7. Invocation parameters and options of openssl

openssl

openssl

Standard commands
asn1parse      ca             ciphers        crl            crl2pkcs7      
dgst           dh             dsa            dsaparam       enc            
errstr         gendh          gendsa         genrsa         nseq           
pkcs7          req            rsa            s_client       s_server       
s_time         sess_id        speed          verify         version        
x509           

Message Digest commands (see the `dgst' command for more details)
md2            md5            mdc2           rmd160         sha            
sha1           

Cipher commands (see the `enc' command for more details)
base64         bf             bf-cbc         bf-cfb         bf-ecb         
bf-ofb         cast           cast-cbc       cast5-cbc      cast5-cfb      
cast5-ecb      cast5-ofb      des            des-cbc        des-cfb        
des-ecb        des-ede        des-ede-cbc    des-ede-cfb    des-ede-ofb    
des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   des-ofb        
des3           desx           idea           idea-cbc       idea-cfb       
idea-ecb       idea-ofb       rc2            rc2-cbc        rc2-cfb        
rc2-ecb        rc2-ofb        rc4            rc5            rc5-cbc        
rc5-cfb        rc5-ecb        rc5-ofb        

asn1parse

asn1parse [options] < infile

where options are
 -inform arg   input format - one of DER TXT PEM
 -in arg       input file
 -offset arg   offset into file
 -length arg   lenth of chapion in file
 -i            indent entries
 -oid file     file of extra oid definitions
 -strparse offset
               a series of these can be used to 'dig' into multiple
               ASN1 blob wrappings

ca

usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - PEM private key file
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings

ciphers

usage: ciphers args

 -v          - verbose mode, a textual listing of the ciphers in SSLeay
 -ssl2       - SSL2 mode
 -ssl3       - SSL3 mode

crl

usage: crl args

 -inform arg     - input format - default PEM (one of DER, TXT or PEM)
 -outform arg    - output format - default PEM
 -text           - print out a text format version
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -hash           - print hash value
 -issuer         - print issuer DN
 -lastupdate     - lastUpdate field
 -nextupdate     - nextUpdate field
 -noout          - no CRL output

crl2pkcs7

crl2pkcs7 [options] < infile > outfile

where options are
 -inform arg    input format - one of DER TXT PEM
 -outform arg   output format - one of DER TXT PEM
 -in arg        input file
 -out arg       output file
 -certfile arg  certificates file of chain to a trusted CA
                (can be used more than once)
 -nocrl         no crl to load, just certs from '-certfile'

dgst

options are

-c   to output the digest with separating colons
-d   to output debug info
-md5 to use the md5 message digest algorithm (default)
-md2 to use the md2 message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha to use the sha message digest algorithm
-mdc2 to use the mdc2 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm

dh

dh [options] < infile > outfile

where options are
 -inform arg   input format - one of DER TXT PEM
 -outform arg  output format - one of DER TXT PEM
 -in arg       input file
 -out arg      output file
 -check        check the DH parameters
 -text         print a text form of the DH parameters
 -C            Output C code
 -noout        no output

dsa

dsa [options] < infile > outfile

where options are
 -inform arg   input format - one of DER NET PEM
 -outform arg  output format - one of DER NET PEM
 -in arg       input file
 -out arg      output file
 -des          encrypt PEM output with cbc des
 -des3         encrypt PEM output with ede cbc des using 168 bit key
 -idea         encrypt PEM output with cbc idea
 -text         print the key in text
 -noout        don't print key out
 -modulus      print the DSA public value

dsaparam

dsaparam [options] [bits] < infile > outfile

where options are
 -inform arg   input format - one of DER TXT PEM
 -outform arg  output format - one of DER TXT PEM
 -in arg       input file
 -out arg      output file
 -text         check the DSA parameters
 -C            Output C code
 -noout        no output
 -rand         files to use for random number input
 number        number of bits to use for generating private key

enc

enc

options are
-in <file>     input file
-out <file>    output fileencrypt
-e             encrypt
-d             decrypt
-a/-base64     base64 encode/decode, depending on encryption flag
-k             key is the next argument
-kfile         key is the first line of the file argument
-K/-iv         key/iv in hex is the next argument
-[pP]          print the iv/key (then exit if -P)
-bufsize <n>   buffer size
Cipher Types
des     : 56 bit key DES encryption
des_ede :112 bit key ede DES encryption
des_ede3:168 bit key ede DES encryption
idea    :128 bit key IDEA encryption
rc2     :128 bit key RC2 encryption
bf      :128 bit key BlowFish encryption
 -rc4   :128 bit key RC4 encryption
 -des-ecb      -des-cbc      -des-cfb      -des-ofb      -des  (des-cbc)
 -des-ede      -des-ede-cbc  -des-ede-cfb  -des-ede-ofb  -desx -none
 -des-ede3     -des-ede3-cbc -des-ede3-cfb -des-ede3-ofb -des3 (des-ede3-cbc)
 -idea-ecb     -idea-cbc     -idea-cfb     -idea-ofb     -idea (idea-cbc)
 -rc2-ecb      -rc2-cbc      -rc2-cfb      -rc2-ofb      -rc2  (rc2-cbc)
 -bf-ecb       -bf-cbc       -bf-cfb       -bf-ofb       -bf   (bf-cbc)
 -cast5-ecb    -cast5-cbc    -cast5-cfb    -cast5-ofb    -cast (cast5-cbc)
 -rc5-ecb      -rc5-cbc      -rc5-cfb      -rc5-ofb      -rc5  (rc5-cbc)

errstr

usage: errstr [-stats] <errno> ...

gendh

usage: gendh [args] [numbits]

 -out file - output the key to 'file
 -2    use 2 as the generator value
 -5    use 5 as the generator value
 -rand file:file:...
           - load the file (or the files in the directory) into
             the random number generator

genrsa

usage: genrsa [args] [numbits]

 -des      - encrypt the generated key with DES in cbc mode
 -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)
 -idea     - encrypt the generated key with IDEA in cbc mode
 -out file - output the key to 'file
 -f4       - use F4 (0x10001) for the E value
 -3        - use 3 for the E value
 -rand file:file:...
           - load the file (or the files in the directory) into
             the random number generator

nseq

Usage nseq [options]

where options are
-in file  input file
-out file output file
-toseq    output NS Sequence file

pkcs7

pkcs7 [options] < infile > outfile

where options are
 -inform arg   input format - one of DER TXT PEM
 -outform arg  output format - one of DER TXT PEM
 -in arg       input file
 -out arg      output file
 -print_certs  print any certs or crl in the input
 -des          encrypt PEM output with cbc des
 -des3         encrypt PEM output with ede cbc des using 168 bit key
 -idea         encrypt PEM output with cbc idea

req

req [options] < infile > outfile

where options  are
 -inform arg    input format - one of DER TXT PEM
 -outform arg   output format - one of DER TXT PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2)
 -config file   request template file.
 -new           new request.
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a x509 generated by -x509 is valid for.
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
                [ It is now always turned on but can be turned off with -no-asn1-kludge ]

rsa

rsa [options] < infile > outfile

where options are
 -inform arg   input format - one of DER NET PEM
 -outform arg  output format - one of DER NET PEM
 -in arg       input file
 -out arg      output file
 -des          encrypt PEM output with cbc des
 -des3         encrypt PEM output with ede cbc des using 168 bit key
 -idea         encrypt PEM output with cbc idea
 -text         print the key in text
 -noout        don't print key out
 -modulus      print the RSA key modulus

s_client

usage: s_client args

 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify arg   - turn on peer certificate verification
 -cert arg     - certificate file to use, PEM format assumed
 -key arg      - Private key file to use, PEM format assumed, in cert file if
                 not specified but cert file is.
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -debug        - extra output
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -quiet        - no s_client output
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1         - just use TLSv1
 -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -cipher       - prefered cipher to use, use the 'openssl ciphers'
                 command to see what is available

s_server

usage: s_server [args ...]

 -accept arg   - port to accept on (default is 4433)
 -context arg  - set session ID context
 -verify arg   - turn on peer certificate verification
 -Verify arg   - turn on peer certificate verification, must have a cert.
 -cert arg     - certificate file to use, PEM format assumed
                 (default is server.pem)
 -key arg      - RSA file to use, PEM format assumed, in cert file if
                 not specified (default is server.pem)
 -dcert arg    - second certificate file to use (usually for DSA)
 -dkey arg     - second private key file to use (usually for DSA)
 -nbio         - Run with non-blocking IO
 -nbio_test    - test with the non-blocking test bio
 -debug        - Print more output
 -state        - Print the SSL states
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -nocert       - Don't use any certificates (Anon-DH)
 -cipher arg   - play with 'openssl ciphers' to see what goes here
 -quiet        - No server output
 -no_tmp_rsa   - Do not generate a tmp RSA key
 -ssl2         - Just talk SSLv2
 -ssl3         - Just talk SSLv3
 -tls1         - Just talk TLSv1
 -no_ssl2      - Just disable SSLv2
 -no_ssl3      - Just disable SSLv3
 -no_tls1      - Just disable TLSv1
 -bugs         - Turn on SSL bug compatability
 -www          - Respond to a 'GET /' with a status page
 -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>

s_time

usage: s_time <args>

-connect host:port - host:port to connect to (default is localhost:4433)
-nbio         - Run with non-blocking IO
-ssl2         - Just use SSLv2
-ssl3         - Just use SSLv3
-bugs         - Turn on SSL bug compatability
-new          - Just time new connections
-reuse        - Just time connection reuse
-www page     - Retrieve 'page' from the site
-time arg     - max number of seconds to collect data, default 30
-verify arg   - turn on peer certificate verification, arg == depth
-cert arg     - certificate file to use, PEM format assumed
-key arg      - RSA file to use, PEM format assumed, key is in cert file
                file if not specified by this option
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-cipher       - prefered cipher to use, play with 'openssl ciphers'

sess_id

usage: sess_id args

 -inform arg     - input format - default PEM (one of DER, TXT or PEM)
 -outform arg    - output format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -text           - print ssl session id details
 -cert           - output certificate 
 -noout          - no CRL output
 -context arg    - set the session ID context

speed

speed

md2      mdc2   md5      hmac      sha1    rmd160
idea-cbc rc2-cbc  rc5-cbc  bf-cbc
des-cbc  des-ede3 rc4
rsa512   rsa1024  rsa2048  rsa4096

dsa512   dsa1024  dsa2048
idea     rc2      des      rsa    blowfish

verify

usage: verify [-verbose] [-CApath path] [-CAfile fcert] cert1 1cert2 ...

version

usage:version -[avbofp]

x509

usage: x509 args

 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -serial         - print serial number value
 -hash           - print hash value
 -subject        - print subject DN
 -issuer         - print issuer DN
 -startdate      - notBefore field
 -enddate        - notAfter field
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -fingerprint    - print the certificate fingerprint
 -noout          - no certificate output
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is asssumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial       - serial file
 -text           - print the certificate in text form
 -C              - print out C code forms
 -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with

Copyright © 1996 - 2000 by DFN-PCA / certify@pca.dfn.de