openssl 命令手册
文章目录
NAME
openssl -- OpenSSL command line tool
SYNOPSIS
openssl command [command_opts] [command_args]
openssl list-standard-commands | list-message-digest-commands | list-cipher-commands | list-cipher-algorithms | list-message-digest-algorithms | list-public-key-algorithms
openssl no-command
DESCRIPTION
OpenSSL is a cryptography toolkit implementing the Transport Layer Security (TLS v1) network protocol, as well as related cryptography standards.
The openssl program is a command line tool for using the various cryptography functions of openssl's crypto library from the shell.
The pseudo-commands list-standard-commands, list-message-digest-commands, and list-cipher-commands output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present openssl utility.
The pseudo-commands list-cipher-algorithms and list-message-digest-algorithms list all cipher and message digest names, one entry per line. Aliases are listed as:
from => to
The pseudo-command list-public-key-algorithms lists all supported public key algorithms.
The pseudo-command no-command tests whether a command of the specified name is available. If command does not exist, it returns 0 and prints no-command; otherwise it returns 1 and prints command. In both cases, the output goes to stdout and nothing is printed to stderr. Additional command line arguments
are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the openssl program.
Note: no-command is not able to detect pseudo-commands such as quit, list-...-commands, or no-command itself.
ASN1PARSE
openssl asn1parse [-i] [-dlimit number] [-dump] [-genconf file] [-genstr str] [-in file] [-inform der | pem | txt] [-length number] [-noout] [-offset number] [-oid file] [-out file] [-strparse offset]
The asn1parse command is a diagnostic utility that can parse ASN.1 structures. It can also be used to extract data from ASN.1 formatted data.
The options are as follows:
-dlimit number
Dump the first number bytes of unknown data in hex form.
-dump Dump unknown data in hex form.
-genconf file, -genstr str
Generate encoded data based on string str, file file, or both, using the format described in ASN1_generate_nconf(3). If only file is present then the string is obtained from the default section using the name ``asn1''. The encoded data is passed through the ASN.1 parser and printed out as though it
came from a file; the contents can thus be examined and written to a file using the -out option.
-i Indent the output according to the "depth" of the structures.
-in file
The input file to read from, or standard input if not specified.
-inform der | pem | txt
The input format.
-length number
Number of bytes to parse; the default is until end of file.
-noout Do not output the parsed version of the input file.
-offset number
Starting offset to begin parsing; the default is start of file.
-oid file
A file containing additional object identifiers (OIDs). If an OID (object identifier) is not part of openssl's internal table it will be represented in numerical form (for example 1.2.3.4).
Each line consists of three columns: the first column is the OID in numerical format and should be followed by whitespace. The second column is the "short name", which is a single word followed by whitespace. The final column is the rest of the line and is the "long name". asn1parse displays the
long name.
-out file
The DER-encoded output file; the default is no encoded output (useful when combined with -strparse).
-strparse offset
Parse the content octets of the ASN.1 object starting at offset. This option can be used multiple times to "drill down" into a nested structure.
CA
openssl ca [-batch] [-cert file] [-config file] [-crl_CA_compromise time] [-crl_compromise time] [-crl_hold instruction] [-crl_reason reason] [-crldays days] [-crlexts section] [-crlhours hours] [-days arg] [-enddate date] [-extensions section] [-extfile section] [-gencrl] [-in file] [-infiles] [-key keyfile]
[-keyfile arg] [-keyform pem] [-md arg] [-msie_hack] [-name section] [-noemailDN] [-notext] [-out file] [-outdir dir] [-passin arg] [-policy arg] [-preserveDN] [-revoke file] [-spkac file] [-ss_cert file] [-startdate date] [-status serial] [-subj arg] [-updatedb] [-verbose]
The ca command is a minimal certificate authority (CA) application. It can be used to sign certificate requests in a variety of forms and generate certificate revocation lists (CRLs). It also maintains a text database of issued certificates and their status.
The options relevant to CAs are as follows:
-batch
Batch mode. In this mode no questions will be asked and all certificates will be certified automatically.
-cert file
The CA certificate file.
-config file
Specify an alternative configuration file.
-days arg
The number of days to certify the certificate for.
-enddate date
Set the expiry date. The format of the date is YYMMDDHHMMSSZ (the same as an ASN.1 UTCTime structure).
-extensions section
The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present, a V1 certificate is created. If the extension section is present (even if it is empty),
then a V3 certificate is created.
-extfile file
An additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used).
-in file
An input file containing a single certificate request to be signed by the CA.
-infiles
If present, this should be the last option; all subsequent arguments are assumed to be the names of files containing certificate requests.
-key keyfile
The password used to encrypt the private key. Since on some systems the command line arguments are visible, this option should be used with caution.
-keyfile file
The private key to sign requests with.
-keyform pem
Private key file format.
-md alg
The message digest to use. Possible values include md5 and sha1. This option also applies to CRLs.
-msie_hack
This is a legacy option to make ca work with very old versions of the IE certificate enrollment control "certenr3". It used UniversalStrings for almost everything. Since the old control has various security bugs, its use is strongly discouraged. The newer control "Xenroll" does not need this option.
-name section
Specifies the configuration file section to use (overrides default_ca in the ca section).
-noemailDN
The DN of a certificate can contain the EMAIL field if present in the request DN, however it is good policy just having the email set into the altName extension of the certificate. When this option is set, the EMAIL field is removed from the certificate's subject and set only in the, eventually
present, extensions. The email_in_dn keyword can be used in the configuration file to enable this behaviour.
-notext
Don't output the text form of a certificate to the output file.
-out file
The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file.
-outdir directory
The directory to output certificates to. The certificate will be written to a file consisting of the serial number in hex with ".pem" appended.
-passin arg
The key password source.
-policy arg
Define the CA "policy" to use. The policy section in the configuration file consists of a set of variables corresponding to certificate DN fields. The values may be one of "match" (the value must match the same field in the CA certificate), "supplied" (the value must be present), or "optional" (the
value may be present). Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set, but this can be regarded more of a quirk than intended behaviour.
-preserveDN
Normally, the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set, the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs matched
the order of the request. This is not needed for Xenroll.
-spkac file
A file containing a single Netscape signed public key and challenge, and additional field values to be signed by the CA. This will usually come from the KEYGEN tag in an HTML form to create a new private key. It is, however, possible to create SPKACs using the spkac utility.
The file should contain the variable SPKAC set to the value of the SPKAC and also the required DN components as name value pairs. If it's necessary to include the same component twice, then it can be preceded by a number and a `.'.
-ss_cert file
A single self-signed certificate to be signed by the CA.
-startdate date
Set the start date. The format of the date is YYMMDDHHMMSSZ (the same as an ASN.1 UTCTime structure).
-status serial
Show the status of the certificate with serial number serial.
-updatedb
Update database for expired certificates.
-verbose
Print extra details about the operations being performed.
The options relevant to CRLs are as follows:
-crl_CA_compromise time
This is the same as -crl_compromise, except the revocation reason is set to CACompromise.
-crl_compromise time
Set the revocation reason to keyCompromise and the compromise time to time. time should be in GeneralizedTime format, i.e. YYYYMMDDHHMMSSZ.
-crl_hold instruction
Set the CRL revocation reason code to certificateHold and the hold instruction to instruction which must be an OID. Although any OID can be used, only holdInstructionNone (the use of which is discouraged by RFC 2459), holdInstructionCallIssuer or holdInstructionReject will normally be used.
-crl_reason reason
Revocation reason, where reason is one of: unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold or removeFromCRL. The matching of reason is case insensitive. Setting any revocation reason will make the CRL v2. In practice, removeFromCRL is
not particularly useful because it is only used in delta CRLs which are not currently implemented.
-crldays num
The number of days before the next CRL is due. This is the days from now to place in the CRL nextUpdate field.
-crlexts section
The section of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created; if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and not CRL entry exten-
sions. It should be noted that some software can't handle V2 CRLs.
-crlhours num
The number of hours before the next CRL is due.
-gencrl
Generate a CRL based on information in the index file.
-revoke file
A file containing a certificate to revoke.
-subj arg
Supersedes the subject name given in the request. The arg must be formatted as /type0=value0/type1=value1/type2=...; characters may be escaped by `\' (backslash), no spaces are skipped.
Many of the options can be set in the ca section of the configuration file (or in the default section of the configuration file), specified using default_ca or -name. The options preserve and msie_hack are read directly from the ca section.
Many of the configuration file options are identical to command line options. Where the option is present in the configuration file and the command line, the command line value is used. Where an option is described as mandatory, then it must be present in the configuration file or the command line equiva-
lent (if any) used.
certificate
The same as -cert. It gives the file containing the CA certificate. Mandatory.
copy_extensions
Determines how extensions in certificate requests should be handled. If set to none or this option is not present, then extensions are ignored and not copied to the certificate. If set to copy, then any extensions present in the request that are not already present are copied to the certificate. If
set to copyall, then all extensions in the request are copied to the certificate: if the extension is already present in the certificate it is deleted first.
The copy_extensions option should be used with caution. If care is not taken, it can be a security risk. For example, if a certificate request contains a basicConstraints extension with CA:TRUE and the copy_extensions value is set to copyall and the user does not spot this when the certificate is dis-
played, then this will hand the requestor a valid CA certificate.
This situation can be avoided by setting copy_extensions to copy and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension, it will be ignored.
The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.
crl_extensions
The same as -crlexts.
crlnumber
A text file containing the next CRL number to use in hex. The CRL number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid CRL number.
database
The text database file to use. Mandatory. This file must be present, though initially it will be empty.
default_crl_hours, default_crl_days
The same as the -crlhours and -crldays options. These will only be used if neither command line option is present. At least one of these must be present to generate a CRL.
default_days
The same as the -days option. The number of days to certify a certificate for.
default_enddate
The same as the -enddate option. Either this option or default_days (or the command line equivalents) must be present.
default_md
The same as the -md option. The message digest to use. Mandatory.
default_startdate
The same as the -startdate option. The start date to certify a certificate for. If not set, the current time is used.
email_in_dn
The same as -noemailDN. If the EMAIL field is to be removed from the DN of the certificate, simply set this to "no". If not present, the default is to allow for the EMAIL field in the certificate's DN.
msie_hack
The same as -msie_hack.
name_opt, cert_opt
These options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the x509 utilities' -nameopt and -certopt switches can be used here, except that no_signame and no_sigdump are permanently set and cannot be disabled (this is
because the certificate signature cannot be displayed because the certificate has not been signed at this point).
For convenience, the value ca_default is accepted by both to produce a reasonable output.
If neither option is present, the format used in earlier versions of openssl is used. Use of the old format is strongly discouraged because it only displays fields mentioned in the policy section, mishandles multicharacter string types and does not display extensions.
new_certs_dir
The same as the -outdir command line option. It specifies the directory where new certificates will be placed. Mandatory.
oid_file
This specifies a file containing additional object identifiers. Each line of the file should consist of the numerical form of the object identifier followed by whitespace, then the short name followed by whitespace and finally the long name.
oid_section
This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by `=' and the numerical form. The short and long names are the same when this option is used.
policy
The same as -policy. Mandatory.
preserve
The same as -preserveDN.
private_key
Same as the -keyfile option. The file containing the CA private key. Mandatory.
serial
A text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number.
unique_subject
If the value yes is given, the valid certificate entries in the database must have unique subjects. If the value no is given, several valid certificate entries may have the exact same subject. The default value is yes.
x509_extensions
The same as -extensions.
CIPHERS
openssl ciphers [-hVv] [-tls1] [cipherlist]
The ciphers command converts openssl cipher lists into ordered SSL cipher preference lists. It can be used as a way to determine the appropriate cipher list.
The options are as follows:
-h, -? Print a brief usage message.
-tls1 Only include TLS v1 ciphers.
-V Verbose. List ciphers with a complete description of protocol version, key exchange, authentication, encryption and mac algorithms, any key size restrictions, and cipher suite codes (hex format).
-v Like -V, but without cipher suite codes.
cipherlist
A cipher list to convert to a cipher preference list. If it is not included, the default cipher list will be used.
The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators, but colons are normally used.
The actual cipher string can take several different forms:
It can consist of a single cipher suite, such as RC4-SHA.
It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example SHA1 represents all cipher suites using the digest algorithm SHA1.
Lists of cipher suites can be combined in a single cipher string using the `+' character (logical AND operation). For example, SHA1+DES represents all cipher suites containing the SHA1 and DES algorithms.
Each cipher string can be optionally preceded by the characters `!', `-', or `+'. If `!' is used, then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated. If `-' is used, then the ciphers are deleted from the
list, but some or all of the ciphers can be added again by later options. If `+' is used, then the ciphers are moved to the end of the list. This option doesn't add any new ciphers, it just moves matching existing ones.
If none of these characters is present, the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present, they will be ignored; that is, they will not be moved to the end of the list.
Additionally, the cipher string @STRENGTH can be used at any point to sort the current cipher list in order of encryption algorithm key length.
The following is a list of all permitted cipher strings and their meanings.
DEFAULT
The default cipher list. This is determined at compile time and is currently ALL:!aNULL:!eNULL:!SSLv2. This must be the first cipher string specified.
COMPLEMENTOFDEFAULT
The ciphers included in ALL, but not enabled by default. Currently this is ADH. Note that this rule does not cover eNULL, which is not included by ALL (use COMPLEMENTOFALL if necessary).
ALL All cipher suites except the eNULL ciphers, which must be explicitly enabled.
COMPLEMENTOFALL
The cipher suites not enabled by ALL, currently being eNULL.
HIGH "High" encryption cipher suites. This currently means those with key lengths larger than 128 bits.
MEDIUM
"Medium" encryption cipher suites, currently those using 128-bit encryption.
LOW "Low" encryption cipher suites, currently those using 64- or 56-bit encryption algorithms.
eNULL, NULL
The "NULL" ciphers; that is, those offering no encryption. Because these offer no encryption at all and are a security risk, they are disabled unless explicitly included.
aNULL
The cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack, so their use is normally discouraged.
kRSA, RSA
Cipher suites using RSA key exchange.
kEDH Cipher suites using ephemeral DH key agreement.
aRSA Cipher suites using RSA authentication, i.e. the certificates carry RSA keys.
aDSS, DSS
Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
TLSv1
TLS v1.0 cipher suites.
DH Cipher suites using DH, including anonymous DH.
ADH Anonymous DH cipher suites.
AES Cipher suites using AES.
3DES Cipher suites using triple DES.
DES Cipher suites using DES (not triple DES).
RC4 Cipher suites using RC4.
CAMELLIA
Cipher suites using Camellia.
CHACHA20
Cipher suites using ChaCha20.
IDEA Cipher suites using IDEA.
MD5 Cipher suites using MD5.
SHA1, SHA
Cipher suites using SHA1.
CRL
openssl crl [-CAfile file] [-CApath dir] [-fingerprint] [-hash] [-in file] [-inform der | pem] [-issuer] [-lastupdate] [-nextupdate] [-noout] [-out file] [-outform der | pem] [-text]
The crl command processes CRL files in DER or PEM format.
The options are as follows:
-CAfile file
Verify the signature on a CRL by looking up the issuing certificate in file.
-CApath directory
Verify the signature on a CRL by looking up the issuing certificate in dir. This directory must be a standard certificate directory, i.e. a hash of each subject name (using x509 -hash) should be linked to each certificate.
-fingerprint
Print the CRL fingerprint.
-hash Output a hash of the issuer name. This can be used to look up CRLs in a directory by issuer name.
-in file
The input file to read from, or standard input if not specified.
-inform der | pem
The input format.
-issuer
Output the issuer name.
-lastupdate
Output the lastUpdate field.
-nextupdate
Output the nextUpdate field.
-noout Do not output the encoded version of the CRL.
-out file
The output file to write to, or standard output if not specified.
-outform der | pem
The output format.
-text Print the CRL in plain text.
CRL2PKCS7
openssl crl2pkcs7 [-certfile file] [-in file] [-inform der | pem] [-nocrl] [-out file] [-outform der | pem]
The crl2pkcs7 command takes an optional CRL and one or more certificates and converts them into a PKCS#7 degenerate "certificates only" structure.
The options are as follows:
-certfile file
Add the certificates in PEM file to the PKCS#7 structure. This option can be used more than once to read certificates from multiple files.
-in file
Read the CRL from file, or standard input if not specified.
-inform der | pem
The input format.
-nocrl Normally, a CRL is included in the output file. With this option, no CRL is included in the output file and a CRL is not read from the input file.
-out file
Write the PKCS#7 structure to file, or standard output if not specified.
-outform der | pem
The output format.
DGST
openssl dgst [-cd] [-binary] [-digest] [-hex] [-hmac key] [-keyform pem] [-mac algorithm] [-macopt nm:v] [-out file] [-passin arg] [-prverify file] [-sign file] [-signature file] [-sigopt nm:v] [-verify file] [file ...]
The digest functions output the message digest of a supplied file or files in hexadecimal form. They can also be used for digital signing and verification.
The options are as follows:
-binary
Output the digest or signature in binary form.
-c Print the digest in two-digit groups separated by colons.
-d Print BIO debugging information.
-digest
Use the specified message digest. The default is MD5. The available digests can be displayed using openssl list-message-digest-commands. The following are equivalent: openssl dgst -md5 and openssl md5.
-hex Digest is to be output as a hex dump. This is the default case for a "normal" digest as opposed to a digital signature.
-hmac key
Create a hashed MAC using key.
-keyform pem
Specifies the key format to sign the digest with.
-mac algorithm
Create a keyed Message Authentication Code (MAC). The most popular MAC algorithm is HMAC (hash-based MAC), but there are other MAC algorithms which are not based on hash. MAC keys and other options should be set via the -macopt parameter.
-macopt nm:v
Passes options to the MAC algorithm, specified by -mac. The following options are supported by HMAC:
key:string
Specifies the MAC key as an alphanumeric string (use if the key contain printable characters only). String length must conform to any restrictions of the MAC algorithm.
hexkey:string
Specifies the MAC key in hexadecimal form (two hex digits per byte). Key length must conform to any restrictions of the MAC algorithm.
-out file
The output file to write to, or standard output if not specified.
-passin arg
The key password source.
-prverify file
Verify the signature using the private key in file. The output is either "Verification OK" or "Verification Failure".
-sign file
Digitally sign the digest using the private key in file.
-signature file
The actual signature to verify.
-sigopt nm:v
Pass options to the signature algorithm during sign or verify operations. The names and values of these options are algorithm-specific.
-verify file
Verify the signature using the public key in file. The output is either "Verification OK" or "Verification Failure".
file ...
File or files to digest. If no files are specified then standard input is used.
###DHPARAM
DHPARAM
openssl dhparam [-2 | -5] [-C] [-check] [-dsaparam] [-in file] [-inform der | pem] [-noout] [-out file] [-outform der | pem] [-text] [numbits]
The dhparam command is used to manipulate DH parameter files. Only the older PKCS#3 DH is supported, not the newer X9.42 DH.
The options are as follows:
-2, -5 The generator to use; 2 is the default. If present, the input file is ignored and parameters are generated instead.
-C Convert the parameters into C code. The parameters can then be loaded by calling the get_dhnumbits function.
-check Check the DH parameters.
-dsaparam
Read or create DSA parameters, converted to DH format on output. Otherwise, "strong" primes (such that (p-1)/2 is also prime) will be used for DH parameter generation.
DH parameter generation with the -dsaparam option is much faster, and the recommended exponent length is shorter, which makes DH key exchange more efficient. Beware that with such DSA-style DH parameters, a fresh DH key should be created for each use to avoid small-subgroup attacks that may be possi-
ble otherwise.
-in file
The input file to read from, or standard input if not specified.
-inform der | pem
The input format.
-noout Do not output the encoded version of the parameters.
-out file
The output file to write to, or standard output if not specified.
-outform der | pem
The output format.
-text Print the DH parameters in plain text.
numbits
Generate a parameter set of size numbits. It must be the last option. If not present, a value of 2048 is used. If this value is present, the input file is ignored and parameters are generated instead.
DSA
openssl dsa [-aes128 | -aes192 | -aes256 | -des | -des3] [-in file] [-inform der | pem] [-modulus] [-noout] [-out file] [-outform der | pem] [-passin arg] [-passout arg] [-pubin] [-pubout] [-text]
The dsa command processes DSA keys. They can be converted between various forms and their components printed out.
Note: This command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the pkcs8 command.
The options are as follows:
-aes128 | -aes192 | -aes256 | -des | -des3
Encrypt the private key with the AES, DES, or the triple DES ciphers, respectively, before outputting it. A pass phrase is prompted for. If none of these options are specified, the key is written in plain text. This means that using the dsa utility to read an encrypted key with no encryption option
can be used to remove the pass phrase from a key, or by setting the encryption options it can be used to add or change the pass phrase. These options can only be used with PEM format output files.
-in file
The input file to read from, or standard input if not specified. If the key is encrypted, a pass phrase will be prompted for.
-inform der | pem
The input format.
-modulus
Print the value of the public key component of the key.
-noout Do not output the encoded version of the key.
-out file
The output file to write to, or standard output if not specified. If any encryption options are set then a pass phrase will be prompted for.
-outform der | pem
The output format.
-passin arg
The key password source.
-passout arg
The output file password source.
-pubin Read in a public key, not a private key.
-pubout
Output a public key, not a private key. Automatically set if the input is a public key.
-text Print the public/private key in plain text.
DSAPARAM
openssl dsaparam [-C] [-genkey] [-in file] [-inform der | pem] [-noout] [-out file] [-outform der | pem] [-text] [numbits]
The dsaparam command is used to manipulate or generate DSA parameter files.
The options are as follows:
-C Convert the parameters into C code. The parameters can then be loaded by calling the get_dsaXXX function.
-genkey
Generate a DSA key either using the specified or generated parameters.
-in file
The input file to read from, or standard input if not specified. If the numbits parameter is included, then this option is ignored.
-inform der | pem
The input format.
-noout Do not output the encoded version of the parameters.
-out file
The output file to write to, or standard output if not specified.
-outform der | pem
The output format.
-text Print the DSA parameters in plain text.
numbits
Generate a parameter set of size numbits. If this option is included, the input file is ignored.
EC
openssl ec [-conv_form arg] [-des] [-des3] [-in file] [-inform der | pem] [-noout] [-out file] [-outform der | pem] [-param_enc arg] [-param_out] [-passin arg] [-passout arg] [-pubin] [-pubout] [-text]
The ec command processes EC keys. They can be converted between various forms and their components printed out. openssl uses the private key format specified in ``SEC 1: Elliptic Curve Cryptography'' (http://www.secg.org/). To convert an EC private key into the PKCS#8 private key format use the pkcs8 com-
mand.
The options are as follows:
-conv_form arg
Specify how the points on the elliptic curve are converted into octet strings. Possible values are: compressed (the default), uncompressed, and hybrid. For more information regarding the point conversion forms see the X9.62 standard. Note: Due to patent issues the compressed option is disabled by
default for binary curves and can be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at compile time.
-des | -des3
Encrypt the private key with DES, triple DES, or any other cipher supported by openssl. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This means that using the ec utility to read in an encrypted key with no encryption option can be used to
remove the pass phrase from a key, or by setting the encryption options it can be used to add or change the pass phrase. These options can only be used with PEM format output files.
-in file
The input file to read a key from, or standard input if not specified. If the key is encrypted a pass phrase will be prompted for.
-inform der | pem
The input format.
-noout Do not output the encoded version of the key.
-out file
The output filename to write to, or standard output if not specified. If any encryption options are set then a pass phrase will be prompted for.
-outform der | pem
The output format.
-param_enc arg
Specify how the elliptic curve parameters are encoded. Possible value are: named_curve, i.e. the EC parameters are specified by an OID; or explicit, where the EC parameters are explicitly given (see RFC 3279 for the definition of the EC parameter structures). The default value is named_curve. Note:
the implicitlyCA alternative, as specified in RFC 3279, is currently not implemented.
-passin arg
The key password source.
-passout arg
The output file password source.
-pubin Read in a public key, not a private key.
-pubout
Output a public key, not a private key. Automatically set if the input is a public key.
-text Print the public/private key in plain text.
ECPARAM
openssl ecparam [-C] [-check] [-conv_form arg] [-genkey] [-in file] [-inform der | pem] [-list_curves] [-name arg] [-no_seed] [-noout] [-out file] [-outform der | pem] [-param_enc arg] [-text]
The ecparam command is used to manipulate or generate EC parameter files. openssl is not able to generate new groups so ecparam can only create EC parameters from known (named) curves.
The options are as follows:
-C Convert the EC parameters into C code. The parameters can then be loaded by calling the get_ec_group_XXX function.
-check Validate the elliptic curve parameters.
-conv_form arg
Specify how the points on the elliptic curve are converted into octet strings. Possible values are: compressed (the default), uncompressed, and hybrid. For more information regarding the point conversion forms see the X9.62 standard. Note: Due to patent issues the compressed option is disabled by
default for binary curves and can be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at compile time.
-genkey
Generate an EC private key using the specified parameters.
-in file
The input file to read from, or standard input if not specified.
-inform der | pem
The input format.
-list_curves
Print a list of all currently implemented EC parameter names and exit.
-name arg
Use the EC parameters with the specified "short" name.
-no_seed
Do not include the seed for the param
最低0.47元/天 解锁文章
1236
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
