laantungir/nostr_core_lib
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated build.sh to build curl, openssl, and 256k1 if needed

Browse Source
This commit is contained in:
Laan Tungir
2025-08-16 10:26:39 -04:00
parent 00df0cad99
commit 40dd3aa20b
9429 changed files with 407781 additions and 47716 deletions
Download Patch File Download Diff File Expand all files Collapse all files

317
openssl-install/share/man/man1/CA.pl.1ossl Normal file
View File

@@ -0,0 +1,317 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CA.PL 1ossl"
.TH CA.PL 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CA.pl \- friendlier interface for OpenSSL certificate programs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fB\s-1CA\s0.pl\fR
\&\fB\-?\fR |
\&\fB\-h\fR |
\&\fB\-help\fR
.PP
\&\fB\s-1CA\s0.pl\fR
\&\fB\-newcert\fR |
\&\fB\-newreq\fR |
\&\fB\-newreq\-nodes\fR |
\&\fB\-xsign\fR |
\&\fB\-sign\fR |
\&\fB\-signCA\fR |
\&\fB\-signcert\fR |
\&\fB\-crl\fR |
\&\fB\-newca\fR
[\fB\-extra\-\f(BIcmd\fB\fR \fIparameter\fR]
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fIcertname\fR]
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR \fIcertfile\fR ...
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR \fIcertfile\fR [\fIreason\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
arguments to the \fBopenssl\fR\|(1) command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
.PP
The script is intended as a simple front end for the \fBopenssl\fR\|(1) program for
use by a beginner. Its behaviour isn't always what is wanted. For more control
over the behaviour of the certificate commands call the \fBopenssl\fR\|(1) command
directly.
.PP
Most of the filenames mentioned below can be modified by editing the
\&\fB\s-1CA\s0.pl\fR script.
.PP
Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:
.PP
.Vb 1
\& perl \-S CA.pl
.Ve
.PP
can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable can be set to point to
the correct path of the configuration file.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-?\fR, \fB\-h\fR, \fB\-help\fR" 4
.IX Item "-?, -h, -help"
Prints a usage message.
.IP "\fB\-newcert\fR" 4
.IX Item "-newcert"
Creates a new self signed certificate. The private key is written to the file
\&\fInewkey.pem\fR and the request written to the file \fInewreq.pem\fR.
Invokes \fBopenssl\-req\fR\|(1).
.IP "\fB\-newreq\fR" 4
.IX Item "-newreq"
Creates a new certificate request. The private key is written to the file
\&\fInewkey.pem\fR and the request written to the file \fInewreq.pem\fR.
Executes \fBopenssl\-req\fR\|(1) under the hood.
.IP "\fB\-newreq\-nodes\fR" 4
.IX Item "-newreq-nodes"
Is like \fB\-newreq\fR except that the private key will not be encrypted.
Uses \fBopenssl\-req\fR\|(1).
.IP "\fB\-newca\fR" 4
.IX Item "-newca"
Creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
details of the \s-1CA\s0 will be prompted for. The relevant files and directories
are created in a directory called \fIdemoCA\fR in the current directory.
Uses \fBopenssl\-req\fR\|(1) and \fBopenssl\-ca\fR\|(1).
.Sp
If the \fIdemoCA\fR directory already exists then the \fB\-newca\fR command will not
overwrite it and will do nothing. This can happen if a previous call using
the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
delete the directory if it already exists.
.IP "\fB\-pkcs12\fR" 4
.IX Item "-pkcs12"
Create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
certificate. It expects the user certificate and private key to be in the
file \fInewcert.pem\fR and the \s-1CA\s0 certificate to be in the file \fIdemoCA/cacert.pem\fR,
it creates a file \fInewcert.p12\fR. This command can thus be called after the
\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
list box), otherwise the name \*(L"My Certificate\*(R" is used.
Delegates work to \fBopenssl\-pkcs12\fR\|(1).
.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4
.IX Item "-sign, -signcert, -xsign"
Calls the \fBopenssl\-ca\fR\|(1) command to sign a certificate request. It expects the
request to be in the file \fInewreq.pem\fR. The new certificate is written to the
file \fInewcert.pem\fR except in the case of the \fB\-xsign\fR option when it is
written to standard output.
.IP "\fB\-signCA\fR" 4
.IX Item "-signCA"
This option is the same as the \fB\-sign\fR option except it uses the
configuration file section \fBv3_ca\fR and so makes the signed request a
valid \s-1CA\s0 certificate. This is useful when creating intermediate \s-1CA\s0 from
a root \s-1CA.\s0 Extra params are passed to \fBopenssl\-ca\fR\|(1).
.IP "\fB\-signcert\fR" 4
.IX Item "-signcert"
This option is the same as \fB\-sign\fR except it expects a self signed certificate
to be present in the file \fInewreq.pem\fR.
Extra params are passed to \fBopenssl\-x509\fR\|(1) and \fBopenssl\-ca\fR\|(1).
.IP "\fB\-crl\fR" 4
.IX Item "-crl"
Generate a \s-1CRL.\s0 Executes \fBopenssl\-ca\fR\|(1).
.IP "\fB\-revoke\fR \fIcertfile\fR [\fIreason\fR]" 4
.IX Item "-revoke certfile [reason]"
Revoke the certificate contained in the specified \fBcertfile\fR. An optional
reason may be specified, and must be one of: \fBunspecified\fR,
\&\fBkeyCompromise\fR, \fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR,
\&\fBcessationOfOperation\fR, \fBcertificateHold\fR, or \fBremoveFromCRL\fR.
Leverages \fBopenssl\-ca\fR\|(1).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies certificates against the \s-1CA\s0 certificate for \fIdemoCA\fR. If no
certificates are specified on the command line it tries to verify the file
\&\fInewcert.pem\fR. Invokes \fBopenssl\-verify\fR\|(1).
.IP "\fB\-extra\-\f(BIcmd\fB\fR \fIparameter\fR" 4
.IX Item "-extra-cmd parameter"
For each option \fBextra\-\f(BIcmd\fB\fR, pass \fIparameter\fR to the \fBopenssl\fR\|(1)
sub-command with the same name as \fIcmd\fR, if that sub-command is invoked.
For example, if \fBopenssl\-req\fR\|(1) is invoked, the \fIparameter\fR given with
\&\fB\-extra\-req\fR will be passed to it.
For multi-word parameters, either repeat the option or quote the \fIparameters\fR
so it looks like one word to your shell.
See the individual command documentation for more information.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a \s-1CA\s0 hierarchy:
.PP
.Vb 1
\& CA.pl \-newca
.Ve
.PP
Complete certificate creation example: create a \s-1CA,\s0 create a request, sign
the request and finally create a PKCS#12 file containing it.
.PP
.Vb 4
\& CA.pl \-newca
\& CA.pl \-newreq
\& CA.pl \-sign
\& CA.pl \-pkcs12 "My Test Certificate"
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
The environment variable \fB\s-1OPENSSL\s0\fR may be used to specify the name of
the OpenSSL program. It can be a full pathname, or a relative one.
.PP
The environment variable \fB\s-1OPENSSL_CONFIG\s0\fR may be used to specify a
configuration option and value to the \fBreq\fR and \fBca\fR commands invoked by
this script. It's value should be the option and pathname, as in
\&\f(CW\*(C`\-config /path/to/conf\-file\*(C'\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-pkcs12\fR\|(1),
\&\fBconfig\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

1
openssl-install/share/man/man1/asn1parse.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/c_rehash.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-rehash.1ossl

1
openssl-install/share/man/man1/ca.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/ciphers.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/cmp.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/cms.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/crl.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/crl2pkcs7.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/dgst.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/dhparam.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/dsa.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/dsaparam.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/ec.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/ecparam.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/enc.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/engine.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/errstr.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/gendsa.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/genpkey.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/genrsa.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/info.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/kdf.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/mac.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/nseq.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/ocsp.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

344
openssl-install/share/man/man1/openssl-asn1parse.1ossl Normal file
View File

@@ -0,0 +1,344 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ASN1PARSE 1ossl"
.TH OPENSSL-ASN1PARSE 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-asn1parse \- ASN.1 parsing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBasn1parse\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBB64\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
[\fB\-offset\fR \fInumber\fR]
[\fB\-length\fR \fInumber\fR]
[\fB\-i\fR]
[\fB\-oid\fR \fIfilename\fR]
[\fB\-dump\fR]
[\fB\-dlimit\fR \fInum\fR]
[\fB\-strparse\fR \fIoffset\fR]
[\fB\-genstr\fR \fIstring\fR]
[\fB\-genconf\fR \fIfile\fR]
[\fB\-strictpem\fR]
[\fB\-item\fR \fIname\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is a diagnostic utility that can parse \s-1ASN.1\s0 structures.
It can also be used to extract data from \s-1ASN.1\s0 formatted data.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBB64\fR" 4
.IX Item "-inform DER|PEM|B64"
The input format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input file, default is standard input.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output file to place the \s-1DER\s0 encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the \fB\-strparse\fR option.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the parsed version of the input file.
.IP "\fB\-offset\fR \fInumber\fR" 4
.IX Item "-offset number"
Starting offset to begin parsing, default is start of file.
.IP "\fB\-length\fR \fInumber\fR" 4
.IX Item "-length number"
Number of bytes to parse, default is until end of file.
.IP "\fB\-i\fR" 4
.IX Item "-i"
Indents the output according to the \*(L"depth\*(R" of the structures.
.IP "\fB\-oid\fR \fIfilename\fR" 4
.IX Item "-oid filename"
A file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
file is described in the \s-1NOTES\s0 section below.
.IP "\fB\-dump\fR" 4
.IX Item "-dump"
Dump unknown data in hex format.
.IP "\fB\-dlimit\fR \fInum\fR" 4
.IX Item "-dlimit num"
Like \fB\-dump\fR, but only the first \fBnum\fR bytes are output.
.IP "\fB\-strparse\fR \fIoffset\fR" 4
.IX Item "-strparse offset"
Parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This
option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
.IP "\fB\-genstr\fR \fIstring\fR, \fB\-genconf\fR \fIfile\fR" 4
.IX Item "-genstr string, -genconf file"
Generate encoded data based on \fIstring\fR, \fIfile\fR or both using
\&\fBASN1_generate_nconf\fR\|(3) format. If \fIfile\fR only is
present then the string is obtained from the default section using the name
\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
file using the \fB\-out\fR option.
.IP "\fB\-strictpem\fR" 4
.IX Item "-strictpem"
If this option is used then \fB\-inform\fR will be ignored. Without this option any
data in a \s-1PEM\s0 format input file will be treated as being base64 encoded and
processed whether it has the normal \s-1PEM BEGIN\s0 and \s-1END\s0 markers or not. This
option will ignore any data prior to the start of the \s-1BEGIN\s0 marker, or after an
\&\s-1END\s0 marker in a \s-1PEM\s0 file.
.IP "\fB\-item\fR \fIname\fR" 4
.IX Item "-item name"
Attempt to decode and print the data as an \fB\s-1ASN1_ITEM\s0\fR \fIname\fR. This can be
used to print out the fields of any supported \s-1ASN.1\s0 structure if the type is
known.
.SS "Output"
.IX Subsection "Output"
The output will typically contain lines like this:
.PP
.Vb 1
\& 0:d=0 hl=4 l= 681 cons: SEQUENCE
.Ve
.PP
\&.....
.PP
.Vb 10
\& 229:d=3 hl=3 l= 141 prim: BIT STRING
\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
\& 376:d=3 hl=3 l= 159 cons: SEQUENCE
\& 379:d=4 hl=2 l= 29 cons: SEQUENCE
\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
\& 386:d=5 hl=2 l= 22 prim: OCTET STRING
\& 410:d=4 hl=2 l= 112 cons: SEQUENCE
\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
\& 417:d=5 hl=2 l= 105 prim: OCTET STRING
\& 524:d=4 hl=2 l= 12 cons: SEQUENCE
.Ve
.PP
\&.....
.PP
This example is part of a self-signed certificate. Each line starts with the
offset in decimal. \f(CW\*(C`d=XX\*(C'\fR specifies the current depth. The depth is increased
within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \f(CW\*(C`hl=XX\*(C'\fR gives the header length
(tag and length octets) of the current type. \f(CW\*(C`l=XX\*(C'\fR gives the length of
the contents octets.
.PP
The \fB\-i\fR option can be used to make the output more readable.
.PP
Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output.
.PP
In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option \f(CW\*(C`\-strparse 229\*(C'\fR to yield:
.PP
.Vb 3
\& 0:d=0 hl=3 l= 137 cons: SEQUENCE
\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001
.Ve
.SH "NOTES"
.IX Header "NOTES"
If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the \s-1OID\s0 in numerical format and should be followed by white
space. The second column is the \*(L"short name\*(R" which is a single word followed
by whitespace. The final column is the rest of the line and is the
\&\*(L"long name\*(R". Example:
.PP
\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR
.PP
For any \s-1OID\s0 with an associated short and long name, this command will display
the long name.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Parse a file:
.PP
.Vb 1
\& openssl asn1parse \-in file.pem
.Ve
.PP
Parse a \s-1DER\s0 file:
.PP
.Vb 1
\& openssl asn1parse \-inform DER \-in file.der
.Ve
.PP
Generate a simple UTF8String:
.PP
.Vb 1
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq
.Ve
.PP
Generate and write out a UTF8String, don't print parsed output:
.PP
.Vb 1
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der
.Ve
.PP
Generate using a config file:
.PP
.Vb 1
\& openssl asn1parse \-genconf asn1.cnf \-noout \-out asn1.der
.Ve
.PP
Example config file:
.PP
.Vb 1
\& asn1=SEQUENCE:seq_sect
\&
\& [seq_sect]
\&
\& field1=BOOL:TRUE
\& field2=EXP:0, UTF8:some random string
.Ve
.SH "BUGS"
.IX Header "BUGS"
There should be options to change the format of output lines. The output of some
\&\s-1ASN.1\s0 types is not well handled (if at all).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

937
openssl-install/share/man/man1/openssl-ca.1ossl Normal file
View File

@@ -0,0 +1,937 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CA 1ossl"
.TH OPENSSL-CA 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ca \- sample minimal CA application
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBca\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-config\fR \fIfilename\fR]
[\fB\-name\fR \fIsection\fR]
[\fB\-section\fR \fIsection\fR]
[\fB\-gencrl\fR]
[\fB\-revoke\fR \fIfile\fR]
[\fB\-valid\fR \fIfile\fR]
[\fB\-status\fR \fIserial\fR]
[\fB\-updatedb\fR]
[\fB\-crl_reason\fR \fIreason\fR]
[\fB\-crl_hold\fR \fIinstruction\fR]
[\fB\-crl_compromise\fR \fItime\fR]
[\fB\-crl_CA_compromise\fR \fItime\fR]
[\fB\-crl_lastupdate\fR \fIdate\fR]
[\fB\-crl_nextupdate\fR \fIdate\fR]
[\fB\-crldays\fR \fIdays\fR]
[\fB\-crlhours\fR \fIhours\fR]
[\fB\-crlsec\fR \fIseconds\fR]
[\fB\-crlexts\fR \fIsection\fR]
[\fB\-startdate\fR \fIdate\fR]
[\fB\-not_before\fR \fIdate\fR]
[\fB\-enddate\fR \fIdate\fR]
[\fB\-not_after\fR \fIdate\fR]
[\fB\-days\fR \fIarg\fR]
[\fB\-md\fR \fIarg\fR]
[\fB\-policy\fR \fIarg\fR]
[\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-key\fR \fIarg\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-cert\fR \fIfile\fR]
[\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
[\fB\-selfsign\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|<\s-1PEM\s0>]
[\fB\-out\fR \fIfile\fR]
[\fB\-notext\fR]
[\fB\-dateopt\fR]
[\fB\-outdir\fR \fIdir\fR]
[\fB\-infiles\fR]
[\fB\-spkac\fR \fIfile\fR]
[\fB\-ss_cert\fR \fIfile\fR]
[\fB\-preserveDN\fR]
[\fB\-noemailDN\fR]
[\fB\-batch\fR]
[\fB\-msie_hack\fR]
[\fB\-extensions\fR \fIsection\fR]
[\fB\-extfile\fR \fIsection\fR]
[\fB\-subj\fR \fIarg\fR]
[\fB\-utf8\fR]
[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-create_serial\fR]
[\fB\-rand_serial\fR]
[\fB\-multivalue\-rdn\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIcertreq\fR...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command emulates a \s-1CA\s0 application.
See the \fB\s-1WARNINGS\s0\fR especially when considering to use it productively.
.PP
It generates certificates bearing X.509 version 3.
Unless specified otherwise,
key identifier extensions are included as described in \fBx509v3_config\fR\|(5).
.PP
It can be used to sign certificate requests (CSRs) in a variety of forms
and generate certificate revocation lists (CRLs).
It also maintains a text database of issued certificates and their status.
When signing certificates, a single request can be specified
with the \fB\-in\fR option, or multiple requests can be processed by
specifying a set of \fBcertreq\fR files after all options.
.PP
Note that there are also very lean ways of generating certificates:
the \fBreq\fR and \fBx509\fR commands can be used for directly creating certificates.
See \fBopenssl\-req\fR\|(1) and \fBopenssl\-x509\fR\|(1) for details.
.PP
The descriptions of the \fBca\fR command options are divided into each purpose.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
This prints extra details about the operations being performed.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
This prints fewer details about the operations being performed, which may
be handy during batch scripts or pipelines.
.IP "\fB\-config\fR \fIfilename\fR" 4
.IX Item "-config filename"
Specifies the configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-name\fR \fIsection\fR, \fB\-section\fR \fIsection\fR" 4
.IX Item "-name section, -section section"
Specifies the configuration file section to use (overrides
\&\fBdefault_ca\fR in the \fBca\fR section).
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
An input filename containing a single certificate request (\s-1CSR\s0) to be
signed by the \s-1CA.\s0
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The format to use when loading certificate request (\s-1CSR\s0) input files;
by default \s-1PEM\s0 is tried first.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-ss_cert\fR \fIfilename\fR" 4
.IX Item "-ss_cert filename"
A single self-signed certificate to be signed by the \s-1CA.\s0
.IP "\fB\-spkac\fR \fIfilename\fR" 4
.IX Item "-spkac filename"
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
section for information on the required input and output format.
.IP "\fB\-infiles\fR" 4
.IX Item "-infiles"
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
.IP "\fB\-outdir\fR \fIdirectory\fR" 4
.IX Item "-outdir directory"
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
\&\fI.pem\fR appended.
.IP "\fB\-cert\fR \fIfilename\fR" 4
.IX Item "-cert filename"
The \s-1CA\s0 certificate, which must match with \fB\-keyfile\fR.
.IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
.IX Item "-certform DER|PEM|P12"
The format of the data in certificate input files; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-keyfile filename|uri"
The \s-1CA\s0 private key to sign certificate requests with.
This must match with \fB\-cert\fR.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The format of the private key input file; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific and
documented in \*(L"Signature parameters\*(R" in \fBprovider\-signature\fR\|(7).
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
.Sp
This often needs to be given while signing too, because the self-signature of
a certificate signing request (\s-1CSR\s0) is verified against the included public key,
and that verification may need its own set of options.
.IP "\fB\-key\fR \fIpassword\fR" 4
.IX Item "-key password"
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g., when using
\&\fBps\fR\|(1) on Unix),
this option should be used with caution.
Better use \fB\-passin\fR.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The key password source for key files and certificate PKCS#12 files.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-selfsign\fR" 4
.IX Item "-selfsign"
Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with \fB\-keyfile\fR).
Certificate requests signed with a different key are ignored.
If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
.Sp
A consequence of using \fB\-selfsign\fR is that the self-signed
certificate appears among the entries in the certificate database
(see the configuration option \fBdatabase\fR), and uses the same
serial number counter as all other certificates sign with the
self-signed certificate.
.IP "\fB\-notext\fR" 4
.IX Item "-notext"
Don't output the text form of a certificate to the output file.
.IP "\fB\-dateopt\fR" 4
.IX Item "-dateopt"
Specify the date output format. Values are: rfc_822 and iso_8601.
Defaults to rfc_822.
.IP "\fB\-startdate\fR \fIdate\fR, \fB\-not_before\fR \fIdate\fR" 4
.IX Item "-startdate date, -not_before date"
This allows the start date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.IP "\fB\-enddate\fR \fIdate\fR, \fB\-not_after\fR \fIdate\fR" 4
.IX Item "-enddate date, -not_after date"
This allows the expiry date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.Sp
This overrides the \fB\-days\fR option.
.IP "\fB\-days\fR \fIarg\fR" 4
.IX Item "-days arg"
The number of days from today to certify the certificate for.
.Sp
Regardless of the option \fB\-not_before\fR, the days are always counted from
today.
When used together with the option \fB\-not_after\fR/\fB\-startdate\fR, the explicit
expiry date takes precedence.
.IP "\fB\-md\fR \fIalg\fR" 4
.IX Item "-md alg"
The message digest to use.
Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
.IP "\fB\-policy\fR \fIarg\fR" 4
.IX Item "-policy arg"
This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
for more information.
.IP "\fB\-msie_hack\fR" 4
.IX Item "-msie_hack"
This is a deprecated option to make this command work with very old versions
of the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged.
.IP "\fB\-preserveDN\fR" 4
.IX Item "-preserveDN"
Normally the \s-1DN\s0 order of a certificate is the same as the order of the
fields in the relevant policy section. When this option is set the order
is the same as the request. This is largely for compatibility with the
older \s-1IE\s0 enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
.IP "\fB\-noemailDN\fR" 4
.IX Item "-noemailDN"
The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
request \s-1DN,\s0 however, it is good policy just having the e\-mail set into
the altName extension of the certificate. When this option is set the
\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
used in the configuration file to enable this behaviour.
.IP "\fB\-batch\fR" 4
.IX Item "-batch"
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
.IP "\fB\-extensions\fR \fIsection\fR" 4
.IX Item "-extensions section"
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to \fBx509_extensions\fR
unless the \fB\-extfile\fR option is used).
.Sp
See the \fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.IP "\fB\-extfile\fR \fIfile\fR" 4
.IX Item "-extfile file"
An additional configuration file to read certificate extensions from
(using the default section unless the \fB\-extensions\fR option is also
used).
.IP "\fB\-subj\fR \fIarg\fR" 4
.IX Item "-subj arg"
Supersedes subject name given in the request.
.Sp
The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.IP "\fB\-utf8\fR" 4
.IX Item "-utf8"
This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
default they are interpreted as \s-1ASCII.\s0 This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fB\-create_serial\fR" 4
.IX Item "-create_serial"
If reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this
should only be used for simple error-recovery.
.IP "\fB\-rand_serial\fR" 4
.IX Item "-rand_serial"
Generate a large random number to use as the serial number.
This overrides any option or configuration to use a serial number file.
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
This option has been deprecated and has no effect.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "CRL OPTIONS"
.IX Header "CRL OPTIONS"
.IP "\fB\-gencrl\fR" 4
.IX Item "-gencrl"
This option generates a \s-1CRL\s0 based on information in the index file.
.IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
.IX Item "-crl_lastupdate time"
Allows the value of the \s-1CRL\s0's lastUpdate field to be explicitly set; if
this option is not present, the current time is used. Accepts times in
\&\s-1YYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 UTCTime structure) or
\&\s-1YYYYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 GeneralizedTime structure).
.IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
.IX Item "-crl_nextupdate time"
Allows the value of the \s-1CRL\s0's nextUpdate field to be explicitly set; if
this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
\&\fB\-crl_lastupdate\fR.
.IP "\fB\-crldays\fR \fInum\fR" 4
.IX Item "-crldays num"
The number of days before the next \s-1CRL\s0 is due. That is the days from
now to place in the \s-1CRL\s0 nextUpdate field.
.IP "\fB\-crlhours\fR \fInum\fR" 4
.IX Item "-crlhours num"
The number of hours before the next \s-1CRL\s0 is due.
.IP "\fB\-crlsec\fR \fInum\fR" 4
.IX Item "-crlsec num"
The number of seconds before the next \s-1CRL\s0 is due.
.IP "\fB\-revoke\fR \fIfilename\fR" 4
.IX Item "-revoke filename"
A filename containing a certificate to revoke.
.IP "\fB\-valid\fR \fIfilename\fR" 4
.IX Item "-valid filename"
A filename containing a certificate to add a Valid certificate entry.
.IP "\fB\-status\fR \fIserial\fR" 4
.IX Item "-status serial"
Displays the revocation status of the certificate with the specified
serial number and exits.
.IP "\fB\-updatedb\fR" 4
.IX Item "-updatedb"
Updates the database index to purge expired certificates.
.IP "\fB\-crl_reason\fR \fIreason\fR" 4
.IX Item "-crl_reason reason"
Revocation reason, where \fIreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fIreason\fR is case
insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
.Sp
In practice \fBremoveFromCRL\fR is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
.IP "\fB\-crl_hold\fR \fIinstruction\fR" 4
.IX Item "-crl_hold instruction"
This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
instruction to \fIinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
.IP "\fB\-crl_compromise\fR \fItime\fR" 4
.IX Item "-crl_compromise time"
This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
\&\fItime\fR. \fItime\fR should be in GeneralizedTime format that is \fI\s-1YYYYMMDDHHMMSSZ\s0\fR.
.IP "\fB\-crl_CA_compromise\fR \fItime\fR" 4
.IX Item "-crl_CA_compromise time"
This is the same as \fBcrl_compromise\fR except the revocation reason is set to
\&\fBCACompromise\fR.
.IP "\fB\-crlexts\fR \fIsection\fR" 4
.IX Item "-crlexts section"
The section of the configuration file containing \s-1CRL\s0 extensions to
include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
created, if the \s-1CRL\s0 extension section is present (even if it is
empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
that some software (for example Netscape) can't handle V2 CRLs. See
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The section of the configuration file containing options for this command
is found as follows: If the \fB\-name\fR command line option is used,
then it names the section to be used. Otherwise the section to
be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
of the configuration file (or in the default section of the
configuration file). Besides \fBdefault_ca\fR, the following options are
read directly from the \fBca\fR section:
\s-1RANDFILE\s0
preserve
msie_hack
With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
change in future releases.
.PP
Many of the configuration file options are identical to command line
options. Where the option is present in the configuration file
and the command line the command line value is used. Where an
option is described as mandatory then it must be present in
the configuration file or the command line equivalent (if
any) used.
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
object identifier followed by whitespace then the short name followed
by whitespace and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by \fB=\fR and the numerical form. The short
and long names are the same when this option is used.
.IP "\fBnew_certs_dir\fR" 4
.IX Item "new_certs_dir"
The same as the \fB\-outdir\fR command line option. It specifies
the directory where new certificates will be placed. Mandatory.
.IP "\fBcertificate\fR" 4
.IX Item "certificate"
The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
certificate. Mandatory.
.IP "\fBprivate_key\fR" 4
.IX Item "private_key"
Same as the \fB\-keyfile\fR option. The file containing the
\&\s-1CA\s0 private key. Mandatory.
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.
.IP "\fBdefault_days\fR" 4
.IX Item "default_days"
The same as the \fB\-days\fR option. The number of days from today to certify
a certificate for.
.IP "\fBdefault_startdate\fR" 4
.IX Item "default_startdate"
The same as the \fB\-startdate\fR option. The start date to certify
a certificate for. If not set the current time is used.
.IP "\fBdefault_enddate\fR" 4
.IX Item "default_enddate"
The same as the \fB\-enddate\fR option. Either this option or
\&\fBdefault_days\fR (or the command line equivalents) must be
present.
.IP "\fBdefault_crl_hours default_crl_days\fR" 4
.IX Item "default_crl_hours default_crl_days"
The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a \s-1CRL.\s0
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does
not require a digest (i.e. Ed25519 and Ed448).
.IP "\fBdatabase\fR" 4
.IX Item "database"
The text database file to use. Mandatory. This file must be present
though initially it will be empty.
.IP "\fBunique_subject\fR" 4
.IX Item "unique_subject"
If the value \fByes\fR is given, the valid certificate entries in the
database must have unique subjects. if the value \fBno\fR is given,
several valid certificate entries may have the exact same subject.
The default value is \fByes\fR, to be compatible with older (pre 0.9.8)
versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
it's recommended to use the value \fBno\fR, especially if combined with
the \fB\-selfsign\fR command line option.
.Sp
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.
.IP "\fBserial\fR" 4
.IX Item "serial"
A text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
.IP "\fBcrlnumber\fR" 4
.IX Item "crlnumber"
A text file containing the next \s-1CRL\s0 number to use in hex. The crl number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid \s-1CRL\s0 number.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
A fallback to the \fB\-extensions\fR option.
.IP "\fBcrl_extensions\fR" 4
.IX Item "crl_extensions"
A fallback to the \fB\-crlexts\fR option.
.IP "\fBpreserve\fR" 4
.IX Item "preserve"
The same as \fB\-preserveDN\fR
.IP "\fBemail_in_dn\fR" 4
.IX Item "email_in_dn"
The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0
.IP "\fBmsie_hack\fR" 4
.IX Item "msie_hack"
The same as \fB\-msie_hack\fR
.IP "\fBpolicy\fR" 4
.IX Item "policy"
The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section
for more information.
.IP "\fBname_opt\fR, \fBcert_opt\fR" 4
.IX Item "name_opt, cert_opt"
These options allow the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
and cannot be disabled (this is because the certificate signature cannot
be displayed because the certificate has not been signed at this point).
.Sp
For convenience the values \fBca_default\fR are accepted by both to produce
a reasonable output.
.Sp
If neither option is present the format used in earlier versions of
OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
it only displays fields mentioned in the \fBpolicy\fR section, mishandles
multicharacter string types and does not display extensions.
.IP "\fBcopy_extensions\fR" 4
.IX Item "copy_extensions"
Determines how extensions in certificate requests should be handled.
If set to \fBnone\fR or this option is not present then extensions are
ignored and not copied to the certificate. If set to \fBcopy\fR then any
extensions present in the request that are not already present are copied
to the certificate. If set to \fBcopyall\fR then all extensions in the
request are copied to the certificate: if the extension is already present
in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
using this option.
.Sp
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.
.SH "POLICY FORMAT"
.IX Header "POLICY FORMAT"
The policy section consists of a set of variables corresponding to
certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
must match the same field in the \s-1CA\s0 certificate. If the value is
\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then
it may be present. Any fields not mentioned in the policy section
are silently deleted, unless the \fB\-preserveDN\fR option is set but
this can be regarded more of a quirk than intended behaviour.
.SH "SPKAC FORMAT"
.IX Header "SPKAC FORMAT"
The input to the \fB\-spkac\fR command line option is a Netscape
signed public key and challenge. This will usually come from
the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
.PP
The file should contain the variable \s-1SPKAC\s0 set to the value of
the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
If you need to include the same component twice then it can be
preceded by a number and a '.'.
.PP
When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR
flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
flag is used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: these examples assume that the directory structure this command
assumes is already set up and the relevant files already exist. This
usually involves creating a \s-1CA\s0 certificate and private key with
\&\fBopenssl\-req\fR\|(1), a serial number file and an empty index file and
placing them in the relevant directories.
.PP
To use the sample configuration file below the directories \fIdemoCA\fR,
\&\fIdemoCA/private\fR and \fIdemoCA/newcerts\fR would be created. The \s-1CA\s0
certificate would be copied to \fIdemoCA/cacert.pem\fR and its private
key to \fIdemoCA/private/cakey.pem\fR. A file \fIdemoCA/serial\fR would be
created containing for example \*(L"01\*(R" and the empty index file
\&\fIdemoCA/index.txt\fR.
.PP
Sign a certificate request:
.PP
.Vb 1
\& openssl ca \-in req.pem \-out newcert.pem
.Ve
.PP
Sign an \s-1SM2\s0 certificate request:
.PP
.Vb 3
\& openssl ca \-in sm2.csr \-out sm2.crt \-md sm3 \e
\& \-sigopt "distid:1234567812345678" \e
\& \-vfyopt "distid:1234567812345678"
.Ve
.PP
Sign a certificate request, using \s-1CA\s0 extensions:
.PP
.Vb 1
\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem
.Ve
.PP
Generate a \s-1CRL\s0
.PP
.Vb 1
\& openssl ca \-gencrl \-out crl.pem
.Ve
.PP
Sign several requests:
.PP
.Vb 1
\& openssl ca \-infiles req1.pem req2.pem req3.pem
.Ve
.PP
Certify a Netscape \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl ca \-spkac spkac.txt
.Ve
.PP
A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
.PP
.Vb 5
\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
\& CN=Steve Test
\& emailAddress=steve@openssl.org
\& 0.OU=OpenSSL Group
\& 1.OU=Another Group
.Ve
.PP
A sample configuration file with the relevant sections for this command:
.PP
.Vb 2
\& [ ca ]
\& default_ca = CA_default # The default ca section
\&
\& [ CA_default ]
\&
\& dir = ./demoCA # top dir
\& database = $dir/index.txt # index file.
\& new_certs_dir = $dir/newcerts # new certs dir
\&
\& certificate = $dir/cacert.pem # The CA cert
\& serial = $dir/serial # serial no file
\& #rand_serial = yes # for random serial#\*(Aqs
\& private_key = $dir/private/cakey.pem# CA private key
\&
\& default_days = 365 # how long to certify for
\& default_crl_days= 30 # how long before next CRL
\& default_md = sha256 # md to use
\&
\& policy = policy_any # default policy
\& email_in_dn = no # Don\*(Aqt add the email into cert DN
\&
\& name_opt = ca_default # Subject name display option
\& cert_opt = ca_default # Certificate display option
\& copy_extensions = none # Don\*(Aqt copy extensions from request
\&
\& [ policy_any ]
\& countryName = supplied
\& stateOrProvinceName = optional
\& organizationName = optional
\& organizationalUnitName = optional
\& commonName = supplied
\& emailAddress = optional
.Ve
.SH "FILES"
.IX Header "FILES"
Note: the location of all files can change either by compile time options,
configuration file entries, environment variables or command line options.
The values below reflect the default values.
.PP
.Vb 9
\& /usr/local/ssl/lib/openssl.cnf \- master configuration file
\& ./demoCA \- main CA directory
\& ./demoCA/cacert.pem \- CA certificate
\& ./demoCA/private/cakey.pem \- CA private key
\& ./demoCA/serial \- CA serial number file
\& ./demoCA/serial.old \- CA serial number backup file
\& ./demoCA/index.txt \- CA text database file
\& ./demoCA/index.txt.old \- CA text database backup file
\& ./demoCA/certs \- certificate output file
.Ve
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
\&\s-1CRL:\s0 however there is no option to do this.
.PP
V2 \s-1CRL\s0 features like delta CRLs are not currently supported.
.PP
Although several requests can be input and handled at once it is only
possible to include one \s-1SPKAC\s0 or self-signed certificate.
.SH "BUGS"
.IX Header "BUGS"
This command is quirky and at times downright unfriendly.
.PP
The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
.PP
This command really needs rewriting or the required functionality
exposed at either a command or interface level so that a more user-friendly
replacement could handle things properly. The script
\&\fB\s-1CA\s0.pl\fR helps a little but not very much.
.PP
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by
RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
option can be used. The behaviour should be more friendly and
configurable.
.PP
Canceling some commands by refusing to certify a certificate can
create an empty file.
.SH "WARNINGS"
.IX Header "WARNINGS"
This command was originally meant as an example of how to do things in a \s-1CA.\s0
Its code does not have production quality.
It was not supposed to be used as a full blown \s-1CA\s0 itself,
nevertheless some people are using it for this purpose at least internally.
When doing so, specific care should be taken to
properly secure the private key(s) used for signing certificates.
It is advisable to keep them in a secure \s-1HW\s0 storage such as a smart card or \s-1HSM\s0
and access them via a suitable engine or crypto provider.
.PP
This command is effectively a single user command: no locking
is done on the various files and attempts to run more than one \fBopenssl ca\fR
command on the same database can have unpredictable results.
.PP
The \fBcopy_extensions\fR option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
this when the certificate is displayed then this will hand the requester
a valid \s-1CA\s0 certificate.
This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
Then if the request contains a basicConstraints extension it will be
ignored.
.PP
It is advisable to also include values for other extensions such
as \fBkeyUsage\fR to prevent a request supplying its own values.
.PP
Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
For example if the \s-1CA\s0 certificate has:
.PP
.Vb 1
\& basicConstraints = CA:TRUE, pathlen:0
.Ve
.PP
then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
.SH "HISTORY"
.IX Header "HISTORY"
Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically,
certificate validity period (specified by any of \fB\-startdate\fR,
\&\fB\-enddate\fR and \fB\-days\fR) and \s-1CRL\s0 last/next update time (specified by
any of \fB\-crl_lastupdate\fR, \fB\-crl_nextupdate\fR, \fB\-crldays\fR, \fB\-crlhours\fR
and \fB\-crlsec\fR) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
.PP
OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
seeding mechanism. The new seeding mechanism makes it unnecessary to
define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
.PP
The \fB\-section\fR option was added in OpenSSL 3.0.0.
.PP
The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
has no effect.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
Since OpenSSL 3.2, generated certificates bear X.509 version 3,
and key identifier extensions are included by default.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-spkac\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\s-1\fBCA\s0.pl\fR\|(1),
\&\fBconfig\fR\|(5),
\&\fBx509v3_config\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

926
openssl-install/share/man/man1/openssl-ciphers.1ossl Normal file
View File

@@ -0,0 +1,926 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CIPHERS 1ossl"
.TH OPENSSL-CIPHERS 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ciphers \- SSL cipher display and cipher list command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBciphers\fR
[\fB\-help\fR]
[\fB\-s\fR]
[\fB\-v\fR]
[\fB\-V\fR]
[\fB\-ssl3\fR]
[\fB\-tls1\fR]
[\fB\-tls1_1\fR]
[\fB\-tls1_2\fR]
[\fB\-tls1_3\fR]
[\fB\-s\fR]
[\fB\-psk\fR]
[\fB\-srp\fR]
[\fB\-stdname\fR]
[\fB\-convert\fR \fIname\fR]
[\fB\-ciphersuites\fR \fIval\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIcipherlist\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command converts textual OpenSSL cipher lists into
ordered \s-1SSL\s0 cipher preference lists. It can be used to
determine the appropriate cipherlist.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-s\fR" 4
.IX Item "-s"
Only list supported ciphers: those consistent with the security level, and
minimum and maximum protocol version. This is closer to the actual cipher list
an application will support.
.Sp
\&\s-1PSK\s0 and \s-1SRP\s0 ciphers are not enabled by default: they require \fB\-psk\fR or \fB\-srp\fR
to enable them.
.Sp
It also does not change the default list of supported signature algorithms.
.Sp
On a server the list of supported ciphers might also exclude other ciphers
depending on the configured certificates and presence of \s-1DH\s0 parameters.
.Sp
If this option is not used then all ciphers that match the cipherlist will be
listed.
.IP "\fB\-psk\fR" 4
.IX Item "-psk"
When combined with \fB\-s\fR includes cipher suites which require \s-1PSK.\s0
.IP "\fB\-srp\fR" 4
.IX Item "-srp"
When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0 This option
is deprecated.
.IP "\fB\-v\fR" 4
.IX Item "-v"
Verbose output: For each cipher suite, list details as provided by
\&\fBSSL_CIPHER_description\fR\|(3).
.IP "\fB\-V\fR" 4
.IX Item "-V"
Like \fB\-v\fR, but include the official cipher suite values in hex.
.IP "\fB\-tls1_3\fR, \fB\-tls1_2\fR, \fB\-tls1_1\fR, \fB\-tls1\fR, \fB\-ssl3\fR" 4
.IX Item "-tls1_3, -tls1_2, -tls1_1, -tls1, -ssl3"
In combination with the \fB\-s\fR option, list the ciphers which could be used if
the specified protocol were negotiated.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
.IP "\fB\-stdname\fR" 4
.IX Item "-stdname"
Precede each cipher suite by its standard name.
.IP "\fB\-convert\fR \fIname\fR" 4
.IX Item "-convert name"
Convert a standard cipher \fIname\fR to its OpenSSL name.
.IP "\fB\-ciphersuites\fR \fIval\fR" 4
.IX Item "-ciphersuites val"
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
TLSv1.2 and below ciphersuites that have been configured. The format for this
list is a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. By
default this value is:
.Sp
.Vb 1
\& TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
.Ve
.IP "\fBcipherlist\fR" 4
.IX Item "cipherlist"
A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher
preference list. This list will be combined with any TLSv1.3 ciphersuites that
have been configured. If it is not included then the default cipher list will be
used. The format is described below.
.SH "CIPHER LIST FORMAT"
.IX Header "CIPHER LIST FORMAT"
The cipher list consists of one or more \fIcipher strings\fR separated by colons.
Commas or spaces are also acceptable separators but colons are normally used.
.PP
The cipher string may reference a cipher using its standard name from
the \s-1IANA TLS\s0 Cipher Suites Registry
(<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-parameters\-4>).
.PP
The actual cipher string can take several different forms.
.PP
It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR.
.PP
It can represent a list of cipher suites containing a certain algorithm, or
cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers
suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3
algorithms.
.PP
Lists of cipher suites can be combined in a single cipher string using the
\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
\&\fB\-\fR or \fB+\fR.
.PP
If \fB!\fR is used then the ciphers are permanently deleted from the list.
The ciphers deleted can never reappear in the list even if they are
explicitly stated.
.PP
If \fB\-\fR is used then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
.PP
If \fB+\fR is used then the ciphers are moved to the end of the list. This
option doesn't add any new ciphers it just moves matching existing ones.
.PP
If none of these characters is present then the string is just interpreted
as a list of ciphers to be appended to the current preference list. If the
list includes any ciphers already present they will be ignored: that is they
will not moved to the end of the list.
.PP
The cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
.PP
The cipher string \fB\f(CB@SECLEVEL\fB\fR=\fIn\fR can be used at any point to set the security
level to \fIn\fR, which should be a number between zero and five, inclusive.
See \fBSSL_CTX_set_security_level\fR\|(3) for a description of what each level means.
.PP
The cipher list can be prefixed with the \fB\s-1DEFAULT\s0\fR keyword, which enables
the default cipher list as defined below. Unlike cipher strings,
this prefix may not be combined with other strings using \fB+\fR character.
For example, \fB\s-1DEFAULT+DES\s0\fR is not valid.
.PP
The content of the default list is determined at compile time and normally
corresponds to \fB\s-1ALL:\s0!COMPLEMENTOFDEFAULT:!eNULL\fR.
.SH "CIPHER STRINGS"
.IX Header "CIPHER STRINGS"
The following is a list of all permitted cipher strings and their meanings.
.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
.IX Item "COMPLEMENTOFDEFAULT"
The ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
this includes all \s-1RC4\s0 and anonymous ciphers. Note that this rule does
not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if
necessary). Note that \s-1RC4\s0 based cipher suites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
.IP "\fB\s-1ALL\s0\fR" 4
.IX Item "ALL"
All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled
if needed).
As of OpenSSL 1.0.0, the \fB\s-1ALL\s0\fR cipher suites are sensibly ordered by default.
.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
.IX Item "COMPLEMENTOFALL"
The cipher suites not enabled by \fB\s-1ALL\s0\fR, currently \fBeNULL\fR.
.IP "\fB\s-1HIGH\s0\fR" 4
.IX Item "HIGH"
\&\*(L"High\*(R" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128\-bit keys.
.IP "\fB\s-1MEDIUM\s0\fR" 4
.IX Item "MEDIUM"
\&\*(L"Medium\*(R" encryption cipher suites, currently some of those using 128 bit
encryption.
.IP "\fB\s-1LOW\s0\fR" 4
.IX Item "LOW"
\&\*(L"Low\*(R" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
cipher suites have been removed as of OpenSSL 1.1.0.
.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
.IX Item "eNULL, NULL"
The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
encryption at all and are a security risk they are not enabled via either the
\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings.
Be careful when building cipherlists out of lower-level primitives such as
\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in
doubt, include \fB!eNULL\fR in your cipherlist.
.IP "\fBaNULL\fR" 4
.IX Item "aNULL"
The cipher suites offering no authentication. This is currently the anonymous
\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable
to \*(L"man in the middle\*(R" attacks and so their use is discouraged.
These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR
ciphers.
Be careful when building cipherlists out of lower-level primitives such as
\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers.
When in doubt, include \fB!aNULL\fR in your cipherlist.
.IP "\fBkRSA\fR, \fBaRSA\fR, \fB\s-1RSA\s0\fR" 4
.IX Item "kRSA, aRSA, RSA"
Cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for
\&\fBkRSA\fR.
.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
.IX Item "kDHr, kDHd, kDH"
Cipher suites using static \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs
with \s-1RSA\s0 and \s-1DSS\s0 keys or either respectively.
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fBkDHE\fR, \fBkEDH\fR, \fB\s-1DH\s0\fR" 4
.IX Item "kDHE, kEDH, DH"
Cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
suites.
.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4
.IX Item "DHE, EDH"
Cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
.IP "\fB\s-1ADH\s0\fR" 4
.IX Item "ADH"
Anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic
Curve \s-1DH\s0 (\s-1ECDH\s0) cipher suites.
.IP "\fBkEECDH\fR, \fBkECDHE\fR, \fB\s-1ECDH\s0\fR" 4
.IX Item "kEECDH, kECDHE, ECDH"
Cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
cipher suites.
.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4
.IX Item "ECDHE, EECDH"
Cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
.IP "\fB\s-1AECDH\s0\fR" 4
.IX Item "AECDH"
Anonymous Elliptic Curve Diffie-Hellman cipher suites.
.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
.IX Item "aDSS, DSS"
Cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
.IP "\fBaDH\fR" 4
.IX Item "aDH"
Cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
\&\s-1DH\s0 keys.
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4
.IX Item "aECDSA, ECDSA"
Cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0
keys.
.IP "\fBTLSv1.2\fR, \fBTLSv1.0\fR, \fBSSLv3\fR" 4
.IX Item "TLSv1.2, TLSv1.0, SSLv3"
Lists cipher suites which are only supported in at least \s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0 or
\&\s-1SSL\s0 v3.0 respectively.
Note: there are no cipher suites specific to \s-1TLS\s0 v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
then both TLSv1.0 and SSLv3.0 cipher suites are available.
.Sp
Note: these cipher strings \fBdo not\fR change the negotiated version of \s-1SSL\s0 or
\&\s-1TLS,\s0 they only affect the list of available cipher suites.
.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4
.IX Item "AES128, AES256, AES"
cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0
.IP "\fB\s-1AESGCM\s0\fR" 4
.IX Item "AESGCM"
\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these cipher suites are only supported
in \s-1TLS\s0 v1.2.
.IP "\fB\s-1AESCCM\s0\fR, \fB\s-1AESCCM8\s0\fR" 4
.IX Item "AESCCM, AESCCM8"
\&\s-1AES\s0 in Cipher Block Chaining \- Message Authentication Mode (\s-1CCM\s0): these
cipher suites are only supported in \s-1TLS\s0 v1.2. \fB\s-1AESCCM\s0\fR references \s-1CCM\s0
cipher suites using both 16 and 8 octet Integrity Check Value (\s-1ICV\s0)
while \fB\s-1AESCCM8\s0\fR only references 8 octet \s-1ICV.\s0
.IP "\fB\s-1ARIA128\s0\fR, \fB\s-1ARIA256\s0\fR, \fB\s-1ARIA\s0\fR" 4
.IX Item "ARIA128, ARIA256, ARIA"
Cipher suites using 128 bit \s-1ARIA, 256\s0 bit \s-1ARIA\s0 or either 128 or 256 bit
\&\s-1ARIA.\s0
.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4
.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA"
Cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit
\&\s-1CAMELLIA.\s0
.IP "\fB\s-1CHACHA20\s0\fR" 4
.IX Item "CHACHA20"
Cipher suites using ChaCha20.
.IP "\fB3DES\fR" 4
.IX Item "3DES"
Cipher suites using triple \s-1DES.\s0
.IP "\fB\s-1DES\s0\fR" 4
.IX Item "DES"
Cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fB\s-1RC4\s0\fR" 4
.IX Item "RC4"
Cipher suites using \s-1RC4.\s0
.IP "\fB\s-1RC2\s0\fR" 4
.IX Item "RC2"
Cipher suites using \s-1RC2.\s0
.IP "\fB\s-1IDEA\s0\fR" 4
.IX Item "IDEA"
Cipher suites using \s-1IDEA.\s0
.IP "\fB\s-1SEED\s0\fR" 4
.IX Item "SEED"
Cipher suites using \s-1SEED.\s0
.IP "\fB\s-1MD5\s0\fR" 4
.IX Item "MD5"
Cipher suites using \s-1MD5.\s0
.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
.IX Item "SHA1, SHA"
Cipher suites using \s-1SHA1.\s0
.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4
.IX Item "SHA256, SHA384"
Cipher suites using \s-1SHA256\s0 or \s-1SHA384.\s0
.IP "\fBaGOST\fR" 4
.IX Item "aGOST"
Cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authentication
(needs an engine supporting \s-1GOST\s0 algorithms).
.IP "\fBaGOST01\fR" 4
.IX Item "aGOST01"
Cipher suites using \s-1GOST R 34.10\-2001\s0 authentication.
.IP "\fBkGOST\fR" 4
.IX Item "kGOST"
Cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0
.IP "\fB\s-1GOST94\s0\fR" 4
.IX Item "GOST94"
Cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0
.IP "\fB\s-1GOST89MAC\s0\fR" 4
.IX Item "GOST89MAC"
Cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0
.IP "\fB\s-1PSK\s0\fR" 4
.IX Item "PSK"
All cipher suites using pre-shared keys (\s-1PSK\s0).
.IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4
.IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK"
Cipher suites using \s-1PSK\s0 key exchange, \s-1ECDHE_PSK, DHE_PSK\s0 or \s-1RSA_PSK.\s0
.IP "\fBaPSK\fR" 4
.IX Item "aPSK"
Cipher suites using \s-1PSK\s0 authentication (currently all \s-1PSK\s0 modes apart from
\&\s-1RSA_PSK\s0).
.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4
.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192"
Enables suite B mode of operation using 128 (permitting 192 bit mode by peer)
128 bit (not permitting 192 bit by peer) or 192 bit level of security
respectively.
If used these cipherstrings should appear first in the cipher
list and anything after them is ignored.
Setting Suite B mode has additional consequences required to comply with
\&\s-1RFC6460.\s0
In particular the supported signature algorithms is reduced to support only
\&\s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 only the elliptic curves P\-256 and P\-384 can be
used and only the two suite B compliant cipher suites
(\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and \s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are
permissible.
.IP "\fB\s-1CBC\s0\fR" 4
.IX Item "CBC"
All cipher suites using encryption algorithm in Cipher Block Chaining (\s-1CBC\s0)
mode. These cipher suites are only supported in \s-1TLS\s0 v1.2 and earlier. Currently
it's an alias for the following cipherstrings: \fB\s-1SSL_DES\s0\fR, \fB\s-1SSL_3DES\s0\fR, \fB\s-1SSL_RC2\s0\fR,
\&\fB\s-1SSL_IDEA\s0\fR, \fB\s-1SSL_AES128\s0\fR, \fB\s-1SSL_AES256\s0\fR, \fB\s-1SSL_CAMELLIA128\s0\fR, \fB\s-1SSL_CAMELLIA256\s0\fR, \fB\s-1SSL_SEED\s0\fR.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the standard \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
relevant specification and their OpenSSL equivalents. You can use either
standard names or OpenSSL names in cipher lists, or a mix of both.
.PP
It should be noted, that several cipher suite names do not include the
authentication used, e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication
is used.
.SS "\s-1SSL\s0 v3.0 cipher suites"
.IX Subsection "SSL v3.0 cipher suites"
.Vb 6
\& SSL_RSA_WITH_NULL_MD5 NULL\-MD5
\& SSL_RSA_WITH_NULL_SHA NULL\-SHA
\& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5
\& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA
\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA
\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
\&
\& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
\&
\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
.Ve
.SS "\s-1TLS\s0 v1.0 cipher suites"
.IX Subsection "TLS v1.0 cipher suites"
.Vb 6
\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5
\& TLS_RSA_WITH_NULL_SHA NULL\-SHA
\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5
\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA
\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
\&
\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
.Ve
.SS "\s-1AES\s0 cipher suites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "AES cipher suites from RFC3268, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
\&
\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA
\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA
\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA
\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA
\&
\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA
\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA
.Ve
.SS "Camellia cipher suites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "Camellia cipher suites from RFC4132, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
\&
\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA
\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA
\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA
\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA
\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA
\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA
.Ve
.SS "\s-1SEED\s0 cipher suites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "SEED cipher suites from RFC4162, extending TLS v1.0"
.Vb 1
\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
\&
\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA
\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA
\&
\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
\&
\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA
.Ve
.SS "\s-1GOST\s0 cipher suites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0"
.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
distribution.
.PP
.Vb 4
\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89
\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89
\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94
\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
.Ve
.SS "\s-1GOST\s0 cipher suites, extending \s-1TLS\s0 v1.2"
.IX Subsection "GOST cipher suites, extending TLS v1.2"
Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
algorithms, such as the \fBgost\fR engine, which isn't part of the OpenSSL
distribution.
.PP
.Vb 2
\& TLS_GOSTR341112_256_WITH_28147_CNT_IMIT GOST2012\-GOST8912\-GOST8912
\& TLS_GOSTR341112_256_WITH_NULL_GOSTR3411 GOST2012\-NULL\-GOST12
.Ve
.PP
Note: \s-1GOST2012\-GOST8912\-GOST8912\s0 is an alias for two ciphers \s-1ID\s0
old \s-1LEGACY\-GOST2012\-GOST8912\-GOST8912\s0 and new \s-1IANA\-GOST2012\-GOST8912\-GOST8912\s0
.SS "Additional Export 1024 and other cipher suites"
.IX Subsection "Additional Export 1024 and other cipher suites"
Note: these ciphers can also be used in \s-1SSL\s0 v3.
.PP
.Vb 1
\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA
.Ve
.SS "Elliptic curve cipher suites"
.IX Subsection "Elliptic curve cipher suites"
.Vb 5
\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA
\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA
\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
\&
\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA
\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA
\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA
\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
\&
\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA
\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA
\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA
\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
.Ve
.SS "\s-1TLS\s0 v1.2 cipher suites"
.IX Subsection "TLS v1.2 cipher suites"
.Vb 1
\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256
\&
\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256
\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256
\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
\&
\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256
\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256
\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256
\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256
\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256
\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256
\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256
\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256
\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
\&
\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256
\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256
\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256
\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384
\&
\& RSA_WITH_AES_128_CCM AES128\-CCM
\& RSA_WITH_AES_256_CCM AES256\-CCM
\& DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM
\& DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM
\& RSA_WITH_AES_128_CCM_8 AES128\-CCM8
\& RSA_WITH_AES_256_CCM_8 AES256\-CCM8
\& DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8
\& DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8
\& ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM
\& ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM
\& ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8
\& ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8
.Ve
.SS "\s-1ARIA\s0 cipher suites from \s-1RFC6209,\s0 extending \s-1TLS\s0 v1.2"
.IX Subsection "ARIA cipher suites from RFC6209, extending TLS v1.2"
Note: the \s-1CBC\s0 modes mentioned in this \s-1RFC\s0 are not supported.
.PP
.Vb 10
\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256
\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384
\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256
\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384
\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256
\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384
\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256
\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384
\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ARIA128\-GCM\-SHA256
\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ARIA256\-GCM\-SHA384
\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256
\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384
\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256
\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384
\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256
\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384
.Ve
.SS "Camellia HMAC-Based cipher suites from \s-1RFC6367,\s0 extending \s-1TLS\s0 v1.2"
.IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2"
.Vb 4
\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256
\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384
\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256
\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384
.Ve
.SS "Pre-shared keying (\s-1PSK\s0) cipher suites"
.IX Subsection "Pre-shared keying (PSK) cipher suites"
.Vb 3
\& PSK_WITH_NULL_SHA PSK\-NULL\-SHA
\& DHE_PSK_WITH_NULL_SHA DHE\-PSK\-NULL\-SHA
\& RSA_PSK_WITH_NULL_SHA RSA\-PSK\-NULL\-SHA
\&
\& PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA
\& PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA
\& PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
\& PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
\&
\& DHE_PSK_WITH_RC4_128_SHA DHE\-PSK\-RC4\-SHA
\& DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE\-PSK\-3DES\-EDE\-CBC\-SHA
\& DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA
\& DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA
\&
\& RSA_PSK_WITH_RC4_128_SHA RSA\-PSK\-RC4\-SHA
\& RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA\-PSK\-3DES\-EDE\-CBC\-SHA
\& RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA
\& RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA
\&
\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
\& DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256
\& DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384
\& RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256
\& RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384
\&
\& PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256
\& PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384
\& PSK_WITH_NULL_SHA256 PSK\-NULL\-SHA256
\& PSK_WITH_NULL_SHA384 PSK\-NULL\-SHA384
\& DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256
\& DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384
\& DHE_PSK_WITH_NULL_SHA256 DHE\-PSK\-NULL\-SHA256
\& DHE_PSK_WITH_NULL_SHA384 DHE\-PSK\-NULL\-SHA384
\& RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256
\& RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384
\& RSA_PSK_WITH_NULL_SHA256 RSA\-PSK\-NULL\-SHA256
\& RSA_PSK_WITH_NULL_SHA384 RSA\-PSK\-NULL\-SHA384
\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
\&
\& ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA
\& ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-3DES\-EDE\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
\& ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
\& ECDHE_PSK_WITH_NULL_SHA ECDHE\-PSK\-NULL\-SHA
\& ECDHE_PSK_WITH_NULL_SHA256 ECDHE\-PSK\-NULL\-SHA256
\& ECDHE_PSK_WITH_NULL_SHA384 ECDHE\-PSK\-NULL\-SHA384
\&
\& PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK\-CAMELLIA128\-SHA256
\& PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK\-CAMELLIA256\-SHA384
\&
\& DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE\-PSK\-CAMELLIA128\-SHA256
\& DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE\-PSK\-CAMELLIA256\-SHA384
\&
\& RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA\-PSK\-CAMELLIA128\-SHA256
\& RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA\-PSK\-CAMELLIA256\-SHA384
\&
\& ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
\& ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
\&
\& PSK_WITH_AES_128_CCM PSK\-AES128\-CCM
\& PSK_WITH_AES_256_CCM PSK\-AES256\-CCM
\& DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM
\& DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM
\& PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8
\& PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8
\& DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8
\& DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8
.Ve
.SS "ChaCha20\-Poly1305 cipher suites, extending \s-1TLS\s0 v1.2"
.IX Subsection "ChaCha20-Poly1305 cipher suites, extending TLS v1.2"
.Vb 7
\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305
\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305
\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305
\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305
\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305
\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305
.Ve
.SS "\s-1TLS\s0 v1.3 cipher suites"
.IX Subsection "TLS v1.3 cipher suites"
.Vb 5
\& TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
\& TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
\& TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
\& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
\& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256
.Ve
.SS "\s-1TLS\s0 v1.3 integrity-only cipher suites according to \s-1RFC 9150\s0"
.IX Subsection "TLS v1.3 integrity-only cipher suites according to RFC 9150"
.Vb 2
\& TLS_SHA256_SHA256 TLS_SHA256_SHA256
\& TLS_SHA384_SHA384 TLS_SHA384_SHA384
.Ve
.PP
Note: these ciphers are purely \s-1HMAC\s0 based and do not provide any confidentiality
and thus are disabled by default.
These ciphers are only available at security level 0.
.SS "Older names used by OpenSSL"
.IX Subsection "Older names used by OpenSSL"
The following names are accepted by older releases:
.PP
.Vb 2
\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA (DHE\-RSA\-DES\-CBC3\-SHA)
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA (DHE\-DSS\-DES\-CBC3\-SHA)
.Ve
.SH "NOTES"
.IX Header "NOTES"
Some compiled versions of OpenSSL may not include all the ciphers
listed here because some ciphers were excluded at compile time.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:eNULL\*(Aq
.Ve
.PP
Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
strength:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq
.Ve
.PP
Include all ciphers except ones with no encryption (eNULL) or no
authentication (aNULL):
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq
.Ve
.PP
Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
.PP
.Vb 1
\& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq
.Ve
.PP
Include all \s-1RC4\s0 ciphers but leave out those without authentication:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq
.Ve
.PP
Include all ciphers with \s-1RSA\s0 authentication but leave out ciphers without
encryption.
.PP
.Vb 1
\& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq
.Ve
.PP
Set security level to 2 and display all ciphers consistent with level 2:
.PP
.Vb 1
\& openssl ciphers \-s \-v \*(AqALL:@SECLEVEL=2\*(Aq
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-s_client\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1),
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-V\fR option was added in OpenSSL 1.0.0.
.PP
The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled
(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1.
.PP
The \fB\-convert\fR option was added in OpenSSL 1.1.1.
.PP
Support for standard \s-1IANA\s0 names in cipher lists was added in
OpenSSL 3.2.0.
.PP
The support for \s-1TLS\s0 v1.3 integrity-only cipher suites was added in OpenSSL 3.4.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

277
openssl-install/share/man/man1/openssl-cmds.1ossl Normal file
View File

@@ -0,0 +1,277 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CMDS 1ossl"
.TH OPENSSL-CMDS 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
asn1parse,
ca,
ciphers,
cmp,
cms,
crl,
crl2pkcs7,
dgst,
dhparam,
dsa,
dsaparam,
ec,
ecparam,
enc,
engine,
errstr,
gendsa,
genpkey,
genrsa,
info,
kdf,
mac,
nseq,
ocsp,
passwd,
pkcs12,
pkcs7,
pkcs8,
pkey,
pkeyparam,
pkeyutl,
prime,
rand,
rehash,
req,
rsa,
rsautl,
s_client,
s_server,
s_time,
sess_id,
smime,
speed,
spkac,
srp,
storeutl,
ts,
verify,
version,
x509
\&\- OpenSSL application commands
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fIcmd\fR \fB\-help\fR | [\fI\-option\fR | \fI\-option\fR \fIarg\fR] ... [\fIarg\fR] ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Every \fIcmd\fR listed above is a (sub\-)command of the \fBopenssl\fR\|(1) application.
It has its own detailed manual page at \fBopenssl\-\f(BIcmd\fB\fR(1). For example, to
view the manual page for the \fBopenssl dgst\fR command, type \f(CW\*(C`man openssl\-dgst\*(C'\fR.
.SH "OPTIONS"
.IX Header "OPTIONS"
Among others, every subcommand has a help option.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message for the subcommand.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-asn1parse\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-ciphers\fR\|(1),
\&\fBopenssl\-cmp\fR\|(1),
\&\fBopenssl\-cms\fR\|(1),
\&\fBopenssl\-crl\fR\|(1),
\&\fBopenssl\-crl2pkcs7\fR\|(1),
\&\fBopenssl\-dgst\fR\|(1),
\&\fBopenssl\-dhparam\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1),
\&\fBopenssl\-ec\fR\|(1),
\&\fBopenssl\-ecparam\fR\|(1),
\&\fBopenssl\-enc\fR\|(1),
\&\fBopenssl\-engine\fR\|(1),
\&\fBopenssl\-errstr\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-info\fR\|(1),
\&\fBopenssl\-kdf\fR\|(1),
\&\fBopenssl\-mac\fR\|(1),
\&\fBopenssl\-nseq\fR\|(1),
\&\fBopenssl\-ocsp\fR\|(1),
\&\fBopenssl\-passwd\fR\|(1),
\&\fBopenssl\-pkcs12\fR\|(1),
\&\fBopenssl\-pkcs7\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-pkeyparam\fR\|(1),
\&\fBopenssl\-pkeyutl\fR\|(1),
\&\fBopenssl\-prime\fR\|(1),
\&\fBopenssl\-rand\fR\|(1),
\&\fBopenssl\-rehash\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-rsautl\fR\|(1),
\&\fBopenssl\-s_client\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1),
\&\fBopenssl\-s_time\fR\|(1),
\&\fBopenssl\-sess_id\fR\|(1),
\&\fBopenssl\-smime\fR\|(1),
\&\fBopenssl\-speed\fR\|(1),
\&\fBopenssl\-spkac\fR\|(1),
\&\fBopenssl\-srp\fR\|(1),
\&\fBopenssl\-storeutl\fR\|(1),
\&\fBopenssl\-ts\fR\|(1),
\&\fBopenssl\-verify\fR\|(1),
\&\fBopenssl\-version\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
.SH "HISTORY"
.IX Header "HISTORY"
Initially, the manual page entry for the \f(CW\*(C`openssl \f(CIcmd\f(CW\*(C'\fR command used
to be available at \fIcmd\fR(1). Later, the alias \fBopenssl\-\f(BIcmd\fB\fR(1) was
introduced, which made it easier to group the openssl commands using
the \fBapropos\fR\|(1) command or the shell's tab completion.
.PP
In order to reduce cluttering of the global manual page namespace,
the manual page entries without the 'openssl\-' prefix have been
deprecated in OpenSSL 3.0 and will be removed in OpenSSL 4.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

1538
openssl-install/share/man/man1/openssl-cmp.1ossl Normal file
View File

File diff suppressed because it is too large Load Diff

1000
openssl-install/share/man/man1/openssl-cms.1ossl Normal file
View File

File diff suppressed because it is too large Load Diff

305
openssl-install/share/man/man1/openssl-crl.1ossl Normal file
View File

@@ -0,0 +1,305 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CRL 1ossl"
.TH OPENSSL-CRL 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-crl \- CRL command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-key\fR \fIfilename\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
[\fB\-dateopt\fR]
[\fB\-text\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-gendelta\fR \fIfilename\fR]
[\fB\-badsig\fR]
[\fB\-verify\fR]
[\fB\-noout\fR]
[\fB\-hash\fR]
[\fB\-hash_old\fR]
[\fB\-fingerprint\fR]
[\fB\-crlnumber\fR]
[\fB\-issuer\fR]
[\fB\-lastupdate\fR]
[\fB\-nextupdate\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The \s-1CRL\s0 input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The \s-1CRL\s0 output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-key\fR \fIfilename\fR" 4
.IX Item "-key filename"
The private key to be used to sign the \s-1CRL.\s0
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
.IX Item "-keyform DER|PEM|P12"
The format of the private key file; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-gendelta\fR \fIfilename\fR" 4
.IX Item "-gendelta filename"
Output a comparison of the main \s-1CRL\s0 and the one specified here.
.IP "\fB\-badsig\fR" 4
.IX Item "-badsig"
Corrupt the signature before writing it; this can be useful
for testing.
.IP "\fB\-dateopt\fR" 4
.IX Item "-dateopt"
Specify the date output format. Values are: rfc_822 and iso_8601.
Defaults to rfc_822.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print out the \s-1CRL\s0 in text form.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify the signature in the \s-1CRL.\s0 If the verification fails,
the program will immediately exit, i.e. further option processing
(e.g. \fB\-gendelta\fR) is skipped.
.Sp
This option is implicitly enabled if any of \fB\-CApath\fR, \fB\-CAfile\fR
or \fB\-CAstore\fR is specified.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the \s-1CRL.\s0
.IP "\fB\-fingerprint\fR" 4
.IX Item "-fingerprint"
Output the fingerprint of the \s-1CRL.\s0
.IP "\fB\-crlnumber\fR" 4
.IX Item "-crlnumber"
Output the number of the \s-1CRL.\s0
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
Output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
.IP "\fB\-hash_old\fR" 4
.IX Item "-hash_old"
Outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-issuer\fR" 4
.IX Item "-issuer"
Output the issuer name.
.IP "\fB\-lastupdate\fR" 4
.IX Item "-lastupdate"
Output the lastUpdate field.
.IP "\fB\-nextupdate\fR" 4
.IX Item "-nextupdate"
Output the nextUpdate field.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
.PP
.Vb 1
\& openssl crl \-in crl.pem \-outform DER \-out crl.der
.Ve
.PP
Output the text form of a \s-1DER\s0 encoded certificate:
.PP
.Vb 1
\& openssl crl \-in crl.der \-text \-noout
.Ve
.SH "BUGS"
.IX Header "BUGS"
Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
and files too.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-crl2pkcs7\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
Since OpenSSL 3.3, the \fB\-verify\fR option will exit with 1 on failure.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

238
openssl-install/share/man/man1/openssl-crl2pkcs7.1ossl Normal file
View File

@@ -0,0 +1,238 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CRL2PKCS7 1ossl"
.TH OPENSSL-CRL2PKCS7 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl2pkcs7\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-certfile\fR \fIfilename\fR]
[\fB\-nocrl\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command takes an optional \s-1CRL\s0 and one or more
certificates and converts them into a PKCS#7 degenerate \*(L"certificates
only\*(R" structure.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The input format of the \s-1CRL\s0; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The output format of the PKCS#7 object; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
.IP "\fB\-certfile\fR \fIfilename\fR" 4
.IX Item "-certfile filename"
Specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
All certificates in the file will be added to the PKCS#7 structure. This
option can be used more than once to read certificates from multiple
files.
.IP "\fB\-nocrl\fR" 4
.IX Item "-nocrl"
Normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
included in the output file and a \s-1CRL\s0 is not read from the input file.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
.PP
.Vb 1
\& openssl crl2pkcs7 \-in crl.pem \-certfile cert.pem \-out p7.pem
.Ve
.PP
Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several
different certificates:
.PP
.Vb 2
\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem
\& \-certfile demoCA/cacert.pem \-outform DER \-out p7.der
.Ve
.SH "NOTES"
.IX Header "NOTES"
The output file is a PKCS#7 signed data structure containing no signers and
just certificates and an optional \s-1CRL.\s0
.PP
This command can be used to send certificates and CAs to Netscape as part of
the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
as \s-1MIME\s0 type application/x\-x509\-user\-cert.
.PP
The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to
install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkcs7\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

402
openssl-install/share/man/man1/openssl-dgst.1ossl Normal file
View File

@@ -0,0 +1,402 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-DGST 1ossl"
.TH OPENSSL-DGST 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dgst \- perform digest operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBdgst\fR|\fIdigest\fR
[\fB\-\f(BIdigest\fB\fR]
[\fB\-list\fR]
[\fB\-help\fR]
[\fB\-c\fR]
[\fB\-d\fR]
[\fB\-debug\fR]
[\fB\-hex\fR]
[\fB\-binary\fR]
[\fB\-xoflen\fR \fIlength\fR]
[\fB\-r\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-sign\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-verify\fR \fIfilename\fR]
[\fB\-prverify\fR \fIfilename\fR]
[\fB\-signature\fR \fIfilename\fR]
[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
[\fB\-hmac\fR \fIkey\fR]
[\fB\-mac\fR \fIalg\fR]
[\fB\-macopt\fR \fInm\fR:\fIv\fR]
[\fB\-fips\-fingerprint\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-engine_impl\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIfile\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command output the message digest of a supplied file or files
in hexadecimal, and also generates and verifies digital
signatures using message digests.
.PP
The generic name, \fBopenssl dgst\fR, may be used with an option specifying the
algorithm to be used.
The default digest is \fBsha256\fR.
A supported \fIdigest\fR name may also be used as the sub-command name.
To see the list of supported algorithms, use \f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
Specifies name of a supported digest to be used. See option \fB\-list\fR below :
.IP "\fB\-list\fR" 4
.IX Item "-list"
Prints out a list of supported message digests.
.IP "\fB\-c\fR" 4
.IX Item "-c"
Print out the digest in two digit groups separated by colons, only relevant if
the \fB\-hex\fR option is given as well.
.IP "\fB\-d\fR, \fB\-debug\fR" 4
.IX Item "-d, -debug"
Print out \s-1BIO\s0 debugging information.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
digest as opposed to a digital signature. See \s-1NOTES\s0 below for digital
signatures using \fB\-hex\fR.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Output the digest or signature in binary form.
.IP "\fB\-xoflen\fR \fIlength\fR" 4
.IX Item "-xoflen length"
Set the output length for \s-1XOF\s0 algorithms, such as \fBshake128\fR and \fBshake256\fR.
This option is not supported for signing operations.
.Sp
For OpenSSL providers it is required to set this value for shake algorithms,
since the previous default values were only set to supply half of the maximum
security strength.
.Sp
To ensure the maximum security strength of 128 bits, the xoflen for \fBshake128\fR
should be set to at least 32 (bytes). For compatibility with previous versions
of OpenSSL, it may be set to 16, resulting in a security strength of only 64
bits.
.Sp
To ensure the maximum security strength of 256 bits, the xoflen for \fBshake256\fR
should be set to at least 64 (bytes). For compatibility with previous versions
of OpenSSL, it may be set to 32, resulting in a security strength of only 128
bits.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Output the digest in the \*(L"coreutils\*(R" format, including newlines.
Used by programs like \fBsha1sum\fR\|(1).
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Filename to output to, or standard output by default.
.IP "\fB\-sign\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-sign filename|uri"
Digitally sign the digest using the given private key. Note this option
does not support Ed25519 or Ed448 private keys. Use the \fBopenssl\-pkeyutl\fR\|(1)
command instead for this.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The format of the key to sign with; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific and documented
in \*(L"Signature parameters\*(R" in \fBprovider\-signature\fR\|(7).
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-verify\fR \fIfilename\fR" 4
.IX Item "-verify filename"
Verify the signature using the public key in \*(L"filename\*(R".
The output is either \*(L"Verified \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
.IP "\fB\-prverify\fR \fIfilename\fR" 4
.IX Item "-prverify filename"
Verify the signature using the private key in \*(L"filename\*(R".
.IP "\fB\-signature\fR \fIfilename\fR" 4
.IX Item "-signature filename"
The actual signature to verify.
.IP "\fB\-hmac\fR \fIkey\fR" 4
.IX Item "-hmac key"
Create a hashed \s-1MAC\s0 using \*(L"key\*(R".
.Sp
The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
option.
.IP "\fB\-mac\fR \fIalg\fR" 4
.IX Item "-mac alg"
Create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
which are not based on hash, for instance \fBgost-mac\fR algorithm,
supported by the \fBgost\fR engine. \s-1MAC\s0 keys and other options should be set
via \fB\-macopt\fR parameter.
.Sp
The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
option.
.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key.
Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR:
.RS 4
.IP "\fBkey\fR:\fIstring\fR" 4
.IX Item "key:string"
Specifies \s-1MAC\s0 key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac.
.IP "\fBhexkey\fR:\fIstring\fR" 4
.IX Item "hexkey:string"
Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the \s-1MAC\s0 algorithm
for example exactly 32 chars for gost-mac.
.RE
.RS 4
.Sp
The \fBopenssl\-mac\fR\|(1) command should be preferred to using this command line
option.
.RE
.IP "\fB\-fips\-fingerprint\fR" 4
.IX Item "-fips-fingerprint"
Compute \s-1HMAC\s0 using a specific key for certain OpenSSL-FIPS operations.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.Sp
The engine is not used for digests unless the \fB\-engine_impl\fR option is
used or it is configured to do so, see \*(L"Engine Configuration Module\*(R" in \fBconfig\fR\|(5).
.IP "\fB\-engine_impl\fR \fIid\fR" 4
.IX Item "-engine_impl id"
When used with the \fB\-engine\fR option, it specifies to also use
engine \fIid\fR for digest operations.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fIfile\fR ..." 4
.IX Item "file ..."
File or files to digest. If no files are specified then standard input is
used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To create a hex-encoded message digest of a file:
.PP
.Vb 3
\& openssl dgst \-md5 \-hex file.txt
\& or
\& openssl md5 file.txt
.Ve
.PP
To sign a file using \s-1SHA\-256\s0 with binary file output:
.PP
.Vb 3
\& openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
\& or
\& openssl sha256 \-sign privatekey.pem \-out signature.sign file.txt
.Ve
.PP
To verify a signature:
.PP
.Vb 3
\& openssl dgst \-sha256 \-verify publickey.pem \e
\& \-signature signature.sign \e
\& file.txt
.Ve
.SH "NOTES"
.IX Header "NOTES"
The digest mechanisms that are available will depend on the options
used when building OpenSSL.
The \f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR command can be used to list them.
.PP
New or agile applications should use probably use \s-1SHA\-256.\s0 Other digests,
particularly \s-1SHA\-1\s0 and \s-1MD5,\s0 are still widely used for interoperating
with existing formats and protocols.
.PP
When signing a file, this command will automatically determine the algorithm
(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info.
When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature
itself, not the related data to identify the signer and algorithm used in
formats such as x.509, \s-1CMS,\s0 and S/MIME.
.PP
A source of random numbers is required for certain signing algorithms, in
particular \s-1ECDSA\s0 and \s-1DSA.\s0
.PP
The signing and verify options should only be used if a single file is
being signed or verified.
.PP
Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R"
or similar program to transform the hex signature into a binary signature
prior to verification.
.PP
The \fBopenssl\-mac\fR\|(1) command is preferred over the \fB\-hmac\fR, \fB\-mac\fR and
\&\fB\-macopt\fR command line options.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-mac\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
.PP
The \fB\-engine\fR and \fB\-engine_impl\fR options were deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

273
openssl-install/share/man/man1/openssl-dhparam.1ossl Normal file
View File

@@ -0,0 +1,273 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-DHPARAM 1ossl"
.TH OPENSSL-DHPARAM 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dhparam \- DH parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dhparam\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-dsaparam\fR]
[\fB\-check\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-2\fR]
[\fB\-3\fR]
[\fB\-5\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fInumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate \s-1DH\s0 parameter files.
.PP
See \*(L"\s-1EXAMPLES\*(R"\s0 in \fBopenssl\-genpkey\fR\|(1) for examples on how to generate
a key using a named safe prime group without generating intermediate
parameters.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM, -outform DER|PEM"
The input format and output format; the default is \fB\s-1PEM\s0\fR.
The object is compatible with the PKCS#3 \fBDHparameter\fR structure.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-dsaparam\fR" 4
.IX Item "-dsaparam"
If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created;
they are converted to \s-1DH\s0 format. Otherwise, safe primes (such
that (p\-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
.Sp
\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster.
Beware that with such DSA-style \s-1DH\s0 parameters, a fresh \s-1DH\s0 key should be
created for each use to avoid small-subgroup attacks that may be possible
otherwise.
.IP "\fB\-check\fR" 4
.IX Item "-check"
Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.
.IP "\fB\-2\fR, \fB\-3\fR, \fB\-5\fR" 4
.IX Item "-2, -3, -5"
The generator to use, either 2, 3 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but \fInumbits\fR is present, parameters are generated with the
default generator 2.
.IP "\fInumbits\fR" 4
.IX Item "numbits"
This option specifies that a parameter set should be generated of size
\&\fInumbits\fR. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (\fB\-2\fR, \fB\-3\fR or \fB\-5\fR) is
present, parameters are generated with a default length of 2048 bits.
The minimum length is 512 bits. The maximum length is 10000 bits.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DH\s0 parameters in human readable form.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
This option enables the output of progress messages, which is handy when
running commands interactively that may take a long time to execute.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
This option suppresses the output of progress messages, which may be
undesirable in batch scripts or pipelines.
.SH "NOTES"
.IX Header "NOTES"
This command replaces the \fBdh\fR and \fBgendh\fR commands of previous
releases.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkeyparam\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1).
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

323
openssl-install/share/man/man1/openssl-dsa.1ossl Normal file
View File

@@ -0,0 +1,323 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-DSA 1ossl"
.TH OPENSSL-DSA 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dsa \- DSA key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBdsa\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-modulus\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-pvk\-strong\fR]
[\fB\-pvk\-weak\fR]
[\fB\-pvk\-none\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes \s-1DSA\s0 keys. They can be converted between various
forms and their components printed out. \fBNote\fR This command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The key input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The key output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
Private keys are a sequence of \fB\s-1ASN.1 INTEGERS\s0\fR: the version (zero), \fBp\fR,
\&\fBq\fR, \fBg\fR, and the public and private key components. Public keys
are a \fBSubjectPublicKeyInfo\fR structure with the \fB\s-1DSA\s0\fR type.
.Sp
The \fB\s-1PEM\s0\fR format also accepts PKCS#8 data.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
.IX Item "-passin arg, -passout arg"
The password source for the input and output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that this command can be used to remove the pass phrase from a key
by not giving any encryption option is given, or to add or change the pass
phrase by setting them.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the public, private key components and parameters.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the public key component of the key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default, a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
.IP "\fB\-pvk\-strong\fR" 4
.IX Item "-pvk-strong"
Enable 'Strong' \s-1PVK\s0 encoding level (default).
.IP "\fB\-pvk\-weak\fR" 4
.IX Item "-pvk-weak"
Enable 'Weak' \s-1PVK\s0 encoding level.
.IP "\fB\-pvk\-none\fR" 4
.IX Item "-pvk-none"
Don't enforce \s-1PVK\s0 encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
equivalent to the ones listed here.
.PP
To remove the pass phrase on a \s-1DSA\s0 private key:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl dsa \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-pubout \-out pubkey.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

259
openssl-install/share/man/man1/openssl-dsaparam.1ossl Normal file
View File

@@ -0,0 +1,259 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-DSAPARAM 1ossl"
.TH OPENSSL-DSAPARAM 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dsaparam \- DSA parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dsaparam\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-genkey\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fInumbits\fR]
[\fInumqbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1DSA\s0 parameter files.
.PP
\&\s-1DSA\s0 parameter generation can be a slow process and as a result the same set of
\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The \s-1DSA\s0 parameters input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The \s-1DSA\s0 parameters output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
Parameters are a sequence of \fB\s-1ASN.1 INTEGER\s0\fRs: \fBp\fR, \fBq\fR, and \fBg\fR.
This is compatible with \s-1RFC 2459\s0 \fBDSS-Parms\fR structure.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified. If the \fInumbits\fR parameter is included then
this option will be ignored.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DSA\s0 parameters in human readable form.
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate a \s-1DSA\s0 either using the specified or generated
parameters.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Print fewer details about the operations being performed, which may
be handy during batch scripts and pipelines.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fInumbits\fR" 4
.IX Item "numbits"
This optional argument specifies that a parameter set should be generated of
size \fInumbits\fR. If this argument is included then the input file (if any) is
ignored.
.IP "\fInumqbits\fR" 4
.IX Item "numqbits"
This optional argument specifies that a parameter set should be generated with
a subprime parameter q of size \fInumqbits\fR. It must be the last argument. If
this argument is included then the input file (if any) is ignored.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkeyparam\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

337
openssl-install/share/man/man1/openssl-ec.1ossl Normal file
View File

@@ -0,0 +1,337 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-EC 1ossl"
.TH OPENSSL-EC 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ec \- EC key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBec\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-param_out\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-conv_form\fR \fIarg\fR]
[\fB\-param_enc\fR \fIarg\fR]
[\fB\-no_public\fR]
[\fB\-check\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBopenssl\-ec\fR\|(1) command processes \s-1EC\s0 keys. They can be converted between
various forms and their components printed out. \fBNote\fR OpenSSL uses the
private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL \s-1EC\s0 private key into the
PKCS#8 private key format use the \fBopenssl\-pkcs8\fR\|(1) command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-inform DER|PEM|P12|ENGINE"
The key input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The key output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
Private keys are an \s-1SEC1\s0 private key or PKCS#8 format.
Public keys are a \fBSubjectPublicKeyInfo\fR as specified in \s-1IETF RFC 3280.\s0
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
.IX Item "-passin arg, -passout arg"
The password source for the input and output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-des\fR|\fB\-des3\fR|\fB\-idea\fR" 4
.IX Item "-des|-des3|-idea"
These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
means that using this command to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the public, private key components and parameters.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-param_out\fR" 4
.IX Item "-param_out"
Print the elliptic curve parameters.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
.IP "\fB\-conv_form\fR \fIarg\fR" 4
.IX Item "-conv_form arg"
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
default value) and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
.IP "\fB\-param_enc\fR \fIarg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
explicitly given (see \s-1RFC 3279\s0 for the definition of the
\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
is currently not implemented in OpenSSL.
.IP "\fB\-no_public\fR" 4
.IX Item "-no_public"
This option omits the public key components from the private key output.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of an \s-1EC\s0 private or public key.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
equivalent to the ones listed here.
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl ec \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl ec \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl ec \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl ec \-in key.pem \-pubout \-out pubkey.pem
.Ve
.PP
To change the parameters encoding to \fBexplicit\fR:
.PP
.Vb 1
\& openssl ec \-in key.pem \-param_enc explicit \-out keyout.pem
.Ve
.PP
To change the point conversion form to \fBcompressed\fR:
.PP
.Vb 1
\& openssl ec \-in key.pem \-conv_form compressed \-out keyout.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-ecparam\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-conv_form\fR and \fB\-no_public\fR options are no longer supported
with keys loaded from an engine in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

321
openssl-install/share/man/man1/openssl-ecparam.1ossl Normal file
View File

@@ -0,0 +1,321 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ECPARAM 1ossl"
.TH OPENSSL-ECPARAM 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ecparam \- EC parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl ecparam\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-check\fR]
[\fB\-check_named\fR]
[\fB\-name\fR \fIarg\fR]
[\fB\-list_curves\fR]
[\fB\-conv_form\fR \fIarg\fR]
[\fB\-param_enc\fR \fIarg\fR]
[\fB\-no_seed\fR]
[\fB\-genkey\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1EC\s0 parameter files.
.PP
OpenSSL is currently not able to generate new groups and therefore
this command can only create \s-1EC\s0 parameters from known (named) curves.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The \s-1EC\s0 parameters input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The \s-1EC\s0 parameters output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
Parameters are encoded as \fBEcpkParameters\fR as specified in \s-1IETF RFC 3279.\s0
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1EC\s0 parameters in human readable form.
.IP "\fB\-check\fR" 4
.IX Item "-check"
Validate the elliptic curve parameters.
.IP "\fB\-check_named\fR" 4
.IX Item "-check_named"
Validate the elliptic name curve parameters by checking if the curve parameters
match any built-in curves.
.IP "\fB\-name\fR \fIarg\fR" 4
.IX Item "-name arg"
Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR
to get a list of all currently implemented \s-1EC\s0 parameters.
.IP "\fB\-list_curves\fR" 4
.IX Item "-list_curves"
Print out a list of all currently implemented \s-1EC\s0 parameters names and exit.
.IP "\fB\-conv_form\fR \fIarg\fR" 4
.IX Item "-conv_form arg"
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
default value) and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
.IP "\fB\-param_enc\fR \fIarg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
explicitly given (see \s-1RFC 3279\s0 for the definition of the
\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
is currently not implemented in OpenSSL.
.IP "\fB\-no_seed\fR" 4
.IX Item "-no_seed"
This option inhibits that the 'seed' for the parameter generation
is included in the ECParameters structure (see \s-1RFC 3279\s0).
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate an \s-1EC\s0 private key using the specified parameters.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.PP
The \fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1) commands are capable
of performing all the operations this command can, as well as supporting
other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The documentation for the \fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1)
commands contains examples equivalent to the ones listed here.
.PP
To create \s-1EC\s0 parameters with the group 'prime192v1':
.PP
.Vb 1
\& openssl ecparam \-out ec_param.pem \-name prime192v1
.Ve
.PP
To create \s-1EC\s0 parameters with explicit parameters:
.PP
.Vb 1
\& openssl ecparam \-out ec_param.pem \-name prime192v1 \-param_enc explicit
.Ve
.PP
To validate given \s-1EC\s0 parameters:
.PP
.Vb 1
\& openssl ecparam \-in ec_param.pem \-check
.Ve
.PP
To create \s-1EC\s0 parameters and a private key:
.PP
.Vb 1
\& openssl ecparam \-out ec_key.pem \-name prime192v1 \-genkey
.Ve
.PP
To change the point encoding to 'compressed':
.PP
.Vb 1
\& openssl ecparam \-in ec_in.pem \-out ec_out.pem \-conv_form compressed
.Ve
.PP
To print out the \s-1EC\s0 parameters to standard output:
.PP
.Vb 1
\& openssl ecparam \-in ec_param.pem \-noout \-text
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkeyparam\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-ec\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-C\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

619
openssl-install/share/man/man1/openssl-enc.1ossl Normal file
View File

@@ -0,0 +1,619 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ENC 1ossl"
.TH OPENSSL-ENC 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-enc \- symmetric cipher routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBenc\fR|\fIcipher\fR
[\fB\-\f(BIcipher\fB\fR]
[\fB\-help\fR]
[\fB\-list\fR]
[\fB\-ciphers\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-pass\fR \fIarg\fR]
[\fB\-e\fR]
[\fB\-d\fR]
[\fB\-a\fR]
[\fB\-base64\fR]
[\fB\-A\fR]
[\fB\-k\fR \fIpassword\fR]
[\fB\-kfile\fR \fIfilename\fR]
[\fB\-K\fR \fIkey\fR]
[\fB\-iv\fR \fI\s-1IV\s0\fR]
[\fB\-S\fR \fIsalt\fR]
[\fB\-salt\fR]
[\fB\-nosalt\fR]
[\fB\-z\fR]
[\fB\-md\fR \fIdigest\fR]
[\fB\-iter\fR \fIcount\fR]
[\fB\-pbkdf2\fR]
[\fB\-saltlen\fR \fIsize\fR]
[\fB\-p\fR]
[\fB\-P\fR]
[\fB\-bufsize\fR \fInumber\fR]
[\fB\-nopad\fR]
[\fB\-v\fR]
[\fB\-debug\fR]
[\fB\-none\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.PP
\&\fBopenssl\fR \fIcipher\fR [\fB...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The symmetric cipher commands allow data to be encrypted or decrypted
using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
The cipher to use.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-list\fR" 4
.IX Item "-list"
List all supported ciphers.
.IP "\fB\-ciphers\fR" 4
.IX Item "-ciphers"
Alias of \-list to display all supported ciphers.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input filename, standard input by default.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The output filename, standard output by default.
.IP "\fB\-pass\fR \fIarg\fR" 4
.IX Item "-pass arg"
The password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-e\fR" 4
.IX Item "-e"
Encrypt the input data: this is the default.
.IP "\fB\-d\fR" 4
.IX Item "-d"
Decrypt the input data.
.IP "\fB\-a\fR" 4
.IX Item "-a"
Base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
.Sp
When the \fB\-A\fR option not given,
on encoding a newline is inserted after each 64 characters, and
on decoding a newline is expected among the first 1024 bytes of input.
.IP "\fB\-base64\fR" 4
.IX Item "-base64"
Same as \fB\-a\fR
.IP "\fB\-A\fR" 4
.IX Item "-A"
If the \fB\-a\fR option is set then base64 encoding produces output without any
newline character, and base64 decoding does not require any newlines.
Therefore it can be helpful to use the \fB\-A\fR option when decoding unknown input.
.IP "\fB\-k\fR \fIpassword\fR" 4
.IX Item "-k password"
The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
.IP "\fB\-kfile\fR \fIfilename\fR" 4
.IX Item "-kfile filename"
Read the password to derive the key from the first line of \fIfilename\fR.
This is for compatibility with previous versions of OpenSSL. Superseded by
the \fB\-pass\fR argument.
.IP "\fB\-md\fR \fIdigest\fR" 4
.IX Item "-md digest"
Use the specified digest to create the key from the passphrase.
The default algorithm is sha\-256.
.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
This option enables the use of \s-1PBKDF2\s0 algorithm to derive the key.
.IP "\fB\-pbkdf2\fR" 4
.IX Item "-pbkdf2"
Use \s-1PBKDF2\s0 algorithm with a default iteration count of 10000
unless otherwise specified by the \fB\-iter\fR command line option.
.IP "\fB\-saltlen\fR" 4
.IX Item "-saltlen"
Set the salt length to use when using the \fB\-pbkdf2\fR option.
For compatibility reasons, the default is 8 bytes.
The maximum value is currently 16 bytes.
If the \fB\-pbkdf2\fR option is not used, then this option is ignored
and a fixed salt length of 8 is used. The salt length used when
encrypting must also be used when decrypting.
.IP "\fB\-nosalt\fR" 4
.IX Item "-nosalt"
Don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
used except for test purposes or compatibility with ancient versions of
OpenSSL.
.IP "\fB\-salt\fR" 4
.IX Item "-salt"
Use salt (randomly generated or provide with \fB\-S\fR option) when
encrypting, this is the default.
.IP "\fB\-S\fR \fIsalt\fR" 4
.IX Item "-S salt"
The actual salt to use: this must be represented as a string of hex digits.
If this option is used while encrypting, the same exact value will be needed
again during decryption. This salt may be truncated or zero padded to
match the salt length (See \fB\-saltlen\fR).
.IP "\fB\-K\fR \fIkey\fR" 4
.IX Item "-K key"
The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
using the \fB\-iv\fR option. When both a key and a password are specified, the
key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
password will be taken. It does not make much sense to specify both key
and password.
.IP "\fB\-iv\fR \fI\s-1IV\s0\fR" 4
.IX Item "-iv IV"
The actual \s-1IV\s0 to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the \fB\-K\fR option, the
\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
one of the other options, the \s-1IV\s0 is generated from this password.
.IP "\fB\-p\fR" 4
.IX Item "-p"
Print out the key and \s-1IV\s0 used.
.IP "\fB\-P\fR" 4
.IX Item "-P"
Print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
or decryption.
.IP "\fB\-bufsize\fR \fInumber\fR" 4
.IX Item "-bufsize number"
Set the buffer size for I/O.
.IP "\fB\-nopad\fR" 4
.IX Item "-nopad"
Disable standard block padding.
.IP "\fB\-v\fR" 4
.IX Item "-v"
Verbose print; display some statistics about I/O and buffer sizes.
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Debug the BIOs used for I/O.
.IP "\fB\-z\fR" 4
.IX Item "-z"
Compress or decompress encrypted data using zlib after encryption or before
decryption. This option exists only if OpenSSL was compiled with the zlib
or zlib-dynamic option.
.IP "\fB\-none\fR" 4
.IX Item "-none"
Use \s-1NULL\s0 cipher (no encryption or decryption of input).
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.SH "NOTES"
.IX Header "NOTES"
The program can be called either as \f(CW\*(C`openssl \f(CIcipher\f(CW\*(C'\fR or
\&\f(CW\*(C`openssl enc \-\f(CIcipher\f(CW\*(C'\fR. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the \fBopenssl\-list\fR\|(1) command to get a list of supported ciphers.
.PP
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
configuration file. Engines specified on the command line using \fB\-engine\fR
option can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.
.PP
When the enc command lists supported ciphers, ciphers provided by engines,
specified in the configuration files are listed too.
.PP
A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
.PP
The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
from a password unless you want compatibility with previous versions of
OpenSSL.
.PP
Without the \fB\-salt\fR option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
for this is that without the salt the same password always generates the same
encryption key.
.PP
When the salt is generated at random (that means when encrypting using a
passphrase without explicit salt given using \fB\-S\fR option), the first bytes
of the encrypted data are reserved to store the salt for later decrypting.
.PP
Some of the ciphers do not have large keys and others have security
implications if not used correctly. A beginner is advised to just use
a strong block cipher, such as \s-1AES,\s0 in \s-1CBC\s0 mode.
.PP
All the block ciphers normally use PKCS#5 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
be performed. However, since the chance of random data passing the test
is better than 1 in 256 it isn't a very good test.
.PP
If padding is disabled then the input data must be a multiple of the cipher
block length.
.PP
All \s-1RC2\s0 ciphers have the same key and effective key length.
.PP
Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
.PP
Please note that OpenSSL 3.0 changed the effect of the \fB\-S\fR option.
Any explicit salt value specified via this option is no longer prepended to the
ciphertext when encrypting, and must again be explicitly provided when decrypting.
Conversely, when the \fB\-S\fR option is used during decryption, the ciphertext
is expected to not have a prepended salt value.
.PP
When using OpenSSL 3.0 or later to decrypt data that was encrypted with an
explicit salt under OpenSSL 1.1.1 do not use the \fB\-S\fR option, the salt will
then be read from the ciphertext.
To generate ciphertext that can be decrypted with OpenSSL 1.1.1 do not use
the \fB\-S\fR option, the salt will be then be generated randomly and prepended
to the output.
.SH "SUPPORTED CIPHERS"
.IX Header "SUPPORTED CIPHERS"
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output when invoking this command
with the \fB\-list\fR option (that is \f(CW\*(C`openssl enc \-list\*(C'\fR) is
a list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.
.PP
This command does not support authenticated encryption modes
like \s-1CCM\s0 and \s-1GCM,\s0 and will not support such modes in the future.
This is due to having to begin streaming output (e.g., to standard output
when \fB\-out\fR is not used) before the authentication tag could be validated.
When this command is used in a pipeline, the receiving end will not be
able to roll back upon authentication failure. The \s-1AEAD\s0 modes currently in
common use also suffer from catastrophic failure of confidentiality and/or
integrity upon reuse of key/iv/nonce, and since \fBopenssl enc\fR places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing \s-1AEAD\s0 modes is too great to allow. These key/iv/nonce
management issues also affect other modes currently exposed in this command,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed with a stable release branch.
For bulk encryption of data, whether using authenticated encryption
modes or other modes, \fBopenssl\-cms\fR\|(1) is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.
.PP
When enc is used with key wrapping modes the input data cannot be streamed,
meaning it must be processed in a single pass.
Consequently, the input data size must be less than
the buffer size (\-bufsize arg, default to 8*1024 bytes).
The '*\-wrap' ciphers require the input to be a multiple of 8 bytes long,
because no padding is involved.
The '*\-wrap\-pad' ciphers allow any input length.
In both cases, no \s-1IV\s0 is needed. See example below.
.PP
.Vb 1
\& base64 Base 64
\&
\& bf\-cbc Blowfish in CBC mode
\& bf Alias for bf\-cbc
\& blowfish Alias for bf\-cbc
\& bf\-cfb Blowfish in CFB mode
\& bf\-ecb Blowfish in ECB mode
\& bf\-ofb Blowfish in OFB mode
\&
\& cast\-cbc CAST in CBC mode
\& cast Alias for cast\-cbc
\& cast5\-cbc CAST5 in CBC mode
\& cast5\-cfb CAST5 in CFB mode
\& cast5\-ecb CAST5 in ECB mode
\& cast5\-ofb CAST5 in OFB mode
\&
\& chacha20 ChaCha20 algorithm
\&
\& des\-cbc DES in CBC mode
\& des Alias for des\-cbc
\& des\-cfb DES in CFB mode
\& des\-ofb DES in OFB mode
\& des\-ecb DES in ECB mode
\&
\& des\-ede\-cbc Two key triple DES EDE in CBC mode
\& des\-ede Two key triple DES EDE in ECB mode
\& des\-ede\-cfb Two key triple DES EDE in CFB mode
\& des\-ede\-ofb Two key triple DES EDE in OFB mode
\&
\& des\-ede3\-cbc Three key triple DES EDE in CBC mode
\& des\-ede3 Three key triple DES EDE in ECB mode
\& des3 Alias for des\-ede3\-cbc
\& des\-ede3\-cfb Three key triple DES EDE CFB mode
\& des\-ede3\-ofb Three key triple DES EDE in OFB mode
\&
\& desx DESX algorithm.
\&
\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
\& gost89\-cnt GOST 28147\-89 in CNT mode (provided by ccgost engine)
\&
\& idea\-cbc IDEA algorithm in CBC mode
\& idea same as idea\-cbc
\& idea\-cfb IDEA in CFB mode
\& idea\-ecb IDEA in ECB mode
\& idea\-ofb IDEA in OFB mode
\&
\& rc2\-cbc 128 bit RC2 in CBC mode
\& rc2 Alias for rc2\-cbc
\& rc2\-cfb 128 bit RC2 in CFB mode
\& rc2\-ecb 128 bit RC2 in ECB mode
\& rc2\-ofb 128 bit RC2 in OFB mode
\& rc2\-64\-cbc 64 bit RC2 in CBC mode
\& rc2\-40\-cbc 40 bit RC2 in CBC mode
\&
\& rc4 128 bit RC4
\& rc4\-64 64 bit RC4
\& rc4\-40 40 bit RC4
\&
\& rc5\-cbc RC5 cipher in CBC mode
\& rc5 Alias for rc5\-cbc
\& rc5\-cfb RC5 cipher in CFB mode
\& rc5\-ecb RC5 cipher in ECB mode
\& rc5\-ofb RC5 cipher in OFB mode
\&
\& seed\-cbc SEED cipher in CBC mode
\& seed Alias for seed\-cbc
\& seed\-cfb SEED cipher in CFB mode
\& seed\-ecb SEED cipher in ECB mode
\& seed\-ofb SEED cipher in OFB mode
\&
\& sm4\-cbc SM4 cipher in CBC mode
\& sm4 Alias for sm4\-cbc
\& sm4\-cfb SM4 cipher in CFB mode
\& sm4\-ctr SM4 cipher in CTR mode
\& sm4\-ecb SM4 cipher in ECB mode
\& sm4\-ofb SM4 cipher in OFB mode
\&
\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
\& aes[128|192|256] Alias for aes\-[128|192|256]\-cbc
\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
\& aes\-[128|192|256]\-ctr 128/192/256 bit AES in CTR mode
\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
\&
\& aes\-[128|192|256]\-wrap key wrapping using 128/192/256 bit AES
\& aes\-[128|192|256]\-wrap\-pad key wrapping with padding using 128/192/256 bit AES
\&
\& aria\-[128|192|256]\-cbc 128/192/256 bit ARIA in CBC mode
\& aria[128|192|256] Alias for aria\-[128|192|256]\-cbc
\& aria\-[128|192|256]\-cfb 128/192/256 bit ARIA in 128 bit CFB mode
\& aria\-[128|192|256]\-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
\& aria\-[128|192|256]\-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
\& aria\-[128|192|256]\-ctr 128/192/256 bit ARIA in CTR mode
\& aria\-[128|192|256]\-ecb 128/192/256 bit ARIA in ECB mode
\& aria\-[128|192|256]\-ofb 128/192/256 bit ARIA in OFB mode
\&
\& camellia\-[128|192|256]\-cbc 128/192/256 bit Camellia in CBC mode
\& camellia[128|192|256] Alias for camellia\-[128|192|256]\-cbc
\& camellia\-[128|192|256]\-cfb 128/192/256 bit Camellia in 128 bit CFB mode
\& camellia\-[128|192|256]\-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
\& camellia\-[128|192|256]\-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
\& camellia\-[128|192|256]\-ctr 128/192/256 bit Camellia in CTR mode
\& camellia\-[128|192|256]\-ecb 128/192/256 bit Camellia in ECB mode
\& camellia\-[128|192|256]\-ofb 128/192/256 bit Camellia in OFB mode
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Just base64 encode a binary file:
.PP
.Vb 1
\& openssl base64 \-in file.bin \-out file.b64
.Ve
.PP
Decode the same file
.PP
.Vb 1
\& openssl base64 \-d \-in file.b64 \-out file.bin
.Ve
.PP
Encrypt a file using \s-1AES\-128\s0 using a prompted password
and \s-1PBKDF2\s0 key derivation:
.PP
.Vb 1
\& openssl enc \-aes128 \-pbkdf2 \-in file.txt \-out file.aes128
.Ve
.PP
Decrypt a file using a supplied password:
.PP
.Vb 2
\& openssl enc \-aes128 \-pbkdf2 \-d \-in file.aes128 \-out file.txt \e
\& \-pass pass:<password>
.Ve
.PP
Encrypt a file then base64 encode it (so it can be sent via mail for example)
using \s-1AES\-256\s0 in \s-1CTR\s0 mode and \s-1PBKDF2\s0 key derivation:
.PP
.Vb 1
\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-a \-in file.txt \-out file.aes256
.Ve
.PP
Base64 decode a file then decrypt it using a password supplied in a file:
.PP
.Vb 2
\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-d \-a \-in file.aes256 \-out file.txt \e
\& \-pass file:<passfile>
.Ve
.PP
\&\s-1AES\s0 key wrapping:
.PP
.Vb 3
\& openssl enc \-e \-a \-id\-aes128\-wrap\-pad \-K 000102030405060708090A0B0C0D0E0F \-in file.bin
\&or
\& openssl aes128\-wrap\-pad \-e \-a \-K 000102030405060708090A0B0C0D0E0F \-in file.bin
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \fB\-A\fR option when used with large files doesn't work properly.
On the other hand, when base64 decoding without the \fB\-A\fR option,
if the first 1024 bytes of input do not include a newline character
the first two lines of input are ignored.
.PP
The \fBopenssl enc\fR command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.
.SH "HISTORY"
.IX Header "HISTORY"
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
.PP
The \fB\-list\fR option was added in OpenSSL 1.1.1e.
.PP
The \fB\-ciphers\fR and \fB\-engine\fR options were deprecated in OpenSSL 3.0.
.PP
The \fB\-saltlen\fR option was added in OpenSSL 3.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

251
openssl-install/share/man/man1/openssl-engine.1ossl Normal file
View File

@@ -0,0 +1,251 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ENGINE 1ossl"
.TH OPENSSL-ENGINE 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-engine \- load and query engines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl engine\fR
[\fB\-help\fR]
[\fB\-v\fR]
[\fB\-vv\fR]
[\fB\-vvv\fR]
[\fB\-vvvv\fR]
[\fB\-c\fR]
[\fB\-t\fR]
[\fB\-tt\fR]
[\fB\-pre\fR \fIcommand\fR] ...
[\fB\-post\fR \fIcommand\fR] ...
[\fIengine\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command has been deprecated. Providers should be used instead of engines.
.PP
This command is used to query the status and capabilities
of the specified \fIengine\fRs.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display an option summary.
.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4
.IX Item "-v -vv -vvv -vvvv"
Provides information about each specified engine. The first flag lists
all the possible run-time control commands; the second adds a
description of each command; the third adds the input flags, and the
final option adds the internal input flags.
.IP "\fB\-c\fR" 4
.IX Item "-c"
Lists the capabilities of each engine.
.IP "\fB\-t\fR" 4
.IX Item "-t"
Tests if each specified engine is available, and displays the answer.
.IP "\fB\-tt\fR" 4
.IX Item "-tt"
Displays an error trace for any unavailable engine.
.IP "\fB\-pre\fR \fIcommand\fR" 4
.IX Item "-pre command"
.PD 0
.IP "\fB\-post\fR \fIcommand\fR" 4
.IX Item "-post command"
.PD
Command-line configuration of engines.
The \fB\-pre\fR command is given to the engine before it is loaded and
the \fB\-post\fR command is given after the engine is loaded.
The \fIcommand\fR is of the form \fIcmd\fR:\fIval\fR where \fIcmd\fR is the command,
and \fIval\fR is the value for the command.
See the example below.
.Sp
These two options are cumulative, so they may be given more than once in the
same command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To list all the commands available to a dynamic engine:
.PP
.Vb 10
\& $ openssl engine \-t \-tt \-vvvv dynamic
\& (dynamic) Dynamic engine loading support
\& [ unavailable ]
\& SO_PATH: Specifies the path to the new ENGINE shared library
\& (input flags): STRING
\& NO_VCHECK: Specifies to continue even if version checking fails (boolean)
\& (input flags): NUMERIC
\& ID: Specifies an ENGINE id name for loading
\& (input flags): STRING
\& LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
\& (input flags): NUMERIC
\& DIR_LOAD: Specifies whether to load from \*(AqDIR_ADD\*(Aq directories (0=no,1=yes,2=mandatory)
\& (input flags): NUMERIC
\& DIR_ADD: Adds a directory from which ENGINEs can be loaded
\& (input flags): STRING
\& LOAD: Load up the ENGINE specified by other settings
\& (input flags): NO_INPUT
.Ve
.PP
To list the capabilities of the \fBrsax\fR engine:
.PP
.Vb 4
\& $ openssl engine \-c
\& (rsax) RSAX engine support
\& [RSA]
\& (dynamic) Dynamic engine loading support
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBconfig\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
This command was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

185
openssl-install/share/man/man1/openssl-errstr.1ossl Normal file
View File

@@ -0,0 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ERRSTR 1ossl"
.TH OPENSSL-ERRSTR 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-errstr \- lookup error codes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl errstr\fR
[\fB\-help\fR]
\&\fIerror_code...\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Sometimes an application will not load error message texts and only
numerical forms will be available. This command can be
used to display the meaning of the hex code. The hex code is the hex digits
after the second colon.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display a usage message.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The error code:
.PP
.Vb 1
\& 27594:error:2006D080:lib(32)::reason(128)::107:
.Ve
.PP
can be displayed with:
.PP
.Vb 1
\& openssl errstr 2006D080
.Ve
.PP
to produce the error message:
.PP
.Vb 1
\& error:2006D080:BIO routines::no such file
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

578
openssl-install/share/man/man1/openssl-fipsinstall.1ossl Normal file
View File

@@ -0,0 +1,578 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-FIPSINSTALL 1ossl"
.TH OPENSSL-FIPSINSTALL 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-fipsinstall \- perform FIPS configuration installation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl fipsinstall\fR
[\fB\-help\fR]
[\fB\-in\fR \fIconfigfilename\fR]
[\fB\-out\fR \fIconfigfilename\fR]
[\fB\-module\fR \fImodulefilename\fR]
[\fB\-provider_name\fR \fIprovidername\fR]
[\fB\-section_name\fR \fIsectionname\fR]
[\fB\-verify\fR]
[\fB\-mac_name\fR \fImacname\fR]
[\fB\-macopt\fR \fInm\fR:\fIv\fR]
[\fB\-noout\fR]
[\fB\-quiet\fR]
[\fB\-pedantic\fR]
[\fB\-no_conditional_errors\fR]
[\fB\-no_security_checks\fR]
[\fB\-hmac_key_check\fR]
[\fB\-kmac_key_check\fR]
[\fB\-ems_check\fR]
[\fB\-no_drbg_truncated_digests\fR]
[\fB\-signature_digest_check\fR]
[\fB\-hkdf_digest_check\fR]
[\fB\-tls13_kdf_digest_check\fR]
[\fB\-tls1_prf_digest_check\fR]
[\fB\-sshkdf_digest_check\fR]
[\fB\-sskdf_digest_check\fR]
[\fB\-x963kdf_digest_check\fR]
[\fB\-dsa_sign_disabled\fR]
[\fB\-no_pbkdf2_lower_bound_check\fR]
[\fB\-no_short_mac\fR]
[\fB\-tdes_encrypt_disabled\fR]
[\fB\-rsa_pkcs15_padding_disabled\fR]
[\fB\-rsa_pss_saltlen_check\fR]
[\fB\-rsa_sign_x931_disabled\fR]
[\fB\-hkdf_key_check\fR]
[\fB\-kbkdf_key_check\fR]
[\fB\-tls13_kdf_key_check\fR]
[\fB\-tls1_prf_key_check\fR]
[\fB\-sshkdf_key_check\fR]
[\fB\-sskdf_key_check\fR]
[\fB\-x963kdf_key_check\fR]
[\fB\-x942kdf_key_check\fR]
[\fB\-ecdh_cofactor_check\fR]
[\fB\-self_test_onload\fR]
[\fB\-self_test_oninstall\fR]
[\fB\-corrupt_desc\fR \fIselftest_description\fR]
[\fB\-corrupt_type\fR \fIselftest_type\fR]
[\fB\-config\fR \fIparent_config\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to generate a \s-1FIPS\s0 module configuration file.
This configuration file can be used each time a \s-1FIPS\s0 module is loaded
in order to pass data to the \s-1FIPS\s0 module self tests. The \s-1FIPS\s0 module always
verifies its \s-1MAC,\s0 but optionally only needs to run the \s-1KAT\s0's once,
at installation.
.PP
The generated configuration file consists of:
.IP "\- A \s-1MAC\s0 of the \s-1FIPS\s0 module file." 4
.IX Item "- A MAC of the FIPS module file."
.PD 0
.IP "\- A test status indicator." 4
.IX Item "- A test status indicator."
.PD
This indicates if the Known Answer Self Tests (\s-1KAT\s0's) have successfully run.
.IP "\- A \s-1MAC\s0 of the status indicator." 4
.IX Item "- A MAC of the status indicator."
.PD 0
.IP "\- A control for conditional self tests errors." 4
.IX Item "- A control for conditional self tests errors."
.PD
By default if a continuous test (e.g a key pair test) fails then the \s-1FIPS\s0 module
will enter an error state, and no services or cryptographic algorithms will be
able to be accessed after this point.
The default value of '1' will cause the fips module error state to be entered.
If the value is '0' then the module error state will not be entered.
Regardless of whether the error state is entered or not, the current operation
(e.g. key generation) will return an error. The user is responsible for retrying
the operation if the module error state is not entered.
.IP "\- A control to indicate whether run-time security checks are done." 4
.IX Item "- A control to indicate whether run-time security checks are done."
This indicates if run-time checks related to enforcement of security parameters
such as minimum security strength of keys and approved curve names are used.
The default value of '1' will perform the checks.
If the value is '0' the checks are not performed and \s-1FIPS\s0 compliance must
be done by procedures documented in the relevant Security Policy.
.PP
This file is described in \fBfips_config\fR\|(5).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
.IP "\fB\-module\fR \fIfilename\fR" 4
.IX Item "-module filename"
Filename of the \s-1FIPS\s0 module to perform an integrity check on.
The path provided in the filename is used to load the module when it is
activated, and this overrides the environment variable \fB\s-1OPENSSL_MODULES\s0\fR.
.IP "\fB\-out\fR \fIconfigfilename\fR" 4
.IX Item "-out configfilename"
Filename to output the configuration data to; the default is standard output.
.IP "\fB\-in\fR \fIconfigfilename\fR" 4
.IX Item "-in configfilename"
Input filename to load configuration data from.
Must be used if the \fB\-verify\fR option is specified.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify that the input configuration file contains the correct information.
.IP "\fB\-provider_name\fR \fIprovidername\fR" 4
.IX Item "-provider_name providername"
Name of the provider inside the configuration file.
The default value is \f(CW\*(C`fips\*(C'\fR.
.IP "\fB\-section_name\fR \fIsectionname\fR" 4
.IX Item "-section_name sectionname"
Name of the section inside the configuration file.
The default value is \f(CW\*(C`fips_sect\*(C'\fR.
.IP "\fB\-mac_name\fR \fIname\fR" 4
.IX Item "-mac_name name"
Specifies the name of a supported \s-1MAC\s0 algorithm which will be used.
The \s-1MAC\s0 mechanisms that are available will depend on the options
used when building OpenSSL.
To see the list of supported \s-1MAC\s0's use the command
\&\f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR. The default is \fB\s-1HMAC\s0\fR.
.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
Passes options to the \s-1MAC\s0 algorithm.
A comprehensive list of controls can be found in the \s-1EVP_MAC\s0 implementation
documentation.
Common control strings used for this command are:
.RS 4
.IP "\fBkey\fR:\fIstring\fR" 4
.IX Item "key:string"
Specifies the \s-1MAC\s0 key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
A key must be specified for every \s-1MAC\s0 algorithm.
If no key is provided, the default that was specified when OpenSSL was
configured is used.
.IP "\fBhexkey\fR:\fIstring\fR" 4
.IX Item "hexkey:string"
Specifies the \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the \s-1MAC\s0 algorithm.
A key must be specified for every \s-1MAC\s0 algorithm.
If no key is provided, the default that was specified when OpenSSL was
configured is used.
.IP "\fBdigest\fR:\fIstring\fR" 4
.IX Item "digest:string"
Used by \s-1HMAC\s0 as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
To see the list of supported digests, use the command
\&\f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
The default digest is \s-1SHA\-256.\s0
.RE
.RS 4
.RE
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Disable logging of the self tests.
.IP "\fB\-pedantic\fR" 4
.IX Item "-pedantic"
Configure the module so that it is strictly \s-1FIPS\s0 compliant rather
than being backwards compatible. This enables conditional errors,
security checks etc. Note that any previous configuration options will
be overwritten and any subsequent configuration options that violate
\&\s-1FIPS\s0 compliance will result in an error.
.IP "\fB\-no_conditional_errors\fR" 4
.IX Item "-no_conditional_errors"
Configure the module to not enter an error state if a conditional self test
fails as described above.
.IP "\fB\-no_security_checks\fR" 4
.IX Item "-no_security_checks"
Configure the module to not perform run-time security checks as described above.
.Sp
Enabling the configuration option \*(L"no-fips-securitychecks\*(R" provides another way to
turn off the check at compile time.
.IP "\fB\-ems_check\fR" 4
.IX Item "-ems_check"
Configure the module to enable a run-time Extended Master Secret (\s-1EMS\s0) check
when using the \s-1TLS1_PRF KDF\s0 algorithm. This check is disabled by default.
See \s-1RFC 7627\s0 for information related to \s-1EMS.\s0
.IP "\fB\-no_short_mac\fR" 4
.IX Item "-no_short_mac"
Configure the module to not allow short \s-1MAC\s0 outputs.
See \s-1SP 800\-185 8.4.2\s0 and \s-1FIPS 140\-3 ID C.D\s0 for details.
.IP "\fB\-hmac_key_check\fR" 4
.IX Item "-hmac_key_check"
Configure the module to not allow small keys sizes when using \s-1HMAC.\s0
See \s-1SP\s0 800\-131Ar2 for details.
.IP "\fB\-kmac_key_check\fR" 4
.IX Item "-kmac_key_check"
Configure the module to not allow small keys sizes when using \s-1KMAC.\s0
See \s-1SP\s0 800\-131Ar2 for details.
.IP "\fB\-no_drbg_truncated_digests\fR" 4
.IX Item "-no_drbg_truncated_digests"
Configure the module to not allow truncated digests to be used with Hash and
\&\s-1HMAC\s0 DRBGs. See \s-1FIPS 140\-3 IG D.R\s0 for details.
.IP "\fB\-signature_digest_check\fR" 4
.IX Item "-signature_digest_check"
Configure the module to enforce signature algorithms to use digests that are
explicitly permitted by the various standards.
.IP "\fB\-hkdf_digest_check\fR" 4
.IX Item "-hkdf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
\&\s-1HKDF.\s0
See \s-1NIST SP\s0 800\-56Cr2 for details.
.IP "\fB\-tls13_kdf_digest_check\fR" 4
.IX Item "-tls13_kdf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
\&\s-1TLS13 KDF.\s0
See \s-1RFC 8446\s0 for details.
.IP "\fB\-tls1_prf_digest_check\fR" 4
.IX Item "-tls1_prf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
\&\s-1TLS_PRF.\s0
See \s-1NIST SP\s0 800\-135r1 for details.
.IP "\fB\-sshkdf_digest_check\fR" 4
.IX Item "-sshkdf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
\&\s-1SSHKDF.\s0
See \s-1NIST SP\s0 800\-135r1 for details.
.IP "\fB\-sskdf_digest_check\fR" 4
.IX Item "-sskdf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
\&\s-1SSKDF.\s0
See \s-1NIST SP\s0 800\-56Cr2 for details.
.IP "\fB\-x963kdf_digest_check\fR" 4
.IX Item "-x963kdf_digest_check"
Configure the module to enable a run-time digest check when deriving a key by
X963KDF.
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-dsa_sign_disabled\fR" 4
.IX Item "-dsa_sign_disabled"
Configure the module to not allow \s-1DSA\s0 signing (\s-1DSA\s0 signature verification is
still allowed). See \s-1FIPS 140\-3 IG C.K\s0 for details.
.IP "\fB\-tdes_encrypt_disabled\fR" 4
.IX Item "-tdes_encrypt_disabled"
Configure the module to not allow Triple-DES encryption.
Triple-DES decryption is still allowed for legacy purposes.
See SP800\-131Ar2 for details.
.IP "\fB\-rsa_pkcs15_padding_disabled\fR" 4
.IX Item "-rsa_pkcs15_padding_disabled"
Configure the module to not allow PKCS#1 version 1.5 padding to be used with
\&\s-1RSA\s0 for key transport and key agreement. See \s-1NIST\s0's \s-1SP 800\-131A\s0 Revision 2
for details.
.IP "\fB\-rsa_pss_saltlen_check\fR" 4
.IX Item "-rsa_pss_saltlen_check"
Configure the module to enable a run-time salt length check when generating or
verifying a RSA-PSS signature.
See \s-1FIPS 186\-5 5.4\s0 (g) for details.
.IP "\fB\-rsa_sign_x931_disabled\fR" 4
.IX Item "-rsa_sign_x931_disabled"
Configure the module to not allow X9.31 padding to be used when signing with
\&\s-1RSA.\s0 See \s-1FIPS 140\-3 IG C.K\s0 for details.
.IP "\fB\-hkdf_key_check\fR" 4
.IX Item "-hkdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1HKDF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-kbkdf_key_check\fR" 4
.IX Item "-kbkdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1KBKDF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-tls13_kdf_key_check\fR" 4
.IX Item "-tls13_kdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1TLS13 KDF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-tls1_prf_key_check\fR" 4
.IX Item "-tls1_prf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1TLS_PRF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-sshkdf_key_check\fR" 4
.IX Item "-sshkdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1SSHKDF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-sskdf_key_check\fR" 4
.IX Item "-sskdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by \s-1SSKDF.\s0
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-x963kdf_key_check\fR" 4
.IX Item "-x963kdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by X963KDF.
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-x942kdf_key_check\fR" 4
.IX Item "-x942kdf_key_check"
Configure the module to enable a run-time short key-derivation key check when
deriving a key by X942KDF.
See \s-1NIST SP\s0 800\-131Ar2 for details.
.IP "\fB\-no_pbkdf2_lower_bound_check\fR" 4
.IX Item "-no_pbkdf2_lower_bound_check"
Configure the module to not perform run-time lower bound check for \s-1PBKDF2.\s0
See \s-1NIST SP 800\-132\s0 for details.
.IP "\fB\-ecdh_cofactor_check\fR" 4
.IX Item "-ecdh_cofactor_check"
Configure the module to enable a run-time check that \s-1ECDH\s0 uses the \s-1EC\s0 curves
cofactor value when deriving a key. This only affects the 'B' and 'K' curves.
See \s-1SP 800\-56A\s0 r3 Section 5.7.1.2 for details.
.IP "\fB\-self_test_onload\fR" 4
.IX Item "-self_test_onload"
Do not write the two fields related to the \*(L"test status indicator\*(R" and
\&\*(L"\s-1MAC\s0 status indicator\*(R" to the output configuration file. Without these fields
the self tests \s-1KATS\s0 will run each time the module is loaded. This option could be
used for cross compiling, since the self tests need to run at least once on each
target machine. Once the self tests have run on the target machine the user
could possibly then add the 2 fields into the configuration using some other
mechanism.
.Sp
This is the default.
.IP "\fB\-self_test_oninstall\fR" 4
.IX Item "-self_test_oninstall"
The converse of \fB\-self_test_oninstall\fR. The two fields related to the
\&\*(L"test status indicator\*(R" and \*(L"\s-1MAC\s0 status indicator\*(R" are written to the
output configuration file.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Do not output pass/fail messages. Implies \fB\-noout\fR.
.IP "\fB\-corrupt_desc\fR \fIselftest_description\fR, \fB\-corrupt_type\fR \fIselftest_type\fR" 4
.IX Item "-corrupt_desc selftest_description, -corrupt_type selftest_type"
The corrupt options can be used to test failure of one or more self tests by
name.
Either option or both may be used to select the tests to corrupt.
Refer to the entries for \fBst-desc\fR and \fBst-type\fR in \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) for
values that can be used.
.IP "\fB\-config\fR \fIparent_config\fR" 4
.IX Item "-config parent_config"
Test that a \s-1FIPS\s0 provider can be loaded from the specified configuration file.
A previous call to this application needs to generate the extra configuration
data that is included by the base \f(CW\*(C`parent_config\*(C'\fR configuration file.
See \fBconfig\fR\|(5) for further information on how to set up a provider section.
All other options are ignored if '\-config' is used.
.SH "NOTES"
.IX Header "NOTES"
Self tests results are logged by default if the options \fB\-quiet\fR and \fB\-noout\fR
are not specified, or if either of the options \fB\-corrupt_desc\fR or
\&\fB\-corrupt_type\fR are used.
If the base configuration file is set up to autoload the fips module, then the
fips module will be loaded and self tested \s-1BEFORE\s0 the fipsinstall application
has a chance to set up its own self test callback. As a result of this the self
test output and the options \fB\-corrupt_desc\fR and \fB\-corrupt_type\fR will be ignored.
For normal usage the base configuration file should use the default provider
when generating the fips configuration file.
.PP
The \fB\-self_test_oninstall\fR option was added and the
\&\fB\-self_test_onload\fR option was made the default in OpenSSL 3.1.
.PP
The command and all remaining options were added in OpenSSL 3.0.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Calculate the mac of a \s-1FIPS\s0 module \fIfips.so\fR and run a \s-1FIPS\s0 self test
for the module, and save the \fIfips.cnf\fR configuration file:
.PP
.Vb 1
\& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips
.Ve
.PP
Verify that the configuration file \fIfips.cnf\fR contains the correct info:
.PP
.Vb 1
\& openssl fipsinstall \-module ./fips.so \-in fips.cnf \-provider_name fips \-verify
.Ve
.PP
Corrupt any self tests which have the description \f(CW\*(C`SHA1\*(C'\fR:
.PP
.Vb 2
\& openssl fipsinstall \-module ./fips.so \-out fips.cnf \-provider_name fips \e
\& \-corrupt_desc \*(AqSHA1\*(Aq
.Ve
.PP
Validate that the fips module can be loaded from a base configuration file:
.PP
.Vb 3
\& export OPENSSL_CONF_INCLUDE=<path of configuration files>
\& export OPENSSL_MODULES=<provider\-path>
\& openssl fipsinstall \-config\*(Aq \*(Aqdefault.cnf\*(Aq
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5),
\&\fBfips_config\fR\|(5),
\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
\&\s-1\fBEVP_MAC\s0\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBopenssl-fipsinstall\fR application was added in OpenSSL 3.0.
.PP
The following options were added in OpenSSL 3.1:
.PP
\&\fB\-ems_check\fR,
\&\fB\-self_test_oninstall\fR
.PP
The following options were added in OpenSSL 3.2:
.PP
\&\fB\-pedantic\fR,
\&\fB\-no_drbg_truncated_digests\fR
.PP
The following options were added in OpenSSL 3.4:
.PP
\&\fB\-hmac_key_check\fR,
\&\fB\-kmac_key_check\fR,
\&\fB\-signature_digest_check\fR,
\&\fB\-hkdf_digest_check\fR,
\&\fB\-tls13_kdf_digest_check\fR,
\&\fB\-tls1_prf_digest_check\fR,
\&\fB\-sshkdf_digest_check\fR,
\&\fB\-sskdf_digest_check\fR,
\&\fB\-x963kdf_digest_check\fR,
\&\fB\-dsa_sign_disabled\fR,
\&\fB\-no_pbkdf2_lower_bound_check\fR,
\&\fB\-no_short_mac\fR,
\&\fB\-tdes_encrypt_disabled\fR,
\&\fB\-rsa_pkcs15_padding_disabled\fR,
\&\fB\-rsa_pss_saltlen_check\fR,
\&\fB\-rsa_sign_x931_disabled\fR,
\&\fB\-hkdf_key_check\fR,
\&\fB\-kbkdf_key_check\fR,
\&\fB\-tls13_kdf_key_check\fR,
\&\fB\-tls1_prf_key_check\fR,
\&\fB\-sshkdf_key_check\fR,
\&\fB\-sskdf_key_check\fR,
\&\fB\-x963kdf_key_check\fR,
\&\fB\-x942kdf_key_check\fR,
\&\fB\-ecdh_cofactor_check\fR
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

265
openssl-install/share/man/man1/openssl-format-options.1ossl Normal file
View File

@@ -0,0 +1,265 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-FORMAT-OPTIONS 1ossl"
.TH OPENSSL-FORMAT-OPTIONS 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-format\-options \- OpenSSL command input and output format options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIoptions\fR ... ]
[ \fIparameters\fR ... ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several OpenSSL commands can take input or generate output in a variety
of formats.
.PP
Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
files in any of the \fB\s-1DER\s0\fR, \fB\s-1PEM\s0\fR or \fBP12\fR formats. Specifying their input
format is no more needed and the openssl commands will automatically try all
the possible formats. However if the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR input format is specified
it will be enforced.
.PP
In order to access a key via an engine the input format \fB\s-1ENGINE\s0\fR may be used;
alternatively the key identifier in the <uri> argument of the respective key
option may be preceded by \f(CW\*(C`org.openssl.engine:\*(C'\fR.
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1) for an example usage of the latter.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Format Options"
.IX Subsection "Format Options"
The options to specify the format are as follows.
Refer to the individual man page to see which options are accepted.
.IP "\fB\-inform\fR \fIformat\fR, \fB\-outform\fR \fIformat\fR" 4
.IX Item "-inform format, -outform format"
The format of the input or output streams.
.IP "\fB\-keyform\fR \fIformat\fR" 4
.IX Item "-keyform format"
Format of a private key input source.
.IP "\fB\-CRLform\fR \fIformat\fR" 4
.IX Item "-CRLform format"
Format of a \s-1CRL\s0 input source.
.SS "Format Option Arguments"
.IX Subsection "Format Option Arguments"
The possible format arguments are described below.
Both uppercase and lowercase are accepted.
.PP
The list of acceptable format arguments, and the default,
is described in each command documentation.
.IP "\fB\s-1DER\s0\fR" 4
.IX Item "DER"
A binary format, encoded or parsed according to Distinguished Encoding Rules
(\s-1DER\s0) of the \s-1ASN.1\s0 data language.
.IP "\fB\s-1ENGINE\s0\fR" 4
.IX Item "ENGINE"
Used to specify that the cryptographic material is in an OpenSSL \fBengine\fR.
An engine must be configured or specified using the \fB\-engine\fR option.
A password or \s-1PIN\s0 may be supplied to the engine using the \fB\-passin\fR option.
.IP "\fBP12\fR" 4
.IX Item "P12"
A DER-encoded file containing a PKCS#12 object.
It might be necessary to provide a decryption password to retrieve
the private key.
.IP "\fB\s-1PEM\s0\fR" 4
.IX Item "PEM"
A text format defined in \s-1IETF RFC 1421\s0 and \s-1IETF RFC 7468.\s0 Briefly, this is
a block of base\-64 encoding (defined in \s-1IETF RFC 4648\s0), with specific
lines used to mark the start and end:
.Sp
.Vb 7
\& Text before the BEGIN line is ignored.
\& \-\-\-\-\- BEGIN object\-type \-\-\-\-\-
\& OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
\& xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
\& UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
\& \-\-\-\-\- END object\-type \-\-\-\-\-
\& Text after the END line is also ignored
.Ve
.Sp
The \fIobject-type\fR must match the type of object that is expected.
For example a \f(CW\*(C`BEGIN X509 CERTIFICATE\*(C'\fR will not match if the command
is trying to read a private key. The types supported include:
.Sp
.Vb 10
\& ANY PRIVATE KEY
\& CERTIFICATE
\& CERTIFICATE REQUEST
\& CMS
\& DH PARAMETERS
\& DSA PARAMETERS
\& DSA PUBLIC KEY
\& EC PARAMETERS
\& EC PRIVATE KEY
\& ECDSA PUBLIC KEY
\& ENCRYPTED PRIVATE KEY
\& PARAMETERS
\& PKCS #7 SIGNED DATA
\& PKCS7
\& PRIVATE KEY
\& PUBLIC KEY
\& RSA PRIVATE KEY
\& SSL SESSION PARAMETERS
\& TRUSTED CERTIFICATE
\& X509 CRL
\& X9.42 DH PARAMETERS
.Ve
.Sp
The following legacy \fIobject-type\fR's are also supported for compatibility
with earlier releases:
.Sp
.Vb 4
\& DSA PRIVATE KEY
\& NEW CERTIFICATE REQUEST
\& RSA PUBLIC KEY
\& X509 CERTIFICATE
.Ve
.IP "\fB\s-1SMIME\s0\fR" 4
.IX Item "SMIME"
An S/MIME object as described in \s-1IETF RFC 8551.\s0
Earlier versions were known as \s-1CMS\s0 and are compatible.
Note that the parsing is simple and might fail to parse some legal data.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

244
openssl-install/share/man/man1/openssl-gendsa.1ossl Normal file
View File

@@ -0,0 +1,244 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENDSA 1ossl"
.TH OPENSSL-GENDSA 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-gendsa \- generate a DSA private key from a set of parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgendsa\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIparamfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
(which will be typically generated by the \fBopenssl\-dsaparam\fR\|(1) command).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The passphrase used for the output file.
See \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
.Sp
Note that all options must be given before the \fIparamfile\fR argument.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Print fewer details about the operations being performed, which may
be handy during batch scripts and pipelines.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fIparamfile\fR" 4
.IX Item "paramfile"
The \s-1DSA\s0 parameter file to use. The parameters in this file determine
the size of the private key. \s-1DSA\s0 parameters can be generated and
examined using the \fBopenssl\-dsaparam\fR\|(1) command.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
\&\s-1DSA\s0 key generation is little more than random number generation so it is
much quicker that \s-1RSA\s0 key generation for example.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

634
openssl-install/share/man/man1/openssl-genpkey.1ossl Normal file
View File

@@ -0,0 +1,634 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENPKEY 1ossl"
.TH OPENSSL-GENPKEY 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-genpkey \- generate a private key or key pair
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenpkey\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-outpubkey\fR \fIfilename\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-pass\fR \fIarg\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-paramfile\fR \fIfile\fR]
[\fB\-algorithm\fR \fIalg\fR]
[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
[\fB\-genparam\fR]
[\fB\-text\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
.PP
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-config\fR \fIconfigfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command generates a private key or key pair.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the private key to the specified file. If this argument is not
specified then standard output is used.
.IP "\fB\-outpubkey\fR \fIfilename\fR" 4
.IX Item "-outpubkey filename"
Output the public key to the specified file. If this argument is not
specified then the public key is not output.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The output format, except when \fB\-genparam\fR is given; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
When \fB\-genparam\fR is given, \fB\-outform\fR is ignored.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Output \*(L"status dots\*(R" while generating keys.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Do not output \*(L"status dots\*(R" while generating keys.
.IP "\fB\-pass\fR \fIarg\fR" 4
.IX Item "-pass arg"
The output file password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
.IP "\fB\-algorithm\fR \fIalg\fR" 4
.IX Item "-algorithm alg"
Public key algorithm to use such as \s-1RSA, DSA, DH\s0 or \s-1DHX.\s0 If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive. Engines or providers may add algorithms in addition to
the standard built-in ones.
.Sp
Valid built-in algorithm names for private key generation are \s-1RSA,\s0 RSA-PSS, \s-1EC,
X25519, X448, ED25519\s0 and \s-1ED448.\s0
.Sp
Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
option) are \s-1DH, DSA\s0 and \s-1EC.\s0
.Sp
Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for \s-1DHX\s0 keys and
PKCS#3 refers to \s-1DH\s0 Keys. Some options are not shared between \s-1DH\s0 and \s-1DHX\s0 keys.
.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
Set the public key algorithm option \fIopt\fR to \fIvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details.
.Sp
To list the possible \fIopt\fR values for an algorithm use:
\&\fBopenssl\fR \fBgenpkey\fR \-algorithm \s-1XXX\s0 \-help
.IP "\fB\-genparam\fR" 4
.IX Item "-genparam"
Generate a set of parameters instead of a private key. If used this option must
precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
.IP "\fB\-paramfile\fR \fIfilename\fR" 4
.IX Item "-paramfile filename"
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
algorithm used is determined by the parameters. If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print an (unencrypted) text representation of private and public keys and
parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.SH "KEY GENERATION OPTIONS"
.IX Header "KEY GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below. There are no key generation options defined for the X25519, X448, \s-1ED25519\s0
or \s-1ED448\s0 algorithms.
.SS "\s-1RSA\s0 Key Generation Options"
.IX Subsection "RSA Key Generation Options"
.IP "\fBrsa_keygen_bits:numbits\fR" 4
.IX Item "rsa_keygen_bits:numbits"
The number of bits in the generated key. If not specified 2048 is used.
.IP "\fBrsa_keygen_primes:numprimes\fR" 4
.IX Item "rsa_keygen_primes:numprimes"
The number of primes in the generated key. If not specified 2 is used.
.IP "\fBrsa_keygen_pubexp:value\fR" 4
.IX Item "rsa_keygen_pubexp:value"
The \s-1RSA\s0 public exponent value. This can be a large decimal or
hexadecimal value if preceded by \f(CW\*(C`0x\*(C'\fR. Default value is 65537.
.SS "RSA-PSS Key Generation Options"
.IX Subsection "RSA-PSS Key Generation Options"
Note: by default an \fBRSA-PSS\fR key has no parameter restrictions.
.IP "\fBrsa_keygen_bits\fR:\fInumbits\fR, \fBrsa_keygen_primes\fR:\fInumprimes\fR, \fBrsa_keygen_pubexp\fR:\fIvalue\fR" 4
.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value"
These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm.
.IP "\fBrsa_pss_keygen_md\fR:\fIdigest\fR" 4
.IX Item "rsa_pss_keygen_md:digest"
If set the key is restricted and can only use \fIdigest\fR for signing.
.IP "\fBrsa_pss_keygen_mgf1_md\fR:\fIdigest\fR" 4
.IX Item "rsa_pss_keygen_mgf1_md:digest"
If set the key is restricted and can only use \fIdigest\fR as it's \s-1MGF1\s0
parameter.
.IP "\fBrsa_pss_keygen_saltlen\fR:\fIlen\fR" 4
.IX Item "rsa_pss_keygen_saltlen:len"
If set the key is restricted and \fIlen\fR specifies the minimum salt length.
.SS "\s-1EC\s0 Key Generation Options"
.IX Subsection "EC Key Generation Options"
The \s-1EC\s0 key generation options can also be used for parameter generation.
.IP "\fBec_paramgen_curve\fR:\fIcurve\fR" 4
.IX Item "ec_paramgen_curve:curve"
The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R".
.IP "\fBec_param_enc\fR:\fIencoding\fR" 4
.IX Item "ec_param_enc:encoding"
The encoding to use for parameters. The \fIencoding\fR parameter must be either
\&\fBnamed_curve\fR or \fBexplicit\fR. The default value is \fBnamed_curve\fR.
.SS "\s-1DH\s0 Key Generation Options"
.IX Subsection "DH Key Generation Options"
.IP "\fBgroup\fR:\fIname\fR" 4
.IX Item "group:name"
The \fBparamfile\fR option is not required if a named group is used here.
See the \*(L"\s-1DH\s0 Parameter Generation Options\*(R" section below.
.SH "PARAMETER GENERATION OPTIONS"
.IX Header "PARAMETER GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.
.SS "\s-1DSA\s0 Parameter Generation Options"
.IX Subsection "DSA Parameter Generation Options"
.IP "\fBdsa_paramgen_bits\fR:\fInumbits\fR" 4
.IX Item "dsa_paramgen_bits:numbits"
The number of bits in the generated prime. If not specified 2048 is used.
.IP "\fBdsa_paramgen_q_bits\fR:\fInumbits\fR" 4
.IX Item "dsa_paramgen_q_bits:numbits"
.PD 0
.IP "\fBqbits\fR:\fInumbits\fR" 4
.IX Item "qbits:numbits"
.PD
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
.IP "\fBdsa_paramgen_md\fR:\fIdigest\fR" 4
.IX Item "dsa_paramgen_md:digest"
.PD 0
.IP "\fBdigest\fR:\fIdigest\fR" 4
.IX Item "digest:digest"
.PD
The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be
ignored. If not set, then a digest will be used that gives an output matching
the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224
or \fBsha256\fR if it is 256.
.IP "\fBproperties\fR:\fIquery\fR" 4
.IX Item "properties:query"
The \fIdigest\fR property \fIquery\fR string to use when fetching a digest from a provider.
.IP "\fBtype\fR:\fItype\fR" 4
.IX Item "type:type"
The type of generation to use. Set this to 1 to use legacy \s-1FIPS186\-2\s0 parameter
generation. The default of 0 uses \s-1FIPS186\-4\s0 parameter generation.
.IP "\fBgindex\fR:\fIindex\fR" 4
.IX Item "gindex:index"
The index to use for canonical generation and verification of the generator g.
Set this to a positive value ranging from 0..255 to use this mode. Larger values
will only use the bottom byte.
This \fIindex\fR must then be reused during key validation to verify the value of g.
If this value is not set then g is not verifiable. The default value is \-1.
.IP "\fBhexseed\fR:\fIseed\fR" 4
.IX Item "hexseed:seed"
The seed \fIseed\fR data to use instead of generating a random seed internally.
This should be used for testing purposes only. This will either produced fixed
values for the generated parameters \s-1OR\s0 it will fail if the seed did not
generate valid primes.
.SS "\s-1DH\s0 Parameter Generation Options"
.IX Subsection "DH Parameter Generation Options"
For most use cases it is recommended to use the \fBgroup\fR option rather than
the \fBtype\fR options. Note that the \fBgroup\fR option is not used by default if
no parameter generation options are specified.
.IP "\fBgroup\fR:\fIname\fR" 4
.IX Item "group:name"
.PD 0
.IP "\fBdh_param\fR:\fIname\fR" 4
.IX Item "dh_param:name"
.PD
Use a named \s-1DH\s0 group to select constant values for the \s-1DH\s0 parameters.
All other options will be ignored if this value is set.
.Sp
Valid values that are associated with the \fBalgorithm\fR of \fB\*(L"\s-1DH\*(R"\s0\fR are:
\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R", \*(L"ffdhe8192\*(R",
\&\*(L"modp_1536\*(R", \*(L"modp_2048\*(R", \*(L"modp_3072\*(R", \*(L"modp_4096\*(R", \*(L"modp_6144\*(R", \*(L"modp_8192\*(R".
.Sp
Valid values that are associated with the \fBalgorithm\fR of \fB\*(L"\s-1DHX\*(R"\s0\fR are the
\&\s-1RFC5114\s0 names \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R", \*(L"dh_2048_256\*(R".
.IP "\fBdh_rfc5114\fR:\fInum\fR" 4
.IX Item "dh_rfc5114:num"
If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
instead of generating new parameters. The value \fInum\fR can be one of
1, 2 or 3 that are equivalent to using the option \fBgroup\fR with one of
\&\*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R" or \*(L"dh_2048_256\*(R".
All other options will be ignored if this value is set.
.IP "\fBpbits\fR:\fInumbits\fR" 4
.IX Item "pbits:numbits"
.PD 0
.IP "\fBdh_paramgen_prime_len\fR:\fInumbits\fR" 4
.IX Item "dh_paramgen_prime_len:numbits"
.PD
The number of bits in the prime parameter \fIp\fR. The default is 2048.
.IP "\fBqbits\fR:\fInumbits\fR" 4
.IX Item "qbits:numbits"
.PD 0
.IP "\fBdh_paramgen_subprime_len\fR:\fInumbits\fR" 4
.IX Item "dh_paramgen_subprime_len:numbits"
.PD
The number of bits in the sub prime parameter \fIq\fR. The default is 224.
Only relevant if used in conjunction with the \fBdh_paramgen_type\fR option to
generate \s-1DHX\s0 parameters.
.IP "\fBsafeprime-generator\fR:\fIvalue\fR" 4
.IX Item "safeprime-generator:value"
.PD 0
.IP "\fBdh_paramgen_generator\fR:\fIvalue\fR" 4
.IX Item "dh_paramgen_generator:value"
.PD
The value to use for the generator \fIg\fR. The default is 2.
The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR for this parameter to be used.
.IP "\fBtype\fR:\fIstring\fR" 4
.IX Item "type:string"
The type name of \s-1DH\s0 parameters to generate. Valid values are:
.RS 4
.ie n .IP """generator""" 4
.el .IP "``generator''" 4
.IX Item "generator"
Use a safe prime generator with the option \fBsafeprime_generator\fR
The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR.
.ie n .IP """fips186_4""" 4
.el .IP "``fips186_4''" 4
.IX Item "fips186_4"
\&\s-1FIPS186\-4\s0 parameter generation.
The \fBalgorithm\fR option must be \fB\*(L"\s-1DHX\*(R"\s0\fR.
.ie n .IP """fips186_2""" 4
.el .IP "``fips186_2''" 4
.IX Item "fips186_2"
\&\s-1FIPS186\-4\s0 parameter generation.
The \fBalgorithm\fR option must be \fB\*(L"\s-1DHX\*(R"\s0\fR.
.ie n .IP """group""" 4
.el .IP "``group''" 4
.IX Item "group"
Can be used with the option \fBpbits\fR to select one of
\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R" or \*(L"ffdhe8192\*(R".
The \fBalgorithm\fR option must be \fB\*(L"\s-1DH\*(R"\s0\fR.
.ie n .IP """default""" 4
.el .IP "``default''" 4
.IX Item "default"
Selects a default type based on the \fBalgorithm\fR. This is used by the
OpenSSL default provider to set the type for backwards compatibility.
If \fBalgorithm\fR is \fB\*(L"\s-1DH\*(R"\s0\fR then \fB\*(L"generator\*(R"\fR is used.
If \fBalgorithm\fR is \fB\*(L"\s-1DHX\*(R"\s0\fR then \fB\*(L"fips186_2\*(R"\fR is used.
.RE
.RS 4
.RE
.IP "\fBdh_paramgen_type\fR:\fIvalue\fR" 4
.IX Item "dh_paramgen_type:value"
The type of \s-1DH\s0 parameters to generate. Valid values are 0, 1, 2 or 3
which correspond to setting the option \fBtype\fR to
\&\*(L"generator\*(R", \*(L"fips186_2\*(R", \*(L"fips186_4\*(R" or \*(L"group\*(R".
.IP "\fBdigest\fR:\fIdigest\fR" 4
.IX Item "digest:digest"
The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
or \fBsha256\fR. If set, then the number of bits in \fBqbits\fR will match the output
size of the specified digest and the \fBqbits\fR parameter will be
ignored. If not set, then a digest will be used that gives an output matching
the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it is
224 or \fBsha256\fR if it is 256.
This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
.IP "\fBproperties\fR:\fIquery\fR" 4
.IX Item "properties:query"
The \fIdigest\fR property \fIquery\fR string to use when fetching a digest from a provider.
This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
.IP "\fBgindex\fR:\fIindex\fR" 4
.IX Item "gindex:index"
The index to use for canonical generation and verification of the generator g.
Set this to a positive value ranging from 0..255 to use this mode. Larger values
will only use the bottom byte.
This \fIindex\fR must then be reused during key validation to verify the value of g.
If this value is not set then g is not verifiable. The default value is \-1.
This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
.IP "\fBhexseed\fR:\fIseed\fR" 4
.IX Item "hexseed:seed"
The seed \fIseed\fR data to use instead of generating a random seed internally.
This should be used for testing purposes only. This will either produced fixed
values for the generated parameters \s-1OR\s0 it will fail if the seed did not
generate valid primes.
This is only used by \*(L"fips186_4\*(R" and \*(L"fips186_2\*(R" key generation.
.SS "\s-1EC\s0 Parameter Generation Options"
.IX Subsection "EC Parameter Generation Options"
The \s-1EC\s0 parameter generation options are the same as for key generation. See
\&\*(L"\s-1EC\s0 Key Generation Options\*(R" above.
.SH "NOTES"
.IX Header "NOTES"
The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms
can be used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Generate an \s-1RSA\s0 private key using default parameters:
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem
.Ve
.PP
Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R":
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello
.Ve
.PP
Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent:
.PP
.Vb 2
\& openssl genpkey \-algorithm RSA \-out key.pem \e
\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3
.Ve
.PP
Generate 2048 bit \s-1DSA\s0 parameters that can be validated: The output values for
gindex and seed are required for key validation purposes and are not saved to
the output pem file).
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \-pkeyopt pbits:2048 \e
\& \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \-pkeyopt gindex:1 \-text
.Ve
.PP
Generate \s-1DSA\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
.Ve
.PP
Generate 4096 bit \s-1DH\s0 Key using safe prime group ffdhe4096:
.PP
.Vb 1
\& openssl genpkey \-algorithm DH \-out dhkey.pem \-pkeyopt group:ffdhe4096
.Ve
.PP
Generate 2048 bit X9.42 \s-1DH\s0 key with 256 bit subgroup using \s-1RFC5114\s0 group3:
.PP
.Vb 1
\& openssl genpkey \-algorithm DHX \-out dhkey.pem \-pkeyopt dh_rfc5114:3
.Ve
.PP
Generate a \s-1DH\s0 key using a \s-1DH\s0 parameters file:
.PP
.Vb 1
\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
.Ve
.PP
Output \s-1DH\s0 parameters for safe prime group ffdhe2048:
.PP
.Vb 1
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt group:ffdhe2048
.Ve
.PP
Output 2048 bit X9.42 \s-1DH\s0 parameters with 224 bit subgroup using \s-1RFC5114\s0 group2:
.PP
.Vb 1
\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-pkeyopt dh_rfc5114:2
.Ve
.PP
Output 2048 bit X9.42 \s-1DH\s0 parameters with 224 bit subgroup using \s-1FIP186\-4\s0 keygen:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
\& \-pkeyopt pbits:2048 \-pkeyopt qbits:224 \-pkeyopt digest:SHA256 \e
\& \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:2
.Ve
.PP
Output 1024 bit X9.42 \s-1DH\s0 parameters with 160 bit subgroup using \s-1FIP186\-2\s0 keygen:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm DHX \-out dhp.pem \-text \e
\& \-pkeyopt pbits:1024 \-pkeyopt qbits:160 \-pkeyopt digest:SHA1 \e
\& \-pkeyopt gindex:1 \-pkeyopt dh_paramgen_type:1
.Ve
.PP
Output 2048 bit \s-1DH\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
\& \-pkeyopt dh_paramgen_prime_len:2048
.Ve
.PP
Output 2048 bit \s-1DH\s0 parameters using a generator:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
\& \-pkeyopt dh_paramgen_prime_len:2048 \e
\& \-pkeyopt dh_paramgen_type:1
.Ve
.PP
Generate \s-1EC\s0 parameters:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e
\& \-pkeyopt ec_paramgen_curve:secp384r1 \e
\& \-pkeyopt ec_param_enc:named_curve
.Ve
.PP
Generate \s-1EC\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile ecp.pem \-out eckey.pem
.Ve
.PP
Generate \s-1EC\s0 key directly:
.PP
.Vb 3
\& openssl genpkey \-algorithm EC \-out eckey.pem \e
\& \-pkeyopt ec_paramgen_curve:P\-384 \e
\& \-pkeyopt ec_param_enc:named_curve
.Ve
.PP
Generate an X25519 private key:
.PP
.Vb 1
\& openssl genpkey \-algorithm X25519 \-out xkey.pem
.Ve
.PP
Generate an \s-1ED448\s0 private key:
.PP
.Vb 1
\& openssl genpkey \-algorithm ED448 \-out xkey.pem
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly,
were added in OpenSSL 1.0.2.
The ability to generate X25519 keys was added in OpenSSL 1.1.0.
The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in OpenSSL 1.1.1.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

262
openssl-install/share/man/man1/openssl-genrsa.1ossl Normal file
View File

@@ -0,0 +1,262 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-GENRSA 1ossl"
.TH OPENSSL-GENRSA 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-genrsa \- generate an RSA private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenrsa\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-F4\fR]
[\fB\-f4\fR]
[\fB\-3\fR]
[\fB\-primes\fR \fInum\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-traditional\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fBnumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command generates an \s-1RSA\s0 private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the \fB\-passout\fR argument.
.IP "\fB\-F4\fR, \fB\-f4\fR, \fB\-3\fR" 4
.IX Item "-F4, -f4, -3"
The public exponent to use, either 65537 or 3. The default is 65537.
The \fB\-3\fR option has been deprecated.
.IP "\fB\-primes\fR \fInum\fR" 4
.IX Item "-primes num"
Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fInum\fR
parameter must be a positive integer that is greater than 1 and less than 16.
If \fInum\fR is greater than 2, then the generated key is called a 'multi\-prime'
\&\s-1RSA\s0 key, which is defined in \s-1RFC 8017.\s0
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Print fewer details about the operations being performed, which may
be handy during batch scripts and pipelines.
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fBnumbits\fR" 4
.IX Item "numbits"
The size of the private key to generate in bits. This must be the last option
specified. The default is 2048 and values less than 512 are not allowed.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1RSA\s0 private key generation essentially involves the generation of two or more
prime numbers. When generating a private key various symbols will be output to
indicate the progress of the generation. A \fB.\fR represents each number which
has passed an initial sieve test, \fB+\fR means a number has passed a single
round of the Miller-Rabin primality test, \fB*\fR means the current prime starts
a regenerating progress due to some failed tests. A newline means that the number
has passed all the prime tests (the actual number depends on the key size).
.PP
Because key generation is a random process the time taken to generate a key
may vary somewhat. But in general, more primes lead to less generation time
of a key.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

214
openssl-install/share/man/man1/openssl-info.1ossl Normal file
View File

@@ -0,0 +1,214 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-INFO 1ossl"
.TH OPENSSL-INFO 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-info \- print OpenSSL built\-in information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl info\fR
[\fB\-help\fR]
[\fB\-configdir\fR]
[\fB\-enginesdir\fR]
[\fB\-modulesdir\fR ]
[\fB\-dsoext\fR]
[\fB\-dirnamesep\fR]
[\fB\-listsep\fR]
[\fB\-seeds\fR]
[\fB\-cpusettings\fR]
[\fB\-windowscontext\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to print out information about OpenSSL.
The information is written exactly as it is with no extra text, which
makes useful for scripts.
.PP
As a consequence, only one item may be chosen for each run of this
command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-configdir\fR" 4
.IX Item "-configdir"
Outputs the default directory for OpenSSL configuration files.
.IP "\fB\-enginesdir\fR" 4
.IX Item "-enginesdir"
Outputs the default directory for OpenSSL engine modules.
.IP "\fB\-modulesdir\fR" 4
.IX Item "-modulesdir"
Outputs the default directory for OpenSSL dynamically loadable modules
other than engine modules.
.IP "\fB\-dsoext\fR" 4
.IX Item "-dsoext"
Outputs the \s-1DSO\s0 extension OpenSSL uses.
.IP "\fB\-dirnamesep\fR" 4
.IX Item "-dirnamesep"
Outputs the separator character between a directory specification and
a filename.
Note that on some operating systems, this is not the same as the
separator between directory elements.
.IP "\fB\-listsep\fR" 4
.IX Item "-listsep"
Outputs the OpenSSL list separator character.
This is typically used to construct \f(CW$PATH\fR (\f(CW\*(C`%PATH%\*(C'\fR on Windows)
style lists.
.IP "\fB\-seeds\fR" 4
.IX Item "-seeds"
Outputs the randomness seed sources.
.IP "\fB\-cpusettings\fR" 4
.IX Item "-cpusettings"
Outputs the OpenSSL \s-1CPU\s0 settings info.
.IP "\fB\-windowscontext\fR" 4
.IX Item "-windowscontext"
Outputs the Windows install context.
.SH "HISTORY"
.IX Header "HISTORY"
This command was added in OpenSSL 3.0.
.PP
The \fB\-windowscontext\fR option was added in OpenSSL 3.4.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

358
openssl-install/share/man/man1/openssl-kdf.1ossl Normal file
View File

@@ -0,0 +1,358 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-KDF 1ossl"
.TH OPENSSL-KDF 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-kdf \- perform Key Derivation Function operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl kdf\fR
[\fB\-help\fR]
[\fB\-cipher\fR]
[\fB\-digest\fR]
[\fB\-mac\fR]
[\fB\-kdfopt\fR \fInm\fR:\fIv\fR]
[\fB\-keylen\fR \fInum\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-binary\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
\&\fIkdf_name\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The key derivation functions generate a derived key from either a secret or
password.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
.IP "\fB\-keylen\fR \fInum\fR" 4
.IX Item "-keylen num"
The output size of the derived key. This field is required.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Filename to output to, or standard output by default.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Output the derived key in binary form. Uses hexadecimal text format if not specified.
.IP "\fB\-cipher\fR \fIname\fR" 4
.IX Item "-cipher name"
Specify the cipher to be used by the \s-1KDF.\s0
Not all KDFs require a cipher and it is an error to use this option in such
cases.
.IP "\fB\-digest\fR \fIname\fR" 4
.IX Item "-digest name"
Specify the digest to be used by the \s-1KDF.\s0
Not all KDFs require a digest and it is an error to use this option in such
cases.
To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
.IP "\fB\-mac\fR \fIname\fR" 4
.IX Item "-mac name"
Specify the \s-1MAC\s0 to be used by the \s-1KDF.\s0
Not all KDFs require a \s-1MAC\s0 and it is an error to use this option in such
cases.
.IP "\fB\-kdfopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-kdfopt nm:v"
Passes options to the \s-1KDF\s0 algorithm.
A comprehensive list of parameters can be found in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
Common parameter names used by \fBEVP_KDF_CTX_set_params()\fR are:
.RS 4
.IP "\fBkey:\fR\fIstring\fR" 4
.IX Item "key:string"
Specifies the secret key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the \s-1KDF\s0 algorithm.
A key must be specified for most \s-1KDF\s0 algorithms.
.IP "\fBhexkey:\fR\fIstring\fR" 4
.IX Item "hexkey:string"
Alternative to the \fBkey:\fR option where
the secret key is specified in hexadecimal form (two hex digits per byte).
.IP "\fBpass:\fR\fIstring\fR" 4
.IX Item "pass:string"
Specifies the password as an alphanumeric string (use if the password contains
printable characters only).
The password must be specified for \s-1PBKDF2\s0 and scrypt.
.IP "\fBhexpass:\fR\fIstring\fR" 4
.IX Item "hexpass:string"
Alternative to the \fBpass:\fR option where
the password is specified in hexadecimal form (two hex digits per byte).
.IP "\fBsalt:\fR\fIstring\fR" 4
.IX Item "salt:string"
Specifies a non-secret unique cryptographic salt as an alphanumeric string
(use if it contains printable characters only).
The length must conform to any restrictions of the \s-1KDF\s0 algorithm.
A salt parameter is required for several \s-1KDF\s0 algorithms,
such as \s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7).
.IP "\fBhexsalt:\fR\fIstring\fR" 4
.IX Item "hexsalt:string"
Alternative to the \fBsalt:\fR option where
the salt is specified in hexadecimal form (two hex digits per byte).
.IP "\fBinfo:\fR\fIstring\fR" 4
.IX Item "info:string"
Some \s-1KDF\s0 implementations, such as \s-1\fBEVP_KDF\-HKDF\s0\fR\|(7), take an 'info' parameter
for binding the derived key material
to application\- and context-specific information.
Specifies the info, fixed info, other info or shared info argument
as an alphanumeric string (use if it contains printable characters only).
The length must conform to any restrictions of the \s-1KDF\s0 algorithm.
.IP "\fBhexinfo:\fR\fIstring\fR" 4
.IX Item "hexinfo:string"
Alternative to the \fBinfo:\fR option where
the info is specified in hexadecimal form (two hex digits per byte).
.IP "\fBdigest:\fR\fIstring\fR" 4
.IX Item "digest:string"
This option is identical to the \fB\-digest\fR option.
.IP "\fBcipher:\fR\fIstring\fR" 4
.IX Item "cipher:string"
This option is identical to the \fB\-cipher\fR option.
.IP "\fBmac:\fR\fIstring\fR" 4
.IX Item "mac:string"
This option is identical to the \fB\-mac\fR option.
.RE
.RS 4
.RE
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fIkdf_name\fR" 4
.IX Item "kdf_name"
Specifies the name of a supported \s-1KDF\s0 algorithm which will be used.
The supported algorithms names include \s-1TLS1\-PRF, HKDF, SSKDF, PBKDF2,
SSHKDF, X942KDF\-ASN1, X942KDF\-CONCAT, X963KDF\s0 and \s-1SCRYPT.\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Use \s-1TLS1\-PRF\s0 to create a hex-encoded derived key from a secret key and seed:
.PP
.Vb 2
\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
\& \-kdfopt seed:seed TLS1\-PRF
.Ve
.PP
Use \s-1HKDF\s0 to create a hex-encoded derived key from a secret key, salt and info:
.PP
.Vb 2
\& openssl kdf \-keylen 10 \-kdfopt digest:SHA2\-256 \-kdfopt key:secret \e
\& \-kdfopt salt:salt \-kdfopt info:label HKDF
.Ve
.PP
Use \s-1SSKDF\s0 with \s-1KMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 64 \-kdfopt mac:KMAC\-128 \-kdfopt maclen:20 \e
\& \-kdfopt hexkey:b74a149a161545 \-kdfopt hexinfo:348a37a2 \e
\& \-kdfopt hexsalt:3638271ccd68a2 SSKDF
.Ve
.PP
Use \s-1SSKDF\s0 with \s-1HMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 16 \-kdfopt mac:HMAC \-kdfopt digest:SHA2\-256 \e
\& \-kdfopt hexkey:b74a149a \-kdfopt hexinfo:348a37a2 \e
\& \-kdfopt hexsalt:3638271c SSKDF
.Ve
.PP
Use \s-1SSKDF\s0 with Hash to create a hex-encoded derived key from a secret key, salt and info:
.PP
.Vb 3
\& openssl kdf \-keylen 14 \-kdfopt digest:SHA2\-256 \e
\& \-kdfopt hexkey:6dbdc23f045488 \e
\& \-kdfopt hexinfo:a1b2c3d4 SSKDF
.Ve
.PP
Use \s-1SSHKDF\s0 to create a hex-encoded derived key from a secret key, hash and session_id:
.PP
.Vb 5
\& openssl kdf \-keylen 16 \-kdfopt digest:SHA2\-256 \e
\& \-kdfopt hexkey:0102030405 \e
\& \-kdfopt hexxcghash:06090A \e
\& \-kdfopt hexsession_id:01020304 \e
\& \-kdfopt type:A SSHKDF
.Ve
.PP
Use \s-1PBKDF2\s0 to create a hex-encoded derived key from a password and salt:
.PP
.Vb 2
\& openssl kdf \-keylen 32 \-kdfopt digest:SHA256 \-kdfopt pass:password \e
\& \-kdfopt salt:salt \-kdfopt iter:2 PBKDF2
.Ve
.PP
Use scrypt to create a hex-encoded derived key from a password and salt:
.PP
.Vb 3
\& openssl kdf \-keylen 64 \-kdfopt pass:password \-kdfopt salt:NaCl \e
\& \-kdfopt n:1024 \-kdfopt r:8 \-kdfopt p:16 \e
\& \-kdfopt maxmem_bytes:10485760 SCRYPT
.Ve
.SH "NOTES"
.IX Header "NOTES"
The \s-1KDF\s0 mechanisms that are available will depend on the options
used when building OpenSSL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkeyutl\fR\|(1),
\&\s-1\fBEVP_KDF\s0\fR\|(3),
\&\s-1\fBEVP_KDF\-SCRYPT\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-TLS1_PRF\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-HKDF\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-SS\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-SSHKDF\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-X942\-ASN1\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-X942\-CONCAT\s0\fR\|(7),
\&\s-1\fBEVP_KDF\-X963\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
Added in OpenSSL 3.0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

388
openssl-install/share/man/man1/openssl-list.1ossl Normal file
View File

@@ -0,0 +1,388 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-LIST 1ossl"
.TH OPENSSL-LIST 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-list \- list algorithms and features
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl list\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
[\fB\-select\fR \fIname\fR]
[\fB\-1\fR]
[\fB\-all\-algorithms\fR]
[\fB\-commands\fR]
[\fB\-standard\-commands\fR]
[\fB\-digest\-algorithms\fR]
[\fB\-digest\-commands\fR]
[\fB\-kdf\-algorithms\fR]
[\fB\-mac\-algorithms\fR]
[\fB\-random\-instances\fR]
[\fB\-random\-generators\fR]
[\fB\-cipher\-algorithms\fR]
[\fB\-cipher\-commands\fR]
[\fB\-encoders\fR]
[\fB\-decoders\fR]
[\fB\-key\-managers\fR]
[\fB\-key\-exchange\-algorithms\fR]
[\fB\-kem\-algorithms\fR]
[\fB\-signature\-algorithms\fR]
[\fB\-tls\-signature\-algorithms\fR]
[\fB\-asymcipher\-algorithms\fR]
[\fB\-public\-key\-algorithms\fR]
[\fB\-public\-key\-methods\fR]
[\fB\-store\-loaders\fR]
[\fB\-providers\fR]
[\fB\-engines\fR]
[\fB\-disabled\fR]
[\fB\-objects\fR]
[\fB\-options\fR \fIcommand\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to generate list of algorithms or disabled
features.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display a usage message.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Displays extra information.
The options below where verbosity applies say a bit more about what that means.
.IP "\fB\-select\fR \fIname\fR" 4
.IX Item "-select name"
Only list algorithms that match this name.
.IP "\fB\-1\fR" 4
.IX Item "-1"
List the commands, digest-commands, or cipher-commands in a single column.
If used, this option must be given first.
.IP "\fB\-all\-algorithms\fR" 4
.IX Item "-all-algorithms"
Display lists of all algorithms. These include:
.RS 4
.IP "Asymmetric ciphers" 4
.IX Item "Asymmetric ciphers"
.PD 0
.IP "Decoders" 4
.IX Item "Decoders"
.IP "Digests" 4
.IX Item "Digests"
.IP "Encoders" 4
.IX Item "Encoders"
.IP "Key derivation algorithms (\s-1KDF\s0)" 4
.IX Item "Key derivation algorithms (KDF)"
.IP "Key encapsulation methods (\s-1KEM\s0)" 4
.IX Item "Key encapsulation methods (KEM)"
.IP "Key exchange algorithms (\s-1KEX\s0)" 4
.IX Item "Key exchange algorithms (KEX)"
.IP "Key managers" 4
.IX Item "Key managers"
.IP "Message authentication code algorithms (\s-1MAC\s0)" 4
.IX Item "Message authentication code algorithms (MAC)"
.IP "Random number generators (\s-1RNG, DRBG\s0)" 4
.IX Item "Random number generators (RNG, DRBG)"
.IP "Signature algorithms" 4
.IX Item "Signature algorithms"
.IP "Store loaders" 4
.IX Item "Store loaders"
.IP "Symmetric ciphers" 4
.IX Item "Symmetric ciphers"
.RE
.RS 4
.RE
.IP "\fB\-commands\fR" 4
.IX Item "-commands"
.PD
Display a list of standard commands.
.IP "\fB\-standard\-commands\fR" 4
.IX Item "-standard-commands"
List of standard commands.
.IP "\fB\-digest\-commands\fR" 4
.IX Item "-digest-commands"
This option is deprecated. Use \fBdigest-algorithms\fR instead.
.Sp
Display a list of message digest commands, which are typically used
as input to the \fBopenssl\-dgst\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
.IP "\fB\-cipher\-commands\fR" 4
.IX Item "-cipher-commands"
This option is deprecated. Use \fBcipher-algorithms\fR instead.
.Sp
Display a list of cipher commands, which are typically used as input
to the \fBopenssl\-enc\fR\|(1) or \fBopenssl\-speed\fR\|(1) commands.
.IP "\fB\-cipher\-algorithms\fR, \fB\-digest\-algorithms\fR, \fB\-kdf\-algorithms\fR, \fB\-mac\-algorithms\fR," 4
.IX Item "-cipher-algorithms, -digest-algorithms, -kdf-algorithms, -mac-algorithms,"
Display a list of symmetric cipher, digest, kdf and mac algorithms.
See \*(L"Display of algorithm names\*(R" for a description of how names are
displayed.
.Sp
In verbose mode, the algorithms provided by a provider will get additional
information on what parameters each implementation supports.
.IP "\fB\-random\-instances\fR" 4
.IX Item "-random-instances"
List the primary, public and private random number generator details.
.IP "\fB\-random\-generators\fR" 4
.IX Item "-random-generators"
Display a list of random number generators.
See \*(L"Display of algorithm names\*(R" for a description of how names are
displayed.
.IP "\fB\-encoders\fR" 4
.IX Item "-encoders"
Display a list of encoders.
See \*(L"Display of algorithm names\*(R" for a description of how names are
displayed.
.Sp
In verbose mode, the algorithms provided by a provider will get additional
information on what parameters each implementation supports.
.IP "\fB\-decoders\fR" 4
.IX Item "-decoders"
Display a list of decoders.
See \*(L"Display of algorithm names\*(R" for a description of how names are
displayed.
.Sp
In verbose mode, the algorithms provided by a provider will get additional
information on what parameters each implementation supports.
.IP "\fB\-public\-key\-algorithms\fR" 4
.IX Item "-public-key-algorithms"
Display a list of public key algorithms, with each algorithm as
a block of multiple lines, all but the first are indented.
The options \fBkey-exchange-algorithms\fR, \fBkem-algorithms\fR,
\&\fBsignature-algorithms\fR, and \fBasymcipher-algorithms\fR will display similar info.
.IP "\fB\-public\-key\-methods\fR" 4
.IX Item "-public-key-methods"
Display a list of public key methods.
.IP "\fB\-key\-managers\fR" 4
.IX Item "-key-managers"
Display a list of key managers.
.IP "\fB\-key\-exchange\-algorithms\fR" 4
.IX Item "-key-exchange-algorithms"
Display a list of key exchange algorithms.
.IP "\fB\-kem\-algorithms\fR" 4
.IX Item "-kem-algorithms"
Display a list of key encapsulation algorithms.
.IP "\fB\-signature\-algorithms\fR" 4
.IX Item "-signature-algorithms"
Display a list of signature algorithms.
.IP "\fB\-tls\-signature\-algorithms\fR" 4
.IX Item "-tls-signature-algorithms"
Display the list of signature algorithms available for \s-1TLS\s0 handshakes
made available by all currently active providers.
The output format is colon delimited in a form directly usable in
\&\fBSSL_CONF_cmd\fR\|(3) specifying SignatureAlgorithms.
.IP "\fB\-asymcipher\-algorithms\fR" 4
.IX Item "-asymcipher-algorithms"
Display a list of asymmetric cipher algorithms.
.IP "\fB\-store\-loaders\fR" 4
.IX Item "-store-loaders"
Display a list of store loaders.
.IP "\fB\-providers\fR" 4
.IX Item "-providers"
Display a list of all loaded providers with their names, version and status.
.Sp
In verbose mode, the full version and all provider parameters will additionally
be displayed.
.IP "\fB\-engines\fR" 4
.IX Item "-engines"
This option is deprecated.
.Sp
Display a list of loaded engines.
.IP "\fB\-disabled\fR" 4
.IX Item "-disabled"
Display a list of disabled features, those that were compiled out
of the installation.
.IP "\fB\-objects\fR" 4
.IX Item "-objects"
Display a list of built in objects, i.e. OIDs with names. They're listed in the
format described in \*(L"\s-1ASN1\s0 Object Configuration Module\*(R" in \fBconfig\fR\|(5).
.IP "\fB\-options\fR \fIcommand\fR" 4
.IX Item "-options command"
Output a two-column list of the options accepted by the specified \fIcommand\fR.
The first is the option name, and the second is a one-character indication
of what type of parameter it takes, if any.
This is an internal option, used for checking that the documentation
is complete.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SS "Display of algorithm names"
.IX Subsection "Display of algorithm names"
Algorithm names may be displayed in one of two manners:
.IP "Legacy implementations" 4
.IX Item "Legacy implementations"
Legacy implementations will simply display the main name of the
algorithm on a line of its own, or in the form \f(CW\*(C`<foo \*(C'\fR bar>> to show
that \f(CW\*(C`foo\*(C'\fR is an alias for the main name, \f(CW\*(C`bar\*(C'\fR
.IP "Provided implementations" 4
.IX Item "Provided implementations"
Implementations from a provider are displayed like this if the
implementation is labeled with a single name:
.Sp
.Vb 1
\& foo @ bar
.Ve
.Sp
or like this if it's labeled with multiple names:
.Sp
.Vb 1
\& { foo1, foo2 } @bar
.Ve
.Sp
In both cases, \f(CW\*(C`bar\*(C'\fR is the name of the provider.
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engines\fR, \fB\-digest\-commands\fR, and \fB\-cipher\-commands\fR options
were deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

305
openssl-install/share/man/man1/openssl-mac.1ossl Normal file
View File

@@ -0,0 +1,305 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-MAC 1ossl"
.TH OPENSSL-MAC 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-mac \- perform Message Authentication Code operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl mac\fR
[\fB\-help\fR]
[\fB\-cipher\fR]
[\fB\-digest\fR]
[\fB\-macopt\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-binary\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
\&\fImac_name\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The message authentication code functions output the \s-1MAC\s0 of a supplied input
file.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
Input filename to calculate a \s-1MAC\s0 for, or standard input by default.
Standard input is used if the filename is '\-'.
Files and standard input are expected to be in binary format.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Filename to output to, or standard output by default.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Output the \s-1MAC\s0 in binary form. Uses hexadecimal text format if not specified.
.IP "\fB\-cipher\fR \fIname\fR" 4
.IX Item "-cipher name"
Used by \s-1CMAC\s0 and \s-1GMAC\s0 to specify the cipher algorithm.
For \s-1CMAC\s0 it should be a \s-1CBC\s0 mode cipher e.g. \s-1AES\-128\-CBC.\s0
For \s-1GMAC\s0 it should be a \s-1GCM\s0 mode cipher e.g. \s-1AES\-128\-GCM.\s0
.IP "\fB\-digest\fR \fIname\fR" 4
.IX Item "-digest name"
Used by \s-1HMAC\s0 as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
.IP "\fB\-macopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-macopt nm:v"
Passes options to the \s-1MAC\s0 algorithm.
A comprehensive list of controls can be found in the \s-1EVP_MAC\s0 implementation
documentation.
Common parameter names used by \fBEVP_MAC_CTX_get_params()\fR are:
.RS 4
.IP "\fBkey:\fR\fIstring\fR" 4
.IX Item "key:string"
Specifies the \s-1MAC\s0 key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the \s-1MAC\s0 algorithm.
A key must be specified for every \s-1MAC\s0 algorithm.
.IP "\fBhexkey:\fR\fIstring\fR" 4
.IX Item "hexkey:string"
Specifies the \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the \s-1MAC\s0 algorithm.
A key must be specified for every \s-1MAC\s0 algorithm.
.IP "\fBiv:\fR\fIstring\fR" 4
.IX Item "iv:string"
Used by \s-1GMAC\s0 to specify an \s-1IV\s0 as an alphanumeric string (use if the \s-1IV\s0 contains
printable characters only).
.IP "\fBhexiv:\fR\fIstring\fR" 4
.IX Item "hexiv:string"
Used by \s-1GMAC\s0 to specify an \s-1IV\s0 in hexadecimal form (two hex digits per byte).
.IP "\fBsize:\fR\fIint\fR" 4
.IX Item "size:int"
Used by \s-1KMAC128\s0 or \s-1KMAC256\s0 to specify an output length.
The default sizes are 32 or 64 bytes respectively.
.IP "\fBcustom:\fR\fIstring\fR" 4
.IX Item "custom:string"
Used by \s-1KMAC128\s0 or \s-1KMAC256\s0 to specify a customization string.
The default is the empty string "".
.IP "\fBdigest:\fR\fIstring\fR" 4
.IX Item "digest:string"
This option is identical to the \fB\-digest\fR option.
.IP "\fBcipher:\fR\fIstring\fR" 4
.IX Item "cipher:string"
This option is identical to the \fB\-cipher\fR option.
.RE
.RS 4
.RE
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fImac_name\fR" 4
.IX Item "mac_name"
Specifies the name of a supported \s-1MAC\s0 algorithm which will be used.
To see the list of supported \s-1MAC\s0's use the command \f(CW\*(C`openssl list
\&\-mac\-algorithms\*(C'\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To create a hex-encoded \s-1HMAC\-SHA1 MAC\s0 of a file and write to stdout:
.PP
.Vb 3
\& openssl mac \-digest SHA1 \e
\& \-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \e
\& \-in msg.bin HMAC
.Ve
.PP
To create a SipHash \s-1MAC\s0 from a file with a binary file output:
.PP
.Vb 2
\& openssl mac \-macopt hexkey:000102030405060708090A0B0C0D0E0F \e
\& \-in msg.bin \-out out.bin \-binary SipHash
.Ve
.PP
To create a hex-encoded \s-1CMAC\-AES\-128\-CBC MAC\s0 from a file:
.PP
.Vb 3
\& openssl mac \-cipher AES\-128\-CBC \e
\& \-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \e
\& \-in msg.bin CMAC
.Ve
.PP
To create a hex-encoded \s-1KMAC128 MAC\s0 from a file with a Customisation String
\&'Tag' and output length of 16:
.PP
.Vb 2
\& openssl mac \-macopt custom:Tag \-macopt hexkey:40414243444546 \e
\& \-macopt size:16 \-in msg.bin KMAC128
.Ve
.PP
To create a hex-encoded \s-1GMAC\-AES\-128\-GCM\s0 with a \s-1IV\s0 from a file:
.PP
.Vb 2
\& openssl mac \-cipher AES\-128\-GCM \-macopt hexiv:E0E00F19FED7BA0136A797F3 \e
\& \-macopt hexkey:77A77FAF290C1FA30C683DF16BA7A77B \-in msg.bin GMAC
.Ve
.SH "NOTES"
.IX Header "NOTES"
The \s-1MAC\s0 mechanisms that are available will depend on the options
used when building OpenSSL.
Use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR to list them.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\s-1\fBEVP_MAC\s0\fR\|(3),
\&\s-1\fBEVP_MAC\-CMAC\s0\fR\|(7),
\&\s-1\fBEVP_MAC\-GMAC\s0\fR\|(7),
\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7),
\&\s-1\fBEVP_MAC\-KMAC\s0\fR\|(7),
\&\fBEVP_MAC\-Siphash\fR\|(7),
\&\fBEVP_MAC\-Poly1305\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

286
openssl-install/share/man/man1/openssl-namedisplay-options.1ossl Normal file
View File

@@ -0,0 +1,286 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-NAMEDISPLAY-OPTIONS 1ossl"
.TH OPENSSL-NAMEDISPLAY-OPTIONS 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-namedisplay\-options \- Distinguished name display options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIoptions\fR ... ]
[ \fIparameters\fR ... ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL provides fine-grain control over how the subject and issuer \s-1DN\s0's are
displayed.
This is specified by using the \fB\-nameopt\fR option, which takes a
comma-separated list of options from the following set.
An option may be preceded by a minus sign, \f(CW\*(C`\-\*(C'\fR, to turn it off.
The first four option arguments are the most commonly used.
.PP
The default value is
\&\f(CW\*(C`esc_ctrl,utf8,dump_unknown,dump_der,sep_comma_plus_space,sname\*(C'\fR.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Name Format Option Arguments"
.IX Subsection "Name Format Option Arguments"
The \s-1DN\s0 output format can be fine tuned with the following flags.
.IP "\fBcompat\fR" 4
.IX Item "compat"
Display the name using an old format from previous OpenSSL versions.
.IP "\fB\s-1RFC2253\s0\fR" 4
.IX Item "RFC2253"
Display the name using the format defined in \s-1RFC 2253.\s0
It is equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR,
\&\fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, \fBsep_comma_plus\fR, \fBdn_rev\fR
and \fBsname\fR.
.IP "\fBoneline\fR" 4
.IX Item "oneline"
Display the name in one line, using a format that is more readable
\&\s-1RFC 2253.\s0
It is equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR,
\&\fBdump_nostr\fR, \fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR,
\&\fBspace_eq\fR and \fBsname\fR options.
.IP "\fBmultiline\fR" 4
.IX Item "multiline"
Display the name using multiple lines.
It is equivalent to \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, \fBspace_eq\fR,
\&\fBlname\fR and \fBalign\fR.
.IP "\fBesc_2253\fR" 4
.IX Item "esc_2253"
Escape the \*(L"special\*(R" characters in a field, as required by \s-1RFC 2253.\s0
That is, any of the characters \f(CW\*(C`,+"<>;\*(C'\fR, \f(CW\*(C`#\*(C'\fR at the beginning of
a string and leading or trailing spaces.
.IP "\fBesc_2254\fR" 4
.IX Item "esc_2254"
Escape the \*(L"special\*(R" characters in a field as required by \s-1RFC 2254\s0 in a field.
That is, the \fB\s-1NUL\s0\fR character and of \f(CW\*(C`()*\*(C'\fR.
.IP "\fBesc_ctrl\fR" 4
.IX Item "esc_ctrl"
Escape non-printable \s-1ASCII\s0 characters, codes less than 0x20 (space)
or greater than 0x7F (\s-1DELETE\s0). They are displayed using \s-1RFC 2253\s0 \f(CW\*(C`\eXX\*(C'\fR
notation where \fB\s-1XX\s0\fR are the two hex digits representing the character value.
.IP "\fBesc_msb\fR" 4
.IX Item "esc_msb"
Escape any characters with the most significant bit set, that is with
values larger than 127, as described in \fBesc_ctrl\fR.
.IP "\fBuse_quote\fR" 4
.IX Item "use_quote"
Escapes some characters by surrounding the entire string with quotation
marks, \f(CW\*(C`"\*(C'\fR.
Without this option, individual special characters are preceded with
a backslash character, \f(CW\*(C`\e\*(C'\fR.
.IP "\fButf8\fR" 4
.IX Item "utf8"
Convert all strings to \s-1UTF\-8\s0 format first as required by \s-1RFC 2253.\s0
If the output device is \s-1UTF\-8\s0 compatible, then using this option (and
not setting \fBesc_msb\fR) may give the correct display of multibyte
characters.
If this option is not set, then multibyte characters larger than 0xFF
will be output as \f(CW\*(C`\eUXXXX\*(C'\fR for 16 bits or \f(CW\*(C`\eWXXXXXXXX\*(C'\fR for 32 bits.
In addition, any UTF8Strings will be converted to their character form first.
.IP "\fBignore_type\fR" 4
.IX Item "ignore_type"
This option does not attempt to interpret multibyte characters in any
way. That is, the content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.
.IP "\fBshow_type\fR" 4
.IX Item "show_type"
Display the type of the \s-1ASN1\s0 character string before the value,
such as \f(CW\*(C`BMPSTRING: Hello World\*(C'\fR.
.IP "\fBdump_der\fR" 4
.IX Item "dump_der"
Any fields that would be output in hex format are displayed using
the \s-1DER\s0 encoding of the field.
If not set, just the content octets are displayed.
Either way, the \fB#XXXX...\fR format of \s-1RFC 2253\s0 is used.
.IP "\fBdump_nostr\fR" 4
.IX Item "dump_nostr"
Dump non-character strings, such as \s-1ASN.1\s0 \fB\s-1OCTET STRING\s0\fR.
If this option is not set, then non character string types will be displayed
as though each content octet represents a single character.
.IP "\fBdump_all\fR" 4
.IX Item "dump_all"
Dump all fields. When this used with \fBdump_der\fR, this allows the
\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
.IP "\fBdump_unknown\fR" 4
.IX Item "dump_unknown"
Dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
Specify the field separators. The first word is used between the
Relative Distinguished Names (RDNs) and the second is between
multiple Attribute Value Assertions (AVAs). Multiple AVAs are
very rare and their use is discouraged.
The options ending in \*(L"space\*(R" additionally place a space after the separator to make it more readable.
The \fBsep_multiline\fR starts each field on its own line, and uses \*(L"plus space\*(R"
for the \s-1AVA\s0 separator.
It also indents the fields by four characters.
The default value is \fBsep_comma_plus_space\fR.
.IP "\fBdn_rev\fR" 4
.IX Item "dn_rev"
Reverse the fields of the \s-1DN\s0 as required by \s-1RFC 2253.\s0
This also reverses the order of multiple AVAs in a field, but this is
permissible as there is no ordering on values.
.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
.IX Item "nofname, sname, lname, oid"
Specify how the field name is displayed.
\&\fBnofname\fR does not display the field at all.
\&\fBsname\fR uses the \*(L"short name\*(R" form (\s-1CN\s0 for commonName for example).
\&\fBlname\fR uses the long form.
\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
diagnostic purpose.
.IP "\fBalign\fR" 4
.IX Item "align"
Align field values for a more readable output. Only usable with
\&\fBsep_multiline\fR.
.IP "\fBspace_eq\fR" 4
.IX Item "space_eq"
Places spaces round the equal sign, \f(CW\*(C`=\*(C'\fR, character which follows the field
name.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

211
openssl-install/share/man/man1/openssl-nseq.1ossl Normal file
View File

@@ -0,0 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-NSEQ 1ossl"
.TH OPENSSL-NSEQ 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-nseq \- create or examine a Netscape certificate sequence
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBnseq\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-toseq\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command takes a file containing a Netscape certificate
sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
.PP
A Netscape certificate sequence is an old Netscape-specific format that
can be sometimes be sent to browsers as an alternative to the standard PKCS#7
format when several certificates are sent to the browser, for example during
certificate enrollment. It was also used by Netscape certificate server.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read or standard input if this
option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename or standard output by default.
.IP "\fB\-toseq\fR" 4
.IX Item "-toseq"
Normally a Netscape certificate sequence will be input and the output
is the certificates contained in it. With the \fB\-toseq\fR option the
situation is reversed: a Netscape certificate sequence is created from
a file of certificates.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Output the certificates in a Netscape certificate sequence
.PP
.Vb 1
\& openssl nseq \-in nseq.pem \-out certs.pem
.Ve
.PP
Create a Netscape certificate sequence
.PP
.Vb 1
\& openssl nseq \-in certs.pem \-toseq \-out nseq.pem
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

665
openssl-install/share/man/man1/openssl-ocsp.1ossl Normal file
View File

@@ -0,0 +1,665 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-OCSP 1ossl"
.TH OPENSSL-OCSP 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ocsp \- Online Certificate Status Protocol command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.SS "\s-1OCSP\s0 Client"
.IX Subsection "OCSP Client"
\&\fBopenssl\fR \fBocsp\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-issuer\fR \fIfile\fR]
[\fB\-cert\fR \fIfile\fR]
[\fB\-no_certs\fR]
[\fB\-serial\fR \fIn\fR]
[\fB\-signer\fR \fIfile\fR]
[\fB\-signkey\fR \fIfile\fR]
[\fB\-sign_other\fR \fIfile\fR]
[\fB\-nonce\fR]
[\fB\-no_nonce\fR]
[\fB\-req_text\fR]
[\fB\-resp_text\fR]
[\fB\-text\fR]
[\fB\-reqout\fR \fIfile\fR]
[\fB\-respout\fR \fIfile\fR]
[\fB\-reqin\fR \fIfile\fR]
[\fB\-respin\fR \fIfile\fR]
[\fB\-url\fR \fI\s-1URL\s0\fR]
[\fB\-host\fR \fIhost\fR:\fIport\fR]
[\fB\-path\fR \fIpathname\fR]
[\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
[\fB\-no_proxy\fR \fIaddresses\fR]
[\fB\-header\fR]
[\fB\-timeout\fR \fIseconds\fR]
[\fB\-VAfile\fR \fIfile\fR]
[\fB\-validity_period\fR \fIn\fR]
[\fB\-status_age\fR \fIn\fR]
[\fB\-noverify\fR]
[\fB\-verify_other\fR \fIfile\fR]
[\fB\-trust_other\fR]
[\fB\-no_intern\fR]
[\fB\-no_signature_verify\fR]
[\fB\-no_cert_verify\fR]
[\fB\-no_chain\fR]
[\fB\-no_cert_checks\fR]
[\fB\-no_explicit\fR]
[\fB\-port\fR \fInum\fR]
[\fB\-ignore_err\fR]
.SS "\s-1OCSP\s0 Server"
.IX Subsection "OCSP Server"
\&\fBopenssl\fR \fBocsp\fR
[\fB\-index\fR \fIfile\fR]
[\fB\-CA\fR \fIfile\fR]
[\fB\-rsigner\fR \fIfile\fR]
[\fB\-rkey\fR \fIfile\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-rother\fR \fIfile\fR]
[\fB\-rsigopt\fR \fInm\fR:\fIv\fR]
[\fB\-rmd\fR \fIdigest\fR]
[\fB\-badsig\fR]
[\fB\-resp_no_certs\fR]
[\fB\-nmin\fR \fIn\fR]
[\fB\-ndays\fR \fIn\fR]
[\fB\-resp_key_id\fR]
[\fB\-nrequest\fR \fIn\fR]
[\fB\-multi\fR \fIprocess-count\fR]
[\fB\-rcid\fR \fIdigest\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-attime\fR \fItimestamp\fR]
[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level\fR \fInum\fR]
[\fB\-verify_depth\fR \fInum\fR]
[\fB\-verify_email\fR \fIemail\fR]
[\fB\-verify_hostname\fR \fIhostname\fR]
[\fB\-verify_ip\fR \fIip\fR]
[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
[\fB\-issuer_checks\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0).
.PP
This command performs many common \s-1OCSP\s0 tasks. It can be used
to print out requests and responses, create requests and send queries
to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
.SH "OPTIONS"
.IX Header "OPTIONS"
This command operates as either a client or a server.
The options are described below, divided into those two modes.
.SS "\s-1OCSP\s0 Client Options"
.IX Subsection "OCSP Client Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
specify output filename, default is standard output.
.IP "\fB\-issuer\fR \fIfilename\fR" 4
.IX Item "-issuer filename"
This specifies the current issuer certificate.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.Sp
This option can be used multiple times.
This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
.IP "\fB\-cert\fR \fIfilename\fR" 4
.IX Item "-cert filename"
Add the certificate \fIfilename\fR to the request.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.Sp
This option can be used multiple times.
The issuer certificate is taken from the previous \fB\-issuer\fR option,
or an error occurs if no issuer certificate is specified.
.IP "\fB\-no_certs\fR" 4
.IX Item "-no_certs"
Don't include any certificates in signed request.
.IP "\fB\-serial\fR \fInum\fR" 4
.IX Item "-serial num"
Same as the \fB\-cert\fR option except the certificate with serial number
\&\fBnum\fR is added to the request. The serial number is interpreted as a
decimal integer unless preceded by \f(CW\*(C`0x\*(C'\fR. Negative integers can also
be specified by preceding the value by a \f(CW\*(C`\-\*(C'\fR sign.
.IP "\fB\-signer\fR \fIfilename\fR, \fB\-signkey\fR \fIfilename\fR" 4
.IX Item "-signer filename, -signkey filename"
Sign the \s-1OCSP\s0 request using the certificate specified in the \fB\-signer\fR
option and the private key specified by the \fB\-signkey\fR option.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.Sp
If the \fB\-signkey\fR option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the \s-1OCSP\s0 request is not signed.
.IP "\fB\-sign_other\fR \fIfilename\fR" 4
.IX Item "-sign_other filename"
Additional certificates to include in the signed request.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
.IX Item "-nonce, -no_nonce"
Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
Normally if an \s-1OCSP\s0 request is input using the \fB\-reqin\fR option no
nonce is added: using the \fB\-nonce\fR option will force addition of a nonce.
If an \s-1OCSP\s0 request is being created (using \fB\-cert\fR and \fB\-serial\fR options)
a nonce is automatically added specifying \fB\-no_nonce\fR overrides this.
.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
.IX Item "-req_text, -resp_text, -text"
Print out the text form of the \s-1OCSP\s0 request, response or both respectively.
.IP "\fB\-reqout\fR \fIfile\fR, \fB\-respout\fR \fIfile\fR" 4
.IX Item "-reqout file, -respout file"
Write out the \s-1DER\s0 encoded certificate request or response to \fIfile\fR.
.IP "\fB\-reqin\fR \fIfile\fR, \fB\-respin\fR \fIfile\fR" 4
.IX Item "-reqin file, -respin file"
Read \s-1OCSP\s0 request or response file from \fIfile\fR. These option are ignored
if \s-1OCSP\s0 request or response creation is implied by other options (for example
with \fB\-serial\fR, \fB\-cert\fR and \fB\-host\fR options).
.IP "\fB\-url\fR \fIresponder_url\fR" 4
.IX Item "-url responder_url"
Specify the responder host and optionally port and path via a \s-1URL.\s0
Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
The optional userinfo and fragment components are ignored.
Any given query component is handled as part of the path component.
For details, see the \fB\-host\fR and \fB\-path\fR options described next.
.IP "\fB\-host\fR \fIhost\fR:\fIport\fR, \fB\-path\fR \fIpathname\fR" 4
.IX Item "-host host:port, -path pathname"
If the \fB\-host\fR option is present then the \s-1OCSP\s0 request is sent to the host
\&\fIhost\fR on port \fIport\fR.
The \fIhost\fR may be a domain name or an \s-1IP\s0 (v4 or v6) address,
such as \f(CW127.0.0.1\fR or \f(CW\*(C`[::1]\*(C'\fR for localhost.
If it is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
.Sp
The \fB\-path\fR option specifies the \s-1HTTP\s0 pathname to use or \*(L"/\*(R" by default.
This is equivalent to specifying \fB\-url\fR with scheme
http:// and the given \fIhost\fR, \fIport\fR, and optional \fIpathname\fR.
.IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
.IX Item "-proxy [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1OCSP\s0 server unless \fB\-no_proxy\fR
applies, see below.
If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
The proxy port defaults to 80 or 443 if the scheme is \f(CW\*(C`https\*(C'\fR; apart from that
the optional \f(CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored,
as well as any userinfo, path, query, and fragment components.
Defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR
in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
.IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
.IX Item "-no_proxy addresses"
List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
Default is from the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR.
.IP "\fB\-header\fR \fIname\fR=\fIvalue\fR" 4
.IX Item "-header name=value"
Adds the header \fIname\fR with the specified \fIvalue\fR to the \s-1OCSP\s0 request
that is sent to the responder.
This may be repeated.
.IP "\fB\-timeout\fR \fIseconds\fR" 4
.IX Item "-timeout seconds"
Connection timeout to the \s-1OCSP\s0 responder in seconds.
On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits
the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.
.IP "\fB\-verify_other\fR \fIfile\fR" 4
.IX Item "-verify_other file"
File or \s-1URI\s0 containing additional certificates to search
when attempting to locate
the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-trust_other\fR" 4
.IX Item "-trust_other"
The certificates specified by the \fB\-verify_other\fR option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root \s-1CA\s0 is not appropriate.
.IP "\fB\-VAfile\fR \fIfile\fR" 4
.IX Item "-VAfile file"
File or \s-1URI\s0 containing explicitly trusted responder certificates.
Equivalent to the \fB\-verify_other\fR and \fB\-trust_other\fR options.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responders certificate.
.IP "\fB\-no_intern\fR" 4
.IX Item "-no_intern"
Ignore certificates contained in the \s-1OCSP\s0 response when searching for the
signers certificate. With this option the signers certificate must be specified
with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
.IP "\fB\-no_signature_verify\fR" 4
.IX Item "-no_signature_verify"
Don't check the signature on the \s-1OCSP\s0 response. Since this option
tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be
used for testing purposes.
.IP "\fB\-no_cert_verify\fR" 4
.IX Item "-no_cert_verify"
Don't verify the \s-1OCSP\s0 response signers certificate at all. Since this
option allows the \s-1OCSP\s0 response to be signed by any certificate it should
only be used for testing purposes.
.IP "\fB\-no_chain\fR" 4
.IX Item "-no_chain"
Do not use certificates in the response as additional untrusted \s-1CA\s0
certificates.
.IP "\fB\-no_explicit\fR" 4
.IX Item "-no_explicit"
Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing.
.IP "\fB\-no_cert_checks\fR" 4
.IX Item "-no_cert_checks"
Don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
.IP "\fB\-validity_period\fR \fInsec\fR, \fB\-status_age\fR \fIage\fR" 4
.IX Item "-validity_period nsec, -status_age age"
These options specify the range of times, in seconds, which will be tolerated
in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR
time and an optional \fBnotAfter\fR time. The current time should fall between
these two values, but the interval between the two times may be only a few
seconds. In practice the \s-1OCSP\s0 responder and clients clocks may not be precisely
synchronised and so such a check may fail. To avoid this the
\&\fB\-validity_period\fR option can be used to specify an acceptable error range in
seconds, the default value is 5 minutes.
.Sp
If the \fBnotAfter\fR time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
\&\fBnotBefore\fR field is checked to see it is not older than \fIage\fR seconds old.
By default this additional check is not performed.
.IP "\fB\-rcid\fR \fIdigest\fR" 4
.IX Item "-rcid digest"
This option sets the digest algorithm to use for certificate identification
in the \s-1OCSP\s0 response. Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can
be used. The default is the same digest algorithm used in the request.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This option sets digest algorithm to use for certificate identification in the
\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used.
The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
Set various options of certificate chain verification.
See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SS "\s-1OCSP\s0 Server Options"
.IX Subsection "OCSP Server Options"
.IP "\fB\-index\fR \fIindexfile\fR" 4
.IX Item "-index indexfile"
The \fIindexfile\fR parameter is the name of a text index file in \fBca\fR
format containing certificate revocation information.
.Sp
If the \fB\-index\fR option is specified then this command switches to
responder mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using \fB\-issuer\fR
and \fB\-serial\fR options), supplied in a file (using the \fB\-reqin\fR option)
or via external \s-1OCSP\s0 clients (if \fB\-port\fR or \fB\-url\fR is specified).
.Sp
If the \fB\-index\fR option is present then the \fB\-CA\fR and \fB\-rsigner\fR options
must also be present.
.IP "\fB\-CA\fR \fIfile\fR" 4
.IX Item "-CA file"
\&\s-1CA\s0 certificates corresponding to the revocation information in the index
file given with \fB\-index\fR.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-rsigner\fR \fIfile\fR" 4
.IX Item "-rsigner file"
The certificate to sign \s-1OCSP\s0 responses with.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-rkey\fR \fIfile\fR" 4
.IX Item "-rkey file"
The private key to sign \s-1OCSP\s0 responses with: if not present the file
specified in the \fB\-rsigner\fR option is used.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-rother\fR \fIfile\fR" 4
.IX Item "-rother file"
Additional certificates to include in the \s-1OCSP\s0 response.
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-rsigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-rsigopt nm:v"
Pass options to the signature algorithm when signing \s-1OCSP\s0 responses.
Names and values of these options are algorithm-specific.
.IP "\fB\-rmd\fR \fIdigest\fR" 4
.IX Item "-rmd digest"
The digest to use when signing the response.
.IP "\fB\-badsig\fR" 4
.IX Item "-badsig"
Corrupt the response signature before writing it; this can be useful
for testing.
.IP "\fB\-resp_no_certs\fR" 4
.IX Item "-resp_no_certs"
Don't include any certificates in the \s-1OCSP\s0 response.
.IP "\fB\-resp_key_id\fR" 4
.IX Item "-resp_key_id"
Identify the signer certificate using the key \s-1ID,\s0 default is to use the
subject name.
.IP "\fB\-port\fR \fIportnum\fR" 4
.IX Item "-port portnum"
Port to listen for \s-1OCSP\s0 requests on. Both IPv4 and IPv6 are possible.
The port may also be specified using the \fB\-url\fR option.
A \f(CW0\fR argument indicates that any available port shall be chosen automatically.
.IP "\fB\-ignore_err\fR" 4
.IX Item "-ignore_err"
Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if
a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue
running instead of terminating upon receiving a malformed request.
.IP "\fB\-nrequest\fR \fInumber\fR" 4
.IX Item "-nrequest number"
The \s-1OCSP\s0 server will exit after receiving \fInumber\fR requests, default unlimited.
.IP "\fB\-multi\fR \fIprocess-count\fR" 4
.IX Item "-multi process-count"
Run the specified number of \s-1OCSP\s0 responder child processes, with the parent
process respawning child processes as needed.
Child processes will detect changes in the \s-1CA\s0 index file and automatically
reload it.
When running as a responder \fB\-timeout\fR option is recommended to limit the time
each child is willing to wait for the client's \s-1OCSP\s0 response.
This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other
required unix system-calls).
.IP "\fB\-nmin\fR \fIminutes\fR, \fB\-ndays\fR \fIdays\fR" 4
.IX Item "-nmin minutes, -ndays days"
Number of minutes or days when fresh revocation information is available:
used in the \fBnextUpdate\fR field. If neither option is present then the
\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is
immediately available.
.SH "OCSP RESPONSE VERIFICATION"
.IX Header "OCSP RESPONSE VERIFICATION"
\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
.PP
Initially the \s-1OCSP\s0 responder certificate is located and the signature on
the \s-1OCSP\s0 request checked using the responder certificate's public key.
.PP
Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the \fB\-CAfile\fR,
\&\fB\-CApath\fR or \fB\-CAstore\fR options or they will be looked for in the
standard OpenSSL certificates directory.
.PP
If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
error.
.PP
Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
.PP
Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the \s-1OCSP\s0 responder certificate then the
\&\s-1OCSP\s0 verify succeeds.
.PP
Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responders
\&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0
verify succeeds.
.PP
If none of these checks is successful then the \s-1OCSP\s0 verify fails.
.PP
What this effectively means if that if the \s-1OCSP\s0 responder certificate is
authorised directly by the \s-1CA\s0 it is issuing revocation information about
(and it is correctly configured) then verification will succeed.
.PP
If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
multiple CAs and has its own separate certificate chain then its root
\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
.PP
.Vb 1
\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem
.Ve
.PP
Alternatively the responder certificate itself can be explicitly trusted
with the \fB\-VAfile\fR option.
.SH "NOTES"
.IX Header "NOTES"
As noted, most of the verify options are for testing or debugging purposes.
Normally only the \fB\-CApath\fR, \fB\-CAfile\fR, \fB\-CAstore\fR and (if the responder
is a 'global \s-1VA\s0') \fB\-VAfile\fR options need to be used.
.PP
The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
not really usable as a full \s-1OCSP\s0 responder. It contains only a very
simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
queries. It also handles requests serially meaning it cannot respond to
new requests until it has processed the current one. The text index file
format of revocation is also inefficient for large quantities of revocation
data.
.PP
It is possible to run this command in responder mode via a \s-1CGI\s0
script using the \fB\-reqin\fR and \fB\-respout\fR options.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an \s-1OCSP\s0 request and write it to a file:
.PP
.Vb 1
\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der
.Ve
.PP
Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
.PP
.Vb 2
\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e
\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der
.Ve
.PP
Read in an \s-1OCSP\s0 response and print out text form:
.PP
.Vb 1
\& openssl ocsp \-respin resp.der \-text \-noverify
.Ve
.PP
\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
responder certificate. All requests and responses are printed to a file.
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-text \-out log.txt
.Ve
.PP
As above but exit after processing one request:
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-nrequest 1
.Ve
.PP
Query status information using an internally generated request:
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-issuer demoCA/cacert.pem \-serial 1
.Ve
.PP
Query status information using request read from a file, and write the response
to a second file.
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-reqin req.der \-respout resp.der
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

203
openssl-install/share/man/man1/openssl-passphrase-options.1ossl Normal file
View File

@@ -0,0 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PASSPHRASE-OPTIONS 1ossl"
.TH OPENSSL-PASSPHRASE-OPTIONS 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-passphrase\-options \- Pass phrase options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIoptions\fR ... ]
[ \fIparameters\fR ... ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several OpenSSL commands accept password arguments, typically using \fB\-passin\fR
and \fB\-passout\fR for input and output passwords respectively. These allow
the password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.
.PP
Note that character encoding may be relevant, please see
\&\fBpassphrase\-encoding\fR\|(7).
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Pass Phrase Option Arguments"
.IX Subsection "Pass Phrase Option Arguments"
Pass phrase arguments can be formatted as follows.
.IP "\fBpass:\fR\fIpassword\fR" 4
.IX Item "pass:password"
The actual password is \fIpassword\fR. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
.IP "\fBenv:\fR\fIvar\fR" 4
.IX Item "env:var"
Obtain the password from the environment variable \fIvar\fR. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
.IP "\fBfile:\fR\fIpathname\fR" 4
.IX Item "file:pathname"
Reads the password from the specified file \fIpathname\fR, which can be a regular
file, device, or named pipe. Only the first line, up to the newline character,
is read from the stream.
.Sp
If the same \fIpathname\fR argument is supplied to both \fB\-passin\fR and \fB\-passout\fR
arguments, the first line will be used for the input password, and the next
line will be used for the output password.
.IP "\fBfd:\fR\fInumber\fR" 4
.IX Item "fd:number"
Reads the password from the file descriptor \fInumber\fR. This can be useful for
sending data via a pipe, for example. The same line handling as described for
\&\fBfile:\fR applies to passwords read from file descriptors.
.Sp
\&\fBfd:\fR is not supported on Windows.
.IP "\fBstdin\fR" 4
.IX Item "stdin"
Reads the password from standard input. The same line handling as described for
\&\fBfile:\fR applies to passwords read from standard input.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

250
openssl-install/share/man/man1/openssl-passwd.1ossl Normal file
View File

@@ -0,0 +1,250 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PASSWD 1ossl"
.TH OPENSSL-PASSWD 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-passwd \- compute password hashes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl passwd\fR
[\fB\-help\fR]
[\fB\-1\fR]
[\fB\-apr1\fR]
[\fB\-aixmd5\fR]
[\fB\-5\fR]
[\fB\-6\fR]
[\fB\-salt\fR \fIstring\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-stdin\fR]
[\fB\-noverify\fR]
[\fB\-quiet\fR]
[\fB\-table\fR]
[\fB\-reverse\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIpassword\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option \fB\-in\fR, from stdin for
option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-1\fR" 4
.IX Item "-1"
Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR (default).
.IP "\fB\-apr1\fR" 4
.IX Item "-apr1"
Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
.IP "\fB\-aixmd5\fR" 4
.IX Item "-aixmd5"
Use the \fB\s-1AIX MD5\s0\fR algorithm (\s-1AIX\s0 variant of the \s-1BSD\s0 algorithm).
.IP "\fB\-5\fR" 4
.IX Item "-5"
.PD 0
.IP "\fB\-6\fR" 4
.IX Item "-6"
.PD
Use the \fB\s-1SHA256\s0\fR / \fB\s-1SHA512\s0\fR based algorithms defined by Ulrich Drepper.
See <https://www.akkadia.org/drepper/SHA\-crypt.txt>.
.IP "\fB\-salt\fR \fIstring\fR" 4
.IX Item "-salt string"
Use the specified salt.
When reading a password from the terminal, this implies \fB\-noverify\fR.
.IP "\fB\-in\fR \fIfile\fR" 4
.IX Item "-in file"
Read passwords from \fIfile\fR.
.IP "\fB\-stdin\fR" 4
.IX Item "-stdin"
Read passwords from \fBstdin\fR.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Don't verify when reading a password from the terminal.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Don't output warnings when passwords given at the command line are truncated.
.IP "\fB\-table\fR" 4
.IX Item "-table"
In the output list, prepend the cleartext password and a \s-1TAB\s0 character
to each password hash.
.IP "\fB\-reverse\fR" 4
.IX Item "-reverse"
When the \fB\-table\fR option is used, reverse the order of cleartext and hash.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.Vb 2
\& % openssl passwd \-1 \-salt xxxxxxxx password
\& $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
\&
\& % openssl passwd \-apr1 \-salt xxxxxxxx password
\& $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0
\&
\& % openssl passwd \-aixmd5 \-salt xxxxxxxx password
\& xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-crypt\fR option was removed in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

601
openssl-install/share/man/man1/openssl-pkcs12.1ossl Normal file
View File

@@ -0,0 +1,601 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS12 1ossl"
.TH OPENSSL-PKCS12 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs12 \- PKCS#12 file command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs12\fR
[\fB\-help\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-password\fR \fIarg\fR]
[\fB\-twopass\fR]
[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-nokeys\fR]
[\fB\-nocerts\fR]
[\fB\-noout\fR]
[\fB\-legacy\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
.PP
PKCS#12 input (parsing) options:
[\fB\-info\fR]
[\fB\-nomacver\fR]
[\fB\-clcerts\fR]
[\fB\-cacerts\fR]
.PP
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-noenc\fR]
[\fB\-nodes\fR]
.PP
PKCS#12 output (export) options:
.PP
[\fB\-export\fR]
[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-certfile\fR \fIfilename\fR]
[\fB\-passcerts\fR \fIarg\fR]
[\fB\-chain\fR]
[\fB\-untrusted\fR \fIfilename\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-name\fR \fIname\fR]
[\fB\-caname\fR \fIname\fR]
[\fB\-CSP\fR \fIname\fR]
[\fB\-LMK\fR]
[\fB\-keyex\fR]
[\fB\-keysig\fR]
[\fB\-keypbe\fR \fIcipher\fR]
[\fB\-certpbe\fR \fIcipher\fR]
[\fB\-descert\fR]
[\fB\-macalg\fR \fIdigest\fR]
[\fB\-pbmac1_pbkdf2\fR]
[\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR]
[\fB\-iter\fR \fIcount\fR]
[\fB\-noiter\fR]
[\fB\-nomaciter\fR]
[\fB\-maciter\fR]
[\fB\-macsaltlen\fR]
[\fB\-nomac\fR]
[\fB\-jdktrust\fR \fIusage\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command allows PKCS#12 files (sometimes referred to as
\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed.
A PKCS#12 file can be created by using the \fB\-export\fR option (see below).
The PKCS#12 export encryption and \s-1MAC\s0 options such as \fB\-certpbe\fR and \fB\-iter\fR
and many further options such as \fB\-chain\fR are relevant only with \fB\-export\fR.
Conversely, the options regarding encryption of private keys when outputting
PKCS#12 input are relevant only when the \fB\-export\fR option is not given.
.PP
The default encryption algorithm is \s-1AES\-256\-CBC\s0 with \s-1PBKDF2\s0 for key derivation.
.PP
When encountering problems loading legacy PKCS#12 files that involve,
for example, \s-1RC2\-40\-CBC,\s0
try using the \fB\-legacy\fR option and, if needed, the \fB\-provider\-path\fR option.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The password source for the input, and for encrypting any private keys that
are output.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The password source for output files.
.IP "\fB\-password\fR \fIarg\fR" 4
.IX Item "-password arg"
With \fB\-export\fR, \fB\-password\fR is equivalent to \fB\-passout\fR,
otherwise it is equivalent to \fB\-passin\fR.
.IP "\fB\-twopass\fR" 4
.IX Item "-twopass"
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable. Cannot be used in combination with the options
\&\fB\-password\fR, \fB\-passin\fR if importing from PKCS#12, or \fB\-passout\fR if exporting.
.IP "\fB\-nokeys\fR" 4
.IX Item "-nokeys"
No private keys will be output.
.IP "\fB\-nocerts\fR" 4
.IX Item "-nocerts"
No certificates will be output.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits all credentials output,
and so the input is just verified.
.IP "\fB\-legacy\fR" 4
.IX Item "-legacy"
Use legacy mode of operation and automatically load the legacy provider.
If OpenSSL is not installed system-wide,
it is necessary to also use, for example, \f(CW\*(C`\-provider\-path ./providers\*(C'\fR
or to set the environment variable \fB\s-1OPENSSL_MODULES\s0\fR
to point to the directory where the providers can be found.
.Sp
In the legacy mode, the default algorithm for certificate encryption
is \s-1RC2_CBC\s0 or 3DES_CBC depending on whether the \s-1RC2\s0 cipher is enabled
in the build. The default algorithm for private key encryption is 3DES_CBC.
If the legacy option is not specified, then the legacy provider is not loaded
and the default encryption algorithm for both certificates and private keys is
\&\s-1AES_256_CBC\s0 with \s-1PBKDF2\s0 for key derivation.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.SS "PKCS#12 input (parsing) options"
.IX Subsection "PKCS#12 input (parsing) options"
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input filename or \s-1URI.\s0
Standard input is used by default.
Without the \fB\-export\fR option this must be PKCS#12 file to be parsed.
For use with the \fB\-export\fR option
see the \*(L"PKCS#12 output (export) options\*(R" section.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The filename to write certificates and private keys to, standard output by
default. They are all written in \s-1PEM\s0 format.
.IP "\fB\-info\fR" 4
.IX Item "-info"
Output additional information about the PKCS#12 file structure, algorithms
used and iteration counts.
.IP "\fB\-nomacver\fR" 4
.IX Item "-nomacver"
Don't attempt to verify the integrity \s-1MAC.\s0
.IP "\fB\-clcerts\fR" 4
.IX Item "-clcerts"
Only output client certificates (not \s-1CA\s0 certificates).
.IP "\fB\-cacerts\fR" 4
.IX Item "-cacerts"
Only output \s-1CA\s0 certificates (not client certificates).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
.IX Item "-aes128, -aes192, -aes256"
Use \s-1AES\s0 to encrypt private keys before outputting.
.IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4
.IX Item "-aria128, -aria192, -aria256"
Use \s-1ARIA\s0 to encrypt private keys before outputting.
.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
.IX Item "-camellia128, -camellia192, -camellia256"
Use Camellia to encrypt private keys before outputting.
.IP "\fB\-des\fR" 4
.IX Item "-des"
Use \s-1DES\s0 to encrypt private keys before outputting.
.IP "\fB\-des3\fR" 4
.IX Item "-des3"
Use triple \s-1DES\s0 to encrypt private keys before outputting.
.IP "\fB\-idea\fR" 4
.IX Item "-idea"
Use \s-1IDEA\s0 to encrypt private keys before outputting.
.IP "\fB\-noenc\fR" 4
.IX Item "-noenc"
Don't encrypt private keys at all.
.IP "\fB\-nodes\fR" 4
.IX Item "-nodes"
This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
.SS "PKCS#12 output (export) options"
.IX Subsection "PKCS#12 output (export) options"
.IP "\fB\-export\fR" 4
.IX Item "-export"
This option specifies that a PKCS#12 file will be created rather than
parsed.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies filename to write the PKCS#12 file to. Standard output is used
by default.
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input filename or \s-1URI.\s0
Standard input is used by default.
With the \fB\-export\fR option this is a file with certificates and a key,
or a \s-1URI\s0 that refers to a key accessed via an engine.
The order of credentials in a file doesn't matter but one private key and
its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 output file.
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-inkey filename|uri"
The private key input for \s-1PKCS12\s0 output.
If this option is not specified then the input file (\fB\-in\fR argument) must
contain a private key.
If no engine is used, the argument is taken as a file.
If the \fB\-engine\fR option is used or the \s-1URI\s0 has prefix \f(CW\*(C`org.openssl.engine:\*(C'\fR
then the rest of the \s-1URI\s0 is taken as key identifier for the given engine.
.IP "\fB\-certfile\fR \fIfilename\fR" 4
.IX Item "-certfile filename"
An input file with extra certificates to be added to the PKCS#12 output
if the \fB\-export\fR option is given.
.IP "\fB\-passcerts\fR \fIarg\fR" 4
.IX Item "-passcerts arg"
The password source for certificate input such as \fB\-certfile\fR
and \fB\-untrusted\fR.
For more information about the format of \fBarg\fR see
\&\fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-chain\fR" 4
.IX Item "-chain"
If this option is present then the certificate chain of the end entity
certificate is built and included in the PKCS#12 output file.
The end entity certificate is the first one read from the \fB\-in\fR file
if no key is given, else the first certificate matching the given key.
The standard \s-1CA\s0 trust store is used for chain building,
as well as any untrusted \s-1CA\s0 certificates given with the \fB\-untrusted\fR option.
.IP "\fB\-untrusted\fR \fIfilename\fR" 4
.IX Item "-untrusted filename"
An input file of untrusted certificates that may be used
for chain building, which is relevant only when a PKCS#12 file is created
with the \fB\-export\fR option and the \fB\-chain\fR option is given as well.
Any certificates that are actually part of the chain are added to the output.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-name\fR \fIfriendlyname\fR" 4
.IX Item "-name friendlyname"
This specifies the \*(L"friendly name\*(R" for the certificates and private key. This
name is typically displayed in list boxes by software importing the file.
.IP "\fB\-caname\fR \fIfriendlyname\fR" 4
.IX Item "-caname friendlyname"
This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
displays them.
.IP "\fB\-CSP\fR \fIname\fR" 4
.IX Item "-CSP name"
Write \fIname\fR as a Microsoft \s-1CSP\s0 name.
The password source for the input, and for encrypting any private keys that
are output.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-LMK\fR" 4
.IX Item "-LMK"
Add the \*(L"Local Key Set\*(R" identifier to the attributes.
.IP "\fB\-keyex\fR|\fB\-keysig\fR" 4
.IX Item "-keyex|-keysig"
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
option marks the key for signing only. Signing only keys can be used for
S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
authentication, however, due to a bug only \s-1MSIE 5.0\s0 and later support
the use of signing only keys for \s-1SSL\s0 client authentication.
.IP "\fB\-keypbe\fR \fIalg\fR, \fB\-certpbe\fR \fIalg\fR" 4
.IX Item "-keypbe alg, -certpbe alg"
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
can be used (see \*(L"\s-1NOTES\*(R"\s0 section for more information). If a cipher name
(as output by \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR) is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
.Sp
Special value \f(CW\*(C`NONE\*(C'\fR disables encryption of the private key and certificates.
.IP "\fB\-descert\fR" 4
.IX Item "-descert"
Encrypt the certificates using triple \s-1DES.\s0 By default the private
key and the certificates are encrypted using \s-1AES\-256\-CBC\s0 unless
the '\-legacy' option is used. If '\-descert' is used with the '\-legacy'
then both, the private key and the certificates are encrypted using triple \s-1DES.\s0
.IP "\fB\-macalg\fR \fIdigest\fR" 4
.IX Item "-macalg digest"
Specify the \s-1MAC\s0 digest algorithm. If not included \s-1SHA256\s0 will be used.
.IP "\fB\-pbmac1_pbkdf2\fR" 4
.IX Item "-pbmac1_pbkdf2"
Use \s-1PBMAC1\s0 with \s-1PBKDF2\s0 for \s-1MAC\s0 protection of the PKCS#12 file.
.IP "\fB\-pbmac1_pbkdf2_md\fR \fIdigest\fR" 4
.IX Item "-pbmac1_pbkdf2_md digest"
Specify the \s-1PBKDF2 KDF\s0 digest algorithm. If not specified, \s-1SHA256\s0 will be used.
Unless \f(CW\*(C`\-pbmac1_pbkdf2\*(C'\fR is specified, this parameter is ignored.
.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
This option specifies the iteration count for the encryption key and \s-1MAC.\s0 The
default value is 2048.
.Sp
To discourage attacks by using large dictionaries of common passwords the
algorithm that derives keys from passwords can have an iteration count applied
to it: this causes a certain part of the algorithm to be repeated and slows it
down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
have the same password as the keys and certificates it could also be attacked.
.IP "\fB\-noiter\fR, \fB\-nomaciter\fR" 4
.IX Item "-noiter, -nomaciter"
By default both encryption and \s-1MAC\s0 iteration counts are set to 2048, using
these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
this reduces the file security you should not use these options unless you
really have to. Most software supports both \s-1MAC\s0 and encryption iteration counts.
\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
option.
.IP "\fB\-maciter\fR" 4
.IX Item "-maciter"
This option is included for compatibility with previous versions, it used
to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
.IP "\fB\-macsaltlen\fR" 4
.IX Item "-macsaltlen"
This option specifies the salt length in bytes for the \s-1MAC.\s0 The salt length
should be at least 16 bytes as per \s-1NIST SP 800\-132.\s0 The default value
is 8 bytes for backwards compatibility.
.IP "\fB\-nomac\fR" 4
.IX Item "-nomac"
Do not attempt to provide the \s-1MAC\s0 integrity. This can be useful with the \s-1FIPS\s0
provider as the \s-1PKCS12 MAC\s0 requires \s-1PKCS12KDF\s0 which is not an approved \s-1FIPS\s0
algorithm and cannot be supported by the \s-1FIPS\s0 provider.
.IP "\fB\-jdktrust\fR" 4
.IX Item "-jdktrust"
Export pkcs12 file in a format compatible with Java keystore usage. This option
accepts a string parameter indicating the trust oid name to be granted to the
certificate it is associated with. Currently only \*(L"anyExtendedKeyUsage\*(R" is
defined. Note that, as Java keystores do not accept \s-1PKCS12\s0 files with both
trusted certificates and keypairs, use of this option implies the setting of the
\&\fB\-nokeys\fR option
.SH "NOTES"
.IX Header "NOTES"
Although there are a large number of options most of them are very rarely
used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
.PP
If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
then all certificates will be output in the order they appear in the input
PKCS#12 files. There is no guarantee that the first certificate present is
the one corresponding to the private key.
Certain software which tries to get a private key and the corresponding
certificate might assume that the first certificate in the file is the one
corresponding to the private key, but that may not always be the case.
Using the \fB\-clcerts\fR option will solve this problem by only
outputting the certificate corresponding to the private key. If the \s-1CA\s0
certificates are required then they can be output to a separate file using
the \fB\-nokeys\fR \fB\-cacerts\fR options to just output \s-1CA\s0 certificates.
.PP
The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple \s-1DES\s0
encrypted private keys, then the option \fB\-keypbe\fR \fI\s-1PBE\-SHA1\-RC2\-40\s0\fR can
be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
description of all algorithms is contained in \fBopenssl\-pkcs8\fR\|(1).
.PP
Prior 1.1 release passwords containing non-ASCII characters were encoded
in non-compliant manner, which limited interoperability, in first hand
with Windows. But switching to standard-compliant password encoding
poses problem accessing old data protected with broken encoding. For
this reason even legacy encodings is attempted when reading the
data. If you use PKCS#12 files in production application you are advised
to convert the data, because implemented heuristic approach is not
MT-safe, its sole goal is to facilitate the data upgrade with this
command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Parse a PKCS#12 file and output it to a \s-1PEM\s0 file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem
.Ve
.PP
Output only client certificates to a file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
.Ve
.PP
Don't encrypt the private key:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem \-noenc
.Ve
.PP
Print some info about a PKCS#12 file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-info \-noout
.Ve
.PP
Print some info about a PKCS#12 file in legacy mode:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-info \-noout \-legacy
.Ve
.PP
Create a PKCS#12 file from a \s-1PEM\s0 file that may contain a key and certificates:
.PP
.Vb 1
\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE"
.Ve
.PP
Include some extra certificates:
.PP
.Vb 2
\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My PSE" \e
\& \-certfile othercerts.pem
.Ve
.PP
Export a PKCS#12 file with data from a certificate \s-1PEM\s0 file and from a further
\&\s-1PEM\s0 file containing a key, with default algorithms as in the legacy provider:
.PP
.Vb 1
\& openssl pkcs12 \-export \-in cert.pem \-inkey key.pem \-out file.p12 \-legacy
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
The \fB\-nodes\fR option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

243
openssl-install/share/man/man1/openssl-pkcs7.1ossl Normal file
View File

@@ -0,0 +1,243 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS7 1ossl"
.TH OPENSSL-PKCS7 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs7 \- PKCS#7 command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs7\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-print\fR]
[\fB\-print_certs\fR]
[\fB\-quiet\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes PKCS#7 files. Note that it only understands PKCS#7
v 1.5 as specified in \s-1IETF RFC 2315.\s0 It cannot currently parse \s-1CMS\s0 as
described in \s-1IETF RFC 2630.\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM, -outform DER|PEM"
The input and formats; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
The data is a PKCS#7 Version 1.5 structure.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-print\fR" 4
.IX Item "-print"
Print out the full \s-1PKCS7\s0 object.
.IP "\fB\-print_certs\fR" 4
.IX Item "-print_certs"
Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
When used with \-print_certs, prints out just the PEM-encoded
certificates without any other output.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out certificate details in full rather than just subject and
issuer names.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the PKCS#7 structure (or certificates
if \fB\-print_certs\fR is set).
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
.PP
.Vb 1
\& openssl pkcs7 \-in file.pem \-outform DER \-out file.der
.Ve
.PP
Output all certificates in a file:
.PP
.Vb 1
\& openssl pkcs7 \-in file.pem \-print_certs \-out certs.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-crl2pkcs7\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

424
openssl-install/share/man/man1/openssl-pkcs8.1ossl Normal file
View File

@@ -0,0 +1,424 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKCS8 1ossl"
.TH OPENSSL-PKCS8 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs8 \- PKCS#8 format private key conversion command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs8\fR
[\fB\-help\fR]
[\fB\-topk8\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-iter\fR \fIcount\fR]
[\fB\-noiter\fR]
[\fB\-nocrypt\fR]
[\fB\-traditional\fR]
[\fB\-v2\fR \fIalg\fR]
[\fB\-v2prf\fR \fIalg\fR]
[\fB\-v1\fR \fIalg\fR]
[\fB\-scrypt\fR]
[\fB\-scrypt_N\fR \fIN\fR]
[\fB\-scrypt_r\fR \fIr\fR]
[\fB\-scrypt_p\fR \fIp\fR]
[\fB\-saltlen\fR \fIsize\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes private keys in PKCS#8 format. It can handle
both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-topk8\fR" 4
.IX Item "-topk8"
Normally a PKCS#8 private key is expected on input and a private key will be
written to the output file. With the \fB\-topk8\fR option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM, -outform DER|PEM"
The input and formats; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is
not used) then the input file must be in PKCS#8 format. An encrypted
key is expected unless \fB\-nocrypt\fR is included.
.Sp
If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an
unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is
used then a traditional format private key is written instead.
.Sp
If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an
unencrypted private key in traditional \s-1DER\s0 format.
.Sp
If \fB\-topk8\fR is used then any supported private key can be used for the input
file in a format specified by \fB\-inform\fR. The output file will be encrypted
PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR
is included.
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
When this option is present and \fB\-topk8\fR is not a traditional format private
key is written.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
.IX Item "-passin arg, -passout arg"
The password source for the input and output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
default. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-iter\fR \fIcount\fR" 4
.IX Item "-iter count"
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
High values increase the time required to brute-force a PKCS#8 container.
.IP "\fB\-noiter\fR" 4
.IX Item "-noiter"
When creating new PKCS#8 containers, use 1 as iteration count.
.IP "\fB\-nocrypt\fR" 4
.IX Item "-nocrypt"
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
structures using an appropriate password based encryption algorithm. With
this option an unencrypted PrivateKeyInfo structure is expected or output.
This option does not encrypt private keys at all and should only be used
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
.IP "\fB\-v2\fR \fIalg\fR" 4
.IX Item "-v2 alg"
This option sets the PKCS#5 v2.0 algorithm.
.Sp
The \fIalg\fR argument is the encryption algorithm to use, valid values include
\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR
is used.
.IP "\fB\-v2prf\fR \fIalg\fR" 4
.IX Item "-v2prf alg"
This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value
value would be \fBhmacWithSHA256\fR. If this option isn't set then the default
for the cipher is used or \fBhmacWithSHA256\fR if there is no default.
.Sp
Some implementations may not support custom \s-1PRF\s0 algorithms and may require
the \fBhmacWithSHA1\fR option to work.
.IP "\fB\-v1\fR \fIalg\fR" 4
.IX Item "-v1 alg"
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
.IP "\fB\-scrypt\fR" 4
.IX Item "-scrypt"
Uses the \fBscrypt\fR algorithm for private key encryption using default
parameters: currently N=16384, r=8 and p=1 and \s-1AES\s0 in \s-1CBC\s0 mode with a 256 bit
key. These parameters can be modified using the \fB\-scrypt_N\fR, \fB\-scrypt_r\fR,
\&\fB\-scrypt_p\fR and \fB\-v2\fR options.
.IP "\fB\-scrypt_N\fR \fIN\fR, \fB\-scrypt_r\fR \fIr\fR, \fB\-scrypt_p\fR \fIp\fR" 4
.IX Item "-scrypt_N N, -scrypt_r r, -scrypt_p p"
Sets the scrypt \fIN\fR, \fIr\fR or \fIp\fR parameters.
.IP "\fB\-saltlen\fR" 4
.IX Item "-saltlen"
Sets the length (in bytes) of the salt to use for the \s-1PBE\s0 algorithm.
If this value is not specified, the default for \s-1PBES2\s0 is 16 (128 bits)
and 8 (64 bits) for \s-1PBES1.\s0
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
\&\s-1AES\s0 with \s-1HMAC\s0 and \s-1SHA256\s0 is used.
.PP
Some older implementations do not support PKCS#5 v2.0 format and require
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit \s-1DES.\s0
.PP
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
important the keys should be converted.
.PP
It is possible to write out \s-1DER\s0 encoded encrypted private keys in
PKCS#8 format because the encryption details are included at an \s-1ASN1\s0
level whereas the traditional format includes them at a \s-1PEM\s0 level.
.SH "PKCS#5 V1.5 AND PKCS#12 ALGORITHMS"
.IX Header "PKCS#5 V1.5 AND PKCS#12 ALGORITHMS"
Various algorithms can be used with the \fB\-v1\fR command line option,
including PKCS#5 v1.5 and PKCS#12. These are described in more detail
below.
.IP "\fB\s-1PBE\-MD2\-DES PBE\-MD5\-DES\s0\fR" 4
.IX Item "PBE-MD2-DES PBE-MD5-DES"
These algorithms were included in the original PKCS#5 v1.5 specification.
They only offer 56 bits of protection since they both use \s-1DES.\s0
.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0\fR, \fB\s-1PBE\-MD2\-RC2\-64\s0\fR, \fB\s-1PBE\-MD5\-RC2\-64\s0\fR, \fB\s-1PBE\-SHA1\-DES\s0\fR" 4
.IX Item "PBE-SHA1-RC2-64, PBE-MD2-RC2-64, PBE-MD5-RC2-64, PBE-SHA1-DES"
These algorithms are not mentioned in the original PKCS#5 v1.5 specification
but they use the same key derivation algorithm and are supported by some
software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
56 bit \s-1DES.\s0
.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC4\-40\s0\fR, \fB\s-1PBE\-SHA1\-3DES\s0\fR, \fB\s-1PBE\-SHA1\-2DES\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-40\s0\fR" 4
.IX Item "PBE-SHA1-RC4-128, PBE-SHA1-RC4-40, PBE-SHA1-3DES, PBE-SHA1-2DES, PBE-SHA1-RC2-128, PBE-SHA1-RC2-40"
These algorithms use the PKCS#12 password based encryption algorithm and
allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a private key to PKCS#8 format using default parameters (\s-1AES\s0 with
256 bit key and \fBhmacWithSHA256\fR):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 unencrypted format:
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-nocrypt \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#5 v2.0 format using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#5 v2.0 format using \s-1AES\s0 with 256 bits in \s-1CBC\s0
mode and \fBhmacWithSHA512\fR \s-1PRF:\s0
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA512 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(\s-1DES\s0):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v1 PBE\-MD5\-DES \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
(3DES):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem \-v1 PBE\-SHA1\-3DES
.Ve
.PP
Read a \s-1DER\s0 unencrypted PKCS#8 format private key:
.PP
.Vb 1
\& openssl pkcs8 \-inform DER \-nocrypt \-in key.der \-out key.pem
.Ve
.PP
Convert a private key from any PKCS#8 encrypted format to traditional format:
.PP
.Vb 1
\& openssl pkcs8 \-in pk8.pem \-traditional \-out key.pem
.Ve
.PP
Convert a private key to PKCS#8 format, encrypting with \s-1AES\-256\s0 and with
one million iterations of the password:
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-iter 1000000 \-out pk8.pem
.Ve
.SH "STANDARDS"
.IX Header "STANDARDS"
Test vectors from this PKCS#5 v2.0 implementation were posted to the
pkcs-tng mailing list using triple \s-1DES, DES\s0 and \s-1RC2\s0 with high iteration
counts, several people confirmed that they could decrypt the private
keys produced and therefore, it can be assumed that the PKCS#5 v2.0
implementation is reasonably accurate at least as far as these
algorithms are concerned.
.PP
The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
PKCS#8 private key format complies with this standard.
.SH "BUGS"
.IX Header "BUGS"
There should be an option that prints out the encryption algorithm
in use and other details such as the iteration count.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-iter\fR option was added in OpenSSL 1.1.0.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

361
openssl-install/share/man/man1/openssl-pkey.1ossl Normal file
View File

@@ -0,0 +1,361 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEY 1ossl"
.TH OPENSSL-PKEY 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkey \- public or private key processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkey\fR
[\fB\-help\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-check\fR]
[\fB\-pubcheck\fR]
[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-pubin\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-traditional\fR]
[\fB\-pubout\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-text_pub\fR]
[\fB\-ec_conv_form\fR \fIarg\fR]
[\fB\-ec_param_enc\fR \fIarg\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes public or private keys. They can be
converted between various forms and their components printed.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "General options"
.IX Subsection "General options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of a key pair for both public and private
components.
.IP "\fB\-pubcheck\fR" 4
.IX Item "-pubcheck"
This option checks the correctness of either a public key
or the public component of a key pair.
.SS "Input options"
.IX Subsection "Input options"
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input to read a key from
or standard input if this option is not specified.
If the key input is encrypted and \fB\-passin\fR is not given
a pass phrase will be prompted for.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-inform DER|PEM|P12|ENGINE"
The key input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The password source for the key input.
.Sp
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.SS "Output options"
.IX Subsection "Output options"
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to save the encoded and/or text output of key
or standard output if this option is not specified.
If any cipher option is set but no \fB\-passout\fR is given
then a pass phrase will be prompted for.
The output filename should \fBnot\fR be the same as the input filename.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The key output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
Encrypt the \s-1PEM\s0 encoded private key with the supplied cipher. Any algorithm
name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBaes128\fR.
Encryption is not supported for \s-1DER\s0 output.
.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The password source for the output file.
.Sp
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the \fB\-traditional\fR
option is specified then the older \*(L"traditional\*(R" format is used instead.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default the private and public key is output;
this option restricts the output to the public components.
This option is automatically set if the input is a public key.
.Sp
When combined with \fB\-text\fR, this is equivalent to \fB\-text_pub\fR.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Do not output the key in encoded form.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Output the various key components in plain text
(possibly in addition to the \s-1PEM\s0 encoded form).
This cannot be combined with encoded output in \s-1DER\s0 format.
.IP "\fB\-text_pub\fR" 4
.IX Item "-text_pub"
Output in text form only the public key components (also for private keys).
This cannot be combined with encoded output in \s-1DER\s0 format.
.IP "\fB\-ec_conv_form\fR \fIarg\fR" 4
.IX Item "-ec_conv_form arg"
This option only applies to elliptic-curve based keys.
.Sp
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR (the default
value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
.IP "\fB\-ec_param_enc\fR \fIarg\fR" 4
.IX Item "-ec_param_enc arg"
This option only applies to elliptic curve based public and private keys.
.Sp
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
explicitly given (see \s-1RFC 3279\s0 for the definition of the
\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
is currently not implemented in OpenSSL.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To remove the pass phrase on a private key:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl pkey \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-text \-noout
.Ve
.PP
To print out the public components of a private key to standard output:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-text_pub \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem
.Ve
.PP
To change the \s-1EC\s0 parameters encoding to \fBexplicit\fR:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-ec_param_enc explicit \-out keyout.pem
.Ve
.PP
To change the \s-1EC\s0 point conversion form to \fBcompressed\fR:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-ec_conv_form compressed \-out keyout.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

225
openssl-install/share/man/man1/openssl-pkeyparam.1ossl Normal file
View File

@@ -0,0 +1,225 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEYPARAM 1ossl"
.TH OPENSSL-PKEYPARAM 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkeyparam \- public key algorithm parameter processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyparam\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-check\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes public key algorithm parameters.
They can be checked for correctness and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write parameters to or standard output if
this option is not specified.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the parameters in plain text in addition to the encoded version.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Do not output the encoded version of the parameters.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the correctness of parameters.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out text version of parameters:
.PP
.Vb 1
\& openssl pkeyparam \-in param.pem \-text
.Ve
.SH "NOTES"
.IX Header "NOTES"
There are no \fB\-inform\fR or \fB\-outform\fR options for this command because only
\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

615
openssl-install/share/man/man1/openssl-pkeyutl.1ossl Normal file
View File

@@ -0,0 +1,615 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PKEYUTL 1ossl"
.TH OPENSSL-PKEYUTL 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkeyutl \- asymmetric key command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyutl\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-rawin\fR]
[\fB\-digest\fR \fIalgorithm\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-secret\fR \fIfile\fR]
[\fB\-sigfile\fR \fIfile\fR]
[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-rev\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-verifyrecover\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-derive\fR]
[\fB\-peerkey\fR \fIfile\fR]
[\fB\-peerform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-encap\fR]
[\fB\-decap\fR]
[\fB\-kdf\fR \fIalgorithm\fR]
[\fB\-kdflen\fR \fIlength\fR]
[\fB\-kemop\fR \fIoperation\fR]
[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
[\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-engine_impl\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-config\fR \fIconfigfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command can be used to perform low-level operations
on asymmetric (public or private) keys using any supported algorithm.
.PP
By default the signing operation (see \fB\-sign\fR option) is assumed.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
.IP "\fB\-rawin\fR" 4
.IX Item "-rawin"
This indicates that the signature or verification input data is raw data,
which is not hashed by any message digest algorithm.
Except with EdDSA,
the user can specify a digest algorithm by using the \fB\-digest\fR option.
For signature algorithms like \s-1RSA, DSA\s0 and \s-1ECDSA,\s0
the default digest algorithm is \s-1SHA256.\s0 For \s-1SM2,\s0 it is \s-1SM3.\s0
.Sp
This option can only be used with \fB\-sign\fR and \fB\-verify\fR.
For EdDSA (the Ed25519 and Ed448 algorithms) this option is required.
.IP "\fB\-digest\fR \fIalgorithm\fR" 4
.IX Item "-digest algorithm"
This option can only be used with \fB\-sign\fR and \fB\-verify\fR.
It specifies the digest algorithm that is used to hash the input data
before signing or verifying it with the input key. This option could be omitted
if the signature algorithm does not require preprocessing the input through
a pluggable hash function before signing (for instance, EdDSA). If this option
is omitted but the signature algorithm requires one and the \fB\-rawin\fR option
is given, a default value will be used (see \fB\-rawin\fR for details).
If this option is present, then the \fB\-rawin\fR option is required.
.Sp
At this time, HashEdDSA (the ph or \*(L"prehash\*(R" variant of EdDSA) is not supported,
so the \fB\-digest\fR option cannot be used with EdDSA.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by default.
.IP "\fB\-secret\fR \fIfilename\fR" 4
.IX Item "-secret filename"
Specifies the output filename to write the secret to on \fI\-encap\fR.
.IP "\fB\-sigfile\fR \fIfile\fR" 4
.IX Item "-sigfile file"
Signature file, required and allowed for \fB\-verify\fR operations only.
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-inkey filename|uri"
The input key, by default it should be a private key.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The input key password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the key input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.IP "\fB\-certin\fR" 4
.IX Item "-certin"
The input is a certificate containing a public key.
.IP "\fB\-rev\fR" 4
.IX Item "-rev"
Reverse the order of the input buffer. This is useful for some libraries
(such as CryptoAPI) which represent the buffer in little-endian format.
This cannot be used in conjunction with \fB\-rawin\fR.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign the input data and output the signed result. This requires a private key.
Using a message digest operation along with this is recommended,
when applicable, see the \fB\-rawin\fR and \fB\-digest\fR options for details.
Otherwise, the input data given with the \fB\-in\fR option is assumed to already
be a digest, but this may then require an additional \fB\-pkeyopt\fR \f(CW\*(C`digest:\*(C'\fR\fImd\fR
in some cases (e.g., \s-1RSA\s0 with the default PKCS#1 padding mode).
Even for other algorithms like \s-1ECDSA,\s0 where the additional \fB\-pkeyopt\fR option
does not affect signature output, it is recommended, as it enables
checking that the input length is consistent with the intended digest.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify the input data against the signature given with the \fB\-sigfile\fR option
and indicate if the verification succeeded or failed.
The input data given with the \fB\-in\fR option is assumed to be a hash value
unless the \fB\-rawin\fR option is specified or implied.
With raw data, when a digest algorithm is applicable, though it may be inferred
from the signature or take a default value, it should also be specified.
.IP "\fB\-verifyrecover\fR" 4
.IX Item "-verifyrecover"
Verify the given signature and output the recovered data (signature payload).
For example, in case of \s-1RSA\s0 PKCS#1 the recovered data is the \fBEMSA\-PKCS\-v1_5\fR
\&\s-1DER\s0 encoding of the digest algorithm \s-1OID\s0 and value as specified in
\&\s-1RFC8017\s0 Section 9.2 <https://datatracker.ietf.org/doc/html/rfc8017#section-9.2>.
.Sp
Note that here the input given with the \fB\-in\fR option is not a signature input
(as with the \fB\-sign\fR and \fB\-verify\fR options) but a signature output value,
typically produced using the \fB\-sign\fR option.
.Sp
This option is available only for use with \s-1RSA\s0 keys.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt the input data using a public key.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt the input data using a private key.
.IP "\fB\-derive\fR" 4
.IX Item "-derive"
Derive a shared secret using own private (\s-1EC\s0)DH key and peer key.
.IP "\fB\-peerkey\fR \fIfile\fR" 4
.IX Item "-peerkey file"
File containing the peer public or private (\s-1EC\s0)DH key
to use with the key derivation (agreement) operation.
Its type must match the type of the own private key given with \fB\-inkey\fR.
.IP "\fB\-peerform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-peerform DER|PEM|P12|ENGINE"
The peer key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-encap\fR" 4
.IX Item "-encap"
Encapsulate a generated secret using a private key.
The encapsulated result (binary data) is written to standard output by default,
or else to the file specified with \fI\-out\fR.
The \fI\-secret\fR option must also be provided to specify the output file for the
secret value generated in the encapsulation process.
.IP "\fB\-decap\fR" 4
.IX Item "-decap"
Decapsulate the secret using a private key.
The result (binary data) is written to standard output by default, or else to
the file specified with \fI\-out\fR.
.IP "\fB\-kemop\fR \fIoperation\fR" 4
.IX Item "-kemop operation"
This option is used for \fI\-encap\fR/\fI\-decap\fR commands and specifies the \s-1KEM\s0
operation specific for the key algorithm when there is no default \s-1KEM\s0
operation.
If the algorithm has the default \s-1KEM\s0 operation, this option can be omitted.
.Sp
See \fBEVP_PKEY_CTX_set_kem_op\fR\|(3) and algorithm-specific \s-1KEM\s0 documentation e.g.
\&\s-1\fBEVP_KEM\-RSA\s0\fR\|(7), \s-1\fBEVP_KEM\-EC\s0\fR\|(7), \s-1\fBEVP_KEM\-X25519\s0\fR\|(7), and
\&\s-1\fBEVP_KEM\-X448\s0\fR\|(7).
.IP "\fB\-kdf\fR \fIalgorithm\fR" 4
.IX Item "-kdf algorithm"
Use key derivation function \fIalgorithm\fR. The supported algorithms are
at present \fB\s-1TLS1\-PRF\s0\fR and \fB\s-1HKDF\s0\fR.
Note: additional parameters and the \s-1KDF\s0 output length will normally have to be
set for this to work.
See \fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3) and \fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3)
for the supported string parameters of each algorithm.
.IP "\fB\-kdflen\fR \fIlength\fR" 4
.IX Item "-kdflen length"
Set the output length for \s-1KDF.\s0
.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
Public key options specified as opt:value. See \s-1NOTES\s0 below for more details.
.IP "\fB\-pkeyopt_passin\fR \fIopt\fR[:\fIpassarg\fR]" 4
.IX Item "-pkeyopt_passin opt[:passarg]"
Allows reading a public key option \fIopt\fR from stdin or a password source.
If only \fIopt\fR is specified, the user will be prompted to enter a password on
stdin. Alternatively, \fIpassarg\fR can be specified which can be any value
supported by \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
hex dump the output data.
.IP "\fB\-asn1parse\fR" 4
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data to check its \s-1DER\s0 encoding and print any errors.
When combined with the \fB\-verifyrecover\fR option, this may be useful in case
an \s-1ASN.1\s0 DER-encoded structure had been signed directly (without hashing it)
and when checking a signature in PKCS#1 v1.5 format, which has a \s-1DER\s0 encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-engine_impl\fR" 4
.IX Item "-engine_impl"
When used with the \fB\-engine\fR option, it specifies to also use
engine \fIid\fR for crypto operations.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.SH "NOTES"
.IX Header "NOTES"
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
.PP
Unless otherwise mentioned, the \fB\-pkeyopt\fR option supports
for all public-key types the \f(CW\*(C`digest:\*(C'\fR\fIalg\fR argument,
which specifies the digest in use for the signing and verification operations.
The value \fIalg\fR should represent a digest name as used in the
\&\fBEVP_get_digestbyname()\fR function for example \fBsha256\fR. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
lengths of data passed in and for creating the structures that make up the
signature (e.g., \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
.PP
For instance,
if the value of the \fB\-pkeyopt\fR option \f(CW\*(C`digest\*(C'\fR argument is \fBsha256\fR,
the signature or verification input should be the 32 bytes long binary value
of the \s-1SHA256\s0 hash function output.
.PP
Unless \fB\-rawin\fR is used or implied, this command does not hash the input data
but rather it will use the data directly as input to the signature algorithm.
Depending on the key type, signature type, and mode of padding, the maximum
sensible lengths of input data differ. With \s-1RSA\s0 the signed data cannot be longer
than the key modulus. In case of \s-1ECDSA\s0 and \s-1DSA\s0 the data should not be longer
than the field size, otherwise it will be silently truncated to the field size.
In any event the input size must not be larger than the largest supported digest
output size \fB\s-1EVP_MAX_MD_SIZE\s0\fR, which currently is 64 bytes.
.SH "RSA ALGORITHM"
.IX Header "RSA ALGORITHM"
The \s-1RSA\s0 algorithm generally supports the encrypt, decrypt, sign,
verify and verifyrecover operations. However, some padding modes
support only a subset of these operations. The following additional
\&\fBpkeyopt\fR values are supported:
.IP "\fBrsa_padding_mode:\fR\fImode\fR" 4
.IX Item "rsa_padding_mode:mode"
This sets the \s-1RSA\s0 padding mode. Acceptable values for \fImode\fR are \fBpkcs1\fR for
PKCS#1 padding, \fBnone\fR for no padding, \fBoaep\fR
for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0
.Sp
In PKCS#1 padding, if the message digest is not set, then the supplied data is
signed or verified directly instead of using a \fBDigestInfo\fR structure. If a
digest is set, then the \fBDigestInfo\fR structure is used and its length
must correspond to the digest type.
.Sp
Note, for \fBpkcs1\fR padding, as a protection against the Bleichenbacher attack,
the decryption will not fail in case of padding check failures. Use \fBnone\fR
and manual inspection of the decrypted message to verify if the decrypted
value has correct PKCS#1 v1.5 padding.
.Sp
For \fBoaep\fR mode only encryption and decryption is supported.
.Sp
For \fBx931\fR if the digest type is set it is used to format the block data
otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign,
verify and verifyrecover are can be performed in this mode.
.Sp
For \fBpss\fR mode only sign and verify are supported and the digest type must be
specified.
.IP "\fBrsa_pss_saltlen:\fR\fIlen\fR" 4
.IX Item "rsa_pss_saltlen:len"
For \fBpss\fR mode only this option specifies the salt length. Three special
values are supported: \fBdigest\fR sets the salt length to the digest length,
\&\fBmax\fR sets the salt length to the maximum permissible value. When verifying
\&\fBauto\fR causes the salt length to be automatically determined based on the
\&\fB\s-1PSS\s0\fR block structure.
.IP "\fBrsa_mgf1_md:\fR\fIdigest\fR" 4
.IX Item "rsa_mgf1_md:digest"
For \s-1PSS\s0 and \s-1OAEP\s0 padding sets the \s-1MGF1\s0 digest. If the \s-1MGF1\s0 digest is not
explicitly set in \s-1PSS\s0 mode then the signing digest is used.
.IP "\fBrsa_oaep_md:\fR\fIdigest\fR" 4
.IX Item "rsa_oaep_md:digest"
Sets the digest used for the \s-1OAEP\s0 hash function. If not explicitly set then
\&\s-1SHA256\s0 is used.
.IP "\fBrsa_pkcs1_implicit_rejection:\fR\fIflag\fR" 4
.IX Item "rsa_pkcs1_implicit_rejection:flag"
Disables (when set to 0) or enables (when set to 1) the use of implicit
rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
protection against Bleichenbacher attack, the library will generate a
deterministic random plaintext that it will return to the caller in case
of padding check failure.
When disabled, it's the callers' responsibility to handle the returned
errors in a side-channel free manner.
.SH "RSA-PSS ALGORITHM"
.IX Header "RSA-PSS ALGORITHM"
The RSA-PSS algorithm is a restricted version of the \s-1RSA\s0 algorithm which only
supports the sign and verify operations with \s-1PSS\s0 padding. The following
additional \fB\-pkeyopt\fR values are supported:
.IP "\fBrsa_padding_mode:\fR\fImode\fR, \fBrsa_pss_saltlen:\fR\fIlen\fR, \fBrsa_mgf1_md:\fR\fIdigest\fR" 4
.IX Item "rsa_padding_mode:mode, rsa_pss_saltlen:len, rsa_mgf1_md:digest"
These have the same meaning as the \fB\s-1RSA\s0\fR algorithm with some additional
restrictions. The padding mode can only be set to \fBpss\fR which is the
default value.
.Sp
If the key has parameter restrictions then the digest, \s-1MGF1\s0
digest and salt length are set to the values specified in the parameters.
The digest and \s-1MG\s0 cannot be changed and the salt length cannot be set to a
value less than the minimum restriction.
.SH "DSA ALGORITHM"
.IX Header "DSA ALGORITHM"
The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently
there are no additional \fB\-pkeyopt\fR options other than \fBdigest\fR. The \s-1SHA256\s0
digest is assumed by default.
.SH "DH ALGORITHM"
.IX Header "DH ALGORITHM"
The \s-1DH\s0 algorithm only supports the derivation operation and no additional
\&\fB\-pkeyopt\fR options.
.SH "EC ALGORITHM"
.IX Header "EC ALGORITHM"
The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and
verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH. SHA256\s0 is assumed by default
for the \fB\-pkeyopt\fR \fBdigest\fR option.
.SH "X25519 AND X448 ALGORITHMS"
.IX Header "X25519 AND X448 ALGORITHMS"
The X25519 and X448 algorithms support key derivation only. Currently there are
no additional options.
.SH "ED25519 AND ED448 ALGORITHMS"
.IX Header "ED25519 AND ED448 ALGORITHMS"
These algorithms only support signing and verifying. OpenSSL only implements the
\&\*(L"pure\*(R" variants of these algorithms so raw data can be passed directly to them
without hashing them first. OpenSSL only supports
\&\*(L"oneshot\*(R" operation with these algorithms. This means that the entire file to
be signed/verified must be read into memory before processing it. Signing or
Verifying very large files should be avoided. Additionally the size of the file
must be known for this to work. If the size of the file cannot be determined
(for example if the input is stdin) then the sign or verify operation will fail.
.SH "SM2"
.IX Header "SM2"
The \s-1SM2\s0 algorithm supports sign, verify, encrypt and decrypt operations. For
the sign and verify operations, \s-1SM2\s0 requires an Distinguishing \s-1ID\s0 string to
be passed in. The following \fB\-pkeyopt\fR value is supported:
.IP "\fBdistid:\fR\fIstring\fR" 4
.IX Item "distid:string"
This sets the \s-1ID\s0 string used in \s-1SM2\s0 sign or verify operations. While verifying
an \s-1SM2\s0 signature, the \s-1ID\s0 string must be the same one used when signing the data.
Otherwise the verification will fail.
.IP "\fBhexdistid:\fR\fIhex_string\fR" 4
.IX Item "hexdistid:hex_string"
This sets the \s-1ID\s0 string used in \s-1SM2\s0 sign or verify operations. While verifying
an \s-1SM2\s0 signature, the \s-1ID\s0 string must be the same one used when signing the data.
Otherwise the verification will fail. The \s-1ID\s0 string provided with this option
should be a valid hexadecimal value.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Sign some data using a private key:
.PP
.Vb 1
\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig
.Ve
.PP
Recover the signed data (e.g. if an \s-1RSA\s0 key is used):
.PP
.Vb 1
\& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem
.Ve
.PP
Verify the signature (e.g. a \s-1DSA\s0 key):
.PP
.Vb 1
\& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem
.Ve
.PP
Sign data using a message digest value (this is currently only valid for \s-1RSA\s0):
.PP
.Vb 1
\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256
.Ve
.PP
Derive a shared secret value:
.PP
.Vb 1
\& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret
.Ve
.PP
Hexdump 48 bytes of \s-1TLS1 PRF\s0 using digest \fB\s-1SHA256\s0\fR and shared secret and
seed consisting of the single byte 0xFF:
.PP
.Vb 2
\& openssl pkeyutl \-kdf TLS1\-PRF \-kdflen 48 \-pkeyopt md:SHA256 \e
\& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump
.Ve
.PP
Derive a key using \fBscrypt\fR where the password is read from command line:
.PP
.Vb 2
\& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass \e
\& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
.Ve
.PP
Derive using the same algorithm, but read key from environment variable \s-1MYPASS:\s0
.PP
.Vb 2
\& openssl pkeyutl \-kdf scrypt \-kdflen 16 \-pkeyopt_passin pass:env:MYPASS \e
\& \-pkeyopt hexsalt:aabbcc \-pkeyopt N:16384 \-pkeyopt r:8 \-pkeyopt p:1
.Ve
.PP
Sign some data using an \s-1\fBSM2\s0\fR\|(7) private key and a specific \s-1ID:\s0
.PP
.Vb 2
\& openssl pkeyutl \-sign \-in file \-inkey sm2.key \-out sig \-rawin \-digest sm3 \e
\& \-pkeyopt distid:someid
.Ve
.PP
Verify some data using an \s-1\fBSM2\s0\fR\|(7) certificate and a specific \s-1ID:\s0
.PP
.Vb 2
\& openssl pkeyutl \-verify \-certin \-in file \-inkey sm2.cert \-sigfile sig \e
\& \-rawin \-digest sm3 \-pkeyopt distid:someid
.Ve
.PP
Decrypt some data using a private key with \s-1OAEP\s0 padding using \s-1SHA256:\s0
.PP
.Vb 2
\& openssl pkeyutl \-decrypt \-in file \-inkey key.pem \-out secret \e
\& \-pkeyopt rsa_padding_mode:oaep \-pkeyopt rsa_oaep_md:sha256
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-rsautl\fR\|(1)
\&\fBopenssl\-dgst\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-kdf\fR\|(1)
\&\fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3),
\&\fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3),
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

200
openssl-install/share/man/man1/openssl-prime.1ossl Normal file
View File

@@ -0,0 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-PRIME 1ossl"
.TH OPENSSL-PRIME 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-prime \- compute prime numbers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl prime\fR
[\fB\-help\fR]
[\fB\-hex\fR]
[\fB\-generate\fR]
[\fB\-bits\fR \fInum\fR]
[\fB\-safe\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-checks\fR \fInum\fR]
[\fInumber\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command checks if the specified numbers are prime.
.PP
If no numbers are given on the command line, the \fB\-generate\fR flag should
be used to generate primes according to the requirements specified by the
rest of the flags.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display an option summary.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Generate hex output.
.IP "\fB\-generate\fR" 4
.IX Item "-generate"
Generate a prime number.
.IP "\fB\-bits\fR \fInum\fR" 4
.IX Item "-bits num"
Generate a prime with \fInum\fR bits.
.IP "\fB\-safe\fR" 4
.IX Item "-safe"
When used with \fB\-generate\fR, generates a \*(L"safe\*(R" prime. If the number
generated is \fIn\fR, then check that \f(CW\*(C`(\f(CIn\f(CW\-1)/2\*(C'\fR is also prime.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-checks\fR \fInum\fR" 4
.IX Item "-checks num"
This parameter is ignored.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

221
openssl-install/share/man/man1/openssl-rand.1ossl Normal file
View File

@@ -0,0 +1,221 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-RAND 1ossl"
.TH OPENSSL-RAND 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rand \- generate pseudo\-random bytes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl rand\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-base64\fR]
[\fB\-hex\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
\&\fInum\fR[K|M|G|T]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command generates \fInum\fR random bytes using a cryptographically
secure pseudo random number generator (\s-1CSPRNG\s0). A suffix [K|M|G|T] may be
appended to the num value to indicate the requested value be scaled as a
multiple of KiB/MiB/GiB/TiB respectively. Note that suffixes are case
sensitive, and that the suffixes represent binary multiples
(K = 1024 bytes, M = 1024*1024 bytes, etc).
.PP
The string 'max' may be substituted for a numerical value in num, to request the
maximum number of bytes the \s-1CSPRNG\s0 can produce per instantiation. Currently,
this is restricted to 2^61 bytes as per \s-1NIST SP 800\-90C.\s0
.PP
The random bytes are generated using the \fBRAND_bytes\fR\|(3) function,
which provides a security level of 256 bits, provided it managed to
seed itself successfully from a trusted operating system entropy source.
Otherwise, the command will fail with a nonzero error code.
For more details, see \fBRAND_bytes\fR\|(3), \s-1\fBRAND\s0\fR\|(7), and \s-1\fBEVP_RAND\s0\fR\|(7).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfile\fR" 4
.IX Item "-out file"
Write to \fIfile\fR instead of standard output.
.IP "\fB\-base64\fR" 4
.IX Item "-base64"
Perform base64 encoding on the output.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Show the output as a hex string.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
\&\s-1\fBEVP_RAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

281
openssl-install/share/man/man1/openssl-rehash.1ossl Normal file
View File

@@ -0,0 +1,281 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-REHASH 1ossl"
.TH OPENSSL-REHASH 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rehash, c_rehash \- Create symbolic links to files named by the hash
values
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fBrehash\fR
[\fB\-h\fR]
[\fB\-help\fR]
[\fB\-old\fR]
[\fB\-compat\fR]
[\fB\-n\fR]
[\fB\-v\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIdirectory\fR] ...
.PP
\&\fBc_rehash\fR
[\fB\-h\fR]
[\fB\-help\fR]
[\fB\-old\fR]
[\fB\-n\fR]
[\fB\-v\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIdirectory\fR] ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is generally equivalent to the external
script \fBc_rehash\fR,
except for minor differences noted below.
.PP
\&\fBopenssl rehash\fR scans directories and calculates a hash value of
each \fI.pem\fR, \fI.crt\fR, \fI.cer\fR, or \fI.crl\fR
file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This command is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates.
.PP
If any directories are named on the command line, then those are
processed in turn. If not, then the \fB\s-1SSL_CERT_DIR\s0\fR environment variable
is consulted; this should be a colon-separated list of directories,
like the Unix \fB\s-1PATH\s0\fR variable.
If that is not set then the default directory (installation-specific
but often \fI/usr/local/ssl/certs\fR) is processed.
.PP
In order for a directory to be processed, the user must have write
permissions on that directory, otherwise an error will be generated.
.PP
The links created are of the form \fI\s-1HHHHHHHH.D\s0\fR, where each \fIH\fR
is a hexadecimal character and \fID\fR is a single decimal digit.
When a directory is processed, all links in it that have a name
in that syntax are first removed, even if they are being used for
some other purpose.
To skip the removal step, use the \fB\-n\fR flag.
Hashes for \s-1CRL\s0's look similar except the letter \fBr\fR appears after
the period, like this: \fI\s-1HHHHHHHH.\s0\fR\fBr\fR\fID\fR.
.PP
Multiple objects may have the same hash; they will be indicated by
incrementing the \fID\fR value. Duplicates are found by comparing the
full \s-1SHA\-1\s0 fingerprint. A warning will be displayed if a duplicate
is found.
.PP
A warning will also be displayed if there are files that
cannot be parsed as either a certificate or a \s-1CRL\s0 or if
more than one such object appears in the file.
.SS "Script Configuration"
.IX Subsection "Script Configuration"
The \fBc_rehash\fR script
uses the \fBopenssl\fR program to compute the hashes and
fingerprints. If not found in the user's \fB\s-1PATH\s0\fR, then set the
\&\fB\s-1OPENSSL\s0\fR environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either
a certificate or \s-1CRL:\s0
.PP
.Vb 2
\& $OPENSSL x509 \-hash \-fingerprint \-noout \-in FILENAME
\& $OPENSSL crl \-hash \-fingerprint \-noout \-in FILENAME
.Ve
.PP
where \fI\s-1FILENAME\s0\fR is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR \fB\-h\fR" 4
.IX Item "-help -h"
Display a brief usage message.
.IP "\fB\-old\fR" 4
.IX Item "-old"
Use old-style hashing (\s-1MD5,\s0 as opposed to \s-1SHA\-1\s0) for generating
links to be used for releases before 1.0.0.
Note that current versions will not use the old style.
.IP "\fB\-n\fR" 4
.IX Item "-n"
Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.
.IP "\fB\-compat\fR" 4
.IX Item "-compat"
Generate links for both old-style (\s-1MD5\s0) and new-style (\s-1SHA1\s0) hashing.
This allows releases before 1.0.0 to use these links along-side newer
releases.
.IP "\fB\-v\fR" 4
.IX Item "-v"
Print messages about old links removed and new links created.
By default, this command only lists each directory as it is processed.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL\s0\fR" 4
.IX Item "OPENSSL"
The path to an executable to use to generate hashes and
fingerprints (see above).
.IP "\fB\s-1SSL_CERT_DIR\s0\fR" 4
.IX Item "SSL_CERT_DIR"
Colon separated list of directories to operate on.
Ignored if directories are listed on the command line.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-crl\fR\|(1),
\&\fBopenssl\-x509\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

941
openssl-install/share/man/man1/openssl-req.1ossl Normal file
View File

@@ -0,0 +1,941 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-REQ 1ossl"
.TH OPENSSL-REQ 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-req \- PKCS#10 certificate request and certificate generating command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBreq\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-text\fR]
[\fB\-pubkey\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
[\fB\-modulus\fR]
[\fB\-new\fR]
[\fB\-newkey\fR \fIarg\fR]
[\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
[\fB\-noenc\fR]
[\fB\-nodes\fR]
[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-keyout\fR \fIfilename\fR]
[\fB\-keygen_engine\fR \fIid\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-config\fR \fIfilename\fR]
[\fB\-section\fR \fIname\fR]
[\fB\-x509\fR]
[\fB\-x509v1\fR]
[\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
[\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-not_before\fR \fIdate\fR]
[\fB\-not_after\fR \fIdate\fR]
[\fB\-days\fR \fIn\fR]
[\fB\-set_serial\fR \fIn\fR]
[\fB\-newhdr\fR]
[\fB\-copy_extensions\fR \fIarg\fR]
[\fB\-extensions\fR \fIsection\fR]
[\fB\-reqexts\fR \fIsection\fR]
[\fB\-addext\fR \fIext\fR]
[\fB\-precert\fR]
[\fB\-utf8\fR]
[\fB\-reqopt\fR]
[\fB\-subject\fR]
[\fB\-subj\fR \fIarg\fR]
[\fB\-multivalue\-rdn\fR]
[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-batch\fR]
[\fB\-verbose\fR]
[\fB\-quiet\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command primarily creates and processes certificate requests (CSRs)
in PKCS#10 format. It can additionally create self-signed certificates
for use as root CAs for example.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The \s-1CSR\s0 input file format to use; by default \s-1PEM\s0 is tried first.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The output format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
The data is a PKCS#10 object.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a request from.
This defaults to standard input unless \fB\-x509\fR or \fB\-CA\fR is specified.
A request is only read if the creation options
(\fB\-new\fR or \fB\-newkey\fR or \fB\-precert\fR) are not specified.
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The password source for private key and certificate input.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-passout\fR \fIarg\fR" 4
.IX Item "-passout arg"
The password source for the output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write to or standard output by default.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the certificate request in text form.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
Prints out the certificate request subject
(or certificate subject if \fB\-x509\fR is in use).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Prints out the public key.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the certificate request.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
Prints out the value of the modulus of the public key contained in the request.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies the self-signature on the request. If the verification fails,
the program will immediately exit, i.e. further option processing
(e.g. \fB\-text\fR) is skipped.
.IP "\fB\-new\fR" 4
.IX Item "-new"
This option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
.Sp
If the \fB\-key\fR option is not given it will generate a new private key
using information specified in the configuration file or given with
the \fB\-newkey\fR and \fB\-pkeyopt\fR options,
else by default an \s-1RSA\s0 key with 2048 bits length.
.IP "\fB\-newkey\fR \fIarg\fR" 4
.IX Item "-newkey arg"
This option is used to generate a new private key unless \fB\-key\fR is given.
It is subsequently used as if it was given using the \fB\-key\fR option.
.Sp
This option implies the \fB\-new\fR flag to create a new certificate request
or a new certificate in case \fB\-x509\fR is used.
.Sp
The argument takes one of several forms.
.Sp
[\fBrsa:\fR]\fInbits\fR generates an \s-1RSA\s0 key \fInbits\fR in size.
If \fInbits\fR is omitted, i.e., \fB\-newkey\fR \fBrsa\fR is specified,
the default key size specified in the configuration file
with the \fBdefault_bits\fR option is used if present, else 2048.
.Sp
All other algorithms support the \fB\-newkey\fR \fIalgname\fR:\fIfile\fR form, where
\&\fIfile\fR is an algorithm parameter file, created with \f(CW\*(C`openssl genpkey \-genparam\*(C'\fR
or an X.509 certificate for a key with appropriate algorithm.
.Sp
\&\fBparam:\fR\fIfile\fR generates a key using the parameter file or certificate
\&\fIfile\fR, the algorithm is determined by the parameters.
.Sp
\&\fIalgname\fR[:\fIfile\fR] generates a key using the given algorithm \fIalgname\fR.
If a parameter file \fIfile\fR is given then the parameters specified there
are used, where the algorithm parameters must match \fIalgname\fR.
If algorithm parameters are not given,
any necessary parameters should be specified via the \fB\-pkeyopt\fR option.
.Sp
\&\fBdsa:\fR\fIfilename\fR generates a \s-1DSA\s0 key using the parameters
in the file \fIfilename\fR. \fBec:\fR\fIfilename\fR generates \s-1EC\s0 key (usable both with
\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:\fR\fIfilename\fR generates \s-1GOST R
34.10\-2001\s0 key (requires \fBgost\fR engine configured in the configuration
file). If just \fBgost2001\fR is specified a parameter set should be
specified by \fB\-pkeyopt\fR \fIparamset:X\fR
.IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
.IX Item "-pkeyopt opt:value"
Set the public key algorithm option \fIopt\fR to \fIvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation.
See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 in \fBopenssl\-genpkey\fR\|(1) for more details.
.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-key filename|uri"
This option provides the private key for signing a new certificate or
certificate request.
Unless \fB\-in\fR is given, the corresponding public key is placed in
the new certificate or certificate request, resulting in a self-signature.
.Sp
For certificate signing this option is overridden by the \fB\-CA\fR option.
.Sp
This option also accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The format of the private key; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-keyout\fR \fIfilename\fR" 4
.IX Item "-keyout filename"
This gives the filename to write any private key to that has been newly created
or read from \fB\-key\fR. If neither the \fB\-keyout\fR option nor the \fB\-key\fR option
are given then the filename specified in the configuration file with the
\&\fBdefault_keyfile\fR option is used, if present. Thus, if you want to write the
private key and the \fB\-key\fR option is provided, you should provide the
\&\fB\-keyout\fR option explicitly. If a new key is generated and no filename is
specified the key is written to standard output.
.IP "\fB\-noenc\fR" 4
.IX Item "-noenc"
If this option is specified then if a private key is created it
will not be encrypted.
.IP "\fB\-nodes\fR" 4
.IX Item "-nodes"
This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL \fBdgst\fR command can be used.
This overrides the digest algorithm specified in
the configuration file.
.Sp
Some public key algorithms may override this choice. For instance, \s-1DSA\s0
signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest.
.IP "\fB\-config\fR \fIfilename\fR" 4
.IX Item "-config filename"
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-section\fR \fIname\fR" 4
.IX Item "-section name"
Specifies the name of the section to use; the default is \fBreq\fR.
.IP "\fB\-subj\fR \fIarg\fR" 4
.IX Item "-subj arg"
Sets subject name for new request or supersedes the subject name
when processing a certificate request.
.Sp
The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
This option has been deprecated and has no effect.
.IP "\fB\-x509\fR" 4
.IX Item "-x509"
This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the \fB\-CA\fR option.
.Sp
This option implies the \fB\-new\fR flag if \fB\-in\fR is not given.
.Sp
If an existing request is specified with the \fB\-in\fR option, it is converted
to a certificate; otherwise a request is created from scratch.
.Sp
Unless specified using the \fB\-set_serial\fR option,
a large random number will be used for the serial number.
.Sp
Unless the \fB\-copy_extensions\fR option is used,
X.509 extensions are not copied from any provided request input file.
.Sp
X.509 extensions to be added can be specified in the configuration file,
possibly using the \fB\-config\fR and \fB\-extensions\fR options,
and/or using the \fB\-addext\fR option.
.Sp
Unless \fB\-x509v1\fR is given, generated certificates bear X.509 version 3.
Unless specified otherwise,
key identifier extensions are included as described in \fBx509v3_config\fR\|(5).
.IP "\fB\-x509v1\fR" 4
.IX Item "-x509v1"
Request generation of certificates with X.509 version 1.
This implies \fB\-x509\fR.
If X.509 extensions are given, anyway X.509 version 3 is set.
.IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CA filename|uri"
Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing a new certificate
and implies use of \fB\-x509\fR.
When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as specified below.
.IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CAkey filename|uri"
Sets the \*(L"\s-1CA\*(R"\s0 private key to sign a certificate with.
The private key must match the public key of the certificate given with \fB\-CA\fR.
If this option is not provided then the key must be present in the \fB\-CA\fR input.
.IP "\fB\-not_before\fR \fIdate\fR" 4
.IX Item "-not_before date"
When \fB\-x509\fR is in use this allows the start date to be explicitly set,
otherwise it is ignored. The format of \fIdate\fR is \s-1YYMMDDHHMMSSZ\s0 (the
same as an \s-1ASN1\s0 UTCTime structure), or \s-1YYYYMMDDHHMMSSZ\s0 (the same as an
\&\s-1ASN1\s0 GeneralizedTime structure). In both formats, seconds \s-1SS\s0 and
timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.IP "\fB\-not_after\fR \fIdate\fR" 4
.IX Item "-not_after date"
When \fB\-x509\fR is in use this allows the expiry date to be explicitly
set, otherwise it is ignored. The format of \fIdate\fR is \s-1YYMMDDHHMMSSZ\s0
(the same as an \s-1ASN1\s0 UTCTime structure), or \s-1YYYYMMDDHHMMSSZ\s0 (the same as
an \s-1ASN1\s0 GeneralizedTime structure). In both formats, seconds \s-1SS\s0 and
timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.Sp
This overrides the \fB\-days\fR option.
.IP "\fB\-days\fR \fIn\fR" 4
.IX Item "-days n"
When \fB\-x509\fR is in use this specifies the number of days from today to
certify the certificate for, otherwise it is ignored. \fIn\fR should
be a positive integer. The default is 30 days.
.Sp
Regardless of the option \fB\-not_before\fR, the days are always counted from
today.
When used together with the option \fB\-not_after\fR, the explicit expiry
date takes precedence.
.IP "\fB\-set_serial\fR \fIn\fR" 4
.IX Item "-set_serial n"
Serial number to use when outputting a self-signed certificate.
This may be specified as a decimal value or a hex value if preceded by \f(CW\*(C`0x\*(C'\fR.
If not given, a large random number will be used.
.IP "\fB\-copy_extensions\fR \fIarg\fR" 4
.IX Item "-copy_extensions arg"
Determines how X.509 extensions in certificate requests should be handled
when \fB\-x509\fR is in use.
If \fIarg\fR is \fBnone\fR or this option is not present then extensions are ignored.
If \fIarg\fR is \fBcopy\fR or \fBcopyall\fR then
all extensions in the request are copied to the certificate.
.Sp
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.
.IP "\fB\-extensions\fR \fIsection\fR, \fB\-reqexts\fR \fIsection\fR" 4
.IX Item "-extensions section, -reqexts section"
Can be used to override the name of the configuration file section
from which X.509 extensions are included
in the certificate (when \fB\-x509\fR is in use) or certificate request.
This allows several different sections to be used in the same configuration
file to specify requests for a variety of purposes.
.IP "\fB\-addext\fR \fIext\fR" 4
.IX Item "-addext ext"
Add a specific extension to the certificate (if \fB\-x509\fR is in use)
or certificate request. The argument must have the form of
a \f(CW\*(C`key=value\*(C'\fR pair as it would appear in a config file.
.Sp
If an extension is added using this option that has the same \s-1OID\s0 as one
defined in the extension section of the config file, it overrides that one.
.Sp
This option can be given multiple times.
Doing so, the same key most not be given more than once.
.IP "\fB\-precert\fR" 4
.IX Item "-precert"
A poison extension will be added to the certificate, making it a
\&\*(L"pre-certificate\*(R" (see \s-1RFC6962\s0). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
removing the poison and signing the certificate.
.Sp
This implies the \fB\-new\fR flag.
.IP "\fB\-utf8\fR" 4
.IX Item "-utf8"
This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
default they are interpreted as \s-1ASCII.\s0 This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fB\-reqopt\fR \fIoption\fR" 4
.IX Item "-reqopt option"
Customise the printing format used with \fB\-text\fR. The \fIoption\fR argument can be
a single option or multiple options separated by commas.
.Sp
See discussion of the \fB\-certopt\fR parameter in the \fBopenssl\-x509\fR\|(1)
command.
.IP "\fB\-newhdr\fR" 4
.IX Item "-newhdr"
Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.
.IP "\fB\-batch\fR" 4
.IX Item "-batch"
Non-interactive mode.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Print fewer details about the operations being performed, which may be
handy during batch scripts or pipelines (specifically \*(L"progress dots\*(R"
during key generation are suppressed).
.IP "\fB\-keygen_engine\fR \fIid\fR" 4
.IX Item "-keygen_engine id"
Specifies an engine (by its unique \fIid\fR string) which would be used
for key generation operations.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "CONFIGURATION FILE FORMAT"
.IX Header "CONFIGURATION FILE FORMAT"
The configuration options are specified in the \fBreq\fR section of
the configuration file. An alternate name be specified by using the
\&\fB\-section\fR option.
As with all configuration files, if no
value is specified in the specific section then
the initial unnamed or \fBdefault\fR section is searched too.
.PP
The options available are described in detail below.
.IP "\fBinput_password\fR, \fBoutput_password\fR" 4
.IX Item "input_password, output_password"
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
command line options \fBpassin\fR and \fBpassout\fR override the
configuration file values.
.IP "\fBdefault_bits\fR" 4
.IX Item "default_bits"
Specifies the default key size in bits.
.Sp
This option is used in conjunction with the \fB\-new\fR option to generate
a new key. It can be overridden by specifying an explicit key size in
the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If
no key size is specified then 2048 bits is used.
.IP "\fBdefault_keyfile\fR" 4
.IX Item "default_keyfile"
This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
overridden by the \fB\-keyout\fR option.
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
object identifier followed by whitespace then the short name followed
by whitespace and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by \fB=\fR and the numerical form. The short
and long names are the same when this option is used.
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it.
It is used for private key generation.
.IP "\fBencrypt_key\fR" 4
.IX Item "encrypt_key"
If this is set to \fBno\fR then if a private key is generated it is
\&\fBnot\fR encrypted. This is equivalent to the \fB\-noenc\fR command line
option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
This option specifies the digest algorithm to use. Any digest supported by the
OpenSSL \fBdgst\fR command can be used. This option can be overridden on the
command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
any digest that has been set.
.IP "\fBstring_mask\fR" 4
.IX Item "string_mask"
This option masks out the use of certain string types in certain
fields. Most users will not need to change this option. It can be set to
several values:
.RS 4
.IP "\fButf8only\fR \- only UTF8Strings are used (this is the default value)" 4
.IX Item "utf8only - only UTF8Strings are used (this is the default value)"
.PD 0
.IP "\fBpkix\fR \- any string type except T61Strings" 4
.IX Item "pkix - any string type except T61Strings"
.IP "\fBnombstr\fR \- any string type except BMPStrings and UTF8Strings" 4
.IX Item "nombstr - any string type except BMPStrings and UTF8Strings"
.IP "\fBdefault\fR \- any kind of string type" 4
.IX Item "default - any kind of string type"
.RE
.RS 4
.PD
.Sp
Note that \fButf8only\fR is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003, and the
default \fBstring_mask\fR; \fBdefault\fR is not the default option. The \fBnombstr\fR
value is a workaround for some software that has problems with variable-sized
BMPStrings and UTF8Strings.
.RE
.IP "\fBreq_extensions\fR" 4
.IX Item "req_extensions"
This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
by the \fB\-reqexts\fR (or \fB\-extensions\fR) command line switch. See the
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
This specifies the configuration file section containing a list of
extensions to add to certificate generated when \fB\-x509\fR is in use.
It can be overridden by the \fB\-extensions\fR command line switch.
.IP "\fBprompt\fR" 4
.IX Item "prompt"
If set to the value \fBno\fR this disables prompting of certificate fields
and just takes values from the config file directly. It also changes the
expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
.IP "\fButf8\fR" 4
.IX Item "utf8"
If set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
strings, by default they are interpreted as \s-1ASCII.\s0 This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fBattributes\fR" 4
.IX Item "attributes"
This specifies the section containing any request attributes: its format
is the same as \fBdistinguished_name\fR. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
.IP "\fBdistinguished_name\fR" 4
.IX Item "distinguished_name"
This specifies the section containing the distinguished name fields to
prompt for when generating a certificate or certificate request. The format
is described in the next section.
.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
There are two separate formats for the distinguished name and attribute
sections. If the \fBprompt\fR option is set to \fBno\fR then these sections
just consist of field names and values: for example,
.PP
.Vb 3
\& CN=My Name
\& OU=My Organization
\& emailAddress=someone@somewhere.org
.Ve
.PP
This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file with
all the field names and values and just pass it to this command. An example
of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
.PP
Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the
file contains field prompting information. It consists of lines of the form:
.PP
.Vb 4
\& fieldName="prompt"
\& fieldName_default="default field value"
\& fieldName_min= 2
\& fieldName_max= 4
.Ve
.PP
\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
enters the '.' character.
.PP
The number of characters entered must be between the fieldName_min and
fieldName_max limits: there may be additional restrictions based
on the field being used (for example countryName can only ever be
two characters long and must fit in a PrintableString).
.PP
Some fields (such as organizationName) can be used more than once
in a \s-1DN.\s0 This presents a problem because configuration files will
not recognize the same name occurring twice. To avoid this problem
if the fieldName contains some characters followed by a full stop
they will be ignored. So for example a second organizationName can
be input by calling it \*(L"1.organizationName\*(R".
.PP
The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is included as well as name, surname, givenName, initials, and dnQualifier.
.PP
Additional object identifiers can be defined with the \fBoid_file\fR or
\&\fBoid_section\fR options in the configuration file. Any additional fields
will be treated as though they were a DirectoryString.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Examine and verify certificate request:
.PP
.Vb 1
\& openssl req \-in req.pem \-text \-verify \-noout
.Ve
.PP
Create a private key and then generate a certificate request from it:
.PP
.Vb 2
\& openssl genrsa \-out key.pem 2048
\& openssl req \-new \-key key.pem \-out req.pem
.Ve
.PP
The same but just using req:
.PP
.Vb 1
\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Generate a self-signed root certificate:
.PP
.Vb 1
\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Create an \s-1SM2\s0 private key and then generate a certificate request from it:
.PP
.Vb 2
\& openssl ecparam \-genkey \-name SM2 \-out sm2.key
\& openssl req \-new \-key sm2.key \-out sm2.csr \-sm3 \-sigopt "distid:1234567812345678"
.Ve
.PP
Examine and verify an \s-1SM2\s0 certificate request:
.PP
.Vb 1
\& openssl req \-verify \-in sm2.csr \-sm3 \-vfyopt "distid:1234567812345678"
.Ve
.PP
Example of a file pointed to by the \fBoid_file\fR option:
.PP
.Vb 2
\& 1.2.3.4 shortName A longer Name
\& 1.2.3.6 otherName Other longer Name
.Ve
.PP
Example of a section pointed to by \fBoid_section\fR making use of variable
expansion:
.PP
.Vb 2
\& testoid1=1.2.3.5
\& testoid2=${testoid1}.6
.Ve
.PP
Sample configuration file prompting for field values:
.PP
.Vb 6
\& [ req ]
\& default_bits = 2048
\& default_keyfile = privkey.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
\& req_extensions = v3_ca
\&
\& dirstring_type = nombstr
\&
\& [ req_distinguished_name ]
\& countryName = Country Name (2 letter code)
\& countryName_default = AU
\& countryName_min = 2
\& countryName_max = 2
\&
\& localityName = Locality Name (eg, city)
\&
\& organizationalUnitName = Organizational Unit Name (eg, section)
\&
\& commonName = Common Name (eg, YOUR name)
\& commonName_max = 64
\&
\& emailAddress = Email Address
\& emailAddress_max = 40
\&
\& [ req_attributes ]
\& challengePassword = A challenge password
\& challengePassword_min = 4
\& challengePassword_max = 20
\&
\& [ v3_ca ]
\&
\& subjectKeyIdentifier=hash
\& authorityKeyIdentifier=keyid:always,issuer:always
\& basicConstraints = critical, CA:true
.Ve
.PP
Sample configuration containing all field values:
.PP
.Vb 7
\& [ req ]
\& default_bits = 2048
\& default_keyfile = keyfile.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
\& prompt = no
\& output_password = mypass
\&
\& [ req_distinguished_name ]
\& C = GB
\& ST = Test State or Province
\& L = Test Locality
\& O = Organization Name
\& OU = Organizational Unit Name
\& CN = Common Name
\& emailAddress = test@email.address
\&
\& [ req_attributes ]
\& challengePassword = A challenge password
.Ve
.PP
Example of giving the most common attributes (subject and extensions)
on the command line:
.PP
.Vb 4
\& openssl req \-new \-subj "/C=GB/CN=foo" \e
\& \-addext "subjectAltName = DNS:foo.co.uk" \e
\& \-addext "certificatePolicies = 1.2.3.4" \e
\& \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
added. It includes the \fBkeyUsage\fR extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
by the script in an \fBextendedKeyUsage\fR extension.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
The following messages are frequently asked about:
.PP
.Vb 2
\& Using configuration from /some/path/openssl.cnf
\& Unable to load config info
.Ve
.PP
This is followed some time later by:
.PP
.Vb 2
\& unable to find \*(Aqdistinguished_name\*(Aq in config
\& problems making Certificate Request
.Ve
.PP
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
certificates or requests however does need a configuration file. This
could be regarded as a bug.
.PP
Another puzzling message is this:
.PP
.Vb 2
\& Attributes:
\& a0:00
.Ve
.PP
this is displayed when no attributes are present and the request includes
the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
0x00). If you just see:
.PP
.Vb 1
\& Attributes:
.Ve
.PP
then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but
it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
for more information.
.SH "BUGS"
.IX Header "BUGS"
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
.PP
As a consequence of the T61String handling the only correct way to represent
accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
currently chokes on these. If you have to use accented characters with Netscape
and \s-1MSIE\s0 then you currently need to use the invalid T61String form.
.PP
The current prompting is not very friendly. It doesn't allow you to confirm what
you've just entered. Other things like extensions in certificate requests are
statically defined in the configuration file. Some of these: like an email
address in subjectAltName should be input by the user.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBconfig\fR\|(5),
\&\fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-section\fR option was added in OpenSSL 3.0.0.
.PP
The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
has no effect.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
The <\-nodes> option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
.PP
The \fB\-reqexts\fR option has been made an alias of \fB\-extensions\fR in OpenSSL 3.2.
.PP
Since OpenSSL 3.2,
generated certificates bear X.509 version 3 unless \fB\-x509v1\fR is given,
and key identifier extensions are included by default.
.PP
Since OpenSSL 3.3, the \fB\-verify\fR option will exit with 1 on failure.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

341
openssl-install/share/man/man1/openssl-rsa.1ossl Normal file
View File

@@ -0,0 +1,341 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-RSA 1ossl"
.TH OPENSSL-RSA 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rsa \- RSA key processing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsa\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-modulus\fR]
[\fB\-traditional\fR]
[\fB\-check\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-RSAPublicKey_in\fR]
[\fB\-RSAPublicKey_out\fR]
[\fB\-pvk\-strong\fR]
[\fB\-pvk\-weak\fR]
[\fB\-pvk\-none\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes \s-1RSA\s0 keys. They can be converted between
various forms and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-inform DER|PEM|P12|ENGINE"
The key input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The key output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
When writing a private key, use the traditional PKCS#1 format
instead of the PKCS#8 format.
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
.IX Item "-passin arg, -passout arg"
The password source for the input and output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that this command can be used to remove the pass phrase from a key
by not giving any encryption option is given, or to add or change the pass
phrase by setting them.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the various public or private key components in
plain text in addition to the encoded version.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the modulus of the key.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of an \s-1RSA\s0 private key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4
.IX Item "-RSAPublicKey_in, -RSAPublicKey_out"
Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead.
.IP "\fB\-pvk\-strong\fR" 4
.IX Item "-pvk-strong"
Enable 'Strong' \s-1PVK\s0 encoding level (default).
.IP "\fB\-pvk\-weak\fR" 4
.IX Item "-pvk-weak"
Enable 'Weak' \s-1PVK\s0 encoding level.
.IP "\fB\-pvk\-none\fR" 4
.IX Item "-pvk-none"
Don't enforce \s-1PVK\s0 encoding.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
The \fBopenssl\-pkey\fR\|(1) command is capable of performing all the operations
this command can, as well as supporting other public key types.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The documentation for the \fBopenssl\-pkey\fR\|(1) command contains examples
equivalent to the ones listed here.
.PP
To remove the pass phrase on an \s-1RSA\s0 private key:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl rsa \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-pubout \-out pubkey.pem
.Ve
.PP
Output the public part of a private key in \fBRSAPublicKey\fR format:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-RSAPublicKey_out \-out pubkey.pem
.Ve
.SH "BUGS"
.IX Header "BUGS"
There should be an option that automatically handles \fI.key\fR files,
without having to manually edit them.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

387
openssl-install/share/man/man1/openssl-rsautl.1ossl Normal file
View File

@@ -0,0 +1,387 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-RSAUTL 1ossl"
.TH OPENSSL-RSAUTL 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rsautl \- RSA command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsautl\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-rev\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-pkcs\fR]
[\fB\-x931\fR]
[\fB\-oaep\fR]
[\fB\-raw\fR]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command has been deprecated.
The \fBopenssl\-pkeyutl\fR\|(1) command should be used instead.
.PP
This command can be used to sign, verify, encrypt and decrypt
data using the \s-1RSA\s0 algorithm.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The passphrase used in the output file.
See see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-rev\fR" 4
.IX Item "-rev"
Reverse the order of the input.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-inkey filename|uri"
The input key, by default it should be an \s-1RSA\s0 private key.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the key input.
With this option a public key is read instead.
If the input contains no public key but a private key, its public part is used.
.IP "\fB\-certin\fR" 4
.IX Item "-certin"
The input is a certificate containing an \s-1RSA\s0 public key.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign the input data and output the signed result. This requires
an \s-1RSA\s0 private key.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify the input data and output the recovered data.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt the input data using an \s-1RSA\s0 public key.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt the input data using an \s-1RSA\s0 private key.
.IP "\fB\-pkcs\fR, \fB\-oaep\fR, \fB\-x931\fR, \fB\-raw\fR" 4
.IX Item "-pkcs, -oaep, -x931, -raw"
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,
ANSI X9.31,\s0 or no padding, respectively.
For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
.Sp
Note: because of protection against Bleichenbacher attacks, decryption
using PKCS#1 v1.5 mode will not return errors in case padding check failed.
Use \fB\-raw\fR and inspect the returned value manually to check if the
padding is correct.
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
Hex dump the output data.
.IP "\fB\-asn1parse\fR" 4
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data, this is useful when combined with the
\&\fB\-verify\fR option.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
Since this command uses the \s-1RSA\s0 algorithm directly, it can only be
used to sign or verify small pieces of data.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Examples equivalent to these can be found in the documentation for the
non-deprecated \fBopenssl\-pkeyutl\fR\|(1) command.
.PP
Sign some data using a private key:
.PP
.Vb 1
\& openssl rsautl \-sign \-in file \-inkey key.pem \-out sig
.Ve
.PP
Recover the signed data
.PP
.Vb 1
\& openssl rsautl \-verify \-in sig \-inkey key.pem
.Ve
.PP
Examine the raw signed data:
.PP
.Vb 1
\& openssl rsautl \-verify \-in sig \-inkey key.pem \-raw \-hexdump
\&
\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0020 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0030 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0040 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0050 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0060 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0070 \- ff ff ff ff 00 68 65 6c\-6c 6f 20 77 6f 72 6c 64 .....hello world
.Ve
.PP
The PKCS#1 block formatting is evident from this. If this was done using
encrypt and decrypt the block would have been of type 2 (the second byte)
and random padding data visible instead of the 0xff bytes.
.PP
It is possible to analyse the signature of certificates using this
command in conjunction with \fBopenssl\-asn1parse\fR\|(1). Consider the self signed
example in \fIcerts/pca\-cert.pem\fR. Running \fBopenssl\-asn1parse\fR\|(1) as follows
yields:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem
\&
\& 0:d=0 hl=4 l= 742 cons: SEQUENCE
\& 4:d=1 hl=4 l= 591 cons: SEQUENCE
\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
\& 10:d=3 hl=2 l= 1 prim: INTEGER :02
\& 13:d=2 hl=2 l= 1 prim: INTEGER :00
\& 16:d=2 hl=2 l= 13 cons: SEQUENCE
\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
\& 29:d=3 hl=2 l= 0 prim: NULL
\& 31:d=2 hl=2 l= 92 cons: SEQUENCE
\& 33:d=3 hl=2 l= 11 cons: SET
\& 35:d=4 hl=2 l= 9 cons: SEQUENCE
\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
\& ....
\& 599:d=1 hl=2 l= 13 cons: SEQUENCE
\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
\& 612:d=2 hl=2 l= 0 prim: NULL
\& 614:d=1 hl=3 l= 129 prim: BIT STRING
.Ve
.PP
The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614
.Ve
.PP
The certificate public key can be extracted with:
.PP
.Vb 1
\& openssl x509 \-in test/testx509.pem \-pubkey \-noout >pubkey.pem
.Ve
.PP
The signature can be analysed with:
.PP
.Vb 1
\& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin
\&
\& 0:d=0 hl=2 l= 32 cons: SEQUENCE
\& 2:d=1 hl=2 l= 12 cons: SEQUENCE
\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
\& 14:d=2 hl=2 l= 0 prim: NULL
\& 16:d=1 hl=2 l= 16 prim: OCTET STRING
\& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
.Ve
.PP
This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
the digest used was md5. The actual part of the certificate that was signed can
be extracted with:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem \-out tbs \-noout \-strparse 4
.Ve
.PP
and its digest computed with:
.PP
.Vb 2
\& openssl md5 \-c tbs
\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
.Ve
.PP
which it can be seen agrees with the recovered value above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-pkeyutl\fR\|(1),
\&\fBopenssl\-dgst\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
This command was deprecated in OpenSSL 3.0.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

1219
openssl-install/share/man/man1/openssl-s_client.1ossl Normal file
View File

File diff suppressed because it is too large Load Diff

1124
openssl-install/share/man/man1/openssl-s_server.1ossl Normal file
View File

File diff suppressed because it is too large Load Diff

327
openssl-install/share/man/man1/openssl-s_time.1ossl Normal file
View File

@@ -0,0 +1,327 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-S_TIME 1ossl"
.TH OPENSSL-S_TIME 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-s_time \- SSL/TLS performance timing program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_time\fR
[\fB\-help\fR]
[\fB\-connect\fR \fIhost\fR:\fIport\fR]
[\fB\-www\fR \fIpage\fR]
[\fB\-cert\fR \fIfilename\fR]
[\fB\-key\fR \fIfilename\fR]
[\fB\-reuse\fR]
[\fB\-new\fR]
[\fB\-verify\fR \fIdepth\fR]
[\fB\-time\fR \fIseconds\fR]
[\fB\-ssl3\fR]
[\fB\-tls1\fR]
[\fB\-tls1_1\fR]
[\fB\-tls1_2\fR]
[\fB\-tls1_3\fR]
[\fB\-bugs\fR]
[\fB\-cipher\fR \fIcipherlist\fR]
[\fB\-ciphersuites\fR \fIval\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-cafile\fR \fIfile\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command implements a generic \s-1SSL/TLS\s0 client which
connects to a remote host using \s-1SSL/TLS.\s0 It can request a page from the server
and includes the time to transfer the payload data in its timing measurements.
It measures the number of connections within a given timeframe, the amount of
data transferred (if any), and calculates the average time spent for one
connection.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-connect\fR \fIhost\fR:\fIport\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to.
If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
.IP "\fB\-www\fR \fIpage\fR" 4
.IX Item "-www page"
This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
\&\fIindex.html\fR page. If this parameter is not specified, then this command
will only perform the handshake to establish \s-1SSL\s0 connections but not transfer
any payload data.
.IP "\fB\-cert\fR \fIcertname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in \s-1PEM\s0 format.
.IP "\fB\-key\fR \fIkeyfile\fR" 4
.IX Item "-key keyfile"
The private key to use. If not specified then the certificate file will
be used. The file is in \s-1PEM\s0 format.
.IP "\fB\-verify\fR \fIdepth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
.IP "\fB\-new\fR" 4
.IX Item "-new"
Performs the timing test using a new session \s-1ID\s0 for each connection.
If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default
and executed in sequence.
.IP "\fB\-reuse\fR" 4
.IX Item "-reuse"
Performs the timing test using the same session \s-1ID\s0; this can be used as a test
that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
specified, they are both on by default and executed in sequence.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
.IP "\fB\-cipher\fR \fIcipherlist\fR" 4
.IX Item "-cipher cipherlist"
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
\&\fBopenssl\-ciphers\fR\|(1) for more information.
.IP "\fB\-ciphersuites\fR \fIval\fR" 4
.IX Item "-ciphersuites val"
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
\&\fBopenssl\-ciphers\fR\|(1) for more information. The format for this list is a
simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
.IP "\fB\-time\fR \fIlength\fR" 4
.IX Item "-time length"
Specifies how long (in seconds) this command should establish connections
and optionally transfer payload data from a server. Server and client
performance and the link speed determine how many connections it
can establish.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-cafile\fR \fIfile\fR" 4
.IX Item "-cafile file"
This is an obsolete synonym for \fB\-CAfile\fR.
.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR" 4
.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3"
See \*(L"\s-1TLS\s0 Version Options\*(R" in \fBopenssl\fR\|(1).
.SH "NOTES"
.IX Header "NOTES"
This command can be used to measure the performance of an \s-1SSL\s0 connection.
To connect to an \s-1SSL HTTP\s0 server and get the default page the command
.PP
.Vb 1
\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
.Ve
.PP
would typically be used (https uses port 443). \fIcommoncipher\fR is a cipher to
which both client and server can agree, see the \fBopenssl\-ciphers\fR\|(1) command
for details.
.PP
If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the \fB\-bugs\fR and
\&\fB\-ssl3\fR options can be tried
in case it is a buggy server. In particular you should play with these
options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
.PP
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
requests a certificate. By using \fBopenssl\-s_client\fR\|(1) the \s-1CA\s0 list can be
viewed and checked. However, some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
is necessary to use the \fB\-prexit\fR option of \fBopenssl\-s_client\fR\|(1) and
send an \s-1HTTP\s0 request for an appropriate page.
.PP
If a certificate is specified on the command line using the \fB\-cert\fR
option it will not be used unless the server specifically requests
a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
.SH "BUGS"
.IX Header "BUGS"
Because this program does not have all the options of the
\&\fBopenssl\-s_client\fR\|(1) program to turn protocols on and off, you may not
be able to measure the performance of all protocols with all servers.
.PP
The \fB\-verify\fR option should really exit if the server verification
fails.
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-cafile\fR option was deprecated in OpenSSL 3.0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-s_client\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1),
\&\fBopenssl\-ciphers\fR\|(1),
\&\fBossl_store\-file\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

267
openssl-install/share/man/man1/openssl-sess_id.1ossl Normal file
View File

@@ -0,0 +1,267 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-SESS_ID 1ossl"
.TH OPENSSL-SESS_ID 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-sess_id \- SSL/TLS session handling command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsess_id\fR
[\fB\-help\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1NSS\s0\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-text\fR]
[\fB\-cert\fR]
[\fB\-noout\fR]
[\fB\-context\fR \fI\s-1ID\s0\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes the encoded version of the \s-1SSL\s0 session
structure and optionally prints out \s-1SSL\s0 session details (for example
the \s-1SSL\s0 session master key) in human readable format. Since this is a
diagnostic tool that needs some knowledge of the \s-1SSL\s0 protocol to use
properly, most users will not need to use it.
.PP
The precise format of the data can vary across OpenSSL versions and
is not documented.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1NSS\s0\fR" 4
.IX Item "-inform DER|PEM, -outform DER|PEM|NSS"
The input and output formats; the default is \s-1PEM.\s0
See \fBopenssl\-format\-options\fR\|(1) for details.
.Sp
For \fB\s-1NSS\s0\fR output, the session \s-1ID\s0 and master key are reported in \s-1NSS\s0 \*(L"keylog\*(R"
format.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read session information from or standard
input by default.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write session information to or standard
output if this option is not specified.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the various public or private key components in
plain text in addition to the encoded version.
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
If a certificate is present in the session it will be output using this option,
if the \fB\-text\fR option is also present then it will be printed out in text form.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the session.
.IP "\fB\-context\fR \fI\s-1ID\s0\fR" 4
.IX Item "-context ID"
This option can set the session id so the output session information uses the
supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option won't normally
be used.
.SH "OUTPUT"
.IX Header "OUTPUT"
Typical output:
.PP
.Vb 10
\& SSL\-Session:
\& Protocol : TLSv1
\& Cipher : 0016
\& Session\-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
\& Session\-ID\-ctx: 01000000
\& Master\-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
\& Key\-Arg : None
\& Start Time: 948459261
\& Timeout : 300 (sec)
\& Verify return code 0 (ok)
.Ve
.PP
These are described below in more detail.
.IP "\fBProtocol\fR" 4
.IX Item "Protocol"
This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
.IP "\fBCipher\fR" 4
.IX Item "Cipher"
The cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0
or \s-1TLS\s0 specifications for more information.
.IP "\fBSession-ID\fR" 4
.IX Item "Session-ID"
The \s-1SSL\s0 session \s-1ID\s0 in hex format.
.IP "\fBSession-ID-ctx\fR" 4
.IX Item "Session-ID-ctx"
The session \s-1ID\s0 context in hex format.
.IP "\fBMaster-Key\fR" 4
.IX Item "Master-Key"
This is the \s-1SSL\s0 session master key.
.IP "\fBStart Time\fR" 4
.IX Item "Start Time"
This is the session start time represented as an integer in standard
Unix format.
.IP "\fBTimeout\fR" 4
.IX Item "Timeout"
The timeout in seconds.
.IP "\fBVerify return code\fR" 4
.IX Item "Verify return code"
This is the return code when an \s-1SSL\s0 client certificate is verified.
.SH "NOTES"
.IX Header "NOTES"
Since the \s-1SSL\s0 session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore, appropriate security precautions should be taken if
the information is being output by a \*(L"real\*(R" application. This is however
strongly discouraged and should only be used for debugging purposes.
.SH "BUGS"
.IX Header "BUGS"
The cipher and start time should be printed out in human readable form.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-ciphers\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

642
openssl-install/share/man/man1/openssl-smime.1ossl Normal file
View File

@@ -0,0 +1,642 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-SMIME 1ossl"
.TH OPENSSL-SMIME 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-smime \- S/MIME command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsmime\fR
[\fB\-help\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-sign\fR]
[\fB\-resign\fR]
[\fB\-verify\fR]
[\fB\-pk7out\fR]
[\fB\-binary\fR]
[\fB\-crlfeol\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-certfile\fR \fIfile\fR]
[\fB\-signer\fR \fIfile\fR]
[\fB\-nointern\fR]
[\fB\-noverify\fR]
[\fB\-nochain\fR]
[\fB\-nosigs\fR]
[\fB\-nocerts\fR]
[\fB\-noattr\fR]
[\fB\-nodetach\fR]
[\fB\-nosmimecap\fR]
[\fB\-recip\fR \fI file\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-content\fR \fIfile\fR]
[\fB\-to\fR \fIaddr\fR]
[\fB\-from\fR \fIad\fR]
[\fB\-subject\fR \fIs\fR]
[\fB\-text\fR]
[\fB\-indef\fR]
[\fB\-noindef\fR]
[\fB\-stream\fR]
[\fB\-md\fR \fIdigest\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-attime\fR \fItimestamp\fR]
[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level\fR \fInum\fR]
[\fB\-verify_depth\fR \fInum\fR]
[\fB\-verify_email\fR \fIemail\fR]
[\fB\-verify_hostname\fR \fIhostname\fR]
[\fB\-verify_ip\fR \fIip\fR]
[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
[\fB\-issuer_checks\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-config\fR \fIconfigfile\fR]
\&\fIrecipcert\fR ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command handles S/MIME mail. It can encrypt, decrypt, sign
and verify S/MIME messages.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are six operation options that set the type of operation to be performed:
\&\fB\-encrypt\fR, \fB\-decrypt\fR, \fB\-sign\fR, \fB\-resign\fR, \fB\-verify\fR, and \fB\-pk7out\fR.
These are mutually exclusive.
The meaning of the other options varies according to the operation type.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
.Sp
Note that no revocation check is done for the recipient cert, so if that
key has been compromised, others may be able to decrypt the text.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
is written to the output file.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in \s-1MIME\s0 format is written
to the output file.
.IP "\fB\-resign\fR" 4
.IX Item "-resign"
Resign a message: take an existing message and one or more new signers.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
.IP "\fB\-pk7out\fR" 4
.IX Item "-pk7out"
Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
The input message to be encrypted or signed or the \s-1MIME\s0 message to
be decrypted or verified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
The message text that has been decrypted or verified or the output \s-1MIME\s0
format message that has been signed or verified.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
.IX Item "-inform DER|PEM|SMIME"
The input format of the PKCS#7 (S/MIME) structure (if one is being read);
the default is \fB\s-1SMIME\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fB\s-1SMIME\s0\fR" 4
.IX Item "-outform DER|PEM|SMIME"
The output format of the PKCS#7 (S/MIME) structure (if one is being written);
the default is \fB\s-1SMIME\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-stream\fR, \fB\-indef\fR, \fB\-noindef\fR" 4
.IX Item "-stream, -indef, -noindef"
The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
other operations.
.IP "\fB\-noindef\fR" 4
.IX Item "-noindef"
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
.IP "\fB\-content\fR \fIfilename\fR" 4
.IX Item "-content filename"
This specifies a file containing the detached content, this is only
useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
structure is using the detached signature form where the content is
not included. This option will override any content if the input format
is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
.IP "\fB\-md\fR \fIdigest\fR" 4
.IX Item "-md digest"
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR,
triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes\-128\-cbc\fR. See \fBopenssl\-enc\fR\|(1) for list of ciphers
supported by your version of OpenSSL.
.Sp
If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR.
.IP "\fB\-nointern\fR" 4
.IX Item "-nointern"
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the \fB\-certfile\fR option are used.
The supplied certificates can still be used as untrusted CAs however.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Do not verify the signers certificate of a signed message.
.IP "\fB\-nochain\fR" 4
.IX Item "-nochain"
Do not do chain verification of signers certificates; that is, do not
use the certificates in the signed message as untrusted CAs.
.IP "\fB\-nosigs\fR" 4
.IX Item "-nosigs"
Don't try to verify the signatures on the message.
.IP "\fB\-nocerts\fR" 4
.IX Item "-nocerts"
When signing a message, the signer's certificate is normally included.
With this option it is excluded. This will reduce the size of the
signed message, but the verifier must have a copy of the signers certificate
available locally (passed using the \fB\-certfile\fR option for example).
.IP "\fB\-noattr\fR" 4
.IX Item "-noattr"
Normally, when a message is signed, a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
.IP "\fB\-nodetach\fR" 4
.IX Item "-nodetach"
When signing a message use opaque signing. This form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the \s-1MIME\s0 type multipart/signed is used.
.IP "\fB\-nosmimecap\fR" 4
.IX Item "-nosmimecap"
When signing a message, do not include the \fBSMIMECapabilities\fR attribute.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Normally the input message is converted to \*(L"canonical\*(R" format which is
effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in \s-1MIME\s0 format.
.IP "\fB\-crlfeol\fR" 4
.IX Item "-crlfeol"
Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this
option is present \fB\s-1CRLF\s0\fR is used instead.
.IP "\fB\-certfile\fR \fIfile\fR" 4
.IX Item "-certfile file"
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying, these will be searched for
signer certificates and will be used for chain building.
.Sp
The input can be in \s-1PEM, DER,\s0 or PKCS#12 format.
.IP "\fB\-signer\fR \fIfile\fR" 4
.IX Item "-signer file"
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
.IP "\fB\-recip\fR \fIfile\fR" 4
.IX Item "-recip file"
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-inkey filename|uri"
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-to\fR, \fB\-from\fR, \fB\-subject\fR" 4
.IX Item "-to, -from, -subject"
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
Set various options of certificate chain verification.
See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.Sp
Any verification errors cause the command to exit.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.IP "\fIrecipcert\fR ..." 4
.IX Item "recipcert ..."
One or more certificates of message recipients, used when encrypting
a message.
.SH "NOTES"
.IX Header "NOTES"
The \s-1MIME\s0 message must be sent without any blank lines between the
headers and the output. Some mail programs will automatically add
a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
.PP
The supplied message to be signed or encrypted must include the
necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
properly (if at all). You can use the \fB\-text\fR option to automatically
add plain text headers.
.PP
A \*(L"signed and encrypted\*(R" message is one where a signed message is
then encrypted. This can be produced by encrypting an already signed
message: see the examples section.
.PP
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
choke if a message contains multiple signers. It is possible to sign
messages \*(L"in parallel\*(R" by signing an already signed message.
.PP
The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
encrypted data is used for other purposes.
.PP
The \fB\-resign\fR option uses an existing message digest when adding a new
signer. This means that attributes must be present in at least one existing
signer using the same message digest or this operation will fail.
.PP
The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support.
As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
\&\fB\-sign\fR operation if the content is not detached.
.PP
Streaming is always used for the \fB\-sign\fR operation with detached data but
since the content is no longer part of the PKCS#7 structure the encoding
remains \s-1DER.\s0
.SH "EXIT CODES"
.IX Header "EXIT CODES"
.IP "0" 4
The operation was completely successfully.
.IP "1" 4
.IX Item "1"
An error occurred parsing the command options.
.IP "2" 4
.IX Item "2"
One of the input files could not be read.
.IP "3" 4
.IX Item "3"
An error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
message.
.IP "4" 4
.IX Item "4"
An error occurred decrypting or verifying the message.
.IP "5" 4
.IX Item "5"
The message was verified correctly but an error occurred writing out
the signers certificates.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a cleartext signed message:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem
.Ve
.PP
Create an opaque signed message:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
\& \-signer mycert.pem
.Ve
.PP
Create a signed message, include some additional certificates and
read the private key from another file:
.PP
.Vb 2
\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
.Ve
.PP
Create a signed message with two signers:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-signer othercert.pem
.Ve
.PP
Send a signed message under Unix directly to sendmail, including headers:
.PP
.Vb 3
\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed message" | sendmail someone@somewhere
.Ve
.PP
Verify a message and extract the signer's certificate if successful:
.PP
.Vb 1
\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
.Ve
.PP
Send encrypted mail using triple \s-1DES:\s0
.PP
.Vb 3
\& openssl smime \-encrypt \-in in.txt \-out mail.msg \-from steve@openssl.org \e
\& \-to someone@somewhere \-subject "Encrypted message" \e
\& \-des3 user.pem
.Ve
.PP
Sign and encrypt mail:
.PP
.Vb 4
\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e
\& | openssl smime \-encrypt \-out mail.msg \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed and Encrypted message" \-des3 user.pem
.Ve
.PP
Note: the encryption command does not include the \fB\-text\fR option because the
message being encrypted already has \s-1MIME\s0 headers.
.PP
Decrypt mail:
.PP
.Vb 1
\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
.Ve
.PP
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
signature by line wrapping the base64 encoded structure and surrounding
it with:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
\& \-\-\-\-\-END PKCS7\-\-\-\-\-
.Ve
.PP
and using the command:
.PP
.Vb 1
\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt
.Ve
.PP
Alternatively you can base64 decode the signature and use:
.PP
.Vb 1
\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt
.Ve
.PP
Create an encrypted message using 128 bit Camellia:
.PP
.Vb 1
\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
.Ve
.PP
Add a signer to an existing message:
.PP
.Vb 1
\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
thrown at it but it may choke on others.
.PP
The code currently will only write out the signer's certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
.PP
Ideally a database should be maintained of a certificates for each email
address.
.PP
The code doesn't currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. This means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
No revocation checking is done on the signer's certificate.
.PP
The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
structures may cause parsing errors.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

297
openssl-install/share/man/man1/openssl-speed.1ossl Normal file
View File

@@ -0,0 +1,297 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-SPEED 1ossl"
.TH OPENSSL-SPEED 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-speed \- test library performance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl speed\fR
[\fB\-help\fR]
[\fB\-config\fR \fIfilename\fR]
[\fB\-elapsed\fR]
[\fB\-evp\fR \fIalgo\fR]
[\fB\-hmac\fR \fIalgo\fR]
[\fB\-cmac\fR \fIalgo\fR]
[\fB\-mb\fR]
[\fB\-aead\fR]
[\fB\-kem\-algorithms\fR]
[\fB\-signature\-algorithms\fR]
[\fB\-multi\fR \fInum\fR]
[\fB\-async_jobs\fR \fInum\fR]
[\fB\-misalign\fR \fInum\fR]
[\fB\-decrypt\fR]
[\fB\-primes\fR \fInum\fR]
[\fB\-seconds\fR \fInum\fR]
[\fB\-bytes\fR \fInum\fR]
[\fB\-mr\fR]
[\fB\-mlock\fR]
[\fB\-testmode\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fIalgorithm\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to test the performance of cryptographic algorithms.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-config\fR \fIfilename\fR" 4
.IX Item "-config filename"
Specifies the configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-elapsed\fR" 4
.IX Item "-elapsed"
When calculating operations\- or bytes-per-second, use wall-clock time
instead of \s-1CPU\s0 user time as divisor. It can be useful when testing speed
of hardware engines.
.IP "\fB\-evp\fR \fIalgo\fR" 4
.IX Item "-evp algo"
Use the specified cipher or message digest algorithm via the \s-1EVP\s0 interface.
If \fIalgo\fR is an \s-1AEAD\s0 cipher, then you can pass \fB\-aead\fR to benchmark a
TLS-like sequence. And if \fIalgo\fR is a multi-buffer capable cipher, e.g.
aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation.
.Sp
To see the algorithms supported with this option, use
\&\f(CW\*(C`openssl list \-digest\-algorithms\*(C'\fR or \f(CW\*(C`openssl list \-cipher\-algorithms\*(C'\fR
command.
.IP "\fB\-multi\fR \fInum\fR" 4
.IX Item "-multi num"
Run multiple operations in parallel.
.IP "\fB\-async_jobs\fR \fInum\fR" 4
.IX Item "-async_jobs num"
Enable async mode and start specified number of jobs.
.IP "\fB\-misalign\fR \fInum\fR" 4
.IX Item "-misalign num"
Misalign the buffers by the specified number of bytes.
.IP "\fB\-hmac\fR \fIdigest\fR" 4
.IX Item "-hmac digest"
Time the \s-1HMAC\s0 algorithm using the specified message digest.
.IP "\fB\-cmac\fR \fIcipher\fR" 4
.IX Item "-cmac cipher"
Time the \s-1CMAC\s0 algorithm using the specified cipher e.g.
\&\f(CW\*(C`openssl speed \-cmac aes128\*(C'\fR.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Time the decryption instead of encryption. Affects only the \s-1EVP\s0 testing.
.IP "\fB\-mb\fR" 4
.IX Item "-mb"
Enable multi-block mode on EVP-named cipher.
.IP "\fB\-aead\fR" 4
.IX Item "-aead"
Benchmark EVP-named \s-1AEAD\s0 cipher in TLS-like sequence.
.IP "\fB\-kem\-algorithms\fR" 4
.IX Item "-kem-algorithms"
Benchmark \s-1KEM\s0 algorithms: key generation, encapsulation, decapsulation.
.IP "\fB\-signature\-algorithms\fR" 4
.IX Item "-signature-algorithms"
Benchmark signature algorithms: key generation, signature, verification.
.IP "\fB\-primes\fR \fInum\fR" 4
.IX Item "-primes num"
Generate a \fInum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option
is only effective if \s-1RSA\s0 algorithm is specified to test.
.IP "\fB\-seconds\fR \fInum\fR" 4
.IX Item "-seconds num"
Run benchmarks for \fInum\fR seconds.
.IP "\fB\-bytes\fR \fInum\fR" 4
.IX Item "-bytes num"
Run benchmarks on \fInum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0
The limit on the size of the buffer is \s-1INT_MAX\s0 \- 64 bytes, which for a 32\-bit
int would be 2147483583 bytes.
.IP "\fB\-mr\fR" 4
.IX Item "-mr"
Produce the summary in a mechanical, machine-readable, format.
.IP "\fB\-mlock\fR" 4
.IX Item "-mlock"
Lock memory into \s-1RAM\s0 for more deterministic measurements.
.IP "\fB\-testmode\fR" 4
.IX Item "-testmode"
Runs the speed command in testmode. Runs only 1 iteration of each algorithm test
regardless of any \fB\-seconds\fR value. In the event that any operation fails then
the speed command will return with a failure result.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fIalgorithm\fR ..." 4
.IX Item "algorithm ..."
If any \fIalgorithm\fR is given, then those algorithms are tested, otherwise a
pre-compiled grand selection is tested.
.SH "BUGS"
.IX Header "BUGS"
The \fIalgorithm\fR can be selected only from a pre-compiled subset of things
that the \f(CW\*(C`openssl speed\*(C'\fR command knows about. To test any additional digest
or cipher algorithm supported by OpenSSL use the \f(CW\*(C`\-evp\*(C'\fR option.
.PP
There is no way to test the speed of any additional public key algorithms
supported by third party providers with the \f(CW\*(C`openssl speed\*(C'\fR command.
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
\&\s-1DSA512\s0 was removed in OpenSSL 3.2.
.PP
The \fB\-testmode\fR option was added in OpenSSL 3.4.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

295
openssl-install/share/man/man1/openssl-spkac.1ossl Normal file
View File

@@ -0,0 +1,295 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-SPKAC 1ossl"
.TH OPENSSL-SPKAC 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-spkac \- SPKAC printing and generating command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBspkac\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-digest\fR \fIdigest\fR]
[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-challenge\fR \fIstring\fR]
[\fB\-pubkey\fR]
[\fB\-spkac\fR \fIspkacname\fR]
[\fB\-spksect\fR \fIsection\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command processes Netscape signed public key and challenge
(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the \fB\-key\fR option is used.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-digest\fR \fIdigest\fR" 4
.IX Item "-digest digest"
Use the specified \fIdigest\fR to sign a created \s-1SPKAC\s0 file.
The default digest algorithm is \s-1MD5.\s0
.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-key filename|uri"
Create an \s-1SPKAC\s0 file using the private key specified by \fIfilename\fR or \fIuri\fR.
The \fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
present.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The key format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-challenge\fR \fIstring\fR" 4
.IX Item "-challenge string"
Specifies the challenge string if an \s-1SPKAC\s0 is being created.
.IP "\fB\-spkac\fR \fIspkacname\fR" 4
.IX Item "-spkac spkacname"
Allows an alternative name form the variable containing the
\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
generated and input \s-1SPKAC\s0 files.
.IP "\fB\-spksect\fR \fIsection\fR" 4
.IX Item "-spksect section"
Allows an alternative name form the section containing the
\&\s-1SPKAC.\s0 The default is the default section.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the text version of the \s-1SPKAC\s0 (not used if an
\&\s-1SPKAC\s0 is being created).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
being created).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies the digital signature on the supplied \s-1SPKAC.\s0
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out the contents of an \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl spkac \-in spkac.cnf
.Ve
.PP
Verify the signature of an \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl spkac \-in spkac.cnf \-noout \-verify
.Ve
.PP
Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
.PP
.Vb 1
\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
.Ve
.PP
Example of an \s-1SPKAC,\s0 (long lines split up for clarity):
.PP
.Vb 6
\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\e
\& 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\e
\& 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\e
\& FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\e
\& h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\e
\& dq+NQ3F+X4deMx9AaEglZtULwV4=
.Ve
.SH "NOTES"
.IX Header "NOTES"
A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed to
\&\fBopenssl\-ca\fR\|(1).
.PP
SPKACs are typically generated by Netscape when a form is submitted
containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
process.
.PP
The challenge string permits a primitive form of proof of possession
of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
string some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous \s-1SPKAC\s0
to be used in a \*(L"replay attack\*(R".
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-ca\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-digest\fR option was added in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

249
openssl-install/share/man/man1/openssl-srp.1ossl Normal file
View File

@@ -0,0 +1,249 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-SRP 1ossl"
.TH OPENSSL-SRP 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-srp \- maintain SRP password file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl srp\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
[\fB\-add\fR]
[\fB\-modify\fR]
[\fB\-delete\fR]
[\fB\-list\fR]
[\fB\-name\fR \fIsection\fR]
[\fB\-srpvfile\fR \fIfile\fR]
[\fB\-gn\fR \fIidentifier\fR]
[\fB\-userinfo\fR \fItext\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-passout\fR \fIarg\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-config\fR \fIconfigfile\fR]
[\fIuser\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is deprecated. It is used to maintain an \s-1SRP\s0 (secure remote
password) file. At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR
options can be specified.
These options take zero or more usernames as parameters and perform the
appropriate operation on the \s-1SRP\s0 file.
For \fB\-list\fR, if no \fIuser\fR is given then all users are displayed.
.PP
The configuration file to use, and the section within the file, can be
specified with the \fB\-config\fR and \fB\-name\fR flags, respectively.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display an option summary.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Generate verbose output while processing.
.IP "\fB\-add\fR" 4
.IX Item "-add"
Add a user and \s-1SRP\s0 verifier.
.IP "\fB\-modify\fR" 4
.IX Item "-modify"
Modify the \s-1SRP\s0 verifier of an existing user.
.IP "\fB\-delete\fR" 4
.IX Item "-delete"
Delete user from verifier file.
.IP "\fB\-list\fR" 4
.IX Item "-list"
List users.
.IP "\fB\-name\fR" 4
.IX Item "-name"
The particular \s-1SRP\s0 definition to use.
.IP "\fB\-srpvfile\fR \fIfile\fR" 4
.IX Item "-srpvfile file"
If the config file is not specified,
\&\fB\-srpvfile\fR can be used to specify the file to operate on.
.IP "\fB\-gn\fR" 4
.IX Item "-gn"
Specifies the \fBg\fR and \fBN\fR values, using one of
the strengths defined in \s-1IETF RFC 5054.\s0
.IP "\fB\-userinfo\fR" 4
.IX Item "-userinfo"
specifies additional information to add when
adding or modifying a user.
.IP "\fB\-passin\fR \fIarg\fR, \fB\-passout\fR \fIarg\fR" 4
.IX Item "-passin arg, -passout arg"
The password source for the input and output file.
For more information about the format of \fBarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
See \*(L"Configuration Option\*(R" in \fBopenssl\fR\|(1).
.Sp
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

274
openssl-install/share/man/man1/openssl-storeutl.1ossl Normal file
View File

@@ -0,0 +1,274 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-STOREUTL 1ossl"
.TH OPENSSL-STOREUTL 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-storeutl \- STORE command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBstoreutl\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-noout\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-text\fR \fIarg\fR]
[\fB\-r\fR]
[\fB\-certs\fR]
[\fB\-keys\fR]
[\fB\-crls\fR]
[\fB\-subject\fR \fIarg\fR]
[\fB\-issuer\fR \fIarg\fR]
[\fB\-serial\fR \fIarg\fR]
[\fB\-alias\fR \fIarg\fR]
[\fB\-fingerprint\fR \fIarg\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
\&\fIuri\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command can be used to display the contents (after
decryption as the case may be) fetched from the given \s-1URI.\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
specifies the output filename to write to or standard output by
default.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
this option prevents output of the \s-1PEM\s0 data.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
the key password source. For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the objects in text form, similarly to the \fB\-text\fR output from
\&\fBopenssl\-x509\fR\|(1), \fBopenssl\-pkey\fR\|(1), etc.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Fetch objects recursively when possible.
.IP "\fB\-certs\fR" 4
.IX Item "-certs"
.PD 0
.IP "\fB\-keys\fR" 4
.IX Item "-keys"
.IP "\fB\-crls\fR" 4
.IX Item "-crls"
.PD
Only select the certificates, keys or CRLs from the given \s-1URI.\s0
However, if this \s-1URI\s0 would return a set of names (URIs), those are always
returned.
.Sp
Note that all options must be given before the \fIuri\fR argument.
.Sp
Note \fI\-keys\fR selects exclusively private keys, there is no selector for public
keys only.
.IP "\fB\-subject\fR \fIarg\fR" 4
.IX Item "-subject arg"
Search for an object having the subject name \fIarg\fR.
.Sp
The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
.Sp
Example:
.Sp
\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.IP "\fB\-issuer\fR \fIarg\fR" 4
.IX Item "-issuer arg"
.PD 0
.IP "\fB\-serial\fR \fIarg\fR" 4
.IX Item "-serial arg"
.PD
Search for an object having the given issuer name and serial number.
These two options \fImust\fR be used together.
The issuer arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR,
characters may be escaped by \e (backslash), no spaces are skipped.
The serial arg may be specified as a decimal value or a hex value if preceded
by \f(CW\*(C`0x\*(C'\fR.
.IP "\fB\-alias\fR \fIarg\fR" 4
.IX Item "-alias arg"
Search for an object having the given alias.
.IP "\fB\-fingerprint\fR \fIarg\fR" 4
.IX Item "-fingerprint arg"
Search for an object having the given fingerprint.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The digest that was used to compute the fingerprint given with \fB\-fingerprint\fR.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
This command was added in OpenSSL 1.1.1.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

766
openssl-install/share/man/man1/openssl-ts.1ossl Normal file
View File

@@ -0,0 +1,766 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-TS 1ossl"
.TH OPENSSL-TS 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ts \- Time Stamping Authority command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBts\fR
\&\fB\-help\fR
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-query\fR
[\fB\-config\fR \fIconfigfile\fR]
[\fB\-data\fR \fIfile_to_hash\fR]
[\fB\-digest\fR \fIdigest_bytes\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-tspolicy\fR \fIobject_id\fR]
[\fB\-no_nonce\fR]
[\fB\-cert\fR]
[\fB\-in\fR \fIrequest.tsq\fR]
[\fB\-out\fR \fIrequest.tsq\fR]
[\fB\-text\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-reply\fR
[\fB\-config\fR \fIconfigfile\fR]
[\fB\-section\fR \fItsa_section\fR]
[\fB\-queryfile\fR \fIrequest.tsq\fR]
[\fB\-passin\fR \fIpassword_src\fR]
[\fB\-signer\fR \fItsa_cert.pem\fR]
[\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-chain\fR \fIcerts_file.pem\fR]
[\fB\-tspolicy\fR \fIobject_id\fR]
[\fB\-in\fR \fIresponse.tsr\fR]
[\fB\-token_in\fR]
[\fB\-out\fR \fIresponse.tsr\fR]
[\fB\-token_out\fR]
[\fB\-text\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-verify\fR
[\fB\-data\fR \fIfile_to_hash\fR]
[\fB\-digest\fR \fIdigest_bytes\fR]
[\fB\-queryfile\fR \fIrequest.tsq\fR]
[\fB\-in\fR \fIresponse.tsr\fR]
[\fB\-token_in\fR]
[\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-attime\fR \fItimestamp\fR]
[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level\fR \fInum\fR]
[\fB\-verify_depth\fR \fInum\fR]
[\fB\-verify_email\fR \fIemail\fR]
[\fB\-verify_hostname\fR \fIhostname\fR]
[\fB\-verify_ip\fR \fIip\fR]
[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
[\fB\-issuer_checks\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is a basic Time Stamping Authority (\s-1TSA\s0) client and
server application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
.IP "1." 4
The \s-1TSA\s0 client computes a one-way hash value for a data file and sends
the hash to the \s-1TSA.\s0
.IP "2." 4
The \s-1TSA\s0 attaches the current date and time to the received hash value,
signs them and sends the timestamp token back to the client. By
creating this token the \s-1TSA\s0 certifies the existence of the original
data file at the time of response generation.
.IP "3." 4
The \s-1TSA\s0 client receives the timestamp token and verifies the
signature on it. It also checks if the token contains the same hash
value that it had sent to the \s-1TSA.\s0
.PP
There is one \s-1DER\s0 encoded protocol data unit defined for transporting a
timestamp request to the \s-1TSA\s0 and one for sending the timestamp response
back to the client. This command has three main functions:
creating a timestamp request based on a data file,
creating a timestamp response based on a request, verifying if a
response corresponds to a particular request or a data file.
.PP
There is no support for sending the requests/responses automatically
over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the
requests either by ftp or e\-mail.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-query\fR" 4
.IX Item "-query"
Generate a \s-1TS\s0 query. For details see \*(L"Timestamp Request generation\*(R".
.IP "\fB\-reply\fR" 4
.IX Item "-reply"
Generate a \s-1TS\s0 reply. For details see \*(L"Timestamp Response generation\*(R".
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify a \s-1TS\s0 response. For details see \*(L"Timestamp Response verification\*(R".
.SS "Timestamp Request generation"
.IX Subsection "Timestamp Request generation"
The \fB\-query\fR command can be used for creating and printing a timestamp
request with the following options:
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-data\fR \fIfile_to_hash\fR" 4
.IX Item "-data file_to_hash"
The data file for which the timestamp request needs to be
created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
parameter is specified. (Optional)
.IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
.IX Item "-digest digest_bytes"
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The message digest to apply to the data file.
Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
The default is \s-1SHA\-256.\s0 (Optional)
.IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
.IX Item "-tspolicy object_id"
The policy that the client expects the \s-1TSA\s0 to use for creating the
timestamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined
in the config file can be used. If no policy is requested the \s-1TSA\s0 will
use its own default policy. (Optional)
.IP "\fB\-no_nonce\fR" 4
.IX Item "-no_nonce"
No nonce is specified in the request if this option is
given. Otherwise, a 64\-bit long pseudo-random nonce is
included in the request. It is recommended to use a nonce to
protect against replay attacks. (Optional)
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
The \s-1TSA\s0 is expected to include its signing certificate in the
response. (Optional)
.IP "\fB\-in\fR \fIrequest.tsq\fR" 4
.IX Item "-in request.tsq"
This option specifies a previously created timestamp request in \s-1DER\s0
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
.IP "\fB\-out\fR \fIrequest.tsq\fR" 4
.IX Item "-out request.tsq"
Name of the output file to which the request will be written. Default
is stdout. (Optional)
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.SS "Timestamp Response generation"
.IX Subsection "Timestamp Response generation"
A timestamp response (TimeStampResp) consists of a response status
and the timestamp token itself (ContentInfo), if the token generation was
successful. The \fB\-reply\fR command is for creating a timestamp
response or timestamp token based on a request and printing the
response/token in human-readable format. If \fB\-token_out\fR is not
specified the output is always a timestamp response (TimeStampResp),
otherwise it is a timestamp token (ContentInfo).
.IP "\fB\-config\fR \fIconfigfile\fR" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
See \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for configurable variables.
.IP "\fB\-section\fR \fItsa_section\fR" 4
.IX Item "-section tsa_section"
The name of the config file section containing the settings for the
response generation. If not specified the default \s-1TSA\s0 section is
used, see \*(L"\s-1CONFIGURATION FILE OPTIONS\*(R"\s0 for details. (Optional)
.IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
.IX Item "-queryfile request.tsq"
The name of the file containing a \s-1DER\s0 encoded timestamp request. (Optional)
.IP "\fB\-passin\fR \fIpassword_src\fR" 4
.IX Item "-passin password_src"
Specifies the password source for the private key of the \s-1TSA.\s0 See
description in \fBopenssl\fR\|(1). (Optional)
.IP "\fB\-signer\fR \fItsa_cert.pem\fR" 4
.IX Item "-signer tsa_cert.pem"
The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
certificate must have exactly one extended key usage assigned to it:
timeStamping. The extended key usage must also be critical, otherwise
the certificate is going to be refused. Overrides the \fBsigner_cert\fR
variable of the config file. (Optional)
.IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-inkey filename|uri"
The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the
\&\fBsigner_key\fR config file option. (Optional)
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
Signing digest to use. Overrides the \fBsigner_digest\fR config file
option. (Mandatory unless specified in the config file)
.IP "\fB\-chain\fR \fIcerts_file.pem\fR" 4
.IX Item "-chain certs_file.pem"
The collection of certificates in \s-1PEM\s0 format that will all
be included in the response in addition to the signer certificate if
the \fB\-cert\fR option was used for the request. This file is supposed to
contain the certificate chain for the signer certificate from its
issuer upwards. The \fB\-reply\fR command does not build a certificate
chain automatically. (Optional)
.IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
.IX Item "-tspolicy object_id"
The default policy to use for the response unless the client
explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified
either in dotted notation or with its name. Overrides the
\&\fBdefault_policy\fR config file option. (Optional)
.IP "\fB\-in\fR \fIresponse.tsr\fR" 4
.IX Item "-in response.tsr"
Specifies a previously created timestamp response or timestamp token
(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written
to the output file. This option does not require a request, it is
useful e.g. when you need to examine the content of a response or
token or you want to extract the timestamp token from a response. If
the input is a token and the output is a timestamp response a default
\&'granted' status info is added to the token. (Optional)
.IP "\fB\-token_in\fR" 4
.IX Item "-token_in"
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
.IP "\fB\-out\fR \fIresponse.tsr\fR" 4
.IX Item "-out response.tsr"
The response is written to this file. The format and content of the
file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
stdout. (Optional)
.IP "\fB\-token_out\fR" 4
.IX Item "-token_out"
The output is a timestamp token (ContentInfo) instead of timestamp
response (TimeStampResp). (Optional)
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SS "Timestamp Response verification"
.IX Subsection "Timestamp Response verification"
The \fB\-verify\fR command is for verifying if a timestamp response or
timestamp token is valid and matches a particular timestamp request or
data file. The \fB\-verify\fR command does not use the configuration file.
.IP "\fB\-data\fR \fIfile_to_hash\fR" 4
.IX Item "-data file_to_hash"
The response or token must be verified against file_to_hash. The file
is hashed with the message digest algorithm specified in the token.
The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
(Optional)
.IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
.IX Item "-digest digest_bytes"
The response or token must be verified against the message digest specified
with this option. The number of bytes must match the message digest algorithm
specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
specified with this one. (Optional)
.IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
.IX Item "-queryfile request.tsq"
The original timestamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR
options must not be specified with this one. (Optional)
.IP "\fB\-in\fR \fIresponse.tsr\fR" 4
.IX Item "-in response.tsr"
The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandatory)
.IP "\fB\-token_in\fR" 4
.IX Item "-token_in"
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
.IP "\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR" 4
.IX Item "-untrusted files|uris"
A set of additional untrusted certificates which may be
needed when building the certificate chain for the \s-1TSA\s0's signing certificate.
These do not need to contain the \s-1TSA\s0 signing certificate and intermediate \s-1CA\s0
certificates as far as the response already includes them.
(Optional)
.Sp
Multiple sources may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-CAstore\fR \fIuri\fR" 4
.IX Item "-CAfile file, -CApath dir, -CAstore uri"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
At least one of \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR must be specified.
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
Set various options of certificate chain verification.
See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.Sp
Any verification errors cause the command to exit.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file.
See \fBconfig\fR\|(5)
for a general description of the syntax of the config file. The
\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section
and it can work without it. However, the \fB\-reply\fR command needs the
config file for its operation.
.PP
When there is a command line switch equivalent of a variable the
switch always overrides the settings in the config file.
.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4
.IX Item "tsa section, default_tsa"
This is the main section and it specifies the name of another section
that contains all the options for the \fB\-reply\fR command. This default
section can be overridden with the \fB\-section\fR command line switch. (Optional)
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
object identifier followed by whitespace then the short name followed
by whitespace and finally the long name. (Optional)
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by \fB=\fR and the numerical form. The short
and long names are the same when this option is used. (Optional)
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.
.IP "\fBserial\fR" 4
.IX Item "serial"
The name of the file containing the hexadecimal serial number of the
last timestamp response created. This number is incremented by 1 for
each response. If the file does not exist at the time of response
generation a new file is created with serial number 1. (Mandatory)
.IP "\fBcrypto_device\fR" 4
.IX Item "crypto_device"
Specifies the OpenSSL engine that will be set as the default for
all available algorithms. The default value is built-in, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0).
(Optional)
.IP "\fBsigner_cert\fR" 4
.IX Item "signer_cert"
\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR
command line option. (Optional)
.IP "\fBcerts\fR" 4
.IX Item "certs"
A file containing a set of \s-1PEM\s0 encoded certificates that need to be
included in the response. The same as the \fB\-chain\fR command line
option. (Optional)
.IP "\fBsigner_key\fR" 4
.IX Item "signer_key"
The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR
command line option. (Optional)
.IP "\fBsigner_digest\fR" 4
.IX Item "signer_digest"
Signing digest to use. The same as the
\&\fB\-\f(BIdigest\fB\fR command line option. (Mandatory unless specified on the command
line)
.IP "\fBdefault_policy\fR" 4
.IX Item "default_policy"
The default policy to use when the request does not mandate any
policy. The same as the \fB\-tspolicy\fR command line option. (Optional)
.IP "\fBother_policies\fR" 4
.IX Item "other_policies"
Comma separated list of policies that are also acceptable by the \s-1TSA\s0
and used only if the request explicitly specifies one of them. (Optional)
.IP "\fBdigests\fR" 4
.IX Item "digests"
The list of message digest algorithms that the \s-1TSA\s0 accepts. At least
one algorithm must be specified. (Mandatory)
.IP "\fBaccuracy\fR" 4
.IX Item "accuracy"
The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds
and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of
the components is missing zero is assumed for that field. (Optional)
.IP "\fBclock_precision_digits\fR" 4
.IX Item "clock_precision_digits"
Specifies the maximum number of digits, which represent the fraction of
seconds, that need to be included in the time field. The trailing zeros
must be removed from the time, so there might actually be fewer digits,
or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms.
The maximum value is 6, default is 0.
(Optional)
.IP "\fBordering\fR" 4
.IX Item "ordering"
If this option is yes the responses generated by this \s-1TSA\s0 can always
be ordered, even if the time difference between two responses is less
than the sum of their accuracies. Default is no. (Optional)
.IP "\fBtsa_name\fR" 4
.IX Item "tsa_name"
Set this option to yes if the subject name of the \s-1TSA\s0 must be included in
the \s-1TSA\s0 name field of the response. Default is no. (Optional)
.IP "\fBess_cert_id_chain\fR" 4
.IX Item "ess_cert_id_chain"
The SignedData objects created by the \s-1TSA\s0 always contain the
certificate identifier of the signing certificate in a signed
attribute (see \s-1RFC 2634,\s0 Enhanced Security Services).
If this variable is set to no, only this signing certificate identifier
is included in the SigningCertificate signed attribute.
If this variable is set to yes and the \fBcerts\fR variable or the \fB\-chain\fR option
is specified then the certificate identifiers of the chain will also
be included, where the \fB\-chain\fR option overrides the \fBcerts\fR variable.
Default is no. (Optional)
.IP "\fBess_cert_id_alg\fR" 4
.IX Item "ess_cert_id_alg"
This option specifies the hash function to be used to calculate the \s-1TSA\s0's
public key certificate identifier. Default is sha256. (Optional)
.SH "EXAMPLES"
.IX Header "EXAMPLES"
All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
configuration file, e.g. the example configuration file
\&\fIopenssl/apps/openssl.cnf\fR will do.
.SS "Timestamp Request"
.IX Subsection "Timestamp Request"
To create a timestamp request for \fIdesign1.txt\fR with \s-1SHA\-256\s0 digest,
without nonce and policy, and without requirement for a certificate
in the response:
.PP
.Vb 2
\& openssl ts \-query \-data design1.txt \-no_nonce \e
\& \-out design1.tsq
.Ve
.PP
To create a similar timestamp request with specifying the message imprint
explicitly:
.PP
.Vb 2
\& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
\& \-no_nonce \-out design1.tsq
.Ve
.PP
To print the content of the previous request in human readable format:
.PP
.Vb 1
\& openssl ts \-query \-in design1.tsq \-text
.Ve
.PP
To create a timestamp request which includes the \s-1SHA\-512\s0 digest
of \fIdesign2.txt\fR, requests the signer certificate and nonce, and
specifies a policy id (assuming the tsa_policy1 name is defined in the
\&\s-1OID\s0 section of the config file):
.PP
.Vb 2
\& openssl ts \-query \-data design2.txt \-sha512 \e
\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq
.Ve
.SS "Timestamp Response"
.IX Subsection "Timestamp Response"
Before generating a response a signing certificate must be created for
the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension
without any other key usage extensions. You can add this line to the
user certificate section of the config file to generate a proper certificate;
.PP
.Vb 1
\& extendedKeyUsage = critical,timeStamping
.Ve
.PP
See \fBopenssl\-req\fR\|(1), \fBopenssl\-ca\fR\|(1), and \fBopenssl\-x509\fR\|(1) for
instructions. The examples below assume that \fIcacert.pem\fR contains the
certificate of the \s-1CA,\s0 \fItsacert.pem\fR is the signing certificate issued
by \fIcacert.pem\fR and \fItsakey.pem\fR is the private key of the \s-1TSA.\s0
.PP
To create a timestamp response for a request:
.PP
.Vb 2
\& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e
\& \-signer tsacert.pem \-out design1.tsr
.Ve
.PP
If you want to use the settings in the config file you could just write:
.PP
.Vb 1
\& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr
.Ve
.PP
To print a timestamp reply to stdout in human readable format:
.PP
.Vb 1
\& openssl ts \-reply \-in design1.tsr \-text
.Ve
.PP
To create a timestamp token instead of timestamp response:
.PP
.Vb 1
\& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out
.Ve
.PP
To print a timestamp token to stdout in human readable format:
.PP
.Vb 1
\& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out
.Ve
.PP
To extract the timestamp token from a response:
.PP
.Vb 1
\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
.Ve
.PP
To add 'granted' status info to a timestamp token thereby creating a
valid response:
.PP
.Vb 1
\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
.Ve
.SS "Timestamp Verification"
.IX Subsection "Timestamp Verification"
To verify a timestamp reply against a request:
.PP
.Vb 2
\& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e
\& \-CAfile cacert.pem \-untrusted tsacert.pem
.Ve
.PP
To verify a timestamp reply that includes the certificate chain:
.PP
.Vb 2
\& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e
\& \-CAfile cacert.pem
.Ve
.PP
To verify a timestamp token against the original data file:
.PP
.Vb 2
\& openssl ts \-verify \-data design2.txt \-in design2.tsr \e
\& \-CAfile cacert.pem
.Ve
.PP
To verify a timestamp token against a message imprint:
.PP
.Vb 2
\& openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
\& \-in design2.tsr \-CAfile cacert.pem
.Ve
.PP
You could also look at the 'test' directory for more examples.
.SH "BUGS"
.IX Header "BUGS"
.IP "\(bu" 2
No support for timestamps over \s-1SMTP,\s0 though it is quite easy
to implement an automatic e\-mail based \s-1TSA\s0 with \fBprocmail\fR\|(1)
and \fBperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of
a separate apache module. \s-1HTTP\s0 client support is provided by
\&\fBtsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported.
.IP "\(bu" 2
The file containing the last serial number of the \s-1TSA\s0 is not
locked when being read or written. This is a problem if more than one
instance of \fBopenssl\fR\|(1) is trying to create a timestamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
.IP "\(bu" 2
Look for the \s-1FIXME\s0 word in the source files.
.IP "\(bu" 2
The source code should really be reviewed by somebody else, too.
.IP "\(bu" 2
More testing is needed, I have done only some basic tests (see
test/testtsa).
.SH "HISTORY"
.IX Header "HISTORY"
OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
seeding mechanism. The new seeding mechanism makes it unnecessary to
define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBtsget\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBconfig\fR\|(5),
\&\fBossl_store\-file\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

768
openssl-install/share/man/man1/openssl-verification-options.1ossl Normal file
View File

@@ -0,0 +1,768 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERIFICATION-OPTIONS 1ossl"
.TH OPENSSL-VERIFICATION-OPTIONS 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-verification\-options \- generic X.509 certificate verification options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIoptions\fR ... ]
[ \fIparameters\fR ... ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
There are many situations where X.509 certificates are verified
within the OpenSSL libraries and in various OpenSSL commands.
.PP
Certificate verification is implemented by \fBX509_verify_cert\fR\|(3).
It is a complicated process consisting of a number of steps
and depending on numerous options.
The most important of them are detailed in the following sections.
.PP
In a nutshell, a valid chain of certificates needs to be built up and verified
starting from the \fItarget certificate\fR that is to be verified
and ending in a certificate that due to some policy is trusted.
Certificate validation can be performed in the context of a \fIpurpose\fR, which
is a high-level specification of the intended use of the target certificate,
such as \f(CW\*(C`sslserver\*(C'\fR for \s-1TLS\s0 servers, or (by default) for any purpose.
.PP
The details of how each OpenSSL command handles errors
are documented on the specific command page.
.PP
\&\s-1DANE\s0 support is documented in \fBopenssl\-s_client\fR\|(1),
\&\fBSSL_CTX_dane_enable\fR\|(3), \fBSSL_set1_host\fR\|(3),
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3), and \fBX509_check_host\fR\|(3).
.SS "Trust Anchors"
.IX Subsection "Trust Anchors"
In general, according to \s-1RFC 4158\s0 and \s-1RFC 5280,\s0 a \fItrust anchor\fR is
any public key and related subject distinguished name (\s-1DN\s0) that
for some reason is considered trusted
and thus is acceptable as the root of a chain of certificates.
.PP
In practice, trust anchors are given in the form of certificates,
where their essential fields are the public key and the subject \s-1DN.\s0
In addition to the requirements in \s-1RFC 5280,\s0
OpenSSL checks the validity period of such certificates
and makes use of some further fields.
In particular, the subject key identifier extension, if present,
is used for matching trust anchors during chain building.
.PP
In the most simple and common case, trust anchors are by default
all self-signed \*(L"root\*(R" \s-1CA\s0 certificates that are placed in the \fItrust store\fR,
which is a collection of certificates that are trusted for certain uses.
This is akin to what is used in the trust stores of Mozilla Firefox,
or Apple's and Microsoft's certificate stores, ...
.PP
From the OpenSSL perspective, a trust anchor is a certificate
that should be augmented with an explicit designation for which
uses of a target certificate the certificate may serve as a trust anchor.
In \s-1PEM\s0 encoding, this is indicated by the \f(CW\*(C`TRUSTED CERTIFICATE\*(C'\fR string.
Such a designation provides a set of positive trust attributes
explicitly stating trust for the listed purposes
and/or a set of negative trust attributes
explicitly rejecting the use for the listed purposes.
The purposes are encoded using the values defined for the extended key usages
(EKUs) that may be given in X.509 extensions of end-entity certificates.
See also the \*(L"Extended Key Usage\*(R" section below.
.PP
The currently recognized uses are
\&\fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR (\s-1SSL\s0 server use),
\&\fBemailProtection\fR (S/MIME email use), \fBcodeSigning\fR (object signer use),
\&\fBOCSPSigning\fR (\s-1OCSP\s0 responder use), \fB\s-1OCSP\s0\fR (\s-1OCSP\s0 request use),
\&\fBtimeStamping\fR (\s-1TSA\s0 server use), and \fBanyExtendedKeyUsage\fR.
As of OpenSSL 1.1.0, the last of these blocks all uses when rejected or
enables all uses when trusted.
.PP
A certificate, which may be \s-1CA\s0 certificate or an end-entity certificate,
is considered a trust anchor for the given use
if and only if all the following conditions hold:
.IP "\(bu" 4
It is an an element of the trust store.
.IP "\(bu" 4
It does not have a negative trust attribute rejecting the given use.
.IP "\(bu" 4
It has a positive trust attribute accepting the given use
or (by default) one of the following compatibility conditions apply:
It is self-signed or the \fB\-partial_chain\fR option is given
(which corresponds to the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag being set).
.SS "Certification Path Building"
.IX Subsection "Certification Path Building"
First, a certificate chain is built up starting from the target certificate
and ending in a trust anchor.
.PP
The chain is built up iteratively, looking up in turn
a certificate with suitable key usage that
matches as an issuer of the current \*(L"subject\*(R" certificate as described below.
If there is such a certificate, the first one found that is currently valid
is taken, otherwise the one that expired most recently of all such certificates.
For efficiency, no backtracking is performed, thus
any further candidate issuer certificates that would match equally are ignored.
.PP
When a self-signed certificate has been added, chain construction stops.
In this case it must fully match a trust anchor, otherwise chain building fails.
.PP
A candidate issuer certificate matches a subject certificate
if all of the following conditions hold:
.IP "\(bu" 4
Its subject name matches the issuer name of the subject certificate.
.IP "\(bu" 4
If the subject certificate has an authority key identifier extension,
each of its sub-fields equals the corresponding subject key identifier, serial
number, and issuer field of the candidate issuer certificate,
as far as the respective fields are present in both certificates.
.IP "\(bu" 4
The certificate signature algorithm used to sign the subject certificate
is supported and
equals the public key algorithm of the candidate issuer certificate.
.PP
The lookup first searches for issuer certificates in the trust store.
If it does not find a match there it consults
the list of untrusted (\*(L"intermediate\*(R" \s-1CA\s0) certificates, if provided.
.SS "Certification Path Validation"
.IX Subsection "Certification Path Validation"
When the certificate chain building process was successful
the chain components and their links are checked thoroughly.
.PP
The first step is to check that each certificate is well-formed.
Part of these checks are enabled only if the \fB\-x509_strict\fR option is given.
.PP
The second step is to check the X.509v3 extensions of every certificate
for consistency with the intended specific purpose, if any.
If the \fB\-purpose\fR option is not given then no such checks are done except for
\&\s-1CMS\s0 signature checking, where by default \f(CW\*(C`smimesign\*(C'\fR is checked, and \s-1SSL/\s0(D)TLS
connection setup, where by default \f(CW\*(C`sslserver\*(C'\fR or \f(CW\*(C`sslclient\*(C'\fR are checked.
The X.509v3 extensions of the target or \*(L"leaf\*(R" certificate
must be compatible with the specified purpose.
All other certificates down the chain are checked to be valid \s-1CA\s0 certificates,
and possibly also further non-standard checks are performed.
The precise extensions required are described in detail
in the \*(L"Certificate Extensions\*(R" section below.
.PP
The third step is to check the trust settings on the last certificate
(which typically is a self-signed root \s-1CA\s0 certificate).
It must be trusted for the given use.
For compatibility with previous versions of OpenSSL, a self-signed certificate
with no trust attributes is considered to be valid for all uses.
.PP
The fourth, and final, step is to check the validity of the certificate chain.
For each element in the chain, including the root \s-1CA\s0 certificate,
the validity period as specified by the \f(CW\*(C`notBefore\*(C'\fR and \f(CW\*(C`notAfter\*(C'\fR fields
is checked against the current system time.
The \fB\-attime\fR flag may be used to use a reference time other than \*(L"now.\*(R"
The certificate signature is checked as well
(except for the signature of the typically self-signed root \s-1CA\s0 certificate,
which is verified only if the \fB\-check_ss_sig\fR option is given).
When verifying a certificate signature
the keyUsage extension (if present) of the candidate issuer certificate
is checked to permit digitalSignature for signing proxy certificates
or to permit keyCertSign for signing other certificates, respectively.
If all operations complete successfully then certificate is considered
valid. If any operation fails then the certificate is not valid.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Trusted Certificate Options"
.IX Subsection "Trusted Certificate Options"
The following options specify how to supply the certificates
that can be used as trust anchors for certain uses.
As mentioned, a collection of such certificates is called a \fItrust store\fR.
.PP
Note that OpenSSL does not provide a default set of trust anchors. Many
Linux distributions include a system default and configure OpenSSL to point
to that. Mozilla maintains an influential trust store that can be found at
<https://www.mozilla.org/en\-US/about/governance/policies/security\-group/certs/>.
.PP
The certificates to add to the trust store
can be specified using following options.
.IP "\fB\-CAfile\fR \fIfile\fR" 4
.IX Item "-CAfile file"
Load the specified file which contains a trusted certificate in \s-1DER\s0 format
or potentially several of them in case the input is in \s-1PEM\s0 format.
PEM-encoded certificates may also have trust attributes set.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the default file of trusted certificates.
.IP "\fB\-CApath\fR \fIdir\fR" 4
.IX Item "-CApath dir"
Use the specified directory as a collection of trusted certificates,
i.e., a trust store.
Files should be named with the hash value of the X.509 SubjectName of each
certificate. This is so that the library can extract the IssuerName,
hash it, and directly lookup the file to get the issuer certificate.
See \fBopenssl\-rehash\fR\|(1) for information on creating this type of directory.
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not use the default directory of trusted certificates.
.IP "\fB\-CAstore\fR \fIuri\fR" 4
.IX Item "-CAstore uri"
Use \fIuri\fR as a store of \s-1CA\s0 certificates.
The \s-1URI\s0 may indicate a single certificate, as well as a collection of them.
With URIs in the \f(CW\*(C`file:\*(C'\fR scheme, this acts as \fB\-CAfile\fR or
\&\fB\-CApath\fR, depending on if the \s-1URI\s0 indicates a single file or
directory.
See \fBossl_store\-file\fR\|(7) for more information on the \f(CW\*(C`file:\*(C'\fR scheme.
.Sp
These certificates are also used when building the server certificate
chain (for example with \fBopenssl\-s_server\fR\|(1)) or client certificate
chain (for example with \fBopenssl\-s_time\fR\|(1)).
.IP "\fB\-no\-CAstore\fR" 4
.IX Item "-no-CAstore"
Do not use the default store of trusted \s-1CA\s0 certificates.
.SS "Verification Options"
.IX Subsection "Verification Options"
The certificate verification can be fine-tuned with the following flags.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra information about the operations being performed.
.IP "\fB\-attime\fR \fItimestamp\fR" 4
.IX Item "-attime timestamp"
Perform validation checks using time specified by \fItimestamp\fR and not
current system time. \fItimestamp\fR is the number of seconds since
January 1, 1970 (i.e., the Unix Epoch).
.IP "\fB\-no_check_time\fR" 4
.IX Item "-no_check_time"
This option suppresses checking the validity period of certificates and CRLs
against the current time. If option \fB\-attime\fR is used to specify
a verification time, the check is not suppressed.
.IP "\fB\-x509_strict\fR" 4
.IX Item "-x509_strict"
This disables non-compliant workarounds for broken certificates.
Thus errors are thrown on certificates not compliant with \s-1RFC 5280.\s0
.Sp
When this option is set,
among others, the following certificate well-formedness conditions are checked:
.RS 4
.IP "\(bu" 4
The basicConstraints of \s-1CA\s0 certificates must be marked critical.
.IP "\(bu" 4
\&\s-1CA\s0 certificates must explicitly include the keyUsage extension.
.IP "\(bu" 4
If a pathlenConstraint is given the key usage keyCertSign must be allowed.
.IP "\(bu" 4
The pathlenConstraint must not be given for non-CA certificates.
.IP "\(bu" 4
The issuer name of any certificate must not be empty.
.IP "\(bu" 4
The subject name of \s-1CA\s0 certs, certs with keyUsage crlSign, and certs
without subjectAlternativeName must not be empty.
.IP "\(bu" 4
If a subjectAlternativeName extension is given it must not be empty.
.IP "\(bu" 4
The signatureAlgorithm field and the cert signature must be consistent.
.IP "\(bu" 4
Any given authorityKeyIdentifier and any given subjectKeyIdentifier
must not be marked critical.
.IP "\(bu" 4
The authorityKeyIdentifier must be given for X.509v3 certs unless they
are self-signed.
.IP "\(bu" 4
The subjectKeyIdentifier must be given for all X.509v3 \s-1CA\s0 certs.
.RE
.RS 4
.RE
.IP "\fB\-ignore_critical\fR" 4
.IX Item "-ignore_critical"
Normally if an unhandled critical extension is present that is not
supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0).
If this option is set critical extensions are ignored.
.IP "\fB\-issuer_checks\fR" 4
.IX Item "-issuer_checks"
Ignored.
.IP "\fB\-crl_check\fR" 4
.IX Item "-crl_check"
Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
If a valid \s-1CRL\s0 cannot be found an error occurs.
.IP "\fB\-crl_check_all\fR" 4
.IX Item "-crl_check_all"
Checks the validity of \fBall\fR certificates in the chain by attempting
to look up valid CRLs.
.IP "\fB\-use_deltas\fR" 4
.IX Item "-use_deltas"
Enable support for delta CRLs.
.IP "\fB\-extended_crl\fR" 4
.IX Item "-extended_crl"
Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
signing keys.
.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4
.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192"
Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are
reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves
P\-256 and P\-384.
.IP "\fB\-auth_level\fR \fIlevel\fR" 4
.IX Item "-auth_level level"
Set the certificate chain authentication security level to \fIlevel\fR.
The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains. For a certificate
chain to validate, the public keys of all the certificates must meet the
specified security \fIlevel\fR. The signature algorithm security level is
enforced for all the certificates in the chain except for the chain's
\&\fItrust anchor\fR, which is either directly trusted or validated by means
other than its signature. See \fBSSL_CTX_set_security_level\fR\|(3) for the
definitions of the available levels. The default security level is \-1,
or \*(L"not set\*(R". At security level 0 or lower all algorithms are acceptable.
Security level 1 requires at least 80\-bit\-equivalent security and is broadly
interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0
keys shorter than 1024 bits.
.IP "\fB\-partial_chain\fR" 4
.IX Item "-partial_chain"
Allow verification to succeed if an incomplete chain can be built.
That is, a chain ending in a certificate that normally would not be trusted
(because it has no matching positive trust attributes and is not self-signed)
but is an element of the trust store.
This certificate may be self-issued or belong to an intermediate \s-1CA.\s0
.IP "\fB\-check_ss_sig\fR" 4
.IX Item "-check_ss_sig"
Verify the signature of
the last certificate in a chain if the certificate is supposedly self-signed.
This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
certificate with key usage restrictions not including the keyCertSign bit.
This verification is disabled by default because it doesn't add any security.
.IP "\fB\-allow_proxy_certs\fR" 4
.IX Item "-allow_proxy_certs"
Allow the verification of proxy certificates.
.IP "\fB\-trusted_first\fR" 4
.IX Item "-trusted_first"
As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
.Sp
When constructing the certificate chain, the trusted certificates specified
via \fB\-CAfile\fR, \fB\-CApath\fR, \fB\-CAstore\fR or \fB\-trusted\fR are always used
before any certificates specified via \fB\-untrusted\fR.
.IP "\fB\-no_alt_chains\fR" 4
.IX Item "-no_alt_chains"
As of OpenSSL 1.1.0, since \fB\-trusted_first\fR always on, this option has no
effect.
.IP "\fB\-trusted\fR \fIfile\fR" 4
.IX Item "-trusted file"
Parse \fIfile\fR as a set of one or more certificates.
Each of them qualifies as trusted if has a suitable positive trust attribute
or it is self-signed or the \fB\-partial_chain\fR option is specified.
This option implies the \fB\-no\-CAfile\fR, \fB\-no\-CApath\fR, and \fB\-no\-CAstore\fR options
and it cannot be used with the \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR options, so
only certificates specified using the \fB\-trusted\fR option are trust anchors.
This option may be used multiple times.
.IP "\fB\-untrusted\fR \fIfile\fR" 4
.IX Item "-untrusted file"
Parse \fIfile\fR as a set of one or more certificates.
All certificates (typically of intermediate CAs) are considered untrusted
and may be used to
construct a certificate chain from the target certificate to a trust anchor.
This option may be used multiple times.
.IP "\fB\-policy\fR \fIarg\fR" 4
.IX Item "-policy arg"
Enable policy processing and add \fIarg\fR to the user-initial-policy-set (see
\&\s-1RFC5280\s0). The policy \fIarg\fR can be an object name or an \s-1OID\s0 in numeric form.
This argument can appear more than once.
.IP "\fB\-explicit_policy\fR" 4
.IX Item "-explicit_policy"
Set policy variable require-explicit-policy (see \s-1RFC5280\s0).
.IP "\fB\-policy_check\fR" 4
.IX Item "-policy_check"
Enables certificate policy processing.
.IP "\fB\-policy_print\fR" 4
.IX Item "-policy_print"
Print out diagnostics related to policy processing.
.IP "\fB\-inhibit_any\fR" 4
.IX Item "-inhibit_any"
Set policy variable inhibit-any-policy (see \s-1RFC5280\s0).
.IP "\fB\-inhibit_map\fR" 4
.IX Item "-inhibit_map"
Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
.IP "\fB\-purpose\fR \fIpurpose\fR" 4
.IX Item "-purpose purpose"
A high-level specification of the intended use of the target certificate.
Currently predefined purposes are \f(CW\*(C`sslclient\*(C'\fR, \f(CW\*(C`sslserver\*(C'\fR, \f(CW\*(C`nssslserver\*(C'\fR,
\&\f(CW\*(C`smimesign\*(C'\fR, \f(CW\*(C`smimeencrypt\*(C'\fR, \f(CW\*(C`crlsign\*(C'\fR, \f(CW\*(C`ocsphelper\*(C'\fR, \f(CW\*(C`timestampsign\*(C'\fR,
\&\f(CW\*(C`codesign\*(C'\fR and \f(CW\*(C`any\*(C'\fR.
If peer certificate verification is enabled, by default the \s-1TLS\s0 implementation
and thus the commands \fBopenssl\-s_client\fR\|(1) and \fBopenssl\-s_server\fR\|(1)
check for consistency with
\&\s-1TLS\s0 server (\f(CW\*(C`sslserver\*(C'\fR) or \s-1TLS\s0 client use (\f(CW\*(C`sslclient\*(C'\fR), respectively.
By default, \s-1CMS\s0 signature validation, which can be done via \fBopenssl\-cms\fR\|(1),
checks for consistency with S/MIME signing use (\f(CW\*(C`smimesign\*(C'\fR).
.Sp
While \s-1IETF RFC 5280\s0 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR
are only for \s-1WWW\s0 use, in practice they are used for all kinds of \s-1TLS\s0 clients
and servers, and this is what OpenSSL assumes as well.
.IP "\fB\-verify_depth\fR \fInum\fR" 4
.IX Item "-verify_depth num"
Limit the certificate chain to \fInum\fR intermediate \s-1CA\s0 certificates.
A maximal depth chain can have up to \fInum\fR+2 certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
\&\fB\-verify_depth\fR limit.
.IP "\fB\-verify_email\fR \fIemail\fR" 4
.IX Item "-verify_email email"
Verify if \fIemail\fR matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
.IP "\fB\-verify_hostname\fR \fIhostname\fR" 4
.IX Item "-verify_hostname hostname"
Verify if \fIhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or
Common Name in the subject certificate.
.IP "\fB\-verify_ip\fR \fIip\fR" 4
.IX Item "-verify_ip ip"
Verify if \fIip\fR matches the \s-1IP\s0 address in Subject Alternative Name of
the subject certificate.
.IP "\fB\-verify_name\fR \fIname\fR" 4
.IX Item "-verify_name name"
Use a set of verification parameters, also known as verification method,
identified by \fIname\fR. The currently predefined methods are named \f(CW\*(C`ssl_client\*(C'\fR,
\&\f(CW\*(C`ssl_server\*(C'\fR, \f(CW\*(C`smime_sign\*(C'\fR with alias \f(CW\*(C`pkcs7\*(C'\fR, \f(CW\*(C`code_sign\*(C'\fR, and \f(CW\*(C`default\*(C'\fR.
These mimic the combinations of purpose and trust settings used in \s-1SSL/\s0(D)TLS,
\&\s-1CMS/PKCS7\s0 (including S/MIME), and code signing.
.Sp
The verification parameters include the trust model, various flags that can
partly be set also via other command-line options, and the verification purpose,
which in turn implies certificate key usage and extended key usage requirements.
.Sp
The trust model determines which auxiliary trust or reject OIDs are applicable
to verifying the given certificate chain.
They can be given using the \fB\-addtrust\fR and \fB\-addreject\fR options
for \fBopenssl\-x509\fR\|(1).
.SS "Extended Verification Options"
.IX Subsection "Extended Verification Options"
Sometimes there may be more than one certificate chain leading to an
end-entity certificate.
This usually happens when a root or intermediate \s-1CA\s0 signs a certificate
for another a \s-1CA\s0 in other organization.
Another reason is when a \s-1CA\s0 might have intermediates that use two different
signature formats, such as a \s-1SHA\-1\s0 and a \s-1SHA\-256\s0 digest.
.PP
The following options can be used to provide data that will allow the
OpenSSL command to generate an alternative chain.
.IP "\fB\-xkey\fR \fIinfile\fR, \fB\-xcert\fR \fIinfile\fR, \fB\-xchain\fR" 4
.IX Item "-xkey infile, -xcert infile, -xchain"
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
specified, the callback returning the first valid chain will be in use by the
client.
.IP "\fB\-xchain_build\fR" 4
.IX Item "-xchain_build"
Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates via the \fB\-xkey\fR,
\&\fB\-xcert\fR, and \fB\-xchain\fR options.
.IP "\fB\-xcertform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
.IX Item "-xcertform DER|PEM|P12"
The input format for the extra certificate.
This option has no effect and is retained for backward compatibility only.
.IP "\fB\-xkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
.IX Item "-xkeyform DER|PEM|P12"
The input format for the extra key.
This option has no effect and is retained for backward compatibility only.
.SS "Certificate Extensions"
.IX Subsection "Certificate Extensions"
Options like \fB\-purpose\fR and \fB\-verify_name\fR trigger the processing of specific
certificate extensions, which determine what certificates can be used for.
.PP
\fIBasic Constraints\fR
.IX Subsection "Basic Constraints"
.PP
The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the
\&\s-1CA\s0 flag set to true.
.PP
If the basicConstraints extension is absent,
which includes the case that it is an X.509v1 certificate,
then the certificate is considered to be a \*(L"possible \s-1CA\*(R"\s0 and
other extensions are checked according to the intended use of the certificate.
The treatment of certificates without basicConstraints as a \s-1CA\s0
is presently supported, but this could change in the future.
.PP
\fIKey Usage\fR
.IX Subsection "Key Usage"
.PP
If the keyUsage extension is present then additional restraints are
made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
keyCertSign bit set if the keyUsage extension is present.
.PP
\fIExtended Key Usage\fR
.IX Subsection "Extended Key Usage"
.PP
The extKeyUsage (\s-1EKU\s0) extension places additional restrictions on
certificate use. If this extension is present (whether critical or not)
in an end-entity certficiate, the key is allowed only for the uses specified,
while the special \s-1EKU\s0 \fBanyExtendedKeyUsage\fR allows for all uses.
.PP
Note that according to \s-1RFC 5280\s0 section 4.2.1.12,
the Extended Key Usage extension will appear only in end-entity certificates,
and consequently the standard certification path validation described
in its section 6 does not include \s-1EKU\s0 checks for \s-1CA\s0 certificates.
The CA/Browser Forum requires for \s-1TLS\s0 server, S/MIME, and code signing use
the presence of respective EKUs in subordinate \s-1CA\s0 certificates (while excluding
them for root \s-1CA\s0 certificates), while taking over from \s-1RFC 5280\s0
the certificate validity concept and certificate path validation.
.PP
For historic reasons, OpenSSL has its own way of interpreting and checking
\&\s-1EKU\s0 extensions on \s-1CA\s0 certificates, which may change in the future.
It does not require the presence of \s-1EKU\s0 extensions in \s-1CA\s0 certificates,
but in case the verification purpose is
\&\f(CW\*(C`sslclient\*(C'\fR, \f(CW\*(C`nssslserver\*(C'\fR, \f(CW\*(C`sslserver\*(C'\fR, \f(CW\*(C`smimesign\*(C'\fR, or \f(CW\*(C`smimeencrypt\*(C'\fR,
it checks that any present \s-1EKU\s0 extension (that does not contain
\&\fBanyExtendedKeyUsage\fR) contains the respective \s-1EKU\s0 as detailed below.
Moreover, it does these checks even for trust anchor certificates.
.PP
\fIChecks Implied by Specific Predefined Policies\fR
.IX Subsection "Checks Implied by Specific Predefined Policies"
.PP
A specific description of each check is given below. The comments about
basicConstraints and keyUsage and X.509v1 certificates above apply to \fBall\fR
\&\s-1CA\s0 certificates.
.ie n .IP "\fB(D)TLS Client\fR (""sslclient"")" 4
.el .IP "\fB(D)TLS Client\fR (\f(CWsslclient\fR)" 4
.IX Item "(D)TLS Client (sslclient)"
Any given extended key usage extension must allow for \f(CW\*(C`clientAuth\*(C'\fR
(\*(L"\s-1TLS WWW\s0 client authentication\*(R").
.Sp
For target certificates,
the key usage must allow for \f(CW\*(C`digitalSignature\*(C'\fR and/or \f(CW\*(C`keyAgreement\*(C'\fR.
The Netscape certificate type must be absent or have the \s-1SSL\s0 client bit set.
.Sp
For all other certificates the normal \s-1CA\s0 checks apply. In addition,
the Netscape certificate type must be absent or have the \s-1SSL CA\s0 bit set.
This is used as a workaround if the basicConstraints extension is absent.
.ie n .IP "\fB(D)TLS Server\fR (""sslserver"")" 4
.el .IP "\fB(D)TLS Server\fR (\f(CWsslserver\fR)" 4
.IX Item "(D)TLS Server (sslserver)"
Any given extended key usage extension must allow for \f(CW\*(C`serverAuth\*(C'\fR
(\*(L"\s-1TLS WWW\s0 server authentication\*(R") and/or include one of the \s-1SGC\s0 OIDs.
.Sp
For target certificates, the key usage must
allow for \f(CW\*(C`digitalSignature\*(C'\fR, \f(CW\*(C`keyEncipherment\*(C'\fR, and/or \f(CW\*(C`keyAgreement\*(C'\fR.
The Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
.Sp
For all other certificates the normal \s-1CA\s0 checks apply. In addition,
the Netscape certificate type must be absent or have the \s-1SSL CA\s0 bit set.
This is used as a workaround if the basicConstraints extension is absent.
.ie n .IP "\fBNetscape \s-1SSL\s0 Server\fR (""nssslserver"")" 4
.el .IP "\fBNetscape \s-1SSL\s0 Server\fR (\f(CWnssslserver\fR)" 4
.IX Item "Netscape SSL Server (nssslserver)"
In addition to what has been described for \fBsslserver\fR, for a Netscape
\&\s-1SSL\s0 client to connect to an \s-1SSL\s0 server, its \s-1EE\s0 certficate must have the
\&\fBkeyEncipherment\fR bit set if the keyUsage extension is present. This isn't
always valid because some cipher suites use the key for digital signing.
Otherwise it is the same as a normal \s-1SSL\s0 server.
.IP "\fBCommon S/MIME Checks\fR" 4
.IX Item "Common S/MIME Checks"
Any given extended key usage extension must allow for \f(CW\*(C`emailProtection\*(C'\fR.
.Sp
For target certificates,
the Netscape certificate type must be absent or should have the S/MIME bit set.
If the S/MIME bit is not set in the Netscape certificate type
then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown.
This is because some Verisign certificates don't set the S/MIME bit.
.Sp
For all other certificates the normal \s-1CA\s0 checks apply. In addition,
the Netscape certificate type must be absent or have the S/MIME \s-1CA\s0 bit set.
This is used as a workaround if the basicConstraints extension is absent.
.ie n .IP "\fBS/MIME Signing\fR (""smimesign"")" 4
.el .IP "\fBS/MIME Signing\fR (\f(CWsmimesign\fR)" 4
.IX Item "S/MIME Signing (smimesign)"
In addition to the common S/MIME checks, for target certficiates
the key usage must allow for \f(CW\*(C`digitalSignature\*(C'\fR and/or \fBnonRepudiation\fR.
.ie n .IP "\fBS/MIME Encryption\fR (""smimeencrypt"")" 4
.el .IP "\fBS/MIME Encryption\fR (\f(CWsmimeencrypt\fR)" 4
.IX Item "S/MIME Encryption (smimeencrypt)"
In addition to the common S/MIME checks, for target certficiates
the key usage must allow for \f(CW\*(C`keyEncipherment\*(C'\fR.
.ie n .IP "\fB\s-1CRL\s0 Signing\fR (""crlsign"")" 4
.el .IP "\fB\s-1CRL\s0 Signing\fR (\f(CWcrlsign\fR)" 4
.IX Item "CRL Signing (crlsign)"
For target certificates, the key usage must allow for \f(CW\*(C`cRLSign\*(C'\fR.
.Sp
For all other certifcates the normal \s-1CA\s0 checks apply.
Except in this case the basicConstraints extension must be present.
.ie n .IP "\fB\s-1OCSP\s0 Helper\fR (""ocsphelper"")" 4
.el .IP "\fB\s-1OCSP\s0 Helper\fR (\f(CWocsphelper\fR)" 4
.IX Item "OCSP Helper (ocsphelper)"
For target certificates, no checks are performed at this stage,
but special checks apply; see \fBOCSP_basic_verify\fR\|(3).
.Sp
For all other certifcates the normal \s-1CA\s0 checks apply.
.ie n .IP "\fBTimestamp Signing\fR (""timestampsign"")" 4
.el .IP "\fBTimestamp Signing\fR (\f(CWtimestampsign\fR)" 4
.IX Item "Timestamp Signing (timestampsign)"
For target certificates, if the key usage extension is present, it must include
\&\f(CW\*(C`digitalSignature\*(C'\fR and/or \f(CW\*(C`nonRepudiation\*(C'\fR and must not include other bits.
The \s-1EKU\s0 extension must be present and contain \f(CW\*(C`timeStamping\*(C'\fR only.
Moreover, it must be marked as critical.
.Sp
For all other certifcates the normal \s-1CA\s0 checks apply.
.ie n .IP "\fBCode Signing\fR (""codesign"")" 4
.el .IP "\fBCode Signing\fR (\f(CWcodesign\fR)" 4
.IX Item "Code Signing (codesign)"
For target certificates,
the key usage extension must be present and marked critical and
include <digitalSignature>, but must not include \f(CW\*(C`keyCertSign\*(C'\fR nor \f(CW\*(C`cRLSign\*(C'\fR.
The \s-1EKU\s0 extension must be present and contain \f(CW\*(C`codeSign\*(C'\fR,
but must not include \f(CW\*(C`anyExtendedKeyUsage\*(C'\fR nor \f(CW\*(C`serverAuth\*(C'\fR.
.Sp
For all other certifcates the normal \s-1CA\s0 checks apply.
.SH "BUGS"
.IX Header "BUGS"
The issuer checks still suffer from limitations in the underlying X509_LOOKUP
\&\s-1API.\s0 One consequence of this is that trusted certificates with matching
subject name must appear in a file (as specified by the \fB\-CAfile\fR option),
a directory (as specified by \fB\-CApath\fR),
or a store (as specified by \fB\-CAstore\fR).
If there are multiple such matches, possibly in multiple locations,
only the first one (in the mentioned order of locations) is recognised.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3),
\&\fBOCSP_basic_verify\fR\|(3),
\&\fBopenssl\-verify\fR\|(1),
\&\fBopenssl\-ocsp\fR\|(1),
\&\fBopenssl\-ts\fR\|(1),
\&\fBopenssl\-s_client\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1),
\&\fBopenssl\-smime\fR\|(1),
\&\fBopenssl\-cmp\fR\|(1),
\&\fBopenssl\-cms\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The checks enabled by \fB\-x509_strict\fR have been extended in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

316
openssl-install/share/man/man1/openssl-verify.1ossl Normal file
View File

@@ -0,0 +1,316 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERIFY 1ossl"
.TH OPENSSL-VERIFY 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-verify \- certificate verification command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBverify\fR
[\fB\-help\fR]
[\fB\-CRLfile\fR \fIfilename\fR|\fIuri\fR]
[\fB\-crl_download\fR]
[\fB\-show_chain\fR]
[\fB\-verbose\fR]
[\fB\-trusted\fR \fIfilename\fR|\fIuri\fR]
[\fB\-untrusted\fR \fIfilename\fR|\fIuri\fR]
[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-CAfile\fR \fIfile\fR]
[\fB\-no\-CAfile\fR]
[\fB\-CApath\fR \fIdir\fR]
[\fB\-no\-CApath\fR]
[\fB\-CAstore\fR \fIuri\fR]
[\fB\-no\-CAstore\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-attime\fR \fItimestamp\fR]
[\fB\-no_check_time\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
[\fB\-policy\fR \fIarg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose\fR \fIpurpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level\fR \fInum\fR]
[\fB\-verify_depth\fR \fInum\fR]
[\fB\-verify_email\fR \fIemail\fR]
[\fB\-verify_hostname\fR \fIhostname\fR]
[\fB\-verify_ip\fR \fIip\fR]
[\fB\-verify_name\fR \fIname\fR]
[\fB\-x509_strict\fR]
[\fB\-issuer_checks\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
[\fB\-\-\fR]
[\fIcertificate\fR ...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command verifies certificate chains. If a certificate chain has multiple
problems, this program attempts to display all of them.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-CRLfile\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CRLfile filename|uri"
The file or \s-1URI\s0 should contain one or more CRLs in \s-1PEM\s0 or \s-1DER\s0 format.
This option can be specified more than once to include CRLs from multiple
sources.
.IP "\fB\-crl_download\fR" 4
.IX Item "-crl_download"
Attempt to download \s-1CRL\s0 information for certificates via their \s-1CDP\s0 entries.
.IP "\fB\-show_chain\fR" 4
.IX Item "-show_chain"
Display information about the certificate chain that has been built (if
successful). Certificates in the chain that came from the untrusted list will be
flagged as \*(L"untrusted\*(R".
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra information about the operations being performed.
.IP "\fB\-trusted\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-trusted filename|uri"
A file or \s-1URI\s0 of (more or less) trusted certificates.
See \fBopenssl\-verification\-options\fR\|(1) for more information on trust settings.
.Sp
This option can be specified more than once to load certificates from multiple
sources.
.IP "\fB\-untrusted\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-untrusted filename|uri"
A file or \s-1URI\s0 of untrusted certificates to use for chain building.
This option can be specified more than once to load certificates from multiple
sources.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.Sp
To load certificates or CRLs that require engine support, specify the
\&\fB\-engine\fR option before any of the
\&\fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options.
.IP "\fB\-CAfile\fR \fIfile\fR, \fB\-no\-CAfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-no\-CApath\fR, \fB\-CAstore\fR \fIuri\fR, \fB\-no\-CAstore\fR" 4
.IX Item "-CAfile file, -no-CAfile, -CApath dir, -no-CApath, -CAstore uri, -no-CAstore"
See \*(L"Trusted Certificate Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR \fB\-issuer_checks\fR" 4
.IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict -issuer_checks"
Set various options of certificate chain verification.
See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.IP "\fB\-\-\fR" 4
.IX Item "--"
Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
with a \fB\-\fR.
.IP "\fIcertificate\fR ..." 4
.IX Item "certificate ..."
One or more target certificates to verify, one per file. If no certificates are
given, this command will attempt to read a single certificate from standard
input.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
When a verify operation fails the output messages can be somewhat cryptic. The
general form of the error message is:
.PP
.Vb 2
\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
\& error 24 at 1 depth lookup:invalid CA certificate
.Ve
.PP
The first line contains the name of the certificate being verified followed by
the subject name of the certificate. The second line contains the error number
and the depth. The depth is number of the certificate being verified when a
problem was detected starting with zero for the target (\*(L"leaf\*(R") certificate
itself then 1 for the \s-1CA\s0 that signed the target certificate and so on.
Finally a textual version of the error number is presented.
.PP
A list of the error codes and messages can be found in
\&\fBX509_STORE_CTX_get_error\fR\|(3); the full list is defined in the header file
\&\fI<openssl/x509_vfy.h>\fR.
.PP
This command ignores many errors, in order to allow all the problems with a
certificate chain to be determined.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-verification\-options\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBossl_store\-file\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-show_chain\fR option was added in OpenSSL 1.1.0.
.PP
The \fB\-engine option\fR was deprecated in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

231
openssl-install/share/man/man1/openssl-version.1ossl Normal file
View File

@@ -0,0 +1,231 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-VERSION 1ossl"
.TH OPENSSL-VERSION 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-version \- print OpenSSL version information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl version\fR
[\fB\-help\fR]
[\fB\-a\fR]
[\fB\-v\fR]
[\fB\-b\fR]
[\fB\-o\fR]
[\fB\-f\fR]
[\fB\-p\fR]
[\fB\-d\fR]
[\fB\-e\fR]
[\fB\-m\fR]
[\fB\-r\fR]
[\fB\-c\fR]
[\fB\-w\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to print out version information about OpenSSL.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-a\fR" 4
.IX Item "-a"
All information, this is the same as setting all the other flags.
.IP "\fB\-v\fR" 4
.IX Item "-v"
The current OpenSSL version.
.IP "\fB\-b\fR" 4
.IX Item "-b"
The date the current version of OpenSSL was built.
.IP "\fB\-o\fR" 4
.IX Item "-o"
Option information: various options set when the library was built.
.IP "\fB\-f\fR" 4
.IX Item "-f"
Compilation flags.
.IP "\fB\-p\fR" 4
.IX Item "-p"
Platform setting.
.IP "\fB\-d\fR" 4
.IX Item "-d"
\&\s-1OPENSSLDIR\s0 setting.
.IP "\fB\-e\fR" 4
.IX Item "-e"
\&\s-1ENGINESDIR\s0 settings.
.IP "\fB\-m\fR" 4
.IX Item "-m"
\&\s-1MODULESDIR\s0 settings.
.IP "\fB\-r\fR" 4
.IX Item "-r"
The random number generator source settings.
.IP "\fB\-c\fR" 4
.IX Item "-c"
The OpenSSL \s-1CPU\s0 settings info.
.IP "\fB\-w\fR" 4
.IX Item "-w"
The OpenSSL \fB\s-1OSSL_WINCTX\s0\fR build time variable, if set.
Used for computing Windows registry key names. This option is unavailable on
non-Windows platforms.
.SH "HISTORY"
.IX Header "HISTORY"
In OpenSSL versions prior to 3.4, OpenSSL had a limitation regarding the
\&\fB\s-1OPENSSLDIR\s0\fR, \fB\s-1MODULESDIR\s0\fR and \fB\s-1ENGINESDIR\s0\fR build time macros. These macros
were defined at build time, and represented filesystem paths. This is common
practice on unix like systems, as there was an expectation that a given build
would be installed to a pre-determined location. On Windows however, there is
no such expectation, as libraries can be installed to arbitrary locations.
\&\fB\s-1OSSL_WINCTX\s0\fR was introduced as a new build time variable to define a set of
registry keys identified by the name openssl\-<version>\-<ctx>, in which the
<version> value is derived from the version string in the openssl source, and
the <ctx> extension is derived from the \fB\s-1OSSL_WINCTX\s0\fR variable. The values of
\&\fB\s-1OPENSSLDIR\s0\fR, \fB\s-1ENGINESDIR\s0\fR and \fB\s-1MODULESDIR\s0\fR can be set to various paths
underneath this key to break the requirement to predict the installation path at
build time.
.SH "NOTES"
.IX Header "NOTES"
The output of \f(CW\*(C`openssl version \-a\*(C'\fR would typically be used when sending
in a bug report.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

891
openssl-install/share/man/man1/openssl-x509.1ossl Normal file
View File

@@ -0,0 +1,891 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-X509 1ossl"
.TH OPENSSL-X509 1ossl "2025-08-16" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-x509 \- Certificate display and signing command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBx509\fR
[\fB\-help\fR]
[\fB\-in\fR \fIfilename\fR|\fIuri\fR]
[\fB\-passin\fR \fIarg\fR]
[\fB\-new\fR]
[\fB\-x509toreq\fR]
[\fB\-req\fR]
[\fB\-copy_extensions\fR \fIarg\fR]
[\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
[\fB\-key\fR \fIfilename\fR|\fIuri\fR]
[\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
[\fB\-nocert\fR]
[\fB\-noout\fR]
[\fB\-dateopt\fR]
[\fB\-text\fR]
[\fB\-certopt\fR \fIoption\fR]
[\fB\-fingerprint\fR]
[\fB\-alias\fR]
[\fB\-serial\fR]
[\fB\-startdate\fR]
[\fB\-enddate\fR]
[\fB\-dates\fR]
[\fB\-subject\fR]
[\fB\-issuer\fR]
[\fB\-nameopt\fR \fIoption\fR]
[\fB\-email\fR]
[\fB\-hash\fR]
[\fB\-subject_hash\fR]
[\fB\-subject_hash_old\fR]
[\fB\-issuer_hash\fR]
[\fB\-issuer_hash_old\fR]
[\fB\-ext\fR \fIextensions\fR]
[\fB\-ocspid\fR]
[\fB\-ocsp_uri\fR]
[\fB\-purpose\fR]
[\fB\-pubkey\fR]
[\fB\-modulus\fR]
[\fB\-checkend\fR \fInum\fR]
[\fB\-checkhost\fR \fIhost\fR]
[\fB\-checkemail\fR \fIhost\fR]
[\fB\-checkip\fR \fIipaddr\fR]
[\fB\-set_serial\fR \fIn\fR]
[\fB\-next_serial\fR]
[\fB\-not_before\fR \fIdate\fR]
[\fB\-not_after\fR \fIdate\fR]
[\fB\-days\fR \fIarg\fR]
[\fB\-preserve_dates\fR]
[\fB\-set_issuer\fR \fIarg\fR]
[\fB\-set_subject\fR \fIarg\fR]
[\fB\-subj\fR \fIarg\fR]
[\fB\-force_pubkey\fR \fIfilename\fR]
[\fB\-clrext\fR]
[\fB\-extfile\fR \fIfilename\fR]
[\fB\-extensions\fR \fIsection\fR]
[\fB\-sigopt\fR \fInm\fR:\fIv\fR]
[\fB\-badsig\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
[\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
[\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
[\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
[\fB\-CAserial\fR \fIfilename\fR]
[\fB\-CAcreateserial\fR]
[\fB\-trustout\fR]
[\fB\-setalias\fR \fIarg\fR]
[\fB\-clrtrust\fR]
[\fB\-addtrust\fR \fIarg\fR]
[\fB\-clrreject\fR]
[\fB\-addreject\fR \fIarg\fR]
[\fB\-rand\fR \fIfiles\fR]
[\fB\-writerand\fR \fIfile\fR]
[\fB\-engine\fR \fIid\fR]
[\fB\-provider\fR \fIname\fR]
[\fB\-provider\-path\fR \fIpath\fR]
[\fB\-propquery\fR \fIpropq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is a multi-purposes certificate handling command.
It can be used to print certificate information,
convert certificates to various forms, edit certificate trust settings,
generate certificates from scratch or from certification requests
and then self-signing them or signing them like a \*(L"micro \s-1CA\*(R".\s0
.PP
Generated certificates bear X.509 version 3.
Unless specified otherwise,
key identifier extensions are included as described in \fBx509v3_config\fR\|(5).
.PP
Since there are a large number of options they will split up into
various sections.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Input, Output, and General Purpose Options"
.IX Subsection "Input, Output, and General Purpose Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-in filename|uri"
This specifies the input to read a certificate from
or the input file for reading a certificate request if the \fB\-req\fR flag is used.
In both cases this defaults to standard input.
.Sp
This option cannot be combined with the \fB\-new\fR flag.
.IP "\fB\-passin\fR \fIarg\fR" 4
.IX Item "-passin arg"
The key and certificate file password source.
For more information about the format of \fIarg\fR
see \fBopenssl\-passphrase\-options\fR\|(1).
.IP "\fB\-new\fR" 4
.IX Item "-new"
Generate a certificate from scratch, not using an input certificate
or certificate request.
So this excludes the \fB\-in\fR and \fB\-req\fR options.
Instead, the \fB\-set_subject\fR option needs to be given.
The public key to include can be given with the \fB\-force_pubkey\fR option
and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
which implies self-signature.
.IP "\fB\-x509toreq\fR" 4
.IX Item "-x509toreq"
Output a PKCS#10 certificate request (rather than a certificate).
The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
self-signing; the corresponding public key is placed in the subjectPKInfo field.
.Sp
X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
.IP "\fB\-req\fR" 4
.IX Item "-req"
By default a certificate is expected on input.
With this option a PKCS#10 certificate request is expected instead,
which must be correctly self-signed.
.Sp
X.509 extensions included in the request are not copied by default.
X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
.IP "\fB\-copy_extensions\fR \fIarg\fR" 4
.IX Item "-copy_extensions arg"
Determines how to handle X.509 extensions
when converting from a certificate to a request using the \fB\-x509toreq\fR option
or converting from a request to a certificate using the \fB\-req\fR option.
If \fIarg\fR is \fBnone\fR or this option is not present then extensions are ignored.
If \fIarg\fR is \fBcopy\fR or \fBcopyall\fR then all extensions are copied,
except that subject identifier and authority key identifier extensions
are not taken over when producing a certificate request.
.Sp
The \fB\-ext\fR option can be used to further restrict which extensions to copy.
.IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-inform DER|PEM"
The input file format to use; by default \s-1PEM\s0 is tried first.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-vfyopt nm:v"
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-key filename|uri"
This option provides the private key for signing a new certificate or
certificate request.
Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
the new certificate or certificate request, resulting in a self-signature.
.Sp
This option cannot be used in conjunction with the \fB\-CA\fR option.
.Sp
It sets the issuer name to the subject name (i.e., makes it self-issued).
Unless the \fB\-preserve_dates\fR option is supplied,
it sets the validity start date to the current time
and the end date to a value determined by the \fB\-days\fR option.
Start date and end date can also be explicitly supplied with options
\&\fB\-not_before\fR and \fB\-not_after\fR.
.IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-signkey filename|uri"
This option is an alias of \fB\-key\fR.
.IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-keyform DER|PEM|P12|ENGINE"
The key input format; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write to or standard output by default.
.IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
.IX Item "-outform DER|PEM"
The output format; the default is \fB\s-1PEM\s0\fR.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-nocert\fR" 4
.IX Item "-nocert"
Do not output a certificate (except for printing as requested by below options).
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output except for printing as requested by below options.
.SS "Certificate Printing Options"
.IX Subsection "Certificate Printing Options"
Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
but are described in the \*(L"Trust Settings\*(R" section.
.IP "\fB\-dateopt\fR" 4
.IX Item "-dateopt"
Specify the date output format. Values are: rfc_822 and iso_8601.
Defaults to rfc_822.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the certificate in text form. Full details are printed including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
.IP "\fB\-certopt\fR \fIoption\fR" 4
.IX Item "-certopt option"
Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
can be a single option or multiple options separated by commas.
The \fB\-certopt\fR switch may be also be used more than once to set multiple
options. See the \*(L"Text Printing Flags\*(R" section for more information.
.IP "\fB\-fingerprint\fR" 4
.IX Item "-fingerprint"
Calculates and prints the digest of the \s-1DER\s0 encoded version of the entire
certificate (see digest options).
This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
digests, the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.
.IP "\fB\-alias\fR" 4
.IX Item "-alias"
Prints the certificate \*(L"alias\*(R" (nickname), if any.
.IP "\fB\-serial\fR" 4
.IX Item "-serial"
Prints the certificate serial number.
.IP "\fB\-startdate\fR" 4
.IX Item "-startdate"
Prints out the start date of the certificate, that is the notBefore date.
.IP "\fB\-enddate\fR" 4
.IX Item "-enddate"
Prints out the expiry date of the certificate, that is the notAfter date.
.IP "\fB\-dates\fR" 4
.IX Item "-dates"
Prints out the start and expiry dates of a certificate.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
Prints the subject name.
.IP "\fB\-issuer\fR" 4
.IX Item "-issuer"
Prints the issuer name.
.IP "\fB\-nameopt\fR \fIoption\fR" 4
.IX Item "-nameopt option"
This specifies how the subject or issuer names are displayed.
See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
.IP "\fB\-email\fR" 4
.IX Item "-email"
Prints the email address(es) if any.
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
.IP "\fB\-subject_hash\fR" 4
.IX Item "-subject_hash"
Prints the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
form an index to allow certificates in a directory to be looked up by subject
name.
.IP "\fB\-subject_hash_old\fR" 4
.IX Item "-subject_hash_old"
Prints the \*(L"hash\*(R" of the certificate subject name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-issuer_hash\fR" 4
.IX Item "-issuer_hash"
Prints the \*(L"hash\*(R" of the certificate issuer name.
.IP "\fB\-issuer_hash_old\fR" 4
.IX Item "-issuer_hash_old"
Prints the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-ext\fR \fIextensions\fR" 4
.IX Item "-ext extensions"
Prints out the certificate extensions in text form.
Can also be used to restrict which extensions to copy.
Extensions are specified
with a comma separated string, e.g., \*(L"subjectAltName, subjectKeyIdentifier\*(R".
See the \fBx509v3_config\fR\|(5) manual page for the extension names.
.IP "\fB\-ocspid\fR" 4
.IX Item "-ocspid"
Prints the \s-1OCSP\s0 hash values for the subject name and public key.
.IP "\fB\-ocsp_uri\fR" 4
.IX Item "-ocsp_uri"
Prints the \s-1OCSP\s0 responder address(es) if any.
.IP "\fB\-purpose\fR" 4
.IX Item "-purpose"
This option performs tests on the certificate extensions and outputs
the results. For a more complete description see
\&\*(L"Certificate Extensions\*(R" in \fBopenssl\-verification\-options\fR\|(1).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Prints the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the modulus of the public key
contained in the certificate.
.SS "Certificate Checking Options"
.IX Subsection "Certificate Checking Options"
.IP "\fB\-checkend\fR \fIarg\fR" 4
.IX Item "-checkend arg"
Checks if the certificate expires within the next \fIarg\fR seconds and exits
nonzero if yes it will expire or zero if not.
.IP "\fB\-checkhost\fR \fIhost\fR" 4
.IX Item "-checkhost host"
Check that the certificate matches the specified host.
.IP "\fB\-checkemail\fR \fIemail\fR" 4
.IX Item "-checkemail email"
Check that the certificate matches the specified email address.
.IP "\fB\-checkip\fR \fIipaddr\fR" 4
.IX Item "-checkip ipaddr"
Check that the certificate matches the specified \s-1IP\s0 address.
.SS "Certificate Output Options"
.IX Subsection "Certificate Output Options"
.IP "\fB\-set_serial\fR \fIn\fR" 4
.IX Item "-set_serial n"
Specifies the serial number to use.
This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
If used in conjunction with the \fB\-CA\fR option
the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
.Sp
The serial number can be decimal or hex (if preceded by \f(CW\*(C`0x\*(C'\fR).
.IP "\fB\-next_serial\fR" 4
.IX Item "-next_serial"
Set the serial to be one more than the number in the certificate.
.IP "\fB\-not_before\fR \fIdate\fR" 4
.IX Item "-not_before date"
This allows the start date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.Sp
Cannot be used together with the \fB\-preserve_dates\fR option.
.IP "\fB\-not_after\fR \fIdate\fR" 4
.IX Item "-not_after date"
This allows the expiry date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
Alternatively, you can also use \*(L"today\*(R".
.Sp
Cannot be used together with the \fB\-preserve_dates\fR option.
This overrides the option \fB\-days\fR.
.IP "\fB\-days\fR \fIarg\fR" 4
.IX Item "-days arg"
Specifies the number of days from today until a newly generated certificate expires.
The default is 30.
.Sp
Cannot be used together with the option \fB\-preserve_dates\fR.
If option \fB\-not_after\fR is set, the explicit expiry date takes precedence.
.IP "\fB\-preserve_dates\fR" 4
.IX Item "-preserve_dates"
When signing a certificate, preserve \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates of any
input certificate instead of adjusting them to current time and duration.
Cannot be used together with the options \fB\-days\fR, \fB\-not_before\fR and \fB\-not_after\fR.
.IP "\fB\-set_issuer\fR \fIarg\fR" 4
.IX Item "-set_issuer arg"
When a certificate is created set its issuer name to the given value.
.Sp
See \fB\-set_subject\fR on how the arg must be formatted.
.IP "\fB\-set_subject\fR \fIarg\fR" 4
.IX Item "-set_subject arg"
When a certificate is created set its subject name to the given value.
When the certificate is self-signed the issuer name is set to the same value,
unless the \fB\-set_issuer\fR option is given.
.Sp
The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
Special characters may be escaped by \f(CW\*(C`\e\*(C'\fR (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the certificate.
Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/\*(C'\fR
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:
.Sp
\&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR
.Sp
This option can be used with the \fB\-new\fR and \fB\-force_pubkey\fR options to create
a new certificate without providing an input certificate or certificate request.
.IP "\fB\-subj\fR \fIarg\fR" 4
.IX Item "-subj arg"
This option is an alias of \fB\-set_subject\fR.
.IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
.IX Item "-force_pubkey filename"
When a new certificate or certificate request is created
set its public key to the given key
instead of the key contained in the input
or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
If the input contains no public key but a private key, its public part is used.
.Sp
This option can be used in conjunction with b<\-new> and \fB\-set_subject\fR
to directly generate a certificate containing any desired public key.
.Sp
This option is also useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as \s-1DH.\s0
.IP "\fB\-clrext\fR" 4
.IX Item "-clrext"
When transforming a certificate to a new certificate
by default all certificate extensions are retained.
.Sp
When transforming a certificate or certificate request,
the \fB\-clrext\fR option prevents taking over any extensions from the source.
In any case, when producing a certificate request,
neither subject identifier nor authority key identifier extensions are included.
.IP "\fB\-extfile\fR \fIfilename\fR" 4
.IX Item "-extfile filename"
Configuration file containing certificate and request X.509 extensions to add.
.IP "\fB\-extensions\fR \fIsection\fR" 4
.IX Item "-extensions section"
The section in the extfile to add X.509 extensions from.
If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
\&\*(L"extensions\*(R" which contains the section to use.
.Sp
See the \fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.Sp
Unless specified otherwise,
key identifier extensions are included as described in \fBx509v3_config\fR\|(5).
.IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign operations.
This option may be given multiple times.
Names and values provided using this option are algorithm-specific.
.IP "\fB\-badsig\fR" 4
.IX Item "-badsig"
Corrupt the signature before writing it; this can be useful
for testing.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The digest to use.
This affects any signing or printing option that uses a message
digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
.SS "Micro-CA Options"
.IX Subsection "Micro-CA Options"
.IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CA filename|uri"
Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing.
When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as detailed below.
.Sp
This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
This option is normally combined with the \fB\-req\fR option referencing a \s-1CSR.\s0
Without the \fB\-req\fR option the input must be an existing certificate
unless the \fB\-new\fR option is given, which generates a certificate from scratch.
.IP "\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR," 4
.IX Item "-CAform DER|PEM|P12,"
The format for the \s-1CA\s0 certificate; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
.IX Item "-CAkey filename|uri"
Sets the \s-1CA\s0 private key to sign a certificate with.
The private key must match the public key of the certificate given with \fB\-CA\fR.
If this option is not provided then the key must be present in the \fB\-CA\fR input.
.IP "\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
.IX Item "-CAkeyform DER|PEM|P12|ENGINE"
The format for the \s-1CA\s0 key; unspecified by default.
See \fBopenssl\-format\-options\fR\|(1) for details.
.IP "\fB\-CAserial\fR \fIfilename\fR" 4
.IX Item "-CAserial filename"
Sets the \s-1CA\s0 serial number file to use.
.Sp
When creating a certificate with this option and with the \fB\-CA\fR option,
the certificate serial number is stored in the given file.
This file consists of one line containing
an even number of hex digits with the serial number used last time.
After reading this number, it is incremented and used, and the file is updated.
.Sp
The default filename consists of the \s-1CA\s0 certificate file base name with
\&\fI.srl\fR appended. For example if the \s-1CA\s0 certificate file is called
\&\fImycacert.pem\fR it expects to find a serial number file called
\&\fImycacert.srl\fR.
.Sp
If the \fB\-CA\fR option is specified and neither <\-CAserial> or <\-CAcreateserial>
is given and the default serial number file does not exist,
a random number is generated; this is the recommended practice.
.IP "\fB\-CAcreateserial\fR" 4
.IX Item "-CAcreateserial"
With this option and the \fB\-CA\fR option
the \s-1CA\s0 serial number file is created if it does not exist.
A random number is generated, used for the certificate,
and saved into the serial number file determined as described above.
.SS "Trust Settings"
.IX Subsection "Trust Settings"
A \fBtrusted certificate\fR is an ordinary certificate which has several
additional pieces of information attached to it such as the permitted
and prohibited uses of the certificate and possibly an \*(L"alias\*(R" (nickname).
.PP
Normally when a certificate is being verified at least one certificate
must be \*(L"trusted\*(R". By default a trusted certificate must be stored
locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
is then usable for any purpose.
.PP
Trust settings currently are only used with a root \s-1CA.\s0
They allow a finer control over the purposes the root \s-1CA\s0 can be used for.
For example, a \s-1CA\s0 may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
.PP
See \fBopenssl\-verification\-options\fR\|(1) for more information
on the meaning of trust settings.
.PP
Future versions of OpenSSL will recognize trust settings on any
certificate: not just root CAs.
.IP "\fB\-trustout\fR" 4
.IX Item "-trustout"
Mark any certificate \s-1PEM\s0 output as <trusted> certificate rather than ordinary.
An ordinary or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded.
With the \fB\-trustout\fR option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.
.IP "\fB\-setalias\fR \fIarg\fR" 4
.IX Item "-setalias arg"
Sets the \*(L"alias\*(R" of the certificate. This will allow the certificate
to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
.IP "\fB\-clrtrust\fR" 4
.IX Item "-clrtrust"
Clears all the permitted or trusted uses of the certificate.
.IP "\fB\-addtrust\fR \fIarg\fR" 4
.IX Item "-addtrust arg"
Adds a trusted certificate use.
Any object name can be used here but currently only \fBclientAuth\fR,
\&\fBserverAuth\fR, \fBemailProtection\fR, and \fBanyExtendedKeyUsage\fR are defined.
As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
.IP "\fB\-clrreject\fR" 4
.IX Item "-clrreject"
Clears all the prohibited or rejected uses of the certificate.
.IP "\fB\-addreject\fR \fIarg\fR" 4
.IX Item "-addreject arg"
Adds a prohibited trust anchor purpose.
It accepts the same values as the \fB\-addtrust\fR option.
.SS "Generic options"
.IX Subsection "Generic options"
.IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
.IX Item "-rand files, -writerand file"
See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
This option is deprecated.
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
.PD 0
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
.PD
See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
.SS "Text Printing Flags"
.IX Subsection "Text Printing Flags"
As well as customising the name printing format, it is also possible to
customise the actual fields printed using the \fBcertopt\fR option when
the \fBtext\fR option is present. The default behaviour is to print all fields.
.IP "\fBcompatible\fR" 4
.IX Item "compatible"
Use the old format. This is equivalent to specifying no printing options at all.
.IP "\fBno_header\fR" 4
.IX Item "no_header"
Don't print header information: that is the lines saying \*(L"Certificate\*(R"
and \*(L"Data\*(R".
.IP "\fBno_version\fR" 4
.IX Item "no_version"
Don't print out the version number.
.IP "\fBno_serial\fR" 4
.IX Item "no_serial"
Don't print out the serial number.
.IP "\fBno_signame\fR" 4
.IX Item "no_signame"
Don't print out the signature algorithm used.
.IP "\fBno_validity\fR" 4
.IX Item "no_validity"
Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
.IP "\fBno_subject\fR" 4
.IX Item "no_subject"
Don't print out the subject name.
.IP "\fBno_issuer\fR" 4
.IX Item "no_issuer"
Don't print out the issuer name.
.IP "\fBno_pubkey\fR" 4
.IX Item "no_pubkey"
Don't print out the public key.
.IP "\fBno_sigdump\fR" 4
.IX Item "no_sigdump"
Don't give a hexadecimal dump of the certificate signature.
.IP "\fBno_aux\fR" 4
.IX Item "no_aux"
Don't print out certificate trust information.
.IP "\fBno_extensions\fR" 4
.IX Item "no_extensions"
Don't print out any X509V3 extensions.
.IP "\fBext_default\fR" 4
.IX Item "ext_default"
Retain default extension behaviour: attempt to print out unsupported
certificate extensions.
.IP "\fBext_error\fR" 4
.IX Item "ext_error"
Print an error message for unsupported certificate extensions.
.IP "\fBext_parse\fR" 4
.IX Item "ext_parse"
\&\s-1ASN1\s0 parse unsupported extensions.
.IP "\fBext_dump\fR" 4
.IX Item "ext_dump"
Hex dump unsupported extensions.
.IP "\fBca_default\fR" 4
.IX Item "ca_default"
The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
\&\fBno_header\fR, and \fBno_version\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: in these examples the '\e' means the example should be all on one
line.
.PP
Print the contents of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-text
.Ve
.PP
Print the \*(L"Subject Alternative Name\*(R" extension of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
.Ve
.PP
Print more extensions of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
.Ve
.PP
Print the certificate serial number:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-serial
.Ve
.PP
Print the certificate subject name:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject
.Ve
.PP
Print the certificate subject name in \s-1RFC2253\s0 form:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
.Ve
.PP
Print the certificate subject name in oneline form on a terminal
supporting \s-1UTF8:\s0
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
.Ve
.PP
Print the certificate \s-1SHA1\s0 fingerprint:
.PP
.Vb 1
\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
.Ve
.PP
Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
.Ve
.PP
Convert a certificate to a certificate request:
.PP
.Vb 1
\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
.Ve
.PP
Convert a certificate request into a self-signed certificate using
extensions for a \s-1CA:\s0
.PP
.Vb 2
\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
\& \-key key.pem \-out cacert.pem
.Ve
.PP
Sign a certificate request using the \s-1CA\s0 certificate above and add user
certificate extensions:
.PP
.Vb 2
\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
.Ve
.PP
Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
.PP
.Vb 2
\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The conversion to \s-1UTF8\s0 format used with the name options assumes that
T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
it is more likely to print the majority of certificates correctly.
.PP
The \fB\-email\fR option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.
.SH "BUGS"
.IX Header "BUGS"
It is possible to produce invalid certificates or requests by specifying the
wrong private key, using unsuitable X.509 extensions,
or using inconsistent options in some cases: these should be checked.
.PP
There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBopenssl\-verify\fR\|(1),
\&\fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using the old
form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
.PP
The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
keeping the old name as an alias.
.PP
The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
.PP
The \fB\-C\fR option was removed in OpenSSL 3.0.
.PP
Since OpenSSL 3.2, generated certificates bear X.509 version 3,
and key identifier extensions are included by default.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

775
openssl-install/share/man/man1/openssl.1ossl Normal file
View File

@@ -0,0 +1,775 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL 1ossl"
.TH OPENSSL 1ossl "2025-07-01" "3.4.2" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl \- OpenSSL command line program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIoptions\fR ... ]
[ \fIparameters\fR ... ]
.PP
\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIoptions\fR ]
.PP
\&\fBopenssl\fR \fB\-help\fR | \fB\-version\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0)
and Transport Layer Security (\s-1TLS\s0) network protocols and related
cryptography standards required by them.
.PP
The \fBopenssl\fR program is a command line program for using the various
cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
It can be used for
.PP
.Vb 8
\& o Creation and management of private keys, public keys and parameters
\& o Public key cryptographic operations
\& o Creation of X.509 certificates, CSRs and CRLs
\& o Calculation of Message Digests and Message Authentication Codes
\& o Encryption and Decryption with Ciphers
\& o SSL/TLS Client and Server Tests
\& o Handling of S/MIME signed or encrypted mail
\& o Timestamp requests, generation and verification
.Ve
.SH "COMMAND SUMMARY"
.IX Header "COMMAND SUMMARY"
The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in
the \*(L"\s-1SYNOPSIS\*(R"\s0 above).
Each command can have many options and argument parameters, shown above as
\&\fIoptions\fR and \fIparameters\fR.
.PP
Detailed documentation and use cases for most standard subcommands are available
(e.g., \fBopenssl\-x509\fR\|(1)). The subcommand \fBopenssl\-list\fR\|(1) may be used to list
subcommands.
.PP
The command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and
nothing is printed to \fBstderr\fR. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is
not able to detect pseudo-commands such as \fBquit\fR,
\&\fBlist\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
.SS "Configuration Option"
.IX Subsection "Configuration Option"
Many commands use an external configuration file for some or all of their
arguments and have a \fB\-config\fR option to specify that file.
The default name of the file is \fIopenssl.cnf\fR in the default certificate
storage area, which can be determined from the \fBopenssl\-version\fR\|(1)
command using the \fB\-d\fR or \fB\-a\fR option.
The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify a different
file location or to disable loading a configuration (using the empty string).
.PP
Among others, the configuration file can be used to load modules
and to specify parameters for generating certificates and random numbers.
See \fBconfig\fR\|(5) for details.
.SS "Standard Commands"
.IX Subsection "Standard Commands"
.IP "\fBasn1parse\fR" 4
.IX Item "asn1parse"
Parse an \s-1ASN.1\s0 sequence.
.IP "\fBca\fR" 4
.IX Item "ca"
Certificate Authority (\s-1CA\s0) Management.
.IP "\fBciphers\fR" 4
.IX Item "ciphers"
Cipher Suite Description Determination.
.IP "\fBcms\fR" 4
.IX Item "cms"
\&\s-1CMS\s0 (Cryptographic Message Syntax) command.
.IP "\fBcrl\fR" 4
.IX Item "crl"
Certificate Revocation List (\s-1CRL\s0) Management.
.IP "\fBcrl2pkcs7\fR" 4
.IX Item "crl2pkcs7"
\&\s-1CRL\s0 to PKCS#7 Conversion.
.IP "\fBdgst\fR" 4
.IX Item "dgst"
Message Digest calculation. \s-1MAC\s0 calculations are superseded by
\&\fBopenssl\-mac\fR\|(1).
.IP "\fBdhparam\fR" 4
.IX Item "dhparam"
Generation and Management of Diffie-Hellman Parameters. Superseded by
\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1).
.IP "\fBdsa\fR" 4
.IX Item "dsa"
\&\s-1DSA\s0 Data Management.
.IP "\fBdsaparam\fR" 4
.IX Item "dsaparam"
\&\s-1DSA\s0 Parameter Generation and Management. Superseded by
\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkeyparam\fR\|(1).
.IP "\fBec\fR" 4
.IX Item "ec"
\&\s-1EC\s0 (Elliptic curve) key processing.
.IP "\fBecparam\fR" 4
.IX Item "ecparam"
\&\s-1EC\s0 parameter manipulation and generation.
.IP "\fBenc\fR" 4
.IX Item "enc"
Encryption, decryption, and encoding.
.IP "\fBengine\fR" 4
.IX Item "engine"
Engine (loadable module) information and manipulation.
.IP "\fBerrstr\fR" 4
.IX Item "errstr"
Error Number to Error String Conversion.
.IP "\fBfipsinstall\fR" 4
.IX Item "fipsinstall"
\&\s-1FIPS\s0 configuration installation.
.IP "\fBgendsa\fR" 4
.IX Item "gendsa"
Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by
\&\fBopenssl\-genpkey\fR\|(1) and \fBopenssl\-pkey\fR\|(1).
.IP "\fBgenpkey\fR" 4
.IX Item "genpkey"
Generation of Private Key or Parameters.
.IP "\fBgenrsa\fR" 4
.IX Item "genrsa"
Generation of \s-1RSA\s0 Private Key. Superseded by \fBopenssl\-genpkey\fR\|(1).
.IP "\fBhelp\fR" 4
.IX Item "help"
Display information about a command's options.
.IP "\fBinfo\fR" 4
.IX Item "info"
Display diverse information built into the OpenSSL libraries.
.IP "\fBkdf\fR" 4
.IX Item "kdf"
Key Derivation Functions.
.IP "\fBlist\fR" 4
.IX Item "list"
List algorithms and features.
.IP "\fBmac\fR" 4
.IX Item "mac"
Message Authentication Code Calculation.
.IP "\fBnseq\fR" 4
.IX Item "nseq"
Create or examine a Netscape certificate sequence.
.IP "\fBocsp\fR" 4
.IX Item "ocsp"
Online Certificate Status Protocol command.
.IP "\fBpasswd\fR" 4
.IX Item "passwd"
Generation of hashed passwords.
.IP "\fBpkcs12\fR" 4
.IX Item "pkcs12"
PKCS#12 Data Management.
.IP "\fBpkcs7\fR" 4
.IX Item "pkcs7"
PKCS#7 Data Management.
.IP "\fBpkcs8\fR" 4
.IX Item "pkcs8"
PKCS#8 format private key conversion command.
.IP "\fBpkey\fR" 4
.IX Item "pkey"
Public and private key management.
.IP "\fBpkeyparam\fR" 4
.IX Item "pkeyparam"
Public key algorithm parameter management.
.IP "\fBpkeyutl\fR" 4
.IX Item "pkeyutl"
Public key algorithm cryptographic operation command.
.IP "\fBprime\fR" 4
.IX Item "prime"
Compute prime numbers.
.IP "\fBrand\fR" 4
.IX Item "rand"
Generate pseudo-random bytes.
.IP "\fBrehash\fR" 4
.IX Item "rehash"
Create symbolic links to certificate and \s-1CRL\s0 files named by the hash values.
.IP "\fBreq\fR" 4
.IX Item "req"
PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
.IP "\fBrsa\fR" 4
.IX Item "rsa"
\&\s-1RSA\s0 key management.
.IP "\fBrsautl\fR" 4
.IX Item "rsautl"
\&\s-1RSA\s0 command for signing, verification, encryption, and decryption. Superseded
by \fBopenssl\-pkeyutl\fR\|(1).
.IP "\fBs_client\fR" 4
.IX Item "s_client"
This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
.IP "\fBs_server\fR" 4
.IX Item "s_server"
This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides
only rudimentary interface functionality but internally uses mostly all
functionality of the OpenSSL \fBssl\fR library. It provides both an own command
line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
facility to emulate an SSL/TLS\-aware webserver.
.IP "\fBs_time\fR" 4
.IX Item "s_time"
\&\s-1SSL\s0 Connection Timer.
.IP "\fBsess_id\fR" 4
.IX Item "sess_id"
\&\s-1SSL\s0 Session Data Management.
.IP "\fBsmime\fR" 4
.IX Item "smime"
S/MIME mail processing.
.IP "\fBspeed\fR" 4
.IX Item "speed"
Algorithm Speed Measurement.
.IP "\fBspkac\fR" 4
.IX Item "spkac"
\&\s-1SPKAC\s0 printing and generating command.
.IP "\fBsrp\fR" 4
.IX Item "srp"
Maintain \s-1SRP\s0 password file. This command is deprecated.
.IP "\fBstoreutl\fR" 4
.IX Item "storeutl"
Command to list and display certificates, keys, CRLs, etc.
.IP "\fBts\fR" 4
.IX Item "ts"
Time Stamping Authority command.
.IP "\fBverify\fR" 4
.IX Item "verify"
X.509 Certificate Verification.
See also the \fBopenssl\-verification\-options\fR\|(1) manual page.
.IP "\fBversion\fR" 4
.IX Item "version"
OpenSSL Version Information.
.IP "\fBx509\fR" 4
.IX Item "x509"
X.509 Certificate Data Management.
.SS "Message Digest Commands"
.IX Subsection "Message Digest Commands"
.IP "\fBblake2b512\fR" 4
.IX Item "blake2b512"
BLAKE2b\-512 Digest
.IP "\fBblake2s256\fR" 4
.IX Item "blake2s256"
BLAKE2s\-256 Digest
.IP "\fBmd2\fR" 4
.IX Item "md2"
\&\s-1MD2\s0 Digest
.IP "\fBmd4\fR" 4
.IX Item "md4"
\&\s-1MD4\s0 Digest
.IP "\fBmd5\fR" 4
.IX Item "md5"
\&\s-1MD5\s0 Digest
.IP "\fBmdc2\fR" 4
.IX Item "mdc2"
\&\s-1MDC2\s0 Digest
.IP "\fBrmd160\fR" 4
.IX Item "rmd160"
\&\s-1RMD\-160\s0 Digest
.IP "\fBsha1\fR" 4
.IX Item "sha1"
\&\s-1SHA\-1\s0 Digest
.IP "\fBsha224\fR" 4
.IX Item "sha224"
\&\s-1SHA\-2 224\s0 Digest
.IP "\fBsha256\fR" 4
.IX Item "sha256"
\&\s-1SHA\-2 256\s0 Digest
.IP "\fBsha384\fR" 4
.IX Item "sha384"
\&\s-1SHA\-2 384\s0 Digest
.IP "\fBsha512\fR" 4
.IX Item "sha512"
\&\s-1SHA\-2 512\s0 Digest
.IP "\fBsha3\-224\fR" 4
.IX Item "sha3-224"
\&\s-1SHA\-3 224\s0 Digest
.IP "\fBsha3\-256\fR" 4
.IX Item "sha3-256"
\&\s-1SHA\-3 256\s0 Digest
.IP "\fBsha3\-384\fR" 4
.IX Item "sha3-384"
\&\s-1SHA\-3 384\s0 Digest
.IP "\fBsha3\-512\fR" 4
.IX Item "sha3-512"
\&\s-1SHA\-3 512\s0 Digest
.IP "\fBkeccak\-224\fR" 4
.IX Item "keccak-224"
\&\s-1KECCAK 224\s0 Digest
.IP "\fBkeccak\-256\fR" 4
.IX Item "keccak-256"
\&\s-1KECCAK 256\s0 Digest
.IP "\fBkeccak\-384\fR" 4
.IX Item "keccak-384"
\&\s-1KECCAK 384\s0 Digest
.IP "\fBkeccak\-512\fR" 4
.IX Item "keccak-512"
\&\s-1KECCAK 512\s0 Digest
.IP "\fBshake128\fR" 4
.IX Item "shake128"
\&\s-1SHA\-3 SHAKE128\s0 Digest
.IP "\fBshake256\fR" 4
.IX Item "shake256"
\&\s-1SHA\-3 SHAKE256\s0 Digest
.IP "\fBsm3\fR" 4
.IX Item "sm3"
\&\s-1SM3\s0 Digest
.SS "Encryption, Decryption, and Encoding Commands"
.IX Subsection "Encryption, Decryption, and Encoding Commands"
The following aliases provide convenient access to the most used encodings
and ciphers.
.PP
Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See \fBopenssl\-enc\fR\|(1) for more information.
.IP "\fBaes128\fR, \fBaes\-128\-cbc\fR, \fBaes\-128\-cfb\fR, \fBaes\-128\-ctr\fR, \fBaes\-128\-ecb\fR, \fBaes\-128\-ofb\fR" 4
.IX Item "aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb"
\&\s-1AES\-128\s0 Cipher
.IP "\fBaes192\fR, \fBaes\-192\-cbc\fR, \fBaes\-192\-cfb\fR, \fBaes\-192\-ctr\fR, \fBaes\-192\-ecb\fR, \fBaes\-192\-ofb\fR" 4
.IX Item "aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb"
\&\s-1AES\-192\s0 Cipher
.IP "\fBaes256\fR, \fBaes\-256\-cbc\fR, \fBaes\-256\-cfb\fR, \fBaes\-256\-ctr\fR, \fBaes\-256\-ecb\fR, \fBaes\-256\-ofb\fR" 4
.IX Item "aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb"
\&\s-1AES\-256\s0 Cipher
.IP "\fBaria128\fR, \fBaria\-128\-cbc\fR, \fBaria\-128\-cfb\fR, \fBaria\-128\-ctr\fR, \fBaria\-128\-ecb\fR, \fBaria\-128\-ofb\fR" 4
.IX Item "aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb, aria-128-ofb"
Aria\-128 Cipher
.IP "\fBaria192\fR, \fBaria\-192\-cbc\fR, \fBaria\-192\-cfb\fR, \fBaria\-192\-ctr\fR, \fBaria\-192\-ecb\fR, \fBaria\-192\-ofb\fR" 4
.IX Item "aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb, aria-192-ofb"
Aria\-192 Cipher
.IP "\fBaria256\fR, \fBaria\-256\-cbc\fR, \fBaria\-256\-cfb\fR, \fBaria\-256\-ctr\fR, \fBaria\-256\-ecb\fR, \fBaria\-256\-ofb\fR" 4
.IX Item "aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb, aria-256-ofb"
Aria\-256 Cipher
.IP "\fBbase64\fR" 4
.IX Item "base64"
Base64 Encoding
.IP "\fBbf\fR, \fBbf-cbc\fR, \fBbf-cfb\fR, \fBbf-ecb\fR, \fBbf-ofb\fR" 4
.IX Item "bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb"
Blowfish Cipher
.IP "\fBcamellia128\fR, \fBcamellia\-128\-cbc\fR, \fBcamellia\-128\-cfb\fR, \fBcamellia\-128\-ctr\fR, \fBcamellia\-128\-ecb\fR, \fBcamellia\-128\-ofb\fR" 4
.IX Item "camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr, camellia-128-ecb, camellia-128-ofb"
Camellia\-128 Cipher
.IP "\fBcamellia192\fR, \fBcamellia\-192\-cbc\fR, \fBcamellia\-192\-cfb\fR, \fBcamellia\-192\-ctr\fR, \fBcamellia\-192\-ecb\fR, \fBcamellia\-192\-ofb\fR" 4
.IX Item "camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr, camellia-192-ecb, camellia-192-ofb"
Camellia\-192 Cipher
.IP "\fBcamellia256\fR, \fBcamellia\-256\-cbc\fR, \fBcamellia\-256\-cfb\fR, \fBcamellia\-256\-ctr\fR, \fBcamellia\-256\-ecb\fR, \fBcamellia\-256\-ofb\fR" 4
.IX Item "camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr, camellia-256-ecb, camellia-256-ofb"
Camellia\-256 Cipher
.IP "\fBcast\fR, \fBcast-cbc\fR" 4
.IX Item "cast, cast-cbc"
\&\s-1CAST\s0 Cipher
.IP "\fBcast5\-cbc\fR, \fBcast5\-cfb\fR, \fBcast5\-ecb\fR, \fBcast5\-ofb\fR" 4
.IX Item "cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb"
\&\s-1CAST5\s0 Cipher
.IP "\fBchacha20\fR" 4
.IX Item "chacha20"
Chacha20 Cipher
.IP "\fBdes\fR, \fBdes-cbc\fR, \fBdes-cfb\fR, \fBdes-ecb\fR, \fBdes-ede\fR, \fBdes-ede-cbc\fR, \fBdes-ede-cfb\fR, \fBdes-ede-ofb\fR, \fBdes-ofb\fR" 4
.IX Item "des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb"
\&\s-1DES\s0 Cipher
.IP "\fBdes3\fR, \fBdesx\fR, \fBdes\-ede3\fR, \fBdes\-ede3\-cbc\fR, \fBdes\-ede3\-cfb\fR, \fBdes\-ede3\-ofb\fR" 4
.IX Item "des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb"
Triple-DES Cipher
.IP "\fBidea\fR, \fBidea-cbc\fR, \fBidea-cfb\fR, \fBidea-ecb\fR, \fBidea-ofb\fR" 4
.IX Item "idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb"
\&\s-1IDEA\s0 Cipher
.IP "\fBrc2\fR, \fBrc2\-cbc\fR, \fBrc2\-cfb\fR, \fBrc2\-ecb\fR, \fBrc2\-ofb\fR" 4
.IX Item "rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb"
\&\s-1RC2\s0 Cipher
.IP "\fBrc4\fR" 4
.IX Item "rc4"
\&\s-1RC4\s0 Cipher
.IP "\fBrc5\fR, \fBrc5\-cbc\fR, \fBrc5\-cfb\fR, \fBrc5\-ecb\fR, \fBrc5\-ofb\fR" 4
.IX Item "rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb"
\&\s-1RC5\s0 Cipher
.IP "\fBseed\fR, \fBseed-cbc\fR, \fBseed-cfb\fR, \fBseed-ecb\fR, \fBseed-ofb\fR" 4
.IX Item "seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb"
\&\s-1SEED\s0 Cipher
.IP "\fBsm4\fR, \fBsm4\-cbc\fR, \fBsm4\-cfb\fR, \fBsm4\-ctr\fR, \fBsm4\-ecb\fR, \fBsm4\-ofb\fR" 4
.IX Item "sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb"
\&\s-1SM4\s0 Cipher
.SH "OPTIONS"
.IX Header "OPTIONS"
Details of which options are available depend on the specific command.
This section describes some common options with common behavior.
.SS "Program Options"
.IX Subsection "Program Options"
These options can be specified without a command specified to get help
or version information.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Provides a terse summary of all options.
For more detailed information, each command supports a \fB\-help\fR option.
Accepts \fB\-\-help\fR as well.
.IP "\fB\-version\fR" 4
.IX Item "-version"
Provides a terse summary of the \fBopenssl\fR program version.
For more detailed information see \fBopenssl\-version\fR\|(1).
Accepts \fB\-\-version\fR as well.
.SS "Common Options"
.IX Subsection "Common Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
If an option takes an argument, the \*(L"type\*(R" of argument is also given.
.IP "\fB\-\-\fR" 4
.IX Item "--"
This terminates the list of options. It is mostly useful if any filename
parameters start with a minus sign:
.Sp
.Vb 1
\& openssl verify [flags...] \-\- \-cert1.pem...
.Ve
.SS "Format Options"
.IX Subsection "Format Options"
See \fBopenssl\-format\-options\fR\|(1) for manual page.
.SS "Pass Phrase Options"
.IX Subsection "Pass Phrase Options"
See the \fBopenssl\-passphrase\-options\fR\|(1) manual page.
.SS "Random State Options"
.IX Subsection "Random State Options"
Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. These flags are still
supported for special platforms or circumstances that might require them.
.PP
It is generally an error to use the same seed file more than once and
every use of \fB\-rand\fR should be paired with \fB\-writerand\fR.
.IP "\fB\-rand\fR \fIfiles\fR" 4
.IX Item "-rand files"
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \f(CW\*(C`;\*(C'\fR for MS-Windows, \f(CW\*(C`,\*(C'\fR for OpenVMS, and \f(CW\*(C`:\*(C'\fR for
all others. Another way to specify multiple files is to repeat this flag
with different filenames.
.IP "\fB\-writerand\fR \fIfile\fR" 4
.IX Item "-writerand file"
Writes the seed data to the specified \fIfile\fR upon exit.
This file can be used in a subsequent command invocation.
.SS "Certificate Verification Options"
.IX Subsection "Certificate Verification Options"
See the \fBopenssl\-verification\-options\fR\|(1) manual page.
.SS "Name Format Options"
.IX Subsection "Name Format Options"
See the \fBopenssl\-namedisplay\-options\fR\|(1) manual page.
.SS "\s-1TLS\s0 Version Options"
.IX Subsection "TLS Version Options"
Several commands use \s-1SSL, TLS,\s0 or \s-1DTLS.\s0 By default, the commands use \s-1TLS\s0 and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.
.PP
The options below can be used to limit which protocol versions are used,
and whether \s-1TCP\s0 (\s-1SSL\s0 and \s-1TLS\s0) or \s-1UDP\s0 (\s-1DTLS\s0) is used.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
When a specific \s-1TLS\s0 version is required, only that version will be offered or
accepted.
Only one specific protocol can be given and it cannot be combined with any of
the \fBno_\fR options.
The \fBno_*\fR options do not work with \fBs_time\fR and \fBciphers\fR commands but work with
\&\fBs_client\fR and \fBs_server\fR commands.
.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
.IX Item "-dtls, -dtls1, -dtls1_2"
These options specify to use \s-1DTLS\s0 instead of \s-1TLS.\s0
With \fB\-dtls\fR, clients will negotiate any supported \s-1DTLS\s0 protocol version.
Use the \fB\-dtls1\fR or \fB\-dtls1_2\fR options to support only \s-1DTLS1.0\s0 or \s-1DTLS1.2,\s0
respectively.
.SS "Engine Options"
.IX Subsection "Engine Options"
.IP "\fB\-engine\fR \fIid\fR" 4
.IX Item "-engine id"
Load the engine identified by \fIid\fR and use all the methods it implements
(algorithms, key storage, etc.), unless specified otherwise in the
command-specific documentation or it is configured to do so, as described in
\&\*(L"Engine Configuration\*(R" in \fBconfig\fR\|(5).
.Sp
The engine will be used for key ids specified with \fB\-key\fR and similar
options when an option like \fB\-keyform engine\fR is given.
.Sp
A special case is the \f(CW\*(C`loader_attic\*(C'\fR engine, which
is meant just for internal OpenSSL testing purposes and
supports loading keys, parameters, certificates, and CRLs from files.
When this engine is used, files with such credentials are read via this engine.
Using the \f(CW\*(C`file:\*(C'\fR schema is optional; a plain file (path) name will do.
.PP
Options specifying keys, like \fB\-key\fR and similar, can use the generic
OpenSSL engine key loading \s-1URI\s0 scheme \f(CW\*(C`org.openssl.engine:\*(C'\fR to retrieve
private keys and public keys. The \s-1URI\s0 syntax is as follows, in simplified
form:
.PP
.Vb 1
\& org.openssl.engine:{engineid}:{keyid}
.Ve
.PP
Where \f(CW\*(C`{engineid}\*(C'\fR is the identity/name of the engine, and \f(CW\*(C`{keyid}\*(C'\fR is a
key identifier that's acceptable by that engine. For example, when using an
engine that interfaces against a PKCS#11 implementation, the generic key \s-1URI\s0
would be something like this (this happens to be an example for the PKCS#11
engine that's part of OpenSC):
.PP
.Vb 1
\& \-key org.openssl.engine:pkcs11:label_some\-private\-key
.Ve
.PP
As a third possibility, for engines and providers that have implemented
their own \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3), \f(CW\*(C`org.openssl.engine:\*(C'\fR should not be
necessary. For a PKCS#11 implementation that has implemented such a loader,
the PKCS#11 \s-1URI\s0 as defined in \s-1RFC 7512\s0 should be possible to use directly:
.PP
.Vb 1
\& \-key pkcs11:object=some\-private\-key;pin\-value=1234
.Ve
.SS "Provider Options"
.IX Subsection "Provider Options"
.IP "\fB\-provider\fR \fIname\fR" 4
.IX Item "-provider name"
Load and initialize the provider identified by \fIname\fR. The \fIname\fR
can be also a path to the provider module. In that case the provider name
will be the specified path and not just the provider module name.
Interpretation of relative paths is platform specific. The configured
\&\*(L"\s-1MODULESDIR\*(R"\s0 path, \fB\s-1OPENSSL_MODULES\s0\fR environment variable, or the path
specified by \fB\-provider\-path\fR is prepended to relative paths.
See \fBprovider\fR\|(7) for a more detailed description.
.IP "\fB\-provider\-path\fR \fIpath\fR" 4
.IX Item "-provider-path path"
Specifies the search path that is to be used for looking for providers.
Equivalently, the \fB\s-1OPENSSL_MODULES\s0\fR environment variable may be set.
.IP "\fB\-propquery\fR \fIpropq\fR" 4
.IX Item "-propquery propq"
Specifies the \fIproperty query clause\fR to be used when fetching algorithms
from the loaded providers.
See \fBproperty\fR\|(7) for a more detailed description.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
The OpenSSL libraries can take some configuration parameters from the
environment.
.PP
For information about all environment variables used by the OpenSSL libraries,
such as \fB\s-1OPENSSL_CONF\s0\fR, \fB\s-1OPENSSL_MODULES\s0\fR, and \fB\s-1OPENSSL_TRACE\s0\fR,
see \fBopenssl\-env\fR\|(7).
.PP
For information about the use of environment variables in configuration,
see \*(L"\s-1ENVIRONMENT\*(R"\s0 in \fBconfig\fR\|(5).
.PP
For information about specific commands, see \fBopenssl\-engine\fR\|(1),
\&\fBopenssl\-rehash\fR\|(1), and \fBtsget\fR\|(1).
.PP
For information about querying or specifying \s-1CPU\s0 architecture flags, see
\&\fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3) and \fBOPENSSL_riscvcap\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-asn1parse\fR\|(1),
\&\fBopenssl\-ca\fR\|(1),
\&\fBopenssl\-ciphers\fR\|(1),
\&\fBopenssl\-cms\fR\|(1),
\&\fBopenssl\-crl\fR\|(1),
\&\fBopenssl\-crl2pkcs7\fR\|(1),
\&\fBopenssl\-dgst\fR\|(1),
\&\fBopenssl\-dhparam\fR\|(1),
\&\fBopenssl\-dsa\fR\|(1),
\&\fBopenssl\-dsaparam\fR\|(1),
\&\fBopenssl\-ec\fR\|(1),
\&\fBopenssl\-ecparam\fR\|(1),
\&\fBopenssl\-enc\fR\|(1),
\&\fBopenssl\-engine\fR\|(1),
\&\fBopenssl\-errstr\fR\|(1),
\&\fBopenssl\-gendsa\fR\|(1),
\&\fBopenssl\-genpkey\fR\|(1),
\&\fBopenssl\-genrsa\fR\|(1),
\&\fBopenssl\-kdf\fR\|(1),
\&\fBopenssl\-list\fR\|(1),
\&\fBopenssl\-mac\fR\|(1),
\&\fBopenssl\-nseq\fR\|(1),
\&\fBopenssl\-ocsp\fR\|(1),
\&\fBopenssl\-passwd\fR\|(1),
\&\fBopenssl\-pkcs12\fR\|(1),
\&\fBopenssl\-pkcs7\fR\|(1),
\&\fBopenssl\-pkcs8\fR\|(1),
\&\fBopenssl\-pkey\fR\|(1),
\&\fBopenssl\-pkeyparam\fR\|(1),
\&\fBopenssl\-pkeyutl\fR\|(1),
\&\fBopenssl\-prime\fR\|(1),
\&\fBopenssl\-rand\fR\|(1),
\&\fBopenssl\-rehash\fR\|(1),
\&\fBopenssl\-req\fR\|(1),
\&\fBopenssl\-rsa\fR\|(1),
\&\fBopenssl\-rsautl\fR\|(1),
\&\fBopenssl\-s_client\fR\|(1),
\&\fBopenssl\-s_server\fR\|(1),
\&\fBopenssl\-s_time\fR\|(1),
\&\fBopenssl\-sess_id\fR\|(1),
\&\fBopenssl\-smime\fR\|(1),
\&\fBopenssl\-speed\fR\|(1),
\&\fBopenssl\-spkac\fR\|(1),
\&\fBopenssl\-srp\fR\|(1),
\&\fBopenssl\-storeutl\fR\|(1),
\&\fBopenssl\-ts\fR\|(1),
\&\fBopenssl\-verify\fR\|(1),
\&\fBopenssl\-version\fR\|(1),
\&\fBopenssl\-x509\fR\|(1),
\&\fBconfig\fR\|(5),
\&\fBcrypto\fR\|(7),
\&\fBopenssl\-env\fR\|(7).
\&\fBssl\fR\|(7),
\&\fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBlist\fR \-\fI\s-1XXX\s0\fR\fB\-algorithms\fR options were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
.PP
The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
.PP
The \fB\-xcertform\fR and \fB\-xkeyform\fR options
are obsolete since OpenSSL 3.0 and have no effect.
.PP
The interactive mode, which could be invoked by running \f(CW\*(C`openssl\*(C'\fR
with no further arguments, was removed in OpenSSL 3.0, and running
that program with no arguments is now equivalent to \f(CW\*(C`openssl help\*(C'\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

1
openssl-install/share/man/man1/passwd.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkcs12.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkcs7.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkcs8.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkey.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkeyparam.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/pkeyutl.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/prime.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/rand.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/rehash.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/req.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/rsa.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/rsautl.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/s_client.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/s_server.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

1
openssl-install/share/man/man1/s_time.1ossl Symbolic link
View File

@@ -0,0 +1 @@
openssl-cmds.1ossl

Some files were not shown because too many files have changed in this diff Show More