OLD | NEW |
(Empty) | |
| 1 =pod |
| 2 |
| 3 =head1 NAME |
| 4 |
| 5 ts - Time Stamping Authority tool (client/server) |
| 6 |
| 7 =head1 SYNOPSIS |
| 8 |
| 9 B<openssl> B<ts> |
| 10 B<-query> |
| 11 [B<-rand> file:file...] |
| 12 [B<-config> configfile] |
| 13 [B<-data> file_to_hash] |
| 14 [B<-digest> digest_bytes] |
| 15 [B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>] |
| 16 [B<-policy> object_id] |
| 17 [B<-no_nonce>] |
| 18 [B<-cert>] |
| 19 [B<-in> request.tsq] |
| 20 [B<-out> request.tsq] |
| 21 [B<-text>] |
| 22 |
| 23 B<openssl> B<ts> |
| 24 B<-reply> |
| 25 [B<-config> configfile] |
| 26 [B<-section> tsa_section] |
| 27 [B<-queryfile> request.tsq] |
| 28 [B<-passin> password_src] |
| 29 [B<-signer> tsa_cert.pem] |
| 30 [B<-inkey> private.pem] |
| 31 [B<-chain> certs_file.pem] |
| 32 [B<-policy> object_id] |
| 33 [B<-in> response.tsr] |
| 34 [B<-token_in>] |
| 35 [B<-out> response.tsr] |
| 36 [B<-token_out>] |
| 37 [B<-text>] |
| 38 [B<-engine> id] |
| 39 |
| 40 B<openssl> B<ts> |
| 41 B<-verify> |
| 42 [B<-data> file_to_hash] |
| 43 [B<-digest> digest_bytes] |
| 44 [B<-queryfile> request.tsq] |
| 45 [B<-in> response.tsr] |
| 46 [B<-token_in>] |
| 47 [B<-CApath> trusted_cert_path] |
| 48 [B<-CAfile> trusted_certs.pem] |
| 49 [B<-untrusted> cert_file.pem] |
| 50 |
| 51 =head1 DESCRIPTION |
| 52 |
| 53 The B<ts> command is a basic Time Stamping Authority (TSA) client and server |
| 54 application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A |
| 55 TSA can be part of a PKI deployment and its role is to provide long |
| 56 term proof of the existence of a certain datum before a particular |
| 57 time. Here is a brief description of the protocol: |
| 58 |
| 59 =over 4 |
| 60 |
| 61 =item 1. |
| 62 |
| 63 The TSA client computes a one-way hash value for a data file and sends |
| 64 the hash to the TSA. |
| 65 |
| 66 =item 2. |
| 67 |
| 68 The TSA attaches the current date and time to the received hash value, |
| 69 signs them and sends the time stamp token back to the client. By |
| 70 creating this token the TSA certifies the existence of the original |
| 71 data file at the time of response generation. |
| 72 |
| 73 =item 3. |
| 74 |
| 75 The TSA client receives the time stamp token and verifies the |
| 76 signature on it. It also checks if the token contains the same hash |
| 77 value that it had sent to the TSA. |
| 78 |
| 79 =back |
| 80 |
| 81 There is one DER encoded protocol data unit defined for transporting a time |
| 82 stamp request to the TSA and one for sending the time stamp response |
| 83 back to the client. The B<ts> command has three main functions: |
| 84 creating a time stamp request based on a data file, |
| 85 creating a time stamp response based on a request, verifying if a |
| 86 response corresponds to a particular request or a data file. |
| 87 |
| 88 There is no support for sending the requests/responses automatically |
| 89 over HTTP or TCP yet as suggested in RFC 3161. The users must send the |
| 90 requests either by ftp or e-mail. |
| 91 |
| 92 =head1 OPTIONS |
| 93 |
| 94 =head2 Time Stamp Request generation |
| 95 |
| 96 The B<-query> switch can be used for creating and printing a time stamp |
| 97 request with the following options: |
| 98 |
| 99 =over 4 |
| 100 |
| 101 =item B<-rand> file:file... |
| 102 |
| 103 The files containing random data for seeding the random number |
| 104 generator. Multiple files can be specified, the separator is B<;> for |
| 105 MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional) |
| 106 |
| 107 =item B<-config> configfile |
| 108 |
| 109 The configuration file to use, this option overrides the |
| 110 B<OPENSSL_CONF> environment variable. Only the OID section |
| 111 of the config file is used with the B<-query> command. (Optional) |
| 112 |
| 113 =item B<-data> file_to_hash |
| 114 |
| 115 The data file for which the time stamp request needs to be |
| 116 created. stdin is the default if neither the B<-data> nor the B<-digest> |
| 117 parameter is specified. (Optional) |
| 118 |
| 119 =item B<-digest> digest_bytes |
| 120 |
| 121 It is possible to specify the message imprint explicitly without the data |
| 122 file. The imprint must be specified in a hexadecimal format, two characters |
| 123 per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or |
| 124 1AF601...). The number of bytes must match the message digest algorithm |
| 125 in use. (Optional) |
| 126 |
| 127 =item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...> |
| 128 |
| 129 The message digest to apply to the data file, it supports all the message |
| 130 digest algorithms that are supported by the openssl B<dgst> command. |
| 131 The default is SHA-1. (Optional) |
| 132 |
| 133 =item B<-policy> object_id |
| 134 |
| 135 The policy that the client expects the TSA to use for creating the |
| 136 time stamp token. Either the dotted OID notation or OID names defined |
| 137 in the config file can be used. If no policy is requested the TSA will |
| 138 use its own default policy. (Optional) |
| 139 |
| 140 =item B<-no_nonce> |
| 141 |
| 142 No nonce is specified in the request if this option is |
| 143 given. Otherwise a 64 bit long pseudo-random none is |
| 144 included in the request. It is recommended to use nonce to |
| 145 protect against replay-attacks. (Optional) |
| 146 |
| 147 =item B<-cert> |
| 148 |
| 149 The TSA is expected to include its signing certificate in the |
| 150 response. (Optional) |
| 151 |
| 152 =item B<-in> request.tsq |
| 153 |
| 154 This option specifies a previously created time stamp request in DER |
| 155 format that will be printed into the output file. Useful when you need |
| 156 to examine the content of a request in human-readable |
| 157 |
| 158 format. (Optional) |
| 159 |
| 160 =item B<-out> request.tsq |
| 161 |
| 162 Name of the output file to which the request will be written. Default |
| 163 is stdout. (Optional) |
| 164 |
| 165 =item B<-text> |
| 166 |
| 167 If this option is specified the output is human-readable text format |
| 168 instead of DER. (Optional) |
| 169 |
| 170 =back |
| 171 |
| 172 =head2 Time Stamp Response generation |
| 173 |
| 174 A time stamp response (TimeStampResp) consists of a response status |
| 175 and the time stamp token itself (ContentInfo), if the token generation was |
| 176 successful. The B<-reply> command is for creating a time stamp |
| 177 response or time stamp token based on a request and printing the |
| 178 response/token in human-readable format. If B<-token_out> is not |
| 179 specified the output is always a time stamp response (TimeStampResp), |
| 180 otherwise it is a time stamp token (ContentInfo). |
| 181 |
| 182 =over 4 |
| 183 |
| 184 =item B<-config> configfile |
| 185 |
| 186 The configuration file to use, this option overrides the |
| 187 B<OPENSSL_CONF> environment variable. See B<CONFIGURATION FILE |
| 188 OPTIONS> for configurable variables. (Optional) |
| 189 |
| 190 =item B<-section> tsa_section |
| 191 |
| 192 The name of the config file section conatining the settings for the |
| 193 response generation. If not specified the default TSA section is |
| 194 used, see B<CONFIGURATION FILE OPTIONS> for details. (Optional) |
| 195 |
| 196 =item B<-queryfile> request.tsq |
| 197 |
| 198 The name of the file containing a DER encoded time stamp request. (Optional) |
| 199 |
| 200 =item B<-passin> password_src |
| 201 |
| 202 Specifies the password source for the private key of the TSA. See |
| 203 B<PASS PHRASE ARGUMENTS> in L<openssl(1)|openssl(1)>. (Optional) |
| 204 |
| 205 =item B<-signer> tsa_cert.pem |
| 206 |
| 207 The signer certificate of the TSA in PEM format. The TSA signing |
| 208 certificate must have exactly one extended key usage assigned to it: |
| 209 timeStamping. The extended key usage must also be critical, otherwise |
| 210 the certificate is going to be refused. Overrides the B<signer_cert> |
| 211 variable of the config file. (Optional) |
| 212 |
| 213 =item B<-inkey> private.pem |
| 214 |
| 215 The signer private key of the TSA in PEM format. Overrides the |
| 216 B<signer_key> config file option. (Optional) |
| 217 |
| 218 =item B<-chain> certs_file.pem |
| 219 |
| 220 The collection of certificates in PEM format that will all |
| 221 be included in the response in addition to the signer certificate if |
| 222 the B<-cert> option was used for the request. This file is supposed to |
| 223 contain the certificate chain for the signer certificate from its |
| 224 issuer upwards. The B<-reply> command does not build a certificate |
| 225 chain automatically. (Optional) |
| 226 |
| 227 =item B<-policy> object_id |
| 228 |
| 229 The default policy to use for the response unless the client |
| 230 explicitly requires a particular TSA policy. The OID can be specified |
| 231 either in dotted notation or with its name. Overrides the |
| 232 B<default_policy> config file option. (Optional) |
| 233 |
| 234 =item B<-in> response.tsr |
| 235 |
| 236 Specifies a previously created time stamp response or time stamp token |
| 237 (if B<-token_in> is also specified) in DER format that will be written |
| 238 to the output file. This option does not require a request, it is |
| 239 useful e.g. when you need to examine the content of a response or |
| 240 token or you want to extract the time stamp token from a response. If |
| 241 the input is a token and the output is a time stamp response a default |
| 242 'granted' status info is added to the token. (Optional) |
| 243 |
| 244 =item B<-token_in> |
| 245 |
| 246 This flag can be used together with the B<-in> option and indicates |
| 247 that the input is a DER encoded time stamp token (ContentInfo) instead |
| 248 of a time stamp response (TimeStampResp). (Optional) |
| 249 |
| 250 =item B<-out> response.tsr |
| 251 |
| 252 The response is written to this file. The format and content of the |
| 253 file depends on other options (see B<-text>, B<-token_out>). The default is |
| 254 stdout. (Optional) |
| 255 |
| 256 =item B<-token_out> |
| 257 |
| 258 The output is a time stamp token (ContentInfo) instead of time stamp |
| 259 response (TimeStampResp). (Optional) |
| 260 |
| 261 =item B<-text> |
| 262 |
| 263 If this option is specified the output is human-readable text format |
| 264 instead of DER. (Optional) |
| 265 |
| 266 =item B<-engine> id |
| 267 |
| 268 Specifying an engine (by its unique B<id> string) will cause B<ts> |
| 269 to attempt to obtain a functional reference to the specified engine, |
| 270 thus initialising it if needed. The engine will then be set as the default |
| 271 for all available algorithms. Default is builtin. (Optional) |
| 272 |
| 273 =back |
| 274 |
| 275 =head2 Time Stamp Response verification |
| 276 |
| 277 The B<-verify> command is for verifying if a time stamp response or time |
| 278 stamp token is valid and matches a particular time stamp request or |
| 279 data file. The B<-verify> command does not use the configuration file. |
| 280 |
| 281 =over 4 |
| 282 |
| 283 =item B<-data> file_to_hash |
| 284 |
| 285 The response or token must be verified against file_to_hash. The file |
| 286 is hashed with the message digest algorithm specified in the token. |
| 287 The B<-digest> and B<-queryfile> options must not be specified with this one. |
| 288 (Optional) |
| 289 |
| 290 =item B<-digest> digest_bytes |
| 291 |
| 292 The response or token must be verified against the message digest specified |
| 293 with this option. The number of bytes must match the message digest algorithm |
| 294 specified in the token. The B<-data> and B<-queryfile> options must not be |
| 295 specified with this one. (Optional) |
| 296 |
| 297 =item B<-queryfile> request.tsq |
| 298 |
| 299 The original time stamp request in DER format. The B<-data> and B<-digest> |
| 300 options must not be specified with this one. (Optional) |
| 301 |
| 302 =item B<-in> response.tsr |
| 303 |
| 304 The time stamp response that needs to be verified in DER format. (Mandatory) |
| 305 |
| 306 =item B<-token_in> |
| 307 |
| 308 This flag can be used together with the B<-in> option and indicates |
| 309 that the input is a DER encoded time stamp token (ContentInfo) instead |
| 310 of a time stamp response (TimeStampResp). (Optional) |
| 311 |
| 312 =item B<-CApath> trusted_cert_path |
| 313 |
| 314 The name of the directory containing the trused CA certificates of the |
| 315 client. See the similar option of L<verify(1)|verify(1)> for additional |
| 316 details. Either this option or B<-CAfile> must be specified. (Optional) |
| 317 |
| 318 |
| 319 =item B<-CAfile> trusted_certs.pem |
| 320 |
| 321 The name of the file containing a set of trusted self-signed CA |
| 322 certificates in PEM format. See the similar option of |
| 323 L<verify(1)|verify(1)> for additional details. Either this option |
| 324 or B<-CApath> must be specified. |
| 325 (Optional) |
| 326 |
| 327 =item B<-untrusted> cert_file.pem |
| 328 |
| 329 Set of additional untrusted certificates in PEM format which may be |
| 330 needed when building the certificate chain for the TSA's signing |
| 331 certificate. This file must contain the TSA signing certificate and |
| 332 all intermediate CA certificates unless the response includes them. |
| 333 (Optional) |
| 334 |
| 335 =back |
| 336 |
| 337 =head1 CONFIGURATION FILE OPTIONS |
| 338 |
| 339 The B<-query> and B<-reply> commands make use of a configuration file |
| 340 defined by the B<OPENSSL_CONF> environment variable. See L<config(5)|config(5)> |
| 341 for a general description of the syntax of the config file. The |
| 342 B<-query> command uses only the symbolic OID names section |
| 343 and it can work without it. However, the B<-reply> command needs the |
| 344 config file for its operation. |
| 345 |
| 346 When there is a command line switch equivalent of a variable the |
| 347 switch always overrides the settings in the config file. |
| 348 |
| 349 =over 4 |
| 350 |
| 351 =item B<tsa> section, B<default_tsa> |
| 352 |
| 353 This is the main section and it specifies the name of another section |
| 354 that contains all the options for the B<-reply> command. This default |
| 355 section can be overriden with the B<-section> command line switch. (Optional) |
| 356 |
| 357 =item B<oid_file> |
| 358 |
| 359 See L<ca(1)|ca(1)> for description. (Optional) |
| 360 |
| 361 =item B<oid_section> |
| 362 |
| 363 See L<ca(1)|ca(1)> for description. (Optional) |
| 364 |
| 365 =item B<RANDFILE> |
| 366 |
| 367 See L<ca(1)|ca(1)> for description. (Optional) |
| 368 |
| 369 =item B<serial> |
| 370 |
| 371 The name of the file containing the hexadecimal serial number of the |
| 372 last time stamp response created. This number is incremented by 1 for |
| 373 each response. If the file does not exist at the time of response |
| 374 generation a new file is created with serial number 1. (Mandatory) |
| 375 |
| 376 =item B<crypto_device> |
| 377 |
| 378 Specifies the OpenSSL engine that will be set as the default for |
| 379 all available algorithms. The default value is builtin, you can specify |
| 380 any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM). |
| 381 (Optional) |
| 382 |
| 383 =item B<signer_cert> |
| 384 |
| 385 TSA signing certificate in PEM format. The same as the B<-signer> |
| 386 command line option. (Optional) |
| 387 |
| 388 =item B<certs> |
| 389 |
| 390 A file containing a set of PEM encoded certificates that need to be |
| 391 included in the response. The same as the B<-chain> command line |
| 392 option. (Optional) |
| 393 |
| 394 =item B<signer_key> |
| 395 |
| 396 The private key of the TSA in PEM format. The same as the B<-inkey> |
| 397 command line option. (Optional) |
| 398 |
| 399 =item B<default_policy> |
| 400 |
| 401 The default policy to use when the request does not mandate any |
| 402 policy. The same as the B<-policy> command line option. (Optional) |
| 403 |
| 404 =item B<other_policies> |
| 405 |
| 406 Comma separated list of policies that are also acceptable by the TSA |
| 407 and used only if the request explicitly specifies one of them. (Optional) |
| 408 |
| 409 =item B<digests> |
| 410 |
| 411 The list of message digest algorithms that the TSA accepts. At least |
| 412 one algorithm must be specified. (Mandatory) |
| 413 |
| 414 =item B<accuracy> |
| 415 |
| 416 The accuracy of the time source of the TSA in seconds, milliseconds |
| 417 and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of |
| 418 the components is missing zero is assumed for that field. (Optional) |
| 419 |
| 420 =item B<clock_precision_digits> |
| 421 |
| 422 Specifies the maximum number of digits, which represent the fraction of |
| 423 seconds, that need to be included in the time field. The trailing zeroes |
| 424 must be removed from the time, so there might actually be fewer digits, |
| 425 or no fraction of seconds at all. Supported only on UNIX platforms. |
| 426 The maximum value is 6, default is 0. |
| 427 (Optional) |
| 428 |
| 429 =item B<ordering> |
| 430 |
| 431 If this option is yes the responses generated by this TSA can always |
| 432 be ordered, even if the time difference between two responses is less |
| 433 than the sum of their accuracies. Default is no. (Optional) |
| 434 |
| 435 =item B<tsa_name> |
| 436 |
| 437 Set this option to yes if the subject name of the TSA must be included in |
| 438 the TSA name field of the response. Default is no. (Optional) |
| 439 |
| 440 =item B<ess_cert_id_chain> |
| 441 |
| 442 The SignedData objects created by the TSA always contain the |
| 443 certificate identifier of the signing certificate in a signed |
| 444 attribute (see RFC 2634, Enhanced Security Services). If this option |
| 445 is set to yes and either the B<certs> variable or the B<-chain> option |
| 446 is specified then the certificate identifiers of the chain will also |
| 447 be included in the SigningCertificate signed attribute. If this |
| 448 variable is set to no, only the signing certificate identifier is |
| 449 included. Default is no. (Optional) |
| 450 |
| 451 =back |
| 452 |
| 453 =head1 ENVIRONMENT VARIABLES |
| 454 |
| 455 B<OPENSSL_CONF> contains the path of the configuration file and can be |
| 456 overriden by the B<-config> command line option. |
| 457 |
| 458 =head1 EXAMPLES |
| 459 |
| 460 All the examples below presume that B<OPENSSL_CONF> is set to a proper |
| 461 configuration file, e.g. the example configuration file |
| 462 openssl/apps/openssl.cnf will do. |
| 463 |
| 464 =head2 Time Stamp Request |
| 465 |
| 466 To create a time stamp request for design1.txt with SHA-1 |
| 467 without nonce and policy and no certificate is required in the response: |
| 468 |
| 469 openssl ts -query -data design1.txt -no_nonce \ |
| 470 -out design1.tsq |
| 471 |
| 472 To create a similar time stamp request with specifying the message imprint |
| 473 explicitly: |
| 474 |
| 475 openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ |
| 476 -no_nonce -out design1.tsq |
| 477 |
| 478 To print the content of the previous request in human readable format: |
| 479 |
| 480 openssl ts -query -in design1.tsq -text |
| 481 |
| 482 To create a time stamp request which includes the MD-5 digest |
| 483 of design2.txt, requests the signer certificate and nonce, |
| 484 specifies a policy id (assuming the tsa_policy1 name is defined in the |
| 485 OID section of the config file): |
| 486 |
| 487 openssl ts -query -data design2.txt -md5 \ |
| 488 -policy tsa_policy1 -cert -out design2.tsq |
| 489 |
| 490 =head2 Time Stamp Response |
| 491 |
| 492 Before generating a response a signing certificate must be created for |
| 493 the TSA that contains the B<timeStamping> critical extended key usage extension |
| 494 without any other key usage extensions. You can add the |
| 495 'extendedKeyUsage = critical,timeStamping' line to the user certificate section |
| 496 of the config file to generate a proper certificate. See L<req(1)|req(1)>, |
| 497 L<ca(1)|ca(1)>, L<x509(1)|x509(1)> for instructions. The examples |
| 498 below assume that cacert.pem contains the certificate of the CA, |
| 499 tsacert.pem is the signing certificate issued by cacert.pem and |
| 500 tsakey.pem is the private key of the TSA. |
| 501 |
| 502 To create a time stamp response for a request: |
| 503 |
| 504 openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ |
| 505 -signer tsacert.pem -out design1.tsr |
| 506 |
| 507 If you want to use the settings in the config file you could just write: |
| 508 |
| 509 openssl ts -reply -queryfile design1.tsq -out design1.tsr |
| 510 |
| 511 To print a time stamp reply to stdout in human readable format: |
| 512 |
| 513 openssl ts -reply -in design1.tsr -text |
| 514 |
| 515 To create a time stamp token instead of time stamp response: |
| 516 |
| 517 openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out |
| 518 |
| 519 To print a time stamp token to stdout in human readable format: |
| 520 |
| 521 openssl ts -reply -in design1_token.der -token_in -text -token_out |
| 522 |
| 523 To extract the time stamp token from a response: |
| 524 |
| 525 openssl ts -reply -in design1.tsr -out design1_token.der -token_out |
| 526 |
| 527 To add 'granted' status info to a time stamp token thereby creating a |
| 528 valid response: |
| 529 |
| 530 openssl ts -reply -in design1_token.der -token_in -out design1.tsr |
| 531 |
| 532 =head2 Time Stamp Verification |
| 533 |
| 534 To verify a time stamp reply against a request: |
| 535 |
| 536 openssl ts -verify -queryfile design1.tsq -in design1.tsr \ |
| 537 -CAfile cacert.pem -untrusted tsacert.pem |
| 538 |
| 539 To verify a time stamp reply that includes the certificate chain: |
| 540 |
| 541 openssl ts -verify -queryfile design2.tsq -in design2.tsr \ |
| 542 -CAfile cacert.pem |
| 543 |
| 544 To verify a time stamp token against the original data file: |
| 545 openssl ts -verify -data design2.txt -in design2.tsr \ |
| 546 -CAfile cacert.pem |
| 547 |
| 548 To verify a time stamp token against a message imprint: |
| 549 openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ |
| 550 -in design2.tsr -CAfile cacert.pem |
| 551 |
| 552 You could also look at the 'test' directory for more examples. |
| 553 |
| 554 =head1 BUGS |
| 555 |
| 556 If you find any bugs or you have suggestions please write to |
| 557 Zoltan Glozik <zglozik@opentsa.org>. Known issues: |
| 558 |
| 559 =over 4 |
| 560 |
| 561 =item * No support for time stamps over SMTP, though it is quite easy |
| 562 to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)> |
| 563 and L<perl(1)|perl(1)>. HTTP server support is provided in the form of |
| 564 a separate apache module. HTTP client support is provided by |
| 565 L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported. |
| 566 |
| 567 =item * The file containing the last serial number of the TSA is not |
| 568 locked when being read or written. This is a problem if more than one |
| 569 instance of L<openssl(1)|openssl(1)> is trying to create a time stamp |
| 570 response at the same time. This is not an issue when using the apache |
| 571 server module, it does proper locking. |
| 572 |
| 573 =item * Look for the FIXME word in the source files. |
| 574 |
| 575 =item * The source code should really be reviewed by somebody else, too. |
| 576 |
| 577 =item * More testing is needed, I have done only some basic tests (see |
| 578 test/testtsa). |
| 579 |
| 580 =back |
| 581 |
| 582 =cut |
| 583 |
| 584 =head1 AUTHOR |
| 585 |
| 586 Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org) |
| 587 |
| 588 =head1 SEE ALSO |
| 589 |
| 590 L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>, |
| 591 L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, |
| 592 L<config(5)|config(5)> |
| 593 |
| 594 =cut |
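Review bot: The last two verification examples (new-file lines 544-550) have no blank line between the introductory sentence and the command, so POD will fold the command into the preceding paragraph instead of rendering it as a verbatim block; add the blank line as in the earlier examples. Both sentences also say "time stamp token" while the commands pass design2.tsr without -token_in, which according to the -token_in description means the input is read as a response, so either say "time stamp response" or pass a token file together with -token_in. Other points in the same file: line 143 reads "pseudo-random none" where "nonce" is meant, and "conatining" (192), "trused" (314) and "overriden" (355, 456) are misspelled. DESCRIPTION (lines 88-90) says there is no HTTP support and that requests must be sent by ftp or e-mail, while BUGS (lines 563-565) says HTTP client support is provided by tsget(1), so one of the two needs updating. -CApath and -CAfile are each tagged "(Optional)" although the text says one of them must be specified; say that explicitly in place of the tag. The =cut at line 582 sits before the AUTHOR and SEE ALSO sections and should be dropped, keeping only the final =cut at line 594.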