[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
[B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
[B<-text>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-new>]
+[B<-rand file(s)>]
[B<-newkey rsa:bits>]
[B<-newkey dsa:file>]
[B<-nodes>]
[B<-config filename>]
[B<-x509>]
[B<-days n>]
-[B<-noasn1-kludge>]
+[B<-asn1-kludge>]
+[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]
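Review bot: the synopsis swaps B<-noasn1-kludge> for B<-asn1-kludge>, but no matching change to that option's C<=item> line appears anywhere in this patch, so the OPTIONS section may still document the old name; the only visible trace of that item is the unchanged context line "It should be noted that very few CAs still require the use of this option." Please confirm the option entry and its text were updated in the same change. The B<-passin arg>, B<-passout arg>, B<-rand file(s)> and B<-newhdr> synopsis entries do have matching option entries below, which is good.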
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.
-=item B<-passin password>
+=item B<-passin arg>
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-out filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-passout password>
-
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+=item B<-passout arg>
-=item B<-envpassout var>
-
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
=item B<-text>
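Review bot: the new descriptions of B<-passin> and B<-passout> delete the sentence "Since certain utilities like "ps" make the command line visible this option should be used with caution." and replace it with a pointer to PASS PHRASE ARGUMENTS in openssl(1), without saying that the referenced section covers the exposure. If any form of B<arg> can still place the pass phrase on the command line, keep a one-line caution here, or state explicitly that openssl(1) explains which source forms are visible to other users; otherwise a reader of this page alone loses the warning that was previously present.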
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=item B<-newkey arg>
this option creates a new certificate request and a new private
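Review bot: grammar in the new B<-rand> text: "separated by a OS-dependent character" should read "separated by an OS-dependent character". The description also does not say how B<-rand> interacts with the B<RANDFILE> configuration value described later in this page (whether both are read, or one overrides the other); one sentence here would avoid the reader guessing where the seed actually comes from.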
days to certify the certificate for. The default is 30 days.
=item B<-extensions section>
+
=item B<-reqexts section>
these options specify alternative sections to include certificate
It should be noted that very few CAs still require the use of this option.
+=item B<-newhdr>
+
+Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+request. Some software (Netscape certificate server) and some CAs need this.
+
=back
=head1 CONFIGURATION FILE FORMAT
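Review bot: typo in the new B<-newhdr> entry: "on the outputed request" should be "on the output request" (or "on the request that is written out"). It would also help to point at the NOTES section, which this patch updates to show the C<NEW CERTIFICATE REQUEST> header and footer lines the option produces, so the two descriptions stay in step.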
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
-command line options B<passin>, B<envpassin>, B<passout> and
-B<envpassout> override the configuration file values.
+command line options B<passin> and B<passout> override the
+configuration file values.
=item B<default_bits>
=item B<RANDFILE>
This specifies a filename in which random number seed information is
-placed and read from. It is used for private key generation.
+placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+It is used for private key generation.
=item B<encrypt_key>
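Review bot: the B<RANDFILE> text now says the value may be "a filename ... or an EGD socket", but the first sentence still says seed information is "placed and read from" it. Writing seed data back into an EGD socket does not fit that wording; consider stating that writing back applies only to the file case, or rewording to "read from (and, for a regular file, written back to)".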
CN=My Name
OU=My Organization
- emailAddress=someone@somehere.org
+ emailAddress=someone@somewhere.org
This allows external programs (e.g. GUI based) to generate a template file
with all the field names and values and just pass it to B<req>. An example
-of this kind of configuration files is contained in the B<EXAMPLES> section.
+of this kind of configuration file is contained in the B<EXAMPLES> section.
-Alternatively if the B<prompt> option is absent or not set to B<no> the the
+Alternatively if the B<prompt> option is absent or not set to B<no> then the
file contains field prompting information. It consists of lines of the form:
fieldName="prompt"
Some fields (such as organizationName) can be used more than once
in a DN. This presents a problem because configuration files will
not recognize the same name occurring twice. To avoid this problem
-if the fieldName contains an some characters followed by a full stop
+if the fieldName contains some characters followed by a full stop
they will be ignored. So for example a second organizationName can
be input by calling it "1.organizationName".
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationUnitName, stateOrPrivinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier
-are supported.
+is include as well as name, surname, givenName initials and dnQualifier.
Additional object identifiers can be defined with the B<oid_file> or
B<oid_section> options in the configuration file. Any additional fields
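Review bot: the rewritten sentence still contains the pre-existing typo "is include as well as", which should be "is included as well as", and the list "name, surname, givenName initials and dnQualifier" is missing the comma between "givenName" and "initials". Since this hunk already touches the line, fix both here rather than leaving them for a follow-up.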
=head1 NOTES
-The header and footer lines in the B<PEM> format are respectively:
+The header and footer lines in the B<PEM> format are normally:
-----BEGIN CERTIFICATE REQUEST----
-----END CERTIFICATE REQUEST----
-----BEGIN NEW CERTIFICATE REQUEST----
-----END NEW CERTIFICATE REQUEST----
-but is otherwise compatible. Either form is accepted on input.
+which is produced with the B<-newhdr> option but is otherwise compatible.
+Either form is accepted transparently on input.
The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
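Review bot: the NOTES change reads well, but the unchanged example lines it refers to show four trailing dashes ("-----BEGIN CERTIFICATE REQUEST----"), whereas PEM encapsulation boundaries use five dashes on both sides. Since this hunk is rewriting the surrounding sentences, correct all four example lines to "-----BEGIN CERTIFICATE REQUEST-----" and so on, so that a reader copying them does not produce headers that a strict PEM parser rejects.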
=head1 SEE ALSO
-x509(1), ca(1), genrsa(1), gendsa(1), config(5)
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>
=cut
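Review bot: this patch adds references to the PASS PHRASE ARGUMENTS section of L<openssl(1)|openssl(1)> and to L<RAND_egd(3)|RAND_egd(3)> in the option descriptions, but the rewritten SEE ALSO list still names only x509(1), ca(1), genrsa(1), gendsa(1) and config(5). Add openssl(1) and RAND_egd(3) to SEE ALSO so the cross-references are discoverable from the end of the page as well.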