OLD | NEW |
1 | 1 |
2 =pod | 2 =pod |
3 | 3 |
4 =head1 NAME | 4 =head1 NAME |
5 | 5 |
6 req - PKCS#10 certificate request and certificate generating utility. | 6 req - PKCS#10 certificate request and certificate generating utility. |
7 | 7 |
8 =head1 SYNOPSIS | 8 =head1 SYNOPSIS |
9 | 9 |
10 B<openssl> B<req> | 10 B<openssl> B<req> |
11 [B<-inform PEM|DER>] | 11 [B<-inform PEM|DER>] |
12 [B<-outform PEM|DER>] | 12 [B<-outform PEM|DER>] |
13 [B<-in filename>] | 13 [B<-in filename>] |
14 [B<-passin arg>] | 14 [B<-passin arg>] |
15 [B<-out filename>] | 15 [B<-out filename>] |
16 [B<-passout arg>] | 16 [B<-passout arg>] |
17 [B<-text>] | 17 [B<-text>] |
18 [B<-pubkey>] | 18 [B<-pubkey>] |
19 [B<-noout>] | 19 [B<-noout>] |
20 [B<-verify>] | 20 [B<-verify>] |
21 [B<-modulus>] | 21 [B<-modulus>] |
22 [B<-new>] | 22 [B<-new>] |
23 [B<-rand file(s)>] | 23 [B<-rand file(s)>] |
24 [B<-newkey rsa:bits>] | 24 [B<-newkey rsa:bits>] |
25 [B<-newkey dsa:file>] | 25 [B<-newkey alg:file>] |
26 [B<-nodes>] | 26 [B<-nodes>] |
27 [B<-key filename>] | 27 [B<-key filename>] |
28 [B<-keyform PEM|DER>] | 28 [B<-keyform PEM|DER>] |
29 [B<-keyout filename>] | 29 [B<-keyout filename>] |
30 [B<-[md5|sha1|md2|mdc2]>] | 30 [B<-keygen_engine id>] |
| 31 [B<-[digest]>] |
31 [B<-config filename>] | 32 [B<-config filename>] |
32 [B<-subj arg>] | 33 [B<-subj arg>] |
33 [B<-multivalue-rdn>] | 34 [B<-multivalue-rdn>] |
34 [B<-x509>] | 35 [B<-x509>] |
35 [B<-days n>] | 36 [B<-days n>] |
36 [B<-set_serial n>] | 37 [B<-set_serial n>] |
37 [B<-asn1-kludge>] | 38 [B<-asn1-kludge>] |
| 39 [B<-no-asn1-kludge>] |
38 [B<-newhdr>] | 40 [B<-newhdr>] |
39 [B<-extensions section>] | 41 [B<-extensions section>] |
40 [B<-reqexts section>] | 42 [B<-reqexts section>] |
41 [B<-utf8>] | 43 [B<-utf8>] |
42 [B<-nameopt>] | 44 [B<-nameopt>] |
| 45 [B<-reqopt>] |
| 46 [B<-subject>] |
| 47 [B<-subj arg>] |
43 [B<-batch>] | 48 [B<-batch>] |
44 [B<-verbose>] | 49 [B<-verbose>] |
45 [B<-engine id>] | 50 [B<-engine id>] |
46 | 51 |
47 =head1 DESCRIPTION | 52 =head1 DESCRIPTION |
48 | 53 |
49 The B<req> command primarily creates and processes certificate requests | 54 The B<req> command primarily creates and processes certificate requests |
50 in PKCS#10 format. It can additionally create self signed certificates | 55 in PKCS#10 format. It can additionally create self signed certificates |
51 for use as root CAs for example. | 56 for use as root CAs for example. |
52 | 57 |
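Review bot: the SYNOPSIS now lists `[B<-subj arg>]` twice (once after `[B<-config filename>]`, again after `[B<-subject>]`); drop one. It also omits B<-pkeyopt opt:value>, which this change documents in the options list below, and `[B<-reqopt>]` is shown without its argument although its description refers to "The B<option> argument"; suggest adding `[B<-pkeyopt opt:value>]` and changing the entry to `[B<-reqopt option>]`.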
(...skipping 31 matching lines...)
84 | 89 |
85 =item B<-passout arg> | 90 =item B<-passout arg> |
86 | 91 |
87 the output file password source. For more information about the format of B<arg> | 92 the output file password source. For more information about the format of B<arg> |
88 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | 93 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
89 | 94 |
90 =item B<-text> | 95 =item B<-text> |
91 | 96 |
92 prints out the certificate request in text form. | 97 prints out the certificate request in text form. |
93 | 98 |
| 99 =item B<-subject> |
| 100 |
| 101 prints out the request subject (or certificate subject if B<-x509> is |
| 102 specified) |
| 103 |
94 =item B<-pubkey> | 104 =item B<-pubkey> |
95 | 105 |
96 outputs the public key. | 106 outputs the public key. |
97 | 107 |
98 =item B<-noout> | 108 =item B<-noout> |
99 | 109 |
100 this option prevents output of the encoded version of the request. | 110 this option prevents output of the encoded version of the request. |
101 | 111 |
102 =item B<-modulus> | 112 =item B<-modulus> |
103 | 113 |
104 this option prints out the value of the modulus of the public key | 114 this option prints out the value of the modulus of the public key |
105 contained in the request. | 115 contained in the request. |
106 | 116 |
107 =item B<-verify> | 117 =item B<-verify> |
108 | 118 |
109 verifies the signature on the request. | 119 verifies the signature on the request. |
110 | 120 |
111 =item B<-new> | 121 =item B<-new> |
112 | 122 |
113 this option generates a new certificate request. It will prompt | 123 this option generates a new certificate request. It will prompt |
114 the user for the relevant field values. The actual fields | 124 the user for the relevant field values. The actual fields |
115 prompted for and their maximum and minimum sizes are specified | 125 prompted for and their maximum and minimum sizes are specified |
116 in the configuration file and any requested extensions. | 126 in the configuration file and any requested extensions. |
117 | 127 |
118 If the B<-key> option is not used it will generate a new RSA private | 128 If the B<-key> option is not used it will generate a new RSA private |
119 key using information specified in the configuration file. | 129 key using information specified in the configuration file. |
120 | 130 |
| 131 =item B<-subj arg> |
| 132 |
| 133 Replaces subject field of input request with specified data and outputs |
| 134 modified request. The arg must be formatted as |
| 135 I</type0=value0/type1=value1/type2=...>, |
| 136 characters may be escaped by \ (backslash), no spaces are skipped. |
| 137 |
121 =item B<-rand file(s)> | 138 =item B<-rand file(s)> |
122 | 139 |
123 a file or files containing random data used to seed the random number | 140 a file or files containing random data used to seed the random number |
124 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | 141 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
125 Multiple files can be specified separated by a OS-dependent character. | 142 Multiple files can be specified separated by a OS-dependent character. |
126 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | 143 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
127 all others. | 144 all others. |
128 | 145 |
129 =item B<-newkey arg> | 146 =item B<-newkey arg> |
130 | 147 |
131 this option creates a new certificate request and a new private | 148 this option creates a new certificate request and a new private |
132 key. The argument takes one of two forms. B<rsa:nbits>, where | 149 key. The argument takes one of several forms. B<rsa:nbits>, where |
133 B<nbits> is the number of bits, generates an RSA key B<nbits> | 150 B<nbits> is the number of bits, generates an RSA key B<nbits> |
134 in size. B<dsa:filename> generates a DSA key using the parameters | 151 in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified, |
135 in the file B<filename>. | 152 the default key size, specified in the configuration file is used. |
| 153 |
| 154 All other algorithms support the B<-newkey alg:file> form, where file may be |
| 155 an algorithm parameter file, created by the B<genpkey -genparam> command |
| 156 or and X.509 certificate for a key with approriate algorithm. |
| 157 |
| 158 B<param:file> generates a key using the parameter file or certificate B<file>, |
| 159 the algorithm is determined by the parameters. B<algname:file> use algorithm |
| 160 B<algname> and parameter file B<file>: the two algorithms must match or an |
| 161 error occurs. B<algname> just uses algorithm B<algname>, and parameters, |
| 162 if neccessary should be specified via B<-pkeyopt> parameter. |
| 163 |
| 164 B<dsa:filename> generates a DSA key using the parameters |
| 165 in the file B<filename>. B<ec:filename> generates EC key (usable both with |
| 166 ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R |
| 167 34.10-2001 key (requires B<ccgost> engine configured in the configuration |
| 168 file). If just B<gost2001> is specified a parameter set should be |
| 169 specified by B<-pkeyopt paramset:X> |
| 170 |
| 171 |
| 172 =item B<-pkeyopt opt:value> |
| 173 |
| 174 set the public key algorithm option B<opt> to B<value>. The precise set of |
| 175 options supported depends on the public key algorithm used and its |
| 176 implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page |
| 177 for more details. |
136 | 178 |
137 =item B<-key filename> | 179 =item B<-key filename> |
138 | 180 |
139 This specifies the file to read the private key from. It also | 181 This specifies the file to read the private key from. It also |
140 accepts PKCS#8 format private keys for PEM format files. | 182 accepts PKCS#8 format private keys for PEM format files. |
141 | 183 |
142 =item B<-keyform PEM|DER> | 184 =item B<-keyform PEM|DER> |
143 | 185 |
144 the format of the private key file specified in the B<-key> | 186 the format of the private key file specified in the B<-key> |
145 argument. PEM is the default. | 187 argument. PEM is the default. |
146 | 188 |
147 =item B<-keyout filename> | 189 =item B<-keyout filename> |
148 | 190 |
149 this gives the filename to write the newly created private key to. | 191 this gives the filename to write the newly created private key to. |
150 If this option is not specified then the filename present in the | 192 If this option is not specified then the filename present in the |
151 configuration file is used. | 193 configuration file is used. |
152 | 194 |
153 =item B<-nodes> | 195 =item B<-nodes> |
154 | 196 |
155 if this option is specified then if a private key is created it | 197 if this option is specified then if a private key is created it |
156 will not be encrypted. | 198 will not be encrypted. |
157 | 199 |
158 =item B<-[md5|sha1|md2|mdc2]> | 200 =item B<-[digest]> |
159 | 201 |
160 this specifies the message digest to sign the request with. This | 202 this specifies the message digest to sign the request with (such as |
161 overrides the digest algorithm specified in the configuration file. | 203 B<-md5>, B<-sha1>). This overrides the digest algorithm specified in |
162 This option is ignored for DSA requests: they always use SHA1. | 204 the configuration file. |
| 205 |
| 206 Some public key algorithms may override this choice. For instance, DSA |
| 207 signatures always use SHA1, GOST R 34.10 signatures always use |
| 208 GOST R 34.11-94 (B<-md_gost94>). |
163 | 209 |
164 =item B<-config filename> | 210 =item B<-config filename> |
165 | 211 |
166 this allows an alternative configuration file to be specified, | 212 this allows an alternative configuration file to be specified, |
167 this overrides the compile time filename or any specified in | 213 this overrides the compile time filename or any specified in |
168 the B<OPENSSL_CONF> environment variable. | 214 the B<OPENSSL_CONF> environment variable. |
169 | 215 |
170 =item B<-subj arg> | 216 =item B<-subj arg> |
171 | 217 |
172 sets subject name for new request or supersedes the subject name | 218 sets subject name for new request or supersedes the subject name |
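Review bot: this hunk adds a second `=item B<-subj arg>` ("Replaces subject field of input request with specified data...") while the existing `=item B<-subj arg>` ("sets subject name for new request or supersedes the subject name...") further down is kept, so the option is documented twice with overlapping text; merge the new wording into the existing item. The new B<-newkey> paragraphs also carry typos: "or and X.509 certificate for a key with approriate algorithm" should read "or an X.509 certificate for a key with an appropriate algorithm", "if neccessary" should be "if necessary", "B<algname:file> use algorithm" should be "uses algorithm", and the sentence ending "B<-pkeyopt paramset:X>" lacks a full stop; the two blank lines after it can be collapsed to one.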
(...skipping 47 matching lines...)
220 values, whether prompted from a terminal or obtained from a | 266 values, whether prompted from a terminal or obtained from a |
221 configuration file, must be valid UTF8 strings. | 267 configuration file, must be valid UTF8 strings. |
222 | 268 |
223 =item B<-nameopt option> | 269 =item B<-nameopt option> |
224 | 270 |
225 option which determines how the subject or issuer names are displayed. The | 271 option which determines how the subject or issuer names are displayed. The |
226 B<option> argument can be a single option or multiple options separated by | 272 B<option> argument can be a single option or multiple options separated by |
227 commas. Alternatively the B<-nameopt> switch may be used more than once to | 273 commas. Alternatively the B<-nameopt> switch may be used more than once to |
228 set multiple options. See the L<x509(1)|x509(1)> manual page for details. | 274 set multiple options. See the L<x509(1)|x509(1)> manual page for details. |
229 | 275 |
| 276 =item B<-reqopt> |
| 277 |
| 278 customise the output format used with B<-text>. The B<option> argument can be |
| 279 a single option or multiple options separated by commas. |
| 280 |
| 281 See discission of the B<-certopt> parameter in the L<B<x509>|x509(1)> |
| 282 command. |
| 283 |
| 284 |
230 =item B<-asn1-kludge> | 285 =item B<-asn1-kludge> |
231 | 286 |
232 by default the B<req> command outputs certificate requests containing | 287 by default the B<req> command outputs certificate requests containing |
233 no attributes in the correct PKCS#10 format. However certain CAs will only | 288 no attributes in the correct PKCS#10 format. However certain CAs will only |
234 accept requests containing no attributes in an invalid form: this | 289 accept requests containing no attributes in an invalid form: this |
235 option produces this invalid format. | 290 option produces this invalid format. |
236 | 291 |
237 More precisely the B<Attributes> in a PKCS#10 certificate request | 292 More precisely the B<Attributes> in a PKCS#10 certificate request |
238 are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so | 293 are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so |
239 if no attributes are present then they should be encoded as an | 294 if no attributes are present then they should be encoded as an |
240 empty B<SET OF>. The invalid form does not include the empty | 295 empty B<SET OF>. The invalid form does not include the empty |
241 B<SET OF> whereas the correct form does. | 296 B<SET OF> whereas the correct form does. |
242 | 297 |
243 It should be noted that very few CAs still require the use of this option. | 298 It should be noted that very few CAs still require the use of this option. |
244 | 299 |
| 300 =item B<-no-asn1-kludge> |
| 301 |
| 302 Reverses effect of B<-asn1-kludge> |
| 303 |
245 =item B<-newhdr> | 304 =item B<-newhdr> |
246 | 305 |
247 Adds the word B<NEW> to the PEM file header and footer lines on the outputed | 306 Adds the word B<NEW> to the PEM file header and footer lines on the outputed |
248 request. Some software (Netscape certificate server) and some CAs need this. | 307 request. Some software (Netscape certificate server) and some CAs need this. |
249 | 308 |
250 =item B<-batch> | 309 =item B<-batch> |
251 | 310 |
252 non-interactive mode. | 311 non-interactive mode. |
253 | 312 |
254 =item B<-verbose> | 313 =item B<-verbose> |
255 | 314 |
256 print extra details about the operations being performed. | 315 print extra details about the operations being performed. |
257 | 316 |
258 =item B<-engine id> | 317 =item B<-engine id> |
259 | 318 |
260 specifying an engine (by it's unique B<id> string) will cause B<req> | 319 specifying an engine (by its unique B<id> string) will cause B<req> |
261 to attempt to obtain a functional reference to the specified engine, | 320 to attempt to obtain a functional reference to the specified engine, |
262 thus initialising it if needed. The engine will then be set as the default | 321 thus initialising it if needed. The engine will then be set as the default |
263 for all available algorithms. | 322 for all available algorithms. |
264 | 323 |
| 324 =item B<-keygen_engine id> |
| 325 |
| 326 specifies an engine (by its unique B<id> string) which would be used |
| 327 for key generation operations. |
| 328 |
265 =back | 329 =back |
266 | 330 |
267 =head1 CONFIGURATION FILE FORMAT | 331 =head1 CONFIGURATION FILE FORMAT |
268 | 332 |
269 The configuration options are specified in the B<req> section of | 333 The configuration options are specified in the B<req> section of |
270 the configuration file. As with all configuration files if no | 334 the configuration file. As with all configuration files if no |
271 value is specified in the specific section (i.e. B<req>) then | 335 value is specified in the specific section (i.e. B<req>) then |
272 the initial unnamed or B<default> section is searched too. | 336 the initial unnamed or B<default> section is searched too. |
273 | 337 |
274 The options available are described in detail below. | 338 The options available are described in detail below. |
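Review bot: "discission" in the new B<-reqopt> item should be "discussion", and the heading `=item B<-reqopt>` should name its argument (`=item B<-reqopt option>`) since the text refers to "The B<option> argument"; the double blank line before `=item B<-asn1-kludge>` can be collapsed. In B<-no-asn1-kludge>, "Reverses effect of B<-asn1-kludge>" needs a terminating full stop, and in B<-keygen_engine>, "which would be used" reads better as "which will be used".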
(...skipping 62 matching lines...)
337 be used. This follows the PKIX recommendation in RFC2459. If the | 401 be used. This follows the PKIX recommendation in RFC2459. If the |
338 B<utf8only> option is used then only UTF8Strings will be used: this | 402 B<utf8only> option is used then only UTF8Strings will be used: this |
339 is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr> | 403 is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr> |
340 option just uses PrintableStrings and T61Strings: certain software has | 404 option just uses PrintableStrings and T61Strings: certain software has |
341 problems with BMPStrings and UTF8Strings: in particular Netscape. | 405 problems with BMPStrings and UTF8Strings: in particular Netscape. |
342 | 406 |
343 =item B<req_extensions> | 407 =item B<req_extensions> |
344 | 408 |
345 this specifies the configuration file section containing a list of | 409 this specifies the configuration file section containing a list of |
346 extensions to add to the certificate request. It can be overridden | 410 extensions to add to the certificate request. It can be overridden |
347 by the B<-reqexts> command line switch. | 411 by the B<-reqexts> command line switch. See the |
| 412 L<x509v3_config(5)|x509v3_config(5)> manual page for details of the |
| 413 extension section format. |
348 | 414 |
349 =item B<x509_extensions> | 415 =item B<x509_extensions> |
350 | 416 |
351 this specifies the configuration file section containing a list of | 417 this specifies the configuration file section containing a list of |
352 extensions to add to certificate generated when the B<-x509> switch | 418 extensions to add to certificate generated when the B<-x509> switch |
353 is used. It can be overridden by the B<-extensions> command line switch. | 419 is used. It can be overridden by the B<-extensions> command line switch. |
354 | 420 |
355 =item B<prompt> | 421 =item B<prompt> |
356 | 422 |
357 if set to the value B<no> this disables prompting of certificate fields | 423 if set to the value B<no> this disables prompting of certificate fields |
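Review bot: the cross-reference to L<x509v3_config(5)|x509v3_config(5)> added to B<req_extensions> should also be added to the B<x509_extensions> item immediately below it, which uses the same extension section format but still has no pointer to where that format is documented.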
(...skipping 241 matching lines...)
599 and MSIE then you currently need to use the invalid T61String form. | 665 and MSIE then you currently need to use the invalid T61String form. |
600 | 666 |
601 The current prompting is not very friendly. It doesn't allow you to confirm what | 667 The current prompting is not very friendly. It doesn't allow you to confirm what |
602 you've just entered. Other things like extensions in certificate requests are | 668 you've just entered. Other things like extensions in certificate requests are |
603 statically defined in the configuration file. Some of these: like an email | 669 statically defined in the configuration file. Some of these: like an email |
604 address in subjectAltName should be input by the user. | 670 address in subjectAltName should be input by the user. |
605 | 671 |
606 =head1 SEE ALSO | 672 =head1 SEE ALSO |
607 | 673 |
608 L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, | 674 L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, |
609 L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)> | 675 L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>, |
| 676 L<x509v3_config(5)|x509v3_config(5)> |
610 | 677 |
611 =cut | 678 =cut |
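Review bot: the new B<-pkeyopt> text refers readers to B<KEY GENERATION OPTIONS> in the B<genpkey> manual page, but SEE ALSO is only extended with L<x509v3_config(5)|x509v3_config(5)>; add L<genpkey(1)|genpkey(1)> there as well so the reference resolves.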