 .Nm openssl dsaparam
1767 DSA key generation is little more than random number generation so it is
1772 The options are as follows:
1775 .Fl aes128 | aes192 | aes256 |
1778 Encrypt the private key with the AES, DES,
1779 or the triple DES ciphers, respectively, before outputting it.
1780 A pass phrase is prompted for.
1781 If none of these options are specified, no encryption is used.
1783 The output file to write to,
1784 or standard output if not specified.
1786 Specify the DSA parameter file to use.
1787 The parameters in this file determine the size of the private key.
1791 .Nm "openssl genpkey"
1792 .Op Fl algorithm Ar alg
1796 .Op Fl outform Cm der | pem
1797 .Op Fl paramfile Ar file
1799 .Op Fl pkeyopt Ar opt : Ns Ar value
1805 command generates private keys.
1807 program is encouraged over the algorithm specific utilities
1808 because additional algorithm options can be used.
1810 The options are as follows:
1812 .It Fl algorithm Ar alg
1813 The public key algorithm to use,
1814 such as RSA, DSA, or DH.
1815 This option must precede any
1822 are mutually exclusive.
1824 Encrypt the private key with the supplied cipher.
1825 Any algorithm name accepted by
1826 .Xr EVP_get_cipherbyname 3
1829 Generate a set of parameters instead of a private key.
1830 This option must precede any
1837 The output file to write to,
1838 or standard output if not specified.
1839 .It Fl outform Cm der | pem
1841 .It Fl paramfile Ar file
1842 Some public key algorithms generate a private key based on a set of parameters,
1843 which can be supplied using this option.
1844 If this option is used the public key
1845 algorithm used is determined by the parameters.
1846 This option must precede any
1853 are mutually exclusive.
1855 The output file password source.
1856 .It Fl pkeyopt Ar opt : Ns Ar value
1857 Set the public key algorithm option
1862 .Bl -tag -width Ds -offset indent
1863 .It rsa_keygen_bits : Ns Ar numbits
1865 The number of bits in the generated key.
1866 The default is 2048.
1867 .It rsa_keygen_pubexp : Ns Ar value
1869 The RSA public exponent value.
1870 This can be a large decimal or hexadecimal value if preceded by 0x.
1871 The default is 65537.
1872 .It dsa_paramgen_bits : Ns Ar numbits
1874 The number of bits in the generated parameters.
1875 The default is 1024.
1876 .It dh_paramgen_prime_len : Ns Ar numbits
1878 The number of bits in the prime parameter
1880 .It dh_paramgen_generator : Ns Ar value
1882 The value to use for the generator
1884 .It ec_paramgen_curve : Ns Ar curve
1886 The EC curve to use.
1889 Print the private/public key in plain text.
1893 .Nm "openssl genrsa"
1895 .Op Fl aes128 | aes192 | aes256 | des | des3
1897 .Op Fl passout Ar arg
1903 command generates an RSA private key,
1904 which essentially involves the generation of two prime numbers.
1905 When generating the key,
1906 various symbols will be output to indicate the progress of the generation.
1909 represents each number which has passed an initial sieve test;
1911 means a number has passed a single round of the Miller-Rabin primality test.
1912 A newline means that the number has passed all the prime tests
1913 (the actual number depends on the key size).
1915 The options are as follows:
1918 The public exponent to use, either 3 or 65537.
1919 The default is 65537.
1920 .It Fl aes128 | aes192 | aes256 | des | des3
1921 Encrypt the private key with the AES, DES,
1922 or the triple DES ciphers, respectively, before outputting it.
1923 If none of these options are specified, no encryption is used.
1924 If encryption is used, a pass phrase is prompted for,
1925 if it is not supplied via the
1929 The output file to write to,
1930 or standard output if not specified.
1931 .It Fl passout Ar arg
1932 The output file password source.
1934 The size of the private key to generate in bits.
1935 This must be the last option specified.
1936 The default is 2048.
1946 command takes a file containing a Netscape certificate sequence
1947 (an alternative to the standard PKCS#7 format)
1948 and prints out the certificates contained in it,
1949 or takes a file of certificates
1950 and converts it into a Netscape certificate sequence.
1952 The options are as follows:
1955 The input file to read from,
1956 or standard input if not specified.
1958 The output file to write to,
1959 or standard output if not specified.
1961 Normally, a Netscape certificate sequence will be input and the output
1962 is the certificates contained in it.
1965 option the situation is reversed:
1966 a Netscape certificate sequence is created from a file of certificates.
1972 .Op Fl CAfile Ar file
1973 .Op Fl CApath Ar directory
1976 .Op Fl host Ar hostname : Ns Ar port
1977 .Op Fl index Ar indexfile
1978 .Op Fl issuer Ar file
1979 .Op Fl ndays Ar days
1980 .Op Fl nmin Ar minutes
1981 .Op Fl no_cert_checks
1982 .Op Fl no_cert_verify
1987 .Op Fl no_signature_verify
1990 .Op Fl nrequest Ar number
1993 .Op Fl port Ar portnum
1995 .Op Fl reqin Ar file
1996 .Op Fl reqout Ar file
1998 .Op Fl resp_no_certs
2000 .Op Fl respin Ar file
2001 .Op Fl respout Ar file
2003 .Op Fl rother Ar file
2004 .Op Fl rsigner Ar file
2005 .Op Fl serial Ar number
2006 .Op Fl sign_other Ar file
2007 .Op Fl signer Ar file
2008 .Op Fl signkey Ar file
2009 .Op Fl status_age Ar age
2012 .Op Fl url Ar responder_url
2013 .Op Fl VAfile Ar file
2014 .Op Fl validity_period Ar nsec
2015 .Op Fl verify_other Ar file
2018 The Online Certificate Status Protocol (OCSP)
2019 enables applications to determine the (revocation) state
2020 of an identified certificate (RFC 2560).
2024 command performs many common OCSP tasks.
2025 It can be used to print out requests and responses,
2026 create requests and send queries to an OCSP responder,
2027 and behave like a mini OCSP server itself.
2029 The options are as follows:
2031 .It Fl CAfile Ar file , Fl CApath Ar directory
2032 A file or path containing trusted CA certificates,
2033 used to verify the signature on the OCSP response.
2038 The issuer certificate is taken from the previous
2040 option, or an error occurs if no issuer certificate is specified.
2042 Use the digest algorithm
2044 for certificate identification in the OCSP request.
2045 By default SHA-1 is used.
2047 .Fl host Ar hostname : Ns Ar port ,
2056 specifies the HTTP path name to use, or
2059 .It Fl issuer Ar file
2060 The current issuer certificate, in PEM format.
2061 Can be used multiple times and must come before any
2064 .It Fl no_cert_checks
2065 Don't perform any additional checks on the OCSP response signer's certificate.
2066 That is, do not make any checks to see if the signer's certificate is
2067 authorised to provide the necessary status information:
2068 as a result this option should only be used for testing purposes.
2069 .It Fl no_cert_verify
2070 Don't verify the OCSP response signer's certificate at all.
2071 Since this option allows the OCSP response to be signed by any certificate,
2072 it should only be used for testing purposes.
2074 Don't include any certificates in the signed request.
2076 Do not use certificates in the response as additional untrusted CA
2079 Ignore certificates contained in the OCSP response
2080 when searching for the signer's certificate.
2081 The signer's certificate must be specified with either the
2086 .It Fl no_signature_verify
2087 Don't check the signature on the OCSP response.
2088 Since this option tolerates invalid signatures on OCSP responses,
2089 it will normally only be used for testing purposes.
2090 .It Fl nonce , no_nonce
2091 Add an OCSP nonce extension to a request,
2092 or disable an OCSP nonce addition.
2093 Normally, if an OCSP request is input using the
2095 option no nonce is added:
2098 option will force the addition of a nonce.
2099 If an OCSP request is being created (using the
2104 a nonce is automatically added; specifying
2108 Don't attempt to verify the OCSP response signature or the nonce values.
2109 This is normally only be used for debugging
2110 since it disables all verification of the responder's certificate.
2112 Specify the output file to write to,
2113 or standard output if not specified.
2114 .It Fl req_text , resp_text , text
2115 Print out the text form of the OCSP request, response, or both, respectively.
2116 .It Fl reqin Ar file , Fl respin Ar file
2117 Read an OCSP request or response file from
2119 These options are ignored
2120 if an OCSP request or response creation is implied by other options
2121 (for example with the
2126 .It Fl reqout Ar file , Fl respout Ar file
2127 Write out the DER-encoded certificate request or response to
2129 .It Fl serial Ar num
2132 option except the certificate with serial number
2134 is added to the request.
2135 The serial number is interpreted as a decimal integer unless preceded by
2137 Negative integers can also be specified
2138 by preceding the value with a minus sign.
2139 .It Fl sign_other Ar file
2140 Additional certificates to include in the signed request.
2141 .It Fl signer Ar file , Fl signkey Ar file
2142 Sign the OCSP request using the certificate specified in the
2144 option and the private key specified by the
2149 option is not present, then the private key is read from the same file
2151 If neither option is specified, the OCSP request is not signed.
2153 The certificates specified by the
2155 option should be explicitly trusted and no additional checks will be
2157 This is useful when the complete responder certificate chain is not available
2158 or trusting a root CA is not appropriate.
2159 .It Fl url Ar responder_url
2160 Specify the responder URL.
2163 URLs can be specified.
2164 .It Fl VAfile Ar file
2165 A file containing explicitly trusted responder certificates.
2171 .It Fl validity_period Ar nsec , Fl status_age Ar age
2172 The range of times, in seconds, which will be tolerated in an OCSP response.
2173 Each certificate status response includes a notBefore time
2174 and an optional notAfter time.
2175 The current time should fall between these two values,
2176 but the interval between the two times may be only a few seconds.
2177 In practice the OCSP responder and clients' clocks may not be precisely
2178 synchronised and so such a check may fail.
2181 option can be used to specify an acceptable error range in seconds,
2182 the default value being 5 minutes.
2184 If the notAfter time is omitted from a response,
2185 it means that new status information is immediately available.
2186 In this case the age of the notBefore field is checked
2187 to see it is not older than
2190 By default, this additional check is not performed.
2191 .It Fl verify_other Ar file
2192 A file containing additional certificates to search
2193 when attempting to locate the OCSP response signing certificate.
2194 Some responders omit the actual signer's certificate from the response,
2195 so this can be used to supply the necessary certificate.
2198 The options for the OCSP server are as follows:
2199 .Bl -tag -width "XXXX"
2201 CA certificate corresponding to the revocation information in
2203 .It Fl index Ar indexfile
2205 is a text index file in ca format
2206 containing certificate revocation information.
2208 If this option is specified,
2210 is in responder mode, otherwise it is in client mode.
2211 The requests the responder processes can be either specified on
2212 the command line (using the
2216 options), supplied in a file (using the
2218 option), or via external OCSP clients (if
2224 If this option is present, then the
2228 options must also be present.
2229 .It Fl nmin Ar minutes , Fl ndays Ar days
2234 when fresh revocation information is available:
2235 used in the nextUpdate field.
2236 If neither option is present,
2237 the nextUpdate field is omitted,
2238 meaning fresh revocation information is immediately available.
2239 .It Fl nrequest Ar number
2240 Exit after receiving
2242 requests (the default is unlimited).
2243 .It Fl port Ar portnum
2244 Port to listen for OCSP requests on.
2245 May also be specified using the
2249 Identify the signer certificate using the key ID;
2250 the default is to use the subject name.
2251 .It Fl resp_no_certs
2252 Don't include any certificates in the OCSP response.
2254 The private key to sign OCSP responses with;
2255 if not present, the file specified in the
2258 .It Fl rother Ar file
2259 Additional certificates to include in the OCSP response.
2260 .It Fl rsigner Ar file
2261 The certificate to sign OCSP responses with.
2264 Initially the OCSP responder certificate is located and the signature on
2265 the OCSP request checked using the responder certificate's public key.
2266 Then a normal certificate verify is performed on the OCSP responder certificate
2267 building up a certificate chain in the process.
2268 The locations of the trusted certificates used to build the chain can be
2273 options or they will be looked for in the standard
2275 certificates directory.
2277 If the initial verify fails, the OCSP verify process halts with an error.
2278 Otherwise the issuing CA certificate in the request is compared to the OCSP
2279 responder certificate: if there is a match then the OCSP verify succeeds.
2281 Otherwise the OCSP responder certificate's CA is checked against the issuing
2282 CA certificate in the request.
2283 If there is a match and the OCSPSigning extended key usage is present
2284 in the OCSP responder certificate, then the OCSP verify succeeds.
2286 Otherwise the root CA of the OCSP responder's CA is checked to see if it
2287 is trusted for OCSP signing.
2288 If it is, the OCSP verify succeeds.
2290 If none of these checks is successful, the OCSP verify fails.
2291 What this effectively means is that if the OCSP responder certificate is
2292 authorised directly by the CA it is issuing revocation information about
2293 (and it is correctly configured),
2294 then verification will succeed.
2296 If the OCSP responder is a global responder,
2297 which can give details about multiple CAs
2298 and has its own separate certificate chain,
2299 then its root CA can be trusted for OCSP signing.
2300 Alternatively, the responder certificate itself can be explicitly trusted
2306 .Nm "openssl passwd"
2307 .Op Fl 1 | apr1 | crypt
2312 .Op Fl salt Ar string
2320 command computes the hash of a password.
2322 The options are as follows:
2334 Apache variant of the
2341 algorithm (the default).
2346 Don't verify when reading a password from the terminal.
2348 Don't output warnings when passwords given on the command line are truncated.
2350 Switch table columns.
2351 This only makes sense in conjunction with the
2354 .It Fl salt Ar string
2355 Use the salt specified by
2357 When reading a password from the terminal, this implies
2360 Read passwords from standard input.
2362 In the output list, prepend the cleartext password and a TAB character
2363 to each password hash.
2369 .Op Fl inform Cm der | pem
2372 .Op Fl outform Cm der | pem
2379 command processes PKCS#7 files in DER or PEM format.
2380 The PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC 2315.
2382 The options are as follows:
2385 The input file to read from,
2386 or standard input if not specified.
2387 .It Fl inform Cm der | pem
2390 Don't output the encoded version of the PKCS#7 structure
2395 The output to write to,
2396 or standard output if not specified.
2397 .It Fl outform Cm der | pem
2400 Print any certificates or CRLs contained in the file,
2401 preceded by their subject and issuer names in a one-line format.
2403 Print certificate details in full rather than just subject and issuer names.
2410 .Op Fl inform Cm der | pem
2416 .Op Fl outform Cm der | pem
2417 .Op Fl passin Ar arg
2418 .Op Fl passout Ar arg
2426 command processes private keys
2427 (both encrypted and unencrypted)
2429 with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
2430 The default encryption is only 56 bits;
2431 keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
2434 The options are as follows:
2437 Generate DSA keys in a broken format.
2438 The DSA parameters are embedded inside the PrivateKey structure.
2439 In this form the OCTET STRING contains an ASN.1 SEQUENCE consisting of
2441 a SEQUENCE containing the parameters and an ASN.1 INTEGER containing
2444 The input file to read from,
2445 or standard input if not specified.
2446 If the key is encrypted, a pass phrase will be prompted for.
2447 .It Fl inform Cm der | pem
2450 Generate an unencrypted PrivateKeyInfo structure.
2451 This option does not encrypt private keys at all
2452 and should only be used when absolutely necessary.
2454 Use an iteration count of 1.
2457 section below for a detailed explanation of this option.
2459 Generate RSA private keys in a broken format that some software uses.
2460 Specifically the private key should be enclosed in an OCTET STRING,
2461 but some software just includes the structure itself without the
2462 surrounding OCTET STRING.
2464 Generate DSA keys in a broken format compatible with Netscape
2465 private key databases.
2466 The PrivateKey contains a SEQUENCE
2467 consisting of the public and private keys, respectively.
2469 The output file to write to,
2470 or standard output if none is specified.
2471 If any encryption options are set, a pass phrase will be prompted for.
2472 .It Fl outform Cm der | pem
2474 .It Fl passin Ar arg
2475 The key password source.
2476 .It Fl passout Ar arg
2477 The output file password source.
2479 Read a traditional format private key and write a PKCS#8 format key.
2481 Specify a PKCS#5 v1.5 or PKCS#12 algorithm to use.
2483 .Bl -tag -width "XXXX" -compact
2486 .It PBE-SHA1-RC2-64 | PBE-MD5-RC2-64 | PBE-SHA1-DES
2487 64-bit RC2 or 56-bit DES.
2488 .It PBE-SHA1-RC4-128 | PBE-SHA1-RC4-40 | PBE-SHA1-3DES
2489 .It PBE-SHA1-2DES | PBE-SHA1-RC2-128 | PBE-SHA1-RC2-40
2490 PKCS#12 password-based encryption algorithm,
2491 which allow strong encryption algorithms like triple DES or 128-bit RC2.
2494 Use PKCS#5 v2.0 algorithms.
2495 Supports algorithms such as 168-bit triple DES or 128-bit RC2,
2496 however not many implementations support PKCS#5 v2.0 yet
2497 (if using private keys with
2499 this doesn't matter).
2502 is the encryption algorithm to use;
2503 valid values include des, des3, and rc2.
2504 It is recommended that des3 is used.
2508 .Nm "openssl pkcs12"
2509 .Op Fl aes128 | aes192 | aes256 | des | des3
2511 .Op Fl CAfile Ar file
2512 .Op Fl caname Ar name
2513 .Op Fl CApath Ar directory
2514 .Op Fl certfile Ar file
2515 .Op Fl certpbe Ar alg
2523 .Op Fl inkey Ar file
2525 .Op Fl keypbe Ar alg
2527 .Op Fl macalg Ar alg
2539 .Op Fl passin Ar arg
2540 .Op Fl passout Ar arg
2546 command allows PKCS#12 files
2547 .Pq sometimes referred to as PFX files
2548 to be created and parsed.
2549 By default, a PKCS#12 file is parsed;
2550 a PKCS#12 file can be created by using the
2554 The options for parsing a PKCS12 file are as follows:
2555 .Bl -tag -width "XXXX"
2556 .It Fl aes128 | aes192 | aes256 | des | des3
2557 Encrypt private keys
2558 using AES, DES, or triple DES, respectively.
2559 The default is triple DES.
2561 Only output CA certificates
2562 .Pq not client certificates .
2564 Only output client certificates
2565 .Pq not CA certificates .
2567 The input file to read from,
2568 or standard input if not specified.
2570 Output additional information about the PKCS#12 file structure,
2571 algorithms used, and iteration counts.
2573 Do not output certificates.
2575 Do not encrypt private keys.
2577 Do not output private keys.
2579 Do not attempt to verify the integrity MAC before reading the file.
2581 Do not output the keys and certificates to the output file
2582 version of the PKCS#12 file.
2584 The output file to write to,
2585 or standard output if not specified.
2586 .It Fl passin Ar arg
2587 The key password source.
2588 .It Fl passout Ar arg
2589 The output file password source.
2591 Prompt for separate integrity and encryption passwords: most software
2592 always assumes these are the same so this option will render such
2593 PKCS#12 files unreadable.
2596 The options for PKCS12 file creation are as follows:
2597 .Bl -tag -width "XXXX"
2598 .It Fl CAfile Ar file
2599 CA storage as a file.
2600 .It Fl CApath Ar directory
2601 CA storage as a directory.
2602 The directory must be a standard certificate directory:
2603 that is, a hash of each subject name (using
2605 should be linked to each certificate.
2606 .It Fl caname Ar name
2609 for other certificates.
2610 May be used multiple times to specify names for all certificates
2611 in the order they appear.
2612 .It Fl certfile Ar file
2613 A file to read additional certificates from.
2614 .It Fl certpbe Ar alg , Fl keypbe Ar alg
2615 Specify the algorithm used to encrypt the private key and
2616 certificates to be selected.
2617 Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name can be used.
2620 .Cm list-cipher-algorithms
2621 command) is specified then it
2622 is used with PKCS#5 v2.0.
2623 For interoperability reasons it is advisable to only use PKCS#12 algorithms.
2625 Include the entire certificate chain of the user certificate.
2626 The standard CA store is used for this search.
2627 If the search fails, it is considered a fatal error.
2631 as a Microsoft CSP name.
2633 Encrypt the certificate using triple DES; this may render the PKCS#12
2634 file unreadable by some
2637 By default, the private key is encrypted using triple DES and the
2638 certificate using 40-bit RC2.
2640 Create a PKCS#12 file (rather than parsing one).
2642 The input file to read from,
2643 or standard input if not specified.
2644 The order doesn't matter but one private key and its corresponding
2645 certificate should be present.
2646 If additional certificates are present, they will also be included
2647 in the PKCS#12 file.
2648 .It Fl inkey Ar file
2649 File to read a private key from.
2650 If not present, a private key must be present in the input file.
2651 .It Fl keyex | keysig
2652 Specify whether the private key is to be used for key exchange or just signing.
2655 software will only allow 512-bit RSA keys to be
2656 used for encryption purposes, but arbitrary length keys for signing.
2659 option marks the key for signing only.
2660 Signing only keys can be used for S/MIME signing, authenticode
2661 (ActiveX control signing)
2662 and SSL client authentication.
2663 .It Fl macalg Ar alg
2664 Specify the MAC digest algorithm.
2665 The default is SHA1.
2667 Included for compatibility only:
2668 it used to be needed to use MAC iterations counts
2669 but they are now used by default.
2673 for the certificate and private key.
2674 This name is typically displayed in list boxes by software importing the file.
2676 Don't attempt to provide the MAC integrity.
2677 .It Fl nomaciter , noiter
2678 Affect the iteration counts on the MAC and key algorithms.
2680 To discourage attacks by using large dictionaries of common passwords,
2681 the algorithm that derives keys from passwords can have an iteration count
2682 applied to it: this causes a certain part of the algorithm to be repeated
2684 The MAC is used to check the file integrity but since it will normally
2685 have the same password as the keys and certificates it could also be attacked.
2686 By default, both MAC and encryption iteration counts are set to 2048;
2687 using these options the MAC and encryption iteration counts can be set to 1.
2688 Since this reduces the file security you should not use these options
2689 unless you really have to.
2690 Most software supports both MAC and key iteration counts.
2692 The output file to write to,
2693 or standard output if not specified.
2694 .It Fl passin Ar arg
2695 The key password source.
2696 .It Fl passout Ar arg
2697 The output file password source.
2704 .Op Fl inform Cm der | pem
2707 .Op Fl outform Cm der | pem
2708 .Op Fl passin Ar arg
2709 .Op Fl passout Ar arg
2718 command processes public or private keys.
2719 They can be converted between various forms
2720 and their components printed out.
2722 The options are as follows:
2725 Encrypt the private key with the specified cipher.
2726 Any algorithm name accepted by
2727 .Xr EVP_get_cipherbyname 3
2728 is acceptable, such as
2731 The input file to read from,
2732 or standard input if not specified.
2733 If the key is encrypted a pass phrase will be prompted for.
2734 .It Fl inform Cm der | pem
2737 Do not output the encoded version of the key.
2739 The output file to write to,
2740 or standard output if not specified.
2741 If any encryption options are set then a pass phrase
2742 will be prompted for.
2743 .It Fl outform Cm der | pem
2745 .It Fl passin Ar arg
2746 The key password source.
2747 .It Fl passout Ar arg
2748 The output file password source.
2750 Read in a public key, not a private key.
2752 Output a public key, not a private key.
2753 Automatically set if the input is a public key.
2755 Print the public/private key in plain text.
2757 Print out only public key components
2758 even if a private key is being processed.
2761 .Cm openssl pkeyparam
2769 command processes public or private keys.
2770 The key type is determined by the PEM headers.
2772 The options are as follows:
2775 The input file to read from,
2776 or standard input if not specified.
2778 Do not output the encoded version of the parameters.
2780 The output file to write to,
2781 or standard output if not specified.
2783 Print the parameters in plain text.
2787 .Nm "openssl pkeyutl"
2795 .Op Fl inkey Ar file
2796 .Op Fl keyform Cm der | pem
2798 .Op Fl passin Ar arg
2799 .Op Fl peerform Cm der | pem
2800 .Op Fl peerkey Ar file
2801 .Op Fl pkeyopt Ar opt : Ns Ar value
2804 .Op Fl sigfile Ar file
2807 .Op Fl verifyrecover
2812 command can be used to perform public key operations using
2813 any supported algorithm.
2815 The options are as follows:
2818 ASN.1 parse the output data.
2819 This is useful when combined with the
2821 option when an ASN.1 structure is signed.
2823 The input is a certificate containing a public key.
2825 Decrypt the input data using a private key.
2827 Derive a shared secret using the peer key.
2829 Encrypt the input data using a public key.
2831 Hex dump the output data.
2833 The input file to read from,
2834 or standard input if not specified.
2835 .It Fl inkey Ar file
2837 By default it should be a private key.
2838 .It Fl keyform Cm der | pem
2841 The output file to write to,
2842 or standard output if not specified.
2843 .It Fl passin Ar arg
2844 The key password source.
2845 .It Fl peerform Cm der | pem
2846 The peer key format.
2847 .It Fl peerkey Ar file
2848 The peer key file, used by key derivation (agreement) operations.
2849 .It Fl pkeyopt Ar opt : Ns Ar value
2850 Set the public key algorithm option
2854 Unless otherwise mentioned, all algorithms support the format
2855 .Ar digest : Ns Ar alg ,
2856 which specifies the digest to use
2857 for sign, verify, and verifyrecover operations.
2860 should represent a digest name as used in the
2861 .Xr EVP_get_digestbyname 3
2864 The RSA algorithm supports the
2865 encrypt, decrypt, sign, verify, and verifyrecover operations in general.
2866 Some padding modes only support some of these
2869 .It rsa_padding_mode : Ns Ar mode
2870 This sets the RSA padding mode.
2871 Acceptable values for
2886 In PKCS#1 padding if the message digest is not set then the supplied data is
2887 signed or verified directly instead of using a DigestInfo structure.
2888 If a digest is set then a DigestInfo
2889 structure is used and its length
2890 must correspond to the digest type.
2891 For oeap mode only encryption and decryption is supported.
2892 For x931 if the digest type is set it is used to format the block data;
2893 otherwise the first byte is used to specify the X9.31 digest ID.
2894 Sign, verify, and verifyrecover can be performed in this mode.
2895 For pss mode only sign and verify are supported and the digest type must be
2897 .It rsa_pss_saltlen : Ns Ar len
2899 mode only this option specifies the salt length.
2900 Two special values are supported:
2901 -1 sets the salt length to the digest length.
2902 When signing -2 sets the salt length to the maximum permissible value.
2903 When verifying -2 causes the salt length to be automatically determined
2904 based on the PSS block structure.
2907 The DSA algorithm supports the sign and verify operations.
2908 Currently there are no additional options other than
2910 Only the SHA1 digest can be used and this digest is assumed by default.
2912 The DH algorithm supports the derive operation
2913 and no additional options.
2915 The EC algorithm supports the sign, verify, and derive operations.
2916 The sign and verify operations use ECDSA and derive uses ECDH.
2917 Currently there are no additional options other than
2919 Only the SHA1 digest can be used and this digest is assumed by default.
2921 The input file is a public key.
2923 Reverse the order of the input buffer.
2924 .It Fl sigfile Ar file
2925 Signature file (verify operation only).
2927 Sign the input data and output the signed result.
2928 This requires a private key.
2930 Verify the input data against the signature file and indicate if the
2931 verification succeeded or failed.
2932 .It Fl verifyrecover
2933 Verify the input data and output the recovered data.
2946 command is used to generate prime numbers,
2947 or to check numbers for primality.
2948 Results are probabilistic:
2949 they have an exceedingly high likelihood of being correct,
2950 but are not guaranteed.
2952 The options are as follows:
2955 Specify the number of bits in the generated prime number.
2956 Must be used in conjunction with
2959 Perform a Miller-Rabin probabilistic primality test with
2964 Generate a pseudo-random prime number.
2965 Must be used in conjunction with
2968 Output in hex format.
2973 (i.e. a prime p so that (p-1)/2 is also prime).
2992 pseudo-random bytes.
2994 The options are as follows:
2997 Perform base64 encoding on the output.
2999 Specify hexadecimal output.
3001 The output file to write to,
3002 or standard output if not specified.
3009 .Op Fl config Ar file
3011 .Op Fl extensions Ar section
3013 .Op Fl inform Cm der | pem
3014 .Op Fl key Ar keyfile
3015 .Op Fl keyform Cm der | pem
3016 .Op Fl keyout Ar file
3017 .Op Fl md4 | md5 | sha1
3019 .Op Fl nameopt Ar option
3022 .Op Fl newkey Ar arg
3023 .Op Fl no-asn1-kludge
3027 .Op Fl outform Cm der | pem
3028 .Op Fl passin Ar arg
3029 .Op Fl passout Ar arg
3031 .Op Fl reqexts Ar section
3032 .Op Fl reqopt Ar option
3033 .Op Fl set_serial Ar n
3045 command primarily creates and processes certificate requests
3047 It can additionally create self-signed certificates,
3048 for use as root CAs, for example.
3050 The options are as follows:
3053 Produce requests in an invalid format for certain picky CAs.
3054 Very few CAs still require the use of this option.
3056 Non-interactive mode.
3057 .It Fl config Ar file
3058 Specify an alternative configuration file.
3060 Specify the number of days to certify the certificate for.
3061 The default is 30 days.
3065 .It Fl extensions Ar section , Fl reqexts Ar section
3066 Specify alternative sections to include certificate
3069 or certificate request extensions,
3070 allowing several different sections to be used in the same configuration file.
3072 The input file to read a request from,
3073 or standard input if not specified.
3074 A request is only read if the creation options
3079 .It Fl inform Cm der | pem
3081 .It Fl key Ar keyfile
3082 The file to read the private key from.
3083 It also accepts PKCS#8 format private keys for PEM format files.
3084 .It Fl keyform Cm der | pem
3085 The format of the private key file specified in the
3090 .It Fl keyout Ar file
3091 The file to write the newly created private key to.
3092 If this option is not specified,
3093 the filename present in the configuration file is used.
3094 .It Fl md5 | sha1 | sha256
3095 The message digest to sign the request with.
3096 This overrides the digest algorithm specified in the configuration file.
3098 Some public key algorithms may override this choice.
3099 For instance, DSA signatures always use SHA1.
3101 Print the value of the modulus of the public key contained in the request.
3102 .It Fl nameopt Ar option , Fl reqopt Ar option
3103 Determine how the subject or issuer names are displayed.
3105 can be a single option or multiple options separated by commas.
3106 Alternatively, these options may be used more than once to set multiple options.
3109 section below for details.
3111 Generate a new certificate request.
3112 The user is prompted for the relevant field values.
3113 The actual fields prompted for and their maximum and minimum sizes
3114 are specified in the configuration file and any requested extensions.
3118 option is not used, it will generate a new RSA private
3119 key using information specified in the configuration file.
3121 Add the word NEW to the PEM file header and footer lines
3122 on the outputed request.
3123 Some software and CAs need this.
3124 .It Fl newkey Ar arg
3125 Create a new certificate request and a new private key.
3126 The argument takes one of several forms.
3128 .No rsa : Ns Ar nbits
3129 generates an RSA key
3135 the default key size is used.
3137 .No dsa : Ns Ar file
3138 generates a DSA key using the parameters in
3141 .No param : Ns Ar file
3142 generates a key using the parameters or certificate in
3145 All other algorithms support the form
3146 .Ar algorithm : Ns Ar file ,
3147 where file may be an algorithm parameter file,
3149 .Cm genpkey -genparam
3150 command or an X.509 certificate for a key with appropriate algorithm.
3153 in which case any parameters can be specified via the
3156 .It Fl no-asn1-kludge
3157 Reverse the effect of
3160 Do not encrypt the private key.
3162 Do not output the encoded version of the request.
3164 The output file to write to,
3165 or standard output if not spceified.
3166 .It Fl outform Cm der | pem
3168 .It Fl passin Ar arg
3169 The key password source.
3170 .It Fl passout Ar arg
3171 The output file password source.
3173 Output the public key.
3174 .It Fl reqopt Ar option
3175 Customise the output format used with
3179 argument can be a single option or multiple options separated by commas.
3180 See also the discussion of
3185 .It Fl set_serial Ar n
3186 Serial number to use when outputting a self-signed certificate.
3187 This may be specified as a decimal value or a hex value if preceded by
3189 It is possible to use negative serial numbers but this is not recommended.
3191 Replaces the subject field of an input request
3192 with the specified data and output the modified request.
3194 must be formatted as /type0=value0/type1=value1/type2=...;
3195 characters may be escaped by
3198 no spaces are skipped.
3200 Print the request subject (or certificate subject if
3204 Print the certificate request in plain text.
3206 Interpret field values as UTF8 strings, not ASCII.
3208 Print extra details about the operations being performed.
3210 Verify the signature on the request.
3212 Output a self-signed certificate instead of a certificate request.
3213 This is typically used to generate a test certificate or a self-signed root CA.
3214 The extensions added to the certificate (if any)
3215 are specified in the configuration file.
3216 Unless specified using the
3218 option, 0 is used for the serial number.
3221 The configuration options are specified in the
3223 section of the configuration file.
3224 The options available are as follows:
3225 .Bl -tag -width "XXXX"
3227 The section containing any request attributes: its format
3229 .Cm distinguished_name .
3230 Typically these may contain the challengePassword or unstructuredName types.
3231 They are currently ignored by the
3233 request signing utilities, but some CAs might want them.
3235 The default key size, in bits.
3236 The default is 2048.
3239 option is used and can be overridden by using the
3242 .It Cm default_keyfile
3243 The default file to write a private key to,
3244 or standard output if not specified.
3245 It can be overridden by the
3249 The digest algorithm to use.
3250 Possible values include
3256 It can be overridden on the command line.
3257 .It Cm distinguished_name
3258 The section containing the distinguished name fields to
3259 prompt for when generating a certificate or certificate request.
3260 The format is described below.
3264 and a private key is generated, it is not encrypted.
3265 It is equivalent to the
3270 is an equivalent option.
3271 .It Cm input_password | output_password
3272 The passwords for the input private key file (if present)
3273 and the output private key file (if one will be created).
3274 The command line options
3278 override the configuration file values.
3280 A file containing additional OBJECT IDENTIFIERS.
3281 Each line of the file should consist of the numerical form of the
3282 object identifier, followed by whitespace, then the short name followed
3283 by whitespace and finally the long name.
3285 Specify a section in the configuration file containing extra
3287 Each line should consist of the short name of the
3288 object identifier followed by
3290 and the numerical form.
3291 The short and long names are the same when this option is used.
3295 it disables prompting of certificate fields
3296 and just takes values from the config file directly.
3297 It also changes the expected format of the
3298 .Cm distinguished_name
3302 .It Cm req_extensions
3303 The configuration file section containing a list of
3304 extensions to add to the certificate request.
3305 It can be overridden by the
3309 Limit the string types for encoding certain fields.
3310 The following values may be used, limiting strings to the indicated types:
3311 .Bl -tag -width "MASK:number"
3314 This is the default, as recommended by PKIX in RFC 2459.
3316 PrintableString, IA5String, T61String, BMPString, UTF8String.
3318 PrintableString, IA5String, BMPString, UTF8String.
3319 Inspired by the PKIX recommendation in RFC 2459 for certificates
3320 generated before 2004, but differs by also permitting IA5String.
3322 PrintableString, IA5String, T61String, UniversalString.
3323 A workaround for some ancient software that had problems
3324 with the variable-sized BMPString and UTF8String types.
3325 .It Cm MASK : Ns Ar number
3326 An explicit bitmask of permitted types, where
3328 is a C-style hex, decimal, or octal number that's a bit-wise OR of
3331 .In openssl/asn1.h .
3336 field values are interpreted as UTF8 strings.
3337 .It Cm x509_extensions
3338 The configuration file section containing a list of
3339 extensions to add to a certificate generated when the
3342 It can be overridden by the
3344 command line switch.
3347 There are two separate formats for the distinguished name and attribute
3353 then these sections just consist of field names and values.
3356 option is absent or not set to
3358 then the file contains field prompting information of the form:
3359 .Bd -unfilled -offset indent
3361 fieldName_default="default field value"
3367 is the field name being used, for example
3372 string is used to ask the user to enter the relevant details.
3373 If the user enters nothing, the default value is used;
3374 if no default value is present, the field is omitted.
3375 A field can still be omitted if a default value is present,
3376 if the user just enters the
3380 The number of characters entered must be between the
3381 fieldName_min and fieldName_max limits:
3382 there may be additional restrictions based on the field being used
3385 can only ever be two characters long and must fit in a
3386 .Cm PrintableString ) .
3388 Some fields (such as
3389 .Cm organizationName )
3390 can be used more than once in a DN.
3391 This presents a problem because configuration files will
3392 not recognize the same name occurring twice.
3393 To avoid this problem, if the
3395 contains some characters followed by a full stop, they will be ignored.
3396 So, for example, a second
3397 .Cm organizationName
3398 can be input by calling it
3399 .Qq 1.organizationName .
3401 The actual permitted field names are any object identifier short or
3403 These are compiled into
3405 and include the usual values such as
3406 .Cm commonName , countryName , localityName , organizationName ,
3407 .Cm organizationalUnitName , stateOrProvinceName .
3410 is included as well as
3411 .Cm name , surname , givenName , initials
3415 Additional object identifiers can be defined with the
3419 options in the configuration file.
3420 Any additional fields will be treated as though they were a
3421 .Cm DirectoryString .
3425 .Op Fl aes128 | aes192 | aes256 | des | des3
3428 .Op Fl inform Cm der | net | pem
3432 .Op Fl outform Cm der | net | pem
3433 .Op Fl passin Ar arg
3434 .Op Fl passout Ar arg
3443 command processes RSA keys.
3444 They can be converted between various forms and their components printed out.
3446 uses the traditional
3448 compatible format for private key encryption:
3449 newer applications should use the more secure PKCS#8 format using the
3453 The options are as follows:
3455 .It Fl aes128 | aes192 | aes256 | des | des3
3456 Encrypt the private key with the AES, DES,
3457 or the triple DES ciphers, respectively, before outputting it.
3458 A pass phrase is prompted for.
3459 If none of these options are specified, the key is written in plain text.
3460 This means that using the
3462 utility to read in an encrypted key with no encryption option can be used
3463 to remove the pass phrase from a key, or by setting the encryption options
3464 it can be used to add or change the pass phrase.
3465 These options can only be used with PEM format output files.
3467 Check the consistency of an RSA private key.
3469 The input file to read from,
3470 or standard input if not specified.
3471 If the key is encrypted, a pass phrase will be prompted for.
3472 .It Fl inform Cm der | net | pem
3475 Do not output the encoded version of the key.
3477 Print the value of the modulus of the key.
3479 The output file to write to,
3480 or standard output if not specified.
3481 .It Fl outform Cm der | net | pem
3483 .It Fl passin Ar arg
3484 The key password source.
3485 .It Fl passout Ar arg
3486 The output file password source.
3488 Read in a public key,
3491 Output a public key,
3493 Automatically set if the input is a public key.
3495 Use the modified NET algorithm used with some versions of Microsoft IIS
3498 Print the public/private key components in plain text.
3502 .Nm "openssl rsautl"
3509 .Op Fl inkey Ar file
3510 .Op Fl keyform Cm der | pem
3511 .Op Fl oaep | pkcs | raw
3520 command can be used to sign, verify, encrypt and decrypt
3521 data using the RSA algorithm.
3523 The options are as follows:
3526 Asn1parse the output data; this is useful when combined with the
3530 The input is a certificate containing an RSA public key.
3532 Decrypt the input data using an RSA private key.
3534 Encrypt the input data using an RSA public key.
3536 Hex dump the output data.
3538 The input to read from,
3539 or standard input if not specified.
3540 .It Fl inkey Ar file
3541 The input key file; by default an RSA private key.
3542 .It Fl keyform Cm der | pem
3543 The private key format.
3546 .It Fl oaep | pkcs | raw
3548 PKCS#1 OAEP, PKCS#1 v1.5 (the default), or no padding, respectively.
3549 For signatures, only
3555 The output file to write to,
3556 or standard output if not specified.
3558 The input file is an RSA public key.
3560 Sign the input data and output the signed result.
3561 This requires an RSA private key.
3563 Verify the input data and output the recovered data.
3567 .Nm "openssl s_client"
3570 .Op Fl CAfile Ar file
3571 .Op Fl CApath Ar directory
3574 .Op Fl cipher Ar cipherlist
3575 .Op Fl connect Ar host Ns Op : Ns Ar port
3577 .Op Fl crl_check_all
3583 .Op Fl ignore_critical
3584 .Op Fl issuer_checks
3585 .Op Fl key Ar keyfile
3596 .Op Fl proxy Ar host : Ns Ar port
3598 .Op Fl psk_identity Ar identity
3601 .Op Fl servername Ar name
3603 .Op Fl starttls Ar protocol
3609 .Op Fl verify Ar depth
3611 .Op Fl xmpphost Ar host
3616 command implements a generic SSL/TLS client which connects
3617 to a remote host using SSL/TLS.
3619 If a connection is established with an SSL server, any data received
3620 from the server is displayed and any key presses will be sent to the
3622 When used interactively (which means neither
3626 have been given), the session will be renegotiated if the line begins with an
3628 if the line begins with a
3630 or if end of file is reached, the connection will be closed down.
3632 The options are as follows:
3635 Attempt connections using IPv4 only.
3637 Attempt connections using IPv6 only.
3639 Enable various workarounds for buggy implementations.
3640 .It Fl CAfile Ar file
3643 containing trusted certificates to use during server authentication
3644 and to use when attempting to build the client certificate chain.
3645 .It Fl CApath Ar directory
3648 to use for server certificate verification.
3649 This directory must be in
3653 for more information.
3654 These are also used when building the client certificate chain.
3656 The certificate to use, if one is requested by the server.
3657 The default is not to use a certificate.
3663 .Fl ignore_critical ,
3668 Set various certificate chain validation options.
3671 command for details.
3672 .It Fl cipher Ar cipherlist
3673 Modify the cipher list sent by the client.
3674 Although the server determines which cipher suite is used, it should take
3675 the first supported cipher in the list sent by the client.
3678 command for more information.
3679 .It Fl connect Ar host Ns Op : Ns Ar port
3685 If not specified, an attempt is made to connect to the local host
3687 Alternatively, the host and port pair may be separated using a forward-slash
3689 which is useful for numeric IPv6 addresses.
3691 Translate a line feed from the terminal into CR+LF,
3692 as required by some servers.
3694 Print extensive debugging information, including a hex dump of all traffic.
3695 .It Fl groups Ar ecgroups
3696 Specify a colon-separated list of permitted EC curve groups.
3698 Inhibit shutting down the connection when end of file is reached in the input.
3699 .It Fl key Ar keyfile
3700 The private key to use.
3701 If not specified, the certificate file will be used.
3703 Show all protocol messages with hex dump.
3705 Turn on non-blocking I/O.
3707 Test non-blocking I/O.
3708 .It Fl no_tls1 | no_tls1_1 | no_tls1_2
3709 Disable the use of TLS1.0, 1.1, and 1.2, respectively.
3711 Disable RFC 4507 session ticket support.
3713 Pause 1 second between each read and write call.
3715 Print session information when the program exits.
3716 This will always attempt
3717 to print out information even if the connection fails.
3718 Normally, information will only be printed out once if the connection succeeds.
3719 This option is useful because the cipher in use may be renegotiated
3720 or the connection may fail because a client certificate is required or is
3721 requested only after an attempt is made to access a certain URL.
3722 Note that the output produced by this option is not always accurate
3723 because a connection might never have been established.
3724 .It Fl proxy Ar host : Ns Ar port
3725 Use the HTTP proxy at
3729 The connection to the proxy is done in cleartext and the
3731 argument is given to the proxy.
3732 If not specified, localhost is used as final destination.
3733 After that, switch the connection through the proxy to the destination
3738 when using a PSK cipher suite.
3739 The key is given as a hexadecimal number without the leading 0x,
3740 for example -psk 1a2b3c4d.
3741 .It Fl psk_identity Ar identity
3744 when using a PSK cipher suite.
3746 Inhibit printing of session and certificate information.
3747 This implicitly turns on
3751 Reconnect to the same server 5 times using the same session ID; this can
3752 be used as a test that session caching is working.
3753 .It Fl servername Ar name
3754 Include the TLS Server Name Indication (SNI) extension in the ClientHello
3755 message, using the specified server
3758 Display the whole server certificate chain: normally only the server
3759 certificate itself is displayed.
3760 .It Fl starttls Ar protocol
3761 Send the protocol-specific messages to switch to TLS for communication.
3763 is a keyword for the intended protocol.
3764 Currently, the supported keywords are
3772 Print the SSL session states.
3773 .It Fl tls1 | tls1_1 | tls1_2
3774 Permit only TLS1.0, 1.1, or 1.2, respectively.
3776 Print a hex dump of any TLS extensions received from the server.
3777 .It Fl verify Ar depth
3778 Turn on server certificate verification,
3779 with a maximum length of
3781 Currently the verify operation continues after errors so all the problems
3782 with a certificate chain can be seen.
3783 As a side effect the connection will never fail due to a server
3784 certificate verify failure.
3785 .It Fl xmpphost Ar hostname
3787 .Fl starttls Ar xmpp ,
3788 specify the host for the "to" attribute of the stream element.
3789 If this option is not specified then the host specified with
3795 .Nm "openssl s_server"
3796 .Op Fl accept Ar port
3798 .Op Fl CAfile Ar file
3799 .Op Fl CApath Ar directory
3801 .Op Fl cipher Ar cipherlist
3802 .Op Fl context Ar id
3804 .Op Fl crl_check_all
3806 .Op Fl dcert Ar file
3808 .Op Fl dhparam Ar file
3812 .Op Fl id_prefix Ar arg
3813 .Op Fl key Ar keyfile
3824 .Op Fl psk_hint Ar hint
3831 .Op Fl Verify Ar depth
3832 .Op Fl verify Ar depth
3839 command implements a generic SSL/TLS server which listens
3840 for connections on a given port using SSL/TLS.
3842 If a connection request is established with a client and neither the
3846 option has been used, then any data received
3847 from the client is displayed and any key presses are sent to the client.
3848 Certain single letter commands perform special operations:
3850 .Bl -tag -width "XXXX" -compact
3852 Send plain text, which should cause the client to disconnect.
3854 End the current SSL connection and exit.
3856 End the current SSL connection, but still accept new connections.
3858 Renegotiate the SSL session and request a client certificate.
3860 Renegotiate the SSL session.
3862 Print out some session cache status information.
3865 The options are as follows:
3867 .It Fl accept Ar port
3871 The default is port 4433.
3873 Enable various workarounds for buggy implementations.
3874 .It Fl CAfile Ar file
3877 containing trusted certificates to use during client authentication
3878 and to use when attempting to build the server certificate chain.
3879 The list is also used in the list of acceptable client CAs passed to the
3880 client when a certificate is requested.
3881 .It Fl CApath Ar directory
3884 to use for client certificate verification.
3885 This directory must be in
3889 for more information.
3890 These are also used when building the server certificate chain.
3892 The certificate to use: most server's cipher suites require the use of a
3893 certificate and some require a certificate with a certain public key type.
3894 For example, the DSS cipher suites require a certificate containing a DSS
3896 If not specified, the file
3899 .It Fl cipher Ar cipherlist
3900 Modify the cipher list used by the server.
3901 This allows the cipher list used by the server to be modified.
3902 When the client sends a list of supported ciphers, the first client cipher
3903 also included in the server list is used.
3904 Because the client specifies the preference order, the order of the server
3905 cipherlist is irrelevant.
3908 command for more information.
3909 .It Fl context Ar id
3910 Set the SSL context ID.
3911 It can be given any string value.
3912 .It Fl crl_check , crl_check_all
3913 Check the peer certificate has not been revoked by its CA.
3914 The CRLs are appended to the certificate file.
3916 checks all CRLs of all CAs in the chain.
3918 Translate a line feed from the terminal into CR+LF.
3919 .It Fl dcert Ar file , Fl dkey Ar file
3920 Specify an additional certificate and private key; these behave in the
3925 options except there is no default if they are not specified
3926 (no additional certificate or key is used).
3927 By using RSA and DSS certificates and keys,
3928 a server can support clients which only support RSA or DSS cipher suites
3929 by using an appropriate certificate.
3931 Print extensive debugging information, including a hex dump of all traffic.
3932 .It Fl dhparam Ar file
3933 The DH parameter file to use.
3934 The ephemeral DH cipher suites generate keys
3935 using a set of DH parameters.
3936 If not specified, an attempt is made to
3937 load the parameters from the server certificate file.
3938 If this fails, a static set of parameters hard coded into the
3940 program will be used.
3942 Enables a further workaround for some early Netscape SSL code.
3944 Emulate a simple web server.
3945 Pages are resolved relative to the current directory.
3946 For example if the URL
3947 .Pa https://myhost/page.html
3948 is requested, the file
3951 The files loaded are assumed to contain a complete and correct HTTP
3952 response (lines that are part of the HTTP response line and headers
3953 must end with CRLF).
3954 .It Fl id_prefix Ar arg
3955 Generate SSL/TLS session IDs prefixed by
3957 This is mostly useful for testing any SSL/TLS code
3958 that wish to deal with multiple servers,
3959 when each of which might be generating a unique range of session IDs.
3960 .It Fl key Ar keyfile
3961 The private key to use.
3962 If not specified, the certificate file will be used.
3964 Show all protocol messages with hex dump.
3966 Turn on non-blocking I/O.
3968 Test non-blocking I/O.
3970 Disable ephemeral DH cipher suites.
3971 .It Fl no_tls1 | no_tls1_1 | no_tls1_2
3972 Disable the use of TLS1.0, 1.1, and 1.2, respectively.
3974 Disable temporary RSA key generation.
3976 Do not use a certificate.
3977 This restricts the cipher suites available to the anonymous ones
3978 (currently just anonymous DH).
3982 when using a PSK cipher suite.
3983 The key is given as a hexadecimal number without the leading 0x,
3984 for example -psk 1a2b3c4d.
3985 .It Fl psk_hint Ar hint
3986 Use the PSK identity hint
3988 when using a PSK cipher suite.
3990 Inhibit printing of session and certificate information.
3992 Use server's cipher preferences.
3994 Print the SSL session states.
3995 .It Fl tls1 | tls1_1 | tls1_2
3996 Permit only TLS1.0, 1.1, or 1.2, respectively.
3998 Emulate a simple web server.
3999 Pages are resolved relative to the current directory.
4000 For example if the URL
4001 .Pa https://myhost/page.html
4002 is requested, the file
4006 Send a status message to the client when it connects,
4007 including information about the ciphers used and various session parameters.
4008 The output is in HTML format so this option will normally be used with a
4010 .It Fl Verify Ar depth , Fl verify Ar depth
4011 Request a certificate chain from the client,
4012 with a maximum length of
4016 the client must supply a certificate or an error occurs;
4019 a certificate is requested but the client does not have to send one.
4023 .Nm "openssl s_time"
4025 .Op Fl CAfile Ar file
4026 .Op Fl CApath Ar directory
4028 .Op Fl cipher Ar cipherlist
4029 .Op Fl connect Ar host Ns Op : Ns Ar port
4030 .Op Fl key Ar keyfile
4035 .Op Fl time Ar seconds
4036 .Op Fl verify Ar depth
4042 command implements a generic SSL/TLS client which connects to a
4043 remote host using SSL/TLS.
4044 It can request a page from the server and includes
4045 the time to transfer the payload data in its timing measurements.
4046 It measures the number of connections within a given timeframe,
4047 the amount of data transferred
4049 and calculates the average time spent for one connection.
4051 The options are as follows:
4054 Enable various workarounds for buggy implementations.
4055 .It Fl CAfile Ar file
4058 containing trusted certificates to use during server authentication
4059 and to use when attempting to build the client certificate chain.
4060 .It Fl CApath Ar directory
4061 The directory to use for server certificate verification.
4062 This directory must be in
4066 for more information.
4067 These are also used when building the client certificate chain.
4069 The certificate to use, if one is requested by the server.
4070 The default is not to use a certificate.
4071 .It Fl cipher Ar cipherlist
4072 Modify the cipher list sent by the client.
4073 Although the server determines which cipher suite is used,
4074 it should take the first supported cipher in the list sent by the client.
4077 command for more information.
4078 .It Fl connect Ar host Ns Op : Ns Ar port
4079 The host and port to connect to.
4080 .It Fl key Ar keyfile
4081 The private key to use.
4082 If not specified, the certificate file will be used.
4084 Turn on non-blocking I/O.
4086 Perform the timing test using a new session ID for each connection.
4092 they are both on by default and executed in sequence.
4094 Shut down the connection without sending a
4096 shutdown alert to the server.
4098 Perform the timing test using the same session ID for each connection.
4104 they are both on by default and executed in sequence.
4105 .It Fl time Ar seconds
4108 benchmarks to the number of
4110 The default is 30 seconds.
4111 .It Fl verify Ar depth
4112 Turn on server certificate verification,
4113 with a maximum length of
4115 Currently the verify operation continues after errors, so all the problems
4116 with a certificate chain can be seen.
4118 the connection will never fail due to a server certificate verify failure.
4120 The page to GET from the server.
4123 gets the index.htm[l] page.
4124 If this parameter is not specified,
4126 will only perform the handshake to establish SSL connections
4127 but not transfer any payload data.
4131 .Nm "openssl sess_id"
4133 .Op Fl context Ar ID
4135 .Op Fl inform Cm der | pem
4138 .Op Fl outform Cm der | pem
4144 program processes the encoded version of the SSL session structure and
4145 optionally prints out SSL session details
4146 (for example the SSL session master key)
4147 in human-readable format.
4149 The options are as follows:
4152 If a certificate is present in the session,
4153 it will be output using this option;
4156 option is also present, then it will be printed out in text form.
4157 .It Fl context Ar ID
4160 The ID can be any string of characters.
4162 The input file to read from,
4163 or standard input if not specified.
4164 .It Fl inform Cm der | pem
4167 uses an ASN.1 DER-encoded format containing session details.
4168 The precise format can vary from one version to the next.
4170 is the default format: it consists of the DER
4171 format base64-encoded with additional header and footer lines.
4173 Do not output the encoded version of the session.
4175 The output file to write to,
4176 or standard output if not specified.
4177 .It Fl outform Cm der | pem
4180 Print the various public or private key components in plain text,
4181 in addition to the encoded version.
4186 is composed as follows:
4188 .Bl -tag -width "Verify return code " -offset 3n -compact
4190 The protocol in use.
4192 The actual raw SSL or TLS cipher code.
4194 The SSL session ID, in hex format.
4196 The session ID context, in hex format.
4198 The SSL session master key.
4200 The key argument; this is only used in SSL v2.
4202 The session start time.
4206 The timeout, in seconds.
4207 .It Verify return code
4208 The return code when a certificate is verified.
4211 Since the SSL session output contains the master key, it is possible to read
4212 the contents of an encrypted session using this information.
4213 Therefore appropriate security precautions
4214 should be taken if the information is being output by a
4217 This is, however, strongly discouraged and should only be used for
4223 .Fl aes128 | aes192 | aes256 | des |
4224 .Fl des3 | rc2-40 | rc2-64 | rc2-128
4227 .Op Fl CAfile Ar file
4228 .Op Fl CApath Ar directory
4229 .Op Fl certfile Ar file
4231 .Op Fl content Ar file
4233 .Op Fl crl_check_all
4238 .Op Fl ignore_critical
4241 .Op Fl inform Cm der | pem | smime
4242 .Op Fl inkey Ar file
4243 .Op Fl issuer_checks
4244 .Op Fl keyform Cm pem
4255 .Op Fl outform Cm der | pem | smime
4256 .Op Fl passin Ar arg
4259 .Op Fl recip Ar file
4262 .Op Fl signer Ar file
4274 command handles S/MIME mail.
4275 It can encrypt, decrypt, sign, and verify S/MIME messages.
4277 The MIME message must be sent without any blank lines between the
4278 headers and the output.
4279 Some mail programs will automatically add a blank line.
4280 Piping the mail directly to an MTA is one way to
4281 achieve the correct format.
4283 The supplied message to be signed or encrypted must include the necessary
4284 MIME headers or many S/MIME clients won't display it properly (if at all).
4287 option to automatically add plain text headers.
4290 .Qq signed and encrypted
4291 message is one where a signed message is then encrypted.
4292 This can be produced by encrypting an already signed message.
4294 There are a number of operations that can be performed, as follows:
4295 .Bl -tag -width "XXXX"
4297 Decrypt mail using the supplied certificate and private key.
4298 The input file is an encrypted mail message in MIME format.
4299 The decrypted mail is written to the output file.
4301 Encrypt mail for the given recipient certificates.
4302 The input is the message to be encrypted.
4303 The output file is the encrypted mail, in MIME format.
4305 Take an input message and write out a PEM-encoded PKCS#7 structure.
4307 Resign a message: take an existing message and one or more new signers.
4309 Sign mail using the supplied certificate and private key.
4310 The input file is the message to be signed.
4311 The signed message, in MIME format, is written to the output file.
4314 The input is a signed mail message and the output is the signed data.
4315 Both clear text and opaque signing is supported.
4318 The remaining options are as follows:
4319 .Bl -tag -width "XXXX"
4321 .Fl aes128 | aes192 | aes256 | des |
4322 .Fl des3 | rc2-40 | rc2-64 | rc2-128
4324 The encryption algorithm to use.
4325 128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
4326 or 40-, 64-, or 128-bit RC2, respectively;
4327 if not specified, 40-bit RC2 is
4332 Normally, the input message is converted to
4334 format which uses CR/LF as end of line,
4335 as required by the S/MIME specification.
4336 When this option is present no translation occurs.
4337 This is useful when handling binary data which may not be in MIME format.
4338 .It Fl CAfile Ar file
4341 containing trusted CA certificates; only used with
4343 .It Fl CApath Ar directory
4346 containing trusted CA certificates; only used with
4348 This directory must be a standard certificate directory:
4349 that is, a hash of each subject name (using
4351 should be linked to each certificate.
4353 One or more certificates of message recipients: used when encrypting
4355 .It Fl certfile Ar file
4356 Allows additional certificates to be specified.
4357 When signing, these will be included with the message.
4358 When verifying, these will be searched for the signers' certificates.
4359 The certificates should be in PEM format.
4365 .Fl ignore_critical ,
4370 Set various certificate chain validation options.
4373 command for details.
4374 .It Fl content Ar file
4375 A file containing the detached content.
4376 This is only useful with the
4379 and only usable if the PKCS#7 structure is using the detached
4380 signature form where the content is not included.
4381 This option will override any content if the input format is S/MIME
4382 and it uses the multipart/signed MIME content type.
4388 The relevant mail headers.
4389 These are included outside the signed
4390 portion of a message so they may be included manually.
4391 When signing, many S/MIME
4392 mail clients check that the signer's certificate email
4393 address matches the From: address.
4395 The input file to read from.
4397 Enable streaming I/O for encoding operations.
4398 This permits single pass processing of data without
4399 the need to hold the entire contents in memory,
4400 potentially supporting very large files.
4401 Streaming is automatically set for S/MIME signing with detached
4402 data if the output format is SMIME;
4403 it is currently off by default for all other operations.
4404 .It Fl inform Cm der | pem | smime
4406 .It Fl inkey Ar file
4407 The private key to use when signing or decrypting,
4408 which must match the corresponding certificate.
4409 If this option is not specified, the private key must be included
4410 in the certificate file specified with
4417 this option can be used multiple times to specify successive keys.
4418 .It Fl keyform Cm pem
4419 Input private key format.
4421 The digest algorithm to use when signing or resigning.
4422 If not present then the default digest algorithm for the signing key is used
4425 Do not include attributes.
4427 Do not include the signer's certificate.
4428 This will reduce the size of the signed message but the verifier must
4429 have a copy of the signer's certificate available locally (passed using the
4431 option, for example).
4433 Do not do chain verification of signers' certificates: that is,
4434 don't use the certificates in the signed message as untrusted CAs.
4436 When signing a message use opaque signing: this form is more resistant
4437 to translation by mail relays but it cannot be read by mail agents that
4438 do not support S/MIME.
4439 Without this option cleartext signing with the MIME type
4440 multipart/signed is used.
4442 Disable streaming I/O where it would produce an encoding of indefinite length
4443 (currently has no effect).
4445 Only use certificates specified in the
4447 The supplied certificates can still be used as untrusted CAs.
4449 Do not try to verify the signatures on the message.
4451 Do not verify the signer's certificate of a signed message.
4453 The output file to write to.
4454 .It Fl outform Cm der | pem | smime
4456 The default is smime, which writes an S/MIME format message.
4460 change this to write PEM and DER format PKCS#7 structures instead.
4461 This currently only affects the output format of the PKCS#7
4462 structure; if no PKCS#7 structure is being output (for example with
4466 this option has no effect.
4467 .It Fl passin Ar arg
4468 The key password source.
4469 .It Fl recip Ar file
4470 The recipients certificate when decrypting a message.
4472 must match one of the recipients of the message or an error occurs.
4473 .It Fl signer Ar file
4474 A signing certificate when signing or resigning a message;
4475 this option can be used multiple times if more than one signer is required.
4476 If a message is being verified, the signer's certificates will be
4477 written to this file if the verification was successful.
4482 Add plain text (text/plain) MIME
4483 headers to the supplied message if encrypting or signing.
4484 If decrypting or verifying, it strips off text headers:
4485 if the decrypted or verified message is not of MIME type text/plain
4486 then an error occurs.
4493 .Bl -tag -width "XXXX" -offset 3n -compact
4495 The operation was completely successful.
4497 An error occurred parsing the command options.
4499 One of the input files could not be read.
4501 An error occurred creating the file or when reading the message.
4503 An error occurred decrypting or verifying the message.
4505 An error occurred writing certificates.
4513 .Op Fl evp Ar algorithm
4515 .Op Fl multi Ar number
4520 command is used to test the performance of cryptographic algorithms.
4521 .Bl -tag -width "XXXX"
4523 Perform the test using
4525 The default is to test all algorithms.
4527 Time decryption instead of encryption;
4531 Measure time in real time instead of CPU user time.
4532 .It Fl evp Ar algorithm
4533 Perform the test using one of the algorithms accepted by
4534 .Xr EVP_get_cipherbyname 3 .
4536 Produce machine readable output.
4537 .It Fl multi Ar number
4540 benchmarks in parallel.
4545 .Op Fl challenge Ar string
4547 .Op Fl key Ar keyfile
4550 .Op Fl passin Ar arg
4552 .Op Fl spkac Ar spkacname
4553 .Op Fl spksect Ar section
4559 command processes signed public key and challenge (SPKAC) files.
4560 It can print out their contents, verify the signature,
4561 and produce its own SPKACs from a supplied private key.
4563 The options are as follows:
4565 .It Fl challenge Ar string
4566 The challenge string, if an SPKAC is being created.
4568 The input file to read from,
4569 or standard input if not specified.
4573 .It Fl key Ar keyfile
4574 Create an SPKAC file using the private key in
4577 .Fl in , noout , spksect ,
4580 options are ignored, if present.
4582 Do not output the text version of the SPKAC.
4584 The output file to write to,
4585 or standard output if not specified.
4586 .It Fl passin Ar arg
4587 The key password source.
4589 Output the public key of an SPKAC.
4590 .It Fl spkac Ar spkacname
4591 An alternative name for the variable containing the SPKAC.
4592 The default is "SPKAC".
4593 This option affects both generated and input SPKAC files.
4594 .It Fl spksect Ar section
4595 An alternative name for the
4597 containing the SPKAC.
4599 Verify the digital signature on the supplied SPKAC.
4605 .Op Fl md4 | md5 | ripemd160 | sha1
4607 .Op Fl config Ar configfile
4608 .Op Fl data Ar file_to_hash
4609 .Op Fl digest Ar digest_bytes
4610 .Op Fl in Ar request.tsq
4612 .Op Fl out Ar request.tsq
4613 .Op Fl policy Ar object_id
4620 .Op Fl chain Ar certs_file.pem
4621 .Op Fl config Ar configfile
4622 .Op Fl in Ar response.tsr
4623 .Op Fl inkey Ar private.pem
4624 .Op Fl out Ar response.tsr
4625 .Op Fl passin Ar arg
4626 .Op Fl policy Ar object_id
4627 .Op Fl queryfile Ar request.tsq
4628 .Op Fl section Ar tsa_section
4629 .Op Fl signer Ar tsa_cert.pem
4638 .Op Fl CAfile Ar trusted_certs.pem
4639 .Op Fl CApath Ar trusted_cert_path
4640 .Op Fl data Ar file_to_hash
4641 .Op Fl digest Ar digest_bytes
4642 .Op Fl in Ar response.tsr
4643 .Op Fl queryfile Ar request.tsq
4645 .Op Fl untrusted Ar cert_file.pem
4650 command is a basic Time Stamping Authority (TSA) client and server
4651 application as specified in RFC 3161 (Time-Stamp Protocol, TSP).
4652 A TSA can be part of a PKI deployment and its role is to provide long
4653 term proof of the existence of specific data.
4654 Here is a brief description of the protocol:
4657 The TSA client computes a one-way hash value for a data file and sends
4658 the hash to the TSA.
4660 The TSA attaches the current date and time to the received hash value,
4661 signs them and sends the time stamp token back to the client.
4662 By creating this token the TSA certifies the existence of the original
4663 data file at the time of response generation.
4665 The TSA client receives the time stamp token and verifies the
4667 It also checks if the token contains the same hash
4668 value that it had sent to the TSA.
4671 There is one DER-encoded protocol data unit defined for transporting a time
4672 stamp request to the TSA and one for sending the time stamp response
4676 command has three main functions:
4677 creating a time stamp request based on a data file;
4678 creating a time stamp response based on a request;
4679 and verifying if a response corresponds
4680 to a particular request or a data file.
4682 There is no support for sending the requests/responses automatically
4683 over HTTP or TCP yet as suggested in RFC 3161.
4684 Users must send the requests either by FTP or email.
4688 switch can be used for creating and printing a time stamp
4689 request with the following options:
4692 Expect the TSA to include its signing certificate in the response.
4693 .It Fl config Ar configfile
4694 Specify an alternative configuration file.
4695 Only the OID section is used.
4696 .It Fl data Ar file_to_hash
4697 The data file for which the time stamp request needs to be created.
4698 The default is standard input.
4699 .It Fl digest Ar digest_bytes
4700 Specify the message imprint explicitly without the data file.
4701 The imprint must be specified in a hexadecimal format,
4702 two characters per byte,
4703 the bytes optionally separated by colons.
4704 The number of bytes must match the message digest algorithm in use.
4705 .It Fl in Ar request.tsq
4706 A previously created time stamp request in DER
4707 format that will be printed into the output file.
4708 Useful for examining the content of a request in human-readable format.
4709 .It Fl md4 | md5 | ripemd160 | sha | sha1
4710 The message digest to apply to the data file.
4711 It supports all the message digest algorithms that are supported by the
4714 The default is SHA-1.
4716 Specify no nonce in the request.
4717 The default, to include a 64-bit long pseudo-random nonce,
4718 is recommended to protect against replay attacks.
4719 .It Fl out Ar request.tsq
4720 The output file to write to,
4721 or standard output if not specified.
4722 .It Fl policy Ar object_id
4723 The policy that the client expects the TSA to use for creating the
4725 Either dotted OID notation or OID names defined
4726 in the config file can be used.
4727 If no policy is requested the TSA uses its own default policy.
4729 Output in human-readable text format instead of DER.
4732 A time stamp response (TimeStampResp) consists of a response status
4733 and the time stamp token itself (ContentInfo),
4734 if the token generation was successful.
4737 command is for creating a time stamp
4738 response or time stamp token based on a request and printing the
4739 response/token in human-readable format.
4742 is not specified the output is always a time stamp response (TimeStampResp),
4743 otherwise it is a time stamp token (ContentInfo).
4745 .It Fl chain Ar certs_file.pem
4746 The collection of PEM certificates
4747 that will be included in the response
4748 in addition to the signer certificate if the
4750 option was used for the request.
4751 This file is supposed to contain the certificate chain
4752 for the signer certificate from its issuer upwards.
4755 command does not build a certificate chain automatically.
4756 .It Fl config Ar configfile
4757 Specify an alternative configuration file.
4758 .It Fl in Ar response.tsr
4759 Specify a previously created time stamp response (or time stamp token, if
4762 in DER format that will be written to the output file.
4763 This option does not require a request;
4764 it is useful, for example,
4765 to examine the content of a response or token
4766 or to extract the time stamp token from a response.
4767 If the input is a token and the output is a time stamp response a default
4769 status info is added to the token.
4770 .It Fl inkey Ar private.pem
4771 The signer private key of the TSA in PEM format.
4775 .It Fl out Ar response.tsr
4776 The response is written to this file.
4777 The format and content of the file depends on other options (see
4781 The default is stdout.
4782 .It Fl passin Ar arg
4783 The key password source.
4784 .It Fl policy Ar object_id
4785 The default policy to use for the response.
4786 Either dotted OID notation or OID names defined
4787 in the config file can be used.
4788 If no policy is requested the TSA uses its own default policy.
4789 .It Fl queryfile Ar request.tsq
4790 The file containing a DER-encoded time stamp request.
4791 .It Fl section Ar tsa_section
4792 The config file section containing the settings for response generation.
4793 .It Fl signer Ar tsa_cert.pem
4794 The PEM signer certificate of the TSA.
4795 The TSA signing certificate must have exactly one extended key usage
4796 assigned to it: timeStamping.
4797 The extended key usage must also be critical,
4798 otherwise the certificate is going to be refused.
4801 variable of the config file.
4803 Output in human-readable text format instead of DER.
4805 The input is a DER-encoded time stamp token (ContentInfo)
4806 instead of a time stamp response (TimeStampResp).
4808 The output is a time stamp token (ContentInfo)
4809 instead of a time stamp response (TimeStampResp).
4814 command is for verifying if a time stamp response or time stamp token
4815 is valid and matches a particular time stamp request or data file.
4818 command does not use the configuration file.
4820 .It Fl CAfile Ar trusted_certs.pem
4821 The file containing a set of trusted self-signed PEM CA certificates.
4824 for additional details.
4825 Either this option or
4828 .It Fl CApath Ar trusted_cert_path
4829 The directory containing the trused CA certificates of the client.
4832 for additional details.
4833 Either this option or
4836 .It Fl data Ar file_to_hash
4837 The response or token must be verified against
4839 The file is hashed with the message digest algorithm specified in the token.
4844 options must not be specified with this one.
4845 .It Fl digest Ar digest_bytes
4846 The response or token must be verified against the message digest specified
4848 The number of bytes must match the message digest algorithm
4849 specified in the token.
4854 options must not be specified with this one.
4855 .It Fl in Ar response.tsr
4856 The time stamp response that needs to be verified, in DER format.
4857 This option in mandatory.
4858 .It Fl queryfile Ar request.tsq
4859 The original time stamp request, in DER format.
4864 options must not be specified with this one.
4866 The input is a DER-encoded time stamp token (ContentInfo)
4867 instead of a time stamp response (TimeStampResp).
4868 .It Fl untrusted Ar cert_file.pem
4869 Additional untrusted PEM certificates which may be needed
4870 when building the certificate chain for the TSA's signing certificate.
4871 This file must contain the TSA signing certificate and
4872 all intermediate CA certificates unless the response includes them.
4875 Options specified on the command line always override
4876 the settings in the config file:
4878 .It Cm tsa Ar section , Cm default_tsa
4879 This is the main section and it specifies the name of another section
4880 that contains all the options for the
4883 This section can be overridden with the
4885 command line switch.
4895 The file containing the hexadecimal serial number of the
4896 last time stamp response created.
4897 This number is incremented by 1 for each response.
4898 If the file does not exist at the time of response generation
4899 a new file is created with serial number 1.
4900 This parameter is mandatory.
4902 TSA signing certificate, in PEM format.
4905 command line option.
4907 A set of PEM-encoded certificates that need to be
4908 included in the response.
4911 command line option.
4913 The private key of the TSA, in PEM format.
4916 command line option.
4917 .It Cm default_policy
4918 The default policy to use when the request does not mandate any policy.
4921 command line option.
4922 .It Cm other_policies
4923 Comma separated list of policies that are also acceptable by the TSA
4924 and used only if the request explicitly specifies one of them.
4926 The list of message digest algorithms that the TSA accepts.
4927 At least one algorithm must be specified.
4928 This parameter is mandatory.
4930 The accuracy of the time source of the TSA in seconds, milliseconds
4932 For example, secs:1, millisecs:500, microsecs:100.
4933 If any of the components is missing,
4934 zero is assumed for that field.
4935 .It Cm clock_precision_digits
4936 The maximum number of digits, which represent the fraction of seconds,
4937 that need to be included in the time field.
4938 The trailing zeroes must be removed from the time,
4939 so there might actually be fewer digits
4940 or no fraction of seconds at all.
4941 The maximum value is 6;
4944 If this option is yes,
4945 the responses generated by this TSA can always be ordered,
4946 even if the time difference between two responses is less
4947 than the sum of their accuracies.
4950 Set this option to yes if the subject name of the TSA must be included in
4951 the TSA name field of the response.
4953 .It Cm ess_cert_id_chain
4954 The SignedData objects created by the TSA always contain the
4955 certificate identifier of the signing certificate in a signed
4956 attribute (see RFC 2634, Enhanced Security Services).
4957 If this option is set to yes and either the
4961 option is specified then the certificate identifiers of the chain will also
4962 be included in the SigningCertificate signed attribute.
4963 If this variable is set to no,
4964 only the signing certificate identifier is included.
4969 .Nm "openssl verify"
4970 .Op Fl CAfile Ar file
4971 .Op Fl CApath Ar directory
4974 .Op Fl crl_check_all
4975 .Op Fl explicit_policy
4978 .Op Fl ignore_critical
4981 .Op Fl issuer_checks
4983 .Op Fl purpose Ar purpose
4984 .Op Fl untrusted Ar file
4992 command verifies certificate chains.
4994 The options are as follows:
4997 Verify the signature on the self-signed root CA.
4998 This is disabled by default
4999 because it doesn't add any security.
5000 .It Fl CAfile Ar file
5003 of trusted certificates.
5006 should contain multiple certificates in PEM format, concatenated together.
5007 .It Fl CApath Ar directory
5010 of trusted certificates.
5011 The certificates, or symbolic links to them,
5012 should have names of the form
5016 is the hashed certificate subject name
5023 Check end entity certificate validity by attempting to look up a valid CRL.
5024 If a valid CRL cannot be found an error occurs.
5025 .It Fl crl_check_all
5026 Check the validity of all certificates in the chain by attempting
5027 to look up valid CRLs.
5028 .It Fl explicit_policy
5029 Set policy variable require-explicit-policy (RFC 3280).
5031 Enable extended CRL features such as indirect CRLs and alternate CRL
5034 Print a usage message.
5035 .It Fl ignore_critical
5036 Ignore critical extensions instead of rejecting the certificate.
5038 Set policy variable inhibit-any-policy (RFC 3280).
5040 Set policy variable inhibit-policy-mapping (RFC 3280).
5041 .It Fl issuer_checks
5042 Print diagnostics relating to searches for the issuer certificate
5043 of the current certificate
5044 showing why each candidate issuer certificate was rejected.
5045 The presence of rejection messages
5046 does not itself imply that anything is wrong:
5047 during the normal verify process several rejections may take place.
5049 Enable certificate policy processing.
5050 .It Fl purpose Ar purpose
5051 The intended use for the certificate.
5052 Without this option no chain verification will be done.
5053 Currently accepted uses are
5054 .Cm sslclient , sslserver ,
5055 .Cm nssslserver , smimesign ,
5056 .Cm smimeencrypt , crlsign ,
5060 .It Fl untrusted Ar file
5063 of untrusted certificates.
5066 should contain multiple certificates.
5068 Print extra information about the operations being performed.
5070 Disable workarounds for broken certificates which have to be disabled
5071 for strict X.509 compliance.
5076 If no certificate files are included, an attempt is made to read
5077 a certificate from standard input.
5078 If the first certificate filename begins with a dash,
5079 use a lone dash to mark the last option.
5084 program uses the same functions as the internal SSL and S/MIME verification,
5085 with one crucial difference:
5086 wherever possible an attempt is made to continue after an error,
5087 whereas normally the verify operation would halt on the first error.
5088 This allows all the problems with a certificate chain to be determined.
5090 The verify operation consists of a number of separate steps.
5091 Firstly a certificate chain is built up starting from the supplied certificate
5092 and ending in the root CA.
5093 It is an error if the whole chain cannot be built up.
5094 The chain is built up by looking up the issuer's certificate of the current
5096 If a certificate is found which is its own issuer, it is assumed
5099 All certificates whose subject name matches the issuer name
5100 of the current certificate are subject to further tests.
5101 The relevant authority key identifier components of the current certificate
5102 (if present) must match the subject key identifier (if present)
5103 and issuer and serial number of the candidate issuer;
5106 extension of the candidate issuer (if present) must permit certificate signing.
5108 The lookup first looks in the list of untrusted certificates and if no match
5109 is found the remaining lookups are from the trusted certificates.
5110 The root CA is always looked up in the trusted certificate list:
5111 if the certificate to verify is a root certificate,
5112 then an exact match must be found in the trusted list.
5114 The second operation is to check every untrusted certificate's extensions for
5115 consistency with the supplied purpose.
5118 option is not included, then no checks are done.
5121 certificate must have extensions compatible with the supplied purpose
5122 and all other certificates must also be valid CA certificates.
5123 The precise extensions required are described in more detail in
5128 The third operation is to check the trust settings on the root CA.
5129 The root CA should be trusted for the supplied purpose.
5130 A certificate with no trust settings is considered to be valid for
5133 The final operation is to check the validity of the certificate chain.
5134 The validity period is checked against the current system time and the
5138 dates in the certificate.
5139 The certificate signatures are also checked at this point.
5141 If all operations complete successfully, the certificate is considered
5143 If any operation fails then the certificate is not valid.
5144 When a verify operation fails, the output messages can be somewhat cryptic.
5145 The general form of the error message is:
5147 server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024-bit)
5148 error 24 at 1 depth lookup:invalid CA certificate
5151 The first line contains the name of the certificate being verified, followed by
5152 the subject name of the certificate.
5153 The second line contains the error number and the depth.
5154 The depth is the number of the certificate being verified when a
5155 problem was detected starting with zero for the certificate being verified
5156 itself, then 1 for the CA that signed the certificate and so on.
5157 Finally a text version of the error number is presented.
5159 An exhaustive list of the error codes and messages is shown below; this also
5160 includes the name of the error code as defined in the header file
5161 .In openssl/x509_vfy.h .
5162 Some of the error codes are defined but never returned: these are described as
5164 .Bl -tag -width "XXXX"
5166 The operation was successful.
5167 .It 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
5168 The issuer certificate of an untrusted certificate could not be found.
5169 .It 3 X509_V_ERR_UNABLE_TO_GET_CRL
5170 The CRL of a certificate could not be found.
5171 .It 4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
5172 The certificate signature could not be decrypted.
5173 This means that the actual signature value could not be determined
5174 rather than it not matching the expected value.
5175 This is only meaningful for RSA keys.
5176 .It 5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
5177 The CRL signature could not be decrypted.
5178 This means that the actual signature value could not be determined
5179 rather than it not matching the expected value.
5181 .It 6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
5182 The public key in the certificate
5183 .Cm SubjectPublicKeyInfo
5185 .It 7 X509_V_ERR_CERT_SIGNATURE_FAILURE
5186 The signature of the certificate is invalid.
5187 .It 8 X509_V_ERR_CRL_SIGNATURE_FAILURE
5188 The signature of the certificate is invalid.
5189 .It 9 X509_V_ERR_CERT_NOT_YET_VALID
5190 The certificate is not yet valid: the
5192 date is after the current time.
5193 .It 10 X509_V_ERR_CERT_HAS_EXPIRED
5194 The certificate has expired; that is, the
5196 date is before the current time.
5197 .It 11 X509_V_ERR_CRL_NOT_YET_VALID
5198 The CRL is not yet valid.
5199 .It 12 X509_V_ERR_CRL_HAS_EXPIRED
5200 The CRL has expired.
5201 .It 13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
5204 field contains an invalid time.
5205 .It 14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
5208 field contains an invalid time.
5209 .It 15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
5212 field contains an invalid time.
5213 .It 16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
5216 field contains an invalid time.
5217 .It 17 X509_V_ERR_OUT_OF_MEM
5218 An error occurred trying to allocate memory.
5219 This should never happen.
5220 .It 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
5221 The passed certificate is self-signed and the same certificate cannot be
5222 found in the list of trusted certificates.
5223 .It 19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
5224 The certificate chain could be built up using the untrusted certificates but
5225 the root could not be found locally.
5226 .It 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
5227 The issuer certificate of a locally looked up certificate could not be found.
5228 This normally means the list of trusted certificates is not complete.
5229 .It 21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
5230 No signatures could be verified because the chain contains only one
5231 certificate and it is not self-signed.
5232 .It 22 X509_V_ERR_CERT_CHAIN_TOO_LONG
5233 The certificate chain length is greater than the supplied maximum depth.
5235 .It 23 X509_V_ERR_CERT_REVOKED
5236 The certificate has been revoked.
5237 .It 24 X509_V_ERR_INVALID_CA
5238 A CA certificate is invalid.
5239 Either it is not a CA or its extensions are not consistent
5240 with the supplied purpose.
5241 .It 25 X509_V_ERR_PATH_LENGTH_EXCEEDED
5243 .Cm basicConstraints
5244 pathlength parameter has been exceeded.
5245 .It 26 X509_V_ERR_INVALID_PURPOSE
5246 The supplied certificate cannot be used for the specified purpose.
5247 .It 27 X509_V_ERR_CERT_UNTRUSTED
5248 The root CA is not marked as trusted for the specified purpose.
5249 .It 28 X509_V_ERR_CERT_REJECTED
5250 The root CA is marked to reject the specified purpose.
5251 .It 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
5252 The current candidate issuer certificate was rejected because its subject name
5253 did not match the issuer name of the current certificate.
5254 Only displayed when the
5257 .It 30 X509_V_ERR_AKID_SKID_MISMATCH
5258 The current candidate issuer certificate was rejected because its subject key
5259 identifier was present and did not match the authority key identifier current
5261 Only displayed when the
5264 .It 31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
5265 The current candidate issuer certificate was rejected because its issuer name
5266 and serial number were present and did not match the authority key identifier
5267 of the current certificate.
5268 Only displayed when the
5271 .It 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN
5272 The current candidate issuer certificate was rejected because its
5274 extension does not permit certificate signing.
5275 .It 50 X509_V_ERR_APPLICATION_VERIFICATION
5276 An application specific error.
5285 command is used to print out version information about
5288 The options are as follows:
5291 All information: this is the same as setting all the other flags.
5293 The date the current version of
5302 Option information: various options set when the library was built.
5314 .Op Fl addreject Ar arg
5315 .Op Fl addtrust Ar arg
5318 .Op Fl CAcreateserial
5319 .Op Fl CAform Cm der | pem
5320 .Op Fl CAkey Ar file
5321 .Op Fl CAkeyform Cm der | pem
5322 .Op Fl CAserial Ar file
5323 .Op Fl certopt Ar option
5324 .Op Fl checkend Ar arg
5332 .Op Fl extensions Ar section
5333 .Op Fl extfile Ar file
5337 .Op Fl inform Cm der | net | pem
5340 .Op Fl issuer_hash_old
5341 .Op Fl keyform Cm der | pem
5344 .Op Fl nameopt Ar option
5349 .Op Fl outform Cm der | net | pem
5350 .Op Fl passin Ar arg
5355 .Op Fl set_serial Ar n
5356 .Op Fl setalias Ar arg
5357 .Op Fl signkey Ar file
5361 .Op Fl subject_hash_old
5369 command is a multi-purpose certificate utility.
5370 It can be used to display certificate information, convert certificates to
5371 various forms, sign certificate requests like a
5373 or edit certificate trust settings.
5375 The following are x509 input, output, and general purpose options:
5376 .Bl -tag -width "XXXX"
5378 The input file to read from,
5379 or standard input if not specified.
5380 .It Fl inform Cm der | net | pem
5382 Normally, the command will expect an X.509 certificate,
5383 but this can change if other options such as
5388 This affects any signing or display option that uses a message digest,
5390 .Fl fingerprint , signkey ,
5394 If not specified, MD5 is used.
5395 SHA1 is always used with DSA keys.
5397 The output file to write to,
5398 or standard output if none is specified.
5399 .It Fl outform Cm der | net | pem
5401 .It Fl passin Ar arg
5402 The key password source.
5405 The following are x509 display options:
5406 .Bl -tag -width "XXXX"
5408 Output the certificate in the form of a C source file.
5409 .It Fl certopt Ar option
5410 Customise the output format used with
5412 either using a list of comma-separated options or by specifying
5415 The default behaviour is to print all fields.
5416 The options are as follows:
5418 .Bl -tag -width "no_extensions" -offset indent -compact
5421 .Cm no_issuer , no_pubkey , no_header ,
5422 .Cm no_version , no_sigdump ,
5426 Equivalent to no output options at all.
5428 Print unsupported certificate extensions.
5430 Hex dump unsupported extensions.
5432 Print an error message for unsupported certificate extensions.
5434 ASN.1 parse unsupported extensions.
5436 Do not print certificate trust information.
5437 .It Cm no_extensions
5438 Do not print X509V3 extensions.
5440 Do not print header (Certificate and Data) information.
5442 Do not print the issuer name.
5444 Do not print the public key.
5446 Do not print the serial number.
5448 Do not give a hexadecimal dump of the certificate signature.
5450 Do not print the signature algorithm used.
5452 Do not print the subject name.
5460 Do not print the version number.
5463 Print the start and expiry date of a certificate.
5465 Output the email addresses, if any.
5467 Print the expiry date of the certificate; that is, the
5471 Print the digest of the DER-encoded version of the whole certificate.
5476 Print the issuer name.
5478 Print the hash of the certificate issuer name.
5479 .It Fl issuer_hash_old
5480 Print the hash of the certificate issuer name
5481 using the older algorithm as used by
5483 versions before 1.0.0.
5485 Print the value of the modulus of the public key contained in the certificate.
5486 .It Fl nameopt Ar option
5487 Customise how the subject or issuer names are displayed,
5488 either using a list of comma-separated options or by specifying
5491 The default behaviour is to use the
5495 which can be preceded by a dash to turn them off,
5497 .Bl -tag -width "XXXX"
5499 Align field values for a more readable output.
5504 equivalent to specifying no options at all.
5506 Reverse the fields of the DN, as required by RFC 2253.
5507 As a side effect, this also reverses the order of multiple AVAs.
5512 it allows the DER encoding of the structure to be unambiguously determined.
5514 Any fields that need to be hexdumped are
5515 dumped using the DER encoding of the field.
5516 Otherwise just the content octets will be displayed.
5517 Both options use the RFC 2253 #XXXX... format.
5519 Dump non-character string types
5520 (for example OCTET STRING);
5521 usually, non-character string types are displayed
5522 as though each content octet represents a single character.
5524 Dump any field whose OID is not recognised by
5529 characters required by RFC 2253 in a field that is
5533 is escaped at the beginning of a string
5534 and a space character at the beginning or end of a string.
5536 Escape control characters.
5537 That is, those with ASCII values less than 0x20 (space)
5538 and the delete (0x7f) character.
5539 They are escaped using the RFC 2253 \eXX notation (where XX are two hex
5540 digits representing the character value).
5542 Escape characters with the MSB set; that is, with ASCII values larger than
5547 .Cm esc_ctrl , esc_msb , sep_multiline ,
5548 .Cm space_eq , lname ,
5552 Do not attempt to interpret multibyte characters.
5553 That is, content octets are merely dumped as though one octet
5554 represents each character.
5555 This is useful for diagnostic purposes
5556 but results in rather odd looking output.
5557 .It Cm nofname , sname , lname , oid
5558 Alter how the field name is displayed:
5560 does not display the field at all;
5562 uses the short name form (CN for
5568 represents the OID in numerical form and is useful for diagnostic purpose.
5570 A one line format which is more readable than
5573 .Cm esc_2253 , esc_ctrl , esc_msb , utf8 ,
5574 .Cm dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
5579 Displays names compatible with RFC 2253.
5581 .Cm esc_2253 , esc_ctrl ,
5582 .Cm esc_msb , utf8 , dump_nostr , dump_unknown ,
5583 .Cm dump_der , sep_comma_plus , dn_rev ,
5586 .It Cm sep_comma_plus , sep_comma_plus_space , sep_semi_plus_space , sep_multiline
5587 Determine the field separators:
5588 the first character is between RDNs and the second between multiple AVAs
5589 (multiple AVAs are very rare and their use is discouraged).
5590 The options ending in
5592 additionally place a space after the separator to make it more readable.
5594 uses a linefeed character for the RDN separator and a spaced
5596 for the AVA separator,
5597 as well as indenting the fields by four characters.
5599 Show the type of the ASN.1 character string.
5600 The type precedes the field contents.
5602 .Qq BMPSTRING: Hello World .
5604 Place spaces round the
5606 character which follows the field name.
5608 Escape some characters by surrounding the whole string with
5611 Without the option, all escaping is done with the
5615 Convert all strings to UTF8 format first, as required by RFC 2253.
5616 On a UTF8 compatible terminal,
5617 the use of this option (and not setting
5619 may result in the correct display of multibyte characters.
5620 Usually, multibyte characters larger than 0xff
5621 are represented using the format \eUXXXX for 16 bits and \eWXXXXXXXX
5623 and any UTF8Strings are converted to their character form first.
5626 Do not output the encoded version of the request.
5628 Print the OCSP responder addresses, if any.
5630 Print OCSP hash values for the subject name and public key.
5632 Print the public key.
5634 Print the certificate serial number.
5636 Print the start date of the certificate; that is, the
5640 Print the subject name.
5642 Print the hash of the certificate subject name.
5645 to form an index to allow certificates in a directory to be looked up
5647 .It Fl subject_hash_old
5648 Print the hash of the certificate subject name
5649 using the older algorithm as used by
5651 versions before 1.0.0.
5653 Print the full certificate in text form.
5656 A trusted certificate is a certificate which has several
5657 additional pieces of information attached to it such as the permitted
5658 and prohibited uses of the certificate and an alias.
5659 When a certificate is being verified at least one certificate must be trusted.
5660 By default, a trusted certificate must be stored locally and be a root CA.
5661 The following are x509 trust settings options:
5662 .Bl -tag -width "XXXX"
5663 .It Fl addreject Ar arg
5664 Add a prohibited use.
5665 Accepts the same values as the
5668 .It Fl addtrust Ar arg
5669 Add a trusted certificate use.
5670 Any object name can be used here, but currently only
5677 (S/MIME email) are used.
5679 Output the certificate alias.
5681 Clear all the prohibited or rejected uses of the certificate.
5683 Clear all the permitted or trusted uses of the certificate.
5685 Perform tests on the certificate extensions.
5686 The same code is used when verifying untrusted certificates in chains,
5687 so this section is useful if a chain is rejected by the verify code.
5690 .Cm basicConstraints
5691 extension CA flag is used to determine whether the
5692 certificate can be used as a CA.
5693 If the CA flag is true, it is a CA;
5694 if the CA flag is false, it is not a CA.
5695 All CAs should have the CA flag set to true.
5698 .Cm basicConstraints
5699 extension is absent, then the certificate is
5700 considered to be a possible CA;
5701 other extensions are checked according to the intended use of the certificate.
5702 A warning is given in this case because the certificate should really not
5703 be regarded as a CA.
5704 However it is allowed to be a CA to work around some broken software.
5706 If the certificate is a V1 certificate
5707 (and thus has no extensions) and it is self-signed,
5708 it is also assumed to be a CA but a warning is again given.
5709 This is to work around the problem of Verisign roots
5710 which are V1 self-signed certificates.
5714 extension is present, then additional restraints are
5715 made on the uses of the certificate.
5716 A CA certificate must have the
5720 extension is present.
5722 The extended key usage extension places additional restrictions on the
5724 If this extension is present, whether critical or not,
5725 the key can only be used for the purposes specified.
5727 A complete description of each test is given below.
5729 .Cm basicConstraints
5732 and V1 certificates above apply to all CA certificates.
5733 .Bl -tag -width "XXXX"
5735 The extended key usage extension must be absent or include the
5736 web client authentication OID.
5738 must be absent or it must have the
5739 .Cm digitalSignature
5741 The Netscape certificate type must be absent
5742 or it must have the SSL client bit set.
5744 The extended key usage extension must be absent or include the
5745 web client authentication OID.
5746 The Netscape certificate type must be absent
5747 or it must have the SSL CA bit set:
5748 this is used as a workaround if the
5749 .Cm basicConstraints
5750 extension is absent.
5752 The extended key usage extension must be absent or include the
5753 web server authentication and/or one of the SGC OIDs.
5755 must be absent or it must have the
5756 .Cm digitalSignature
5759 set, or both bits set.
5760 The Netscape certificate type must be absent or have the SSL server bit set.
5762 The extended key usage extension must be absent or include the
5763 web server authentication and/or one of the SGC OIDs.
5764 The Netscape certificate type must be absent or the SSL CA bit must be set:
5765 this is used as a workaround if the
5766 .Cm basicConstraints
5767 extension is absent.
5768 .It Netscape SSL Server
5769 For Netscape SSL clients to connect to an SSL server; it must have the
5773 extension is present.
5774 This isn't always valid because some cipher suites use the key for
5776 Otherwise it is the same as a normal SSL server.
5777 .It Common S/MIME Client Tests
5778 The extended key usage extension must be absent or include the
5779 email protection OID.
5780 The Netscape certificate type must be absent or should have the S/MIME bit set.
5781 If the S/MIME bit is not set in Netscape certificate type, then the SSL
5782 client bit is tolerated as an alternative but a warning is shown:
5783 this is because some Verisign certificates don't set the S/MIME bit.
5785 In addition to the common S/MIME client tests, the
5786 .Cm digitalSignature
5787 bit must be set if the
5789 extension is present.
5790 .It S/MIME Encryption
5791 In addition to the common S/MIME tests, the
5793 bit must be set if the
5795 extension is present.
5797 The extended key usage extension must be absent or include the
5798 email protection OID.
5799 The Netscape certificate type must be absent
5800 or must have the S/MIME CA bit set:
5801 this is used as a workaround if the
5802 .Cm basicConstraints
5803 extension is absent.
5807 extension must be absent or it must have the CRL signing bit set.
5809 The normal CA tests apply, except the
5810 .Cm basicConstraints
5811 extension must be present.
5813 .It Fl setalias Ar arg
5814 Set the alias of the certificate,
5815 allowing the certificate to be referred to using a nickname,
5817 .Qq Steve's Certificate .
5819 Output a trusted certificate
5820 (the default if any trust settings are modified).
5821 An ordinary or trusted certificate can be input, but by default an ordinary
5822 certificate is output and any trust settings are discarded.
5827 utility can be used to sign certificates and requests:
5828 it can thus behave like a mini CA.
5829 The following are x509 signing options:
5830 .Bl -tag -width "XXXX"
5832 The CA certificate to be used for signing.
5833 When this option is present,
5835 behaves like a mini CA.
5836 The input file is signed by the CA using this option;
5837 that is, its issuer name is set to the subject name of the CA and it is
5838 digitally signed using the CA's private key.
5840 This option is normally combined with the
5845 option, the input is a certificate which must be self-signed.
5846 .It Fl CAcreateserial
5847 Create the CA serial number file if it does not exist
5848 instead of generating an error.
5849 The file will contain the serial number
5851 and the certificate being signed will have
5853 as its serial number.
5854 .It Fl CAform Cm der | pem
5855 The format of the CA certificate file.
5858 .It Fl CAkey Ar file
5859 Set the CA private key to sign a certificate with.
5860 Otherwise it is assumed that the CA private key is present
5861 in the CA certificate file.
5862 .It Fl CAkeyform Cm der | pem
5863 The format of the CA private key.
5866 .It Fl CAserial Ar file
5867 Use the serial number in
5869 to sign a certificate.
5870 The file should consist of one line containing an even number of hex digits
5871 with the serial number to use.
5872 After each use the serial number is incremented and written out
5875 The default filename consists of the CA certificate file base name with
5878 For example, if the CA certificate file is called
5880 it expects to find a serial number file called
5882 .It Fl checkend Ar arg
5883 Check whether the certificate expires in the next
5886 If so, exit with return value 1;
5887 otherwise exit with return value 0.
5889 Delete any extensions from a certificate.
5890 This option is used when a certificate is being created from another
5891 certificate (for example with the
5896 Normally, all extensions are retained.
5898 The number of days to make a certificate valid for.
5899 The default is 30 days.
5900 .It Fl extensions Ar section
5901 The section to add certificate extensions from.
5902 If this option is not specified, the extensions should either be
5903 contained in the unnamed (default) section
5904 or the default section should contain a variable called
5906 which contains the section to use.
5907 .It Fl extfile Ar file
5908 File containing certificate extensions to use.
5909 If not specified, no extensions are added to the certificate.
5910 .It Fl keyform Cm der | pem
5911 The format of the private key file used in the
5915 Expect a certificate request on input instead of a certificate.
5916 .It Fl set_serial Ar n
5917 The serial number to use.
5918 This option can be used with either the
5923 If used in conjunction with the
5925 option, the serial number file (as specified by the
5929 options) is not used.
5931 The serial number can be decimal or hex (if preceded by
5933 Negative serial numbers can also be specified but their use is not recommended.
5934 .It Fl signkey Ar file
5937 using the supplied private key.
5939 If the input file is a certificate, it sets the issuer name to the
5940 subject name (i.e. makes it self-signed),
5941 changes the public key to the supplied value,
5942 and changes the start and end dates.
5943 The start date is set to the current time and the end date is set to
5944 a value determined by the
5947 Any certificate extensions are retained unless the
5951 If the input is a certificate request, a self-signed certificate
5952 is created using the supplied private key using the subject name in
5955 Convert a certificate into a certificate request.
5958 option is used to pass the required private key.
5961 Several commands share a common syntax,
5964 Password arguments, typically specified using
5968 for input and output passwords,
5969 allow passwords to be obtained from a variety of sources.
5970 Both of these options take a single argument, described below.
5971 If no password argument is given and a password is required,
5972 then the user is prompted to enter one:
5973 this will typically be read from the current terminal with echoing turned off.
5974 .Bl -tag -width "pass:password" -offset indent
5975 .It Cm pass : Ns Ar password
5976 The actual password is
5978 Since the password is visible to utilities,
5979 this form should only be used where security is not important.
5980 .It Cm env : Ns Ar var
5981 Obtain the password from the environment variable
5983 Since the environment of other processes is visible,
5984 this option should be used with caution.
5985 .It Cm file : Ns Ar path
5991 argument is supplied to
5995 then the first line will be used for the input password and the next line
5996 for the output password.
5998 need not refer to a regular file:
5999 it could, for example, refer to a device or named pipe.
6000 .It Cm fd : Ns Ar number
6001 Read the password from the file descriptor
6003 This can be used to send the data via a pipe, for example.
6005 Read the password from standard input.
6008 Input/output formats,
6009 typically specified using
6013 indicate the format being read from or written to.
6014 The argument is case insensitive.
6016 .Bl -tag -width Ds -offset indent -compact
6018 Distinguished Encoding Rules (DER)
6021 Insecure legacy format.
6023 Privacy Enhanced Mail (PEM)
6026 An SMIME format message.
6031 The following environment variables affect the execution of
6033 .Bl -tag -width "/etc/ssl/openssl.cnf"
6035 The location of the master configuration file.
6038 .Bl -tag -width "/etc/ssl/openssl.cnf" -compact
6040 Default config directory for
6042 .It Pa /etc/ssl/lib/
6044 .It Pa /etc/ssl/private/
6045 Default private key directory.
6046 .It Pa /etc/ssl/openssl.cnf
6047 Default configuration file for
6049 .It Pa /etc/ssl/x509v3.cnf
6050 Default configuration file for
6065 .%T The TLS Protocol Version 1.0
6074 .%T Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
6081 .%T PKCS #7: Cryptographic Message Syntax Version 1.5
6091 .%T Internet X.509 Public Key Infrastructure Certificate and CRL Profile
6102 .%T X.509 Internet Public Key Infrastructure Online Certificate Status Protocol \(en OCSP
6109 .%T Cryptographic Message Syntax
6116 .%T Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)