LinuxCommandLibrary

openssl.1s

Manage OpenSSL cryptographic tools

SYNOPSIS

openssl [global_options] command [command_options]
openssl list-standard-commands
openssl list-cipher-commands
openssl list-message-digest-commands
openssl list-public-key-commands
openssl list-options

PARAMETERS

global_options
    Options that apply to the openssl command itself, given before a specific subcommand. Examples include -help (displays general usage), -config <file> (specifies a configuration file), -rand <file> (seeds the PRNG), and -engine <id> (loads a cryptographic engine). OpenSSL 3.0+ also adds -provider <name> and -propquery <query> for provider management.

command
    The specific subcommand to execute. openssl acts as a dispatcher for these commands. Each subcommand has its own specific set of options and arguments. Examples include: req, x509, enc, dgst, genrsa, s_client, and version.

command_options
    Options specific to the chosen command. These options vary widely depending on the subcommand. For instance, the req command uses options like -new, -newkey, -keyout, and -out, while the enc command uses options like -aes256, -in, and -out.

req
    Creates and processes Certificate Signing Requests (CSRs).

x509
    Displays, signs, and manages X.509 certificates.

enc
    Encrypts and decrypts data using various symmetric ciphers.

dgst
    Computes message digests (hashes) of files.

genrsa
    Generates RSA private keys.

s_client
    Implements a generic SSL/TLS client for testing purposes.

version
    Displays the OpenSSL version and build information.
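The subcommands listed above are usually chained: genrsa produces a key, req turns it into a CSR, x509 signs that CSR, and dgst hashes the result. The script below is an added example, not content from LinuxCommandLibrary or from the OpenSSL project; it assumes OpenSSL 1.1.1 or 3.x is on PATH, and the work directory, file names and subject fields are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): genrsa -> req -> x509 -> dgst in a scratch
# directory. Assumes OpenSSL 1.1.1 or 3.x on PATH. File names and the subject
# "/CN=example.test/O=Example Lab" are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: generate a 2048-bit RSA private key. It is written unencrypted here;
# see the CAVEATS section for why a passphrase must not be passed on the command line.
make_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 2: build a CSR from the key. -subj supplies the subject so req does not prompt.
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" \
        -subj "/CN=example.test/O=Example Lab" \
        -out "$WORKDIR/server.csr"
}

# Step 3: self-sign the CSR for 30 days, producing an X.509 certificate.
make_cert() {
    openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
        -days 30 -out "$WORKDIR/server.crt" 2>/dev/null
}

# Inspect: print the certificate subject (e.g. "subject=CN = example.test, O = Example Lab").
cert_subject() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject
}

# Check that the certificate really carries the public half of server.key by
# comparing SHA-256 digests of both DER-encoded public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# dgst: hash a file and print only the hex digest (-r gives "hash *file" output).
file_sha256() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Whole workflow; returns non-zero if any step or the key/cert check fails.
run_workflow() {
    make_key && make_csr && make_cert && key_matches_cert
    cert_subject
    file_sha256 "$WORKDIR/server.crt"
}

# Run as: sh openssl_workflow.sh run
if [ "${1:-}" = "run" ]; then
    openssl version
    run_workflow
fi
```

The key/certificate comparison is the check to keep: a certificate that was signed with the wrong key loads fine but will never complete a TLS handshake, and comparing public-key digests catches that before deployment.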

DESCRIPTION

The openssl command is a powerful and versatile command-line utility that provides access to the cryptographic functions of the OpenSSL library. It serves as a dispatcher for numerous sub-commands, each designed for specific cryptographic tasks.

It can be used for a wide array of operations including the generation and management of cryptographic keys (RSA, DSA, EC), creation and manipulation of X.509 certificates, Certificate Signing Requests (CSRs), and Certificate Revocation Lists (CRLs). Users can encrypt and decrypt data with various ciphers, compute message digests (hashes), handle PKCS#12 (PFX) files, and perform SSL/TLS client and server testing.

Essentially, openssl acts as a central hub for cryptographic operations, making it an indispensable tool for system administrators, developers, and security professionals working with secure communication protocols and digital certificates.

CAVEATS

Using openssl for sensitive operations directly on the command line (e.g., providing passphrases as arguments) is insecure, as these arguments are visible to other users in process lists such as ps. Always use prompts or secure methods like configuration files for sensitive data.

The command is powerful but requires a solid understanding of cryptographic concepts. Misuse or incorrect configuration can lead to insecure deployments.
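The passphrase caveat above applies to the enc subcommand in particular: -k <pass> and -pass pass:<pass> put the secret in the argument vector. The following added example (not the page's own code, not from the OpenSSL project) shows the alternatives enc offers, -pass file:, fd: and stdin, together with -pbkdf2 for the key derivation; the sample plaintext, passphrase and file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the page): keeping the enc passphrase out of argv.
# Assumes OpenSSL 1.1.1+ on PATH (for -pbkdf2/-iter). Plaintext, passphrase
# and paths are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PLAIN="$WORKDIR/secret.txt"
PASSFILE="$WORKDIR/passphrase"

# Constructed sample plaintext and an owner-only (0600) passphrase file.
prepare() {
    printf 'constructed sample plaintext\n' > "$PLAIN"
    ( umask 077; printf 'correct horse battery staple\n' > "$PASSFILE" )
}

# INSECURE pattern the CAVEATS section warns about (not executed here):
#   openssl enc -aes-256-cbc -k "$PASS" -in file -out file.enc
# The value of $PASS appears in `ps` output for every local user.

# Safer: read the passphrase from the 0600 file. -pbkdf2 with -iter replaces the
# legacy single-pass key derivation; -salt ensures a fresh salt per encryption.
encrypt_with_passfile() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -pass "file:$PASSFILE" -in "$PLAIN" -out "$PLAIN.enc"
}

decrypt_with_passfile() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass "file:$PASSFILE" -in "$PLAIN.enc" -out "$PLAIN.dec"
}

# Alternative: hand the secret over on an inherited file descriptor, which a
# parent process can do without the passphrase ever being an argument.
decrypt_via_fd() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass fd:3 -in "$PLAIN.enc" -out "$PLAIN.dec_fd" 3< "$PASSFILE"
}

# Round trip: encrypt, decrypt both ways, confirm the plaintext comes back.
round_trip() {
    prepare
    encrypt_with_passfile
    decrypt_with_passfile
    decrypt_via_fd
    cmp -s "$PLAIN" "$PLAIN.dec" && cmp -s "$PLAIN" "$PLAIN.dec_fd"
}

# A wrong passphrase (read from stdin, the third argv-free option) must not
# yield the plaintext. CBC has no MAC, so we check the output, not the exit code.
wrong_pass_fails() {
    printf 'not the passphrase\n' | openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass stdin -in "$PLAIN.enc" -out "$PLAIN.bad" 2>/dev/null || true
    ! cmp -s "$PLAIN" "$PLAIN.bad"
}

# Run as: sh enc_passphrase.sh run
if [ "${1:-}" = "run" ]; then
    round_trip && wrong_pass_fails && echo "round trip ok, wrong passphrase rejected"
fi
```

Note that enc with a CBC mode gives confidentiality only; a tampered ciphertext is not detected, which is why the wrong-passphrase check compares output rather than trusting the exit status.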

COMMAND CATEGORIES

The openssl command organizes its numerous subcommands into categories such as standard commands (e.g., version, help), cipher commands (e.g., enc), message digest commands (e.g., dgst), public key commands (e.g., genrsa), and utility commands (e.g., s_client). You can list these categories using commands like openssl list-standard-commands or openssl list-cipher-commands.

CONFIGURATION FILES

OpenSSL commands often leverage configuration files (e.g., openssl.cnf) to define default values, extensions for certificates, and other parameters. The path to a custom configuration file can be specified using the -config global option.
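A configuration file is the usual way to give req a fixed subject and X.509 extensions such as subjectAltName instead of answering prompts. The script below is an added example, not the page's or the OpenSSL project's own code; it passes -config to the req subcommand (accepted by every OpenSSL version), and the section names, DNS names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): a minimal openssl.cnf for req, then a CSR
# generated from it with -config. Assumes OpenSSL 1.1.1+ on PATH. Section names
# (req_dn, req_ext, alt_names), DNS names and paths are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Write the configuration: subject fields, signature hash and CSR extensions.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
prompt              = no          # take the subject from this file, do not ask
default_md          = sha256      # hash used for the CSR signature
distinguished_name  = req_dn
req_extensions      = req_ext     # extension section attached to the CSR

[ req_dn ]
CN = example.test
O  = Example Lab

[ req_ext ]
subjectAltName = @alt_names
keyUsage       = critical, digitalSignature, keyEncipherment

[ alt_names ]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
}

# Generate key and CSR in one req call; every default comes from CNF.
# -nodes leaves the key unencrypted for this demo (3.x prints a deprecation note).
make_csr() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/example.key" -out "$WORKDIR/example.csr" 2>/dev/null
}

# Decode the CSR so the subject and extensions can be inspected.
csr_text() {
    openssl req -in "$WORKDIR/example.csr" -noout -text
}

# Check that both SAN entries from alt_names made it into the CSR.
csr_has_san() {
    csr_text | grep -q 'DNS:example.test' && csr_text | grep -q 'DNS:www.example.test'
}

# Whole build; non-zero if the config was not honoured.
build() {
    write_config && make_csr && csr_has_san
}

# Run as: sh req_config.sh run
if [ "${1:-}" = "run" ]; then
    build && csr_text
fi
```

Always verify the decoded CSR before submitting it: a misspelled section name in the config makes req silently emit a CSR with no extensions at all, and the CA then issues a certificate without the SAN.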

HISTORY

The OpenSSL project and its command-line tool openssl trace their origins back to SSLeay, an SSL/TLS library developed by Eric Young and Tim Hudson. OpenSSL was founded in 1998, building upon SSLeay. The openssl command has continuously evolved, expanding its functionality to support new cryptographic algorithms, standards, and features. A significant architectural change occurred with OpenSSL 3.0, which introduced the 'provider' concept, modularizing cryptographic implementations and affecting how certain functions are invoked or configured.

SEE ALSO

ssl(8), config(5), x509(1), req(1), pkcs12(1), s_client(1), s_server(1), openssl-req(1), openssl-x509(1), openssl-dgst(1), openssl-enc(1)
