{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
#endif
- {"in", OPT_IN, '<', "X.509 request input file"},
+ {"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
- {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
OPT_SECTION("Keys and Signing"),
- {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
+ {"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
if (ext_copy == EXT_COPY_NONE)
BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
}
- if (gen_x509 && infile == NULL)
- newreq = 1;
+ if (infile == NULL) {
+ if (gen_x509)
+ newreq = 1;
+ else
+ BIO_printf(bio_err,
+ "Warning: Will read cert request from stdin since no -in option is given\n");
+ }
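Review bot: The new `else` branch warns that the request will be read from stdin whenever `-in` is absent and `-x509` is not given, but that is also the case when `-new`, `-newkey` or `-precert` has already set `newreq` (the later `else if (infile != NULL)` check in this diff relies on exactly that), and then nothing is read from stdin at all; the branch should be `else if (!newreq)` so the warning only appears when a request really is loaded. The wording here, "Will read cert request from stdin", also differs from the equivalent warnings added to the x509 app ("Reading cert request from stdin", "Reading certificate from stdin"); one phrasing across both apps would be easier to search for. req_main's body continues on both sides of this hunk.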
if (!app_passwd(passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
app_RAND_load_conf(req_conf, section);
}
+ if (keyalg != NULL && pkey != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Not generating key via given -newkey option since -key is given\n");
+ /* Better throw an error in this case */
+ }
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
goto end;
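Review bot: The comment `/* Better throw an error in this case */` under the new `-newkey`-ignored warning records an intended behaviour change as a plain remark, so it will not show up in a TODO search; make it `/* TODO: reject -newkey together with -key with an error instead of a warning */`. The same wording is used again in this diff at the `-in`-ignored branch (`/* Better throw an error in this case, as done in the x509 app */`) and deserves the same treatment. The enclosing function starts and ends outside the hunk.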
if (!newreq) {
- req = load_csr(infile, informat, "X509 request");
+ if (keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not placing -key in cert or request since request is used\n");
+ req = load_csr(infile /* if NULL, reads from stdin */,
+ informat, "X509 request");
if (req == NULL)
goto end;
+ } else if (infile != NULL) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
+ /* Better throw an error in this case, as done in the x509 app */
}
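Review bot: The comment placed inside the argument list, `req = load_csr(infile /* if NULL, reads from stdin */,`, splits the call over two lines and is easy to overlook; it reads better as a line above the call, `/* load_csr() reads from stdin when infile is NULL */`, with the call kept on one line as before. The `if (!newreq)` block and the enclosing function continue outside the hunk.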
if (CAkeyfile == NULL)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
- "Ignoring -CAkey option since no -CA option is given\n");
+ "Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
BIO_printf(bio_err, "Error making certificate request\n");
goto end;
}
+ /* Note that -x509 can take over -key and -subj option values. */
}
if (gen_x509) {
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
+ if (CAcert != NULL && keyfile != NULL)
+ BIO_printf(bio_err,
+ "Warning: Not using -key or -newkey for signing since -CA option is given\n");
+
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
goto end;
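Review bot: The new warning text names both `-key` and `-newkey`, but the guard `if (CAcert != NULL && keyfile != NULL)` tests only keyfile, which elsewhere in this diff appears to be set by `-key` alone, so `-newkey` combined with `-CA` would not trigger it. If keyalg is the variable `-newkey` sets (it is what the earlier `-newkey`/`-key` warning in this diff tests), either widen the guard to `if (CAcert != NULL && (keyfile != NULL || keyalg != NULL))` or drop "-newkey" from the message so text and condition agree. The enclosing `if (gen_x509)` block and req_main continue outside the hunk.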
} else {
X509V3_CTX ext_ctx;
+ if (precert) {
+ BIO_printf(bio_err,
+ "Warning: Ignoring -precert flag since no cert is produced\n");
+ }
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
X509V3_set_nconf(&ext_ctx, req_conf);
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<',
- "Certificate input (default stdin), or CSR input file with -req"},
+ "Certificate input, or CSR input file with -req (default stdin)"},
{"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
{"x509toreq", OPT_X509TOREQ, '-',
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
- "Key to be used in certificate or cert request"},
+ "Key for signing, and to include unless using -force_pubkey"},
{"signkey", OPT_SIGNKEY, 's',
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
}
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
- "The -new option without -key requires using -force_pubkey\n");
+ "The -new option requires using the -key or -force_pubkey option\n");
goto end;
}
}
CAkeyfile = CAfile;
if (CAfile != NULL) {
if (privkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
+ BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
}
if (reqfile) {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr(infile, informat, "certificate request input");
if (req == NULL)
goto end;
}
}
} else {
+ if (infile == NULL)
+ BIO_printf(bio_err,
+ "Warning: Reading certificate from stdin since no -in option is given\n");
x = load_cert_pass(infile, informat, 1, passin, "certificate");
if (x == NULL)
goto end;
if (x509toreq) { /* also works in conjunction with -req */
if (privkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -key\n");
+ BIO_printf(bio_err, "Must specify request signing key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
=item B<-in> I<filename>
-This specifies the input filename to read a request from or standard input
-if this option is not specified. A request is only read if the creation
-options (B<-new> or B<-newkey>) are not specified.
+This specifies the input filename to read a request from.
+This defaults to standard input unless B<-x509> or B<-CA> is specified.
+A request is only read if the creation options
+(B<-new> or B<-newkey> or B<-precert>) are not specified.
=item B<-sigopt> I<nm>:I<v>
=item B<-newkey> I<arg>
-This option creates a new certificate request and a new private
-key. The argument takes one of several forms.
+This option is used to generate a new private key unless B<-key> is given.
+It is subsequently used as if it was given using the B<-key> option.
+
+This option implies the B<-new> flag to create a new certificate request
+or a new certificate in case B<-x509> is given.
+
+The argument takes one of several forms.
[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
=item B<-key> I<filename>|I<uri>
-This specifies the key to include and to use for request self-signature
-and for self-signing certificates produced with the B<-x509> option.
-It also accepts PKCS#8 format private keys for PEM format files.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-in> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+For certificate signing this option is overridden by the B<-CA> option.
+
+This option also accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
This is typically used to generate test certificates.
It is implied by the B<-CA> option.
+This option implies the B<-new> flag if B<-in> is not given.
+
If an existing request is specified with the B<-in> option, it is converted
to the a certificate; otherwise a request is created from scratch.
=item B<-in> I<filename>|I<uri>
-If the B<-req> option is not used this specifies the input
-to read a certificate from or standard input if this option is not specified.
-With the B<-req> option this specifies a certificate request file.
+This specifies the input to read a certificate from
+or the input file for reading a certificate request if the B<-req> flag is used.
+In both cases this defaults to standard input.
+
+This option cannot be combined with the B<-new> flag.
=item B<-passin> I<arg>
=item B<-key> I<filename>|I<uri>
-This option causes the new certificate or certificate request
-to be self-signed using the supplied private key.
-This cannot be used in conjunction with the B<-CA> option.
+This option provides the private key for signing a new certificate or
+certificate request.
+Unless B<-force_pubkey> is given, the corresponding public key is placed in
+the new certificate or certificate request, resulting in a self-signature.
+
+This option cannot be used in conjunction with the B<-CA> option.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden
This option cannot be used in conjunction with the B<-key> option.
This option is normally combined with the B<-req> option referencing a CSR.
-Without the B<-req> option the input must be a self-signed certificate
+Without the B<-req> option the input must be an existing certificate
unless the B<-new> option is given, which generates a certificate from scratch.
=item B<-CAform> B<DER>|B<PEM>|B<P12>,