-
=pod
=head1 NAME
=head1 OPTIONS
-=head2 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+=head2 Input, Output, and General Purpose Options
=over 4
=item B<-outform DER|PEM|NET>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
Any digest supported by the OpenSSL B<dgst> command can be used.
-If not specified then SHA1 is used.
-Note that if a DSA key is used for signing, then this flag is ignored
-and SHA1 is used.
+If not specified then SHA1 is used with B<-fingerprint> or
+the default digest for the signing algorithm is used, typically SHA256.
=item B<-engine id>
=back
-=head2 DISPLAY OPTIONS
+=head2 Display Options
Note: the B<-alias> and B<-purpose> options are also display options
but are described in the B<TRUST SETTINGS> section.
=item B<-pubkey>
-outputs the the certificate's SubjectPublicKeyInfo block in PEM format.
+outputs the certificate's SubjectPublicKeyInfo block in PEM format.
=item B<-modulus>
=back
-=head2 TRUST SETTINGS
-
-Please note these options are currently experimental and may well change.
+=head2 Trust Settings
A B<trusted certificate> is an ordinary certificate which has several
additional pieces of information attached to it such as the permitted
=back
-=head2 SIGNING OPTIONS
+=head2 Signing Options
The B<x509> utility can be used to sign certificates and requests: it
can thus behave like a "mini CA".
=item B<-signkey filename>
this option causes the input file to be self signed using the supplied
-private key.
+private key.
If the input file is a certificate it sets the issuer name to the
subject name (i.e. makes it self signed) changes the public key to the
use the serial number is incremented and written out to the file again.
The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called
+".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
=item B<-CAcreateserial>
=back
-=head2 NAME OPTIONS
+=head2 Name Options
The B<nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<nameopt> switch is present the default "oneline"
=item B<esc_2253>
-escape the "special" characters required by RFC2253 in a field That is
+escape the "special" characters required by RFC2253 in a field. That is
B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
and a space character at the beginning or end of a string.
+=item B<esc_2254>
+
+escape the "special" characters required by RFC2254 in a field. That is
+the B<NUL> character as well as and B<()*>.
+
=item B<esc_ctrl>
escape control characters. That is those with ASCII values less than
=back
-=head2 TEXT OPTIONS
+=head2 Text Options
As well as customising the name output format, it is also possible to
customise the actual fields printed using the B<certopt> options when
=item B<ca_default>
-the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>, B<no_header>,
-B<no_version>, B<no_sigdump> and B<no_signame>.
+the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
+B<no_header>, and B<no_version>.
=back
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
- -signkey key.pem -out cacert.pem
+ -signkey key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
- -CA cacert.pem -CAkey key.pem -CAcreateserial
+ -CA cacert.pem -CAkey key.pem -CAcreateserial
Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"
openssl x509 -in cert.pem -addtrust clientAuth \
- -setalias "Steve's Class 1 CA" -out trust.pem
+ -setalias "Steve's Class 1 CA" -out trust.pem
=head1 NOTES
The extended key usage extension must be absent or include the "email
protection" OID. Netscape certificate type must be absent or must have the
S/MIME CA bit set: this is used as a work around if the basicConstraints
-extension is absent.
+extension is absent.
=item B<CRL Signing>
L<req(1)>, L<ca(1)>, L<genrsa(1)>,
L<gendsa(1)>, L<verify(1)>,
-L<x509v3_config(5)>
+L<x509v3_config(5)>
=head1 HISTORY
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar.
+the old form must have their links rebuilt using B<c_rehash> or similar.
+
+=head1 COPYRIGHT
+
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
=cut
projects / openssl.git / blobdiff