Difference between revisions of "Command Line Utilities"
(→Base64) |
|||
Line 805: | Line 805: | ||
Welcome to openssl wiki | Welcome to openssl wiki | ||
− | warning base64 line length is limited to 64 characters by default in openssl : | + | warning '''base64 line length is limited to 64 characters by default in openssl''' : |
openssl base64 -e <<< 'Welcome to openssl wiki with a very long line that splits...' | openssl base64 -e <<< 'Welcome to openssl wiki with a very long line that splits...' |
Revision as of 17:59, 23 March 2013
OpenSSL site command line tools
When installed on your system openssl binary is entry point for many functions.
- launching openssl without any parameter will enter an interactive mode with an OpenSSL> prompt
- to quit: quit
- enter a command it will set a command context in which parameters depends on command.
- to known what commands and parameters you can issue for openssl do :
- openssl help
openssl:Error: 'help' is an invalid command. Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp ts verify version x509 Message Digest commands (see the `dgst' command for more details) md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
Commands by purpose
Following commands are grouped by purpose using a different grouping than of default openssl documentation / help.
Get information about your openssl toolkit
version
OpenSSL> version OpenSSL 1.0.1e 11 Feb 2013
ciphers
returns SSL/TLS ciphers supported.
OpenSSL> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
openssl list-cipher-algorithms
openssl list-public-key-algorithms
Name: OpenSSL RSA method Type: Builtin Algorithm OID: rsaEncryption PEM string: RSA Name: rsa Type: Alias to rsaEncryption Name: OpenSSL PKCS#3 DH method Type: Builtin Algorithm OID: dhKeyAgreement PEM string: DH Name: dsaWithSHA Type: Alias to dsaEncryption Name: dsaEncryption-old Type: Alias to dsaEncryption Name: dsaWithSHA1-old Type: Alias to dsaEncryption Name: dsaWithSHA1 Type: Alias to dsaEncryption Name: OpenSSL DSA method Type: Builtin Algorithm OID: dsaEncryption PEM string: DSA Name: OpenSSL EC algorithm Type: Builtin Algorithm OID: id-ecPublicKey PEM string: EC Name: OpenSSL HMAC method Type: Builtin Algorithm OID: hmac PEM string: HMAC Name: OpenSSL CMAC method Type: Builtin Algorithm OID: cmac PEM string: CMAC
engine
OpenSSL> engine (rsax) RSAX engine support (dynamic) Dynamic engine loading support
speed
returns informations of toolkit performance on cryptographic functions computations.
( Ex: on Linux 3.1.0-1-amd64 #1 SMP x86_64 GNU/Linux, HP dv7 i7 4Gb )
Doing md4 for 3s on 16 size blocks: 12430613 md4's in 3.00s ... Doing md5 for 3s on 16 size blocks: 8943943 md5's in 2.99s Doing md5 for 3s on 64 size blocks: 6560162 md5's in 3.00s Doing md5 for 3s on 256 size blocks: 3674563 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 1325803 md5's in 3.00s Doing md5 for 3s on 8192 size blocks: 190271 md5's in 3.00s Doing hmac(md5) for 3s on 16 size blocks: 7289025 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 64 size blocks: 5519732 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 256 size blocks: 3319123 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 1024 size blocks: 1275475 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 8192 size blocks: 187134 hmac(md5)'s in 3.00s Doing sha1 for 3s on 16 size blocks: 10089842 sha1's in 2.99s Doing sha1 for 3s on 64 size blocks: 7033355 sha1's in 3.00s Doing sha1 for 3s on 256 size blocks: 3919372 sha1's in 3.00s Doing sha1 for 3s on 1024 size blocks: 1374314 sha1's in 3.00s Doing sha1 for 3s on 8192 size blocks: 198808 sha1's in 3.00s Doing sha256 for 3s on 16 size blocks: 6462822 sha256's in 3.00s Doing sha256 for 3s on 64 size blocks: 3504641 sha256's in 3.00s Doing sha256 for 3s on 256 size blocks: 1486771 sha256's in 3.00s Doing sha256 for 3s on 1024 size blocks: 440613 sha256's in 3.00s Doing sha256 for 3s on 8192 size blocks: 58418 sha256's in 3.00s Doing sha512 for 3s on 16 size blocks: 5040453 sha512's in 2.99s Doing sha512 for 3s on 64 size blocks: 5089425 sha512's in 3.00s Doing sha512 for 3s on 256 size blocks: 1865240 sha512's in 3.00s Doing sha512 for 3s on 1024 size blocks: 643708 sha512's in 3.00s Doing sha512 for 3s on 8192 size blocks: 90615 sha512's in 3.00s ... Doing whirlpool for 3s on 8192 size blocks: 33204 whirlpool's in 3.00s ... Doing rmd160 for 3s on 8192 size blocks: 66719 rmd160's in 3.00s ... Doing rc4 for 3s on 8192 size blocks: 238972 rc4's in 3.00s ... Doing des cbc for 3s on 8192 size blocks: 19837 des cbc's in 3.00s ... Doing des ede3 for 3s on 8192 size blocks: 7706 des ede3's in 3.00s ... Doing aes-128 cbc for 3s on 8192 size blocks: 35217 aes-128 cbc's in 3.00s ... Doing aes-192 cbc for 3s on 8192 size blocks: 29225 aes-192 cbc's in 3.01s ... Doing aes-256 cbc for 3s on 8192 size blocks: 24414 aes-256 cbc's in 3.00s ... Doing aes-256 ige for 3s on 8192 size blocks: 23331 aes-256 ige's in 2.99s ...
Basic encryption
Basic file
to cipher a file or data to protect and share it protected by a shared key.
symetric cipher : AES Blowfish RC4 3DES RC2 DES CAST5 SEED
block to stream conversion : ECB CBC OFB CFB CTR XTS GCM
compression : ZLIB
Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
openssl enc --help unknown option '--help' options are -in <file> input file -out <file> output file -pass <arg> pass phrase source -e encrypt -d decrypt -a/-base64 base64 encode/decode, depending on encryption flag -k passphrase is the next argument -kfile passphrase is the first line of the file argument -md the next argument is the md to use to create a key from a passphrase. One of md2, md5, sha or sha1 -S salt in hex is the next argument -K/-iv key/iv in hex is the next argument -[pP] print the iv/key (then exit if -P) -bufsize <n> buffer size -nopad disable standard block padding -engine e use engine e, possibly a hardware device. Cipher Types -aes-128-cbc -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-gcm -aes-128-ofb -aes-128-xts -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-gcm -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-gcm -aes-256-ofb -aes-256-xts -aes128 -aes192 -aes256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ofb -des-ofb -des3 -desx -desx-cbc -id-aes128-GCM -id-aes192-GCM -id-aes256-GCM -rc2 -rc2-40-cbc -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -rc4-hmac-md5 -seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb
Mail / SMIME
smime v2 pkcs7 1.5
openssl smime --help Usage smime [options] cert.pem ... where options are -encrypt encrypt message -decrypt decrypt encrypted message -sign sign message -verify verify signed message -pk7out output PKCS#7 structure -des3 encrypt with triple DES -des encrypt with DES -seed encrypt with SEED -rc2-40 encrypt with RC2-40 (default) -rc2-64 encrypt with RC2-64 -rc2-128 encrypt with RC2-128 -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -nointern don't search certificates in message for signer -nosigs don't verify message signature -noverify don't verify signers certificate -nocerts don't include signers certificate when signing -nodetach use opaque signing -noattr don't include any signed attributes -binary don't translate message to text -certfile file other certificates file -signer file signer certificate file -recip file recipient certificate file for decryption -in file input file -inform arg input format SMIME (default), PEM or DER -inkey file input private key (if not signer or recipient) -keyform arg input private key format (PEM or ENGINE) -out file output file -outform arg output format SMIME (default), PEM or DER -content file supply or override content for detached signature -to addr to address -from ad from address -subject s subject -text include or delete text MIME headers -CApath dir trusted certificates directory -CAfile file trusted certificates file -crl_check check revocation status of signer's certificate using CRLs -crl_check_all check revocation status of signer's certificate chain using CRLs -engine e use engine e, possibly a hardware device. -passin arg input file pass phrase source -rand file:file:... load the file (or the files in the directory) into the random number generator cert.pem recipient certificate(s) for encryption
smime v3 cms
openssl cms --help Usage cms [options] cert.pem ... where options are -encrypt encrypt message -decrypt decrypt encrypted message -sign sign message -verify verify signed message -cmsout output CMS structure -des3 encrypt with triple DES -des encrypt with DES -seed encrypt with SEED -rc2-40 encrypt with RC2-40 (default) -rc2-64 encrypt with RC2-64 -rc2-128 encrypt with RC2-128 -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -nointern don't search certificates in message for signer -nosigs don't verify message signature -noverify don't verify signers certificate -nocerts don't include signers certificate when signing -nodetach use opaque signing -noattr don't include any signed attributes -binary don't translate message to text -certfile file other certificates file -certsout file certificate output file -signer file signer certificate file -recip file recipient certificate file for decryption -keyid use subject key identifier -in file input file -inform arg input format SMIME (default), PEM or DER -inkey file input private key (if not signer or recipient) -keyform arg input private key format (PEM or ENGINE) -out file output file -outform arg output format SMIME (default), PEM or DER -content file supply or override content for detached signature -to addr to address -from ad from address -subject s subject -text include or delete text MIME headers -CApath dir trusted certificates directory -CAfile file trusted certificates file -crl_check check revocation status of signer's certificate using CRLs -crl_check_all check revocation status of signer's certificate chain using CRLs -engine e use engine e, possibly a hardware device. -passin arg input file pass phrase source -rand file:file:... load the file (or the files in the directory) into the random number generator cert.pem recipient certificate(s) for encryption
Create / Handle Public Key Certificates
This requires you have a knowledge of what PKI is ( Certificate Authorities, Certificate Request, Certificate, Public Key, Private Key )
Classical use case is to obtain a valid Certificate for a Secured Web site ( https protocol ). First you create a Private Key ( will be created together with Public key ). Then create a Certificate Request for that private key with some informations for purpose of future Certificate. Then send that Certificate Request to a Certificate Authority ( CA ) that will issue a Certificate that CA signed. For well known CA you need to pay. Up to you to install your Private key together with the received Certificate on your system.
It exists graphical front-end to operate openssl wihtin a GUI : XCA
Key Generation
rsa / genrsa
RSA is the most common type of Public/Private Key. Private Key part should never de disclosed while public key part is ... public.
openssl genrsa --help usage: genrsa [args] [numbits] -des encrypt the generated key with DES in cbc mode -des3 encrypt the generated key with DES in ede cbc mode (168 bit key) -seed encrypt PEM output with cbc seed -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -out file output the key to 'file -passout arg output file pass phrase source -f4 use F4 (0x10001) for the E value -3 use 3 for the E value -engine e use engine e, possibly a hardware device. -rand file:file:... load the file (or the files in the directory) into the random number generator
rsa help unknown option help rsa [options] <infile >outfile where options are -inform arg input format - one of DER NET PEM -outform arg output format - one of DER NET PEM -in arg input file -sgckey Use IIS SGC key format -passin arg input file pass phrase source -out arg output file -passout arg output file pass phrase source -des encrypt PEM output with cbc des -des3 encrypt PEM output with ede cbc des using 168 bit key -seed encrypt PEM output with cbc seed -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -text print the key in text -noout don't print key out -modulus print the RSA key modulus -check verify key consistency -pubin expect a public key in input file -pubout output a public key -engine e use engine e, possibly a hardware device. error in rsa
dsa / gendsa
dsa is a less common Public/Private key scheme, but can be seen anyway, so ...
openssl gendsa usage: gendsa [args] dsaparam-file -out file - output the key to 'file' -des - encrypt the generated key with DES in cbc mode -des3 - encrypt the generated key with DES in ede cbc mode (168 bit key) -seed encrypt PEM output with cbc seed -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -engine e - use engine e, possibly a hardware device. -rand file:file:... - load the file (or the files in the directory) into the random number generator dsaparam-file - a DSA parameter file as generated by the dsaparam command
OpenSSL> dsa help unknown option help dsa [options] <infile >outfile where options are -inform arg input format - DER or PEM -outform arg output format - DER or PEM -in arg input file -passin arg input file pass phrase source -out arg output file -passout arg output file pass phrase source -engine e use engine e, possibly a hardware device. -des encrypt PEM output with cbc des -des3 encrypt PEM output with ede cbc des using 168 bit key -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -seed encrypt PEM output with cbc seed -text print the key in text -noout don't print key out -modulus print the DSA public value error in dsa
Elliptic Curves / ec ecparam
openssl ecparam --help unknown option --help ecparam [options] <infile >outfile where options are -inform arg input format - default PEM (DER or PEM) -outform arg output format - default PEM -in arg input file - default stdin -out arg output file - default stdout -noout do not print the ec parameter -text print the ec parameters in text form -check validate the ec parameters -C print a 'C' function creating the parameters -name arg use the ec parameters with 'short name' name -list_curves prints a list of all currently available curve 'short names' -conv_form arg specifies the point conversion form possible values: compressed uncompressed (default) hybrid -param_enc arg specifies the way the ec parameters are encoded in the asn1 der encoding possible values: named_curve (default) explicit -no_seed if 'explicit' parameters are chosen do not use the seed -genkey generate ec key -rand file files to use for random number input -engine e use engine e, possibly a hardware device
ec [options] <infile >outfile where options are -inform arg input format - DER or PEM -outform arg output format - DER or PEM -in arg input file -passin arg input file pass phrase source -out arg output file -passout arg output file pass phrase source -engine e use engine e, possibly a hardware device. -des encrypt PEM output, instead of 'des' every other cipher supported by OpenSSL can be used -text print the key -noout don't print key out -param_out print the elliptic curve parameters -conv_form arg specifies the point conversion form possible values: compressed uncompressed (default) hybrid -param_enc arg specifies the way the ec parameters are encoded in the asn1 der encoding possible values: named_curve (default) explicit
Certificate Authority / ca
When you want to act as a Certificate Authority.
OpenSSL> ca Using configuration from /usr/lib/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 140492277311144:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r') 140492277311144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load CA private key error in ca
By default you don't have ca created...
Certificate Request / pkcs10 / req
OpenSSL> req ? unknown option ? req [options] <infile >outfile where options are
-inform arg input format - DER or PEM -outform arg output format - DER or PEM -in arg input file -out arg output file -text text form of request -pubkey output public key -noout do not output REQ -verify verify signature on REQ -modulus RSA modulus -nodes don't encrypt the output key -engine e use engine e, possibly a hardware device -subject output the request's subject -passin private key password source -key file use the private key contained in file -keyform arg key file format -keyout arg file to send the key to -rand file:file:... load the file (or the files in the directory) into the random number generator -newkey rsa:bits generate a new RSA key of 'bits' in size -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file' -newkey ec:file generate a new EC key, parameters taken from CA in 'file' -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4) -config file request template file. -subj arg set or modify request subject -multivalue-rdn enable support for multivalued RDNs -new new request. -batch do not ask anything during request generation -x509 output a x509 structure instead of a cert. req. -days number of days a certificate generated by -x509 is valid for. -set_serial serial number to use for a certificate generated by -x509. -newhdr output "NEW" in the header lines -asn1-kludge Output the 'request' in a format that is wrong but some CA's have been reported as requiring -extensions .. specify certificate extension section (override value in config file) -reqexts .. specify request extension section (override value in config file) -utf8 input characters are UTF8 (default ASCII) -nameopt arg - various certificate name options -reqopt arg - various request text options
error in req
Certificates AKA x509
x509 command allows you to display content of a x509 certificate and to convert it from/to PEM, NET or DER formats.
OpenSSL> x509 help unknown option help usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM) -outform arg - output format - default PEM (one of DER, NET or PEM) -keyform arg - private key format - default PEM -CAform arg - CA format - default PEM -CAkeyform arg - CA key format - default PEM -in arg - input file - default stdin -out arg - output file - default stdout -passin arg - private key password source -serial - print serial number value -subject_hash - print subject hash value -subject_hash_old - print old-style (MD5) subject hash value -issuer_hash - print issuer hash value -issuer_hash_old - print old-style (MD5) issuer hash value -hash - synonym for -subject_hash -subject - print subject DN -issuer - print issuer DN -email - print email address(es) -startdate - notBefore field -enddate - notAfter field -purpose - print out certificate purposes -dates - both Before and After dates -modulus - print the RSA key modulus -pubkey - output the public key -fingerprint - print the certificate fingerprint -alias - output certificate alias -noout - no certificate output -ocspid - print OCSP hash values for the subject name and public key -ocsp_uri - print OCSP Responder URL(s) -trustout - output a "trusted" certificate -clrtrust - clear all trusted purposes -clrreject - clear all rejected purposes -addtrust arg - trust certificate for a given purpose -addreject arg - reject certificate for a given purpose -setalias arg - set certificate alias -days arg - How long till expiry of a signed certificate - def 30 days -checkend arg - check whether the cert expires in the next arg seconds exit 1 if so, 0 if not -signkey arg - self sign cert with arg -x509toreq - output a certification request object -req - input is a certificate request, sign and output. -CA arg - set the CA certificate, must be PEM format. -CAkey arg - set the CA key, must be PEM format missing, it is assumed to be in the CA file. -CAcreateserial - create serial number file if it does not exist -CAserial arg - serial file -set_serial - serial number to use -text - print the certificate in text form -C - print out C code forms -md2/-md5/-sha1/-mdc2 - digest to use -extfile - configuration file with X509V3 extensions to add -extensions - section from config file with X509V3 extensions to add -clrext - delete extensions before signing and input certificate -nameopt arg - various certificate name options -engine e - use engine e, possibly a hardware device. -certopt arg - various certificate text options
Client Certificates AKA pkcs12
Client Certificate is a language abuse, but anyway it is knid of file you need to install on your system when SSL/TLS server require Client Authentication. Those kind of certificates credentials are known as pkcs12 or pfx files. They contains a x509 Certificate and the public/private key of client. Those files are then very sensible to handle with same security as a private key.
Usage: pkcs12 [options] where options are -export output PKCS12 file -chain add certificate chain -inkey file private key if not infile -certfile f add all certs in f -CApath arg - PEM format directory of CA's -CAfile arg - PEM format file of CA's -name "name" use name as friendly name -caname "nm" use nm as CA friendly name (can be used more than once). -in infile input filename -out outfile output filename -noout don't output anything, just verify. -nomacver don't verify MAC. -nocerts don't output certificates. -clcerts only output client certificates. -cacerts only output CA certificates. -nokeys don't output private keys. -info give info about PKCS#12 structure. -des encrypt private keys with DES -des3 encrypt private keys with triple DES (default) -seed encrypt private keys with seed -aes128, -aes192, -aes256 encrypt PEM output with cbc aes -camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia -nodes don't encrypt private keys -noiter don't use encryption iteration -nomaciter don't use MAC iteration -maciter use MAC iteration -nomac don't generate MAC -twopass separate MAC, encryption passwords -descert encrypt PKCS#12 certificates with triple DES (default RC2-40) -certpbe alg specify certificate PBE algorithm (default RC2-40) -keypbe alg specify private key PBE algorithm (default 3DES) -macalg alg digest algorithm used in MAC (default SHA1) -keyex set MS key exchange type -keysig set MS key signature type -password p set import/export password source -passin p input file pass phrase source -passout p output file pass phrase source -engine e use engine e, possibly a hardware device. -rand file:file:... load the file (or the files in the directory) into the random number generator -CSP name Microsoft CSP name -LMK Add local machine keyset attribute to private key
SSL/TLS and Certificates ONLINE services
s_server
s_client
ocsp
Signing / Digest and Timestamping
Signing / Digest
openssl dgst --help unknown option '--help' options are -c to output the digest with separating colons -r to output the digest in coreutils format -d to output debug info -hex output as hex dump -binary output in binary form -hmac arg set the HMAC key to arg -non-fips-allow allow use of non FIPS digest -sign file sign digest using private key in file -verify file verify a signature using public key in file -prverify file verify a signature using private key in file -keyform arg key file format (PEM or ENGINE) -out filename output to filename rather than stdout -signature file signature to verify -sigopt nm:v signature parameter -hmac key create hashed MAC with key -mac algorithm create MAC (not neccessarily HMAC) -macopt nm:v MAC algorithm parameters or key -engine e use engine e, possibly a hardware device. -md4 to use the md4 message digest algorithm -md5 to use the md5 message digest algorithm -ripemd160 to use the ripemd160 message digest algorithm -sha to use the sha message digest algorithm -sha1 to use the sha1 message digest algorithm -sha224 to use the sha224 message digest algorithm -sha256 to use the sha256 message digest algorithm -sha384 to use the sha384 message digest algorithm -sha512 to use the sha512 message digest algorithm -whirlpool to use the whirlpool message digest algorithm
timestamping
openssl ts
usage: ts -query [-rand file:file:...] [-config configfile] [-data file_to_hash] [-digest digest_bytes][-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] [-policy object_id] [-no_nonce] [-cert] [-in request.tsq] [-out request.tsq] [-text] or ts -reply [-config configfile] [-section tsa_section] [-queryfile request.tsq] [-passin password] [-signer tsa_cert.pem] [-inkey private_key.pem] [-chain certs_file.pem] [-policy object_id] [-in response.tsr] [-token_in] [-out response.tsr] [-token_out] [-text] [-engine id] or ts -verify [-data file_to_hash] [-digest digest_bytes] [-queryfile request.tsq] -in response.tsr [-token_in] -CApath ca_path -CAfile ca_file.pem -untrusted cert_file.pem
Data handling
ASN.1
DER decoding
openssl asn1parse
Base64
base64 encoding / decoding
a String
openssl base64 -e <<< 'Welcome to openssl wiki' V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kK' Welcome to openssl wiki
warning base64 line length is limited to 64 characters by default in openssl :
openssl base64 -e <<< 'Welcome to openssl wiki with a very long line that splits...' V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRo YXQgc3BsaXRzLi4uCg== openssl base64 -d <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg==' => NOTHING !
to be able to decode a base64 line wihout line feed that exceed 64 characters use -A option :
openssl base64 -d -A <<< 'V2VsY29tZSB0byBvcGVuc3NsIHdpa2kgd2l0aCBhIHZlcnkgbG9uZyBsaW5lIHRoYXQgc3BsaXRzLi4uCg==' Welcome to openssl wiki with a very long line that splits...
DER <-> PEM conversion
on each command handling PEM and DER format an inform and outform options are provided to specify it. Then it is easy to read it in format and write it in another
pkcs8 / pkcs5
pkcs8 is a format to store private keys. pkcs8 uses various pkcs5 version as subformat.
openssl pkcs8 --help Usage pkcs8 [options] where options are -in file input file -inform X input format (DER or PEM) -passin arg input file pass phrase source -outform X output format (DER or PEM) -out file output file -passout arg output file pass phrase source -topk8 output PKCS8 file -nooct use (nonstandard) no octet format -embed use (nonstandard) embedded DSA parameters format -nsdb use (nonstandard) DSA Netscape DB format -noiter use 1 as iteration count -nocrypt use or expect unencrypted private key -v2 alg use PKCS#5 v2.0 and cipher "alg" -v1 obj use PKCS#5 v1.5 and cipher "alg" -engine e use engine e, possibly a hardware device.