=head1 NAME
-req - PKCS#10 certificate and certificate generating utility.
+req - PKCS#10 certificate request and certificate generating utility.
=head1 SYNOPSIS
[B<-verify>]
[B<-modulus>]
[B<-new>]
+[B<-rand file(s)>]
[B<-newkey rsa:bits>]
[B<-newkey dsa:file>]
[B<-nodes>]
[B<-keyout filename>]
[B<-[md5|sha1|md2|mdc2]>]
[B<-config filename>]
+[B<-subj arg>]
[B<-x509>]
[B<-days n>]
+[B<-set_serial n>]
[B<-asn1-kludge>]
[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]
+[B<-utf8>]
+[B<-batch>]
+[B<-verbose>]
=head1 DESCRIPTION
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
=item B<-newkey arg>
this option creates a new certificate request and a new private
this overrides the compile time filename or any specified in
the B<OPENSSL_CONF> environment variable.
+=item B<-subj arg>
+
+sets subject name for new request or supersedes the subject name
+when processing a request.
+
=item B<-x509>
this option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
-(if any) are specified in the configuration file.
+(if any) are specified in the configuration file. Unless specified
+using the B<set_serial> option B<0> will be used for the serial
+number.
=item B<-days n>
when the B<-x509> option is being used this specifies the number of
days to certify the certificate for. The default is 30 days.
+=item B<-set_serial n>
+
+serial number to use when outputting a self signed certificate. This
+may be specified as a decimal value or a hex value if preceded by B<0x>.
+It is possible to use negative serial numbers but this is not recommended.
+
=item B<-extensions section>
+
=item B<-reqexts section>
these options specify alternative sections to include certificate
be used in the same configuration file to specify requests for
a variety of purposes.
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
=item B<-asn1-kludge>
by default the B<req> command outputs certificate requests containing
Adds the word B<NEW> to the PEM file header and footer lines on the outputed
request. Some software (Netscape certificate server) and some CAs need this.
+=item B<-batch>
+
+non-interactive mode.
+
+=item B<-verbose>
+
+print extra details about the operations being performed.
+
=back
=head1 CONFIGURATION FILE FORMAT
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.
+=item B<utf8>
+
+if set to the value B<yes> then field values to be interpreted as UTF8
+strings, by default they are interpreted as ASCII. This means that
+the field values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
=item B<attributes>
this specifies the section containing any request attributes: its format