=head1 NAME
+openssl-x509,
x509 - Certificate display and signing utility
=head1 SYNOPSIS
B<openssl> B<x509>
[B<-help>]
-[B<-inform DER|PEM|NET>]
-[B<-outform DER|PEM|NET>]
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
[B<-keyform DER|PEM>]
[B<-CAform DER|PEM>]
[B<-CAkeyform DER|PEM>]
[B<-CAserial filename>]
[B<-force_pubkey key>]
[B<-text>]
+[B<-ext extensions>]
[B<-certopt option>]
[B<-C>]
-[B<-[digest]>]
+[B<-I<digest>>]
[B<-clrext>]
[B<-extfile filename>]
[B<-extensions section>]
+[B<-rand file...>]
+[B<-writerand file>]
[B<-engine id>]
[B<-preserve_dates>]
Print out a usage message.
-=item B<-inform DER|PEM|NET>
+=item B<-inform DER|PEM>
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
-added. The NET option is an obscure Netscape server format that is now
-obsolete.
+added. The default format is PEM.
-=item B<-outform DER|PEM|NET>
+=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
-B<-inform> option.
+This specifies the output format, the options have the same meaning and default
+as the B<-inform> option.
=item B<-in filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-[digest]>
+=item B<-I<digest>>
The digest to use.
This affects any signing or display option that uses a message
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
+=item B<-rand file...>
+
+A file or files containing random data used to seed the random number
+generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
+
=item B<-engine id>
Specifying an engine (by its unique B<id> string) will cause B<x509>
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
+=item B<-ext extensions>
+
+Prints out the certificate extensions in text form. Extensions are specified
+with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier".
+See the L<x509v3_config(5)> manual page for the extension names.
+
=item B<-certopt option>
Customise the output format used with B<-text>. The B<option> argument
=item B<-fingerprint>
-Prints out the digest of the DER encoded version of the whole certificate
-(see digest options).
+Calculates and outputs the digest of the DER encoded version of the entire
+certificate (see digest options).
+This is commonly called a "fingerprint". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
=item B<-C>
Sets the CA serial number file to use.
When the B<-CA> option is used to sign a certificate it uses a serial
-number specified in a file. This file consist of one line containing
+number specified in a file. This file consists of one line containing
an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.
B<sep_multiline>
These options determine the field separators. The first character is
-between RDNs and the second between multiple AVAs (multiple AVAs are
+between Relative Distinguished Names (RDNs) and the second is between
+multiple Attribute Value Assertions (AVAs, multiple AVAs are
very rare and their use is discouraged). The options ending in
"space" additionally place a space after the separator to make it
more readable. The B<sep_multiline> uses a linefeed character for
openssl x509 -in cert.pem -noout -text
+Display the "Subject Alternative Name" extension of a certificate:
+
+ openssl x509 -in cert.pem -noout -ext subjectAltName
+
+Display more extensions of a certificate:
+
+ openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
+
Display the certificate serial number:
openssl x509 -in cert.pem -noout -serial
openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
-Display the certificate MD5 fingerprint:
-
- openssl x509 -in cert.pem -noout -fingerprint
-
Display the certificate SHA1 fingerprint:
openssl x509 -sha1 -in cert.pem -noout -fingerprint
and MSIE do this as do many certificates. So although this is incorrect
it is more likely to display the majority of certificates correctly.
-The B<-fingerprint> option takes the digest of the DER encoded certificate.
-This is commonly called a "fingerprint". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-
-The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
-
The B<-email> option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.
=item B<S/MIME Signing>
-In addition to the common S/MIME client tests the digitalSignature bit must
-be set if the keyUsage extension is present.
+In addition to the common S/MIME client tests the digitalSignature bit or
+the nonRepudiation bit must be set if the keyUsage extension is present.
=item B<S/MIME Encryption>
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
projects / openssl.git / blobdiff