=head1 NAME
+openssl-req,
req - PKCS#10 certificate request and certificate generating utility
=head1 SYNOPSIS
[B<-verify>]
[B<-modulus>]
[B<-new>]
-[B<-rand file(s)>]
+[B<-rand file...>]
+[B<-writerand file>]
[B<-newkey rsa:bits>]
[B<-newkey alg:file>]
[B<-nodes>]
[B<-keyform PEM|DER>]
[B<-keyout filename>]
[B<-keygen_engine id>]
-[B<-[digest]>]
+[B<-I<digest>>]
[B<-config filename>]
[B<-multivalue-rdn>]
[B<-x509>]
[B<-days n>]
[B<-set_serial n>]
[B<-newhdr>]
+[B<-addext ext>]
[B<-extensions section>]
[B<-reqexts section>]
[B<-precert>]
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
-B<-inform> option.
+This specifies the output format, the options have the same meaning and default
+as the B<-inform> option.
=item B<-in filename>
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand file(s)>
+=item B<-rand file...>
A file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)>).
+generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
+=item [B<-writerand file>]
+
+Writes random data to the specified I<file> upon exit.
+This can be used with a subsequent B<-rand> flag.
+
=item B<-newkey arg>
This option creates a new certificate request and a new private
If this option is specified then if a private key is created it
will not be encrypted.
-=item B<-[digest]>
+=item B<-I<digest>>
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
using the B<set_serial> option, a large random number will be used for
the serial number.
+If existing request is specified with the B<-in> option, it is converted
+to the self signed certificate otherwise new request is created.
+
=item B<-days n>
When the B<-x509> option is being used this specifies the number of
-days to certify the certificate for. The default is 30 days.
+days to certify the certificate for, otherwise it is ignored. B<n> should
+be a positive integer. The default is 30 days.
=item B<-set_serial n>
Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by B<0x>.
+=item B<-addext ext>
+
+Add a specific extension to the certificate (if the B<-x509> option is
+present) or certificate request. The argument must have the form of
+a key=value pair as it would appear in a config file.
+
+This option can be given multiple times.
+
=item B<-extensions section>
=item B<-reqexts section>
=item B<RANDFILE>
-This specifies a filename in which random number seed information is
-placed and read from, or an EGD socket (see L<RAND_egd(3)>).
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it.
It is used for private key generation.
=item B<encrypt_key>
[ req_attributes ]
challengePassword = A challenge password
+Example of giving the most common attributes (subject and extensions)
+on the command line:
+
+ openssl req -new -subj "/C=GB/CN=foo" \
+ -addext "subjectAltName = DNS:foo.co.uk" \
+ -addext "certificatePolicies = 1.2.3.4" \
+ -newkey rsa:2048 -keyout key.pem -out req.pem
+
=head1 NOTES