| version 1.80, 2016/09/22 13:30:49 |
version 1.81, 2016/09/22 13:44:02 |
|
|
| .Op Fl infiles |
.Op Fl infiles |
| .Op Fl key Ar keyfile |
.Op Fl key Ar keyfile |
| .Op Fl keyfile Ar arg |
.Op Fl keyfile Ar arg |
| .Op Fl keyform Ar PEM |
.Op Fl keyform Ar pem |
| .Op Fl md Ar arg |
.Op Fl md Ar arg |
| .Op Fl msie_hack |
.Op Fl msie_hack |
| .Op Fl name Ar section |
.Op Fl name Ar section |
|
|
| this option should be used with caution. |
this option should be used with caution. |
| .It Fl keyfile Ar file |
.It Fl keyfile Ar file |
| The private key to sign requests with. |
The private key to sign requests with. |
| .It Fl keyform Ar PEM |
.It Fl keyform Ar pem |
| Private key file format. |
Private key file format. |
| .It Fl md Ar alg |
.It Fl md Ar alg |
| The message digest to use. |
The message digest to use. |
|
|
| of the configuration file containing CRL extensions to include. |
of the configuration file containing CRL extensions to include. |
| If no CRL extension section is present then a V1 CRL is created; |
If no CRL extension section is present then a V1 CRL is created; |
| if the CRL extension section is present |
if the CRL extension section is present |
| .Pq even if it is empty |
(even if it is empty) |
| then a V2 CRL is created. |
then a V2 CRL is created. |
| The CRL extensions specified are CRL extensions and |
The CRL extensions specified are CRL extensions and not CRL entry extensions. |
| .Em not |
It should be noted that some software can't handle V2 CRLs. |
| CRL entry extensions. |
|
| It should be noted that some software |
|
| .Pq for example Netscape |
|
| can't handle V2 CRLs. |
|
| .It Fl crlhours Ar num |
.It Fl crlhours Ar num |
| The number of hours before the next CRL is due. |
The number of hours before the next CRL is due. |
| .It Fl gencrl |
.It Fl gencrl |
|
|
| If neither option is present, the format used in earlier versions of |
If neither option is present, the format used in earlier versions of |
| .Nm openssl |
.Nm openssl |
| is used. |
is used. |
| Use of the old format is |
Use of the old format is strongly discouraged |
| .Em strongly |
because it only displays fields mentioned in the |
| discouraged because it only displays fields mentioned in the |
|
| .Cm policy |
.Cm policy |
| section, |
section, |
| mishandles multicharacter string types and does not display extensions. |
mishandles multicharacter string types and does not display extensions. |
|
|
| Disable standard block padding. |
Disable standard block padding. |
| .It Fl nosalt |
.It Fl nosalt |
| Don't use a salt in the key derivation routines. |
Don't use a salt in the key derivation routines. |
| This option should |
This option should never be used |
| .Em NEVER |
|
| be used |
|
| since it makes it possible to perform efficient dictionary |
since it makes it possible to perform efficient dictionary |
| attacks on the password and to attack stream cipher encrypted data. |
attacks on the password and to attack stream cipher encrypted data. |
| .It Fl out Ar file |
.It Fl out Ar file |
|
|
| .Pa / |
.Pa / |
| by default. |
by default. |
| .It Fl issuer Ar file |
.It Fl issuer Ar file |
| The current issuer certificate, |
The current issuer certificate, in PEM format. |
| in PEM format. |
Can be used multiple times and must come before any |
| Can be used multiple times |
|
| and must come before any |
|
| .Fl cert |
.Fl cert |
| options. |
options. |
| .It Fl no_cert_checks |
.It Fl no_cert_checks |
|
|
| which can give details about multiple CAs |
which can give details about multiple CAs |
| and has its own separate certificate chain, |
and has its own separate certificate chain, |
| then its root CA can be trusted for OCSP signing. |
then its root CA can be trusted for OCSP signing. |
| For example: |
|
| .Bd -literal -offset indent |
|
| $ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e |
|
| -out trustedCA.pem |
|
| .Ed |
|
| .Pp |
|
| Alternatively, the responder certificate itself can be explicitly trusted |
Alternatively, the responder certificate itself can be explicitly trusted |
| with the |
with the |
| .Fl VAfile |
.Fl VAfile |
|
|
| Create a PKCS#12 file (rather than parsing one). |
Create a PKCS#12 file (rather than parsing one). |
| .It Fl in Ar file |
.It Fl in Ar file |
| The input file to read from, |
The input file to read from, |
| or standard input if not specified, |
or standard input if not specified. |
| in PEM format. |
|
| The order doesn't matter but one private key and its corresponding |
The order doesn't matter but one private key and its corresponding |
| certificate should be present. |
certificate should be present. |
| If additional certificates are present, they will also be included |
If additional certificates are present, they will also be included |
|
|
| Don't attempt to provide the MAC integrity. |
Don't attempt to provide the MAC integrity. |
| .It Fl nomaciter , noiter |
.It Fl nomaciter , noiter |
| Affect the iteration counts on the MAC and key algorithms. |
Affect the iteration counts on the MAC and key algorithms. |
| Unless you wish to produce files compatible with MSIE 4.0, you should leave |
|
| these options alone. |
|
| .Pp |
.Pp |
| To discourage attacks by using large dictionaries of common passwords, |
To discourage attacks by using large dictionaries of common passwords, |
| the algorithm that derives keys from passwords can have an iteration count |
the algorithm that derives keys from passwords can have an iteration count |
|
|
| Since this reduces the file security you should not use these options |
Since this reduces the file security you should not use these options |
| unless you really have to. |
unless you really have to. |
| Most software supports both MAC and key iteration counts. |
Most software supports both MAC and key iteration counts. |
| MSIE 4.0 doesn't support MAC iteration counts, so it needs the |
|
| .Fl nomaciter |
|
| option. |
|
| .It Fl out Ar file |
.It Fl out Ar file |
| The output file to write to, |
The output file to write to, |
| or standard output if not specified. |
or standard output if not specified. |
|
|
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Fl base64 |
.It Fl base64 |
| Perform |
Perform base64 encoding on the output. |
| .Em base64 |
|
| encoding on the output. |
|
| .It Fl hex |
.It Fl hex |
| Specify hexadecimal output. |
Specify hexadecimal output. |
| .It Fl out Ar file |
.It Fl out Ar file |
|
|
| The format of the private key file specified in the |
The format of the private key file specified in the |
| .Fl key |
.Fl key |
| argument. |
argument. |
| The default is PEM. |
The default is |
| |
.Cm pem . |
| .It Fl keyout Ar file |
.It Fl keyout Ar file |
| The file to write the newly created private key to. |
The file to write the newly created private key to. |
| If this option is not specified, |
If this option is not specified, |
|
|
| Generate SSL/TLS session IDs prefixed by |
Generate SSL/TLS session IDs prefixed by |
| .Ar arg . |
.Ar arg . |
| This is mostly useful for testing any SSL/TLS code |
This is mostly useful for testing any SSL/TLS code |
| (e.g. proxies) |
that wish to deal with multiple servers, |
| that wish to deal with multiple servers, when each of which might be |
when each of which might be generating a unique range of session IDs. |
| generating a unique range of session IDs |
|
| (e.g. with a certain prefix). |
|
| .It Fl key Ar keyfile |
.It Fl key Ar keyfile |
| The private key to use. |
The private key to use. |
| If not specified, the certificate file will be used. |
If not specified, the certificate file will be used. |
|
|
| .It Ev OPENSSL_CONF |
.It Ev OPENSSL_CONF |
| The location of the master configuration file. |
The location of the master configuration file. |
| .El |
.El |
| .\" |
|
| .\" FILES |
|
| .\" |
|
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width "/etc/ssl/openssl.cnf" -compact |
.Bl -tag -width "/etc/ssl/openssl.cnf" -compact |
| .It Pa /etc/ssl/ |
.It Pa /etc/ssl/ |
|
|
| .Nm x509 |
.Nm x509 |
| certificates. |
certificates. |
| .El |
.El |
| .\" |
|
| .\" SEE ALSO |
|
| .\" |
|
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr acme-client 1 , |
.Xr acme-client 1 , |
| .Xr nc 1 , |
.Xr nc 1 , |
![[BACK]](/icons/back.gif){kind=icon}
Return to openssl.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl