The 'req' command is used to manipulate and deal with pkcs#10

Its default mode of operation is to load a certificate and then
By default the 'req' is read from stdin in 'PEM' format.
The -inform option can be used to specify 'pem' format or 'der'
format. PEM format is the base64 encoding of the DER format.
By default 'req' then writes the request back out. -outform can be used
to indicate the desired output format, be it 'pem' or 'der'.
To specify an input file, use the '-in' option; the '-out' option
can be used to specify the output file.
If you wish to perform a command and not output the certificate
request afterwards, use the '-noout' option.
When a certificate is loaded, it can be printed in a human-readable
ASCII format via the '-text' option.
To check that the signature on a certificate request is correct, use
the '-verify' option to make sure that the private key contained in the
certificate request corresponds to the signature.
Besides the default mode, there is also the 'generate a certificate
request' mode. There are several flags that trigger this mode.
-new will generate a new RSA key (if required) and then prompt
the user for details for the certificate request.
-newkey has an argument that is the number of bits to make the new
key. This option also triggers '-new'.
The '-new' option can have a key to use specified instead of having to
generate one; '-key' is used to specify the file containing the key.
-keyform can be used to specify the format of the key. Only
'pem' and 'der' formats are supported; 'netscape' format may be added later.
Finally there is the '-x509' option, which makes req output a self-signed
x509 certificate instead of a certificate request.
Now as you may have noticed, there are lots of default options that
cannot be specified via the command line. They are held in a 'template'
or 'configuration file'. The -config option specifies which configuration
file to use. See conf.doc for details on the syntax of this file.

The req command uses the 'req' section of the config file.
# The following variables are defined. For this example I will populate

default_bits        = 512           # default number of bits to use.
default_keyfile     = testkey.pem   # Where to write the generated keyfile

distinguished_name  = req_dn        # The section that contains the
                                    # information about which 'object' we
                                    # want to put in the DN.
attributes          = req_attr      # The objects we want for the

encrypt_rsa_key     = no            # Should we encrypt newly generated
                                    # keys. I strongly recommend 'yes'.
# The distinguished name section. For the following entries, the
# object names must exist in the SSLeay header file objects.h. If they
# do not, they will be silently ignored. The entries have the following
#   <object_name>         => string to prompt with
#   <object_name>_default => default value for people
#   <object_name>_value   => Automatically use this value for this field.
#   <object_name>_min     => minimum number of characters for data (def. 0)
#   <object_name>_max     => maximum number of characters for data (def. inf.)
# All of these entries are optional except for the first one.
countryName                     = Country Name (2 letter code)
countryName_default             = AU

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Queensland

localityName                    = Locality Name (eg, city)

organizationName                = Organization Name (eg, company)
organizationName_default        = Mincom Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = MTR

commonName                      = Common Name (eg, YOUR name)

emailAddress                    = Email Address
# The next section is the attributes section. This is exactly the
# same as for the previous section except that the resulting objects are
# put in the attributes field.

challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name
Also note that the order that attributes appear in this file is the
order they will be put into the distinguished name.

Once this request has been generated, it can be sent to a CA for
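The configuration layout described above, written out and exercised as an added example (this script is not part of the original SSLeay document). It assumes a modern OpenSSL on the PATH, where the command is invoked as 'openssl req', and uses '-batch' (not covered above) so that every prompt is answered from its _default or _value entry. All file names and DN values are constructed for the demo; the key size is raised from the document's 512 bits, which gives no meaningful security today. The last function shows a point the text only states: the _min/_max limits are enforced on the value actually used, defaults included, so a too-short challengePassword_default makes generation fail rather than produce a request.

```shell
#!/bin/sh
# Added example (not from the original document): build a request from a
# config file in the documented 'req' format, without interactive prompts.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/req.cnf"

write_req_config() {  # $1 = path to write
    # Same layout as the example above; values are constructed for the demo.
    cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
encrypt_rsa_key     = no        # unencrypted key: no passphrase needed in batch mode
distinguished_name  = req_dn
attributes          = req_attr

[ req_dn ]
countryName                 = Country Name (2 letter code)
countryName_default         = AU
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Queensland
organizationName            = Organization Name (eg, company)
organizationName_default    = Mincom Pty Ltd
commonName                  = Common Name (eg, YOUR name)
commonName_value            = req-demo.example   # _value: used without prompting

[ req_attr ]
challengePassword           = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
challengePassword_default   = demo-challenge
EOF
}

make_request() {  # $1 = config, $2 = key out, $3 = request out
    # -batch answers every prompt from _default/_value; -keyout is where the
    # generated key goes (equivalent to default_keyfile in the config).
    openssl req -new -batch -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# -config is passed on reads too so the demo never depends on a system openssl.cnf.
request_subject() { openssl req -config "$CFG" -in "$1" -noout -subject; }
request_text()    { openssl req -config "$CFG" -in "$1" -noout -text; }

# _min/_max are checked against the value actually used, defaults included:
# a challengePassword_default shorter than _min makes batch generation fail.
short_challenge_rejected() {  # $1 = config to derive from; returns 0 if refused
    bad="$WORK/bad.cnf"
    sed 's/^challengePassword_default.*/challengePassword_default = abc/' "$1" > "$bad"
    if openssl req -new -batch -config "$bad" -keyout "$WORK/bad.key" \
           -out "$WORK/bad.csr" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

write_req_config "$CFG"
make_request "$CFG" "$WORK/testkey.pem" "$WORK/req.pem"
request_subject "$WORK/req.pem"                    # DN built from the _default/_value entries
request_text "$WORK/req.pem" | grep challengePassword   # attribute carried in the request
short_challenge_rejected "$CFG" && echo "challengePassword_default below _min: request refused"
```

Entries without a _default or _value (localityName, emailAddress in the document's example) are simply skipped in batch mode, which is why this config only lists fields that have one.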
A few quick examples....

To generate a new request and a new key

To generate a new request and a 1058 bit key

To generate a new request using a pre-existing key
    req -new -key key.pem

To generate a self-signed x509 certificate from a certificate
request using a supplied key, and we want to see the text form of the
output certificate (which we will put in the file selfSign.pem):
    req -x509 -in req.pem -key key.pem -text -out selfSign.pem

Verify that the signature is correct on a certificate request.
    req -verify -in req.pem

Verify that the signature was made using a specified public key.
    req -verify -in req.pem -key key.pem

Print the contents of a certificate request
    req -text -in req.pem