
Diff for /src/usr.bin/openssl/openssl.1 between version 1.90 and 1.91

version 1.90, 2018/03/30 20:38:23 version 1.91, 2018/03/30 23:03:31
Line 300 
Line 300 
 .Op Fl batch  .Op Fl batch
 .Op Fl cert Ar file  .Op Fl cert Ar file
 .Op Fl config Ar file  .Op Fl config Ar file
   .Op Fl create_serial
 .Op Fl crl_CA_compromise Ar time  .Op Fl crl_CA_compromise Ar time
 .Op Fl crl_compromise Ar time  .Op Fl crl_compromise Ar time
 .Op Fl crl_hold Ar instruction  .Op Fl crl_hold Ar instruction
Line 314 
Line 315 
 .Op Fl gencrl  .Op Fl gencrl
 .Op Fl in Ar file  .Op Fl in Ar file
 .Op Fl infiles  .Op Fl infiles
 .Op Fl key Ar keyfile  .Op Fl key Ar password
 .Op Fl keyfile Ar arg  .Op Fl keyfile Ar arg
 .Op Fl keyform Ar pem  .Op Fl keyform Cm pem | der
 .Op Fl md Ar arg  .Op Fl md Ar arg
 .Op Fl msie_hack  .Op Fl msie_hack
   .Op Fl multivalue\-rdn
 .Op Fl name Ar section  .Op Fl name Ar section
 .Op Fl noemailDN  .Op Fl noemailDN
 .Op Fl notext  .Op Fl notext
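Review bot: the synopsis lines left unchanged in this hunk still disagree with the option list further down: the synopsis has ".Op Fl keyfile Ar arg" and ".Op Fl md Ar arg", while the descriptions are headed ".It Fl keyfile Ar file" and ".It Fl md Ar alg". This revision already aligns -key and -keyform between the two places, so bring -keyfile and -md into line as well; a reader of the synopsis alone cannot tell that -keyfile takes a file name.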
Line 328 
Line 330 
 .Op Fl policy Ar arg  .Op Fl policy Ar arg
 .Op Fl preserveDN  .Op Fl preserveDN
 .Op Fl revoke Ar file  .Op Fl revoke Ar file
   .Op Fl selfsign
 .Op Fl spkac Ar file  .Op Fl spkac Ar file
 .Op Fl ss_cert Ar file  .Op Fl ss_cert Ar file
 .Op Fl startdate Ar date  .Op Fl startdate Ar date
 .Op Fl status Ar serial  .Op Fl status Ar serial
 .Op Fl subj Ar arg  .Op Fl subj Ar arg
 .Op Fl updatedb  .Op Fl updatedb
   .Op Fl utf8
 .Op Fl verbose  .Op Fl verbose
 .nr nS 0  .nr nS 0
 .Pp  .Pp
Line 354 
Line 358 
 The CA certificate file.  The CA certificate file.
 .It Fl config Ar file  .It Fl config Ar file
 Specify an alternative configuration file.  Specify an alternative configuration file.
   .It Fl create_serial
   If reading the serial from the text file as specified in the
   configuration fails, create a new random serial to be used as the
   next serial number.
 .It Fl days Ar arg  .It Fl days Ar arg
 The number of days to certify the certificate for.  The number of days to certify the certificate for.
 .It Fl enddate Ar date  .It Fl enddate Ar date
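Review bot: the new -create_serial text points at "the text file as specified in the configuration" without naming the configuration option that specifies it. Name the option with .Cm, the way the -selfsign text added in this revision does for ".Cm database", so the reader can tell which file has to be unreadable for a random serial to be generated.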
Line 371 
Line 379 
 If the extension section is present  If the extension section is present
 .Pq even if it is empty ,  .Pq even if it is empty ,
 then a V3 certificate is created.  then a V3 certificate is created.
   See the
   .Xr x509v3.cnf 5
   manual page for details of the extension section format.
 .It Fl extfile Ar file  .It Fl extfile Ar file
 An additional configuration  An additional configuration
 .Ar file  .Ar file
Line 385 
Line 396 
 .It Fl infiles  .It Fl infiles
 If present, this should be the last option; all subsequent arguments  If present, this should be the last option; all subsequent arguments
 are assumed to be the names of files containing certificate requests.  are assumed to be the names of files containing certificate requests.
 .It Fl key Ar keyfile  .It Fl key Ar password
 The password used to encrypt the private key.  The
   .Fa password
   used to encrypt the private key.
 Since on some systems the command line arguments are visible,  Since on some systems the command line arguments are visible,
 this option should be used with caution.  this option should be used with caution.
 .It Fl keyfile Ar file  .It Fl keyfile Ar file
 The private key to sign requests with.  The private key to sign requests with.
 .It Fl keyform Ar pem  .It Fl keyform Cm pem | der
 Private key file format.  Private key file format.
   The default is
   .Cm pem .
 .It Fl md Ar alg  .It Fl md Ar alg
 The message digest to use.  The message digest to use.
 Possible values include  Possible values include
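Review bot: in the -key description the argument is declared as ".It Fl key Ar password" but referred to in the body with ".Fa password". The other entries on this page refer back to their argument with .Ar (".Ar file", ".Ar directory", ".Ar serial"), so this should be ".Ar password" too. The rename from keyfile to password is the right call, because it makes the warning about visible command line arguments apply to an obvious secret rather than to something that looks like a path.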
Line 411 
Line 426 
 The newer control  The newer control
 .Qq Xenroll  .Qq Xenroll
 does not need this option.  does not need this option.
   .It Fl multivalue\-rdn
   This option causes the
   .Fl subj
   argument to be interpreted with full support for multivalued RDNs,
   for example
   .Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" .
   If
   .Fl multivalue\-rdn
   is not used, the UID value is set to
   .Qq "123456+CN=John Doe" .
 .It Fl name Ar section  .It Fl name Ar section
 Specifies the configuration file  Specifies the configuration file
 .Ar section  .Ar section
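Review bot: the -multivalue\-rdn text explains the behaviour without the flag only through its result ("the UID value is set to 123456+CN=John Doe"). State the rule as well: without the option the plus sign is taken as an ordinary character of the value, so the subject in the example carries no separate CN. That matters to anyone whose policy or relying software matches on CN, and it is easy to miss when skimming the example.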
Line 435 
Line 460 
 .It Fl out Ar file  .It Fl out Ar file
 The output file to output certificates to.  The output file to output certificates to.
 The default is standard output.  The default is standard output.
 The certificate details will also be printed out to this file.  The certificate details will also be printed out to this file in
   PEM format, except that
   .Fl spkac
   outputs DER format.
 .It Fl outdir Ar directory  .It Fl outdir Ar directory
 The  The
 .Ar directory  .Ar directory
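Review bot: in the -out description the new wording attaches "in PEM format" to "The certificate details will also be printed out to this file", which reads as though the human-readable details are PEM encoded. Split it into two statements: one saying the certificate itself is written in PEM (DER with -spkac), and one saying the details are also printed to the same file.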
Line 472 
Line 500 
 which would only accept certificates if their DNs matched the order of the  which would only accept certificates if their DNs matched the order of the
 request.  request.
 This is not needed for Xenroll.  This is not needed for Xenroll.
   .It Fl selfsign
   Indicates the issued certificates are to be signed with the key the
   certificate requests were signed with, given with
   .Fl keyfile .
   Certificate requests signed with a different key are ignored.
   If
   .Fl gencrl ,
   .Fl spkac ,
   or
   .Fl ss_cert
   are given,
   .Fl selfsign
   is ignored.
   .Pp
   A consequence of using
   .Fl selfsign
   is that the self-signed certificate appears among the entries in
   the certificate database (see the configuration option
   .Cm database )
   and uses the same serial number counter as all other certificates
   signed with the self-signed certificate.
 .It Fl spkac Ar file  .It Fl spkac Ar file
 A file containing a single Netscape signed public key and challenge,  A file containing a single Netscape signed public key and challenge,
 and additional field values to be signed by the CA.  and additional field values to be signed by the CA.
Line 492 
Line 541 
 Set the start date.  Set the start date.
 The format of the date is [YY]YYMMDDHHMMSSZ,  The format of the date is [YY]YYMMDDHHMMSSZ,
 with all four year digits required for dates from 2050 onwards.  with all four year digits required for dates from 2050 onwards.
 .It Fl status Ar serial  .It Fl subj Ar arg
 Show the status of the certificate with serial number  Supersedes the subject name given in the request.
 .Ar serial .  The
 .It Fl updatedb  .Ar arg
 Update database for expired certificates.  must be formatted as
   .Sm off
   .Pf / Ar type0 Ns = Ar value0 Ns / Ar type 1 Ns = Ar value 1 Ns /
   .Ar type2 Ns = Ar ... ;
   .Sm on
   characters may be escaped by
   .Sq \e
   .Pq backslash ,
   no spaces are skipped.
   .It Fl utf8
   Interpret field values read from a terminal or obtained from a
   configuration file as UTF-8 strings.
   By default, they are interpreted as ASCII.
 .It Fl verbose  .It Fl verbose
 Print extra details about the operations being performed.  Print extra details about the operations being performed.
 .El  .El
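Review bot: in the reworked -subj format line the placeholders are spelled inconsistently: "Ar type0" and "Ar value0" have no space, ".Ar type2" has none, but the middle pair is written "Ar type 1" and "Ar value 1". The text being replaced had "type1=value1". Write "Ar type1 Ns = Ar value1" so the source matches the other two pairs.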
Line 547 
Line 608 
 then a V2 CRL is created.  then a V2 CRL is created.
 The CRL extensions specified are CRL extensions and not CRL entry extensions.  The CRL extensions specified are CRL extensions and not CRL entry extensions.
 It should be noted that some software can't handle V2 CRLs.  It should be noted that some software can't handle V2 CRLs.
   See the
   .Xr x509v3.cnf 5
   manual page for details of the extension section format.
 .It Fl crlhours Ar num  .It Fl crlhours Ar num
 The number of hours before the next CRL is due.  The number of hours before the next CRL is due.
 .It Fl gencrl  .It Fl gencrl
Line 555 
Line 619 
 A  A
 .Ar file  .Ar file
 containing a certificate to revoke.  containing a certificate to revoke.
 .It Fl subj Ar arg  .It Fl status Ar serial
 Supersedes the subject name given in the request.  Show the status of the certificate with serial number
 The  .Ar serial .
 .Ar arg  .It Fl updatedb
 must be formatted as  Update the database index to purge expired certificates.
 .Ar /type0=value0/type1=value1/type2=... ;  
 characters may be escaped by  
 .Sq \e  
 .Pq backslash ,  
 no spaces are skipped.  
 .El  .El
 .Pp  .Pp
 Many of the options can be set in the  Many of the options can be set in the
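Review bot: the new -updatedb wording, "Update the database index to purge expired certificates", reads as though expired entries are deleted from the index, which the old wording ("Update database for expired certificates") did not imply. If the entries are kept and only have their status changed, say that instead of "purge"; anyone auditing issued certificates needs to know whether the record of an expired certificate survives this command.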
Line 623 
Line 682 
 value is set to  value is set to
 .Cm copyall  .Cm copyall
 and the user does not spot  and the user does not spot
 this when the certificate is displayed, then this will hand the requestor  this when the certificate is displayed, then this will hand the requester
 a valid CA certificate.  a valid CA certificate.
 .Pp  .Pp
 This situation can be avoided by setting  This situation can be avoided by setting
