openssl
Standard commands
    asn1parse ca ciphers crl crl2pkcs7 dgst dh dsa dsaparam enc errstr
    gendh gendsa genrsa nseq pkcs7 req rsa s_client s_server s_time
    sess_id speed verify version x509

Message Digest commands (see the `dgst' command for more details)
    md2 md5 mdc2 rmd160 sha sha1

Cipher commands (see the `enc' command for more details)
    base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc
    cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede
    des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc
    des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb
    idea-ecb idea-ofb rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc5
    rc5-cbc rc5-cfb rc5-ecb rc5-ofb
asn1parse
asn1parse [options] < infile
where options are
    -inform arg       input format - one of DER TXT PEM
    -in arg           input file
    -offset arg       offset into file
    -length arg       length of section in file
    -i                indent entries
    -oid file         file of extra oid definitions
    -strparse offset  a series of these can be used to 'dig' into
                      multiple ASN1 blob wrappings
ca
usage: ca args
    -verbose        - Talk alot while doing things
    -config file    - A config file
    -name arg       - The particular CA definition to use
    -gencrl         - Generate a new CRL
    -crldays days   - Days is when the next CRL is due
    -crlhours hours - Hours is when the next CRL is due
    -days arg       - number of days to certify the certificate for
    -md arg         - md to use, one of md2, md5, sha or sha1
    -policy arg     - The CA 'policy' to support
    -keyfile arg    - PEM private key file
    -key arg        - key to decode the private key if it is encrypted
    -cert file      - The CA certificate
    -in file        - The input PEM encoded certificate request(s)
    -out file       - Where to put the output file(s)
    -outdir dir     - Where to put output certificates
    -infiles ....   - The last argument, requests to process
    -spkac file     - File contains DN and signed public key and challenge
    -ss_cert file   - File contains a self signed cert to sign
    -preserveDN     - Don't re-order the DN
    -batch          - Don't ask questions
    -msie_hack      - msie modifications to handle all those universal strings
ciphers
usage: ciphers args
    -v    - verbose mode, a textual listing of the ciphers in SSLeay
    -ssl2 - SSL2 mode
    -ssl3 - SSL3 mode
crl
usage: crl args
    -inform arg  - input format - default PEM (one of DER, TXT or PEM)
    -outform arg - output format - default PEM
    -text        - print out a text format version
    -in arg      - input file - default stdin
    -out arg     - output file - default stdout
    -hash        - print hash value
    -issuer      - print issuer DN
    -lastupdate  - lastUpdate field
    -nextupdate  - nextUpdate field
    -noout       - no CRL output
crl2pkcs7
crl2pkcs7 [options] < infile > outfile
where options are
    -inform arg    input format - one of DER TXT PEM
    -outform arg   output format - one of DER TXT PEM
    -in arg        input file
    -out arg       output file
    -certfile arg  certificates file of chain to a trusted CA
                   (can be used more than once)
    -nocrl         no crl to load, just certs from '-certfile'
dgst
options are
    -c          to output the digest with separating colons
    -d          to output debug info
    -md5        to use the md5 message digest algorithm (default)
    -md2        to use the md2 message digest algorithm
    -sha1       to use the sha1 message digest algorithm
    -sha        to use the sha message digest algorithm
    -mdc2       to use the mdc2 message digest algorithm
    -ripemd160  to use the ripemd160 message digest algorithm
dh
dh [options] < infile > outfile
where options are
    -inform arg   input format - one of DER TXT PEM
    -outform arg  output format - one of DER TXT PEM
    -in arg       input file
    -out arg      output file
    -check        check the DH parameters
    -text         print a text form of the DH parameters
    -C            Output C code
    -noout        no output
dsa
dsa [options] < infile > outfile
where options are
    -inform arg   input format - one of DER NET PEM
    -outform arg  output format - one of DER NET PEM
    -in arg       input file
    -out arg      output file
    -des          encrypt PEM output with cbc des
    -des3         encrypt PEM output with ede cbc des using 168 bit key
    -idea         encrypt PEM output with cbc idea
    -text         print the key in text
    -noout        don't print key out
    -modulus      print the DSA public value
dsaparam
dsaparam [options] [bits] < infile > outfile
where options are
    -inform arg   input format - one of DER TXT PEM
    -outform arg  output format - one of DER TXT PEM
    -in arg       input file
    -out arg      output file
    -text         check the DSA parameters
    -C            Output C code
    -noout        no output
    -rand         files to use for random number input
    number        number of bits to use for generating private key
enc
enc
options are
    -in <file>    input file
    -out <file>   output file
    -e            encrypt
    -d            decrypt
    -a/-base64    base64 encode/decode, depending on encryption flag
    -k            key is the next argument
    -kfile        key is the first line of the file argument
    -K/-iv        key/iv in hex is the next argument
    -[pP]         print the iv/key (then exit if -P)
    -bufsize <n>  buffer size

Cipher Types
    des     : 56 bit key DES encryption
    des_ede :112 bit key ede DES encryption
    des_ede3:168 bit key ede DES encryption
    idea    :128 bit key IDEA encryption
    rc2     :128 bit key RC2 encryption
    bf      :128 bit key BlowFish encryption
    -rc4    :128 bit key RC4 encryption

    -des-ecb   -des-cbc   -des-cfb   -des-ofb   -des (des-cbc)
    -des-ede   -des-ede-cbc   -des-ede-cfb   -des-ede-ofb   -desx   -none
    -des-ede3  -des-ede3-cbc  -des-ede3-cfb  -des-ede3-ofb  -des3 (des-ede3-cbc)
    -idea-ecb  -idea-cbc  -idea-cfb  -idea-ofb  -idea (idea-cbc)
    -rc2-ecb   -rc2-cbc   -rc2-cfb   -rc2-ofb   -rc2 (rc2-cbc)
    -bf-ecb    -bf-cbc    -bf-cfb    -bf-ofb    -bf (bf-cbc)
    -cast5-ecb -cast5-cbc -cast5-cfb -cast5-ofb -cast (cast5-cbc)
    -rc5-ecb   -rc5-cbc   -rc5-cfb   -rc5-ofb   -rc5 (rc5-cbc)
errstr
usage: errstr [-stats] <errno> ...
gendh
usage: gendh [args] [numbits]
    -out file - output the key to 'file
    -2          use 2 as the generator value
    -5          use 5 as the generator value
    -rand file:file:...
              - load the file (or the files in the directory) into
                the random number generator
genrsa
usage: genrsa [args] [numbits]
    -des      - encrypt the generated key with DES in cbc mode
    -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)
    -idea     - encrypt the generated key with IDEA in cbc mode
    -out file - output the key to 'file
    -f4       - use F4 (0x10001) for the E value
    -3        - use 3 for the E value
    -rand file:file:...
              - load the file (or the files in the directory) into
                the random number generator
nseq
Usage nseq [options]
where options are
    -in file   input file
    -out file  output file
    -toseq     output NS Sequence file
pkcs7
pkcs7 [options] < infile > outfile
where options are
    -inform arg   input format - one of DER TXT PEM
    -outform arg  output format - one of DER TXT PEM
    -in arg       input file
    -out arg      output file
    -print_certs  print any certs or crl in the input
    -des          encrypt PEM output with cbc des
    -des3         encrypt PEM output with ede cbc des using 168 bit key
    -idea         encrypt PEM output with cbc idea
req
req [options] < infile > outfile
where options are
    -inform arg       input format - one of DER TXT PEM
    -outform arg      output format - one of DER TXT PEM
    -in arg           input file
    -out arg          output file
    -text             text form of request
    -noout            do not output REQ
    -verify           verify signature on REQ
    -modulus          RSA modulus
    -nodes            don't encrypt the output key
    -key file         use the private key contained in file
    -keyform arg      key file format
    -keyout arg       file to send the key to
    -newkey rsa:bits  generate a new RSA key of 'bits' in size
    -newkey dsa:file  generate a new DSA key, parameters taken from CA in 'file'
    -[digest]         Digest to sign with (md5, sha1, md2, mdc2)
    -config file      request template file.
    -new              new request.
    -x509             output a x509 structure instead of a cert. req.
    -days             number of days a x509 generated by -x509 is valid for.
    -asn1-kludge      Output the 'request' in a format that is wrong but some CA's
                      have been reported as requiring
                      [ It is now always turned on but can be turned off with -no-asn1-kludge ]
rsa
rsa [options] < infile > outfile
where options are
    -inform arg   input format - one of DER NET PEM
    -outform arg  output format - one of DER NET PEM
    -in arg       input file
    -out arg      output file
    -des          encrypt PEM output with cbc des
    -des3         encrypt PEM output with ede cbc des using 168 bit key
    -idea         encrypt PEM output with cbc idea
    -text         print the key in text
    -noout        don't print key out
    -modulus      print the RSA key modulus
s_client
usage: s_client args
    -host host         - use -connect instead
    -port port         - use -connect instead
    -connect host:port - who to connect to (default is localhost:4433)
    -verify arg        - turn on peer certificate verification
    -cert arg          - certificate file to use, PEM format assumed
    -key arg           - Private key file to use, PEM format assumed, in cert file if
                         not specified but cert file is.
    -CApath arg        - PEM format directory of CA's
    -CAfile arg        - PEM format file of CA's
    -reconnect         - Drop and re-make the connection with the same Session-ID
    -pause             - sleep(1) after each read(2) and write(2) system call
    -debug             - extra output
    -nbio_test         - more ssl protocol testing
    -state             - print the 'ssl' states
    -nbio              - Run with non-blocking IO
    -quiet             - no s_client output
    -ssl2              - just use SSLv2
    -ssl3              - just use SSLv3
    -tls1              - just use TLSv1
    -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
    -bugs              - Switch on all SSL implementation bug workarounds
    -cipher            - prefered cipher to use, use the 'openssl ciphers'
                         command to see what is available
s_server
usage: s_server [args ...]
    -accept arg  - port to accept on (default is 4433)
    -context arg - set session ID context
    -verify arg  - turn on peer certificate verification
    -Verify arg  - turn on peer certificate verification, must have a cert.
    -cert arg    - certificate file to use, PEM format assumed
                   (default is server.pem)
    -key arg     - RSA file to use, PEM format assumed, in cert file if
                   not specified (default is server.pem)
    -dcert arg   - second certificate file to use (usually for DSA)
    -dkey arg    - second private key file to use (usually for DSA)
    -nbio        - Run with non-blocking IO
    -nbio_test   - test with the non-blocking test bio
    -debug       - Print more output
    -state       - Print the SSL states
    -CApath arg  - PEM format directory of CA's
    -CAfile arg  - PEM format file of CA's
    -nocert      - Don't use any certificates (Anon-DH)
    -cipher arg  - play with 'openssl ciphers' to see what goes here
    -quiet       - No server output
    -no_tmp_rsa  - Do not generate a tmp RSA key
    -ssl2        - Just talk SSLv2
    -ssl3        - Just talk SSLv3
    -tls1        - Just talk TLSv1
    -no_ssl2     - Just disable SSLv2
    -no_ssl3     - Just disable SSLv3
    -no_tls1     - Just disable TLSv1
    -bugs        - Turn on SSL bug compatability
    -www         - Respond to a 'GET /' with a status page
    -WWW         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
s_time
usage: s_time <args>
    -connect host:port - host:port to connect to (default is localhost:4433)
    -nbio              - Run with non-blocking IO
    -ssl2              - Just use SSLv2
    -ssl3              - Just use SSLv3
    -bugs              - Turn on SSL bug compatability
    -new               - Just time new connections
    -reuse             - Just time connection reuse
    -www page          - Retrieve 'page' from the site
    -time arg          - max number of seconds to collect data, default 30
    -verify arg        - turn on peer certificate verification, arg == depth
    -cert arg          - certificate file to use, PEM format assumed
    -key arg           - RSA file to use, PEM format assumed, key is in cert file
                         file if not specified by this option
    -CApath arg        - PEM format directory of CA's
    -CAfile arg        - PEM format file of CA's
    -cipher            - prefered cipher to use, play with 'openssl ciphers'
sess_id
usage: sess_id args
    -inform arg  - input format - default PEM (one of DER, TXT or PEM)
    -outform arg - output format - default PEM
    -in arg      - input file - default stdin
    -out arg     - output file - default stdout
    -text        - print ssl session id details
    -cert        - output certificate
    -noout       - no CRL output
    -context arg - set the session ID context
speed
speed
md2 mdc2 md5 hmac sha1 rmd160 idea-cbc rc2-cbc rc5-cbc bf-cbc des-cbc des-ede3 rc4 rsa512 rsa1024 rsa2048 rsa4096 dsa512 dsa1024 dsa2048 idea rc2 des rsa blowfish
verify
usage: verify [-verbose] [-CApath path] [-CAfile fcert] cert1 cert2 ...
version
usage:version -[avbofp]
x509
usage: x509 args
    -inform arg     - input format - default PEM (one of DER, NET or PEM)
    -outform arg    - output format - default PEM (one of DER, NET or PEM
    -keyform arg    - private key format - default PEM
    -CAform arg     - CA format - default PEM
    -CAkeyform arg  - CA key format - default PEM
    -in arg         - input file - default stdin
    -out arg        - output file - default stdout
    -serial         - print serial number value
    -hash           - print hash value
    -subject        - print subject DN
    -issuer         - print issuer DN
    -startdate      - notBefore field
    -enddate        - notAfter field
    -dates          - both Before and After dates
    -modulus        - print the RSA key modulus
    -fingerprint    - print the certificate fingerprint
    -noout          - no certificate output
    -days arg       - How long till expiry of a signed certificate - def 30 days
    -signkey arg    - self sign cert with arg
    -x509toreq      - output a certification request object
    -req            - input is a certificate request, sign and output.
    -CA arg         - set the CA certificate, must be PEM format.
    -CAkey arg      - set the CA key, must be PEM format
                      missing, it is asssumed to be in the CA file.
    -CAcreateserial - create serial number file if it does not exist
    -CAserial       - serial file
    -text           - print the certificate in text form
    -C              - print out C code forms
    -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with