=head1 NAME
+openssl-ts,
ts - Time Stamping Authority tool (client/server)
=head1 SYNOPSIS
B<openssl> B<ts>
B<-query>
-[B<-rand> file:file...]
+[B<-rand file...>]
+[B<-writerand file>]
[B<-config> configfile]
[B<-data> file_to_hash]
[B<-digest> digest_bytes]
-[B<-[digest]>]
+[B<-I<digest>>]
[B<-tspolicy> object_id]
[B<-no_nonce>]
[B<-cert>]
[B<-queryfile> request.tsq]
[B<-passin> password_src]
[B<-signer> tsa_cert.pem]
-[B<-inkey> private.pem]
-[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
+[B<-inkey> file_or_id]
+[B<-I<digest>>]
[B<-chain> certs_file.pem]
[B<-tspolicy> object_id]
[B<-in> response.tsr]
=over 4
-=item B<-rand> file:file...
+=item B<-rand file...>
-The files containing random data for seeding the random number
-generator. Multiple files can be specified, the separator is B<;> for
-MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional)
+A file or files containing random data used to seed the random number
+generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
=item B<-config> configfile
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
-=item B<-[digest]>
+=item B<-I<digest>>
The message digest to apply to the data file.
Any digest supported by the OpenSSL B<dgst> command can be used.
-The default is SHA-1. (Optional)
+The default is SHA-256. (Optional)
=item B<-tspolicy> object_id
the certificate is going to be refused. Overrides the B<signer_cert>
variable of the config file. (Optional)
-=item B<-inkey> private.pem
+=item B<-inkey> file_or_id
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
+If no engine is used, the argument is taken as a file; if an engine is
+specified, the argument is given to the engine as a key identifier.
-=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
+=item B<-I<digest>>
Signing digest to use. Overrides the B<signer_digest> config file
-option. (Optional)
+option. (Mandatory unless specified in the config file)
=item B<-chain> certs_file.pem
=item B<signer_digest>
Signing digest to use. The same as the
-B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
+B<-I<digest>> command line option. (Mandatory unless specified on the command
+line)
=item B<default_policy>
=item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's
-public key certificate identifier. Default is sha1. (Optional)
+public key certificate identifier. Default is sha256. (Optional)
=back
=head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
-without nonce and policy and no certificate is required in the response:
+To create a time stamp request for design1.txt with SHA-256 digest,
+without nonce and policy, and without requirement for a certificate
+in the response:
openssl ts -query -data design1.txt -no_nonce \
-out design1.tsq
openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
-of design2.txt, requests the signer certificate and nonce,
+To create a time stamp request which includes the SHA-512 digest
+of design2.txt, requests the signer certificate and nonce, and
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
- openssl ts -query -data design2.txt -md5 \
+ openssl ts -query -data design2.txt -sha512 \
-tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response
Before generating a response a signing certificate must be created for
the TSA that contains the B<timeStamping> critical extended key usage extension
-without any other key usage extensions. You can add the
-'extendedKeyUsage = critical,timeStamping' line to the user certificate section
-of the config file to generate a proper certificate. See L<req(1)>,
-L<ca(1)>, L<x509(1)> for instructions. The examples
+without any other key usage extensions. You can add this line to the
+user certificate section of the config file to generate a proper certificate;
+
+ extendedKeyUsage = critical,timeStamping
+
+See L<req(1)>, L<ca(1)>, and L<x509(1)> for instructions. The examples
below assume that cacert.pem contains the certificate of the CA,
tsacert.pem is the signing certificate issued by cacert.pem and
tsakey.pem is the private key of the TSA.
=head1 COPYRIGHT
-Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the OpenSSL license (the "License"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.