version 1.80, 2016/09/22 13:30:49 |
version 1.81, 2016/09/22 13:44:02 |
|
|
.Op Fl infiles |
.Op Fl infiles |
.Op Fl key Ar keyfile |
.Op Fl key Ar keyfile |
.Op Fl keyfile Ar arg |
.Op Fl keyfile Ar arg |
.Op Fl keyform Ar PEM |
.Op Fl keyform Ar pem |
.Op Fl md Ar arg |
.Op Fl md Ar arg |
.Op Fl msie_hack |
.Op Fl msie_hack |
.Op Fl name Ar section |
.Op Fl name Ar section |
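Review bot: `.Op Fl keyform Ar pem` in the synopsis marks `pem` as a placeholder argument, but `pem` is the literal value the option accepts, so `.Cm pem` (which the `-keyform` description in this same change switches to with "The default is .Cm pem .") is the more accurate mdoc markup; lowercasing alone fixes the case but not the macro. Use `.Cm` in both places.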
|
|
this option should be used with caution. |
this option should be used with caution. |
.It Fl keyfile Ar file |
.It Fl keyfile Ar file |
The private key to sign requests with. |
The private key to sign requests with. |
.It Fl keyform Ar PEM |
.It Fl keyform Ar pem |
Private key file format. |
Private key file format. |
.It Fl md Ar alg |
.It Fl md Ar alg |
The message digest to use. |
The message digest to use. |
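Review bot: the argument name for `-keyfile` differs between the synopsis (`.Op Fl keyfile Ar arg`) and this description (`.It Fl keyfile Ar file`); while the adjacent `.Ar PEM` to `.Ar pem` line is being touched, make the two agree (`file` in both) so a reader can match the entry to the synopsis.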
|
|
of the configuration file containing CRL extensions to include. |
of the configuration file containing CRL extensions to include. |
If no CRL extension section is present then a V1 CRL is created; |
If no CRL extension section is present then a V1 CRL is created; |
if the CRL extension section is present |
if the CRL extension section is present |
.Pq even if it is empty |
(even if it is empty) |
then a V2 CRL is created. |
then a V2 CRL is created. |
The CRL extensions specified are CRL extensions and |
The CRL extensions specified are CRL extensions and not CRL entry extensions. |
.Em not |
It should be noted that some software can't handle V2 CRLs. |
CRL entry extensions. |
|
It should be noted that some software |
|
.Pq for example Netscape |
|
can't handle V2 CRLs. |
|
.It Fl crlhours Ar num |
.It Fl crlhours Ar num |
The number of hours before the next CRL is due. |
The number of hours before the next CRL is due. |
.It Fl gencrl |
.It Fl gencrl |
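Review bot: with the Netscape parenthetical removed, "It should be noted that some software can't handle V2 CRLs." names no software at all, so the reader cannot judge whether the caveat still applies; either keep a concrete example or state it as a plain compatibility caveat ("Some software cannot handle V2 CRLs.") and drop the "It should be noted that" filler. Dropping `.Em not` is fine, since the single-line sentence "CRL extensions and not CRL entry extensions" still reads unambiguously.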
|
|
If neither option is present, the format used in earlier versions of |
If neither option is present, the format used in earlier versions of |
.Nm openssl |
.Nm openssl |
is used. |
is used. |
Use of the old format is |
Use of the old format is strongly discouraged |
.Em strongly |
because it only displays fields mentioned in the |
discouraged because it only displays fields mentioned in the |
|
.Cm policy |
.Cm policy |
section, |
section, |
mishandles multicharacter string types and does not display extensions. |
mishandles multicharacter string types and does not display extensions. |
|
|
Disable standard block padding. |
Disable standard block padding. |
.It Fl nosalt |
.It Fl nosalt |
Don't use a salt in the key derivation routines. |
Don't use a salt in the key derivation routines. |
This option should |
This option should never be used |
.Em NEVER |
|
be used |
|
since it makes it possible to perform efficient dictionary |
since it makes it possible to perform efficient dictionary |
attacks on the password and to attack stream cipher encrypted data. |
attacks on the password and to attack stream cipher encrypted data. |
.It Fl out Ar file |
.It Fl out Ar file |
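Review bot: this was the only emphasized warning in the section, and `-nosalt` is the option here that directly weakens the result (the rationale kept on the following lines, efficient dictionary attacks on the password and attacks on stream cipher encrypted data, is correct and must stay). If `.Em` is being removed page-wide for style that is acceptable, but then the sentence carries the weight better with the consequence attached directly, e.g. "This option should never be used: it makes it possible to ...".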
|
|
.Pa / |
.Pa / |
by default. |
by default. |
.It Fl issuer Ar file |
.It Fl issuer Ar file |
The current issuer certificate, |
The current issuer certificate, in PEM format. |
in PEM format. |
Can be used multiple times and must come before any |
Can be used multiple times |
|
and must come before any |
|
.Fl cert |
.Fl cert |
options. |
options. |
.It Fl no_cert_checks |
.It Fl no_cert_checks |
|
|
which can give details about multiple CAs |
which can give details about multiple CAs |
and has its own separate certificate chain, |
and has its own separate certificate chain, |
then its root CA can be trusted for OCSP signing. |
then its root CA can be trusted for OCSP signing. |
For example: |
|
.Bd -literal -offset indent |
|
$ openssl x509 -in ocspCA.pem -addtrust OCSPSigning \e |
|
-out trustedCA.pem |
|
.Ed |
|
.Pp |
|
Alternatively, the responder certificate itself can be explicitly trusted |
Alternatively, the responder certificate itself can be explicitly trusted |
with the |
with the |
.Fl VAfile |
.Fl VAfile |
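Review bot: removing the `.Bd -literal` block drops the only illustration of how a CA is marked as trusted for OCSP signing (`openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem`); the prose above still says the root CA "can be trusted for OCSP signing" without saying how, so either keep the example or add a cross-reference to the `-addtrust` option of the x509 command.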
|
|
Create a PKCS#12 file (rather than parsing one). |
Create a PKCS#12 file (rather than parsing one). |
.It Fl in Ar file |
.It Fl in Ar file |
The input file to read from, |
The input file to read from, |
or standard input if not specified, |
or standard input if not specified. |
in PEM format. |
|
The order doesn't matter but one private key and its corresponding |
The order doesn't matter but one private key and its corresponding |
certificate should be present. |
certificate should be present. |
If additional certificates are present, they will also be included |
If additional certificates are present, they will also be included |
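Review bot: dropping "in PEM format." from the `-in` description loses the statement of what format the input must be in; the following lines still talk about "one private key and its corresponding certificate" but no longer say they are PEM, so keep the format on the joined line, e.g. "or standard input if not specified, in PEM format."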
|
|
Don't attempt to provide the MAC integrity. |
Don't attempt to provide the MAC integrity. |
.It Fl nomaciter , noiter |
.It Fl nomaciter , noiter |
Affect the iteration counts on the MAC and key algorithms. |
Affect the iteration counts on the MAC and key algorithms. |
Unless you wish to produce files compatible with MSIE 4.0, you should leave |
|
these options alone. |
|
.Pp |
.Pp |
To discourage attacks by using large dictionaries of common passwords, |
To discourage attacks by using large dictionaries of common passwords, |
the algorithm that derives keys from passwords can have an iteration count |
the algorithm that derives keys from passwords can have an iteration count |
|
|
Since this reduces the file security you should not use these options |
Since this reduces the file security you should not use these options |
unless you really have to. |
unless you really have to. |
Most software supports both MAC and key iteration counts. |
Most software supports both MAC and key iteration counts. |
MSIE 4.0 doesn't support MAC iteration counts, so it needs the |
|
.Fl nomaciter |
|
option. |
|
.It Fl out Ar file |
.It Fl out Ar file |
The output file to write to, |
The output file to write to, |
or standard output if not specified. |
or standard output if not specified. |
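Review bot: after removing both MSIE 4.0 sentences, "Most software supports both MAC and key iteration counts." stands without its contrast and nothing tells the reader when `-nomaciter` or `-noiter` would ever be needed; either keep one sentence naming the legacy software that lacks MAC iteration support or drop that line as well. The statement that these options reduce the file security should stay exactly as it is.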
|
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl base64 |
.It Fl base64 |
Perform |
Perform base64 encoding on the output. |
.Em base64 |
|
encoding on the output. |
|
.It Fl hex |
.It Fl hex |
Specify hexadecimal output. |
Specify hexadecimal output. |
.It Fl out Ar file |
.It Fl out Ar file |
|
|
The format of the private key file specified in the |
The format of the private key file specified in the |
.Fl key |
.Fl key |
argument. |
argument. |
The default is PEM. |
The default is |
|
.Cm pem . |
.It Fl keyout Ar file |
.It Fl keyout Ar file |
The file to write the newly created private key to. |
The file to write the newly created private key to. |
If this option is not specified, |
If this option is not specified, |
|
|
Generate SSL/TLS session IDs prefixed by |
Generate SSL/TLS session IDs prefixed by |
.Ar arg . |
.Ar arg . |
This is mostly useful for testing any SSL/TLS code |
This is mostly useful for testing any SSL/TLS code |
(e.g. proxies) |
that wish to deal with multiple servers, |
that wish to deal with multiple servers, when each of which might be |
when each of which might be generating a unique range of session IDs. |
generating a unique range of session IDs |
|
(e.g. with a certain prefix). |
|
.It Fl key Ar keyfile |
.It Fl key Ar keyfile |
The private key to use. |
The private key to use. |
If not specified, the certificate file will be used. |
If not specified, the certificate file will be used. |
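Review bot: "that wish to deal with multiple servers, when each of which might be generating a unique range of session IDs." is ungrammatical ("when each of which"); since the sentence is being rewritten anyway, suggest "that wish to deal with multiple servers, each of which might be generating a unique range of session IDs." Removing "(e.g. proxies)" also drops the one concrete use case for `-id_prefix`-style testing; consider keeping it.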
|
|
.It Ev OPENSSL_CONF |
.It Ev OPENSSL_CONF |
The location of the master configuration file. |
The location of the master configuration file. |
.El |
.El |
.\" |
|
.\" FILES |
|
.\" |
|
.Sh FILES |
.Sh FILES |
.Bl -tag -width "/etc/ssl/openssl.cnf" -compact |
.Bl -tag -width "/etc/ssl/openssl.cnf" -compact |
.It Pa /etc/ssl/ |
.It Pa /etc/ssl/ |
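Review bot: removing the `.\" FILES` separator comment is harmless cleanup, but it should be applied to every section marker in the file (the SEE ALSO marker is handled in the next hunk) so the source does not end up with some sections marked and others not.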
|
|
.Nm x509 |
.Nm x509 |
certificates. |
certificates. |
.El |
.El |
.\" |
|
.\" SEE ALSO |
|
.\" |
|
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr acme-client 1 , |
.Xr acme-client 1 , |
.Xr nc 1 , |
.Xr nc 1 , |