X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Freq.pod;h=46bbfe614e61c28c34c850ceac6cd984ef1b56e4;hp=a66410dbb4be3e50af8cc0e30ba36605e52cc081;hb=c03726ca4153fca8d66185837008aa078969d386;hpb=657e60fa00ddde3618600d6306be913214d30457;ds=sidebyside

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index a66410dbb4..46bbfe614e 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -3,7 +3,7 @@
 
 =head1 NAME
 
-req - PKCS#10 certificate and certificate generating utility.
+req - PKCS#10 certificate request and certificate generating utility.
 
 =head1 SYNOPSIS
 
@@ -11,29 +11,42 @@ B<openssl> B<req>
 [B<-inform PEM|DER>]
 [B<-outform PEM|DER>]
 [B<-in filename>]
-[B<-passin password>]
-[B<-envpassin var>]
+[B<-passin arg>]
 [B<-out filename>]
-[B<-passout password>]
-[B<-envpassout var>]
+[B<-passout arg>]
 [B<-text>]
+[B<-pubkey>]
 [B<-noout>]
 [B<-verify>]
 [B<-modulus>]
 [B<-new>]
+[B<-rand file(s)>]
 [B<-newkey rsa:bits>]
-[B<-newkey dsa:file>]
+[B<-newkey alg:file>]
 [B<-nodes>]
 [B<-key filename>]
 [B<-keyform PEM|DER>]
 [B<-keyout filename>]
-[B<-[md5|sha1|md2|mdc2]>]
+[B<-keygen_engine id>]
+[B<-[digest]>]
 [B<-config filename>]
+[B<-multivalue-rdn>]
 [B<-x509>]
 [B<-days n>]
-[B<-noasn1-kludge>]
+[B<-set_serial n>]
+[B<-asn1-kludge>]
+[B<-no-asn1-kludge>]
+[B<-newhdr>]
 [B<-extensions section>]
 [B<-reqexts section>]
+[B<-utf8>]
+[B<-nameopt>]
+[B<-reqopt>]
+[B<-subject>]
+[B<-subj arg>]
+[B<-batch>]
+[B<-verbose>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -63,33 +76,34 @@ This specifies the input filename to read a request from or standard input
 if this option is not specified. A request is only read if the creation
 options (B<-new> and B<-newkey>) are not specified.
 
-=item B<-passin password>
+=item B<-passin arg>
 
-the input file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
-
-=item B<-envpassin var>
-
-read the input file password from the environment variable B<var>.
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
 This specifies the output filename to write to or standard output by
 default.
 
-=item B<-passout password>
-
-the output file password. Since certain utilities like "ps" make the command line
-visible this option should be used with caution.
+=item B<-passout arg>
 
-=item B<-envpassout var>
-
-read the output file password from the environment variable B<var>.
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-text>
 
 prints out the certificate request in text form.
 
+=item B<-subject>
+
+prints out the request subject (or certificate subject if B<-x509> is
+specified)
+
+=item B<-pubkey>
+
+outputs the public key.
+
 =item B<-noout>
 
 this option prevents output of the encoded version of the request.
@@ -113,13 +127,46 @@ in the configuration file and any requested extensions.
 If the B<-key> option is not used it will generate a new RSA private
 key using information specified in the configuration file.
 
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
 =item B<-newkey arg>
 
 this option creates a new certificate request and a new private
-key. The argument takes one of two forms. B<rsa:nbits>, where
+key. The argument takes one of several forms. B<rsa:nbits>, where
 B<nbits> is the number of bits, generates an RSA key B<nbits>
-in size. B<dsa:filename> generates a DSA key using the parameters
-in the file B<filename>.
+in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
+the default key size, specified in the configuration file is used.
+
+All other algorithms support the B<-newkey alg:file> form, where file may be
+an algorithm parameter file, created by the B<genpkey -genparam> command
+or and X.509 certificate for a key with appropriate algorithm.
+
+B<param:file> generates a key using the parameter file or certificate B<file>,
+the algorithm is determined by the parameters. B<algname:file> use algorithm
+B<algname> and parameter file B<file>: the two algorithms must match or an
+error occurs. B<algname> just uses algorithm B<algname>, and parameters,
+if necessary should be specified via B<-pkeyopt> parameter.
+
+B<dsa:filename> generates a DSA key using the parameters
+in the file B<filename>. B<ec:filename> generates EC key (usable both with
+ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R
+34.10-2001 key (requires B<ccgost> engine configured in the configuration
+file). If just B<gost2001> is specified a parameter set should be
+specified by B<-pkeyopt paramset:X>
+
+
+=item B<-pkeyopt opt:value>
+
+set the public key algorithm option B<opt> to B<value>. The precise set of
+options supported depends on the public key algorithm used and its
+implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
+for more details.
 
 =item B<-key filename>
 
@@ -142,11 +189,16 @@ configuration file is used.
 if this option is specified then if a private key is created it
 will not be encrypted.
 
-=item B<-[md5|sha1|md2|mdc2]>
+=item B<-[digest]>
+
+this specifies the message digest to sign the request.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+This overrides the digest algorithm specified in
+the configuration file.
 
-this specifies the message digest to sign the request with. This
-overrides the digest algorithm specified in the configuration file.
-This option is ignored for DSA requests: they always use SHA1.
+Some public key algorithms may override this choice. For instance, DSA
+signatures always use SHA1, GOST R 34.10 signatures always use
+GOST R 34.11-94 (B<-md_gost94>).
 
 =item B<-config filename>
 
@@ -154,19 +206,44 @@ this allows an alternative configuration file to be specified,
 this overrides the compile time filename or any specified in
 the B<OPENSSL_CONF> environment variable.
 
+=item B<-subj arg>
+
+sets subject name for new request or supersedes the subject name
+when processing a request.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpreted with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =item B<-x509>
 
 this option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
 a self signed root CA. The extensions added to the certificate
-(if any) are specified in the configuration file.
+(if any) are specified in the configuration file. Unless specified
+using the B<set_serial> option, a large random number will be used for
+the serial number.
 
 =item B<-days n>
 
 when the B<-x509> option is being used this specifies the number of
 days to certify the certificate for. The default is 30 days.
 
+=item B<-set_serial n>
+
+serial number to use when outputting a self signed certificate. This
+may be specified as a decimal value or a hex value if preceded by B<0x>.
+It is possible to use negative serial numbers but this is not recommended.
+
 =item B<-extensions section>
+
 =item B<-reqexts section>
 
 these options specify alternative sections to include certificate
@@ -175,6 +252,29 @@ request extensions. This allows several different sections to
 be used in the same configuration file to specify requests for
 a variety of purposes.
 
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by 
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-nameopt option>
+
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas.  Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the L<x509(1)> manual page for details.
+
+=item B<-reqopt>
+
+customise the output format used with B<-text>. The B<option> argument can be
+a single option or multiple options separated by commas. 
+
+See discussion of the  B<-certopt> parameter in the L<x509(1)>
+command.
+
+
 =item B<-asn1-kludge>
 
 by default the B<req> command outputs certificate requests containing
@@ -190,6 +290,35 @@ B<SET OF> whereas the correct form does.
 
 It should be noted that very few CAs still require the use of this option.
 
+=item B<-no-asn1-kludge>
+
+Reverses effect of B<-asn1-kludge>
+
+=item B<-newhdr>
+
+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
+request. Some software (Netscape certificate server) and some CAs need this.
+
+=item B<-batch>
+
+non-interactive mode.
+
+=item B<-verbose>
+
+print extra details about the operations being performed.
+
+=item B<-engine id>
+
+specifying an engine (by its unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<-keygen_engine id>
+
+specifies an engine (by its unique B<id> string) which would be used
+for key generation operations.
+
 =back
 
 =head1 CONFIGURATION FILE FORMAT
@@ -207,8 +336,8 @@ The options available are described in detail below.
 
 The passwords for the input private key file (if present) and
 the output private key file (if one will be created). The
-command line options B<passin>, B<envpassin>, B<passout> and
-B<envpassout> override the configuration file values.
+command line options B<passin> and B<passout> override the
+configuration file values.
 
 =item B<default_bits>
 
@@ -239,7 +368,8 @@ and long names are the same when this option is used.
 =item B<RANDFILE>
 
 This specifies a filename in which random number seed information is
-placed and read from. It is used for private key generation.
+placed and read from, or an EGD socket (see L<RAND_egd(3)>).
+It is used for private key generation.
 
 =item B<encrypt_key>
 
@@ -249,9 +379,10 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option.
 
 =item B<default_md>
 
-This option specifies the digest algorithm to use. Possible values
-include B<md5 sha1 mdc2>. If not present then MD5 is used. This
-option can be overridden on the command line.
+This option specifies the digest algorithm to use.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+If not present then MD5 is used.
+This option can be overridden on the command line.
 
 =item B<string_mask>
 
@@ -271,7 +402,9 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
 
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch.
+by the B<-reqexts> command line switch. See the 
+L<x509v3_config(5)> manual page for details of the
+extension section format.
 
 =item B<x509_extensions>
 
@@ -285,6 +418,13 @@ if set to the value B<no> this disables prompting of certificate fields
 and just takes values from the config file directly. It also changes the
 expected format of the B<distinguished_name> and B<attributes> sections.
 
+=item B<utf8>
+
+if set to the value B<yes> then field values to be interpreted as UTF8
+strings, by default they are interpreted as ASCII. This means that
+the field values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
 =item B<attributes>
 
 this specifies the section containing any request attributes: its format
@@ -312,9 +452,9 @@ just consist of field names and values: for example,
 
 This allows external programs (e.g. GUI based) to generate a template file
 with all the field names and values and just pass it to B<req>. An example
-of this kind of configuration files is contained in the B<EXAMPLES> section.
+of this kind of configuration file is contained in the B<EXAMPLES> section.
 
-Alternatively if the B<prompt> option is absent or not set to B<no> the the
+Alternatively if the B<prompt> option is absent or not set to B<no> then the
 file contains field prompting information. It consists of lines of the form:
 
  fieldName="prompt"
@@ -337,16 +477,15 @@ two characters long and must fit in a PrintableString).
 Some fields (such as organizationName) can be used more than once
 in a DN. This presents a problem because configuration files will
 not recognize the same name occurring twice. To avoid this problem
-if the fieldName contains an some characters followed by a full stop
+if the fieldName contains some characters followed by a full stop
 they will be ignored. So for example a second organizationName can
 be input by calling it "1.organizationName".
 
 The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrPrivinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier
-are supported.
+organizationalUnitName, stateOrProvinceName. Additionally emailAddress
+is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or
 B<oid_section> options in the configuration file. Any additional fields
@@ -361,16 +500,16 @@ Examine and verify certificate request:
 
 Create a private key and then generate a certificate request from it:
 
- openssl genrsa -out key.pem 1024
+ openssl genrsa -out key.pem 2048
  openssl req -new -key key.pem -out req.pem
 
 The same but just using req:
 
- openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
 
 Generate a self signed root certificate:
 
- openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
+ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
 
 Example of a file pointed to by the B<oid_file> option:
 
@@ -386,11 +525,11 @@ expansion:
 Sample configuration file prompting for field values:
 
  [ req ]
- default_bits		= 1024
+ default_bits		= 2048
  default_keyfile 	= privkey.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
- x509_extensions	= v3_ca
+ req_extensions		= v3_ca
 
  dirstring_type = nobmp
 
@@ -427,7 +566,7 @@ Sample configuration containing all field values:
  RANDFILE		= $ENV::HOME/.rnd
 
  [ req ]
- default_bits		= 1024
+ default_bits		= 2048
  default_keyfile 	= keyfile.pem
  distinguished_name	= req_distinguished_name
  attributes		= req_attributes
@@ -449,17 +588,18 @@ Sample configuration containing all field values:
 
 =head1 NOTES
 
-The header and footer lines in the B<PEM> format are respectively:
+The header and footer lines in the B<PEM> format are normally:
 
- -----BEGIN CERTIFICATE REQUEST----
- -----END CERTIFICATE REQUEST----
+ -----BEGIN CERTIFICATE REQUEST-----
+ -----END CERTIFICATE REQUEST-----
 
 some software (some versions of Netscape certificate server) instead needs:
 
- -----BEGIN NEW CERTIFICATE REQUEST----
- -----END NEW CERTIFICATE REQUEST----
+ -----BEGIN NEW CERTIFICATE REQUEST-----
+ -----END NEW CERTIFICATE REQUEST-----
 
-but is otherwise compatible. Either form is accepted on input.
+which is produced with the B<-newhdr> option but is otherwise compatible.
+Either form is accepted transparently on input.
 
 The certificate requests generated by B<Xenroll> with MSIE have extensions
 added. It includes the B<keyUsage> extension which determines the type of
@@ -525,7 +665,8 @@ address in subjectAltName should be input by the user.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>
+L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
+L<gendsa(1)>, L<config(5)>,
+L<x509v3_config(5)> 
 
 =cut