=head1 NAME
+openssl-x509,
x509 - Certificate display and signing utility
=head1 SYNOPSIS
[B<-ext extensions>]
[B<-certopt option>]
[B<-C>]
-[B<-[digest]>]
+[B<-I<digest>>]
[B<-clrext>]
[B<-extfile filename>]
[B<-extensions section>]
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
added. The NET option is an obscure Netscape server format that is now
-obsolete.
+obsolete. The default format is PEM.
=item B<-outform DER|PEM|NET>
-This specifies the output format, the options have the same meaning as the
-B<-inform> option.
+This specifies the output format, the options have the same meaning and default
+as the B<-inform> option.
=item B<-in filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-[digest]>
+=item B<-I<digest>>
The digest to use.
This affects any signing or display option that uses a message
=item B<-fingerprint>
-Prints out the digest of the DER encoded version of the whole certificate
-(see digest options).
+Calculates and outputs the digest of the DER encoded version of the entire
+certificate (see digest options).
+This is commonly called a "fingerprint". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.
=item B<-C>
openssl x509 -in cert.pem -noout -ext subjectAltName
-Display the more extensions of a certificate:
+Display more extensions of a certificate:
openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
-Display the certificate MD5 fingerprint:
-
- openssl x509 -in cert.pem -noout -fingerprint
-
Display the certificate SHA1 fingerprint:
openssl x509 -sha1 -in cert.pem -noout -fingerprint
and MSIE do this as do many certificates. So although this is incorrect
it is more likely to display the majority of certificates correctly.
-The B<-fingerprint> option takes the digest of the DER encoded certificate.
-This is commonly called a "fingerprint". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-
-The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
-
The B<-email> option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.