=head1 NAME
-req - PKCS#10 certificate and certificate generating utility.
+req - PKCS#10 certificate request and certificate generating utility.
=head1 SYNOPSIS
[B<-out filename>]
[B<-passout arg>]
[B<-text>]
+[B<-pubkey>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-subj arg>]
[B<-x509>]
[B<-days n>]
+[B<-set_serial n>]
[B<-asn1-kludge>]
[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]
+[B<-utf8>]
+[B<-nameopt>]
[B<-batch>]
[B<-verbose>]
prints out the certificate request in text form.
+=item B<-pubkey>
+
+outputs the public key.
+
=item B<-noout>
this option prevents output of the encoded version of the request.
sets subject name for new request or supersedes the subject name
when processing a request.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
=item B<-x509>
this option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
-(if any) are specified in the configuration file.
+(if any) are specified in the configuration file. Unless specified
+using the B<set_serial> option B<0> will be used for the serial
+number.
=item B<-days n>
when the B<-x509> option is being used this specifies the number of
days to certify the certificate for. The default is 30 days.
+=item B<-set_serial n>
+
+serial number to use when outputting a self signed certificate. This
+may be specified as a decimal value or a hex value if preceded by B<0x>.
+It is possible to use negative serial numbers but this is not recommended.
+
=item B<-extensions section>
=item B<-reqexts section>
be used in the same configuration file to specify requests for
a variety of purposes.
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-nameopt option>
+
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas. Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the L<x509(1)|x509(1)> manual page for details.
+
=item B<-asn1-kludge>
by default the B<req> command outputs certificate requests containing
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.
+=item B<utf8>
+
+if set to the value B<yes> then field values to be interpreted as UTF8
+strings, by default they are interpreted as ASCII. This means that
+the field values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
=item B<attributes>
this specifies the section containing any request attributes: its format
The header and footer lines in the B<PEM> format are normally:
- -----BEGIN CERTIFICATE REQUEST----
- -----END CERTIFICATE REQUEST----
+ -----BEGIN CERTIFICATE REQUEST-----
+ -----END CERTIFICATE REQUEST-----
some software (some versions of Netscape certificate server) instead needs:
- -----BEGIN NEW CERTIFICATE REQUEST----
- -----END NEW CERTIFICATE REQUEST----
+ -----BEGIN NEW CERTIFICATE REQUEST-----
+ -----END NEW CERTIFICATE REQUEST-----
which is produced with the B<-newhdr> option but is otherwise compatible.
Either form is accepted transparently on input.