openssl-storeutl.1ossl - Man Page

STORE command

Synopsis

openssl storeutl [-help] [-out file] [-noout] [-passin arg] [-text arg] [-r] [-certs] [-keys] [-crls] [-subject arg] [-issuer arg] [-serial arg] [-alias arg] [-fingerprint arg] [-digest] [-engine id] [-provider name] [-provider-path path] [-provparam [name:]key=value] [-propquery propq] uri

Description

This command can be used to display the contents (after decryption as the case may be) fetched from the given URI.

Options

-help

Print out a usage message.

-out filename

This specifies the output file to write to. Standard output is used if this option is not present. The output file can be the same as the input, which leads to replacing the file contents. Note that file I/O is not atomic. The output file is truncated and then written.

-noout

this option prevents output of the PEM data.

-passin arg

the key password source. For more information about the format of arg see openssl-passphrase-options(1).

-text

Prints out the objects in text form, similarly to the -text output from openssl-x509(1), openssl-pkey(1), etc.

-r

Fetch objects recursively when possible.

-certs
-keys
-crls

Only select the certificates, keys or CRLs from the given URI. However, if this URI would return a set of names (URIs), those are always returned.

Note that all options must be given before the uri argument.

Note -keys selects exclusively private keys, there is no selector for public keys only.

-subject arg

Search for an object having the subject name arg.

The arg must be formatted as /type0=value0/type1=value1/type2=.... Special characters may be escaped by \ (backslash), whitespace is retained. Empty values are permitted but are ignored for the search.  That is, a search with an empty value will have the same effect as not specifying the type at all. Giving a single / will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a + character instead of a / between the AttributeValueAssertions (AVAs) that specify the members of the set.

Example:

/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe

-issuer arg
-serial arg

Search for an object having the given issuer name and serial number. These two options must be used together. The issuer arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped. The serial arg may be specified as a decimal value or a hex value if preceded by 0x.

-alias arg

Search for an object having the given alias.

-fingerprint arg

Search for an object having the given fingerprint.

-digest

The digest that was used to compute the fingerprint given with -fingerprint.

-engine id

See "Engine Options" in openssl(1). This option is deprecated.

-provider name
-provider-path path
-provparam [name:]key=value
-propquery propq

See "Provider Options" in openssl(1), provider(7), and property(7).

See Also

openssl(1)

History

This command was added in OpenSSL 1.1.1.

The -engine option was deprecated in OpenSSL 3.0.

Referenced By

openssl.1ossl(1), openssl-cmds.1ossl(1).

2025-04-15 3.5.0 OpenSSL