{
    "mode": "info",
    "parameter": "OPENSSL-FIPSINSTALL",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/OPENSSL-FIPSINSTALL/json",
    "generated": "2026-07-05T11:47:26Z",
    "synopsis": "openssl fipsinstall [-help] [-in configfilename] [-out configfilename]\n[-module modulefilename] [-provider_name providername] [-section_name\nsectionname] [-verify] [-mac_name macname] [-macopt nm:v] [-noout]\n[-quiet] [-no_conditional_errors] [-no_security_checks]\n[-self_test_onload] [-corrupt_desc selftestdescription] [-corrupt_type\nselftesttype] [-config parentconfig]",
    "sections": {
        "NAME": {
            "content": "openssl-fipsinstall - perform FIPS configuration installation\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "openssl fipsinstall [-help] [-in configfilename] [-out configfilename]\n[-module modulefilename] [-provider_name providername] [-section_name\nsectionname] [-verify] [-mac_name macname] [-macopt nm:v] [-noout]\n[-quiet] [-no_conditional_errors] [-no_security_checks]\n[-self_test_onload] [-corrupt_desc selftestdescription] [-corrupt_type\nselftesttype] [-config parentconfig]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "This command is used to generate a FIPS module configuration file.\nThis configuration file can be used each time a FIPS module is loaded\nin order to pass data to the FIPS module self tests. The FIPS module\nalways verifies its MAC, but optionally only needs to run the KAT's\nonce, at installation.\n\nThe generated configuration file consists of:\n\n- A MAC of the FIPS module file.\n- A test status indicator.\nThis indicates if the Known Answer Self Tests (KAT's) have\nsuccessfully run.\n\n- A MAC of the status indicator.\n- A control for conditional self tests errors.\nBy default if a continuous test (e.g. a key pair test) fails then\nthe FIPS module will enter an error state, and no services or\ncryptographic algorithms will be able to be accessed after this\npoint.  The default value of '1' will cause the fips module error\nstate to be entered.  If the value is '0' then the module error\nstate will not be entered.  Regardless of whether the error state\nis entered or not, the current operation (e.g. key generation) will\nreturn an error. The user is responsible for retrying the operation\nif the module error state is not entered.\n\n- A control to indicate whether run-time security checks are done.\nThis indicates if run-time checks related to enforcement of\nsecurity parameters such as minimum security strength of keys and\napproved curve names are used.  The default value of '1' will\nperform the checks.  If the value is '0' the checks are not\nperformed and FIPS compliance must be done by procedures documented\nin the relevant Security Policy.\n\nThis file is described in fips_config(5).\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-help",
                    "content": "Print a usage message.\n\n-module filename\nFilename of the FIPS module to perform an integrity check on.  The\npath provided in the filename is used to load the module when it is\nactivated, and this overrides the environment variable\nOPENSSL_MODULES.\n\n-out configfilename\nFilename to output the configuration data to; the default is\nstandard output.\n\n-in configfilename\nInput filename to load configuration data from.  Must be used if\nthe -verify option is specified.\n"
                },
                {
                    "name": "-verify",
                    "content": "Verify that the input configuration file contains the correct\ninformation.\n\n-provider_name providername\nName of the provider inside the configuration file.  The default\nvalue is \"fips\".\n\n-section_name sectionname\nName of the section inside the configuration file.  The default\nvalue is \"fips_sect\".\n\n-mac_name name\nSpecifies the name of a supported MAC algorithm which will be used.\nThe MAC mechanisms that are available will depend on the options\nused when building OpenSSL.  To see the list of supported MAC's use\nthe command \"openssl list -mac-algorithms\".  The default is HMAC.\n\n-macopt nm:v\nPasses options to the MAC algorithm.  A comprehensive list of\ncontrols can be found in the EVP_MAC implementation documentation.\nCommon control strings used for this command are:\n\nkey:string\nSpecifies the MAC key as an alphanumeric string (use if the key\ncontains printable characters only).  The string length must\nconform to any restrictions of the MAC algorithm.  A key must\nbe specified for every MAC algorithm.  If no key is provided,\nthe default that was specified when OpenSSL was configured is\nused.\n\nhexkey:string\nSpecifies the MAC key in hexadecimal form (two hex digits per\nbyte).  The key length must conform to any restrictions of the\nMAC algorithm.  A key must be specified for every MAC\nalgorithm.  If no key is provided, the default that was\nspecified when OpenSSL was configured is used.\n\ndigest:string\nUsed by HMAC as an alphanumeric string (use if the key contains\nprintable characters only).  The string length must conform to\nany restrictions of the MAC algorithm.  To see the list of\nsupported digests, use the command \"openssl list\n-digest-commands\".  The default digest is SHA-256.\n"
                },
                {
                    "name": "-noout",
                    "content": "Disable logging of the self tests.\n"
                },
                {
                    "name": "-no_conditional_errors",
                    "content": "Configure the module to not enter an error state if a conditional\nself test fails as described above.\n"
                },
                {
                    "name": "-no_security_checks",
                    "content": "Configure the module to not perform run-time security checks as\ndescribed above.\n"
                },
                {
                    "name": "-self_test_onload",
                    "content": "Do not write the two fields related to the \"test status indicator\"\nand \"MAC status indicator\" to the output configuration file.\nWithout these fields the self tests KATS will run each time the\nmodule is loaded. This option could be used for cross compiling,\nsince the self tests need to run at least once on each target\nmachine. Once the self tests have run on the target machine the\nuser could possibly then add the 2 fields into the configuration\nusing some other mechanism.\n"
                },
                {
                    "name": "-quiet",
                    "content": "Do not output pass/fail messages. Implies -noout.\n\n-corrupt_desc selftestdescription, -corrupt_type selftesttype\nThe corrupt options can be used to test failure of one or more self\ntests by name.  Either option or both may be used to select the\ntests to corrupt.  Refer to the entries for st-desc and st-type in\nOSSL_PROVIDER-FIPS(7) for values that can be used.\n\n-config parentconfig\nTest that a FIPS provider can be loaded from the specified\nconfiguration file.  A previous call to this application needs to\ngenerate the extra configuration data that is included by the base\n\"parentconfig\" configuration file.  See config(5) for further\ninformation on how to set up a provider section.  All other options\nare ignored if '-config' is used.\n"
                }
            ]
        },
        "NOTES": {
            "content": "Self tests results are logged by default if the options -quiet and\n-noout are not specified, or if either of the options -corrupt_desc or\n-corrupt_type are used.  If the base configuration file is set up to\nautoload the fips module, then the fips module will be loaded and self\ntested BEFORE the fipsinstall application has a chance to set up its\nown self test callback. As a result of this the self test output and\nthe options -corrupt_desc and -corrupt_type will be ignored.  For\nnormal usage the base configuration file should use the default\nprovider when generating the fips configuration file.\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "Calculate the MAC of a FIPS module fips.so and run a FIPS self test for\nthe module, and save the fips.cnf configuration file:\n\nopenssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips\n\nVerify that the configuration file fips.cnf contains the correct info:\n\nopenssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify\n\nCorrupt any self tests which have the description \"SHA1\":\n\nopenssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \\\n-corrupt_desc 'SHA1'\n\nValidate that the fips module can be loaded from a base configuration\nfile:\n\nexport OPENSSL_CONF_INCLUDE=<path of configuration files>\nexport OPENSSL_MODULES=<provider-path>\nopenssl fipsinstall -config 'default.cnf'\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "config(5), fips_config(5), OSSL_PROVIDER-FIPS(7), EVP_MAC(3)\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use\nthis file except in compliance with the License.  You can obtain a copy\nin the file LICENSE in the source distribution or at\n<https://www.openssl.org/source/license.html>.\n\n3.0.2                             2026-06-02         OPENSSL-FIPSINSTALL(1SSL)",
            "subsections": []
        }
    },
    "summary": "openssl-fipsinstall - perform FIPS configuration installation",
    "flags": [
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Print a usage message. -module filename Filename of the FIPS module to perform an integrity check on. The path provided in the filename is used to load the module when it is activated, and this overrides the environment variable OPENSSL_MODULES. -out configfilename Filename to output the configuration data to; the default is standard output. -in configfilename Input filename to load configuration data from. Must be used if the -verify option is specified."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Verify that the input configuration file contains the correct information. -provider_name providername Name of the provider inside the configuration file. The default value is \"fips\". -section_name sectionname Name of the section inside the configuration file. The default value is \"fips_sect\". -mac_name name Specifies the name of a supported MAC algorithm which will be used. The MAC mechanisms that are available will depend on the options used when building OpenSSL. To see the list of supported MAC's use the command \"openssl list -mac-algorithms\". The default is HMAC. -macopt nm:v Passes options to the MAC algorithm. A comprehensive list of controls can be found in the EVP_MAC implementation documentation. Common control strings used for this command are: key:string Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used. hexkey:string Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used. digest:string Used by HMAC as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. To see the list of supported digests, use the command \"openssl list -digest-commands\". The default digest is SHA-256."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Disable logging of the self tests."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Configure the module to not enter an error state if a conditional self test fails as described above."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Configure the module to not perform run-time security checks as described above."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Do not write the two fields related to the \"test status indicator\" and \"MAC status indicator\" to the output configuration file. Without these fields the self tests KATS will run each time the module is loaded. This option could be used for cross compiling, since the self tests need to run at least once on each target machine. Once the self tests have run on the target machine the user could possibly then add the 2 fields into the configuration using some other mechanism."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Do not output pass/fail messages. Implies -noout. -corrupt_desc selftestdescription, -corrupt_type selftesttype The corrupt options can be used to test failure of one or more self tests by name. Either option or both may be used to select the tests to corrupt. Refer to the entries for st-desc and st-type in OSSL_PROVIDER-FIPS(7) for values that can be used. -config parentconfig Test that a FIPS provider can be loaded from the specified configuration file. A previous call to this application needs to generate the extra configuration data that is included by the base \"parentconfig\" configuration file. See config(5) for further information on how to set up a provider section. All other options are ignored if '-config' is used."
        }
    ],
    "examples": [
        "Calculate the mac of a FIPS module fips.so and run a FIPS self test for",
        "the module, and save the fips.cnf configuration file:",
        "openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips",
        "Verify that the configuration file fips.cnf contains the correct info:",
        "openssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify",
        "Corrupt any self tests which have the description \"SHA1\":",
        "openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \\",
        "-corrupt_desc 'SHA1'",
        "Validate that the fips module can be loaded from a base configuration",
        "file:",
        "export OPENSSL_CONF_INCLUDE=<path of configuration files>",
        "export OPENSSL_MODULES=<provider-path>",
        "openssl fipsinstall -config 'default.cnf'"
    ],
    "see_also": [
        {
            "name": "config",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/config/5/json"
        },
        {
            "name": "fipsconfig",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/fipsconfig/5/json"
        },
        {
            "name": "OSSLPROVIDER-FIPS",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/OSSLPROVIDER-FIPS/7/json"
        },
        {
            "name": "EVPMAC",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPMAC/3/json"
        }
    ]
}