OPENSSL-FIPSINSTALL(1ossl)	    OpenSSL	    OPENSSL-FIPSINSTALL(1ossl)

NAME
       openssl-fipsinstall - perform FIPS configuration	installation

SYNOPSIS
       openssl fipsinstall [-help] [-in	configfilename]	[-out configfilename]
       [-module	modulefilename]	[-provider_name	providername] [-section_name
       sectionname] [-verify] [-mac_name macname] [-macopt nm:v] [-noout]
       [-quiet]	[-pedantic] [-no_conditional_errors] [-no_security_checks]
       [-hmac_key_check] [-kmac_key_check] [-ems_check]
       [-no_drbg_truncated_digests] [-signature_digest_check]
       [-hkdf_digest_check] [-tls13_kdf_digest_check] [-tls1_prf_digest_check]
       [-sshkdf_digest_check] [-sskdf_digest_check] [-x963kdf_digest_check]
       [-dsa_sign_disabled] [-no_pbkdf2_lower_bound_check] [-no_short_mac]
       [-tdes_encrypt_disabled]	[-rsa_pkcs15_padding_disabled]
       [-rsa_pss_saltlen_check]	[-rsa_sign_x931_disabled] [-hkdf_key_check]
       [-kbkdf_key_check] [-tls13_kdf_key_check] [-tls1_prf_key_check]
       [-sshkdf_key_check] [-sskdf_key_check] [-x963kdf_key_check]
       [-x942kdf_key_check] [-ecdh_cofactor_check] [-self_test_onload]
       [-self_test_oninstall] [-corrupt_desc selftest_description]
       [-corrupt_type selftest_type] [-config parent_config]

DESCRIPTION
       This command is used to generate	a FIPS module configuration file.
       This configuration file can be used each	time a FIPS module is loaded
       in order	to pass	data to	the FIPS module	self tests. The	FIPS module
       always verifies its MAC,	but optionally only needs to run the KAT's
       once, at	installation.

       The generated configuration file	consists of:

       - A MAC of the FIPS module file.
       - A test	status indicator.
	   This	 indicates  if	the  Known  Answer  Self  Tests	 (KAT's)  have
	   successfully	run.

       - A MAC of the status indicator.
       - A control for conditional self	tests errors.
	   By default if a continuous test (e.g. a key pair test) fails then
	   the	FIPS  module  will  enter  an  error state, and	no services or
	   cryptographic algorithms will be able to  be	 accessed  after  this
	   point.   The	 default value of '1' will cause the fips module error
	   state to be entered.	 If the	value is '0'  then  the	 module	 error
	   state  will	not be entered.	 Regardless of whether the error state
	   is entered or not, the current operation (e.g. key generation) will
	   return an error. The	user is	responsible for	retrying the operation
	   if the module error state is	not entered.

       - A control to indicate whether run-time	security checks	are done.
	   This	 indicates  if	run-time  checks  related  to  enforcement  of
	   security  parameters	 such as minimum security strength of keys and
	   approved curve names	are used.   The	 default  value	 of  '1'  will
	   perform  the	 checks.   If  the  value  is  '0'  the	checks are not
	   performed and FIPS compliance must be done by procedures documented
	   in the relevant Security Policy.

       This file is described in fips_config(5).
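
       An added example in Python (not part of the OpenSSL manual or its code) that audits a generated file against the module it describes: it recomputes the module MAC and flags the two controls above when they are set to '0'. Assumptions: the key names module-mac, conditional-errors and security-checks are taken from fips_config(5), the MAC is stored as colon-separated hex, and the key passed in is the one given to -macopt; the module bytes and key shown are constructed.

```python
import hmac

# Key names as given in fips_config(5); '0' turns a default-on control off.
RELAXED_IF_ZERO = ("conditional-errors", "security-checks")

# Constructed sample data: a stand-in module image and a made-up MAC key.
SAMPLE_MODULE = b"\x7fELF constructed stand-in for fips.so"
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def read_section(cnf_text, section="fips_sect"):
    """Collect key = value pairs from one [section] of the config text."""
    values, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def module_mac(module_bytes, key, digest="sha256"):
    """HMAC over the whole module file (the command's default MAC and digest)."""
    return hmac.new(key, module_bytes, digest).digest()

def audit(cnf_text, module_bytes, key, section="fips_sect"):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg, findings = read_section(cnf_text, section), []
    try:  # assumption: the MAC is stored as colon-separated hex bytes
        recorded = bytes.fromhex(cfg.get("module-mac", "").replace(":", ""))
    except ValueError:
        recorded = b""
    if not hmac.compare_digest(recorded, module_mac(module_bytes, key)):
        findings.append("module-mac does not match the module file")
    for name in RELAXED_IF_ZERO:
        if cfg.get(name) == "0":
            findings.append(f"{name} = 0: default-on control is disabled")
    return findings

def sample_cnf(conditional_errors="1", security_checks="1"):
    """Build a constructed config whose module-mac matches SAMPLE_MODULE."""
    mac = ":".join(f"{b:02X}" for b in module_mac(SAMPLE_MODULE, SAMPLE_KEY))
    return (f"[fips_sect]\nactivate = 1\n"
            f"conditional-errors = {conditional_errors}\n"
            f"security-checks = {security_checks}\nmodule-mac = {mac}\n")

if __name__ == "__main__":
    print(audit(sample_cnf(), SAMPLE_MODULE, SAMPLE_KEY))             # intact
    print(audit(sample_cnf("1", "0"), SAMPLE_MODULE + b"!", SAMPLE_KEY))
```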

OPTIONS
       -help
	   Print a usage message.

       -module filename
	   Filename of the FIPS	module to perform an integrity check on.   The
	   path	provided in the	filename is used to load the module when it is
	   activated,	 and   this   overrides	  the	environment   variable
	   OPENSSL_MODULES.

       -out configfilename
	   Filename to output  the  configuration  data	 to;  the  default  is
	   standard output.

       -in configfilename
	   Input  filename  to	load configuration data	from.  Must be used if
	   the -verify option is specified.

       -verify
	   Verify that the  input  configuration  file	contains  the  correct
	   information.

       -provider_name providername
	   Name	 of  the  provider inside the configuration file.  The default
	   value is "fips".

       -section_name sectionname
	   Name	of the section inside the  configuration  file.	  The  default
	   value is "fips_sect".

       -mac_name name
	   Specifies the name of a supported MAC algorithm which will be used.
	   The	MAC  mechanisms	 that are available will depend	on the options
	   used	when building OpenSSL.	To see the list	of supported MAC's use
	   the command "openssl	list -mac-algorithms".	The default is HMAC.

       -macopt nm:v
	   Passes options to the  MAC  algorithm.   A  comprehensive  list  of
	   controls  can be found in the EVP_MAC implementation	documentation.
	   Common control strings used for this	command	are:

	   key:string
	       Specifies the MAC key as	an alphanumeric	string (use if the key
	       contains	printable characters only).  The  string  length  must
	       conform	to  any	restrictions of	the MAC	algorithm.  A key must
	       be specified for	every MAC algorithm.  If no key	 is  provided,
	       the  default  that was specified	when OpenSSL was configured is
	       used.

	   hexkey:string
	       Specifies the MAC key in	hexadecimal form (two hex  digits  per
	       byte).	The key	length must conform to any restrictions	of the
	       MAC  algorithm.	 A  key	 must  be  specified  for  every   MAC
	       algorithm.   If	no  key	 is  provided,	the  default  that was
	       specified when OpenSSL was configured is	used.

	   digest:string
	       Used by HMAC as an alphanumeric string (use if the key contains
	       printable characters only).  The	string length must conform  to
	       any  restrictions  of  the  MAC	algorithm.  To see the list of
	       supported   digests,   use   the	   command    "openssl	  list
	       -digest-commands".  The default digest is SHA-256.

       -noout
	   Disable logging of the self tests.

       -pedantic
	   Configure  the  module so that it is	strictly FIPS compliant	rather
	   than	being backwards	compatible.  This enables conditional  errors,
	   security  checks etc.  Note that any	previous configuration options
	   will	be overwritten and any subsequent configuration	 options  that
	   violate FIPS	compliance will	result in an error.

       -no_conditional_errors
	   Configure  the  module to not enter an error	state if a conditional
	   self	test fails as described	above.

       -no_security_checks
	   Configure the module	to not perform	run-time  security  checks  as
	   described above.

	   Enabling the	configuration option "no-fips-securitychecks" provides
	   another way to turn off the check at	compile	time.

       -ems_check
	   Configure  the  module  to enable a run-time	Extended Master	Secret
	   (EMS) check when using the TLS1_PRF KDF algorithm.  This  check  is
	   disabled by default.	 See RFC 7627 for information related to EMS.

       -no_short_mac
	   Configure the module to not allow short MAC outputs.  See SP
	   800-185 8.4.2 and FIPS 140-3 IG C.D for details.

       -hmac_key_check
	   Configure the module to not allow small key sizes when using HMAC.
	   See SP 800-131Ar2 for details.

       -kmac_key_check
	   Configure the module to not allow small key sizes when using KMAC.
	   See SP 800-131Ar2 for details.

       -no_drbg_truncated_digests
	   Configure the module	to not allow truncated digests to be used with
	   Hash	and HMAC DRBGs.	 See FIPS 140-3	IG D.R for details.

       -signature_digest_check
	   Configure the module	to enforce signature algorithms	to use digests
	   that	are explicitly permitted by the	various	standards.

       -hkdf_digest_check
	   This	option is deprecated.

       -tls13_kdf_digest_check
	   Configure the  module  to  enable  a	 run-time  digest  check  when
	   deriving a key by TLS13 KDF.	 See RFC 8446 for details.

       -tls1_prf_digest_check
	   Configure  the  module  to  enable  a  run-time  digest  check when
	   deriving a key by TLS_PRF.  See NIST	SP 800-135r1 for details.

       -sshkdf_digest_check
	   Configure the  module  to  enable  a	 run-time  digest  check  when
	   deriving a key by SSHKDF.  See NIST SP 800-135r1 for	details.

       -sskdf_digest_check
	   This	option is deprecated.

       -x963kdf_digest_check
	   Configure  the  module  to  enable  a  run-time  digest  check when
	   deriving a key by X963KDF.  See NIST	SP 800-131Ar2 for details.

       -dsa_sign_disabled
	   Configure the module	 to  not  allow	 DSA  signing  (DSA  signature
	   verification	is still allowed). See FIPS 140-3 IG C.K for details.

       -tdes_encrypt_disabled
	   Configure  the  module to not allow Triple-DES encryption.  Triple-
	   DES	decryption  is	still  allowed	for  legacy   purposes.	   See
	   SP800-131Ar2	for details.

       -rsa_pkcs15_padding_disabled
	   Configure  the module to not	allow PKCS#1 version 1.5 padding to be
	   used	with RSA for key transport and key agreement.  See  NIST's  SP
	   800-131A Revision 2 for details.

       -rsa_pss_saltlen_check
	   Configure  the  module  to enable a run-time	salt length check when
	   generating or verifying a RSA-PSS signature.	 See  FIPS  186-5  5.4
	   (g) for details.

       -rsa_sign_x931_disabled
	   Configure  the  module  to  not allow X9.31 padding to be used when
	   signing with	RSA.  See FIPS 140-3 IG	C.K for	details.

       -hkdf_key_check
	   Configure the module	to enable a run-time short key-derivation  key
	   check  when	deriving  a  key  by HKDF.  See	NIST SP	800-131Ar2 for
	   details.

       -kbkdf_key_check
	   Configure the module	to enable a run-time short key-derivation  key
	   check  when	deriving  a  key by KBKDF.  See	NIST SP	800-131Ar2 for
	   details.

       -tls13_kdf_key_check
	   Configure the module	to enable a run-time short key-derivation  key
	   check when deriving a key by	TLS13 KDF.  See	NIST SP	800-131Ar2 for
	   details.

       -tls1_prf_key_check
	   Configure  the module to enable a run-time short key-derivation key
	   check when deriving a key by	TLS_PRF.  See NIST SP  800-131Ar2  for
	   details.

       -sshkdf_key_check
	   Configure  the module to enable a run-time short key-derivation key
	   check when deriving a key by	SSHKDF.	 See NIST  SP  800-131Ar2  for
	   details.

       -sskdf_key_check
	   Configure  the module to enable a run-time short key-derivation key
	   check when deriving a key by	SSKDF.	See  NIST  SP  800-131Ar2  for
	   details.

       -x963kdf_key_check
	   Configure  the module to enable a run-time short key-derivation key
	   check when deriving a key by	X963KDF.  See NIST SP  800-131Ar2  for
	   details.

       -x942kdf_key_check
	   Configure  the module to enable a run-time short key-derivation key
	   check when deriving a key by	X942KDF.  See NIST SP  800-131Ar2  for
	   details.

       -no_pbkdf2_lower_bound_check
	   Configure  the module to not	perform	run-time lower bound check for
	   PBKDF2.  See	NIST SP	800-132	for details.

       -ecdh_cofactor_check
	   Configure the module to enable a run-time check that ECDH uses the
	   EC curve's cofactor value when deriving a key.  This only affects
	   the 'B' and 'K' curves.  See SP 800-56A r3 Section 5.7.1.2 for
	   details.

       -self_test_onload
	   Do  not write the two fields	related	to the "test status indicator"
	   and "MAC  status  indicator"	 to  the  output  configuration	 file.
	   Without  these  fields  the	self tests KATS	will run each time the
	   module is loaded. This option could be used	for  cross  compiling,
	   since  the  self  tests  need  to  run at least once	on each	target
	   machine. Once the self tests	have run on  the  target  machine  the
	   user	 could	possibly  then add the 2 fields	into the configuration
	   using some other mechanism.  This option defaults to 0 for any
	   OpenSSL FIPS 140-2 provider (OpenSSL 3.0.X), and is not relevant
	   for an OpenSSL FIPS 140-3 provider, since this is no longer
	   allowed.

       -self_test_oninstall
	   The converse of -self_test_onload.  The two fields related to
	   the "test status indicator" and "MAC	status indicator" are  written
	   to  the  output configuration file.	This field is not relevant for
	   an OpenSSL FIPS 140-3 provider, since this is no longer allowed.

       -quiet
	   Do not output pass/fail messages. Implies -noout.

       -corrupt_desc selftest_description, -corrupt_type selftest_type
	   The corrupt options can be used to test failure of one or more self
	   tests by name.  Either option or both may be	 used  to  select  the
	   tests  to corrupt.  Refer to	the entries for	st-desc	and st-type in
	   OSSL_PROVIDER-FIPS(7) for values that can be	used.

       -config parent_config
	   Test	that  a	 FIPS  provider	 can  be  loaded  from	the  specified
	   configuration  file.	  A previous call to this application needs to
	   generate the	extra configuration data that is included by the  base
	   "parent_config"  configuration  file.   See	config(5)  for further
	   information on how to set up	a provider section.  All other options
	   are ignored if '-config' is used.

NOTES
       Self test results are logged by default if the options -quiet and
       -noout  are not specified, or if	either of the options -corrupt_desc or
       -corrupt_type are used.	If the base configuration file is  set	up  to
       autoload	 the fips module, then the fips	module will be loaded and self
       tested BEFORE the fipsinstall application has a chance to  set  up  its
       own  self  test	callback. As a result of this the self test output and
       the options -corrupt_desc  and  -corrupt_type  will  be	ignored.   For
       normal  usage  the  base	 configuration	file  should  use  the default
       provider	when generating	the fips configuration file.

       The -self_test_oninstall	option was  added  and	the  -self_test_onload
       option was made the default in OpenSSL 3.1.

       The command and all remaining options were added	in OpenSSL 3.0.

EXAMPLES
       Calculate the mac of a FIPS module fips.so and run a FIPS self test for
       the module, and save the	fips.cnf configuration file:

	openssl	fipsinstall -module ./fips.so -out fips.cnf -provider_name fips

       Verify that the configuration file fips.cnf contains the	correct	info:

	openssl	fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips	-verify

       Corrupt any self	tests which have the description "SHA1":

	openssl	fipsinstall -module ./fips.so -out fips.cnf -provider_name fips	\
		-corrupt_desc 'SHA1'

       Validate	 that  the fips	module can be loaded from a base configuration
       file:

	export OPENSSL_CONF_INCLUDE=<path of configuration files>
	export OPENSSL_MODULES=<provider-path>
	openssl fipsinstall -config 'default.cnf'

SEE ALSO
       config(5), fips_config(5), OSSL_PROVIDER-FIPS(7), EVP_MAC(3)

HISTORY
       The openssl-fipsinstall application was added in	OpenSSL	3.0.

       The following options were added	in OpenSSL 3.1:

       -ems_check, -self_test_oninstall

       The following options were added	in OpenSSL 3.2:

       -pedantic, -no_drbg_truncated_digests

       The following options were added	in OpenSSL 3.4:

       -hmac_key_check,	      -kmac_key_check,	      -signature_digest_check,
       -hkdf_digest_check,   -tls13_kdf_digest_check,  -tls1_prf_digest_check,
       -sshkdf_digest_check,	-sskdf_digest_check,	-x963kdf_digest_check,
       -dsa_sign_disabled,     -no_pbkdf2_lower_bound_check,	-no_short_mac,
       -tdes_encrypt_disabled,			 -rsa_pkcs15_padding_disabled,
       -rsa_pss_saltlen_check,	  -rsa_sign_x931_disabled,    -hkdf_key_check,
       -kbkdf_key_check,      -tls13_kdf_key_check,	  -tls1_prf_key_check,
       -sshkdf_key_check,	  -sskdf_key_check,	   -x963kdf_key_check,
       -x942kdf_key_check, -ecdh_cofactor_check

COPYRIGHT
       Copyright 2019-2025 The OpenSSL Project Authors.	All Rights Reserved.

       Licensed	under the Apache License 2.0 (the "License").  You may not use
       this file except	in compliance with the License.	 You can obtain	a copy
       in   the	  file	 LICENSE   in	the   source   distribution   or    at
       <https://www.openssl.org/source/license.html>.

3.5.4				  2025-09-30	    OPENSSL-FIPSINSTALL(1ossl)
