2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-ca - sample minimal CA application
14 [B<-config> I<filename>]
16 [B<-section> I<section>]
20 [B<-status> I<serial>]
22 [B<-crl_reason> I<reason>]
23 [B<-crl_hold> I<instruction>]
24 [B<-crl_compromise> I<time>]
25 [B<-crl_CA_compromise> I<time>]
26 [B<-crl_lastupdate> I<date>]
27 [B<-crl_nextupdate> I<date>]
29 [B<-crlhours> I<hours>]
30 [B<-crlsec> I<seconds>]
31 [B<-crlexts> I<section>]
32 [B<-startdate> I<date>]
37 [B<-keyfile> I<filename>|I<uri>]
38 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
42 [B<-certform> B<DER>|B<PEM>|B<P12>]
45 [B<-inform> B<DER>|<PEM>]
57 [B<-extensions> I<section>]
58 [B<-extfile> I<section>]
61 [B<-sigopt> I<nm>:I<v>]
62 [B<-vfyopt> I<nm>:I<v>]
66 {- $OpenSSL::safe::opt_r_synopsis -}
67 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
72 This command emulates a CA application.
73 See the B<WARNINGS> especially when considering to use it productively.
74 It can be used to sign certificate requests (CSRs) in a variety of forms
75 and generate certificate revocation lists (CRLs).
76 It also maintains a text database of issued certificates and their status.
77 When signing certificates, a single request can be specified
78 with the B<-in> option, or multiple requests can be processed by
79 specifying a set of B<certreq> files after all options.
81 Note that there are also very lean ways of generating certificates:
82 the B<req> and B<x509> commands can be used for directly creating certificates.
83 See L<openssl-req(1)> and L<openssl-x509(1)> for details.
85 The descriptions of the B<ca> command options are divided into each purpose.
93 Print out a usage message.
97 This prints extra details about the operations being performed.
101 This prints fewer details about the operations being performed, which may
102 be handy during batch scripts or pipelines.
104 =item B<-config> I<filename>
106 Specifies the configuration file to use.
107 Optional; for a description of the default value,
108 see L<openssl(1)/COMMAND SUMMARY>.
110 =item B<-name> I<section>, B<-section> I<section>
112 Specifies the configuration file section to use (overrides
113 B<default_ca> in the B<ca> section).
115 =item B<-in> I<filename>
117 An input filename containing a single certificate request (CSR) to be
120 =item B<-inform> B<DER>|B<PEM>
122 The format of the data in certificate request input files;
123 unspecified by default.
124 See L<openssl-format-options(1)> for details.
126 =item B<-ss_cert> I<filename>
128 A single self-signed certificate to be signed by the CA.
130 =item B<-spkac> I<filename>
132 A file containing a single Netscape signed public key and challenge
133 and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
134 section for information on the required input and output format.
138 If present this should be the last option, all subsequent arguments
139 are taken as the names of files containing certificate requests.
141 =item B<-out> I<filename>
143 The output file to output certificates to. The default is standard
144 output. The certificate details will also be printed out to this
145 file in PEM format (except that B<-spkac> outputs DER format).
147 =item B<-outdir> I<directory>
149 The directory to output certificates to. The certificate will be
150 written to a filename consisting of the serial number in hex with
153 =item B<-cert> I<filename>
155 The CA certificate, which must match with B<-keyfile>.
157 =item B<-certform> B<DER>|B<PEM>|B<P12>
159 The format of the data in certificate input files; unspecified by default.
160 See L<openssl-format-options(1)> for details.
162 =item B<-keyfile> I<filename>|I<uri>
164 The CA private key to sign certificate requests with.
165 This must match with B<-cert>.
167 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
169 The format of the private key input file; unspecified by default.
170 See L<openssl-format-options(1)> for details.
172 =item B<-sigopt> I<nm>:I<v>
174 Pass options to the signature algorithm during sign operations.
175 Names and values of these options are algorithm-specific.
177 =item B<-vfyopt> I<nm>:I<v>
179 Pass options to the signature algorithm during verify operations.
180 Names and values of these options are algorithm-specific.
182 This often needs to be given while signing too, because the self-signature of
183 a certificate signing request (CSR) is verified against the included public key,
184 and that verification may need its own set of options.
186 =item B<-key> I<password>
188 =for openssl foreign manual ps(1)
190 The password used to encrypt the private key. Since on some
191 systems the command line arguments are visible (e.g., when using
193 this option should be used with caution.
194 Better use B<-passin>.
196 =item B<-passin> I<arg>
198 The key password source for key files and certificate PKCS#12 files.
199 For more information about the format of B<arg>
200 see L<openssl-passphrase-options(1)>.
204 Indicates the issued certificates are to be signed with the key
205 the certificate requests were signed with (given with B<-keyfile>).
206 Certificate requests signed with a different key are ignored.
207 If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.
209 A consequence of using B<-selfsign> is that the self-signed
210 certificate appears among the entries in the certificate database
211 (see the configuration option B<database>), and uses the same
212 serial number counter as all other certificates sign with the
213 self-signed certificate.
217 Don't output the text form of a certificate to the output file.
221 Specify the date output format. Values are: rfc_822 and iso_8601.
224 =item B<-startdate> I<date>
226 This allows the start date to be explicitly set. The format of the
227 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
228 YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
229 both formats, seconds SS and timezone Z must be present.
231 =item B<-enddate> I<date>
233 This allows the expiry date to be explicitly set. The format of the
234 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
235 YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
236 both formats, seconds SS and timezone Z must be present.
238 =item B<-days> I<arg>
240 The number of days to certify the certificate for.
244 The message digest to use.
245 Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
246 algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
247 digest that is set is ignored. This option also applies to CRLs.
249 =item B<-policy> I<arg>
251 This option defines the CA "policy" to use. This is a section in
252 the configuration file which decides which fields should be mandatory
253 or match the CA certificate. Check out the B<POLICY FORMAT> section
254 for more information.
258 This is a deprecated option to make this command work with very old versions
259 of the IE certificate enrollment control "certenr3". It used UniversalStrings
260 for almost everything. Since the old control has various security bugs
261 its use is strongly discouraged.
265 Normally the DN order of a certificate is the same as the order of the
266 fields in the relevant policy section. When this option is set the order
267 is the same as the request. This is largely for compatibility with the
268 older IE enrollment control which would only accept certificates if their
269 DNs match the order of the request. This is not needed for Xenroll.
273 The DN of a certificate can contain the EMAIL field if present in the
274 request DN, however, it is good policy just having the e-mail set into
275 the altName extension of the certificate. When this option is set the
276 EMAIL field is removed from the certificate' subject and set only in
277 the, eventually present, extensions. The B<email_in_dn> keyword can be
278 used in the configuration file to enable this behaviour.
282 This sets the batch mode. In this mode no questions will be asked
283 and all certificates will be certified automatically.
285 =item B<-extensions> I<section>
287 The section of the configuration file containing certificate extensions
288 to be added when a certificate is issued (defaults to B<x509_extensions>
289 unless the B<-extfile> option is used).
290 If no X.509 extensions are specified then a V1 certificate is created,
291 else a V3 certificate is created.
292 See the L<x509v3_config(5)> manual page for details of the
293 extension section format.
295 =item B<-extfile> I<file>
297 An additional configuration file to read certificate extensions from
298 (using the default section unless the B<-extensions> option is also
301 =item B<-subj> I<arg>
303 Supersedes subject name given in the request.
305 The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
306 Special characters may be escaped by C<\> (backslash), whitespace is retained.
307 Empty values are permitted, but the corresponding type will not be included
308 in the resulting certificate.
309 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
310 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
311 between the AttributeValueAssertions (AVAs) that specify the members of the set.
314 C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
318 This option causes field values to be interpreted as UTF8 strings, by
319 default they are interpreted as ASCII. This means that the field
320 values, whether prompted from a terminal or obtained from a
321 configuration file, must be valid UTF8 strings.
323 =item B<-create_serial>
325 If reading serial from the text file as specified in the configuration
326 fails, specifying this option creates a new random serial to be used as next
328 To get random serial numbers, use the B<-rand_serial> flag instead; this
329 should only be used for simple error-recovery.
331 =item B<-rand_serial>
333 Generate a large random number to use as the serial number.
334 This overrides any option or configuration to use a serial number file.
336 =item B<-multivalue-rdn>
338 This option has been deprecated and has no effect.
340 {- $OpenSSL::safe::opt_r_item -}
342 {- $OpenSSL::safe::opt_engine_item -}
344 {- $OpenSSL::safe::opt_provider_item -}
354 This option generates a CRL based on information in the index file.
356 =item B<-crl_lastupdate> I<time>
358 Allows the value of the CRL's lastUpdate field to be explicitly set; if
359 this option is not present, the current time is used. Accepts times in
360 YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
361 YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
363 =item B<-crl_nextupdate> I<time>
365 Allows the value of the CRL's nextUpdate field to be explicitly set; if
366 this option is present, any values given for B<-crldays>, B<-crlhours>
367 and B<-crlsec> are ignored. Accepts times in the same formats as
370 =item B<-crldays> I<num>
372 The number of days before the next CRL is due. That is the days from
373 now to place in the CRL nextUpdate field.
375 =item B<-crlhours> I<num>
377 The number of hours before the next CRL is due.
379 =item B<-crlsec> I<num>
381 The number of seconds before the next CRL is due.
383 =item B<-revoke> I<filename>
385 A filename containing a certificate to revoke.
387 =item B<-valid> I<filename>
389 A filename containing a certificate to add a Valid certificate entry.
391 =item B<-status> I<serial>
393 Displays the revocation status of the certificate with the specified
394 serial number and exits.
398 Updates the database index to purge expired certificates.
400 =item B<-crl_reason> I<reason>
402 Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
403 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
404 B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
405 insensitive. Setting any revocation reason will make the CRL v2.
407 In practice B<removeFromCRL> is not particularly useful because it is only used
408 in delta CRLs which are not currently implemented.
410 =item B<-crl_hold> I<instruction>
412 This sets the CRL revocation reason code to B<certificateHold> and the hold
413 instruction to I<instruction> which must be an OID. Although any OID can be
414 used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
415 B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
417 =item B<-crl_compromise> I<time>
419 This sets the revocation reason to B<keyCompromise> and the compromise time to
420 I<time>. I<time> should be in GeneralizedTime format that is I<YYYYMMDDHHMMSSZ>.
422 =item B<-crl_CA_compromise> I<time>
424 This is the same as B<crl_compromise> except the revocation reason is set to
427 =item B<-crlexts> I<section>
429 The section of the configuration file containing CRL extensions to
430 include. If no CRL extension section is present then a V1 CRL is
431 created, if the CRL extension section is present (even if it is
432 empty) then a V2 CRL is created. The CRL extensions specified are
433 CRL extensions and B<not> CRL entry extensions. It should be noted
434 that some software (for example Netscape) can't handle V2 CRLs. See
435 L<x509v3_config(5)> manual page for details of the
436 extension section format.
440 =head1 CONFIGURATION FILE OPTIONS
442 The section of the configuration file containing options for this command
443 is found as follows: If the B<-name> command line option is used,
444 then it names the section to be used. Otherwise the section to
445 be used must be named in the B<default_ca> option of the B<ca> section
446 of the configuration file (or in the default section of the
447 configuration file). Besides B<default_ca>, the following options are
448 read directly from the B<ca> section:
452 With the exception of B<RANDFILE>, this is probably a bug and may
453 change in future releases.
455 Many of the configuration file options are identical to command line
456 options. Where the option is present in the configuration file
457 and the command line the command line value is used. Where an
458 option is described as mandatory then it must be present in
459 the configuration file or the command line equivalent (if
466 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
467 Each line of the file should consist of the numerical form of the
468 object identifier followed by whitespace then the short name followed
469 by whitespace and finally the long name.
473 This specifies a section in the configuration file containing extra
474 object identifiers. Each line should consist of the short name of the
475 object identifier followed by B<=> and the numerical form. The short
476 and long names are the same when this option is used.
478 =item B<new_certs_dir>
480 The same as the B<-outdir> command line option. It specifies
481 the directory where new certificates will be placed. Mandatory.
485 The same as B<-cert>. It gives the file containing the CA
486 certificate. Mandatory.
490 Same as the B<-keyfile> option. The file containing the
491 CA private key. Mandatory.
495 At startup the specified file is loaded into the random number generator,
496 and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
497 not necessary anymore, see the L</HISTORY> section.
499 =item B<default_days>
501 The same as the B<-days> option. The number of days to certify
504 =item B<default_startdate>
506 The same as the B<-startdate> option. The start date to certify
507 a certificate for. If not set the current time is used.
509 =item B<default_enddate>
511 The same as the B<-enddate> option. Either this option or
512 B<default_days> (or the command line equivalents) must be
515 =item B<default_crl_hours default_crl_days>
517 The same as the B<-crlhours> and the B<-crldays> options. These
518 will only be used if neither command line option is present. At
519 least one of these must be present to generate a CRL.
523 The same as the B<-md> option. Mandatory except where the signing algorithm does
524 not require a digest (i.e. Ed25519 and Ed448).
528 The text database file to use. Mandatory. This file must be present
529 though initially it will be empty.
531 =item B<unique_subject>
533 If the value B<yes> is given, the valid certificate entries in the
534 database must have unique subjects. if the value B<no> is given,
535 several valid certificate entries may have the exact same subject.
536 The default value is B<yes>, to be compatible with older (pre 0.9.8)
537 versions of OpenSSL. However, to make CA certificate roll-over easier,
538 it's recommended to use the value B<no>, especially if combined with
539 the B<-selfsign> command line option.
541 Note that it is valid in some circumstances for certificates to be created
542 without any subject. In the case where there are multiple certificates without
543 subjects this does not count as a duplicate.
547 A text file containing the next serial number to use in hex. Mandatory.
548 This file must be present and contain a valid serial number.
552 A text file containing the next CRL number to use in hex. The crl number
553 will be inserted in the CRLs only if this file exists. If this file is
554 present, it must contain a valid CRL number.
556 =item B<x509_extensions>
558 A fallback to the B<-extensions> option.
560 =item B<crl_extensions>
562 A fallback to the B<-crlexts> option.
566 The same as B<-preserveDN>
570 The same as B<-noemailDN>. If you want the EMAIL field to be removed
571 from the DN of the certificate simply set this to 'no'. If not present
572 the default is to allow for the EMAIL filed in the certificate's DN.
576 The same as B<-msie_hack>
580 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
581 for more information.
583 =item B<name_opt>, B<cert_opt>
585 These options allow the format used to display the certificate details
586 when asking the user to confirm signing. All the options supported by
587 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
588 here, except the B<no_signame> and B<no_sigdump> are permanently set
589 and cannot be disabled (this is because the certificate signature cannot
590 be displayed because the certificate has not been signed at this point).
592 For convenience the values B<ca_default> are accepted by both to produce
595 If neither option is present the format used in earlier versions of
596 OpenSSL is used. Use of the old format is B<strongly> discouraged because
597 it only displays fields mentioned in the B<policy> section, mishandles
598 multicharacter string types and does not display extensions.
600 =item B<copy_extensions>
602 Determines how extensions in certificate requests should be handled.
603 If set to B<none> or this option is not present then extensions are
604 ignored and not copied to the certificate. If set to B<copy> then any
605 extensions present in the request that are not already present are copied
606 to the certificate. If set to B<copyall> then all extensions in the
607 request are copied to the certificate: if the extension is already present
608 in the certificate it is deleted first. See the B<WARNINGS> section before
611 The main use of this option is to allow a certificate request to supply
612 values for certain extensions such as subjectAltName.
618 The policy section consists of a set of variables corresponding to
619 certificate DN fields. If the value is "match" then the field value
620 must match the same field in the CA certificate. If the value is
621 "supplied" then it must be present. If the value is "optional" then
622 it may be present. Any fields not mentioned in the policy section
623 are silently deleted, unless the B<-preserveDN> option is set but
624 this can be regarded more of a quirk than intended behaviour.
628 The input to the B<-spkac> command line option is a Netscape
629 signed public key and challenge. This will usually come from
630 the B<KEYGEN> tag in an HTML form to create a new private key.
631 It is however possible to create SPKACs using L<openssl-spkac(1)>.
633 The file should contain the variable SPKAC set to the value of
634 the SPKAC and also the required DN components as name value pairs.
635 If you need to include the same component twice then it can be
636 preceded by a number and a '.'.
638 When processing SPKAC format, the output is DER if the B<-out>
639 flag is used, but PEM format if sending to stdout or the B<-outdir>
644 Note: these examples assume that the directory structure this command
645 assumes is already set up and the relevant files already exist. This
646 usually involves creating a CA certificate and private key with
647 L<openssl-req(1)>, a serial number file and an empty index file and
648 placing them in the relevant directories.
650 To use the sample configuration file below the directories F<demoCA>,
651 F<demoCA/private> and F<demoCA/newcerts> would be created. The CA
652 certificate would be copied to F<demoCA/cacert.pem> and its private
653 key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
654 created containing for example "01" and the empty index file
658 Sign a certificate request:
660 openssl ca -in req.pem -out newcert.pem
662 Sign an SM2 certificate request:
664 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
665 -sigopt "distid:1234567812345678" \
666 -vfyopt "distid:1234567812345678"
668 Sign a certificate request, using CA extensions:
670 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
674 openssl ca -gencrl -out crl.pem
676 Sign several requests:
678 openssl ca -infiles req1.pem req2.pem req3.pem
680 Certify a Netscape SPKAC:
682 openssl ca -spkac spkac.txt
684 A sample SPKAC file (the SPKAC line has been truncated for clarity):
686 SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
688 emailAddress=steve@openssl.org
692 A sample configuration file with the relevant sections for this command:
695 default_ca = CA_default # The default ca section
699 dir = ./demoCA # top dir
700 database = $dir/index.txt # index file.
701 new_certs_dir = $dir/newcerts # new certs dir
703 certificate = $dir/cacert.pem # The CA cert
704 serial = $dir/serial # serial no file
705 #rand_serial = yes # for random serial#'s
706 private_key = $dir/private/cakey.pem# CA private key
708 default_days = 365 # how long to certify for
709 default_crl_days= 30 # how long before next CRL
710 default_md = md5 # md to use
712 policy = policy_any # default policy
713 email_in_dn = no # Don't add the email into cert DN
715 name_opt = ca_default # Subject name display option
716 cert_opt = ca_default # Certificate display option
717 copy_extensions = none # Don't copy extensions from request
720 countryName = supplied
721 stateOrProvinceName = optional
722 organizationName = optional
723 organizationalUnitName = optional
724 commonName = supplied
725 emailAddress = optional
729 Note: the location of all files can change either by compile time options,
730 configuration file entries, environment variables or command line options.
731 The values below reflect the default values.
733 /usr/local/ssl/lib/openssl.cnf - master configuration file
734 ./demoCA - main CA directory
735 ./demoCA/cacert.pem - CA certificate
736 ./demoCA/private/cakey.pem - CA private key
737 ./demoCA/serial - CA serial number file
738 ./demoCA/serial.old - CA serial number backup file
739 ./demoCA/index.txt - CA text database file
740 ./demoCA/index.txt.old - CA text database backup file
741 ./demoCA/certs - certificate output file
745 The text database index file is a critical part of the process and
746 if corrupted it can be difficult to fix. It is theoretically possible
747 to rebuild the index file from all the issued certificates and a current
748 CRL: however there is no option to do this.
750 V2 CRL features like delta CRLs are not currently supported.
752 Although several requests can be input and handled at once it is only
753 possible to include one SPKAC or self-signed certificate.
757 This command is quirky and at times downright unfriendly.
759 The use of an in-memory text database can cause problems when large
760 numbers of certificates are present because, as the name implies
761 the database has to be kept in memory.
763 This command really needs rewriting or the required functionality
764 exposed at either a command or interface level so that a more user-friendly
765 replacement could handle things properly. The script
766 B<CA.pl> helps a little but not very much.
768 Any fields in a request that are not present in a policy are silently
769 deleted. This does not happen if the B<-preserveDN> option is used. To
770 enforce the absence of the EMAIL field within the DN, as suggested by
771 RFCs, regardless the contents of the request' subject the B<-noemailDN>
772 option can be used. The behaviour should be more friendly and
775 Canceling some commands by refusing to certify a certificate can
776 create an empty file.
780 This command was originally meant as an example of how to do things in a CA.
781 Its code does not have production quality.
782 It was not supposed to be used as a full blown CA itself,
783 nevertheless some people are using it for this purpose at least internally.
784 When doing so, specific care should be taken to
785 properly secure the private key(s) used for signing certificates.
786 It is advisable to keep them in a secure HW storage such as a smart card or HSM
787 and access them via a suitable engine or crypto provider.
789 This command is effectively a single user command: no locking
790 is done on the various files and attempts to run more than one B<openssl ca>
791 command on the same database can have unpredictable results.
793 The B<copy_extensions> option should be used with caution. If care is
794 not taken then it can be a security risk. For example if a certificate
795 request contains a basicConstraints extension with CA:TRUE and the
796 B<copy_extensions> value is set to B<copyall> and the user does not spot
797 this when the certificate is displayed then this will hand the requester
798 a valid CA certificate.
799 This situation can be avoided by setting B<copy_extensions> to B<copy>
800 and including basicConstraints with CA:FALSE in the configuration file.
801 Then if the request contains a basicConstraints extension it will be
804 It is advisable to also include values for other extensions such
805 as B<keyUsage> to prevent a request supplying its own values.
807 Additional restrictions can be placed on the CA certificate itself.
808 For example if the CA certificate has:
810 basicConstraints = CA:TRUE, pathlen:0
812 then even if a certificate is issued with CA:TRUE it will not be valid.
816 Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
817 certificate validity period (specified by any of B<-startdate>,
818 B<-enddate> and B<-days>) and CRL last/next update time (specified by
819 any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
820 and B<-crlsec>) will be encoded as UTCTime if the dates are
821 earlier than year 2049 (included), and as GeneralizedTime if the dates
822 are in year 2050 or later.
824 OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
825 seeding mechanism. The new seeding mechanism makes it unnecessary to
826 define a RANDFILE for saving and restoring randomness. This option is
827 retained mainly for compatibility reasons.
829 The B<-section> option was added in OpenSSL 3.0.0.
831 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
834 The B<-engine> option was deprecated in OpenSSL 3.0.
848 Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
850 Licensed under the Apache License 2.0 (the "License"). You may not use
851 this file except in compliance with the License. You can obtain a copy
852 in the file LICENSE in the source distribution or at
853 L<https://www.openssl.org/source/license.html>.