OLD | NEW |
1 | 1 |
2 =pod | 2 =pod |
3 | 3 |
4 =head1 NAME | 4 =head1 NAME |
5 | 5 |
6 x509 - Certificate display and signing utility | 6 x509 - Certificate display and signing utility |
7 | 7 |
8 =head1 SYNOPSIS | 8 =head1 SYNOPSIS |
9 | 9 |
10 B<openssl> B<x509> | 10 B<openssl> B<x509> |
11 [B<-inform DER|PEM|NET>] | 11 [B<-inform DER|PEM|NET>] |
12 [B<-outform DER|PEM|NET>] | 12 [B<-outform DER|PEM|NET>] |
13 [B<-keyform DER|PEM>] | 13 [B<-keyform DER|PEM>] |
14 [B<-CAform DER|PEM>] | 14 [B<-CAform DER|PEM>] |
15 [B<-CAkeyform DER|PEM>] | 15 [B<-CAkeyform DER|PEM>] |
16 [B<-in filename>] | 16 [B<-in filename>] |
17 [B<-out filename>] | 17 [B<-out filename>] |
18 [B<-serial>] | 18 [B<-serial>] |
19 [B<-hash>] | 19 [B<-hash>] |
20 [B<-subject_hash>] | 20 [B<-subject_hash>] |
21 [B<-issuer_hash>] | 21 [B<-issuer_hash>] |
22 [B<-subject>] | 22 [B<-subject>] |
23 [B<-issuer>] | 23 [B<-issuer>] |
24 [B<-nameopt option>] | 24 [B<-nameopt option>] |
25 [B<-email>] | 25 [B<-email>] |
| 26 [B<-ocsp_uri>] |
26 [B<-startdate>] | 27 [B<-startdate>] |
27 [B<-enddate>] | 28 [B<-enddate>] |
28 [B<-purpose>] | 29 [B<-purpose>] |
29 [B<-dates>] | 30 [B<-dates>] |
30 [B<-modulus>] | 31 [B<-modulus>] |
31 [B<-fingerprint>] | 32 [B<-fingerprint>] |
32 [B<-alias>] | 33 [B<-alias>] |
33 [B<-noout>] | 34 [B<-noout>] |
34 [B<-trustout>] | 35 [B<-trustout>] |
35 [B<-clrtrust>] | 36 [B<-clrtrust>] |
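Review bot: the SYNOPSIS gains `[B<-ocsp_uri>]` (new line 26) but not the other two options this diff introduces under DISPLAY OPTIONS, `-subject_hash_old` and `-issuer_hash_old`; add `[B<-subject_hash_old>]` and `[B<-issuer_hash_old>]` directly after `[B<-issuer_hash>]` so the synopsis lists every option the body documents.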
(...skipping 60 matching lines...)
96 | 97 |
97 =item B<-md2|-md5|-sha1|-mdc2> | 98 =item B<-md2|-md5|-sha1|-mdc2> |
98 | 99 |
99 the digest to use. This affects any signing or display option that uses a messag
e | 100 the digest to use. This affects any signing or display option that uses a messag
e |
100 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not | 101 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not |
101 specified then SHA1 is used. If the key being used to sign with is a DSA key | 102 specified then SHA1 is used. If the key being used to sign with is a DSA key |
102 then this option has no effect: SHA1 is always used with DSA keys. | 103 then this option has no effect: SHA1 is always used with DSA keys. |
103 | 104 |
104 =item B<-engine id> | 105 =item B<-engine id> |
105 | 106 |
106 specifying an engine (by it's unique B<id> string) will cause B<req> | 107 specifying an engine (by its unique B<id> string) will cause B<x509> |
107 to attempt to obtain a functional reference to the specified engine, | 108 to attempt to obtain a functional reference to the specified engine, |
108 thus initialising it if needed. The engine will then be set as the default | 109 thus initialising it if needed. The engine will then be set as the default |
109 for all available algorithms. | 110 for all available algorithms. |
110 | 111 |
111 =back | 112 =back |
112 | 113 |
113 =head2 DISPLAY OPTIONS | 114 =head2 DISPLAY OPTIONS |
114 | 115 |
115 Note: the B<-alias> and B<-purpose> options are also display options | 116 Note: the B<-alias> and B<-purpose> options are also display options |
116 but are described in the B<TRUST SETTINGS> section. | 117 but are described in the B<TRUST SETTINGS> section. |
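Review bot: the `it's` and `req` corrections at new line 107 are right, but the digest item `=item B<-md2|-md5|-sha1|-mdc2>` (new line 98) still presents MD2 and MD5 as ordinary choices for the signing digest with no warning. Since the HISTORY section in this same diff records that MD5 was only the pre-0.9.8 default, add a sentence to this paragraph saying that MD2 and MD5 are retained for compatibility with old certificates and should not be used with the B<-signkey> and B<-CA> signing options the paragraph names.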
(...skipping 33 matching lines...)
150 name. | 151 name. |
151 | 152 |
152 =item B<-issuer_hash> | 153 =item B<-issuer_hash> |
153 | 154 |
154 outputs the "hash" of the certificate issuer name. | 155 outputs the "hash" of the certificate issuer name. |
155 | 156 |
156 =item B<-hash> | 157 =item B<-hash> |
157 | 158 |
158 synonym for "-subject_hash" for backward compatibility reasons. | 159 synonym for "-subject_hash" for backward compatibility reasons. |
159 | 160 |
| 161 =item B<-subject_hash_old> |
| 162 |
| 163 outputs the "hash" of the certificate subject name using the older algorithm |
| 164 as used by OpenSSL versions before 1.0.0. |
| 165 |
| 166 =item B<-issuer_hash_old> |
| 167 |
| 168 outputs the "hash" of the certificate issuer name using the older algorithm |
| 169 as used by OpenSSL versions before 1.0.0. |
| 170 |
160 =item B<-subject> | 171 =item B<-subject> |
161 | 172 |
162 outputs the subject name. | 173 outputs the subject name. |
163 | 174 |
164 =item B<-issuer> | 175 =item B<-issuer> |
165 | 176 |
166 outputs the issuer name. | 177 outputs the issuer name. |
167 | 178 |
168 =item B<-nameopt option> | 179 =item B<-nameopt option> |
169 | 180 |
170 option which determines how the subject or issuer names are displayed. The | 181 option which determines how the subject or issuer names are displayed. The |
171 B<option> argument can be a single option or multiple options separated by | 182 B<option> argument can be a single option or multiple options separated by |
172 commas. Alternatively the B<-nameopt> switch may be used more than once to | 183 commas. Alternatively the B<-nameopt> switch may be used more than once to |
173 set multiple options. See the B<NAME OPTIONS> section for more information. | 184 set multiple options. See the B<NAME OPTIONS> section for more information. |
174 | 185 |
175 =item B<-email> | 186 =item B<-email> |
176 | 187 |
177 outputs the email address(es) if any. | 188 outputs the email address(es) if any. |
178 | 189 |
| 190 =item B<-ocsp_uri> |
| 191 |
| 192 outputs the OCSP responder address(es) if any. |
| 193 |
179 =item B<-startdate> | 194 =item B<-startdate> |
180 | 195 |
181 prints out the start date of the certificate, that is the notBefore date. | 196 prints out the start date of the certificate, that is the notBefore date. |
182 | 197 |
183 =item B<-enddate> | 198 =item B<-enddate> |
184 | 199 |
185 prints out the expiry date of the certificate, that is the notAfter date. | 200 prints out the expiry date of the certificate, that is the notAfter date. |
186 | 201 |
187 =item B<-dates> | 202 =item B<-dates> |
188 | 203 |
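Review bot: the new `-subject_hash_old` and `-issuer_hash_old` entries (new lines 161 to 169) say only that they use "the older algorithm" without saying what it is or why a user would want it; the HISTORY paragraph added later in this diff is where that is explained (MD5-based, over the raw DN encoding, and hash-link directories built with it must be rebuilt). Add a pointer from these two items to the HISTORY section, or repeat the one-line explanation here, so a reader of the option list understands the `_old` variants exist for comparing against or rebuilding directories created by releases before 1.0.0. The new `-ocsp_uri` entry (new line 192) would also benefit from naming which certificate extension the responder address is read from.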
(...skipping 180 matching lines...)
369 =item B<-extfile filename> | 384 =item B<-extfile filename> |
370 | 385 |
371 file containing certificate extensions to use. If not specified then | 386 file containing certificate extensions to use. If not specified then |
372 no extensions are added to the certificate. | 387 no extensions are added to the certificate. |
373 | 388 |
374 =item B<-extensions section> | 389 =item B<-extensions section> |
375 | 390 |
376 the section to add certificate extensions from. If this option is not | 391 the section to add certificate extensions from. If this option is not |
377 specified then the extensions should either be contained in the unnamed | 392 specified then the extensions should either be contained in the unnamed |
378 (default) section or the default section should contain a variable called | 393 (default) section or the default section should contain a variable called |
379 "extensions" which contains the section to use. | 394 "extensions" which contains the section to use. See the |
| 395 L<x509v3_config(5)|x509v3_config(5)> manual page for details of the |
| 396 extension section format. |
380 | 397 |
381 =back | 398 =back |
382 | 399 |
383 =head2 NAME OPTIONS | 400 =head2 NAME OPTIONS |
384 | 401 |
385 The B<nameopt> command line switch determines how the subject and issuer | 402 The B<nameopt> command line switch determines how the subject and issuer |
386 names are displayed. If no B<nameopt> switch is present the default "oneline" | 403 names are displayed. If no B<nameopt> switch is present the default "oneline" |
387 format is used which is compatible with previous versions of OpenSSL. | 404 format is used which is compatible with previous versions of OpenSSL. |
388 Each option is described in detail below, all options can be preceded by | 405 Each option is described in detail below, all options can be preceded by |
389 a B<-> to turn the option off. Only the first four will normally be used. | 406 a B<-> to turn the option off. Only the first four will normally be used. |
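Review bot: the new cross-reference to L<x509v3_config(5)|x509v3_config(5)> (new lines 394 to 396) is attached only to `-extensions`, but the question of what the file must look like first arises at `-extfile` (new line 386, "file containing certificate extensions to use"); mention the manual page there as well, or move the sentence to `-extfile` and have `-extensions` refer back to it.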
(...skipping 426 matching lines...)
816 dates rather than an offset from the current time. | 833 dates rather than an offset from the current time. |
817 | 834 |
818 The code to implement the verify behaviour described in the B<TRUST SETTINGS> | 835 The code to implement the verify behaviour described in the B<TRUST SETTINGS> |
819 is currently being developed. It thus describes the intended behaviour rather | 836 is currently being developed. It thus describes the intended behaviour rather |
820 than the current behaviour. It is hoped that it will represent reality in | 837 than the current behaviour. It is hoped that it will represent reality in |
821 OpenSSL 0.9.5 and later. | 838 OpenSSL 0.9.5 and later. |
822 | 839 |
823 =head1 SEE ALSO | 840 =head1 SEE ALSO |
824 | 841 |
825 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, | 842 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, |
826 L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)> | 843 L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>, |
| 844 L<x509v3_config(5)|x509v3_config(5)> |
827 | 845 |
828 =head1 HISTORY | 846 =head1 HISTORY |
829 | 847 |
830 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. | 848 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. |
831 | 849 |
| 850 The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options |
| 851 before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding |
| 852 of the distinguished name. In OpenSSL 1.0.0 and later it is based on a |
| 853 canonical version of the DN using SHA1. This means that any directories using |
| 854 the old form must have their links rebuilt using B<c_rehash> or similar. |
| 855 |
832 =cut | 856 =cut |
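Review bot: the NOTES paragraph at new lines 835 to 838 still says the TRUST SETTINGS verify behaviour "is currently being developed" and is "hoped" to "represent reality in OpenSSL 0.9.5 and later", while the HISTORY paragraph this diff adds documents 1.0.0 behaviour; that sentence is stale and should be updated or removed in the same change. In the new HISTORY text (new lines 850 to 854) it would also help to say that `-subject_hash_old` and `-issuer_hash_old`, added earlier in this diff, print the pre-1.0.0 value, since that is how a reader would identify which links in a directory need rebuilding with B<c_rehash>.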