<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>openssl</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<ul>
<li><a href="#name">NAME</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#command_summary">COMMAND SUMMARY</a></li>
<ul>
<li><a href="#standard_commands">Standard Commands</a></li>
<li><a href="#message_digest_commands">Message Digest Commands</a></li>
<li><a href="#encryption__decryption__and_encoding_commands">Encryption, Decryption, and Encoding Commands</a></li>
</ul>
<li><a href="#options">OPTIONS</a></li>
<ul>
<li><a href="#common_options">Common Options</a></li>
<li><a href="#format_options">Format Options</a></li>
<li><a href="#pass_phrase_options">Pass Phrase Options</a></li>
<li><a href="#trusted_certificate_options">Trusted Certificate Options</a></li>
<li><a href="#random_state_options">Random State Options</a></li>
<li><a href="#extended_verification_options">Extended Verification Options</a></li>
<li><a href="#verification_options">Verification Options</a></li>
<li><a href="#name_format_options">Name Format Options</a></li>
<li><a href="#tls_version_options">TLS Version Options</a></li>
<li><a href="#engine_options">Engine Options</a></li>
</ul>
<li><a href="#environment">ENVIRONMENT</a></li>
<li><a href="#see_also">SEE ALSO</a></li>
<li><a href="#history">HISTORY</a></li>
<li><a href="#copyright">COPYRIGHT</a></li>
</ul>
<hr name="index" />
</div>
<!-- INDEX END -->
<hr />
<h1><a name="name">NAME</a></h1>
<p>openssl - OpenSSL command line tool</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<p><strong>openssl</strong>
<em>command</em>
[ <em>options</em> ... ]
[ <em>parameters</em> ... ]</p>
<p><strong>openssl</strong>
<strong>list</strong>
<strong>-standard-commands</strong> |
<strong>-digest-commands</strong> |
<strong>-cipher-commands</strong> |
<strong>-cipher-algorithms</strong> |
<strong>-digest-algorithms</strong> |
<strong>-mac-algorithms</strong> |
<strong>-public-key-algorithms</strong></p>
<p><strong>openssl</strong> <strong>no-</strong><em>XXX</em> [ <em>options</em> ]</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL
v2/v3) and Transport Layer Security (TLS v1) network protocols and related
cryptography standards required by them.</p>
<p>The <strong>openssl</strong> program is a command line tool for using the various
cryptography functions of OpenSSL's <strong>crypto</strong> library from the shell.
It can be used for</p>
<pre>
 o Creation and management of private keys, public keys and parameters
 o Public key cryptographic operations
 o Creation of X.509 certificates, CSRs and CRLs
 o Calculation of Message Digests and Message Authentication Codes
 o Encryption and Decryption with Ciphers
 o SSL/TLS Client and Server Tests
 o Handling of S/MIME signed or encrypted mail
 o Timestamp requests, generation and verification</pre>
<hr />
<h1><a name="command_summary">COMMAND SUMMARY</a></h1>
<p>The <strong>openssl</strong> program provides a rich variety of commands (<em>command</em> in
the <a href="#synopsis">SYNOPSIS</a> above).
Each command can have many options and argument parameters, shown above as
<em>options</em> and <em>parameters</em>.</p>
<p>Detailed documentation and use cases for most standard subcommands are available
(e.g., <a href="#x509">openssl-x509(1)</a>).</p>
<p>Many commands use an external configuration file for some or all of their
arguments and have a <strong>-config</strong> option to specify that file.
The default name of the file is <em class="file">openssl.cnf</em> in the default certificate
storage area, which can be determined from the <a href="#version">openssl-version(1)</a>
command.
The environment variable <strong>OPENSSL_CONF</strong> can be used to specify
a different location of the file.
See <em>openssl-env(7)</em>.</p>
<p>The list options <strong>-standard-commands</strong>, <strong>-digest-commands</strong>,
and <strong>-cipher-commands</strong> output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available.</p>
<p>The list parameters <strong>-cipher-algorithms</strong>, <strong>-digest-algorithms</strong>,
and <strong>-mac-algorithms</strong> list all cipher, message digest, and message
authentication code names, one entry per line. Aliases are listed as:</p>
<pre>
 from => to</pre>
<p>The list parameter <strong>-public-key-algorithms</strong> lists all supported public
key algorithms.</p>
<p>The command <strong>no-</strong><em>XXX</em> tests whether a command of the
specified name is available. If no command named <em>XXX</em> exists, it
returns 0 (success) and prints <strong>no-</strong><em>XXX</em>; otherwise it returns 1
and prints <em>XXX</em>. In both cases, the output goes to <strong>stdout</strong> and
nothing is printed to <strong>stderr</strong>. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the <strong>openssl</strong> program. (<strong>no-</strong><em>XXX</em> is
not able to detect pseudo-commands such as <strong>quit</strong>,
<strong>list</strong>, or <strong>no-</strong><em>XXX</em> itself.)</p>
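<p>The following script is added here as an example and is not part of the openssl(1) manual page or the OpenSSL project. It turns the <strong>no-</strong><em>XXX</em> exit-status convention into a shell function and uses it to audit which legacy cipher and digest commands a given <strong>openssl</strong> build still exposes; the list of names it checks is an assumption of the example, and it needs an <strong>openssl</strong> binary on the <code>PATH</code>.</p>

```shell
#!/bin/sh
# Added example (not from the openssl(1) manual page).
# "openssl no-XXX" exits 0 and prints "no-XXX" when no command XXX exists,
# and exits 1 and prints "XXX" when it does. Nothing goes to stderr, so the
# exit status alone is a reliable availability test for shell scripts.

# have_openssl_cmd NAME: return 0 if "openssl NAME" exists in this build,
# 1 if it does not, 2 if no openssl binary is on PATH (so that a missing
# binary is never mistaken for a missing command).
have_openssl_cmd() {
    command -v openssl >/dev/null 2>&1 || return 2
    if openssl "no-$1" >/dev/null 2>&1; then
        return 1        # it printed "no-NAME": the command is absent
    fi
    return 0            # it printed "NAME": the command is present
}

# audit_legacy_cmds: report which legacy algorithm commands (an assumed list,
# chosen because the algorithms are weak or deprecated) are still available,
# one "NAME present|absent" line each. Handy when deciding whether a build
# or its configuration needs further hardening.
audit_legacy_cmds() {
    for name in md2 md4 md5 rc2 rc4 des bf; do
        if have_openssl_cmd "$name"; then
            echo "$name present"
        else
            echo "$name absent"
        fi
    done
}

audit_legacy_cmds
```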
|
|
<h2><a name="standard_commands">Standard Commands</a></h2>
<dl>
|
|
<dt><strong><a name="asn1parse" class="item"><strong>asn1parse</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Parse an ASN.1 sequence.</p>
|
|
</dd>
|
|
<dt><strong><a name="ca" class="item"><strong>ca</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Certificate Authority (CA) Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="ciphers" class="item"><strong>ciphers</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Cipher Suite Description Determination.</p>
|
|
</dd>
|
|
<dt><strong><a name="cms" class="item"><strong>cms</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>CMS (Cryptographic Message Syntax) utility.</p>
|
|
</dd>
|
|
<dt><strong><a name="crl" class="item"><strong>crl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Certificate Revocation List (CRL) Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="crl2pkcs7" class="item"><strong>crl2pkcs7</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>CRL to PKCS#7 Conversion.</p>
|
|
</dd>
|
|
<dt><strong><a name="dgst" class="item"><strong>dgst</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Message Digest calculation. MAC calculations are superseded by
|
|
<a href="#mac">openssl-mac(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="dhparam" class="item"><strong>dhparam</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generation and Management of Diffie-Hellman Parameters. Superseded by
|
|
<a href="#genpkey">openssl-genpkey(1)</a> and <a href="#pkeyparam">openssl-pkeyparam(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="dsa" class="item"><strong>dsa</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>DSA Data Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="dsaparam" class="item"><strong>dsaparam</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>DSA Parameter Generation and Management. Superseded by
|
|
<a href="#genpkey">openssl-genpkey(1)</a> and <a href="#pkeyparam">openssl-pkeyparam(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="ec" class="item"><strong>ec</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>EC (Elliptic curve) key processing.</p>
|
|
</dd>
|
|
<dt><strong><a name="ecparam" class="item"><strong>ecparam</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>EC parameter manipulation and generation.</p>
|
|
</dd>
|
|
<dt><strong><a name="enc" class="item"><strong>enc</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Encryption, decryption, and encoding.</p>
|
|
</dd>
|
|
<dt><strong><a name="engine" class="item"><strong>engine</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Engine (loadable module) information and manipulation.</p>
|
|
</dd>
|
|
<dt><strong><a name="errstr" class="item"><strong>errstr</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Error Number to Error String Conversion.</p>
|
|
</dd>
|
|
<dt><strong><a name="fipsinstall" class="item"><strong>fipsinstall</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>FIPS configuration installation.</p>
|
|
</dd>
|
|
<dt><strong><a name="gendsa" class="item"><strong>gendsa</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generation of DSA Private Key from Parameters. Superseded by
|
|
<a href="#genpkey">openssl-genpkey(1)</a> and <a href="#pkey">openssl-pkey(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="genpkey" class="item"><strong>genpkey</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generation of Private Key or Parameters.</p>
|
|
</dd>
|
|
<dt><strong><a name="genrsa" class="item"><strong>genrsa</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generation of RSA Private Key. Superseded by <a href="#genpkey">openssl-genpkey(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="help" class="item"><strong>help</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display information about a command's options.</p>
|
|
</dd>
|
|
<dt><strong><a name="info" class="item"><strong>info</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display diverse information built into the OpenSSL libraries.</p>
|
|
</dd>
|
|
<dt><strong><a name="kdf" class="item"><strong>kdf</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Key Derivation Functions.</p>
|
|
</dd>
|
|
<dt><strong><a name="list" class="item"><strong>list</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>List algorithms and features.</p>
|
|
</dd>
|
|
<dt><strong><a name="mac" class="item"><strong>mac</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Message Authentication Code Calculation.</p>
|
|
</dd>
|
|
<dt><strong><a name="nseq" class="item"><strong>nseq</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Create or examine a Netscape certificate sequence.</p>
|
|
</dd>
|
|
<dt><strong><a name="ocsp" class="item"><strong>ocsp</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Online Certificate Status Protocol utility.</p>
|
|
</dd>
|
|
<dt><strong><a name="passwd" class="item"><strong>passwd</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generation of hashed passwords.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkcs12" class="item"><strong>pkcs12</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>PKCS#12 Data Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkcs7" class="item"><strong>pkcs7</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>PKCS#7 Data Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkcs8" class="item"><strong>pkcs8</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>PKCS#8 format private key conversion tool.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkey" class="item"><strong>pkey</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Public and private key management.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkeyparam" class="item"><strong>pkeyparam</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Public key algorithm parameter management.</p>
|
|
</dd>
|
|
<dt><strong><a name="pkeyutl" class="item"><strong>pkeyutl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Public key algorithm cryptographic operation utility.</p>
|
|
</dd>
|
|
<dt><strong><a name="prime" class="item"><strong>prime</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Compute prime numbers.</p>
|
|
</dd>
|
|
<dt><strong><a name="provider" class="item"><strong>provider</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Load and query providers.</p>
|
|
</dd>
|
|
<dt><strong><a name="rand" class="item"><strong>rand</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Generate pseudo-random bytes.</p>
|
|
</dd>
|
|
<dt><strong><a name="rehash" class="item"><strong>rehash</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Create symbolic links to certificate and CRL files named by the hash values.</p>
|
|
</dd>
|
|
<dt><strong><a name="req" class="item"><strong>req</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>PKCS#10 X.509 Certificate Signing Request (CSR) Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="rsa" class="item"><strong>rsa</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RSA key management.</p>
|
|
</dd>
|
|
<dt><strong><a name="rsautl" class="item"><strong>rsautl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RSA utility for signing, verification, encryption, and decryption. Superseded
|
|
by <a href="#pkeyutl">openssl-pkeyutl(1)</a>.</p>
|
|
</dd>
|
|
<dt><strong><a name="s_client" class="item"><strong>s_client</strong></a></strong></dt>
<dd>
<p>This implements a generic SSL/TLS client which can establish a transparent
connection to a remote server speaking SSL/TLS. It's intended for testing
purposes only and provides only a rudimentary interface, but
internally uses most of the functionality of the OpenSSL <strong>ssl</strong> library.</p>
</dd>
<dt><strong><a name="s_server" class="item"><strong>s_server</strong></a></strong></dt>
<dd>
<p>This implements a generic SSL/TLS server which accepts connections from remote
clients speaking SSL/TLS. It's intended for testing purposes only and provides
only a rudimentary interface, but internally uses most of the
functionality of the OpenSSL <strong>ssl</strong> library. It provides both its own command
line oriented protocol for testing SSL functions and a simple HTTP response
facility to emulate an SSL/TLS-aware webserver.</p>
</dd>
|
|
<dt><strong><a name="s_time" class="item"><strong>s_time</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SSL Connection Timer.</p>
|
|
</dd>
|
|
<dt><strong><a name="sess_id" class="item"><strong>sess_id</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SSL Session Data Management.</p>
|
|
</dd>
|
|
<dt><strong><a name="smime" class="item"><strong>smime</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>S/MIME mail processing.</p>
|
|
</dd>
|
|
<dt><strong><a name="speed" class="item"><strong>speed</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Algorithm Speed Measurement.</p>
|
|
</dd>
|
|
<dt><strong><a name="spkac" class="item"><strong>spkac</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SPKAC printing and generating utility.</p>
|
|
</dd>
|
|
<dt><strong><a name="srp" class="item"><strong>srp</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Maintain SRP password file.</p>
|
|
</dd>
|
|
<dt><strong><a name="storeutl" class="item"><strong>storeutl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Utility to list and display certificates, keys, CRLs, etc.</p>
|
|
</dd>
|
|
<dt><strong><a name="ts" class="item"><strong>ts</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Time Stamping Authority tool (client/server).</p>
|
|
</dd>
|
|
<dt><strong><a name="verify" class="item"><strong>verify</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>X.509 Certificate Verification.</p>
|
|
</dd>
|
|
<dt><strong><a name="version" class="item"><strong>version</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>OpenSSL Version Information.</p>
|
|
</dd>
|
|
<dt><strong><a name="x509" class="item"><strong>x509</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>X.509 Certificate Data Management.</p>
|
|
</dd>
|
|
</dl>
<h2><a name="message_digest_commands">Message Digest Commands</a></h2>
<dl>
|
|
<dt><strong><a name="blake2b512" class="item"><strong>blake2b512</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>BLAKE2b-512 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="blake2s256" class="item"><strong>blake2s256</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>BLAKE2s-256 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="md2" class="item"><strong>md2</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>MD2 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="md4" class="item"><strong>md4</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>MD4 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="md5" class="item"><strong>md5</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>MD5 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="mdc2" class="item"><strong>mdc2</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>MDC2 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="rmd160" class="item"><strong>rmd160</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RMD-160 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha1" class="item"><strong>sha1</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-1 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha224" class="item"><strong>sha224</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-2 224 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha256" class="item"><strong>sha256</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-2 256 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha384" class="item"><strong>sha384</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-2 384 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha512" class="item"><strong>sha512</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-2 512 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha3_224" class="item"><strong>sha3-224</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 224 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha3_256" class="item"><strong>sha3-256</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 256 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha3_384" class="item"><strong>sha3-384</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 384 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sha3_512" class="item"><strong>sha3-512</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 512 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="shake128" class="item"><strong>shake128</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 SHAKE128 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="shake256" class="item"><strong>shake256</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SHA-3 SHAKE256 Digest</p>
|
|
</dd>
|
|
<dt><strong><a name="sm3" class="item"><strong>sm3</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SM3 Digest</p>
|
|
</dd>
|
|
</dl>
<h2><a name="encryption__decryption__and_encoding_commands">Encryption, Decryption, and Encoding Commands</a></h2>
<p>The following aliases provide convenient access to the most used encodings
and ciphers.</p>
<p>Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See <a href="#enc">openssl-enc(1)</a> for more information.</p>
<dl>
|
|
<dt><strong><a name="aes128_aes_128_cbc_aes_128_cfb_aes_128_ctr_aes_128_ecb_aes_128_ofb" class="item"><strong>aes128</strong>, <strong>aes-128-cbc</strong>, <strong>aes-128-cfb</strong>, <strong>aes-128-ctr</strong>, <strong>aes-128-ecb</strong>, <strong>aes-128-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>AES-128 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="aes192_aes_192_cbc_aes_192_cfb_aes_192_ctr_aes_192_ecb_aes_192_ofb" class="item"><strong>aes192</strong>, <strong>aes-192-cbc</strong>, <strong>aes-192-cfb</strong>, <strong>aes-192-ctr</strong>, <strong>aes-192-ecb</strong>, <strong>aes-192-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>AES-192 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="aes256_aes_256_cbc_aes_256_cfb_aes_256_ctr_aes_256_ecb_aes_256_ofb" class="item"><strong>aes256</strong>, <strong>aes-256-cbc</strong>, <strong>aes-256-cfb</strong>, <strong>aes-256-ctr</strong>, <strong>aes-256-ecb</strong>, <strong>aes-256-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>AES-256 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="aria128_aria_128_cbc_aria_128_cfb_aria_128_ctr_aria_128_ecb_aria_128_ofb" class="item"><strong>aria128</strong>, <strong>aria-128-cbc</strong>, <strong>aria-128-cfb</strong>, <strong>aria-128-ctr</strong>, <strong>aria-128-ecb</strong>, <strong>aria-128-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Aria-128 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="aria192_aria_192_cbc_aria_192_cfb_aria_192_ctr_aria_192_ecb_aria_192_ofb" class="item"><strong>aria192</strong>, <strong>aria-192-cbc</strong>, <strong>aria-192-cfb</strong>, <strong>aria-192-ctr</strong>, <strong>aria-192-ecb</strong>, <strong>aria-192-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Aria-192 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="aria256_aria_256_cbc_aria_256_cfb_aria_256_ctr_aria_256_ecb_aria_256_ofb" class="item"><strong>aria256</strong>, <strong>aria-256-cbc</strong>, <strong>aria-256-cfb</strong>, <strong>aria-256-ctr</strong>, <strong>aria-256-ecb</strong>, <strong>aria-256-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Aria-256 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="base64" class="item"><strong>base64</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Base64 Encoding</p>
|
|
</dd>
|
|
<dt><strong><a name="bf_bf_cbc_bf_cfb_bf_ecb_bf_ofb" class="item"><strong>bf</strong>, <strong>bf-cbc</strong>, <strong>bf-cfb</strong>, <strong>bf-ecb</strong>, <strong>bf-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Blowfish Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="camellia128_camellia_128_cbc_camellia_128_cfb_camellia_128_ctr_camellia_128_ecb_camellia_128_ofb" class="item"><strong>camellia128</strong>, <strong>camellia-128-cbc</strong>, <strong>camellia-128-cfb</strong>, <strong>camellia-128-ctr</strong>, <strong>camellia-128-ecb</strong>, <strong>camellia-128-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Camellia-128 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="camellia192_camellia_192_cbc_camellia_192_cfb_camellia_192_ctr_camellia_192_ecb_camellia_192_ofb" class="item"><strong>camellia192</strong>, <strong>camellia-192-cbc</strong>, <strong>camellia-192-cfb</strong>, <strong>camellia-192-ctr</strong>, <strong>camellia-192-ecb</strong>, <strong>camellia-192-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Camellia-192 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="camellia256_camellia_256_cbc_camellia_256_cfb_camellia_256_ctr_camellia_256_ecb_camellia_256_ofb" class="item"><strong>camellia256</strong>, <strong>camellia-256-cbc</strong>, <strong>camellia-256-cfb</strong>, <strong>camellia-256-ctr</strong>, <strong>camellia-256-ecb</strong>, <strong>camellia-256-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Camellia-256 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="cast_cast_cbc" class="item"><strong>cast</strong>, <strong>cast-cbc</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>CAST Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="cast5_cbc_cast5_cfb_cast5_ecb_cast5_ofb" class="item"><strong>cast5-cbc</strong>, <strong>cast5-cfb</strong>, <strong>cast5-ecb</strong>, <strong>cast5-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>CAST5 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="chacha20" class="item"><strong>chacha20</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Chacha20 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="des_des_cbc_des_cfb_des_ecb_des_ede_des_ede_cbc_des_ede_cfb_des_ede_ofb_des_ofb" class="item"><strong>des</strong>, <strong>des-cbc</strong>, <strong>des-cfb</strong>, <strong>des-ecb</strong>, <strong>des-ede</strong>, <strong>des-ede-cbc</strong>, <strong>des-ede-cfb</strong>, <strong>des-ede-ofb</strong>, <strong>des-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>DES Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="des3_desx_des_ede3_des_ede3_cbc_des_ede3_cfb_des_ede3_ofb" class="item"><strong>des3</strong>, <strong>desx</strong>, <strong>des-ede3</strong>, <strong>des-ede3-cbc</strong>, <strong>des-ede3-cfb</strong>, <strong>des-ede3-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Triple-DES Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="idea_idea_cbc_idea_cfb_idea_ecb_idea_ofb" class="item"><strong>idea</strong>, <strong>idea-cbc</strong>, <strong>idea-cfb</strong>, <strong>idea-ecb</strong>, <strong>idea-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>IDEA Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="rc2_rc2_cbc_rc2_cfb_rc2_ecb_rc2_ofb" class="item"><strong>rc2</strong>, <strong>rc2-cbc</strong>, <strong>rc2-cfb</strong>, <strong>rc2-ecb</strong>, <strong>rc2-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RC2 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="rc4" class="item"><strong>rc4</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RC4 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="rc5_rc5_cbc_rc5_cfb_rc5_ecb_rc5_ofb" class="item"><strong>rc5</strong>, <strong>rc5-cbc</strong>, <strong>rc5-cfb</strong>, <strong>rc5-ecb</strong>, <strong>rc5-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>RC5 Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="seed_seed_cbc_seed_cfb_seed_ecb_seed_ofb" class="item"><strong>seed</strong>, <strong>seed-cbc</strong>, <strong>seed-cfb</strong>, <strong>seed-ecb</strong>, <strong>seed-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SEED Cipher</p>
|
|
</dd>
|
|
<dt><strong><a name="sm4_sm4_cbc_sm4_cfb_sm4_ctr_sm4_ecb_sm4_ofb" class="item"><strong>sm4</strong>, <strong>sm4-cbc</strong>, <strong>sm4-cfb</strong>, <strong>sm4-ctr</strong>, <strong>sm4-ecb</strong>, <strong>sm4-ofb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>SM4 Cipher</p>
|
|
</dd>
|
|
</dl>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<p>Details of which options are available depend on the specific command.
This section describes some common options with common behavior.</p>
<h2><a name="common_options">Common Options</a></h2>
<dl>
<dt><strong><strong>-help</strong></strong></dt>
<dd>
<p>Provides a terse summary of all options.
If an option takes an argument, the "type" of argument is also given.</p>
</dd>
<dt><strong><a name="__" class="item"><strong>--</strong></a></strong></dt>
<dd>
<p>This terminates the list of options. It is mostly useful if any filename
parameters start with a minus sign:</p>
<pre>
 openssl verify [flags...] -- -cert1.pem...</pre>
</dd>
</dl>
<h2><a name="format_options">Format Options</a></h2>
<p>Several OpenSSL commands can take input or generate output in a variety
of formats. The list of acceptable formats, and the default, is
described in each command documentation. The list of formats is
described below. Both uppercase and lowercase are accepted.</p>
<dl>
|
|
<dt><strong><a name="der" class="item"><strong>DER</strong></a></strong></dt>
<dd>
<p>A binary format, encoded or parsed according to the Distinguished Encoding Rules
(DER) of the ASN.1 data language.</p>
</dd>
<dt><strong><a name="engine" class="item"><strong>ENGINE</strong></a></strong></dt>
<dd>
<p>Used to specify that the cryptographic material is in an OpenSSL <strong>engine</strong>.
An engine must be configured or specified using the <strong>-engine</strong> option.
In addition, the <strong>-input</strong> flag can be used to name a specific object in
the engine.
A password, for example via the <strong>-passin</strong> flag, often must be specified as well.</p>
</dd>
<dt><strong><a name="p12" class="item"><strong>P12</strong></a></strong></dt>
<dd>
<p>A DER-encoded file containing a PKCS#12 object.
It might be necessary to provide a decryption password to retrieve
the private key.</p>
</dd>
<dt><strong><a name="pem" class="item"><strong>PEM</strong></a></strong></dt>
<dd>
<p>A text format defined in IETF <a href="http://www.ietf.org/rfc/rfc1421.txt" class="rfc">RFC 1421</a> and IETF <a href="http://www.ietf.org/rfc/rfc7468.txt" class="rfc">RFC 7468</a>. Briefly, this is
a block of base-64 encoding (defined in IETF <a href="http://www.ietf.org/rfc/rfc4648.txt" class="rfc">RFC 4648</a>), with specific
lines used to mark the start and end:</p>
<pre>
 Text before the BEGIN line is ignored.
 ----- BEGIN object-type -----
 OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
 xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
 UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
 ----- END object-type -----
 Text after the END line is also ignored</pre>
<p>The <em>object-type</em> must match the type of object that is expected.
For example a <code>BEGIN X509 CERTIFICATE</code> will not match if the command
is trying to read a private key. The types supported include:</p>
<pre>
 ANY PRIVATE KEY
 CERTIFICATE
 CERTIFICATE REQUEST
 CMS
 DH PARAMETERS
 DSA PARAMETERS
 DSA PUBLIC KEY
 EC PARAMETERS
 EC PRIVATE KEY
 ECDSA PUBLIC KEY
 ENCRYPTED PRIVATE KEY
 PARAMETERS
 PKCS #7 SIGNED DATA
 PKCS7
 PRIVATE KEY
 PUBLIC KEY
 RSA PRIVATE KEY
 SSL SESSION PARAMETERS
 TRUSTED CERTIFICATE
 X509 CRL
 X9.42 DH PARAMETERS</pre>
<p>The following legacy <em>object-type</em>s are also supported for compatibility
with earlier releases:</p>
<pre>
 DSA PRIVATE KEY
 NEW CERTIFICATE REQUEST
 RSA PUBLIC KEY
 X509 CERTIFICATE</pre>
</dd>
<dt><strong><a name="smime" class="item"><strong>SMIME</strong></a></strong></dt>
<dd>
<p>An S/MIME object as described in IETF <a href="http://www.ietf.org/rfc/rfc8551.txt" class="rfc">RFC 8551</a>.
Earlier versions were known as CMS and are compatible.
Note that the parsing is simple and might fail to parse some legal data.</p>
</dd>
</dl>
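<p>An added example, not code from the OpenSSL project, that applies the PEM rules above with plain sh and awk: text outside the BEGIN/END lines is ignored, every block's <em>object-type</em> is reported, and a block is only handed back when its type matches exactly what the caller expects (so a legacy <code>X509 CERTIFICATE</code> block does not satisfy a request for <code>CERTIFICATE</code>). The bundle it writes is constructed; its base64 bodies are placeholders, not real keys or certificates.</p>

```shell
#!/bin/sh
# Added example (not from the openssl(1) manual page or the OpenSSL project).
# Inspect PEM input the way the PEM format description specifies: anything
# outside "-----BEGIN type-----" / "-----END type-----" is ignored, and the
# object-type on the BEGIN line must match what the caller expects.

# pem_types FILE: print the object-type of every PEM block in FILE, one per line.
pem_types() {
    awk '
        /^-----BEGIN .*-----$/ {
            t = $0
            sub(/^-----BEGIN /, "", t)
            sub(/-----$/, "", t)
            print t
        }
    ' "$1"
}

# pem_extract TYPE FILE: print the first block whose object-type is exactly
# TYPE (BEGIN and END lines included). Exit 1 if there is no such block, so a
# caller expecting "CERTIFICATE" fails on a legacy "X509 CERTIFICATE" block
# or on a file that only holds a private key.
pem_extract() {
    awk -v want="$1" '
        /^-----BEGIN .*-----$/ {
            t = $0
            sub(/^-----BEGIN /, "", t)
            sub(/-----$/, "", t)
            inblk = (t == want)
            if (inblk) found = 1
        }
        inblk { print }
        /^-----END .*-----$/ && inblk { exit }
        END { if (found) exit 0; exit 1 }
    ' "$2"
}

# pem_require TYPE FILE: succeed only if FILE contains a block of TYPE;
# otherwise print a diagnostic listing the types actually present.
pem_require() {
    if pem_extract "$1" "$2" >/dev/null; then
        return 0
    fi
    echo "expected a '$1' block in $2 but found: $(pem_types "$2" | tr '\n' ';')" >&2
    return 1
}

# write_sample FILE: write a constructed PEM bundle with junk text around the
# blocks. The base64 bodies are placeholders, not real cryptographic objects.
write_sample() {
    cat > "$1" <<'EOF'
Subject: example bundle (this line is ignored)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
some text between blocks, also ignored
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIC0gTk9UIEEgUkVBTCBLRVk=
-----END ENCRYPTED PRIVATE KEY-----
Text after the last END line is ignored too.
EOF
}
```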
|
|
<p>The options to specify the format are as follows. Refer to the individual
manpage to see which options are accepted.</p>
<dl>
<dt><strong><a name="inform_format_outform_format" class="item"><strong>-inform</strong> <em>format</em>, <strong>-outform</strong> <em>format</em></a></strong></dt>
<dd>
<p>The format of the input or output streams.</p>
</dd>
<dt><strong><a name="keyform_format" class="item"><strong>-keyform</strong> <em>format</em></a></strong></dt>
<dd>
<p>Format of a private key input source.</p>
</dd>
<dt><strong><a name="crlform_format" class="item"><strong>-CRLform</strong> <em>format</em></a></strong></dt>
<dd>
<p>Format of a CRL input source.</p>
</dd>
</dl>
<h2><a name="pass_phrase_options">Pass Phrase Options</a></h2>
|
|
<p>Several commands accept password arguments, typically using <strong>-passin</strong>
|
|
and <strong>-passout</strong> for input and output passwords respectively. These allow
|
|
the password to be obtained from a variety of sources. Both of these
|
|
options take a single argument whose format is described below. If no
|
|
password argument is given and a password is required then the user is
|
|
prompted to enter one: this will typically be read from the current
|
|
terminal with echoing turned off.</p>
|
|
<p>Note that character encoding may be relevant, please see
|
|
<em>passphrase-encoding(7)</em>.</p>
|
|
<dl>
|
|
<dt><strong><a name="pass_password" class="item"><strong>pass:</strong><em>password</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The actual password is <em>password</em>. Since the password is visible
|
|
to utilities (like 'ps' under Unix) this form should only be used
|
|
where security is not important.</p>
|
|
</dd>
|
|
<dt><strong><a name="env_var" class="item"><strong>env:</strong><em>var</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Obtain the password from the environment variable <em>var</em>. Since
|
|
the environment of other processes is visible on certain platforms
|
|
(e.g. ps under certain Unix OSes) this option should be used with caution.</p>
|
|
</dd>
|
|
<dt><strong><a name="file_pathname" class="item"><strong>file:</strong><em>pathname</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The first line of <em>pathname</em> is the password. If the same <em>pathname</em>
|
|
argument is supplied to <strong>-passin</strong> and <strong>-passout</strong> arguments then the first
|
|
line will be used for the input password and the next line for the output
|
|
password. <em>pathname</em> need not refer to a regular file: it could for example
|
|
refer to a device or named pipe.</p>
|
|
</dd>
|
|
<dt><strong><a name="fd_number" class="item"><strong>fd:</strong><em>number</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Read the password from the file descriptor <em>number</em>. This can be used to
|
|
send the data via a pipe for example.</p>
|
|
</dd>
|
|
<dt><strong><a name="stdin" class="item"><strong>stdin</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Read the password from standard input.</p>
|
|
</dd>
|
|
</dl>
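<p>The password sources listed above, exercised in an added example that is not part of the OpenSSL manual. It assumes a POSIX shell and an openssl binary on PATH; the file names and the two secrets are constructed for the demonstration.</p>

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual: exercising the -passin/-passout
# sources listed above. Assumes a POSIX shell and an openssl binary on PATH.
# All file names and secrets are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The passphrase file holds secrets, so create it owner-readable only.
# Line 1 feeds -passin and line 2 feeds -passout when the same pathname is
# given to both, which is what re_encrypt_key relies on below.
make_pass_file() {
    (umask 077 && printf 'old-secret-1\nnew-secret-2\n' > "$WORK/pass.txt")
}

# Generate a P-256 private key encrypted under a passphrase read from file
# descriptor 3 (fd:3). The secret arrives over a pipe, so it never appears in
# the argument list that 'ps' would show to other users (unlike pass:).
# "3<&0" attaches the pipe to fd 3; stdin itself is then pointed at /dev/null.
gen_key_fd() {
    printf 'old-secret-1\n' |
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -aes-256-cbc -pass fd:3 -out "$WORK/key.pem" 3<&0 </dev/null
}

# Re-encrypt the key under a new passphrase. Both options name the same file,
# so line 1 (old-secret-1) unlocks the input and line 2 (new-secret-2)
# protects the output.
re_encrypt_key() {
    openssl pkey -in "$WORK/key.pem" -passin "file:$WORK/pass.txt" \
        -passout "file:$WORK/pass.txt" -aes-256-cbc -out "$WORK/key2.pem"
}

# Check whether a candidate passphrase, handed over in the environment
# variable PASS (env:PASS), decrypts the re-encrypted key.
# Prints "unlocked" or "locked".
try_env_pass() {
    if PASS="$1" openssl pkey -in "$WORK/key2.pem" -passin env:PASS -noout 2>/dev/null; then
        echo unlocked
    else
        echo locked
    fi
}

main() {
    make_pass_file
    gen_key_fd
    re_encrypt_key
    echo "old secret: $(try_env_pass old-secret-1)"   # locked: line 2 is now in force
    echo "new secret: $(try_env_pass new-secret-2)"   # unlocked
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not on PATH; nothing to demonstrate" >&2
fi
```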
|
|
<p>
|
|
</p>
|
|
<h2><a name="trusted_certificate_options">Trusted Certificate Options</a></h2>
|
|
<p>Part of validating a certificate includes verifying that the chain of CAs
can be traced up to an existing trusted root. The following options specify
how to list the trusted roots, also known as trust anchors. A collection
of trusted roots is called a <em>trust store</em>.</p>
|
|
<p>Note that OpenSSL does not provide a default set of trust anchors. Many
|
|
Linux distributions include a system default and configure OpenSSL to point
|
|
to that. Mozilla maintains an influential trust store that can be found at
|
|
<a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/">https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/</a>.</p>
|
|
<dl>
|
|
<dt><strong><a name="cafile_file" class="item"><strong>-CAfile</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Load the specified file which contains one or more PEM-format certificates
of CAs that are trusted.</p>
|
|
</dd>
|
|
<dt><strong><a name="no_cafile" class="item"><strong>-no-CAfile</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not load the default file of trusted certificates.</p>
|
|
</dd>
|
|
<dt><strong><a name="capath_dir" class="item"><strong>-CApath</strong> <em>dir</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Use the specified directory as a list of trust certificates. That is,
files should be named with the hash of the X.509 SubjectName of each
certificate. This is so that the library can extract the IssuerName,
hash it, and directly look up the file to get the issuer certificate.
See <a href="#rehash">openssl-rehash(1)</a> for information on creating this type of directory.</p>
|
|
</dd>
|
|
<dt><strong><a name="no_capath" class="item"><strong>-no-CApath</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not use the default directory of trusted certificates.</p>
|
|
</dd>
|
|
<dt><strong><a name="castore_uri" class="item"><strong>-CAstore</strong> <em>uri</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Use <em>uri</em> as a store of trusted CA certificates. The URI may
indicate a single certificate, as well as a collection of them.
With URIs in the <code>file:</code> scheme, this acts as <strong>-CAfile</strong> or
<strong>-CApath</strong>, depending on whether the URI indicates a single file or
a directory.
See <em>ossl_store-file(7)</em> for more information on the <code>file:</code> scheme.</p>
|
|
<p>These certificates are also used when building the server certificate
|
|
chain (for example with <a href="#s_server">openssl-s_server(1)</a>) or client certificate
|
|
chain (for example with <a href="#s_time">openssl-s_time(1)</a>).</p>
|
|
</dd>
|
|
<dt><strong><a name="no_castore" class="item"><strong>-no-CAstore</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Do not use the default store.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<h2><a name="random_state_options">Random State Options</a></h2>
|
|
<p>Prior to OpenSSL 3.0, it was common for applications to store information
|
|
about the state of the random-number generator in a file that was loaded
|
|
at startup and rewritten upon exit. On modern operating systems, this is
|
|
generally no longer necessary as OpenSSL will seed itself from the
|
|
appropriate CPU flags, device files, and so on. These flags are still
|
|
supported for special platforms or circumstances that might require them.</p>
|
|
<p>It is generally an error to use the same seed file more than once and
|
|
every use of <strong>-rand</strong> should be paired with <strong>-writerand</strong>.</p>
|
|
<dl>
|
|
<dt><strong><a name="rand_files" class="item"><strong>-rand</strong> <em>files</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>A file or files containing random data used to seed the random number
|
|
generator.
|
|
Multiple files can be specified separated by an OS-dependent character.
|
|
The separator is <code>;</code> for MS-Windows, <code>,</code> for OpenVMS, and <code>:</code> for
|
|
all others. Another way to specify multiple files is to repeat this flag
|
|
with different filenames.</p>
|
|
</dd>
|
|
<dt><strong><a name="writerand_file" class="item"><strong>-writerand</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Writes the seed data to the specified <em>file</em> upon exit.
|
|
This file can be used in a subsequent command invocation.</p>
|
|
</dd>
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<h2><a name="extended_verification_options">Extended Verification Options</a></h2>
|
|
<p>Sometimes there may be more than one certificate chain leading to an
end-entity certificate.
This usually happens when a root or intermediate CA signs a certificate
for a CA in another organization.
Another reason is that a CA might have intermediates that use two different
signature formats, such as a SHA-1 and a SHA-256 digest.</p>
|
|
<p>The following options can be used to provide data that will allow the
|
|
OpenSSL command to generate an alternative chain.</p>
|
|
<dl>
|
|
<dt><strong><a name="xchain_build" class="item"><strong>-xchain_build</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Specify whether the application should build the certificate chain to be
|
|
provided to the server for the extra certificates via the <strong>-xkey</strong>,
|
|
<strong>-xcert</strong>, and <strong>-xchain</strong> options.</p>
|
|
</dd>
|
|
<dt><strong><a name="xkey_infile_xcert_infile_xchain" class="item"><strong>-xkey</strong> <em>infile</em>, <strong>-xcert</strong> <em>infile</em>, <strong>-xchain</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Specify an extra certificate, private key and certificate chain. These behave
|
|
in the same manner as the <strong>-cert</strong>, <strong>-key</strong> and <strong>-cert_chain</strong> options. When
|
|
specified, the callback returning the first valid chain will be in use by the
|
|
client.</p>
|
|
</dd>
|
|
<dt><strong><a name="xcertform_der_pem_xkeyform_der_pem" class="item"><strong>-xcertform</strong> <strong>DER</strong>|<strong>PEM</strong>, <strong>-xkeyform</strong> <strong>DER</strong>|<strong>PEM</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The input format for the extra certificate and key, respectively.
|
|
See <em>openssl(1)/Format Options</em> for details.</p>
|
|
</dd>
|
|
|
|
</dl>
|
|
<p>
|
|
</p>
|
|
<h2><a name="verification_options">Verification Options</a></h2>
|
|
<p>Many OpenSSL commands verify certificates. The details of how each
|
|
command handles errors are documented on the specific command page.</p>
|
|
<p>Verification is a complicated process, consisting of a number of separate
|
|
steps that are detailed in the following paragraphs.</p>
|
|
<p>First, a certificate chain is built up starting from the supplied certificate
|
|
and ending in a root CA. It is an error if the whole chain cannot be
|
|
built up. The chain is built up by looking up the certificate that
|
|
signed (or issued) the certificate. It then repeats the process, until
|
|
it gets to a certificate that is self-issued.</p>
|
|
<p>The process of looking up the issuer's certificate itself involves a number
of steps. First, all certificates whose subject name matches the issuer
name of the current certificate are subject to further tests. The relevant
authority key identifier components of the current certificate (if present)
must match the subject key identifier (if present) and issuer and serial
number of the candidate issuer; in addition, the keyUsage extension of the
candidate issuer (if present) must permit certificate signing.</p>
|
|
<p>The lookup first looks in the list of untrusted certificates and if no match
|
|
is found the remaining lookups are from the trusted certificates. The root CA
|
|
is always looked up in the trusted certificate list: if the certificate to
|
|
verify is a root certificate then an exact match must be found in the trusted
|
|
list.</p>
|
|
<p>The second step is to check every untrusted certificate's extensions
|
|
for consistency with the supplied purpose. If the <strong>-purpose</strong> option is
|
|
not included then no checks are done. The supplied or "leaf" certificate
|
|
must have extensions compatible with the supplied purpose and all other
|
|
certificates must also be valid CA certificates. The precise extensions
|
|
required are described in more detail in
|
|
<em>openssl-x509(1)/CERTIFICATE EXTENSIONS</em>.</p>
|
|
<p>The third step is to check the trust settings on the root CA. The root
|
|
CA should be trusted for the supplied purpose. For compatibility with
|
|
previous versions of OpenSSL, a certificate with no trust settings is
|
|
considered to be valid for all purposes.</p>
|
|
<p>The fourth, and final, step is to check the validity of the certificate
|
|
chain. The validity period is checked against the system time
|
|
and the <code>notBefore</code> and <code>notAfter</code> dates in the certificate. The certificate
|
|
signatures are also checked at this point. The <strong>-attime</strong> flag may be
|
|
used to specify a time other than "now."</p>
|
|
<p>If all operations complete successfully then the certificate is considered
valid. If any operation fails then the certificate is not valid.</p>
|
|
<p>The details of the processing steps can be fine-tuned with the
|
|
following flags.</p>
|
|
<dl>
|
|
<dt><strong><a name="verbose" class="item"><strong>-verbose</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Print extra information about the operations being performed.</p>
|
|
</dd>
|
|
<dt><strong><a name="attime_timestamp" class="item"><strong>-attime</strong> <em>timestamp</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Perform validation checks using time specified by <em>timestamp</em> and not
|
|
current system time. <em>timestamp</em> is the number of seconds since
|
|
January 1, 1970 (i.e., the Unix Epoch).</p>
|
|
</dd>
|
|
<dt><strong><a name="no_check_time" class="item"><strong>-no_check_time</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This option suppresses checking the validity period of certificates and CRLs
|
|
against the current time. If option <strong>-attime</strong> is used to specify
|
|
a verification time, the check is not suppressed.</p>
|
|
</dd>
|
|
<dt><strong><a name="x509_strict" class="item"><strong>-x509_strict</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This disables non-compliant workarounds for broken certificates.</p>
|
|
</dd>
|
|
<dt><strong><a name="ignore_critical" class="item"><strong>-ignore_critical</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Normally if an unhandled critical extension is present which is not
|
|
supported by OpenSSL the certificate is rejected (as required by <a href="http://www.ietf.org/rfc/rfc5280.txt" class="rfc">RFC5280</a>).
|
|
If this option is set critical extensions are ignored.</p>
|
|
</dd>
|
|
<dt><strong><a name="issuer_checks" class="item"><strong>-issuer_checks</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Ignored.</p>
|
|
</dd>
|
|
<dt><strong><a name="crl_check" class="item"><strong>-crl_check</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Checks end entity certificate validity by attempting to look up a valid CRL.
|
|
If a valid CRL cannot be found an error occurs.</p>
|
|
</dd>
|
|
<dt><strong><a name="crl_check_all" class="item"><strong>-crl_check_all</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Checks the validity of <strong>all</strong> certificates in the chain by attempting
|
|
to look up valid CRLs.</p>
|
|
</dd>
|
|
<dt><strong><a name="use_deltas" class="item"><strong>-use_deltas</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Enable support for delta CRLs.</p>
|
|
</dd>
|
|
<dt><strong><a name="extended_crl" class="item"><strong>-extended_crl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Enable extended CRL features such as indirect CRLs and alternate CRL
|
|
signing keys.</p>
|
|
</dd>
|
|
<dt><strong><a name="suiteb_128_only_suiteb_128_suiteb_192" class="item"><strong>-suiteB_128_only</strong>, <strong>-suiteB_128</strong>, <strong>-suiteB_192</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Enable Suite B mode of operation at the 128 bit Level of Security only, at
the 128 bit or 192 bit Level of Security, or at the 192 bit Level of Security
only, respectively.
See <a href="http://www.ietf.org/rfc/rfc6460.txt" class="rfc">RFC6460</a> for details. In particular, the supported signature algorithms are
reduced to ECDSA with SHA256 or SHA384 only, and the supported elliptic curves
to P-256 and P-384 only.</p>
|
|
</dd>
|
|
<dt><strong><a name="auth_level_level" class="item"><strong>-auth_level</strong> <em>level</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Set the certificate chain authentication security level to <em>level</em>.
|
|
The authentication security level determines the acceptable signature and
|
|
public key strength when verifying certificate chains. For a certificate
|
|
chain to validate, the public keys of all the certificates must meet the
|
|
specified security <em>level</em>. The signature algorithm security level is
|
|
enforced for all the certificates in the chain except for the chain's
|
|
<em>trust anchor</em>, which is either directly trusted or validated by means
|
|
other than its signature. See <em>SSL_CTX_set_security_level(3)</em> for the
|
|
definitions of the available levels. The default security level is -1,
|
|
or "not set". At security level 0 or lower all algorithms are acceptable.
|
|
Security level 1 requires at least 80-bit-equivalent security and is broadly
|
|
interoperable, though it will, for example, reject MD5 signatures or RSA
|
|
keys shorter than 1024 bits.</p>
|
|
</dd>
|
|
<dt><strong><a name="partial_chain" class="item"><strong>-partial_chain</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Allow verification to succeed even if a <em>complete</em> chain cannot be built to a
|
|
self-signed trust-anchor, provided it is possible to construct a chain to a
|
|
trusted certificate that might not be self-signed.</p>
|
|
</dd>
|
|
<dt><strong><a name="check_ss_sig" class="item"><strong>-check_ss_sig</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Verify the signature on the self-signed root CA. This is disabled by default
|
|
because it doesn't add any security.</p>
|
|
</dd>
|
|
<dt><strong><a name="allow_proxy_certs" class="item"><strong>-allow_proxy_certs</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Allow the verification of proxy certificates.</p>
|
|
</dd>
|
|
<dt><strong><a name="trusted_first" class="item"><strong>-trusted_first</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.</p>
|
|
</dd>
|
|
<dt><strong><a name="no_alt_chains" class="item"><strong>-no_alt_chains</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>As of OpenSSL 1.1.0, since <strong>-trusted_first</strong> is always on, this option has no
effect.</p>
|
|
</dd>
|
|
<dt><strong><a name="trusted_file" class="item"><strong>-trusted</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Parse <em>file</em> as a set of one or more certificates in PEM format.
|
|
All certificates must be self-signed, unless the
|
|
<strong>-partial_chain</strong> option is specified.
|
|
This option implies the <strong>-no-CAfile</strong> and <strong>-no-CApath</strong> options and it
|
|
cannot be used with either the <strong>-CAfile</strong> or <strong>-CApath</strong> options, so
|
|
only certificates in the file are trust anchors.
|
|
This option may be used multiple times.</p>
|
|
</dd>
|
|
<dt><strong><a name="untrusted_file" class="item"><strong>-untrusted</strong> <em>file</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Parse <em>file</em> as a set of one or more certificates in PEM format.
|
|
All certificates are untrusted certificates that may be used to
|
|
construct a certificate chain from the subject certificate to a trust anchor.
|
|
This option may be used multiple times.</p>
|
|
</dd>
|
|
<dt><strong><a name="policy_arg" class="item"><strong>-policy</strong> <em>arg</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Enable policy processing and add <em>arg</em> to the user-initial-policy-set (see
<a href="http://www.ietf.org/rfc/rfc5280.txt" class="rfc">RFC5280</a>). The policy <em>arg</em> can be an object name or an OID in numeric form.
This argument can appear more than once.</p>
|
|
</dd>
|
|
<dt><strong><a name="explicit_policy" class="item"><strong>-explicit_policy</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Set policy variable require-explicit-policy (see <a href="http://www.ietf.org/rfc/rfc5280.txt" class="rfc">RFC5280</a>).</p>
|
|
</dd>
|
|
<dt><strong><a name="policy_check" class="item"><strong>-policy_check</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Enables certificate policy processing.</p>
|
|
</dd>
|
|
<dt><strong><a name="policy_print" class="item"><strong>-policy_print</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Print out diagnostics related to policy processing.</p>
|
|
</dd>
|
|
<dt><strong><a name="inhibit_any" class="item"><strong>-inhibit_any</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Set policy variable inhibit-any-policy (see <a href="http://www.ietf.org/rfc/rfc5280.txt" class="rfc">RFC5280</a>).</p>
|
|
</dd>
|
|
<dt><strong><a name="inhibit_map" class="item"><strong>-inhibit_map</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Set policy variable inhibit-policy-mapping (see <a href="http://www.ietf.org/rfc/rfc5280.txt" class="rfc">RFC5280</a>).</p>
|
|
</dd>
|
|
<dt><strong><a name="purpose_purpose" class="item"><strong>-purpose</strong> <em>purpose</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>The intended use for the certificate. If this option is not specified, this
|
|
command will not consider certificate purpose during chain verification.
|
|
Currently accepted uses are <strong>sslclient</strong>, <strong>sslserver</strong>, <strong>nssslserver</strong>,
|
|
<strong>smimesign</strong>, <strong>smimeencrypt</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_depth_num" class="item"><strong>-verify_depth</strong> <em>num</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Limit the certificate chain to <em>num</em> intermediate CA certificates.
|
|
A maximal depth chain can have up to <em>num</em>+2 certificates, since neither the
|
|
end-entity certificate nor the trust-anchor certificate count against the
|
|
<strong>-verify_depth</strong> limit.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_email_email" class="item"><strong>-verify_email</strong> <em>email</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Verify if <em>email</em> matches the email address in Subject Alternative Name or
|
|
the email in the subject Distinguished Name.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_hostname_hostname" class="item"><strong>-verify_hostname</strong> <em>hostname</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Verify if <em>hostname</em> matches DNS name in Subject Alternative Name or
|
|
Common Name in the subject certificate.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_ip_ip" class="item"><strong>-verify_ip</strong> <em>ip</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Verify if <em>ip</em> matches the IP address in Subject Alternative Name of
|
|
the subject certificate.</p>
|
|
</dd>
|
|
<dt><strong><a name="verify_name_name" class="item"><strong>-verify_name</strong> <em>name</em></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Use default verification policies like trust model and required certificate
|
|
policies identified by <em>name</em>.
|
|
The trust model determines which auxiliary trust or reject OIDs are applicable
|
|
to verifying the given certificate chain.
|
|
See the <strong>-addtrust</strong> and <strong>-addreject</strong> options for <a href="#x509">openssl-x509(1)</a>.
|
|
Supported policy names include: <strong>default</strong>, <strong>pkcs7</strong>, <strong>smime_sign</strong>,
|
|
<strong>ssl_client</strong>, <strong>ssl_server</strong>.
|
|
These mimic the combinations of purpose and trust settings used in SSL, CMS
and S/MIME.
|
|
As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
|
|
specified, so the <strong>-verify_name</strong> options are functionally equivalent to the
|
|
corresponding <strong>-purpose</strong> settings.</p>
|
|
</dd>
|
|
</dl>
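<p>The chain-building, purpose, time and depth checks described in this section and the trust-store options of the section above, exercised against a throw-away three-level PKI. This is an added example, not part of the OpenSSL manual; it assumes a POSIX shell and an openssl binary on PATH, and every file name, subject name and host name in it is constructed for the demonstration.</p>

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual: a throw-away three-level PKI
# used to show how 'openssl verify' applies the trust-store and verification
# options described above. Assumes a POSIX shell and an openssl binary on PATH;
# every file name and subject below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

newkey() {   # $1 = output file; P-256 keys are quick to generate
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"
}

# Root CA -> intermediate CA -> server certificate for www.example.test.
# Subject/authority key identifiers are set so that the issuer lookup described
# above has key ids to match, not just names.
build_pki() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\n' > req.cnf
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> req.cnf
    printf 'subjectKeyIdentifier = hash\n' >> req.cnf
    newkey root.key; newkey int.key; newkey leaf.key
    openssl req -x509 -new -config req.cnf -key root.key -subj '/CN=Example Root CA' \
        -days 365 -out root.pem
    openssl req -new -config req.cnf -key int.key -subj '/CN=Example Intermediate CA' \
        -out int.csr
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > int.ext
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >> int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -extfile int.ext -out int.pem 2>/dev/null
    openssl req -new -config req.cnf -key leaf.key -subj '/CN=www.example.test' -out leaf.csr
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\n' > leaf.ext
    printf 'subjectAltName = DNS:www.example.test\nauthorityKeyIdentifier = keyid\n' >> leaf.ext
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # A hashed directory for -CApath, built with openssl-rehash(1)
    mkdir cadir && cp root.pem cadir/ && openssl rehash cadir 2>/dev/null
}

# Run a verify command and print "valid" or "invalid" instead of its exit status.
outcome() {
    if "$@" >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# The root is the trust anchor; the intermediate is only untrusted input used to
# build the chain (step one above). -no-CAfile/-no-CApath keep the system trust
# store out of the picture so the result depends on these files alone.
V="openssl verify -no-CAfile -no-CApath"
verify_full()        { $V -CAfile root.pem -untrusted int.pem leaf.pem; }
verify_capath()      { $V -CApath cadir -untrusted int.pem leaf.pem; }
verify_no_inter()    { $V -CAfile root.pem leaf.pem; }          # chain cannot be built
# -trusted makes the intermediate the anchor; as it is not self-signed, that
# only works together with -partial_chain
verify_trusted_int() { $V -trusted int.pem leaf.pem; }
verify_partial()     { $V -trusted int.pem -partial_chain leaf.pem; }
# -purpose checks the extensions (step two); -verify_hostname checks the SAN
verify_host()  { $V -CAfile root.pem -untrusted int.pem -purpose sslserver -verify_hostname "$1" leaf.pem; }
# -attime moves the validity-period check (step four) to another point in time
verify_at()    { $V -CAfile root.pem -untrusted int.pem -attime "$1" leaf.pem; }
# -verify_depth counts intermediates only: 0 rejects this chain, 1 accepts it
verify_depth() { $V -CAfile root.pem -untrusted int.pem -verify_depth "$1" leaf.pem; }

main() {
    build_pki
    echo "full chain, root in -CAfile:     $(outcome verify_full)"          # valid
    echo "same root via rehashed -CApath:  $(outcome verify_capath)"        # valid
    echo "intermediate not supplied:       $(outcome verify_no_inter)"      # invalid
    echo "intermediate as -trusted anchor: $(outcome verify_trusted_int)"   # invalid
    echo "... plus -partial_chain:         $(outcome verify_partial)"       # valid
    echo "hostname www.example.test:       $(outcome verify_host www.example.test)"    # valid
    echo "hostname other.example.test:     $(outcome verify_host other.example.test)"  # invalid
    echo "-attime 1000000000 (2001):       $(outcome verify_at 1000000000)" # invalid: not yet valid
    echo "-verify_depth 0 / 1:             $(outcome verify_depth 0) / $(outcome verify_depth 1)"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not on PATH; nothing to demonstrate" >&2
fi
```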
|
|
<p>
|
|
</p>
|
|
<h2><a name="name_format_options">Name Format Options</a></h2>
|
|
<p>OpenSSL provides fine-grain control over how the subject and issuer DN's are
|
|
displayed.
|
|
This is specified by using the <strong>-nameopt</strong> option, which takes a
|
|
comma-separated list of options from the following set.
|
|
An option may be preceded by a minus sign, <code>-</code>, to turn it off.
|
|
The default value is <a href="#oneline"><code>oneline</code></a>.
|
|
The first four are the most commonly used.</p>
|
|
<dl>
|
|
<dt><strong><a name="compat" class="item"><strong>compat</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display the name using an old format from previous OpenSSL versions.</p>
|
|
</dd>
|
|
<dt><strong><a name="rfc2253" class="item"><strong>RFC2253</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display the name using the format defined in <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a>.
|
|
It is equivalent to <strong>esc_2253</strong>, <strong>esc_ctrl</strong>, <strong>esc_msb</strong>, <strong>utf8</strong>,
|
|
<strong>dump_nostr</strong>, <strong>dump_unknown</strong>, <strong>dump_der</strong>, <strong>sep_comma_plus</strong>, <strong>dn_rev</strong>
|
|
and <strong>sname</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="oneline" class="item"><strong>oneline</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display the name in one line, using a format that is more readable than
<a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a>.
It is equivalent to <strong>esc_2253</strong>, <strong>esc_ctrl</strong>, <strong>esc_msb</strong>, <strong>utf8</strong>,
<strong>dump_nostr</strong>, <strong>dump_der</strong>, <strong>use_quote</strong>, <strong>sep_comma_plus_space</strong>,
<strong>space_eq</strong> and <strong>sname</strong> options.</p>
|
|
</dd>
|
|
<dt><strong><a name="multiline" class="item"><strong>multiline</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display the name using multiple lines.
|
|
It is equivalent to <strong>esc_ctrl</strong>, <strong>esc_msb</strong>, <strong>sep_multiline</strong>, <strong>space_eq</strong>,
|
|
<strong>lname</strong> and <strong>align</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="esc_2253" class="item"><strong>esc_2253</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Escape the "special" characters in a field, as required by <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a>.
|
|
That is, any of the characters <code>,+"<>;</code>, <code>#</code> at the beginning of
|
|
a string and leading or trailing spaces.</p>
|
|
</dd>
|
|
<dt><strong><a name="esc_2254" class="item"><strong>esc_2254</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Escape the "special" characters in a field as required by <a href="http://www.ietf.org/rfc/rfc2254.txt" class="rfc">RFC 2254</a>.
That is, the <strong>NUL</strong> character and any of <code>()*</code>.</p>
|
|
</dd>
|
|
<dt><strong><a name="esc_ctrl" class="item"><strong>esc_ctrl</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Escape non-printable ASCII characters, codes less than 0x20 (space)
|
|
or greater than 0x7F (DELETE). They are displayed using <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a> <code>\XX</code>
|
|
notation where <strong>XX</strong> are the two hex digits representing the character value.</p>
|
|
</dd>
|
|
<dt><strong><a name="esc_msb" class="item"><strong>esc_msb</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Escape any characters with the most significant bit set, that is with
|
|
values larger than 127, as described in <strong>esc_ctrl</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="use_quote" class="item"><strong>use_quote</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Escapes some characters by surrounding the entire string with quotation
marks, <code>"</code>.
Without this option, individual special characters are preceded with
a backslash character, <code>\</code>.</p>
|
|
</dd>
|
|
<dt><strong><a name="utf8" class="item"><strong>utf8</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Convert all strings to UTF-8 format first as required by <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a>.
|
|
If the output device is UTF-8 compatible, then using this option (and
|
|
not setting <strong>esc_msb</strong>) may give the correct display of multibyte
|
|
characters.
|
|
If this option is not set, then multibyte characters larger than 0xFF
|
|
will be output as <code>\UXXXX</code> for 16 bits or <code>\WXXXXXXXX</code> for 32 bits.
|
|
In addition, any UTF8Strings will be converted to their character form first.</p>
|
|
</dd>
|
|
<dt><strong><a name="ignore_type" class="item"><strong>ignore_type</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>This option does not attempt to interpret multibyte characters in any
|
|
way. That is, the content octets are merely dumped as though one octet
|
|
represents each character. This is useful for diagnostic purposes but
|
|
will result in rather odd looking output.</p>
|
|
</dd>
|
|
<dt><strong><a name="show_type" class="item"><strong>show_type</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Display the type of the ASN1 character string before the value,
|
|
such as <code>BMPSTRING: Hello World</code>.</p>
|
|
</dd>
|
|
<dt><strong><a name="dump_der" class="item"><strong>dump_der</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Any fields that would be output in hex format are displayed using
|
|
the DER encoding of the field.
|
|
If not set, just the content octets are displayed.
|
|
Either way, the <strong>#XXXX...</strong> format of <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a> is used.</p>
|
|
</dd>
|
|
<dt><strong><a name="dump_nostr" class="item"><strong>dump_nostr</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Dump non-character strings, such as ASN.1 <strong>OCTET STRING</strong>.
|
|
If this option is not set, then non character string types will be displayed
|
|
as though each content octet represents a single character.</p>
|
|
</dd>
|
|
<dt><strong><a name="dump_all" class="item"><strong>dump_all</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Dump all fields. When this is used with <strong>dump_der</strong>, this allows the
DER encoding of the structure to be unambiguously determined.</p>
|
|
</dd>
|
|
<dt><strong><a name="dump_unknown" class="item"><strong>dump_unknown</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Dump any field whose OID is not recognised by OpenSSL.</p>
|
|
</dd>
|
|
<dt><strong><a name="sep_comma_plus_sep_comma_plus_space_sep_semi_plus_space_sep_multiline" class="item"><strong>sep_comma_plus</strong>, <strong>sep_comma_plus_space</strong>, <strong>sep_semi_plus_space</strong>,
|
|
<strong>sep_multiline</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Specify the field separators. The first word is used between the
Relative Distinguished Names (RDNs) and the second is between
multiple Attribute Value Assertions (AVAs). Multiple AVAs are
very rare and their use is discouraged.
The options ending in "space" additionally place a space after the separator to make it more readable.
<strong>sep_multiline</strong> starts each field on its own line, and uses "plus space"
for the AVA separator.
It also indents the fields by four characters.
The default value is <strong>sep_comma_plus_space</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="dn_rev" class="item"><strong>dn_rev</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Reverse the fields of the DN as required by <a href="http://www.ietf.org/rfc/rfc2253.txt" class="rfc">RFC 2253</a>.
|
|
This also reverses the order of multiple AVAs in a field, but this is
|
|
permissible as there is no ordering on values.</p>
|
|
</dd>
|
|
<dt><strong><a name="nofname_sname_lname_oid" class="item"><strong>nofname</strong>, <strong>sname</strong>, <strong>lname</strong>, <strong>oid</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Specify how the field name is displayed.
|
|
<strong>nofname</strong> does not display the field at all.
|
|
<strong>sname</strong> uses the "short name" form (CN for commonName for example).
|
|
<strong>lname</strong> uses the long form.
|
|
<strong>oid</strong> represents the OID in numerical form and is useful for
|
|
diagnostic purpose.</p>
|
|
</dd>
|
|
<dt><strong><a name="align" class="item"><strong>align</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Align field values for a more readable output. Only usable with
|
|
<strong>sep_multiline</strong>.</p>
|
|
</dd>
|
|
<dt><strong><a name="space_eq" class="item"><strong>space_eq</strong></a></strong></dt>
|
|
|
|
<dd>
|
|
<p>Places spaces around the equal sign, <code>=</code>, which follows the field
name.</p>
|
|
</dd>
|
|
</dl>
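<p>The same subject name printed under several of the <strong>-nameopt</strong> settings above (the <strong>RFC2253</strong> and <strong>oneline</strong> presets, and <strong>oneline</strong> with <strong>use_quote</strong> and <strong>esc_msb</strong> switched off), as an added example that is not part of the OpenSSL manual. It assumes a POSIX shell and an openssl binary on PATH; the certificate subject, containing a comma and a non-ASCII character, is constructed for the demonstration.</p>

```shell
#!/bin/sh
# Added example, not part of the OpenSSL manual: the same subject name printed
# under several -nameopt settings from the list above. Assumes a POSIX shell
# and an openssl binary on PATH; the subject values are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate whose subject contains an RFC 2253 "special"
# character (the comma in O) and a non-ASCII character (the ü in CN).
# -utf8 makes req store the values as UTF8String.
make_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/key.pem"
    openssl req -x509 -new -config "$WORK/req.cnf" -utf8 -key "$WORK/key.pem" \
        -subj '/O=Example, Inc./CN=Müller' -days 1 -out "$WORK/cert.pem"
}

# Print the subject using the given -nameopt list, e.g. "oneline,-esc_msb".
subject_as() {
    openssl x509 -in "$WORK/cert.pem" -noout -subject -nameopt "$1"
}

main() {
    make_cert
    # RFC2253:           subject=CN=M\C3\BCller,O=Example\, Inc.   (dn_rev, \-escapes)
    # oneline:           subject=O = "Example, Inc.", CN = M\C3\BCller   (use_quote)
    # oneline,-use_quote subject=O = Example\, Inc., CN = M\C3\BCller
    # oneline,-esc_msb   subject=O = "Example, Inc.", CN = Müller   (raw UTF-8 bytes)
    for opt in RFC2253 oneline oneline,-use_quote oneline,-esc_msb multiline; do
        printf '%-20s %s\n' "$opt:" "$(subject_as "$opt")"
    done
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not on PATH; nothing to demonstrate" >&2
fi
```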
<p>
</p>
<h2><a name="tls_version_options">TLS Version Options</a></h2>
<p>Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.</p>
<p>The options below can be used to limit which protocol versions are used,
and whether TCP (SSL and TLS) or UDP (DTLS) is used.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.</p>
<dl>
<dt><strong><a name="ssl3_tls1_tls1_1_tls1_2_tls1_3_no_ssl3_no_tls1_no_tls1_1_no_tls1_2_no_tls1_3" class="item"><strong>-ssl3</strong>, <strong>-tls1</strong>, <strong>-tls1_1</strong>, <strong>-tls1_2</strong>, <strong>-tls1_3</strong>, <strong>-no_ssl3</strong>, <strong>-no_tls1</strong>, <strong>-no_tls1_1</strong>, <strong>-no_tls1_2</strong>, <strong>-no_tls1_3</strong></a></strong></dt>

<dd>
<p>These options require or disable the use of the specified SSL or TLS protocols.
When a specific TLS version is required, only that version will be offered or
accepted.
Only one specific protocol can be given and it cannot be combined with any of
the <strong>no_</strong> options.</p>
</dd>
<dt><strong><a name="dtls_dtls1_dtls1_2" class="item"><strong>-dtls</strong>, <strong>-dtls1</strong>, <strong>-dtls1_2</strong></a></strong></dt>

<dd>
<p>These options specify to use DTLS instead of TLS.
With <strong>-dtls</strong>, clients will negotiate any supported DTLS protocol version.
Use the <strong>-dtls1</strong> or <strong>-dtls1_2</strong> options to support only DTLS1.0 or DTLS1.2,
respectively.</p>
</dd>
</dl>
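<p>Added example (not part of the OpenSSL manual page or of the project's own code): a POSIX shell script that starts a local <strong>s_server</strong> restricted to TLS 1.2 with <strong>-tls1_2</strong>, then connects with <strong>s_client</strong> under several version options, to confirm the negotiation rule stated above (the default client lands on the highest version the server allows) and that a client requiring <strong>-tls1_3</strong> or disabling <strong>-no_tls1_2</strong> is refused. It assumes the <code>openssl</code> binary (1.1.1 or later, so that <strong>-tls1_3</strong> exists) is on PATH and that loopback sockets are permitted; the certificate, port and function names are constructed for the example.</p>

```shell
#!/bin/sh
# Added example; not from the OpenSSL manual page or project.
# Confirms that a server started with a TLS version policy (-tls1_2) enforces
# it, using the -tls1_x / -no_tls1_x options described above.
# Assumes: openssl 1.1.1+ on PATH and loopback sockets allowed.  The
# certificate and the port are constructed for the example.

WORK=$(mktemp -d)
PORT=$(( 20000 + $$ % 20000 ))   # arbitrary high loopback port (constructed)
SERVER_PID=

# Throwaway self-signed certificate for the test server (constructed data).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Start s_server on the loopback port with the given version option(s), e.g.
# "-tls1_2".  -www makes it answer an HTTP GET and never read its own stdin,
# so it keeps accepting connections until it is killed.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -www $1 >/dev/null 2>&1 </dev/null &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 50 ]; do          # wait up to ~5 s for the listener
        if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
               -CAfile "$WORK/cert.pem" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 0.1
    done
    return 1
}

stop_server() {
    if [ -n "$SERVER_PID" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
    fi
    SERVER_PID=
}

# Connect with the given client version option(s) and print the protocol the
# handshake ended on (e.g. "TLSv1.2"), or nothing if the handshake failed.
negotiated_version() {
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
              -CAfile "$WORK/cert.pem" $1 2>/dev/null) || true
    # A failed handshake reports "Cipher is (NONE)"; report it as no version.
    case "$out" in *"Cipher is (NONE)"*|"") printf '\n'; return 0 ;; esac
    v=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$out" | sed -n 's/^New, \([^,]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "$v"
}

# Server policy: TLS 1.2 only.  Probe it with four client configurations and
# leave the results in DEFAULT_CLIENT, PINNED_12, PINNED_13 and WITHOUT_12.
run_demo() {
    make_test_cert || return 1
    start_server -tls1_2 || { stop_server; return 1; }
    DEFAULT_CLIENT=$(negotiated_version "")        # client offers its whole range
    PINNED_12=$(negotiated_version -tls1_2)        # client requires exactly 1.2
    PINNED_13=$(negotiated_version -tls1_3)        # client requires exactly 1.3
    WITHOUT_12=$(negotiated_version -no_tls1_2)    # client disables 1.2
    stop_server
    printf 'server -tls1_2, client (default)  : %s\n' "${DEFAULT_CLIENT:-handshake failed}"
    printf 'server -tls1_2, client -tls1_2    : %s\n' "${PINNED_12:-handshake failed}"
    printf 'server -tls1_2, client -tls1_3    : %s\n' "${PINNED_13:-handshake failed}"
    printf 'server -tls1_2, client -no_tls1_2 : %s\n' "${WITHOUT_12:-handshake failed}"
}

trap 'stop_server; rm -rf "$WORK"' EXIT

run_demo
```

<p>This is the check to run after tightening a server's version policy: every version you disabled should show up as a failed handshake, and the default client should land on the version you expect. The same probe, pointed at a real host and port, works without the local server; the only difference is that <strong>-CAfile</strong> then names the trust anchor for that host.</p>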
<p>
</p>
<h2><a name="engine_options">Engine Options</a></h2>
<dl>
<dt><strong><a name="engine_id" class="item"><strong>-engine</strong> <em>id</em></a></strong></dt>

<dd>
<p>Use the engine identified by <em>id</em> and use all the methods it
implements (algorithms, key storage, etc.), unless the command-specific
documentation specifies otherwise or the configuration file does, as described
in <em>config(5)/Engine Configuration Module</em>.</p>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="environment">ENVIRONMENT</a></h1>
<p>The OpenSSL library can take some configuration parameters from the
environment. Some of these variables are listed below. For information
about specific commands, see <a href="#engine">openssl-engine(1)</a>, <a href="#provider">openssl-provider(1)</a>,
<a href="#rehash">openssl-rehash(1)</a>, and <em>tsget(1)</em>.</p>
<p>For information about the use of environment variables in configuration,
see <em>config(5)/ENVIRONMENT</em>.</p>
<p>For information about querying or specifying CPU architecture flags, see
<em>OPENSSL_ia32cap(3)</em> and <em>OPENSSL_s390xcap(3)</em>.</p>
<p>For information about all environment variables used by the OpenSSL libraries,
see <em>openssl-env(7)</em>.</p>
<dl>
<dt><strong><a name="openssl_trace_name" class="item"><strong>OPENSSL_TRACE=</strong><em>name</em>[,...]</a></strong></dt>

<dd>
<p>Enable tracing output of the OpenSSL library, by name.
This output will only make sense if you know OpenSSL internals well.
Also, it might not give you any output at all, depending on how
OpenSSL was built.</p>
<p>The value is a comma-separated list of names, with the following
available:</p>
<dl>
<dt><strong><a name="trace" class="item"><strong>TRACE</strong></a></strong></dt>

<dd>
<p>The tracing functionality.</p>
</dd>
<dt><strong><a name="tls" class="item"><strong>TLS</strong></a></strong></dt>

<dd>
<p>General SSL/TLS.</p>
</dd>
<dt><strong><a name="tls_cipher" class="item"><strong>TLS_CIPHER</strong></a></strong></dt>

<dd>
<p>SSL/TLS cipher.</p>
</dd>
<dt><strong><a name="engine_conf" class="item"><strong>ENGINE_CONF</strong></a></strong></dt>

<dd>
<p>ENGINE configuration.</p>
</dd>
<dt><strong><a name="engine_table" class="item"><strong>ENGINE_TABLE</strong></a></strong></dt>

<dd>
<p>The function that is used by RSA, DSA (etc) code to select registered
ENGINEs, cache defaults and functional references (etc), will generate
debugging summaries.</p>
</dd>
<dt><strong><a name="engine_ref_count" class="item"><strong>ENGINE_REF_COUNT</strong></a></strong></dt>

<dd>
<p>Reference counts in the ENGINE structure will be monitored, with a line
of output generated for each change.</p>
</dd>
<dt><strong><a name="pkcs5v2" class="item"><strong>PKCS5V2</strong></a></strong></dt>

<dd>
<p>PKCS#5 v2 keygen.</p>
</dd>
<dt><strong><a name="pkcs12_keygen" class="item"><strong>PKCS12_KEYGEN</strong></a></strong></dt>

<dd>
<p>PKCS#12 key generation.</p>
</dd>
<dt><strong><a name="pkcs12_decrypt" class="item"><strong>PKCS12_DECRYPT</strong></a></strong></dt>

<dd>
<p>PKCS#12 decryption.</p>
</dd>
<dt><strong><a name="x509v3_policy" class="item"><strong>X509V3_POLICY</strong></a></strong></dt>

<dd>
<p>Generates the complete policy tree at various points during X.509 v3
policy evaluation.</p>
</dd>
<dt><strong><a name="bn_ctx" class="item"><strong>BN_CTX</strong></a></strong></dt>

<dd>
<p>BIGNUM context.</p>
</dd>
</dl>
</dd>
</dl>
<p>
</p>
<hr />
<h1><a name="see_also">SEE ALSO</a></h1>
<p><a href="#asn1parse">openssl-asn1parse(1)</a>,
<a href="#ca">openssl-ca(1)</a>,
<a href="#ciphers">openssl-ciphers(1)</a>,
<a href="#cms">openssl-cms(1)</a>,
<a href="#crl">openssl-crl(1)</a>,
<a href="#crl2pkcs7">openssl-crl2pkcs7(1)</a>,
<a href="#dgst">openssl-dgst(1)</a>,
<a href="#dhparam">openssl-dhparam(1)</a>,
<a href="#dsa">openssl-dsa(1)</a>,
<a href="#dsaparam">openssl-dsaparam(1)</a>,
<a href="#ec">openssl-ec(1)</a>,
<a href="#ecparam">openssl-ecparam(1)</a>,
<a href="#enc">openssl-enc(1)</a>,
<a href="#engine">openssl-engine(1)</a>,
<a href="#errstr">openssl-errstr(1)</a>,
<a href="#gendsa">openssl-gendsa(1)</a>,
<a href="#genpkey">openssl-genpkey(1)</a>,
<a href="#genrsa">openssl-genrsa(1)</a>,
<a href="#kdf">openssl-kdf(1)</a>,
<a href="#mac">openssl-mac(1)</a>,
<a href="#nseq">openssl-nseq(1)</a>,
<a href="#ocsp">openssl-ocsp(1)</a>,
<a href="#passwd">openssl-passwd(1)</a>,
<a href="#pkcs12">openssl-pkcs12(1)</a>,
<a href="#pkcs7">openssl-pkcs7(1)</a>,
<a href="#pkcs8">openssl-pkcs8(1)</a>,
<a href="#pkey">openssl-pkey(1)</a>,
<a href="#pkeyparam">openssl-pkeyparam(1)</a>,
<a href="#pkeyutl">openssl-pkeyutl(1)</a>,
<a href="#prime">openssl-prime(1)</a>,
<a href="#rand">openssl-rand(1)</a>,
<a href="#rehash">openssl-rehash(1)</a>,
<a href="#req">openssl-req(1)</a>,
<a href="#rsa">openssl-rsa(1)</a>,
<a href="#rsautl">openssl-rsautl(1)</a>,
<a href="#s_client">openssl-s_client(1)</a>,
<a href="#s_server">openssl-s_server(1)</a>,
<a href="#s_time">openssl-s_time(1)</a>,
<a href="#sess_id">openssl-sess_id(1)</a>,
<a href="#smime">openssl-smime(1)</a>,
<a href="#speed">openssl-speed(1)</a>,
<a href="#spkac">openssl-spkac(1)</a>,
<a href="#srp">openssl-srp(1)</a>,
<a href="#storeutl">openssl-storeutl(1)</a>,
<a href="#ts">openssl-ts(1)</a>,
<a href="#verify">openssl-verify(1)</a>,
<a href="#version">openssl-version(1)</a>,
<a href="#x509">openssl-x509(1)</a>,
<em>config(5)</em>,
<em>crypto(7)</em>,
<em>openssl-env(7)</em>,
<em>ssl(7)</em>,
<em>x509v3_config(5)</em></p>
<p>
</p>
<hr />
<h1><a name="history">HISTORY</a></h1>
<p>The <strong>list -</strong><em>XXX</em><strong>-algorithms</strong> options were added in OpenSSL 1.0.0.
For notes on the availability of other commands, see their individual
manual pages.</p>
<p>The <strong>-issuer_checks</strong> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.</p>
<p>
</p>
<hr />
<h1><a name="copyright">COPYRIGHT</a></h1>
<p>Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.</p>
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>

</body>

</html>