.\" $NetBSD: openssl.1,v 1.13 2005/03/26 03:26:47 christos Exp $
|
|
.\"
|
|
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sh \" Subsection heading
|
|
.br
|
|
.if t .Sp
|
|
.ne 5
|
|
.PP
|
|
\fB\\$1\fR
|
|
.PP
|
|
..
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. | will give a
|
|
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
|
|
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
|
|
.\" expand to `' in nroff, nothing in troff, for use with C<>.
|
|
.tr \(*W-|\(bv\*(Tr
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C` ""
|
|
. ds C' ""
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
'br\}
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.if \nF \{\
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. nr % 0
|
|
. rr F
|
|
.\}
|
|
.\"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.hy 0
|
|
.if n .na
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "OPENSSL 1"
|
|
.TH OPENSSL 1 "2004-03-19" "0.9.7f" "OpenSSL"
|
|
.SH "NAME"
|
|
openssl \- OpenSSL command line tool
|
|
.SH "LIBRARY"
|
|
libcrypto, -lcrypto
|
|
.SH "SYNOPSIS"
|
|
.IX Header "SYNOPSIS"
|
|
\&\fBopenssl\fR
|
|
\&\fIcommand\fR
|
|
[ \fIcommand_opts\fR ]
|
|
[ \fIcommand_args\fR ]
|
|
.PP
|
|
\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ]
|
|
.PP
|
|
\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
|
|
v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
|
|
cryptography standards required by them.
|
|
.PP
|
|
The \fBopenssl\fR program is a command line tool for using the various
|
|
cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
|
|
It can be used for
|
|
.PP
|
|
.Vb 6
|
|
\& o Creation of RSA, DH and DSA key parameters
|
|
\& o Creation of X.509 certificates, CSRs and CRLs
|
|
\& o Calculation of Message Digests
|
|
\& o Encryption and Decryption with Ciphers
|
|
\& o SSL/TLS Client and Server Tests
|
|
\& o Handling of S/MIME signed or encrypted mail
|
|
.Ve
|
|
.SH "COMMAND SUMMARY"
|
|
.IX Header "COMMAND SUMMARY"
|
|
The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
|
|
\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
|
|
(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
|
|
.PP
|
|
The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR,
|
|
and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
|
|
of all standard commands, message digest commands, or cipher commands,
|
|
respectively, that are available in the present \fBopenssl\fR utility.
|
|
.PP
|
|
The pseudo-command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
|
|
specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
|
|
returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
|
|
and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and
|
|
nothing is printed to \fBstderr\fR. Additional command line arguments
|
|
are always ignored. Since for each cipher there is a command of the
|
|
same name, this provides an easy way for shell scripts to test for the
|
|
availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is
|
|
not able to detect pseudo-commands such as \fBquit\fR,
|
|
\&\fBlist\-\fR\fI...\fR\fB\-commands\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
|
|
.Sh "\s-1STANDARD\s0 \s-1COMMANDS\s0"
|
|
.IX Subsection "STANDARD COMMANDS"
|
|
.IP "\fBasn1parse\fR" 10
|
|
.IX Item "asn1parse"
|
|
Parse an \s-1ASN\s0.1 sequence.
|
|
.IP "\fBca\fR" 10
|
|
.IX Item "ca"
|
|
Certificate Authority (\s-1CA\s0) Management.
|
|
.IP "\fBciphers\fR" 10
|
|
.IX Item "ciphers"
|
|
Cipher Suite Description Determination.
|
|
.IP "\fBcrl\fR" 10
|
|
.IX Item "crl"
|
|
Certificate Revocation List (\s-1CRL\s0) Management.
|
|
.IP "\fBcrl2pkcs7\fR" 10
|
|
.IX Item "crl2pkcs7"
|
|
\&\s-1CRL\s0 to PKCS#7 Conversion.
|
|
.IP "\fBdgst\fR" 10
|
|
.IX Item "dgst"
|
|
Message Digest Calculation.
|
|
.IP "\fBdh\fR" 10
|
|
.IX Item "dh"
|
|
Diffie-Hellman Parameter Management.
|
|
Obsoleted by \fBdhparam\fR.
|
|
.IP "\fBdsa\fR" 10
|
|
.IX Item "dsa"
|
|
\&\s-1DSA\s0 Data Management.
|
|
.IP "\fBdsaparam\fR" 10
|
|
.IX Item "dsaparam"
|
|
\&\s-1DSA\s0 Parameter Generation.
|
|
.IP "\fBenc\fR" 10
|
|
.IX Item "enc"
|
|
Encoding with Ciphers.
|
|
.IP "\fBerrstr\fR" 10
|
|
.IX Item "errstr"
|
|
Error Number to Error String Conversion.
|
|
.IP "\fBdhparam\fR" 10
|
|
.IX Item "dhparam"
|
|
Generation and Management of Diffie-Hellman Parameters.
|
|
.IP "\fBgendh\fR" 10
|
|
.IX Item "gendh"
|
|
Generation of Diffie-Hellman Parameters.
|
|
Obsoleted by \fBdhparam\fR.
|
|
.IP "\fBgendsa\fR" 10
|
|
.IX Item "gendsa"
|
|
Generation of \s-1DSA\s0 Parameters.
|
|
.IP "\fBgenrsa\fR" 10
|
|
.IX Item "genrsa"
|
|
Generation of \s-1RSA\s0 Parameters.
|
|
.IP "\fBocsp\fR" 10
|
|
.IX Item "ocsp"
|
|
Online Certificate Status Protocol utility.
|
|
.IP "\fBpasswd\fR" 10
|
|
.IX Item "passwd"
|
|
Generation of hashed passwords.
|
|
.IP "\fBpkcs12\fR" 10
|
|
.IX Item "pkcs12"
|
|
PKCS#12 Data Management.
|
|
.IP "\fBpkcs7\fR" 10
|
|
.IX Item "pkcs7"
|
|
PKCS#7 Data Management.
|
|
.IP "\fBrand\fR" 10
|
|
.IX Item "rand"
|
|
Generate pseudo-random bytes.
|
|
.IP "\fBreq\fR" 10
|
|
.IX Item "req"
|
|
X.509 Certificate Signing Request (\s-1CSR\s0) Management.
|
|
.IP "\fBrsa\fR" 10
|
|
.IX Item "rsa"
|
|
\&\s-1RSA\s0 Data Management.
|
|
.IP "\fBrsautl\fR" 10
|
|
.IX Item "rsautl"
|
|
\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption.
|
|
.IP "\fBs_client\fR" 10
|
|
.IX Item "s_client"
|
|
This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
|
|
connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing
|
|
purposes only and provides only rudimentary interface functionality but
|
|
internally uses almost all functionality of the OpenSSL \fBssl\fR library.
|
|
.IP "\fBs_server\fR" 10
|
|
.IX Item "s_server"
|
|
This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
|
|
clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides
|
|
only rudimentary interface functionality but internally uses almost all
|
|
functionality of the OpenSSL \fBssl\fR library. It provides both its own command
|
|
line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
|
|
facility to emulate an SSL/TLS\-aware webserver.
|
|
.IP "\fBs_time\fR" 10
|
|
.IX Item "s_time"
|
|
\&\s-1SSL\s0 Connection Timer.
|
|
.IP "\fBsess_id\fR" 10
|
|
.IX Item "sess_id"
|
|
\&\s-1SSL\s0 Session Data Management.
|
|
.IP "\fBsmime\fR" 10
|
|
.IX Item "smime"
|
|
S/MIME mail processing.
|
|
.IP "\fBspeed\fR" 10
|
|
.IX Item "speed"
|
|
Algorithm Speed Measurement.
|
|
.IP "\fBverify\fR" 10
|
|
.IX Item "verify"
|
|
X.509 Certificate Verification.
|
|
.IP "\fBversion\fR" 10
|
|
.IX Item "version"
|
|
OpenSSL Version Information.
|
|
.IP "\fBx509\fR" 10
|
|
.IX Item "x509"
|
|
X.509 Certificate Data Management.
|
|
.Sh "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0"
|
|
.IX Subsection "MESSAGE DIGEST COMMANDS"
|
|
.IP "\fBmd2\fR" 10
|
|
.IX Item "md2"
|
|
\&\s-1MD2\s0 Digest
|
|
.IP "\fBmd5\fR" 10
|
|
.IX Item "md5"
|
|
\&\s-1MD5\s0 Digest
|
|
.IP "\fBmdc2\fR" 10
|
|
.IX Item "mdc2"
|
|
\&\s-1MDC2\s0 Digest
|
|
.IP "\fBrmd160\fR" 10
|
|
.IX Item "rmd160"
|
|
\&\s-1RMD\-160\s0 Digest
|
|
.IP "\fBsha\fR" 10
|
|
.IX Item "sha"
|
|
\&\s-1SHA\s0 Digest
|
|
.IP "\fBsha1\fR" 10
|
|
.IX Item "sha1"
|
|
\&\s-1SHA\-1\s0 Digest
|
|
.Sh "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0"
|
|
.IX Subsection "ENCODING AND CIPHER COMMANDS"
|
|
.IP "\fBbase64\fR" 10
|
|
.IX Item "base64"
|
|
Base64 Encoding
|
|
.IP "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
|
|
.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb"
|
|
Blowfish Cipher
|
|
.IP "\fBcast cast-cbc\fR" 10
|
|
.IX Item "cast cast-cbc"
|
|
\&\s-1CAST\s0 Cipher
|
|
.IP "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
|
|
.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb"
|
|
\&\s-1CAST5\s0 Cipher
|
|
.IP "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
|
|
.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb"
|
|
\&\s-1DES\s0 Cipher
|
|
.IP "\fBdes3 desx des\-ede3 des\-ede3\-cbc des\-ede3\-cfb des\-ede3\-ofb\fR" 10
|
|
.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb"
|
|
Triple-DES Cipher
|
|
.IP "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
|
|
.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb"
|
|
\&\s-1IDEA\s0 Cipher
|
|
.IP "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
|
|
.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb"
|
|
\&\s-1RC2\s0 Cipher
|
|
.IP "\fBrc4\fR" 10
|
|
.IX Item "rc4"
|
|
\&\s-1RC4\s0 Cipher
|
|
.IP "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
|
|
.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb"
|
|
\&\s-1RC5\s0 Cipher
|
|
.SH "PASS PHRASE ARGUMENTS"
|
|
.IX Header "PASS PHRASE ARGUMENTS"
|
|
Several commands accept password arguments, typically using \fB\-passin\fR
|
|
and \fB\-passout\fR for input and output passwords respectively. These allow
|
|
the password to be obtained from a variety of sources. Both of these
|
|
options take a single argument whose format is described below. If no
|
|
password argument is given and a password is required then the user is
|
|
prompted to enter one: this will typically be read from the current
|
|
terminal with echoing turned off.
|
|
.IP "\fBpass:password\fR" 10
|
|
.IX Item "pass:password"
|
|
the actual password is \fBpassword\fR. Since the password is given on the
command line, it is visible to utilities (like 'ps' under Unix); this form
should only be used where security is not important.
|
|
.IP "\fBenv:var\fR" 10
|
|
.IX Item "env:var"
|
|
obtain the password from the environment variable \fBvar\fR. Since
|
|
the environment of other processes is visible on certain platforms
|
|
(e.g. ps under certain Unix OSes), this option should be used with caution.
|
|
.IP "\fBfile:pathname\fR" 10
|
|
.IX Item "file:pathname"
|
|
the first line of \fBpathname\fR is the password. If the same \fBpathname\fR
|
|
argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
|
|
line will be used for the input password and the next line for the output
|
|
password. \fBpathname\fR need not refer to a regular file: it could for example
|
|
refer to a device or named pipe.
|
|
.IP "\fBfd:number\fR" 10
|
|
.IX Item "fd:number"
|
|
read the password from the file descriptor \fBnumber\fR. This can be used to
|
|
send the data via a pipe for example.
|
|
.IP "\fBstdin\fR" 10
|
|
.IX Item "stdin"
|
|
read the password from standard input.
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIconfig\fR\|(5),
|
|
\&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1),
|
|
\&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1),
|
|
\&\fIenc\fR\|(1), \fIgendsa\fR\|(1),
|
|
\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIopenssl\fR\|(1),
|
|
\&\fIpasswd\fR\|(1),
|
|
\&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1),
|
|
\&\fIrand\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1),
|
|
\&\fIrsautl\fR\|(1), \fIs_client\fR\|(1),
|
|
\&\fIs_server\fR\|(1), \fIs_time\fR\|(1),
|
|
\&\fIsmime\fR\|(1), \fIspkac\fR\|(1),
|
|
\&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1),
|
|
\&\fIcrypto\fR\|(3), \fIssl\fR\|(3)
|
|
.SH "HISTORY"
|
|
.IX Header "HISTORY"
|
|
The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
|
|
The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
|
|
the \fBno\-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
|
|
For notes on the availability of other commands, see their individual
|
|
manual pages.
|