openssl

openssl - OpenSSL command line program

Synopsis

openssl command [ options ... ] [ arguments ... ]

openssl list [ standard-commands | digest-commands | cipher-commands | cipher-algorithms | digest-algorithms | mac-algorithms | public-key-algorithms ]

openssl no-XXX [ options ]

Description

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols and the related cryptography standards they require.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for:

o Creation and management of private keys, public keys and parameters
o Public key cryptographic operations
o Creation of X.509 certificates, CSRs and CRLs
o Calculation of Message Digests and Message Authentication Codes
o Encryption and Decryption with Ciphers
o SSL/TLS Client and Server Tests
o Handling of S/MIME signed or encrypted mail
o Timestamp requests, generation and verification

help

Display information about the available commands and their options.

 # openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509

Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb

genrsa

Generate an RSA private key.

 # openssl genrsa -help
Usage: genrsa [options]
Valid options are:
-help Display this summary
-3 Use 3 for the E value
-F4 Use F4 (0x10001) for the E value
-f4 Use F4 (0x10001) for the E value
-out outfile Output the key to specified file
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-passout val Output file pass phrase source
-* Encrypt the output with any supported cipher
-engine val Use engine, possibly a hardware device
-primes +int Specify number of primes

req

PKCS#10 X.509 Certificate Signing Request (CSR) management.

 # openssl req -help
Usage: req [options]
Valid options are:
-help Display this summary
-inform PEM|DER Input format - DER or PEM
-outform PEM|DER Output format - DER or PEM
-in infile Input file
-out outfile Output file
-key val Private key to use
-keyform format Key file format
-pubkey Output public key
-new New request
-config infile Request template file
-keyout outfile File to send the key to
-passin val Private key password source
-passout val Output file pass phrase source
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-newkey val Specify as type:bits
-pkeyopt val Public key options as opt:value
-sigopt val Signature parameter in n:v form
-batch Do not ask anything during request generation
-newhdr Output "NEW" in the header lines
-modulus RSA modulus
-verify Verify signature on REQ
-nodes Don't encrypt the output key
-noout Do not output REQ
-verbose Verbose output
-utf8 Input characters are UTF8 (default ASCII)
-nameopt val Various certificate name options
-reqopt val Various request text options
-text Text form of request
-x509 Output a x509 structure instead of a cert request
(Required by some CA's)
-subj val Set or modify request subject
-subject Output the request's subject
-multivalue-rdn Enable support for multivalued RDNs
-days +int Number of days cert is valid for
-set_serial val Serial number to use
-addext val Additional cert extension key=value pair (may be given more than once)
-extensions val Cert extension section (override value in config file)
-reqexts val Request extension section (override value in config file)
-precert Add a poison extension (implies -new)
-* Any supported digest
-engine val Use engine, possibly a hardware device
-keygen_engine val Specify engine to be used for key generation operations

ca

Certificate Authority (CA) management.

 # openssl ca -help
Usage: ca [options]
Valid options are:
-help Display this summary
-verbose Verbose output during processing
-config val A config file
-name val The particular CA definition to use
-subj val Use arg instead of request's subject
-utf8 Input characters are UTF8 (default ASCII)
-create_serial If reading serial fails, create a new random serial
-rand_serial Always create a random serial; do not store it
-multivalue-rdn Enable support for multivalued RDNs
-startdate val Cert notBefore, YYMMDDHHMMSSZ
-enddate val YYMMDDHHMMSSZ cert notAfter (overrides -days)
-days +int Number of days to certify the cert for
-md val md to use; one of md2, md5, sha or sha1
-policy val The CA 'policy' to support
-keyfile val Private key
-keyform format Private key file format (PEM or ENGINE)
-passin val Input file pass phrase source
-key val Key to decode the private key if it is encrypted
-cert infile The CA cert
-selfsign Sign a cert with the key associated with it
-in infile The input PEM encoded cert request(s)
-out outfile Where to put the output file(s)
-outdir dir Where to put output cert
-sigopt val Signature parameter in n:v form
-notext Do not print the generated certificate
-batch Don't ask questions
-preserveDN Don't re-order the DN
-noemailDN Don't add the EMAIL field to the DN
-gencrl Generate a new CRL
-msie_hack msie modifications to handle all those universal strings
-crldays +int Days until the next CRL is due
-crlhours +int Hours until the next CRL is due
-crlsec +int Seconds until the next CRL is due
-infiles The last argument, requests to process
-ss_cert infile File contains a self signed cert to sign
-spkac infile File contains DN and signed public key and challenge
-revoke infile Revoke a cert (given in file)
-valid val Add a Valid(not-revoked) DB entry about a cert (given in file)
-extensions val Extension section (override value in config file)
-extfile infile Configuration file with X509v3 extensions to add
-status val Shows cert status given the serial number
-updatedb Updates db for expired cert
-crlexts val CRL extension section (override value in config file)
-crl_reason val revocation reason
-crl_hold val the hold instruction, an OID. Sets revocation reason to certificateHold
-crl_compromise val sets compromise time to val and the revocation reason to keyCompromise
-crl_CA_compromise val sets compromise time to val and the revocation reason to CACompromise
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-engine val Use engine, possibly a hardware device

passwd

Generate hashed passwords.

 # openssl passwd -help
Usage: passwd [options]
Valid options are:
-help Display this summary
-in infile Read passwords from file
-noverify Never verify when reading password from terminal
-quiet No warnings
-table Format output as table
-reverse Switch table columns
-salt val Use provided salt
-stdin Read passwords from stdin
-6 SHA512-based password algorithm
-5 SHA256-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-1 MD5-based password algorithm
-aixmd5 AIX MD5-based password algorithm
-crypt Standard Unix password algorithm (default)
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
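As an added example (not from the original page or from OpenSSL's own documentation), the two functions below use passwd -6 with an explicit -salt to produce a sha512crypt string and to check a candidate password against a stored one. The password and the salt are constructed values; -stdin is used so the password never appears on the command line or in the process list.

```shell
#!/bin/sh
# Added example: hashing and checking a password with `openssl passwd -6`.
# The stored hash has the form $6$<salt>$<hash>; rehashing the candidate with
# the salt taken from the stored string and comparing is the whole check.
set -eu

# hash_password PASSWORD SALT -> prints "$6$SALT$..." (sha512crypt, default rounds).
# The salt may be up to 16 characters from [A-Za-z0-9./]; read via -stdin so the
# secret is not a command line argument.
hash_password() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# verify_password STORED CANDIDATE -> exit 0 on match, 1 otherwise.
# Only $6$ strings are accepted; the salt is the third '$'-separated field.
verify_password() {
    stored=$1
    candidate=$2
    case "$stored" in '$6$'*) ;; *) return 1 ;; esac
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    [ -n "$salt" ] || return 1
    # Plain string compare is fine for a demo; a real login path would use a
    # library with a constant-time comparison.
    [ "$(hash_password "$candidate" "$salt")" = "$stored" ]
}

# Constructed sample: fixed salt so the output is reproducible between runs.
STORED=$(hash_password 'correct horse' 'r9u3iYQnSHdg')
echo "stored: $STORED"
verify_password "$STORED" 'correct horse' && echo "match"
verify_password "$STORED" 'correct hors3' || echo "no match"
```

Prefer -6 (or -5) over -1 and -apr1, which are MD5-based, when the hash will guard a real account.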

x509

X.509 certificate data management.

 # openssl x509 -help
Usage: x509 [options]
Valid options are:
-help Display this summary
-inform format Input format - default PEM (one of DER or PEM)
-in infile Input file - default stdin
-outform format Output format - default PEM (one of DER or PEM)
-out outfile Output file - default stdout
-keyform PEM|DER|ENGINE Private key format - default PEM
-passin val Private key password/pass-phrase source
-serial Print serial number value
-subject_hash Print subject hash value
-issuer_hash Print issuer hash value
-hash Synonym for -subject_hash
-subject Print subject DN
-issuer Print issuer DN
-email Print email address(es)
-startdate Set notBefore field
-enddate Set notAfter field
-purpose Print out certificate purposes
-dates Both Before and After dates
-modulus Print the RSA key modulus
-pubkey Output the public key
-fingerprint Print the certificate fingerprint
-alias Output certificate alias
-noout No output, just status
-nocert No certificate output
-ocspid Print OCSP hash values for the subject name and public key
-ocsp_uri Print OCSP Responder URL(s)
-trustout Output a trusted certificate
-clrtrust Clear all trusted purposes
-clrext Clear all certificate extensions
-addtrust val Trust certificate for a given purpose
-addreject val Reject certificate for a given purpose
-setalias val Set certificate alias
-days int How long till expiry of a signed certificate - def 30 days
-checkend intmax Check whether the cert expires in the next arg seconds
Exit 1 if so, 0 if not
-signkey val Self sign cert with arg
-x509toreq Output a certification request object
-req Input is a certificate request, sign and output
-CA infile Set the CA certificate, must be PEM format
-CAkey val The CA key, must be PEM format; if not in CAfile
-CAcreateserial Create serial number file if it does not exist
-CAserial val Serial file
-set_serial val Serial number to use
-text Print the certificate in text form
-ext val Print various X509V3 extensions
-C Print out C code forms
-extfile infile File with X509V3 extensions to add
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-extensions val Section from config file to use
-nameopt val Various certificate name options
-certopt val Various certificate text options
-checkhost val Check certificate matches host
-checkemail val Check certificate matches email
-checkip val Check certificate matches ipaddr
-CAform PEM|DER CA format - default PEM
-CAkeyform PEM|DER|ENGINE CA key format - default PEM
-sigopt val Signature parameter in n:v form
-force_pubkey infile Force the Key to put inside certificate
-next_serial Increment current certificate serial number
-clrreject Clears all the prohibited or rejected uses of the certificate
-badsig Corrupt last byte of certificate signature (for test)
-* Any supported digest
-subject_hash_old Print old-style (MD5) issuer hash value
-issuer_hash_old Print old-style (MD5) subject hash value
-engine val Use engine, possibly a hardware device
-preserve_dates preserve existing dates when signing
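The genrsa, req and x509 subcommands above cover the whole life of a test certificate. The script below is an added example, not code from the original page or from OpenSSL itself: it builds a throwaway CA and a CA-signed leaf in a temporary directory (signing with x509 -req, so no ca database is needed), then runs the checks a reviewer would apply with verify, -ext and -checkend. The CA name, host name, key size and validity periods are made-up choices.

```shell
#!/bin/sh
# Added example: a disposable test PKI built with genrsa, req and x509,
# followed by the checks that confirm the result is what was intended.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_test_pki DIR: CA key + self-signed CA cert, then leaf key, CSR and
# CA-signed leaf cert with a subjectAltName supplied through -extfile.
build_test_pki() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null   # stderr is only progress noise
    # req -x509 turns the request straight into a self-signed certificate
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Example Test CA" \
        -days 365 -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=server.example.test" \
        -out "$dir/server.csr"
    # Without -extensions, x509 reads the unnamed top-level section of the extfile.
    printf 'subjectAltName=DNS:server.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/server.crt"
}

# check_leaf DIR -> 0 when the leaf chains to the CA and carries the expected SAN.
check_leaf() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName \
        | grep -q 'DNS:server.example.test'
}

# valid_after_seconds CERT SECONDS -> 0 if still valid then, 1 if it will have expired
# (this is exactly the exit status -checkend documents).
valid_after_seconds() {
    openssl x509 -in "$1" -noout -checkend "$2"
}

build_test_pki "$WORK"
check_leaf "$WORK" && echo "leaf verifies against the CA and has the expected SAN"
valid_after_seconds "$WORK/server.crt" $((20 * 86400)) && echo "still valid in 20 days"
valid_after_seconds "$WORK/server.crt" $((40 * 86400)) || echo "expires within 40 days"
openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256
```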