this specifies the message digest to sign the request with. This
overrides the digest algorithm specified in the configuration file.
-This option is ignore for DSA requests: they always use SHA1.
+This option is ignored for DSA requests: they always use SHA1.
=item B<-config filename>
=head1 CONFIGURATION FILE FORMAT
-The configuation options are specified in the B<req> section of
+The configuration options are specified in the B<req> section of
the configuration file. As with all configuration files if no
value is specified in the specific section (i.e. B<req>) then
the initial unnamed or B<default> section is searched too.
=over 4
+=item B<input_password output_password>
+
+The passwords for the input private key file (if present) and
+the output private key file (if one will be created). The
+command line options B<passin>, B<envpassin>, B<passout> and
+B<envpassout> override the configuration file values.
+
=item B<default_bits>
This specifies the default key size in bits. If not specified then
512 is used. It is used if the B<-new> option is used. It can be
-overriden by using the B<-newkey> option.
+overridden by using the B<-newkey> option.
=item B<default_keyfile>
This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
-overriden by the B<-keyout> option.
+overridden by the B<-keyout> option.
=item B<oid_file>
This specifies a filename in which random number seed information is
placed and read from. It is used for private key generation.
-=item B<encrypt_rsa_key|encrypt_key>
+=item B<encrypt_key>
If this is set to B<no> then if a private key is generated it is
B<not> encrypted. This is equivalent to the B<-nodes> command line
-option.
+option. For compatibility B<encrypt_rsai_key> is an equivalent option.
=item B<default_md>
include B<md5 sha1 mdc2>. If not present then MD5 is used. This
option can be overridden on the command line.
-=item B<dirstring_type>
+=item B<string_mask>
-This option specifies which string types are permissible in a
-B<DirectoryString>. Most users will not need to change this option.
+This option masks out the use of certain string types in certain
+fields. Most users will not need to change this option.
It can be set to several values B<default> which is also the default
option uses PrintableStrings, T61Strings and BMPStrings if the
B<pkix> value is used then only PrintableStrings and BMPStrings will
be used. This follows the PKIX recommendation in RFC2459. If the
B<utf8only> option is used then only UTF8Strings will be used: this
-is the PKIX recommendation in RFC2459 after 2003. Finally the B<nobmp>
+is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr>
option just uses PrintableStrings and T61Strings: certain software has
-problems with BMPStrings.
+problems with BMPStrings and UTF8Strings: in particular Netscape.
=item B<req_extensions>
this specifies the section containing any request attributes: its format
is the same as B<distinguished_name> described below. Typically these
may contain the challengePassword or unstructuredName types. They are
-currently ignored by OpenSSLs request signing utilities but some CAs might want
-want them.
+currently ignored by OpenSSL's request signing utilities but some CAs
+might want them.
=item B<distinguished_name>
-This specifies the section containing the distiguished name fields to
+This specifies the section containing the distinguished name fields to
prompt for when generating a certificate or certificate request. This
consists of lines of the form:
fieldName_max= 4
"fieldName" is the field name being used, for example commonName (or CN).
-The "prompt" string is used to ask the user to enter the relvant
+The "prompt" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
-certficates or requests however does need a configuration file. This
+certificates or requests however does need a configuration file. This
could be regarded as a bug.
Another puzzling message is this:
The variable B<OPENSSL_CONF> if defined allows an alternative configuration
file location to be specified, it will be overridden by the B<-config> command
-line switch if it is present. For compatability reasons the B<SSLEAY_CONF>
+line switch if it is present. For compatibility reasons the B<SSLEAY_CONF>
environment variable serves the same purpose but its use is discouraged.
=head1 BUGS
-OpenSSLs handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as ISO-8859-1 (latin 1), Netscape and MSIE have similar behaviour.
+OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
projects / openssl.git / blobdiff