X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2Frsa.pod;h=69b2bef82cbed03fefbffc0bc76c36897386ad6c;hp=29886d52f363828b2e674c159ba9c0c03905ed36;hb=902efde1cca5910703af57cfc9b5e0fb7980f5b6;hpb=cc8709a090b9664ab77ed6d89decb0c0fa4c6e09 diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index 29886d52f3..69b2bef82c 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -11,11 +11,10 @@ B B [B<-inform PEM|NET|DER>] [B<-outform PEM|NET|DER>] [B<-in filename>] -[B<-passin password>] -[B<-envpassin var>] +[B<-passin arg>] [B<-out filename>] -[B<-passout password>] -[B<-envpassout var>] +[B<-passout arg>] +[B<-sgckey>] [B<-des>] [B<-des3>] [B<-idea>] @@ -25,6 +24,7 @@ B B [B<-check>] [B<-pubin>] [B<-pubout>] +[B<-engine id>] =head1 DESCRIPTION @@ -44,9 +44,8 @@ This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. On input PKCS#8 format private -keys are also accepted. The B form is a format compatible with older Netscape -servers and MS IIS, this uses unsalted RC4 for its encryption. It is not very -secure and so should only be used when necessary. +keys are also accepted. The B form is a format is described in the B +section. =item B<-outform DER|NET|PEM> @@ -59,14 +58,10 @@ This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. -=item B<-passin password> +=item B<-passin arg> -the input file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. - -=item B<-envpassin var> - -read the input file password from the environment variable B. +the input file password source. For more information about the format of B +see the B section in L. =item B<-out filename> 
@@ -77,12 +72,13 @@ filename. =item B<-passout password> -the output file password. Since certain utilities like "ps" make the command line -visible this option should be used with caution. +the output file password source. For more information about the format of B +see the B section in L. -=item B<-envpassout var> +=item B<-sgckey> -read the output file password from the environment variable B. +use the modified NET algorithm used with some versions of Microsoft IIS and SGC +keys. =item B<-des|-des3|-idea> @@ -113,14 +109,21 @@ this option checks the consistency of an RSA private key. =item B<-pubin> -by default a private key is input file with this option a public key is input -instead. +by default a private key is read from the input file: with this +option a public key is read instead. =item B<-pubout> -by default a private key is output with this option a public -key will be output instead. This option is automatically set if the input is -a public key. +by default a private key is output: with this option a public +key will be output instead. This option is automatically set if +the input is a public key. + +=item B<-engine id> + +specifying an engine (by its unique B string) will cause B +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. =back 
@@ -131,30 +134,56 @@ The PEM private key format uses the header and footer lines: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- +The PEM public key format uses the header and footer lines: + + -----BEGIN PUBLIC KEY----- + -----END PUBLIC KEY----- + +The B form is a format compatible with older Netscape servers +and Microsoft IIS .key files, this uses unsalted RC4 for its encryption. +It is not very secure and so should only be used when necessary. + +Some newer version of IIS have additional data in the exported .key +files. To use these with the utility, view the file with a binary editor +and look for the string "private-key", then trace back to the byte +sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data +from this point onwards to another file and use that as the input +to the B utility with the B<-inform NET> option. If you get +an error after entering the password try the B<-sgckey> option. + =head1 EXAMPLES To remove the pass phrase on an RSA private key: -C + openssl rsa -in key.pem -out keyout.pem To encrypt a private key using triple DES: -C + openssl rsa -in key.pem -des3 -out keyout.pem To convert a private key from PEM to DER format: -C + openssl rsa -in key.pem -outform DER -out keyout.der To print out the components of a private key to standard output: -C + openssl rsa -in key.pem -text -noout To just output the public part of a private key: -C + openssl rsa -in key.pem -pubout -out pubkey.pem + +=head1 BUGS + +The command line password arguments don't currently work with +B format. + +There should be an option that automatically handles .key files, +without having to manually edit them. =head1 SEE ALSO -pkcs8(1), dsa(1), genrsa(1), gendsa(1) +L, L, L, +L =cut
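Review bot: in the B<-inform> hunk (@@ -44,9 +44,8 @@) the added sentence "The B form is a format is described in the B section." has two verbs and reads as a leftover from the removed "is a format compatible with older Netscape servers" wording. Drop "is a format" so the sentence simply says that the form is described in the later section.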
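Review bot: the B<-passin> hunk (@@ -59,14 +58,10 @@) removes the sentence warning that utilities like "ps" make the command line visible, and the replacement only points the reader to another section. Nothing visible in this patch shows the caution being carried over there, so I would keep a one-sentence warning beside B<-passin> (and the matching B<-passout> text) for readers who still supply the password directly on the command line.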
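Review bot: in the B<-passout> hunk (@@ -77,12 +72,13 @@) the item heading "=item B<-passout password>" is left as an unchanged context line, while the synopsis hunk renames the option to "[B<-passout arg>]" and the new description talks about the format of the argument. The heading should be changed to "=item B<-passout arg>" to match, as was done for B<-passin>.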
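Review bot: in the last hunk (@@ -131,30 +134,56 @@) the new BUGS entry says the command line password arguments do not work with that format, yet the added note on IIS .key files tells the reader to use B<-inform NET> and mentions "after entering the password" without saying the password has to be typed at the prompt. A short cross-reference to the BUGS entry there, or in the B<-passin>/B<-passout> items, would prevent people from trying the password options on those files. In the same paragraph, "Some newer version of IIS" should read "versions", and "IIS .key files, this uses unsalted RC4" is a comma splice that would read better as two sentences.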