Submitted by:
Reviewed by:
PR:
13 files changed:
-This is *very* preliminiary documentation for some
+This is *very* preliminary documentation for some
of the main commands in the openssl utility. The
information reflects the way the commands may work
when OpenSSL 0.9.5 is released. They are subject
of the main commands in the openssl utility. The
information reflects the way the commands may work
when OpenSSL 0.9.5 is released. They are subject
-don't ouput the parsed version of the input file.
+don't output the parsed version of the input file.
-the password used to encrrypt the private key. Since on some
+the password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
Normally the DN order of a certificate is the same as the order of the
fields in the relevant policy section. When this option is set the order
Normally the DN order of a certificate is the same as the order of the
fields in the relevant policy section. When this option is set the order
-is the same as the request. This is largely for compatability with the
+is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
=head1 FILES
Note: the location of all files can change either by compile time options,
=head1 FILES
Note: the location of all files can change either by compile time options,
-configration file entries, environment variables or command line options.
+configuration file entries, environment variables or command line options.
The values below reflect the default values.
/usr/local/ssl/lib/openssl.cnf - master configuration file
The values below reflect the default values.
/usr/local/ssl/lib/openssl.cnf - master configuration file
-config - OpenSSL CONF library configuaration files
+config - OpenSSL CONF library configuration files
-The OpenSSL CONF library can be used to read confiuration files.
+The OpenSSL CONF library can be used to read configuration files.
It is used for the OpenSSL master configuration file B<openssl.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility.
It is used for the OpenSSL master configuration file B<openssl.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility.
including the form B<$var> or B<${var}>: this will substitute the value
of the named variable in the current section. It is also possible to
substitute a value from another section using the syntax B<$section::name>
including the form B<$var> or B<${var}>: this will substitute the value
of the named variable in the current section. It is also possible to
substitute a value from another section using the syntax B<$section::name>
-or B<${section::name}>. By using the form B<$ENV::name> environement
+or B<${section::name}>. By using the form B<$ENV::name> environment
variables can be substituted. It is also possible to assign values to
environment variables by using the name B<ENV::name>, this will work
if the program looks up environment variables using the B<CONF> library
variables can be substituted. It is also possible to assign values to
environment variables by using the name B<ENV::name>, this will work
if the program looks up environment variables using the B<CONF> library
-If a configuration file attempts to expand a varible that doesn't exist
+If a configuration file attempts to expand a variable that doesn't exist
then an error is flagged and the file will not load. This can happen
if an attempt is made to expand an environment variable that doesn't
exist. For example the default OpenSSL master configuration file used
then an error is flagged and the file will not load. This can happen
if an attempt is made to expand an environment variable that doesn't
exist. For example the default OpenSSL master configuration file used
=head1 NAME
dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
=head1 NAME
dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
=head1 NAME
enc - symmetric cipher routines
=head1 NAME
enc - symmetric cipher routines
-The symmetric cipher commands allow data to be encrytped or decrypted
+The symmetric cipher commands allow data to be encrypted or decrypted
using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
=item B<-salt>
use a salt in the key derivation routines. This option should B<ALWAYS>
=item B<-salt>
use a salt in the key derivation routines. This option should B<ALWAYS>
-be used unless compatability with previous versions of OpenSSL or SSLeay
+be used unless compatibility with previous versions of OpenSSL or SSLeay
is required. This option is only present on OpenSSL versions 0.9.5 or
above.
=item B<-nosalt>
don't use a salt in the key derivation routines. This is the default for
is required. This option is only present on OpenSSL versions 0.9.5 or
above.
=item B<-nosalt>
don't use a salt in the key derivation routines. This is the default for
-compatability with previous versions of OpenSSL and SSLeay.
+compatibility with previous versions of OpenSSL and SSLeay.
A password will be prompted for to derive the key and IV if necessary.
The B<-salt> option should B<ALWAYS> be used if the key is being derived
A password will be prompted for to derive the key and IV if necessary.
The B<-salt> option should B<ALWAYS> be used if the key is being derived
-from a password unless you want compatability with previous versions of
+from a password unless you want compatibility with previous versions of
OpenSSL and SSLeay.
Without the B<-salt> option it is possible to perform efficient dictionary
OpenSSL and SSLeay.
Without the B<-salt> option it is possible to perform efficient dictionary
bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
- bf-cfb Blowish in CFB mode
+ bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode
A Netscape certificate sequence is a Netscape specific form that can be sent
to browsers as an alternative to the standard PKCS#7 format when several
A Netscape certificate sequence is a Netscape specific form that can be sent
to browsers as an alternative to the standard PKCS#7 format when several
-certificates are sent to the browser: for example during certificate erollment.
+certificates are sent to the browser: for example during certificate enrollment.
It is used by Netscape certificate server for example.
=head1 BUGS
It is used by Netscape certificate server for example.
=head1 BUGS
in use and other details such as the iteration count.
PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
in use and other details such as the iteration count.
PKCS#8 using triple DES and PKCS#5 v2.0 should be the default private
-key format for OpenSSL: for compatability several of the utilities use
+key format for OpenSSL: for compatibility several of the utilities use
the old format at present.
=head1 SEE ALSO
the old format at present.
=head1 SEE ALSO
=head1 CONFIGURATION FILE FORMAT
=head1 CONFIGURATION FILE FORMAT
-The configuation options are specified in the B<req> section of
+The configuration options are specified in the B<req> section of
the configuration file. As with all configuration files if no
value is specified in the specific section (i.e. B<req>) then
the initial unnamed or B<default> section is searched too.
the configuration file. As with all configuration files if no
value is specified in the specific section (i.e. B<req>) then
the initial unnamed or B<default> section is searched too.
This specifies the default key size in bits. If not specified then
512 is used. It is used if the B<-new> option is used. It can be
This specifies the default key size in bits. If not specified then
512 is used. It is used if the B<-new> option is used. It can be
-overriden by using the B<-newkey> option.
+overridden by using the B<-newkey> option.
=item B<default_keyfile>
This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
=item B<default_keyfile>
This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
-overriden by the B<-keyout> option.
+overridden by the B<-keyout> option.
If this is set to B<no> then if a private key is generated it is
B<not> encrypted. This is equivalent to the B<-nodes> command line
If this is set to B<no> then if a private key is generated it is
B<not> encrypted. This is equivalent to the B<-nodes> command line
-option. For compatability B<encrypt_rsai_key> is an equivalent option.
+option. For compatibility B<encrypt_rsai_key> is an equivalent option.
this specifies the section containing any request attributes: its format
is the same as B<distinguished_name> described below. Typically these
may contain the challengePassword or unstructuredName types. They are
this specifies the section containing any request attributes: its format
is the same as B<distinguished_name> described below. Typically these
may contain the challengePassword or unstructuredName types. They are
-currently ignored by OpenSSLs request signing utilities but some CAs
+currently ignored by OpenSSL's request signing utilities but some CAs
might want them.
=item B<distinguished_name>
might want them.
=item B<distinguished_name>
-This specifies the section containing the distiguished name fields to
+This specifies the section containing the distinguished name fields to
prompt for when generating a certificate or certificate request. This
consists of lines of the form:
prompt for when generating a certificate or certificate request. This
consists of lines of the form:
fieldName_max= 4
"fieldName" is the field name being used, for example commonName (or CN).
fieldName_max= 4
"fieldName" is the field name being used, for example commonName (or CN).
-The "prompt" string is used to ask the user to enter the relvant
+The "prompt" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
-certficates or requests however does need a configuration file. This
+certificates or requests however does need a configuration file. This
could be regarded as a bug.
Another puzzling message is this:
could be regarded as a bug.
Another puzzling message is this:
The variable B<OPENSSL_CONF> if defined allows an alternative configuration
file location to be specified, it will be overridden by the B<-config> command
The variable B<OPENSSL_CONF> if defined allows an alternative configuration
file location to be specified, it will be overridden by the B<-config> command
-line switch if it is present. For compatability reasons the B<SSLEAY_CONF>
+line switch if it is present. For compatibility reasons the B<SSLEAY_CONF>
environment variable serves the same purpose but its use is discouraged.
=head1 BUGS
environment variable serves the same purpose but its use is discouraged.
=head1 BUGS
-OpenSSLs handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as ISO-8859-1 (latin 1), Netscape and MSIE have similar behaviour.
+OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
+treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
-do not do chain verification of signers certfificates: that is don't
+do not do chain verification of signers certificates: that is don't
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
use the certificates in the signed message as untrusted CAs.
=item B<-nosigs>
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
-choke if a message contains mutiple signers. It is possible to sign
+choke if a message contains multiple signers. It is possible to sign
messages "in parallel" by signing an already signed message.
The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
messages "in parallel" by signing an already signed message.
The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
-the message was verified correctly but an error occured writing out
+the message was verified correctly but an error occurred writing out
the signers certificates.
=back
the signers certificates.
=back
Print out the contents of an SPKAC:
Print out the contents of an SPKAC:
- openssl spkac -in skpac.cnf
+ openssl spkac -in spkac.cnf
Verify the signature of an SPKAC:
Verify the signature of an SPKAC:
- openssl spkac -in skpac.cnf -noout -verify
+ openssl spkac -in spkac.cnf -noout -verify
Create an SPKAC using the challenge string "hello":
Create an SPKAC using the challenge string "hello":
matches the issuer name of the current certificate. If a certificate is found
whose subject and issuer names are identical it is assumed to be the root CA.
The lookup first looks in the list of untrusted certificates and if no match
matches the issuer name of the current certificate. If a certificate is found
whose subject and issuer names are identical it is assumed to be the root CA.
The lookup first looks in the list of untrusted certificates and if no match
-is found the remaining lookups are from the trusted certficates. The root CA
+is found the remaining lookups are from the trusted certificates. The root CA
is always looked up in the trusted certificate list: if the certificate to
verify is a root certificate then an exact match must be found in the trusted
list.
is always looked up in the trusted certificate list: if the certificate to
verify is a root certificate then an exact match must be found in the trusted
list.
the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
The third operation is to check the trust settings on the root CA. The root
the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
The third operation is to check the trust settings on the root CA. The root
-CA should be trusted for the supplied purpose. For compatability with previous
+CA should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is considered
to be valid for all purposes.
versions of SSLeay and OpenSSL a certificate with no trust settings is considered
to be valid for all purposes.
could not be determined rather than it not matching the expected value, this is only
meaningful for RSA keys.
could not be determined rather than it not matching the expected value, this is only
meaningful for RSA keys.
-=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's's signature>
+=item B<5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
the CRL signature could not be decrypted: this means that the actual signature value
could not be determined rather than it not matching the expected value. Unused.
the CRL signature could not be decrypted: this means that the actual signature value
could not be determined rather than it not matching the expected value. Unused.
=item B<17 X509_V_ERR_OUT_OF_MEM: out of memory>
=item B<17 X509_V_ERR_OUT_OF_MEM: out of memory>
-an error occured trying to allocate memory. This should never happen.
+an error occurred trying to allocate memory. This should never happen.
=item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
=item B<18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
=head1 DISPLAY OPTIONS
Note: the B<-alias> and B<-purpose> options are also display options
=head1 DISPLAY OPTIONS
Note: the B<-alias> and B<-purpose> options are also display options
-but are desribed in the B<TRUST OPTIONS> section.
+but are described in the B<TRUST OPTIONS> section.
=item B<-setalias arg>
sets the alias of the certificate. This will allow the certificate
=item B<-setalias arg>
sets the alias of the certificate. This will allow the certificate
-to be reffered to using a nickname for example "Steve's Certificate".
+to be referred to using a nickname for example "Steve's Certificate".
openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
-Sign a certificate request using the CA certifcate above and add user
+Sign a certificate request using the CA certificate above and add user
certificate extensions:
openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
certificate extensions:
openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
projects / openssl.git / commitdiff