{
    "mode": "man",
    "parameter": "openssl-fipsinstall",
    "section": "1ssl",
    "url": "https://www.chedong.com/phpMan.php/man/openssl-fipsinstall/1ssl/json",
    "generated": "2026-06-03T01:48:46Z",
    "synopsis": "openssl fipsinstall [-help] [-in configfilename] [-out configfilename] [-module\nmodulefilename] [-provider_name providername] [-section_name sectionname] [-verify]\n[-mac_name macname] [-macopt nm:v] [-noout] [-quiet] [-no_conditional_errors]\n[-no_security_checks] [-self_test_onload] [-corrupt_desc selftestdescription] [-corrupt_type\nselftesttype] [-config parentconfig]",
    "sections": {
        "NAME": {
            "content": "openssl-fipsinstall - perform FIPS configuration installation\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "openssl fipsinstall [-help] [-in configfilename] [-out configfilename] [-module\nmodulefilename] [-provider_name providername] [-section_name sectionname] [-verify]\n[-mac_name macname] [-macopt nm:v] [-noout] [-quiet] [-no_conditional_errors]\n[-no_security_checks] [-self_test_onload] [-corrupt_desc selftestdescription] [-corrupt_type\nselftesttype] [-config parentconfig]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "This command is used to generate a FIPS module configuration file.  This configuration file\ncan be used each time a FIPS module is loaded in order to pass data to the FIPS module self\ntests. The FIPS module always verifies its MAC, but optionally only needs to run the KAT's\nonce, at installation.\n\nThe generated configuration file consists of:\n\n- A MAC of the FIPS module file.\n- A test status indicator.\nThis indicates if the Known Answer Self Tests (KAT's) have successfully run.\n\n- A MAC of the status indicator.\n- A control for conditional self tests errors.\nBy default if a continuous test (e.g a key pair test) fails then the FIPS module will\nenter an error state, and no services or cryptographic algorithms will be able to be\naccessed after this point.  The default value of '1' will cause the fips module error\nstate to be entered.  If the value is '0' then the module error state will not be\nentered.  Regardless of whether the error state is entered or not, the current operation\n(e.g. key generation) will return an error. The user is responsible for retrying the\noperation if the module error state is not entered.\n\n- A control to indicate whether run-time security checks are done.\nThis indicates if run-time checks related to enforcement of security parameters such as\nminimum security strength of keys and approved curve names are used.  The default value\nof '1' will perform the checks.  If the value is '0' the checks are not performed and\nFIPS compliance must be done by procedures documented in the relevant Security Policy.\n\nThis file is described in fipsconfig(5).\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-help",
                    "content": "Print a usage message.\n"
                },
                {
                    "name": "-module",
                    "content": "Filename of the FIPS module to perform an integrity check on.  The path provided in the\nfilename is used to load the module when it is activated, and this overrides the\nenvironment variable OPENSSL_MODULES.\n"
                },
                {
                    "name": "-out",
                    "content": "Filename to output the configuration data to; the default is standard output.\n"
                },
                {
                    "name": "-in",
                    "content": "Input filename to load configuration data from.  Must be used if the -verify option is\nspecified.\n"
                },
                {
                    "name": "-verify",
                    "content": "Verify that the input configuration file contains the correct information.\n"
                },
                {
                    "name": "-provider_name",
                    "content": "Name of the provider inside the configuration file.  The default value is \"fips\".\n"
                },
                {
                    "name": "-section_name",
                    "content": "Name of the section inside the configuration file.  The default value is \"fipssect\".\n"
                },
                {
                    "name": "-mac_name",
                    "content": "Specifies the name of a supported MAC algorithm which will be used.  The MAC mechanisms\nthat are available will depend on the options used when building OpenSSL.  To see the\nlist of supported MAC's use the command \"openssl list -mac-algorithms\".  The default is\nHMAC.\n"
                },
                {
                    "name": "-macopt",
                    "content": "Passes options to the MAC algorithm.  A comprehensive list of controls can be found in\nthe EVPMAC implementation documentation.  Common control strings used for this command\nare:\n\nkey:string\nSpecifies the MAC key as an alphanumeric string (use if the key contains printable\ncharacters only).  The string length must conform to any restrictions of the MAC\nalgorithm.  A key must be specified for every MAC algorithm.  If no key is provided,\nthe default that was specified when OpenSSL was configured is used.\n\nhexkey:string\nSpecifies the MAC key in hexadecimal form (two hex digits per byte).  The key length\nmust conform to any restrictions of the MAC algorithm.  A key must be specified for\nevery MAC algorithm.  If no key is provided, the default that was specified when\nOpenSSL was configured is used.\n\ndigest:string\nUsed by HMAC as an alphanumeric string (use if the key contains printable characters\nonly).  The string length must conform to any restrictions of the MAC algorithm.  To\nsee the list of supported digests, use the command \"openssl list -digest-commands\".\nThe default digest is SHA-256.\n"
                },
                {
                    "name": "-noout",
                    "content": "Disable logging of the self tests.\n"
                },
                {
                    "name": "-no_conditional_errors",
                    "content": "Configure the module to not enter an error state if a conditional self test fails as\ndescribed above.\n"
                },
                {
                    "name": "-no_security_checks",
                    "content": "Configure the module to not perform run-time security checks as described above.\n"
                },
                {
                    "name": "-self_test_onload",
                    "content": "Do not write the two fields related to the \"test status indicator\" and \"MAC status\nindicator\" to the output configuration file. Without these fields the self tests KATS\nwill run each time the module is loaded. This option could be used for cross compiling,\nsince the self tests need to run at least once on each target machine. Once the self\ntests have run on the target machine the user could possibly then add the 2 fields into\nthe configuration using some other mechanism.\n"
                },
                {
                    "name": "-quiet",
                    "content": "Do not output pass/fail messages. Implies -noout.\n"
                },
                {
                    "name": "-corrupt_desc -corrupt_type",
                    "content": "The corrupt options can be used to test failure of one or more self tests by name.\nEither option or both may be used to select the tests to corrupt.  Refer to the entries\nfor st-desc and st-type in OSSLPROVIDER-FIPS(7) for values that can be used.\n"
                },
                {
                    "name": "-config",
                    "content": "Test that a FIPS provider can be loaded from the specified configuration file.  A\nprevious call to this application needs to generate the extra configuration data that is\nincluded by the base \"parentconfig\" configuration file.  See config(5) for further\ninformation on how to set up a provider section.  All other options are ignored if\n'-config' is used.\n"
                }
            ]
        },
        "NOTES": {
            "content": "Self tests results are logged by default if the options -quiet and -noout are not specified,\nor if either of the options -corrupt_desc or -corrupt_type are used.  If the base\nconfiguration file is set up to autoload the fips module, then the fips module will be loaded\nand self tested BEFORE the fipsinstall application has a chance to set up its own self test\ncallback. As a result of this the self test output and the options -corrupt_desc and",
            "subsections": [
                {
                    "name": "-corrupt_type",
                    "content": "default provider when generating the fips configuration file.\n"
                }
            ]
        },
        "EXAMPLES": {
            "content": "Calculate the mac of a FIPS module fips.so and run a FIPS self test for the module, and save\nthe fips.cnf configuration file:\n\nopenssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips\n\nVerify that the configuration file fips.cnf contains the correct info:\n\nopenssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify\n\nCorrupt any self tests which have the description \"SHA1\":\n\nopenssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \\\n-corrupt_desc 'SHA1'\n\nValidate that the fips module can be loaded from a base configuration file:\n\nexport OPENSSL_CONF_INCLUDE=<path of configuration files>\nexport OPENSSL_MODULES=<provider-path>\nopenssl fipsinstall -config 'default.cnf'\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "config(5), fipsconfig(5), OSSLPROVIDER-FIPS(7), EVPMAC(3)\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-04-07                    OPENSSL-FIPSINSTALL(1SSL)",
            "subsections": []
        }
    },
    "summary": "openssl-fipsinstall - perform FIPS configuration installation",
    "flags": [
        {
            "flag": "-help",
            "long": null,
            "arg": null,
            "description": "Print a usage message."
        },
        {
            "flag": "-module",
            "long": null,
            "arg": null,
            "description": "Filename of the FIPS module to perform an integrity check on. The path provided in the filename is used to load the module when it is activated, and this overrides the environment variable OPENSSL_MODULES."
        },
        {
            "flag": "-out",
            "long": null,
            "arg": null,
            "description": "Filename to output the configuration data to; the default is standard output."
        },
        {
            "flag": "-in",
            "long": null,
            "arg": null,
            "description": "Input filename to load configuration data from. Must be used if the -verify option is specified."
        },
        {
            "flag": "-verify",
            "long": null,
            "arg": null,
            "description": "Verify that the input configuration file contains the correct information."
        },
        {
            "flag": "-provider_name",
            "long": null,
            "arg": null,
            "description": "Name of the provider inside the configuration file. The default value is \"fips\"."
        },
        {
            "flag": "-section_name",
            "long": null,
            "arg": null,
            "description": "Name of the section inside the configuration file. The default value is \"fipssect\"."
        },
        {
            "flag": "-mac_name",
            "long": null,
            "arg": null,
            "description": "Specifies the name of a supported MAC algorithm which will be used. The MAC mechanisms that are available will depend on the options used when building OpenSSL. To see the list of supported MAC's use the command \"openssl list -mac-algorithms\". The default is HMAC."
        },
        {
            "flag": "-macopt",
            "long": null,
            "arg": null,
            "description": "Passes options to the MAC algorithm. A comprehensive list of controls can be found in the EVPMAC implementation documentation. Common control strings used for this command are: key:string Specifies the MAC key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used. hexkey:string Specifies the MAC key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the MAC algorithm. A key must be specified for every MAC algorithm. If no key is provided, the default that was specified when OpenSSL was configured is used. digest:string Used by HMAC as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the MAC algorithm. To see the list of supported digests, use the command \"openssl list -digest-commands\". The default digest is SHA-256."
        },
        {
            "flag": "-noout",
            "long": null,
            "arg": null,
            "description": "Disable logging of the self tests."
        },
        {
            "flag": "-no_conditional_errors",
            "long": null,
            "arg": null,
            "description": "Configure the module to not enter an error state if a conditional self test fails as described above."
        },
        {
            "flag": "-no_security_checks",
            "long": null,
            "arg": null,
            "description": "Configure the module to not perform run-time security checks as described above."
        },
        {
            "flag": "-self_test_onload",
            "long": null,
            "arg": null,
            "description": "Do not write the two fields related to the \"test status indicator\" and \"MAC status indicator\" to the output configuration file. Without these fields the self tests KATS will run each time the module is loaded. This option could be used for cross compiling, since the self tests need to run at least once on each target machine. Once the self tests have run on the target machine the user could possibly then add the 2 fields into the configuration using some other mechanism."
        },
        {
            "flag": "-quiet",
            "long": null,
            "arg": null,
            "description": "Do not output pass/fail messages. Implies -noout."
        },
        {
            "flag": "-corrupt_desc -corrupt_type",
            "long": null,
            "arg": null,
            "description": "The corrupt options can be used to test failure of one or more self tests by name. Either option or both may be used to select the tests to corrupt. Refer to the entries for st-desc and st-type in OSSLPROVIDER-FIPS(7) for values that can be used."
        },
        {
            "flag": "-config",
            "long": null,
            "arg": null,
            "description": "Test that a FIPS provider can be loaded from the specified configuration file. A previous call to this application needs to generate the extra configuration data that is included by the base \"parentconfig\" configuration file. See config(5) for further information on how to set up a provider section. All other options are ignored if '-config' is used."
        }
    ],
    "examples": [
        "Calculate the mac of a FIPS module fips.so and run a FIPS self test for the module, and save",
        "the fips.cnf configuration file:",
        "openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips",
        "Verify that the configuration file fips.cnf contains the correct info:",
        "openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify",
        "Corrupt any self tests which have the description \"SHA1\":",
        "openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \\",
        "-corrupt_desc 'SHA1'",
        "Validate that the fips module can be loaded from a base configuration file:",
        "export OPENSSL_CONF_INCLUDE=<path of configuration files>",
        "export OPENSSL_MODULES=<provider-path>",
        "openssl fipsinstall -config 'default.cnf'"
    ],
    "see_also": [
        {
            "name": "config",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/config/5/json"
        },
        {
            "name": "fipsconfig",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/fipsconfig/5/json"
        },
        {
            "name": "OSSLPROVIDER-FIPS",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/OSSLPROVIDER-FIPS/7/json"
        },
        {
            "name": "EVPMAC",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPMAC/3/json"
        }
    ]
}