Scroll to navigation



openssl-storeutl - STORE command


openssl storeutl [-help] [-out file] [-noout] [-passin arg] [-text arg] [-r] [-certs] [-keys] [-crls] [-subject arg] [-issuer arg] [-serial arg] [-alias arg] [-fingerprint arg] [-digest] [-engine id] [-provider name] [-provider-path path] [-propquery propq] uri ...


This command can be used to display the contents (after decryption as the case may be) fetched from the given URIs.


Print out a usage message.
-out filename
specifies the output filename to write to or standard output by default.
this option prevents output of the PEM data.
-passin arg
the key password source. For more information about the format of arg see openssl-passphrase-options(1).
Prints out the objects in text form, similarly to the -text output from openssl-x509(1), openssl-pkey(1), etc.
Fetch objects recursively when possible.
Only select the certificates, keys or CRLs from the given URI. However, if this URI would return a set of names (URIs), those are always returned.
-subject arg
Search for an object having the subject name arg.

The arg must be formatted as "/type0=value0/type1=value1/type2=...". Special characters may be escaped by "\" (backslash), whitespace is retained. Empty values are permitted but are ignored for the search. That is, a search with an empty value will have the same effect as not specifying the type at all. Giving a single "/" will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a "+" character instead of a "/" between the AttributeValueAssertions (AVAs) that specify the members of the set.


"/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe"

-issuer arg
-serial arg
Search for an object having the given issuer name and serial number. These two options must be used together. The issuer arg must be formatted as "/type0=value0/type1=value1/type2=...", characters may be escaped by \ (backslash), no spaces are skipped. The serial arg may be specified as a decimal value or a hex value if preceded by "0x".
-alias arg
Search for an object having the given alias.
-fingerprint arg
Search for an object having the given fingerprint.
The digest that was used to compute the fingerprint given with -fingerprint.
-engine id
See "Engine Options" in openssl(1). This option is deprecated.
-provider name
-provider-path path
-propquery propq
See "Provider Options" in openssl(1), provider(7), and property(7).




This command was added in OpenSSL 1.1.1.

The -engine option was deprecated in OpenSSL 3.0.


Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <>.

2021-05-06 3.0.0-alpha16