version 1.90, 2018/03/30 20:38:23 |
version 1.91, 2018/03/30 23:03:31 |
|
|
.Op Fl batch |
.Op Fl batch |
.Op Fl cert Ar file |
.Op Fl cert Ar file |
.Op Fl config Ar file |
.Op Fl config Ar file |
|
.Op Fl create_serial |
.Op Fl crl_CA_compromise Ar time |
.Op Fl crl_CA_compromise Ar time |
.Op Fl crl_compromise Ar time |
.Op Fl crl_compromise Ar time |
.Op Fl crl_hold Ar instruction |
.Op Fl crl_hold Ar instruction |
|
|
.Op Fl gencrl |
.Op Fl gencrl |
.Op Fl in Ar file |
.Op Fl in Ar file |
.Op Fl infiles |
.Op Fl infiles |
.Op Fl key Ar keyfile |
.Op Fl key Ar password |
.Op Fl keyfile Ar arg |
.Op Fl keyfile Ar arg |
.Op Fl keyform Ar pem |
.Op Fl keyform Cm pem | der |
.Op Fl md Ar arg |
.Op Fl md Ar arg |
.Op Fl msie_hack |
.Op Fl msie_hack |
|
.Op Fl multivalue\-rdn |
.Op Fl name Ar section |
.Op Fl name Ar section |
.Op Fl noemailDN |
.Op Fl noemailDN |
.Op Fl notext |
.Op Fl notext |
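Review bot: the `-key` synopsis fix is the significant line in this hunk and should not be lost among the additions: `.Op Fl key Ar keyfile` was wrong, because the option takes the password protecting the private key (the `-key` description already warns that command-line arguments are visible on some systems), so a reader following the old synopsis had no hint that a secret was going on the command line. The other two changes are consistent with their descriptions: `.Op Fl keyform Cm pem | der` matches the stated `.Cm pem` default, and `.Op Fl multivalue\-rdn` uses the same `\-` escaping as the `.Fl multivalue\-rdn` in the option text.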
|
|
.Op Fl policy Ar arg |
.Op Fl policy Ar arg |
.Op Fl preserveDN |
.Op Fl preserveDN |
.Op Fl revoke Ar file |
.Op Fl revoke Ar file |
|
.Op Fl selfsign |
.Op Fl spkac Ar file |
.Op Fl spkac Ar file |
.Op Fl ss_cert Ar file |
.Op Fl ss_cert Ar file |
.Op Fl startdate Ar date |
.Op Fl startdate Ar date |
.Op Fl status Ar serial |
.Op Fl status Ar serial |
.Op Fl subj Ar arg |
.Op Fl subj Ar arg |
.Op Fl updatedb |
.Op Fl updatedb |
|
.Op Fl utf8 |
.Op Fl verbose |
.Op Fl verbose |
.nr nS 0 |
.nr nS 0 |
.Pp |
.Pp |
|
|
The CA certificate file. |
The CA certificate file. |
.It Fl config Ar file |
.It Fl config Ar file |
Specify an alternative configuration file. |
Specify an alternative configuration file. |
|
.It Fl create_serial |
|
If reading the serial from the text file as specified in the |
|
configuration fails, create a new random serial to be used as the |
|
next serial number. |
.It Fl days Ar arg |
.It Fl days Ar arg |
The number of days to certify the certificate for. |
The number of days to certify the certificate for. |
.It Fl enddate Ar date |
.It Fl enddate Ar date |
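Review bot: the new `-create_serial` text should name the option it refers to and say what happens to the generated value. "The text file as specified in the configuration" is vague next to the rest of this page, which names configuration options directly (compare `.Cm database` in the `-selfsign` text); the file in question is the one named by the `serial` configuration option, so say so. It also matters whether the random serial is written back to that file, since otherwise every run would generate a fresh one, and whether the read failure is reported before falling back, because an operator who silently starts receiving random serials may not notice a damaged or missing serial file.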
|
|
If the extension section is present |
If the extension section is present |
.Pq even if it is empty , |
.Pq even if it is empty , |
then a V3 certificate is created. |
then a V3 certificate is created. |
|
See the |
|
.Xr x509v3.cnf 5 |
|
manual page for details of the extension section format. |
.It Fl extfile Ar file |
.It Fl extfile Ar file |
An additional configuration |
An additional configuration |
.Ar file |
.Ar file |
|
|
.It Fl infiles |
.It Fl infiles |
If present, this should be the last option; all subsequent arguments |
If present, this should be the last option; all subsequent arguments |
are assumed to be the names of files containing certificate requests. |
are assumed to be the names of files containing certificate requests. |
.It Fl key Ar keyfile |
.It Fl key Ar password |
The password used to encrypt the private key. |
The |
|
.Fa password |
|
used to encrypt the private key. |
Since on some systems the command line arguments are visible, |
Since on some systems the command line arguments are visible, |
this option should be used with caution. |
this option should be used with caution. |
.It Fl keyfile Ar file |
.It Fl keyfile Ar file |
The private key to sign requests with. |
The private key to sign requests with. |
.It Fl keyform Ar pem |
.It Fl keyform Cm pem | der |
Private key file format. |
Private key file format. |
|
The default is |
|
.Cm pem . |
.It Fl md Ar alg |
.It Fl md Ar alg |
The message digest to use. |
The message digest to use. |
Possible values include |
Possible values include |
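Review bot: `.Fa password` on the new `-key` description line uses the function-argument macro; everywhere else on this page a command-line argument is marked with `.Ar` (`.Ar file`, `.Ar section`, `.Ar serial`), and the synopsis for this option reads `.Op Fl key Ar password`, so the line should be `.Ar password`. The rest of the hunk is fine: the `-keyform` text now states the `.Cm pem` default implied by the new `Cm pem | der` synopsis.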
|
|
The newer control |
The newer control |
.Qq Xenroll |
.Qq Xenroll |
does not need this option. |
does not need this option. |
|
.It Fl multivalue\-rdn |
|
This option causes the |
|
.Fl subj |
|
argument to be interpreted with full support for multivalued RDNs, |
|
for example |
|
.Qq "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" . |
|
If |
|
.Fl multivalue\-rdn |
|
is not used, the UID value is set to |
|
.Qq "123456+CN=John Doe" . |
.It Fl name Ar section |
.It Fl name Ar section |
Specifies the configuration file |
Specifies the configuration file |
.Ar section |
.Ar section |
|
|
.It Fl out Ar file |
.It Fl out Ar file |
The output file to output certificates to. |
The output file to output certificates to. |
The default is standard output. |
The default is standard output. |
The certificate details will also be printed out to this file. |
The certificate details will also be printed out to this file in |
|
PEM format, except that |
|
.Fl spkac |
|
outputs DER format. |
.It Fl outdir Ar directory |
.It Fl outdir Ar directory |
The |
The |
.Ar directory |
.Ar directory |
|
|
which would only accept certificates if their DNs matched the order of the |
which would only accept certificates if their DNs matched the order of the |
request. |
request. |
This is not needed for Xenroll. |
This is not needed for Xenroll. |
|
.It Fl selfsign |
|
Indicates the issued certificates are to be signed with the key the |
|
certificate requests were signed with, given with |
|
.Fl keyfile . |
|
Certificate requests signed with a different key are ignored. |
|
If |
|
.Fl gencrl , |
|
.Fl spkac , |
|
or |
|
.Fl ss_cert |
|
are given, |
|
.Fl selfsign |
|
is ignored. |
|
.Pp |
|
A consequence of using |
|
.Fl selfsign |
|
is that the self-signed certificate appears among the entries in |
|
the certificate database (see the configuration option |
|
.Cm database ) |
|
and uses the same serial number counter as all other certificates |
|
signed with the self-signed certificate. |
.It Fl spkac Ar file |
.It Fl spkac Ar file |
A file containing a single Netscape signed public key and challenge, |
A file containing a single Netscape signed public key and challenge, |
and additional field values to be signed by the CA. |
and additional field values to be signed by the CA. |
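Review bot: "Certificate requests signed with a different key are ignored" should say how they are ignored, with a diagnostic or silently, because an operator batch-signing with `-infiles` can easily miss a request that is dropped without a message. The `.Pp` paragraph that follows, noting that the self-signed certificate lands in the `.Cm database` and shares the serial number counter, is a useful warning and reads clearly.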
|
|
Set the start date. |
Set the start date. |
The format of the date is [YY]YYMMDDHHMMSSZ, |
The format of the date is [YY]YYMMDDHHMMSSZ, |
with all four year digits required for dates from 2050 onwards. |
with all four year digits required for dates from 2050 onwards. |
.It Fl status Ar serial |
.It Fl subj Ar arg |
Show the status of the certificate with serial number |
Supersedes the subject name given in the request. |
.Ar serial . |
The |
.It Fl updatedb |
.Ar arg |
Update database for expired certificates. |
must be formatted as |
|
.Sm off |
|
.Pf / Ar type0 Ns = Ar value0 Ns / Ar type 1 Ns = Ar value 1 Ns / |
|
.Ar type2 Ns = Ar ... ; |
|
.Sm on |
|
characters may be escaped by |
|
.Sq \e |
|
.Pq backslash , |
|
no spaces are skipped. |
|
.It Fl utf8 |
|
Interpret field values read from a terminal or obtained from a |
|
configuration file as UTF-8 strings. |
|
By default, they are interpreted as ASCII. |
.It Fl verbose |
.It Fl verbose |
Print extra details about the operations being performed. |
Print extra details about the operations being performed. |
.El |
.El |
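Review bot: the `.Sm off` format line for `-subj` has stray spaces in `Ar type 1 Ns = Ar value 1`, which will render as `type 1=value 1` while the preceding pair renders as `type0=value0`; it should be `Ar type1 Ns = Ar value1` (the line it replaces, `.Ar /type0=value0/type1=value1/type2=... ;`, had this right). Moving `-subj` into this list is otherwise correct, since the option applies to certificate issuance and had been sitting among the CRL options.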
|
|
then a V2 CRL is created. |
then a V2 CRL is created. |
The CRL extensions specified are CRL extensions and not CRL entry extensions. |
The CRL extensions specified are CRL extensions and not CRL entry extensions. |
It should be noted that some software can't handle V2 CRLs. |
It should be noted that some software can't handle V2 CRLs. |
|
See the |
|
.Xr x509v3.cnf 5 |
|
manual page for details of the extension section format. |
.It Fl crlhours Ar num |
.It Fl crlhours Ar num |
The number of hours before the next CRL is due. |
The number of hours before the next CRL is due. |
.It Fl gencrl |
.It Fl gencrl |
|
|
A |
A |
.Ar file |
.Ar file |
containing a certificate to revoke. |
containing a certificate to revoke. |
.It Fl subj Ar arg |
.It Fl status Ar serial |
Supersedes the subject name given in the request. |
Show the status of the certificate with serial number |
The |
.Ar serial . |
.Ar arg |
.It Fl updatedb |
must be formatted as |
Update the database index to purge expired certificates. |
.Ar /type0=value0/type1=value1/type2=... ; |
|
characters may be escaped by |
|
.Sq \e |
|
.Pq backslash , |
|
no spaces are skipped. |
|
.El |
.El |
.Pp |
.Pp |
Many of the options can be set in the |
Many of the options can be set in the |
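Review bot: "Update the database index to purge expired certificates" goes further than the wording it replaces: "purge" implies the entries are deleted, and if `-updatedb` only marks expired entries as expired in the index rather than removing them, the text should say "mark expired certificates as expired"; an operator who relies on the index for `-status` lookups needs to know which it is. Placing `-status` and `-updatedb` next to `-revoke` in this list is fine, as all three operate on the database rather than issue certificates.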
|
|
value is set to |
value is set to |
.Cm copyall |
.Cm copyall |
and the user does not spot |
and the user does not spot |
this when the certificate is displayed, then this will hand the requestor |
this when the certificate is displayed, then this will hand the requester |
a valid CA certificate. |
a valid CA certificate. |
.Pp |
.Pp |
This situation can be avoided by setting |
This situation can be avoided by setting |