[B<-new>]
[B<-x509toreq>]
[B<-req>]
+[B<-copy_extensions> I<arg>]
[B<-inform> B<DER>|B<PEM>]
[B<-vfyopt> I<nm>:I<v>]
[B<-signkey> I<filename>|I<uri>]
=item B<-x509toreq>
-Output a certificate request (rather than a certificate).
+Output a PKCS#10 certificate request (rather than a certificate).
The B<-signkey> option must be used to provide the private key for self-signing;
the corresponding public key is placed in the subjectPKInfo field.
-Any X.509 extensions included in an input file are ignored.
+X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the B<-extfile> option.
=item B<-req>
By default a certificate is expected on input.
-With this option a certificate request is expected instead,
-which is transformed into a certificate.
+With this option a PKCS#10 certificate request is expected instead,
+which must be correctly self-signed.
-Any X.509 extensions included in the request file are ignored.
+X.509 extensions included in the request are not copied by default.
X.509 extensions to be added can be specified using the B<-extfile> option.
+=item B<-copy_extensions> I<arg>
+
+Determines how to handle X.509 extensions
+when converting from a certificate to a request using the B<-x509toreq> option
+or converting from a request to a certificate using the B<-req> option.
+If I<arg> is B<none> or this option is not present then extensions are ignored.
+If I<arg> is B<copy> or B<copyall> then all extensions are copied,
+except that subject identifier and authority key identifier extensions
+are not taken over when producing a certificate request.
+
+The B<-ext> option can be used to further restrict which extensions to copy.
+
=item B<-inform> B<DER>|B<PEM>
The CSR input file format; the default is B<PEM>.
Unless the B<-preserve_dates> option is supplied,
it sets the validity start date to the current time
and the end date to a value determined by the B<-days> option.
-Unless the B<-clrext> option is supplied, it retains all certificate extensions
-except for any subject identifier and authority key identifier.
-For those, new values are generated unless prohibited by configuration.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
=item B<-ext> I<extensions>
-Prints out the certificate extensions in text form. Extensions are specified
+Prints out the certificate extensions in text form.
+Can also be used to restrict which extensions to copy.
+Extensions are specified
with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier".
See the L<x509v3_config(5)> manual page for the extension names.
=item B<-clrext>
-Delete any extensions from a certificate. This option is used when a
-certificate is being created from another certificate (for example with
-either the B<-signkey> or the B<-CA> option).
-Normally all extensions are retained.
+When transforming a certificate to a new certificate
+by default all certificate extensions are retained.
+
+When transforming a certificate or certificate request,
+the B<-clrext> option prevents taking over any extensions from the source.
+In any case, when producing a certificate request,
+neither subject identifier nor authority key identifier extensions are included.
=item B<-extfile> I<filename>
-Configuration file containing certificate extensions to add.
+Configuration file containing certificate and request X.509 extensions to add.
=item B<-extensions> I<section>
-The section in the extfile to add certificate extensions from.
+The section in the extfile to add X.509 extensions from.
If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
=item B<-sigopt> I<nm>:I<v>
Pass options to the signature algorithm during sign operations.
-Names and values of these options are algorithm-specific.
+This option may be given multiple times.
+Names and values provided using this option are algorithm-specific.
=item B<-badsig>
=head1 BUGS
-Extensions in certificates are not transferred to certificate requests and
-vice versa.
-
It is possible to produce invalid certificates or requests by specifying the
-wrong private key or using inconsistent options in some cases: these should
-be checked.
+wrong private key, using unsuitable X.509 extensions,
+or using inconsistent options in some cases: these should be checked.
There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
projects / openssl.git / blobdiff