Command Line Utilities
OpenSSL site command line tools
When installed on your system openssl binary is entry point for many functions.
- launching openssl without any parameter will enter an interactive mode with an OpenSSL> prompt
- to quit: quit
- enter a command it will set a command context in which parameters depends on command.
- to known what commands and parameters you can issue for openssl do :
- openssl help
openssl:Error: 'help' is an invalid command. Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp ts verify version x509 Message Digest commands (see the `dgst' command for more details) md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
commands
Get information about your openssl toolkit
version
OpenSSL> version OpenSSL 1.0.1e 11 Feb 2013
ciphers
returns SSL/TLS ciphers supported.
OpenSSL> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
engine
OpenSSL> engine (rsax) RSAX engine support (dynamic) Dynamic engine loading support
speed
returns informations of toolkit performance on cryptographic functions computations.
( Ex: on Linux 3.1.0-1-amd64 #1 SMP x86_64 GNU/Linux, HP dv7 i7 4Gb )
Doing md4 for 3s on 16 size blocks: 12430613 md4's in 3.00s ... Doing md5 for 3s on 16 size blocks: 8943943 md5's in 2.99s Doing md5 for 3s on 64 size blocks: 6560162 md5's in 3.00s Doing md5 for 3s on 256 size blocks: 3674563 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 1325803 md5's in 3.00s Doing md5 for 3s on 8192 size blocks: 190271 md5's in 3.00s Doing hmac(md5) for 3s on 16 size blocks: 7289025 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 64 size blocks: 5519732 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 256 size blocks: 3319123 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 1024 size blocks: 1275475 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 8192 size blocks: 187134 hmac(md5)'s in 3.00s Doing sha1 for 3s on 16 size blocks: 10089842 sha1's in 2.99s Doing sha1 for 3s on 64 size blocks: 7033355 sha1's in 3.00s Doing sha1 for 3s on 256 size blocks: 3919372 sha1's in 3.00s Doing sha1 for 3s on 1024 size blocks: 1374314 sha1's in 3.00s Doing sha1 for 3s on 8192 size blocks: 198808 sha1's in 3.00s Doing sha256 for 3s on 16 size blocks: 6462822 sha256's in 3.00s Doing sha256 for 3s on 64 size blocks: 3504641 sha256's in 3.00s Doing sha256 for 3s on 256 size blocks: 1486771 sha256's in 3.00s Doing sha256 for 3s on 1024 size blocks: 440613 sha256's in 3.00s Doing sha256 for 3s on 8192 size blocks: 58418 sha256's in 3.00s Doing sha512 for 3s on 16 size blocks: 5040453 sha512's in 2.99s Doing sha512 for 3s on 64 size blocks: 5089425 sha512's in 3.00s Doing sha512 for 3s on 256 size blocks: 1865240 sha512's in 3.00s Doing sha512 for 3s on 1024 size blocks: 643708 sha512's in 3.00s Doing sha512 for 3s on 8192 size blocks: 90615 sha512's in 3.00s ... Doing whirlpool for 3s on 8192 size blocks: 33204 whirlpool's in 3.00s ... Doing rmd160 for 3s on 8192 size blocks: 66719 rmd160's in 3.00s ... Doing rc4 for 3s on 8192 size blocks: 238972 rc4's in 3.00s ... Doing des cbc for 3s on 8192 size blocks: 19837 des cbc's in 3.00s ... Doing des ede3 for 3s on 8192 size blocks: 7706 des ede3's in 3.00s ... Doing aes-128 cbc for 3s on 8192 size blocks: 35217 aes-128 cbc's in 3.00s ... Doing aes-192 cbc for 3s on 8192 size blocks: 29225 aes-192 cbc's in 3.01s ... Doing aes-256 cbc for 3s on 8192 size blocks: 24414 aes-256 cbc's in 3.00s ... Doing aes-256 ige for 3s on 8192 size blocks: 23331 aes-256 ige's in 2.99s ...
Basic encryption
to cipher a file or data to protect and share it protected by a shared key.
symetric cipher : AES Blowfish RC4 3DES RC2 DES CAST5 SEED
block to stream conversion : ECB CBC OFB CFB
compression : ZLIB
Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb zlib
Create / Handle Public Key Certificates
This requires you have a knowledge of what PKI is ( Certificate Authorities, Certificate Request, Certificate, Public Key, Private Key )
Classical use case is to obtain a valid Certificate for a Secured Web site ( https protocol ). First you create a Private Key ( will be created together with Public key ). Then create a Certificate Request for that private key with some informations for purpose of future Certificate. Then send that Certificate Request to a Certificate Authority ( CA ) that will issue a Certificate that CA signed. For well known CA you need to pay. Up to you to install your Private key together with the received Certificate on your system.
It exists graphical front-end to operate openssl wihtin a GUI : XCA
Key Generation
rsa
RSA is the most common type of Public/Private Key. Private Key part should never de disclosed while public key part is ... public.
rsa help unknown option help rsa [options] <infile >outfile where options are
-inform arg input format - one of DER NET PEM
-outform arg output format - one of DER NET PEM
-in arg input file
-sgckey Use IIS SGC key format
-passin arg input file pass phrase source
-out arg output file
-passout arg output file pass phrase source
-des encrypt PEM output with cbc des
-des3 encrypt PEM output with ede cbc des using 168 bit key
-seed encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-text print the key in text
-noout don't print key out
-modulus print the RSA key modulus
-check verify key consistency
-pubin expect a public key in input file
-pubout output a public key
-engine e use engine e, possibly a hardware device.
error in rsa
dsa
dsa is a less common Public/Private key scheme, but can be seen anyway, so ...
OpenSSL> dsa help
unknown option help
dsa [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-passin arg input file pass phrase source
-out arg output file
-passout arg output file pass phrase source
-engine e use engine e, possibly a hardware device.
-des encrypt PEM output with cbc des
-des3 encrypt PEM output with ede cbc des using 168 bit key
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-seed encrypt PEM output with cbc seed
-text print the key in text
-noout don't print key out
-modulus print the DSA public value
error in dsa
Elliptic Curves / ec
ec [options] <infile >outfile
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-passin arg input file pass phrase source
-out arg output file
-passout arg output file pass phrase source
-engine e use engine e, possibly a hardware device.
-des encrypt PEM output, instead of 'des' every other
cipher supported by OpenSSL can be used
-text print the key
-noout don't print key out
-param_out print the elliptic curve parameters
-conv_form arg specifies the point conversion form
possible values: compressed
uncompressed (default)
hybrid
-param_enc arg specifies the way the ec parameters are encoded
in the asn1 der encoding
possible values: named_curve (default)
explicit
ca
OpenSSL> ca Using configuration from /usr/lib/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 140492277311144:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r') 140492277311144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load CA private key error in ca
By default you don't have ca created...
Certificate Request / req
OpenSSL> req ? unknown option ? req [options] <infile >outfile where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-out arg output file
-text text form of request
-pubkey output public key
-noout do not output REQ
-verify verify signature on REQ
-modulus RSA modulus
-nodes don't encrypt the output key
-engine e use engine e, possibly a hardware device
-subject output the request's subject
-passin private key password source
-key file use the private key contained in file
-keyform arg key file format
-keyout arg file to send the key to
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)
-config file request template file.
-subj arg set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new new request.
-batch do not ask anything during request generation
-x509 output a x509 structure instead of a cert. req.
-days number of days a certificate generated by -x509 is valid for.
-set_serial serial number to use for a certificate generated by -x509.
-newhdr output "NEW" in the header lines
-asn1-kludge Output the 'request' in a format that is wrong but some CA's
have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts .. specify request extension section (override value in config file)
-utf8 input characters are UTF8 (default ASCII)
-nameopt arg - various certificate name options
-reqopt arg - various request text options
error in req
Certificates AKA x509
x509 command allows you to display content of a x509 certificate and to convert it from/to PEM, NET or DER formats.
OpenSSL> x509 help unknown option help usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-subject_hash - print subject hash value
-subject_hash_old - print old-style (MD5) subject hash value
-issuer_hash - print issuer hash value
-issuer_hash_old - print old-style (MD5) issuer hash value
-hash - synonym for -subject_hash
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and public key
-ocsp_uri - print OCSP Responder URL(s)
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30 days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options
Client Certificates AKA pkcs12
Client Certificate is a language abuse, but anyway it is knid of file you need to install on your system when SSL/TLS server require Client Authentication. Those kind of certificates credentials are known as pkcs12 or pfx files. They contains a x509 Certificate and the public/private key of client. Those files are then very sensible to handle with same security as a private key.
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-seed encrypt private keys with seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-nomaciter don't use MAC iteration
-maciter use MAC iteration
-nomac don't generate MAC
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-macalg alg digest algorithm used in MAC (default SHA1)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
