diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/x509.1')
| -rw-r--r-- | secure/usr.bin/openssl/man/x509.1 | 955 |
1 files changed, 0 insertions, 955 deletions
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 deleted file mode 100644 index 8eb5d69cb3fe..000000000000 --- a/secure/usr.bin/openssl/man/x509.1 +++ /dev/null @@ -1,955 +0,0 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{\ -. if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "X509 1" -.TH X509 1 "2022-06-21" "1.1.1p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -openssl\-x509, x509 \- Certificate display and signing utility -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBx509\fR -[\fB\-help\fR] -[\fB\-inform DER|PEM\fR] -[\fB\-outform DER|PEM\fR] -[\fB\-keyform DER|PEM|ENGINE\fR] -[\fB\-CAform DER|PEM\fR] -[\fB\-CAkeyform DER|PEM\fR] -[\fB\-in filename\fR] -[\fB\-out filename\fR] -[\fB\-serial\fR] -[\fB\-hash\fR] -[\fB\-subject_hash\fR] -[\fB\-issuer_hash\fR] -[\fB\-ocspid\fR] -[\fB\-subject\fR] -[\fB\-issuer\fR] -[\fB\-nameopt option\fR] -[\fB\-email\fR] -[\fB\-ocsp_uri\fR] -[\fB\-startdate\fR] -[\fB\-enddate\fR] -[\fB\-purpose\fR] -[\fB\-dates\fR] -[\fB\-checkend num\fR] -[\fB\-modulus\fR] -[\fB\-pubkey\fR] -[\fB\-fingerprint\fR] -[\fB\-alias\fR] -[\fB\-noout\fR] -[\fB\-trustout\fR] -[\fB\-clrtrust\fR] -[\fB\-clrreject\fR] -[\fB\-addtrust arg\fR] -[\fB\-addreject arg\fR] -[\fB\-setalias arg\fR] -[\fB\-days arg\fR] -[\fB\-set_serial n\fR] -[\fB\-signkey arg\fR] -[\fB\-passin arg\fR] -[\fB\-x509toreq\fR] -[\fB\-req\fR] -[\fB\-CA filename\fR] -[\fB\-CAkey filename\fR] -[\fB\-CAcreateserial\fR] -[\fB\-CAserial filename\fR] -[\fB\-force_pubkey key\fR] -[\fB\-text\fR] -[\fB\-ext extensions\fR] -[\fB\-certopt option\fR] -[\fB\-C\fR] -[\fB\-\f(BIdigest\fB\fR] -[\fB\-clrext\fR] -[\fB\-extfile filename\fR] -[\fB\-extensions section\fR] -[\fB\-sigopt nm:v\fR] -[\fB\-rand file...\fR] -[\fB\-writerand file\fR] -[\fB\-engine id\fR] -[\fB\-preserve_dates\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBx509\fR command is a multi purpose certificate utility. It can be -used to display certificate information, convert certificates to -various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit -certificate trust settings. -.PP -Since there are a large number of options they will split up into -various sections. -.SH "OPTIONS" -.IX Header "OPTIONS" -.SS "Input, Output, and General Purpose Options" -.IX Subsection "Input, Output, and General Purpose Options" -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print out a usage message. -.IP "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format normally the command will expect an X509 -certificate but this can change if other options such as \fB\-req\fR are -present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 -is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines -added. The default format is \s-1PEM.\s0 -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning and default -as the \fB\-inform\fR option. -.IP "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a certificate from or standard input -if this option is not specified. -.IP "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write to or standard output by -default. -.IP "\fB\-\f(BIdigest\fB\fR" 4 -.IX Item "-digest" -The digest to use. -This affects any signing or display option that uses a message -digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. -Any digest supported by the OpenSSL \fBdgst\fR command can be used. -If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or -the default digest for the signing algorithm is used, typically \s-1SHA256.\s0 -.IP "\fB\-rand file...\fR" 4 -.IX Item "-rand file..." -A file or files containing random data used to seed the random number -generator. -Multiple files can be specified separated by an OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "[\fB\-writerand file\fR]" 4 -.IX Item "[-writerand file]" -Writes random data to the specified \fIfile\fR upon exit. -This can be used with a subsequent \fB\-rand\fR flag. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. -.IP "\fB\-preserve_dates\fR" 4 -.IX Item "-preserve_dates" -When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead -of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option. -.SS "Display Options" -.IX Subsection "Display Options" -Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options -but are described in the \fB\s-1TRUST SETTINGS\s0\fR section. -.IP "\fB\-text\fR" 4 -.IX Item "-text" -Prints out the certificate in text form. Full details are output including the -public key, signature algorithms, issuer and subject names, serial number -any extensions present and any trust settings. -.IP "\fB\-ext extensions\fR" 4 -.IX Item "-ext extensions" -Prints out the certificate extensions in text form. Extensions are specified -with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R". -See the \fBx509v3_config\fR\|(5) manual page for the extension names. -.IP "\fB\-certopt option\fR" 4 -.IX Item "-certopt option" -Customise the output format used with \fB\-text\fR. The \fBoption\fR argument -can be a single option or multiple options separated by commas. The -\&\fB\-certopt\fR switch may be also be used more than once to set multiple -options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information. -.IP "\fB\-noout\fR" 4 -.IX Item "-noout" -This option prevents output of the encoded version of the certificate. -.IP "\fB\-pubkey\fR" 4 -.IX Item "-pubkey" -Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format. -.IP "\fB\-modulus\fR" 4 -.IX Item "-modulus" -This option prints out the value of the modulus of the public key -contained in the certificate. -.IP "\fB\-serial\fR" 4 -.IX Item "-serial" -Outputs the certificate serial number. -.IP "\fB\-subject_hash\fR" 4 -.IX Item "-subject_hash" -Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to -form an index to allow certificates in a directory to be looked up by subject -name. -.IP "\fB\-issuer_hash\fR" 4 -.IX Item "-issuer_hash" -Outputs the \*(L"hash\*(R" of the certificate issuer name. -.IP "\fB\-ocspid\fR" 4 -.IX Item "-ocspid" -Outputs the \s-1OCSP\s0 hash values for the subject name and public key. -.IP "\fB\-hash\fR" 4 -.IX Item "-hash" -Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons. -.IP "\fB\-subject_hash_old\fR" 4 -.IX Item "-subject_hash_old" -Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm -as used by OpenSSL before version 1.0.0. -.IP "\fB\-issuer_hash_old\fR" 4 -.IX Item "-issuer_hash_old" -Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm -as used by OpenSSL before version 1.0.0. -.IP "\fB\-subject\fR" 4 -.IX Item "-subject" -Outputs the subject name. -.IP "\fB\-issuer\fR" 4 -.IX Item "-issuer" -Outputs the issuer name. -.IP "\fB\-nameopt option\fR" 4 -.IX Item "-nameopt option" -Option which determines how the subject or issuer names are displayed. The -\&\fBoption\fR argument can be a single option or multiple options separated by -commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to -set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information. -.IP "\fB\-email\fR" 4 -.IX Item "-email" -Outputs the email address(es) if any. -.IP "\fB\-ocsp_uri\fR" 4 -.IX Item "-ocsp_uri" -Outputs the \s-1OCSP\s0 responder address(es) if any. -.IP "\fB\-startdate\fR" 4 -.IX Item "-startdate" -Prints out the start date of the certificate, that is the notBefore date. -.IP "\fB\-enddate\fR" 4 -.IX Item "-enddate" -Prints out the expiry date of the certificate, that is the notAfter date. -.IP "\fB\-dates\fR" 4 -.IX Item "-dates" -Prints out the start and expiry dates of a certificate. -.IP "\fB\-checkend arg\fR" 4 -.IX Item "-checkend arg" -Checks if the certificate expires within the next \fBarg\fR seconds and exits -nonzero if yes it will expire or zero if not. -.IP "\fB\-fingerprint\fR" 4 -.IX Item "-fingerprint" -Calculates and outputs the digest of the \s-1DER\s0 encoded version of the entire -certificate (see digest options). -This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message -digests, the fingerprint of a certificate is unique to that certificate and -two certificates with the same fingerprint can be considered to be the same. -.IP "\fB\-C\fR" 4 -.IX Item "-C" -This outputs the certificate in the form of a C source file. -.SS "Trust Settings" -.IX Subsection "Trust Settings" -A \fBtrusted certificate\fR is an ordinary certificate which has several -additional pieces of information attached to it such as the permitted -and prohibited uses of the certificate and an \*(L"alias\*(R". -.PP -Normally when a certificate is being verified at least one certificate -must be \*(L"trusted\*(R". By default a trusted certificate must be stored -locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0 -is then usable for any purpose. -.PP -Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer -control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0 -may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use. -.PP -See the description of the \fBverify\fR utility for more information on the -meaning of trust settings. -.PP -Future versions of OpenSSL will recognize trust settings on any -certificate: not just root CAs. -.IP "\fB\-trustout\fR" 4 -.IX Item "-trustout" -This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary -or trusted certificate can be input but by default an ordinary -certificate is output and any trust settings are discarded. With the -\&\fB\-trustout\fR option a trusted certificate is output. A trusted -certificate is automatically output if any trust settings are modified. -.IP "\fB\-setalias arg\fR" 4 -.IX Item "-setalias arg" -Sets the alias of the certificate. This will allow the certificate -to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". -.IP "\fB\-alias\fR" 4 -.IX Item "-alias" -Outputs the certificate alias, if any. -.IP "\fB\-clrtrust\fR" 4 -.IX Item "-clrtrust" -Clears all the permitted or trusted uses of the certificate. -.IP "\fB\-clrreject\fR" 4 -.IX Item "-clrreject" -Clears all the prohibited or rejected uses of the certificate. -.IP "\fB\-addtrust arg\fR" 4 -.IX Item "-addtrust arg" -Adds a trusted certificate use. -Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client -use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and -\&\fBanyExtendedKeyUsage\fR are used. -As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or -enables all purposes when trusted. -Other OpenSSL applications may define additional uses. -.IP "\fB\-addreject arg\fR" 4 -.IX Item "-addreject arg" -Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR -option. -.IP "\fB\-purpose\fR" 4 -.IX Item "-purpose" -This option performs tests on the certificate extensions and outputs -the results. For a more complete description see the \fB\s-1CERTIFICATE -EXTENSIONS\s0\fR section. -.SS "Signing Options" -.IX Subsection "Signing Options" -The \fBx509\fR utility can be used to sign certificates and requests: it -can thus behave like a \*(L"mini \s-1CA\*(R".\s0 -.IP "\fB\-signkey arg\fR" 4 -.IX Item "-signkey arg" -This option causes the input file to be self signed using the supplied -private key or engine. The private key's format is specified with the -\&\fB\-keyform\fR option. -.Sp -If the input file is a certificate it sets the issuer name to the -subject name (i.e. makes it self signed) changes the public key to the -supplied value and changes the start and end dates. The start date is -set to the current time and the end date is set to a value determined -by the \fB\-days\fR option. Any certificate extensions are retained unless -the \fB\-clrext\fR option is supplied; this includes, for example, any existing -key identifier extensions. -.Sp -If the input is a certificate request then a self signed certificate -is created using the supplied private key using the subject name in -the request. -.IP "\fB\-sigopt nm:v\fR" 4 -.IX Item "-sigopt nm:v" -Pass options to the signature algorithm during sign or verify operations. -Names and values of these options are algorithm-specific. -.IP "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -The key password source. For more information about the format of \fBarg\fR -see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1). -.IP "\fB\-clrext\fR" 4 -.IX Item "-clrext" -Delete any extensions from a certificate. This option is used when a -certificate is being created from another certificate (for example with -the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are -retained. -.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 -.IX Item "-keyform PEM|DER|ENGINE" -Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the -\&\fB\-signkey\fR option. -.IP "\fB\-days arg\fR" 4 -.IX Item "-days arg" -Specifies the number of days to make a certificate valid for. The default -is 30 days. Cannot be used with the \fB\-preserve_dates\fR option. -.IP "\fB\-x509toreq\fR" 4 -.IX Item "-x509toreq" -Converts a certificate into a certificate request. The \fB\-signkey\fR option -is used to pass the required private key. -.IP "\fB\-req\fR" 4 -.IX Item "-req" -By default a certificate is expected on input. With this option a -certificate request is expected instead. -.IP "\fB\-set_serial n\fR" 4 -.IX Item "-set_serial n" -Specifies the serial number to use. This option can be used with either -the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR -option the serial number file (as specified by the \fB\-CAserial\fR or -\&\fB\-CAcreateserial\fR options) is not used. -.Sp -The serial number can be decimal or hex (if preceded by \fB0x\fR). -.IP "\fB\-CA filename\fR" 4 -.IX Item "-CA filename" -Specifies the \s-1CA\s0 certificate to be used for signing. When this option is -present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this -\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name -of the \s-1CA\s0 and it is digitally signed using the CAs private key. -.Sp -This option is normally combined with the \fB\-req\fR option. Without the -\&\fB\-req\fR option the input is a certificate which must be self signed. -.IP "\fB\-CAkey filename\fR" 4 -.IX Item "-CAkey filename" -Sets the \s-1CA\s0 private key to sign a certificate with. If this option is -not specified then it is assumed that the \s-1CA\s0 private key is present in -the \s-1CA\s0 certificate file. -.IP "\fB\-CAserial filename\fR" 4 -.IX Item "-CAserial filename" -Sets the \s-1CA\s0 serial number file to use. -.Sp -When the \fB\-CA\fR option is used to sign a certificate it uses a serial -number specified in a file. This file consists of one line containing -an even number of hex digits with the serial number to use. After each -use the serial number is incremented and written out to the file again. -.Sp -The default filename consists of the \s-1CA\s0 certificate file base name with -\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called -\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". -.IP "\fB\-CAcreateserial\fR" 4 -.IX Item "-CAcreateserial" -With this option the \s-1CA\s0 serial number file is created if it does not exist: -it will contain the serial number \*(L"02\*(R" and the certificate being signed will -have the 1 as its serial number. If the \fB\-CA\fR option is specified -and the serial number file does not exist a random number is generated; -this is the recommended practice. -.IP "\fB\-extfile filename\fR" 4 -.IX Item "-extfile filename" -File containing certificate extensions to use. If not specified then -no extensions are added to the certificate. -.IP "\fB\-extensions section\fR" 4 -.IX Item "-extensions section" -The section to add certificate extensions from. If this option is not -specified then the extensions should either be contained in the unnamed -(default) section or the default section should contain a variable called -\&\*(L"extensions\*(R" which contains the section to use. See the -\&\fBx509v3_config\fR\|(5) manual page for details of the -extension section format. -.IP "\fB\-force_pubkey key\fR" 4 -.IX Item "-force_pubkey key" -When a certificate is created set its public key to \fBkey\fR instead of the -key in the certificate or certificate request. This option is useful for -creating certificates where the algorithm can't normally sign requests, for -example \s-1DH.\s0 -.Sp -The format or \fBkey\fR can be specified using the \fB\-keyform\fR option. -.SS "Name Options" -.IX Subsection "Name Options" -The \fBnameopt\fR command line switch determines how the subject and issuer -names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" -format is used which is compatible with previous versions of OpenSSL. -Each option is described in detail below, all options can be preceded by -a \fB\-\fR to turn the option off. Only the first four will normally be used. -.IP "\fBcompat\fR" 4 -.IX Item "compat" -Use the old format. -.IP "\fB\s-1RFC2253\s0\fR" 4 -.IX Item "RFC2253" -Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, -\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, -\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. -.IP "\fBoneline\fR" 4 -.IX Item "oneline" -A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to -specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, -\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR -options. This is the \fIdefault\fR of no name options are given explicitly. -.IP "\fBmultiline\fR" 4 -.IX Item "multiline" -A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, -\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR. -.IP "\fBesc_2253\fR" 4 -.IX Item "esc_2253" -Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is -\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string -and a space character at the beginning or end of a string. -.IP "\fBesc_2254\fR" 4 -.IX Item "esc_2254" -Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is -the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR. -.IP "\fBesc_ctrl\fR" 4 -.IX Item "esc_ctrl" -Escape control characters. That is those with \s-1ASCII\s0 values less than -0x20 (space) and the delete (0x7f) character. They are escaped using the -\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the -character value). -.IP "\fBesc_msb\fR" 4 -.IX Item "esc_msb" -Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than -127. -.IP "\fBuse_quote\fR" 4 -.IX Item "use_quote" -Escapes some characters by surrounding the whole string with \fB"\fR characters, -without the option all escaping is done with the \fB\e\fR character. -.IP "\fButf8\fR" 4 -.IX Item "utf8" -Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If -you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use -of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct -display of multibyte (international) characters. Is this option is not -present then multibyte characters larger than 0xff will be represented -using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits. -Also if this option is off any UTF8Strings will be converted to their -character form first. -.IP "\fBignore_type\fR" 4 -.IX Item "ignore_type" -This option does not attempt to interpret multibyte characters in any -way. That is their content octets are merely dumped as though one octet -represents each character. This is useful for diagnostic purposes but -will result in rather odd looking output. -.IP "\fBshow_type\fR" 4 -.IX Item "show_type" -Show the type of the \s-1ASN1\s0 character string. The type precedes the -field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". -.IP "\fBdump_der\fR" 4 -.IX Item "dump_der" -When this option is set any fields that need to be hexdumped will -be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the -content octets will be displayed. Both options use the \s-1RFC2253\s0 -\&\fB#XXXX...\fR format. -.IP "\fBdump_nostr\fR" 4 -.IX Item "dump_nostr" -Dump non character string types (for example \s-1OCTET STRING\s0) if this -option is not set then non character string types will be displayed -as though each content octet represents a single character. -.IP "\fBdump_all\fR" 4 -.IX Item "dump_all" -Dump all fields. This option when used with \fBdump_der\fR allows the -\&\s-1DER\s0 encoding of the structure to be unambiguously determined. -.IP "\fBdump_unknown\fR" 4 -.IX Item "dump_unknown" -Dump any field whose \s-1OID\s0 is not recognised by OpenSSL. -.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 -.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" -These options determine the field separators. The first character is -between RDNs and the second between multiple AVAs (multiple AVAs are -very rare and their use is discouraged). The options ending in -\&\*(L"space\*(R" additionally place a space after the separator to make it -more readable. The \fBsep_multiline\fR uses a linefeed character for -the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also -indents the fields by four characters. If no field separator is specified -then \fBsep_comma_plus_space\fR is used by default. -.IP "\fBdn_rev\fR" 4 -.IX Item "dn_rev" -Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side -effect this also reverses the order of multiple AVAs but this is -permissible. -.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 -.IX Item "nofname, sname, lname, oid" -These options alter how the field name is displayed. \fBnofname\fR does -not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form -(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. -\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for -diagnostic purpose. -.IP "\fBalign\fR" 4 -.IX Item "align" -Align field values for a more readable output. Only usable with -\&\fBsep_multiline\fR. -.IP "\fBspace_eq\fR" 4 -.IX Item "space_eq" -Places spaces round the \fB=\fR character which follows the field -name. -.SS "Text Options" -.IX Subsection "Text Options" -As well as customising the name output format, it is also possible to -customise the actual fields printed using the \fBcertopt\fR options when -the \fBtext\fR option is present. The default behaviour is to print all fields. -.IP "\fBcompatible\fR" 4 -.IX Item "compatible" -Use the old format. This is equivalent to specifying no output options at all. -.IP "\fBno_header\fR" 4 -.IX Item "no_header" -Don't print header information: that is the lines saying \*(L"Certificate\*(R" -and \*(L"Data\*(R". -.IP "\fBno_version\fR" 4 -.IX Item "no_version" -Don't print out the version number. -.IP "\fBno_serial\fR" 4 -.IX Item "no_serial" -Don't print out the serial number. -.IP "\fBno_signame\fR" 4 -.IX Item "no_signame" -Don't print out the signature algorithm used. -.IP "\fBno_validity\fR" 4 -.IX Item "no_validity" -Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. -.IP "\fBno_subject\fR" 4 -.IX Item "no_subject" -Don't print out the subject name. -.IP "\fBno_issuer\fR" 4 -.IX Item "no_issuer" -Don't print out the issuer name. -.IP "\fBno_pubkey\fR" 4 -.IX Item "no_pubkey" -Don't print out the public key. -.IP "\fBno_sigdump\fR" 4 -.IX Item "no_sigdump" -Don't give a hexadecimal dump of the certificate signature. -.IP "\fBno_aux\fR" 4 -.IX Item "no_aux" -Don't print out certificate trust information. -.IP "\fBno_extensions\fR" 4 -.IX Item "no_extensions" -Don't print out any X509V3 extensions. -.IP "\fBext_default\fR" 4 -.IX Item "ext_default" -Retain default extension behaviour: attempt to print out unsupported -certificate extensions. -.IP "\fBext_error\fR" 4 -.IX Item "ext_error" -Print an error message for unsupported certificate extensions. -.IP "\fBext_parse\fR" 4 -.IX Item "ext_parse" -\&\s-1ASN1\s0 parse unsupported extensions. -.IP "\fBext_dump\fR" 4 -.IX Item "ext_dump" -Hex dump unsupported extensions. -.IP "\fBca_default\fR" 4 -.IX Item "ca_default" -The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, -\&\fBno_header\fR, and \fBno_version\fR. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: in these examples the '\e' means the example should be all on one -line. -.PP -Display the contents of a certificate: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-text -.Ve -.PP -Display the \*(L"Subject Alternative Name\*(R" extension of a certificate: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName -.Ve -.PP -Display more extensions of a certificate: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType -.Ve -.PP -Display the certificate serial number: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-serial -.Ve -.PP -Display the certificate subject name: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject -.Ve -.PP -Display the certificate subject name in \s-1RFC2253\s0 form: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253 -.Ve -.PP -Display the certificate subject name in oneline form on a terminal -supporting \s-1UTF8:\s0 -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb -.Ve -.PP -Display the certificate \s-1SHA1\s0 fingerprint: -.PP -.Vb 1 -\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint -.Ve -.PP -Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format: -.PP -.Vb 1 -\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER -.Ve -.PP -Convert a certificate to a certificate request: -.PP -.Vb 1 -\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem -.Ve -.PP -Convert a certificate request into a self signed certificate using -extensions for a \s-1CA:\s0 -.PP -.Vb 2 -\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e -\& \-signkey key.pem \-out cacert.pem -.Ve -.PP -Sign a certificate request using the \s-1CA\s0 certificate above and add user -certificate extensions: -.PP -.Vb 2 -\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e -\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial -.Ve -.PP -Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to -\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0 -.PP -.Vb 2 -\& openssl x509 \-in cert.pem \-addtrust clientAuth \e -\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem -.Ve -.SH "NOTES" -.IX Header "NOTES" -The \s-1PEM\s0 format uses the header and footer lines: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- -.Ve -.PP -it will also handle files containing: -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\- -.Ve -.PP -Trusted certificates have the lines -.PP -.Vb 2 -\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\- -\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\- -.Ve -.PP -The conversion to \s-1UTF8\s0 format used with the name options assumes that -T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape -and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect -it is more likely to display the majority of certificates correctly. -.PP -The \fB\-email\fR option searches the subject name and the subject alternative -name extension. Only unique email addresses will be printed out: it will -not print the same address more than once. -.SH "CERTIFICATE EXTENSIONS" -.IX Header "CERTIFICATE EXTENSIONS" -The \fB\-purpose\fR option checks the certificate extensions and determines -what the certificate can be used for. The actual checks done are rather -complex and include various hacks and workarounds to handle broken -certificates and software. -.PP -The same code is used when verifying untrusted certificates in chains -so this section is useful if a chain is rejected by the verify code. -.PP -The basicConstraints extension \s-1CA\s0 flag is used to determine whether the -certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0 -if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the -\&\s-1CA\s0 flag set to true. -.PP -If the basicConstraints extension is absent then the certificate is -considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according -to the intended use of the certificate. A warning is given in this case -because the certificate should really not be regarded as a \s-1CA:\s0 however -it is allowed to be a \s-1CA\s0 to work around some broken software. -.PP -If the certificate is a V1 certificate (and thus has no extensions) and -it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again -given: this is to work around the problem of Verisign roots which are V1 -self signed certificates. -.PP -If the keyUsage extension is present then additional restraints are -made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the -keyCertSign bit set if the keyUsage extension is present. -.PP -The extended key usage extension places additional restrictions on the -certificate uses. If this extension is present (whether critical or not) -the key can only be used for the purposes specified. -.PP -A complete description of each test is given below. The comments about -basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR -\&\s-1CA\s0 certificates. -.IP "\fB\s-1SSL\s0 Client\fR" 4 -.IX Item "SSL Client" -The extended key usage extension must be absent or include the \*(L"web client -authentication\*(R" \s-1OID.\s0 keyUsage must be absent or it must have the -digitalSignature bit set. Netscape certificate type must be absent or it must -have the \s-1SSL\s0 client bit set. -.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4 -.IX Item "SSL Client CA" -The extended key usage extension must be absent or include the \*(L"web client -authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have -the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints -extension is absent. -.IP "\fB\s-1SSL\s0 Server\fR" 4 -.IX Item "SSL Server" -The extended key usage extension must be absent or include the \*(L"web server -authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it -must have the digitalSignature, the keyEncipherment set or both bits set. -Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set. -.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4 -.IX Item "SSL Server CA" -The extended key usage extension must be absent or include the \*(L"web server -authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must -be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the -basicConstraints extension is absent. -.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4 -.IX Item "Netscape SSL Server" -For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the -keyEncipherment bit set if the keyUsage extension is present. This isn't -always valid because some cipher suites use the key for digital signing. -Otherwise it is the same as a normal \s-1SSL\s0 server. -.IP "\fBCommon S/MIME Client Tests\fR" 4 -.IX Item "Common S/MIME Client Tests" -The extended key usage extension must be absent or include the \*(L"email -protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the -S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type -then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: -this is because some Verisign certificates don't set the S/MIME bit. -.IP "\fBS/MIME Signing\fR" 4 -.IX Item "S/MIME Signing" -In addition to the common S/MIME client tests the digitalSignature bit or -the nonRepudiation bit must be set if the keyUsage extension is present. -.IP "\fBS/MIME Encryption\fR" 4 -.IX Item "S/MIME Encryption" -In addition to the common S/MIME tests the keyEncipherment bit must be set -if the keyUsage extension is present. -.IP "\fBS/MIME \s-1CA\s0\fR" 4 -.IX Item "S/MIME CA" -The extended key usage extension must be absent or include the \*(L"email -protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the -S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints -extension is absent. -.IP "\fB\s-1CRL\s0 Signing\fR" 4 -.IX Item "CRL Signing" -The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit -set. -.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4 -.IX Item "CRL Signing CA" -The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension -must be present. -.SH "BUGS" -.IX Header "BUGS" -Extensions in certificates are not transferred to certificate requests and -vice versa. -.PP -It is possible to produce invalid certificates or requests by specifying the -wrong private key or using inconsistent options in some cases: these should -be checked. -.PP -There should be options to explicitly set such things as start and end -dates rather than an offset from the current time. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1), -\&\fBgendsa\fR\|(1), \fBverify\fR\|(1), -\&\fBx509v3_config\fR\|(5) -.SH "HISTORY" -.IX Header "HISTORY" -The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options -before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding -of the distinguished name. In OpenSSL 1.0.0 and later it is based on a -canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using -the old form must have their links rebuilt using \fBc_rehash\fR or similar. -.SH "COPYRIGHT" -.IX Header "COPYRIGHT" -Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. -.PP -Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at -<https://www.openssl.org/source/license.html>. |