=pod =head1 NAME openssl-req, req - PKCS#10 certificate request and certificate generating utility =head1 SYNOPSIS B B [B<-help>] [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] [B<-passin arg>] [B<-out filename>] [B<-passout arg>] [B<-text>] [B<-pubkey>] [B<-noout>] [B<-verify>] [B<-modulus>] [B<-new>] [B<-rand file...>] [B<-writerand file>] [B<-newkey rsa:bits>] [B<-newkey alg:file>] [B<-nodes>] [B<-key filename>] [B<-keyform PEM|DER>] [B<-keyout filename>] [B<-keygen_engine id>] [B<-I>] [B<-config filename>] [B<-multivalue-rdn>] [B<-x509>] [B<-days n>] [B<-set_serial n>] [B<-newhdr>] [B<-addext ext>] [B<-extensions section>] [B<-reqexts section>] [B<-precert>] [B<-utf8>] [B<-nameopt>] [B<-reqopt>] [B<-subject>] [B<-subj arg>] [B<-batch>] [B<-verbose>] [B<-engine id>] =head1 DESCRIPTION The B command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. =head1 OPTIONS =over 4 =item B<-help> Print out a usage message. =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#10. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. =item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. =item B<-in filename> This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (B<-new> and B<-newkey>) are not specified. =item B<-passin arg> The input file password source. For more information about the format of B see the B section in L. =item B<-out filename> This specifies the output filename to write to or standard output by default. =item B<-passout arg> The output file password source. For more information about the format of B see the B section in L. =item B<-text> Prints out the certificate request in text form. =item B<-subject> Prints out the request subject (or certificate subject if B<-x509> is specified) =item B<-pubkey> Outputs the public key. =item B<-noout> This option prevents output of the encoded version of the request. =item B<-modulus> This option prints out the value of the modulus of the public key contained in the request. =item B<-verify> Verifies the signature on the request. =item B<-new> This option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. If the B<-key> option is not used it will generate a new RSA private key using information specified in the configuration file. =item B<-rand file...> A file or files containing random data used to seed the random number generator. Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. =item [B<-writerand file>] Writes random data to the specified I upon exit. This can be used with a subsequent B<-rand> flag. =item B<-newkey arg> This option creates a new certificate request and a new private key. The argument takes one of several forms. B, where B is the number of bits, generates an RSA key B in size. If B is omitted, i.e. B<-newkey rsa> specified, the default key size, specified in the configuration file is used. All other algorithms support the B<-newkey alg:file> form, where file may be an algorithm parameter file, created by the B command or and X.509 certificate for a key with appropriate algorithm. B generates a key using the parameter file or certificate B, the algorithm is determined by the parameters. B use algorithm B and parameter file B: the two algorithms must match or an error occurs. B just uses algorithm B, and parameters, if necessary should be specified via B<-pkeyopt> parameter. B generates a DSA key using the parameters in the file B. B generates EC key (usable both with ECDSA or ECDH algorithms), B generates GOST R 34.10-2001 key (requires B engine configured in the configuration file). If just B is specified a parameter set should be specified by B<-pkeyopt paramset:X> =item B<-pkeyopt opt:value> Set the public key algorithm option B to B. The precise set of options supported depends on the public key algorithm used and its implementation. See B in the B manual page for more details. =item B<-key filename> This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform PEM|DER> The format of the private key file specified in the B<-key> argument. PEM is the default. =item B<-keyout filename> This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used. =item B<-nodes> If this option is specified then if a private key is created it will not be encrypted. =item B<-I> This specifies the message digest to sign the request. Any digest supported by the OpenSSL B command can be used. This overrides the digest algorithm specified in the configuration file. Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest. =item B<-config filename> This allows an alternative configuration file to be specified. Optional; for a description of the default value, see L. =item B<-subj arg> Sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as I. Keyword characters may be escaped by \ (backslash), and whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the request. =item B<-multivalue-rdn> This option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. =item B<-x509> This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the B option, a large random number will be used for the serial number. If existing request is specified with the B<-in> option, it is converted to the self signed certificate otherwise new request is created. =item B<-days n> When the B<-x509> option is being used this specifies the number of days to certify the certificate for, otherwise it is ignored. B should be a positive integer. The default is 30 days. =item B<-set_serial n> Serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by B<0x>. =item B<-addext ext> Add a specific extension to the certificate (if the B<-x509> option is present) or certificate request. The argument must have the form of a key=value pair as it would appear in a config file. This option can be given multiple times. =item B<-extensions section> =item B<-reqexts section> These options specify alternative sections to include certificate extensions (if the B<-x509> option is present) or certificate request extensions. This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes. =item B<-precert> A poison extension will be added to the certificate, making it a "pre-certificate" (see RFC6962). This can be submitted to Certificate Transparency logs in order to obtain signed certificate timestamps (SCTs). These SCTs can then be embedded into the pre-certificate as an extension, before removing the poison and signing the certificate. This implies the B<-new> flag. =item B<-utf8> This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. =item B<-nameopt option> Option which determines how the subject or issuer names are displayed. The B