Command Line Utilities

From OpenSSLWiki
Jump to navigationJump to search

When installed on your system openssl binary is entry point for many functions.

  • launching openssl without any parameter will enter an interactive mode with an OpenSSL> prompt
    • to quit: quit
    • enter a command it will set a command context in which parameters depends on command.
  • to known what commands and parameters you can issue for openssl do :
    • openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             srp               ts                verify            
version           x509              

Message Digest commands (see the `dgst' command for more details)
md4               md5               rmd160            sha               
sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              rc2               
rc2-40-cbc        rc2-64-cbc        rc2-cbc           rc2-cfb           
rc2-ecb           rc2-ofb           rc4               rc4-40            
seed              seed-cbc          seed-cfb          seed-ecb          
seed-ofb          zlib              

commands

Get information about your openssl toolkit

version

OpenSSL> version OpenSSL 1.0.1e 11 Feb 2013

ciphers

returns SSL/TLS ciphers supported.

OpenSSL> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

engine

OpenSSL> engine (rsax) RSAX engine support (dynamic) Dynamic engine loading support

speed

returns informations of toolkit performance on cryptographic functions computations.

( Ex: on Linux 3.1.0-1-amd64 #1 SMP x86_64 GNU/Linux, HP dv7 i7 4Gb )

Doing md4 for 3s on 16 size blocks: 12430613 md4's in 3.00s
...
Doing md5 for 3s on 16 size blocks: 8943943 md5's in 2.99s
Doing md5 for 3s on 64 size blocks: 6560162 md5's in 3.00s
Doing md5 for 3s on 256 size blocks: 3674563 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1325803 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 190271 md5's in 3.00s
Doing hmac(md5) for 3s on 16 size blocks: 7289025 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 64 size blocks: 5519732 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 256 size blocks: 3319123 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 1024 size blocks: 1275475 hmac(md5)'s in 3.00s
Doing hmac(md5) for 3s on 8192 size blocks: 187134 hmac(md5)'s in 3.00s
Doing sha1 for 3s on 16 size blocks: 10089842 sha1's in 2.99s
Doing sha1 for 3s on 64 size blocks: 7033355 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 3919372 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 1374314 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 198808 sha1's in 3.00s
Doing sha256 for 3s on 16 size blocks: 6462822 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 3504641 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 1486771 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 440613 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 58418 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 5040453 sha512's in 2.99s
Doing sha512 for 3s on 64 size blocks: 5089425 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 1865240 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 643708 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 90615 sha512's in 3.00s
...
Doing whirlpool for 3s on 8192 size blocks: 33204 whirlpool's in 3.00s
...
Doing rmd160 for 3s on 8192 size blocks: 66719 rmd160's in 3.00s
...
Doing rc4 for 3s on 8192 size blocks: 238972 rc4's in 3.00s
...
Doing des cbc for 3s on 8192 size blocks: 19837 des cbc's in 3.00s
...
Doing des ede3 for 3s on 8192 size blocks: 7706 des ede3's in 3.00s
...
Doing aes-128 cbc for 3s on 8192 size blocks: 35217 aes-128 cbc's in 3.00s
...
Doing aes-192 cbc for 3s on 8192 size blocks: 29225 aes-192 cbc's in 3.01s
...
Doing aes-256 cbc for 3s on 8192 size blocks: 24414 aes-256 cbc's in 3.00s
...
Doing aes-256 ige for 3s on 8192 size blocks: 23331 aes-256 ige's in 2.99s
...

Create / Handle Public Key Certificates

This requires you have a knowledge of what PKI is ( Certificate Authorities, Certificate Request, Certificate, Public Key, Private Key )

Classical use case is to obtain a valid Certificate for a Secured Web site ( https protocol ). First you create a Private Key ( will be created together with Public key ). Then create a Certificate Request for that private key with some informations for purpose of future Certificate. Then send that Certificate Request to a Certificate Authority ( CA ) that will issue a Certificate that CA signed. For well known CA you need to pay. Up to you to install your Private key together with the received Certificate on your system.

ca

OpenSSL> ca Using configuration from /usr/lib/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 140492277311144:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r') 140492277311144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load CA private key error in ca

By default you don't have ca created...

req

OpenSSL> req ? unknown option ? req [options] <infile >outfile where options are

-inform arg    input format - DER or PEM
-outform arg   output format - DER or PEM
-in arg        input file
-out arg       output file
-text          text form of request
-pubkey        output public key
-noout         do not output REQ
-verify        verify signature on REQ
-modulus       RSA modulus
-nodes         don't encrypt the output key
-engine e      use engine e, possibly a hardware device
-subject       output the request's subject
-passin        private key password source
-key file      use the private key contained in file
-keyform arg   key file format
-keyout arg    file to send the key to
-rand file:file:...
               load the file (or the files in the directory) into
               the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
-config file   request template file.
-subj arg      set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new           new request.
-batch         do not ask anything during request generation
-x509          output a x509 structure instead of a cert. req.
-days          number of days a certificate generated by -x509 is valid for.
-set_serial    serial number to use for a certificate generated by -x509.
-newhdr        output "NEW" in the header lines
-asn1-kludge   Output the 'request' in a format that is wrong but some CA's
               have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts ..    specify request extension section (override value in config file)
-utf8          input characters are UTF8 (default ASCII)
-nameopt arg    - various certificate name options
-reqopt arg    - various request text options

error in req

rsa

rsa help unknown option help rsa [options] <infile >outfile where options are

-inform arg     input format - one of DER NET PEM
-outform arg    output format - one of DER NET PEM
-in arg         input file
-sgckey         Use IIS SGC key format
-passin arg     input file pass phrase source
-out arg        output file
-passout arg    output file pass phrase source
-des            encrypt PEM output with cbc des
-des3           encrypt PEM output with ede cbc des using 168 bit key
-seed           encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
                encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
                encrypt PEM output with cbc camellia
-text           print the key in text
-noout          don't print key out
-modulus        print the RSA key modulus
-check          verify key consistency
-pubin          expect a public key in input file
-pubout         output a public key
-engine e       use engine e, possibly a hardware device.

error in rsa

dsa

OpenSSL> dsa help unknown option help dsa [options] <infile >outfile where options are

-inform arg     input format - DER or PEM
-outform arg    output format - DER or PEM
-in arg         input file
-passin arg     input file pass phrase source
-out arg        output file
-passout arg    output file pass phrase source
-engine e       use engine e, possibly a hardware device.
-des            encrypt PEM output with cbc des
-des3           encrypt PEM output with ede cbc des using 168 bit key
-aes128, -aes192, -aes256
                encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
                encrypt PEM output with cbc camellia
-seed           encrypt PEM output with cbc seed
-text           print the key in text
-noout          don't print key out
-modulus        print the DSA public value

error in dsa


x509

OpenSSL> x509 help unknown option help usage: x509 args

-inform arg     - input format - default PEM (one of DER, NET or PEM)
-outform arg    - output format - default PEM (one of DER, NET or PEM)
-keyform arg    - private key format - default PEM
-CAform arg     - CA format - default PEM
-CAkeyform arg  - CA key format - default PEM
-in arg         - input file - default stdin
-out arg        - output file - default stdout
-passin arg     - private key password source
-serial         - print serial number value
-subject_hash   - print subject hash value
-subject_hash_old   - print old-style (MD5) subject hash value
-issuer_hash    - print issuer hash value
-issuer_hash_old    - print old-style (MD5) issuer hash value
-hash           - synonym for -subject_hash
-subject        - print subject DN
-issuer         - print issuer DN
-email          - print email address(es)
-startdate      - notBefore field
-enddate        - notAfter field
-purpose        - print out certificate purposes
-dates          - both Before and After dates
-modulus        - print the RSA key modulus
-pubkey         - output the public key
-fingerprint    - print the certificate fingerprint
-alias          - output certificate alias
-noout          - no certificate output
-ocspid         - print OCSP hash values for the subject name and public key
-ocsp_uri       - print OCSP Responder URL(s)
-trustout       - output a "trusted" certificate
-clrtrust       - clear all trusted purposes
-clrreject      - clear all rejected purposes
-addtrust arg   - trust certificate for a given purpose
-addreject arg  - reject certificate for a given purpose
-setalias arg   - set certificate alias
-days arg       - How long till expiry of a signed certificate - def 30 days
-checkend arg   - check whether the cert expires in the next arg seconds
                  exit 1 if so, 0 if not
-signkey arg    - self sign cert with arg
-x509toreq      - output a certification request object
-req            - input is a certificate request, sign and output.
-CA arg         - set the CA certificate, must be PEM format.
-CAkey arg      - set the CA key, must be PEM format
                  missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg   - serial file
-set_serial     - serial number to use
-text           - print the certificate in text form
-C              - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile        - configuration file with X509V3 extensions to add
-extensions     - section from config file with X509V3 extensions to add
-clrext         - delete extensions before signing and input certificate
-nameopt arg    - various certificate name options
-engine e       - use engine e, possibly a hardware device.
-certopt arg    - various certificate text options