2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-ca - sample minimal CA application
13 [B<-config> I<filename>]
15 [B<-section> I<section>]
19 [B<-status> I<serial>]
21 [B<-crl_reason> I<reason>]
22 [B<-crl_hold> I<instruction>]
23 [B<-crl_compromise> I<time>]
24 [B<-crl_CA_compromise> I<time>]
25 [B<-crl_lastupdate> I<date>]
26 [B<-crl_nextupdate> I<date>]
28 [B<-crlhours> I<hours>]
29 [B<-crlsec> I<seconds>]
30 [B<-crlexts> I<section>]
31 [B<-startdate> I<date>]
36 [B<-keyfile> I<filename>|I<uri>]
37 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
41 [B<-certform> B<DER>|B<PEM>|B<P12>]
44 [B<-inform> B<DER>|<PEM>]
56 [B<-extensions> I<section>]
57 [B<-extfile> I<section>]
60 [B<-sigopt> I<nm>:I<v>]
61 [B<-vfyopt> I<nm>:I<v>]
65 {- $OpenSSL::safe::opt_r_synopsis -}
66 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
71 This command emulates a CA application.
72 See the B<WARNINGS> especially when considering to use it productively.
73 It can be used to sign certificate requests (CSRs) in a variety of forms
74 and generate certificate revocation lists (CRLs).
75 It also maintains a text database of issued certificates and their status.
76 When signing certificates, a single request can be specified
77 with the B<-in> option, or multiple requests can be processed by
78 specifying a set of B<certreq> files after all options.
80 Note that there are also very lean ways of generating certificates:
81 the B<req> and B<x509> commands can be used for directly creating certificates.
82 See L<openssl-req(1)> and L<openssl-x509(1)> for details.
84 The descriptions of the B<ca> command options are divided into each purpose.
92 Print out a usage message.
96 This prints extra details about the operations being performed.
98 =item B<-config> I<filename>
100 Specifies the configuration file to use.
101 Optional; for a description of the default value,
102 see L<openssl(1)/COMMAND SUMMARY>.
104 =item B<-name> I<section>, B<-section> I<section>
106 Specifies the configuration file section to use (overrides
107 B<default_ca> in the B<ca> section).
109 =item B<-in> I<filename>
111 An input filename containing a single certificate request (CSR) to be
114 =item B<-inform> B<DER>|B<PEM>
116 The format of the data in certificate request input files;
117 unspecified by default.
118 See L<openssl-format-options(1)> for details.
120 =item B<-ss_cert> I<filename>
122 A single self-signed certificate to be signed by the CA.
124 =item B<-spkac> I<filename>
126 A file containing a single Netscape signed public key and challenge
127 and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
128 section for information on the required input and output format.
132 If present this should be the last option, all subsequent arguments
133 are taken as the names of files containing certificate requests.
135 =item B<-out> I<filename>
137 The output file to output certificates to. The default is standard
138 output. The certificate details will also be printed out to this
139 file in PEM format (except that B<-spkac> outputs DER format).
141 =item B<-outdir> I<directory>
143 The directory to output certificates to. The certificate will be
144 written to a filename consisting of the serial number in hex with
147 =item B<-cert> I<filename>
149 The CA certificate, which must match with B<-keyfile>.
151 =item B<-certform> B<DER>|B<PEM>|B<P12>
153 The format of the data in certificate input files; unspecified by default.
154 See L<openssl-format-options(1)> for details.
156 =item B<-keyfile> I<filename>|I<uri>
158 The CA private key to sign certificate requests with.
159 This must match with B<-cert>.
161 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
163 The format of the private key input file; unspecified by default.
164 See L<openssl-format-options(1)> for details.
166 =item B<-sigopt> I<nm>:I<v>
168 Pass options to the signature algorithm during sign operations.
169 Names and values of these options are algorithm-specific.
171 =item B<-vfyopt> I<nm>:I<v>
173 Pass options to the signature algorithm during verify operations.
174 Names and values of these options are algorithm-specific.
176 This often needs to be given while signing too, because the self-signature of
177 a certificate signing request (CSR) is verified against the included public key,
178 and that verification may need its own set of options.
180 =item B<-key> I<password>
182 =for openssl foreign manual ps(1)
184 The password used to encrypt the private key. Since on some
185 systems the command line arguments are visible (e.g., when using
187 this option should be used with caution.
188 Better use B<-passin>.
190 =item B<-passin> I<arg>
192 The key password source for key files and certificate PKCS#12 files.
193 For more information about the format of B<arg>
194 see L<openssl-passphrase-options(1)>.
198 Indicates the issued certificates are to be signed with the key
199 the certificate requests were signed with (given with B<-keyfile>).
200 Certificate requests signed with a different key are ignored.
201 If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.
203 A consequence of using B<-selfsign> is that the self-signed
204 certificate appears among the entries in the certificate database
205 (see the configuration option B<database>), and uses the same
206 serial number counter as all other certificates sign with the
207 self-signed certificate.
211 Don't output the text form of a certificate to the output file.
215 Specify the date output format. Values are: rfc_822 and iso_8601.
218 =item B<-startdate> I<date>
220 This allows the start date to be explicitly set. The format of the
221 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
222 YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
223 both formats, seconds SS and timezone Z must be present.
225 =item B<-enddate> I<date>
227 This allows the expiry date to be explicitly set. The format of the
228 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
229 YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
230 both formats, seconds SS and timezone Z must be present.
232 =item B<-days> I<arg>
234 The number of days to certify the certificate for.
238 The message digest to use.
239 Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
240 algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
241 digest that is set is ignored. This option also applies to CRLs.
243 =item B<-policy> I<arg>
245 This option defines the CA "policy" to use. This is a section in
246 the configuration file which decides which fields should be mandatory
247 or match the CA certificate. Check out the B<POLICY FORMAT> section
248 for more information.
252 This is a deprecated option to make this command work with very old versions
253 of the IE certificate enrollment control "certenr3". It used UniversalStrings
254 for almost everything. Since the old control has various security bugs
255 its use is strongly discouraged.
259 Normally the DN order of a certificate is the same as the order of the
260 fields in the relevant policy section. When this option is set the order
261 is the same as the request. This is largely for compatibility with the
262 older IE enrollment control which would only accept certificates if their
263 DNs match the order of the request. This is not needed for Xenroll.
267 The DN of a certificate can contain the EMAIL field if present in the
268 request DN, however, it is good policy just having the e-mail set into
269 the altName extension of the certificate. When this option is set the
270 EMAIL field is removed from the certificate' subject and set only in
271 the, eventually present, extensions. The B<email_in_dn> keyword can be
272 used in the configuration file to enable this behaviour.
276 This sets the batch mode. In this mode no questions will be asked
277 and all certificates will be certified automatically.
279 =item B<-extensions> I<section>
281 The section of the configuration file containing certificate extensions
282 to be added when a certificate is issued (defaults to B<x509_extensions>
283 unless the B<-extfile> option is used).
284 If no X.509 extensions are specified then a V1 certificate is created,
285 else a V3 certificate is created.
286 See the L<x509v3_config(5)> manual page for details of the
287 extension section format.
289 =item B<-extfile> I<file>
291 An additional configuration file to read certificate extensions from
292 (using the default section unless the B<-extensions> option is also
295 =item B<-subj> I<arg>
297 Supersedes subject name given in the request.
299 The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
300 Special characters may be escaped by C<\> (backslash), whitespace is retained.
301 Empty values are permitted, but the corresponding type will not be included
302 in the resulting certificate.
303 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
304 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
305 between the AttributeValueAssertions (AVAs) that specify the members of the set.
308 C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
312 This option causes field values to be interpreted as UTF8 strings, by
313 default they are interpreted as ASCII. This means that the field
314 values, whether prompted from a terminal or obtained from a
315 configuration file, must be valid UTF8 strings.
317 =item B<-create_serial>
319 If reading serial from the text file as specified in the configuration
320 fails, specifying this option creates a new random serial to be used as next
322 To get random serial numbers, use the B<-rand_serial> flag instead; this
323 should only be used for simple error-recovery.
325 =item B<-rand_serial>
327 Generate a large random number to use as the serial number.
328 This overrides any option or configuration to use a serial number file.
330 =item B<-multivalue-rdn>
332 This option has been deprecated and has no effect.
334 {- $OpenSSL::safe::opt_r_item -}
336 {- $OpenSSL::safe::opt_engine_item -}
338 {- $OpenSSL::safe::opt_provider_item -}
348 This option generates a CRL based on information in the index file.
350 =item B<-crl_lastupdate> I<time>
352 Allows the value of the CRL's lastUpdate field to be explicitly set; if
353 this option is not present, the current time is used. Accepts times in
354 YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
355 YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
357 =item B<-crl_nextupdate> I<time>
359 Allows the value of the CRL's nextUpdate field to be explicitly set; if
360 this option is present, any values given for B<-crldays>, B<-crlhours>
361 and B<-crlsec> are ignored. Accepts times in the same formats as
364 =item B<-crldays> I<num>
366 The number of days before the next CRL is due. That is the days from
367 now to place in the CRL nextUpdate field.
369 =item B<-crlhours> I<num>
371 The number of hours before the next CRL is due.
373 =item B<-crlsec> I<num>
375 The number of seconds before the next CRL is due.
377 =item B<-revoke> I<filename>
379 A filename containing a certificate to revoke.
381 =item B<-valid> I<filename>
383 A filename containing a certificate to add a Valid certificate entry.
385 =item B<-status> I<serial>
387 Displays the revocation status of the certificate with the specified
388 serial number and exits.
392 Updates the database index to purge expired certificates.
394 =item B<-crl_reason> I<reason>
396 Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
397 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
398 B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
399 insensitive. Setting any revocation reason will make the CRL v2.
401 In practice B<removeFromCRL> is not particularly useful because it is only used
402 in delta CRLs which are not currently implemented.
404 =item B<-crl_hold> I<instruction>
406 This sets the CRL revocation reason code to B<certificateHold> and the hold
407 instruction to I<instruction> which must be an OID. Although any OID can be
408 used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
409 B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
411 =item B<-crl_compromise> I<time>
413 This sets the revocation reason to B<keyCompromise> and the compromise time to
414 I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
416 =item B<-crl_CA_compromise> I<time>
418 This is the same as B<crl_compromise> except the revocation reason is set to
421 =item B<-crlexts> I<section>
423 The section of the configuration file containing CRL extensions to
424 include. If no CRL extension section is present then a V1 CRL is
425 created, if the CRL extension section is present (even if it is
426 empty) then a V2 CRL is created. The CRL extensions specified are
427 CRL extensions and B<not> CRL entry extensions. It should be noted
428 that some software (for example Netscape) can't handle V2 CRLs. See
429 L<x509v3_config(5)> manual page for details of the
430 extension section format.
434 =head1 CONFIGURATION FILE OPTIONS
436 The section of the configuration file containing options for this command
437 is found as follows: If the B<-name> command line option is used,
438 then it names the section to be used. Otherwise the section to
439 be used must be named in the B<default_ca> option of the B<ca> section
440 of the configuration file (or in the default section of the
441 configuration file). Besides B<default_ca>, the following options are
442 read directly from the B<ca> section:
446 With the exception of B<RANDFILE>, this is probably a bug and may
447 change in future releases.
449 Many of the configuration file options are identical to command line
450 options. Where the option is present in the configuration file
451 and the command line the command line value is used. Where an
452 option is described as mandatory then it must be present in
453 the configuration file or the command line equivalent (if
460 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
461 Each line of the file should consist of the numerical form of the
462 object identifier followed by whitespace then the short name followed
463 by whitespace and finally the long name.
467 This specifies a section in the configuration file containing extra
468 object identifiers. Each line should consist of the short name of the
469 object identifier followed by B<=> and the numerical form. The short
470 and long names are the same when this option is used.
472 =item B<new_certs_dir>
474 The same as the B<-outdir> command line option. It specifies
475 the directory where new certificates will be placed. Mandatory.
479 The same as B<-cert>. It gives the file containing the CA
480 certificate. Mandatory.
484 Same as the B<-keyfile> option. The file containing the
485 CA private key. Mandatory.
489 At startup the specified file is loaded into the random number generator,
490 and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
491 not necessary anymore, see the L</HISTORY> section.
493 =item B<default_days>
495 The same as the B<-days> option. The number of days to certify
498 =item B<default_startdate>
500 The same as the B<-startdate> option. The start date to certify
501 a certificate for. If not set the current time is used.
503 =item B<default_enddate>
505 The same as the B<-enddate> option. Either this option or
506 B<default_days> (or the command line equivalents) must be
509 =item B<default_crl_hours default_crl_days>
511 The same as the B<-crlhours> and the B<-crldays> options. These
512 will only be used if neither command line option is present. At
513 least one of these must be present to generate a CRL.
517 The same as the B<-md> option. Mandatory except where the signing algorithm does
518 not require a digest (i.e. Ed25519 and Ed448).
522 The text database file to use. Mandatory. This file must be present
523 though initially it will be empty.
525 =item B<unique_subject>
527 If the value B<yes> is given, the valid certificate entries in the
528 database must have unique subjects. if the value B<no> is given,
529 several valid certificate entries may have the exact same subject.
530 The default value is B<yes>, to be compatible with older (pre 0.9.8)
531 versions of OpenSSL. However, to make CA certificate roll-over easier,
532 it's recommended to use the value B<no>, especially if combined with
533 the B<-selfsign> command line option.
535 Note that it is valid in some circumstances for certificates to be created
536 without any subject. In the case where there are multiple certificates without
537 subjects this does not count as a duplicate.
541 A text file containing the next serial number to use in hex. Mandatory.
542 This file must be present and contain a valid serial number.
546 A text file containing the next CRL number to use in hex. The crl number
547 will be inserted in the CRLs only if this file exists. If this file is
548 present, it must contain a valid CRL number.
550 =item B<x509_extensions>
552 A fallback to the B<-extensions> option.
554 =item B<crl_extensions>
556 A fallback to the B<-crlexts> option.
560 The same as B<-preserveDN>
564 The same as B<-noemailDN>. If you want the EMAIL field to be removed
565 from the DN of the certificate simply set this to 'no'. If not present
566 the default is to allow for the EMAIL filed in the certificate's DN.
570 The same as B<-msie_hack>
574 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
575 for more information.
577 =item B<name_opt>, B<cert_opt>
579 These options allow the format used to display the certificate details
580 when asking the user to confirm signing. All the options supported by
581 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
582 here, except the B<no_signame> and B<no_sigdump> are permanently set
583 and cannot be disabled (this is because the certificate signature cannot
584 be displayed because the certificate has not been signed at this point).
586 For convenience the values B<ca_default> are accepted by both to produce
589 If neither option is present the format used in earlier versions of
590 OpenSSL is used. Use of the old format is B<strongly> discouraged because
591 it only displays fields mentioned in the B<policy> section, mishandles
592 multicharacter string types and does not display extensions.
594 =item B<copy_extensions>
596 Determines how extensions in certificate requests should be handled.
597 If set to B<none> or this option is not present then extensions are
598 ignored and not copied to the certificate. If set to B<copy> then any
599 extensions present in the request that are not already present are copied
600 to the certificate. If set to B<copyall> then all extensions in the
601 request are copied to the certificate: if the extension is already present
602 in the certificate it is deleted first. See the B<WARNINGS> section before
605 The main use of this option is to allow a certificate request to supply
606 values for certain extensions such as subjectAltName.
612 The policy section consists of a set of variables corresponding to
613 certificate DN fields. If the value is "match" then the field value
614 must match the same field in the CA certificate. If the value is
615 "supplied" then it must be present. If the value is "optional" then
616 it may be present. Any fields not mentioned in the policy section
617 are silently deleted, unless the B<-preserveDN> option is set but
618 this can be regarded more of a quirk than intended behaviour.
622 The input to the B<-spkac> command line option is a Netscape
623 signed public key and challenge. This will usually come from
624 the B<KEYGEN> tag in an HTML form to create a new private key.
625 It is however possible to create SPKACs using L<openssl-spkac(1)>.
627 The file should contain the variable SPKAC set to the value of
628 the SPKAC and also the required DN components as name value pairs.
629 If you need to include the same component twice then it can be
630 preceded by a number and a '.'.
632 When processing SPKAC format, the output is DER if the B<-out>
633 flag is used, but PEM format if sending to stdout or the B<-outdir>
638 Note: these examples assume that the directory structure this command
639 assumes is already set up and the relevant files already exist. This
640 usually involves creating a CA certificate and private key with
641 L<openssl-req(1)>, a serial number file and an empty index file and
642 placing them in the relevant directories.
644 To use the sample configuration file below the directories F<demoCA>,
645 F<demoCA/private> and F<demoCA/newcerts> would be created. The CA
646 certificate would be copied to F<demoCA/cacert.pem> and its private
647 key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
648 created containing for example "01" and the empty index file
652 Sign a certificate request:
654 openssl ca -in req.pem -out newcert.pem
656 Sign an SM2 certificate request:
658 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
659 -sigopt "distid:1234567812345678" \
660 -vfyopt "distid:1234567812345678"
662 Sign a certificate request, using CA extensions:
664 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
668 openssl ca -gencrl -out crl.pem
670 Sign several requests:
672 openssl ca -infiles req1.pem req2.pem req3.pem
674 Certify a Netscape SPKAC:
676 openssl ca -spkac spkac.txt
678 A sample SPKAC file (the SPKAC line has been truncated for clarity):
680 SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
682 emailAddress=steve@openssl.org
686 A sample configuration file with the relevant sections for this command:
689 default_ca = CA_default # The default ca section
693 dir = ./demoCA # top dir
694 database = $dir/index.txt # index file.
695 new_certs_dir = $dir/newcerts # new certs dir
697 certificate = $dir/cacert.pem # The CA cert
698 serial = $dir/serial # serial no file
699 #rand_serial = yes # for random serial#'s
700 private_key = $dir/private/cakey.pem# CA private key
702 default_days = 365 # how long to certify for
703 default_crl_days= 30 # how long before next CRL
704 default_md = md5 # md to use
706 policy = policy_any # default policy
707 email_in_dn = no # Don't add the email into cert DN
709 name_opt = ca_default # Subject name display option
710 cert_opt = ca_default # Certificate display option
711 copy_extensions = none # Don't copy extensions from request
714 countryName = supplied
715 stateOrProvinceName = optional
716 organizationName = optional
717 organizationalUnitName = optional
718 commonName = supplied
719 emailAddress = optional
723 Note: the location of all files can change either by compile time options,
724 configuration file entries, environment variables or command line options.
725 The values below reflect the default values.
727 /usr/local/ssl/lib/openssl.cnf - master configuration file
728 ./demoCA - main CA directory
729 ./demoCA/cacert.pem - CA certificate
730 ./demoCA/private/cakey.pem - CA private key
731 ./demoCA/serial - CA serial number file
732 ./demoCA/serial.old - CA serial number backup file
733 ./demoCA/index.txt - CA text database file
734 ./demoCA/index.txt.old - CA text database backup file
735 ./demoCA/certs - certificate output file
739 The text database index file is a critical part of the process and
740 if corrupted it can be difficult to fix. It is theoretically possible
741 to rebuild the index file from all the issued certificates and a current
742 CRL: however there is no option to do this.
744 V2 CRL features like delta CRLs are not currently supported.
746 Although several requests can be input and handled at once it is only
747 possible to include one SPKAC or self-signed certificate.
751 This command is quirky and at times downright unfriendly.
753 The use of an in-memory text database can cause problems when large
754 numbers of certificates are present because, as the name implies
755 the database has to be kept in memory.
757 This command really needs rewriting or the required functionality
758 exposed at either a command or interface level so that a more user-friendly
759 replacement could handle things properly. The script
760 B<CA.pl> helps a little but not very much.
762 Any fields in a request that are not present in a policy are silently
763 deleted. This does not happen if the B<-preserveDN> option is used. To
764 enforce the absence of the EMAIL field within the DN, as suggested by
765 RFCs, regardless the contents of the request' subject the B<-noemailDN>
766 option can be used. The behaviour should be more friendly and
769 Canceling some commands by refusing to certify a certificate can
770 create an empty file.
774 This command was originally meant as an example of how to do things in a CA.
775 Its code does not have production quality.
776 It was not supposed to be used as a full blown CA itself,
777 nevertheless some people are using it for this purpose at least internally.
778 When doing so, specific care should be taken to
779 properly secure the private key(s) used for signing certificates.
780 It is advisable to keep them in a secure HW storage such as a smart card or HSM
781 and access them via a suitable engine or crypto provider.
783 This command command is effectively a single user command: no locking
784 is done on the various files and attempts to run more than one B<openssl ca>
785 command on the same database can have unpredictable results.
787 The B<copy_extensions> option should be used with caution. If care is
788 not taken then it can be a security risk. For example if a certificate
789 request contains a basicConstraints extension with CA:TRUE and the
790 B<copy_extensions> value is set to B<copyall> and the user does not spot
791 this when the certificate is displayed then this will hand the requester
792 a valid CA certificate.
793 This situation can be avoided by setting B<copy_extensions> to B<copy>
794 and including basicConstraints with CA:FALSE in the configuration file.
795 Then if the request contains a basicConstraints extension it will be
798 It is advisable to also include values for other extensions such
799 as B<keyUsage> to prevent a request supplying its own values.
801 Additional restrictions can be placed on the CA certificate itself.
802 For example if the CA certificate has:
804 basicConstraints = CA:TRUE, pathlen:0
806 then even if a certificate is issued with CA:TRUE it will not be valid.
810 Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
811 certificate validity period (specified by any of B<-startdate>,
812 B<-enddate> and B<-days>) and CRL last/next update time (specified by
813 any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
814 and B<-crlsec>) will be encoded as UTCTime if the dates are
815 earlier than year 2049 (included), and as GeneralizedTime if the dates
816 are in year 2050 or later.
818 OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
819 seeding mechanism. The new seeding mechanism makes it unnecessary to
820 define a RANDFILE for saving and restoring randomness. This option is
821 retained mainly for compatibility reasons.
823 The B<-section> option was added in OpenSSL 3.0.0.
825 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
828 The B<-engine> option was deprecated in OpenSSL 3.0.
842 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
844 Licensed under the Apache License 2.0 (the "License"). You may not use
845 this file except in compliance with the License. You can obtain a copy
846 in the file LICENSE in the source distribution or at
847 L<https://www.openssl.org/source/license.html>.