version 1.62, 2016/08/25 14:37:28 |
version 1.63, 2016/08/27 20:43:05 |
|
|
.It Fl verifyrecover |
.It Fl verifyrecover |
Verify the input data and output the recovered data. |
Verify the input data and output the recovered data. |
.El |
.El |
.\" |
|
.\" PRIME |
|
.\" |
|
.Sh PRIME |
.Sh PRIME |
.Cm openssl prime |
.Cm openssl prime |
.Op Fl bits Ar n |
.Op Fl bits Ar n |
|
|
.Ar p |
.Ar p |
is prime. |
is prime. |
.El |
.El |
.\" |
|
.\" RAND |
|
.\" |
|
.Sh RAND |
.Sh RAND |
.nr nS 1 |
.nr nS 1 |
.Nm "openssl rand" |
.Nm "openssl rand" |
|
|
.It Fl hex |
.It Fl hex |
Specify hexadecimal output. |
Specify hexadecimal output. |
.It Fl out Ar file |
.It Fl out Ar file |
Write to |
The output file to write to, |
.Ar file |
or standard output if not specified. |
instead of standard output. |
|
.El |
.El |
.\" |
|
.\" REQ |
|
.\" |
|
.Sh REQ |
.Sh REQ |
.nr nS 1 |
.nr nS 1 |
.Nm "openssl req" |
.Nm "openssl req" |
.Bk -words |
|
.Op Fl asn1-kludge |
.Op Fl asn1-kludge |
.Op Fl batch |
.Op Fl batch |
.Op Fl config Ar file |
.Op Fl config Ar file |
.Op Fl days Ar n |
.Op Fl days Ar n |
.Op Fl extensions Ar section |
.Op Fl extensions Ar section |
.Op Fl in Ar file |
.Op Fl in Ar file |
.Op Fl inform Ar DER | PEM |
.Op Fl inform Cm der | pem |
.Op Fl key Ar keyfile |
.Op Fl key Ar keyfile |
.Op Fl keyform Ar DER | PEM |
.Op Fl keyform Cm der | pem |
.Op Fl keyout Ar file |
.Op Fl keyout Ar file |
.Op Fl md4 | md5 | sha1 |
.Op Fl md4 | md5 | sha1 |
.Op Fl modulus |
.Op Fl modulus |
|
|
.Op Fl nodes |
.Op Fl nodes |
.Op Fl noout |
.Op Fl noout |
.Op Fl out Ar file |
.Op Fl out Ar file |
.Op Fl outform Ar DER | PEM |
.Op Fl outform Cm der | pem |
.Op Fl passin Ar arg |
.Op Fl passin Ar arg |
.Op Fl passout Ar arg |
.Op Fl passout Ar arg |
.Op Fl pubkey |
.Op Fl pubkey |
|
|
.Op Fl verbose |
.Op Fl verbose |
.Op Fl verify |
.Op Fl verify |
.Op Fl x509 |
.Op Fl x509 |
.Ek |
|
.nr nS 0 |
.nr nS 0 |
.Pp |
.Pp |
The |
The |
|
|
The options are as follows: |
The options are as follows: |
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Fl asn1-kludge |
.It Fl asn1-kludge |
By default, the |
Produce requests in an invalid format for certain picky CAs. |
.Nm req |
Very few CAs still require the use of this option. |
command outputs certificate requests containing |
|
no attributes in the correct PKCS#10 format. |
|
However certain CAs will only |
|
accept requests containing no attributes in an invalid form: this |
|
option produces this invalid format. |
|
.Pp |
|
More precisely, the |
|
.Em Attributes |
|
in a PKCS#10 certificate request are defined as a SET OF Attribute. |
|
They are |
|
.Em not |
|
optional, so if no attributes are present then they should be encoded as an |
|
empty SET OF. |
|
The invalid form does not include the empty |
|
SET OF, whereas the correct form does. |
|
.Pp |
|
It should be noted that very few CAs still require the use of this option. |
|
.It Fl batch |
.It Fl batch |
Non-interactive mode. |
Non-interactive mode. |
.It Fl config Ar file |
.It Fl config Ar file |
This allows an alternative configuration file to be specified; |
Specify an alternative configuration file. |
this overrides the compile time filename or any specified in |
|
the |
|
.Ev OPENSSL_CONF |
|
environment variable. |
|
.It Fl days Ar n |
.It Fl days Ar n |
When the |
Specify the number of days to certify the certificate for. |
.Fl x509 |
|
option is being used, this specifies the number of |
|
days to certify the certificate for. |
|
The default is 30 days. |
The default is 30 days. |
.It Fl extensions Ar section , Fl reqexts Ar section |
Used with the |
These options specify alternative sections to include certificate |
|
extensions (if the |
|
.Fl x509 |
.Fl x509 |
option is present) or certificate request extensions. |
option. |
This allows several different sections to |
.It Fl extensions Ar section , Fl reqexts Ar section |
be used in the same configuration file to specify requests for |
Specify alternative sections to include certificate |
a variety of purposes. |
extensions (with |
|
.Fl x509 ) |
|
or certificate request extensions, |
|
allowing several different sections to be used in the same configuration file. |
.It Fl in Ar file |
.It Fl in Ar file |
This specifies the input |
The input file to read a request from, |
.Ar file |
or standard input if not specified. |
to read a request from, or standard input |
|
if this option is not specified. |
|
A request is only read if the creation options |
A request is only read if the creation options |
.Fl new |
.Fl new |
and |
and |
.Fl newkey |
.Fl newkey |
are not specified. |
are not specified. |
.It Fl inform Ar DER | PEM |
.It Fl inform Cm der | pem |
This specifies the input format. |
The input format. |
The |
.Cm der |
.Ar DER |
uses an ASN1 DER-encoded form compatible with the PKCS#10. |
argument uses an ASN1 DER-encoded form compatible with the PKCS#10. |
.Cm pem |
The |
is the default format: |
.Ar PEM |
|
form is the default format: |
|
it consists of the DER format base64-encoded with additional header and |
it consists of the DER format base64-encoded with additional header and |
footer lines. |
footer lines. |
.It Fl key Ar keyfile |
.It Fl key Ar keyfile |
This specifies the file to read the private key from. |
The file to read the private key from. |
It also accepts PKCS#8 format private keys for PEM format files. |
It also accepts PKCS#8 format private keys for PEM format files. |
.It Fl keyform Ar DER | PEM |
.It Fl keyform Cm der | pem |
The format of the private key file specified in the |
The format of the private key file specified in the |
.Fl key |
.Fl key |
argument. |
argument. |
.Ar PEM |
The default is PEM. |
is the default. |
|
.It Fl keyout Ar file |
.It Fl keyout Ar file |
This gives the |
The file to write the newly created private key to. |
.Ar file |
If this option is not specified, |
to write the newly created private key to. |
the filename present in the configuration file is used. |
If this option is not specified, the filename present in the |
|
configuration file is used. |
|
.It Fl md5 | sha1 | sha256 |
.It Fl md5 | sha1 | sha256 |
This specifies the message digest to sign the request with. |
The message digest to sign the request with. |
This overrides the digest algorithm specified in the configuration file. |
This overrides the digest algorithm specified in the configuration file. |
.Pp |
.Pp |
Some public key algorithms may override this choice. |
Some public key algorithms may override this choice. |
For instance, DSA signatures always use SHA1. |
For instance, DSA signatures always use SHA1. |
.It Fl modulus |
.It Fl modulus |
This option prints out the value of the modulus of the public key |
Print the value of the modulus of the public key contained in the request. |
contained in the request. |
|
.It Fl nameopt Ar option , Fl reqopt Ar option |
.It Fl nameopt Ar option , Fl reqopt Ar option |
These options determine how the subject or issuer names are displayed. |
Determine how the subject or issuer names are displayed. |
The |
|
.Ar option |
.Ar option |
argument can be a single option or multiple options separated by commas. |
can be a single option or multiple options separated by commas. |
Alternatively, these options may be used more than once to set multiple options. |
Alternatively, these options may be used more than once to set multiple options. |
See the |
See the |
.Sx X509 |
.Sx X509 |
section below for details. |
section below for details. |
.It Fl new |
.It Fl new |
This option generates a new certificate request. |
Generate a new certificate request. |
It will prompt the user for the relevant field values. |
The user is prompted for the relevant field values. |
The actual fields prompted for and their maximum and minimum sizes |
The actual fields prompted for and their maximum and minimum sizes |
are specified in the configuration file and any requested extensions. |
are specified in the configuration file and any requested extensions. |
.Pp |
.Pp |
|
|
option is not used, it will generate a new RSA private |
option is not used, it will generate a new RSA private |
key using information specified in the configuration file. |
key using information specified in the configuration file. |
.It Fl newhdr |
.It Fl newhdr |
Adds the word NEW to the PEM file header and footer lines |
Add the word NEW to the PEM file header and footer lines |
on the outputed request. |
on the outputed request. |
Some software |
Some software and CAs need this. |
.Pq Netscape certificate server |
|
and some CAs need this. |
|
.It Fl newkey Ar arg |
.It Fl newkey Ar arg |
This option creates a new certificate request and a new private key. |
Create a new certificate request and a new private key. |
The argument takes one of several forms. |
The argument takes one of several forms. |
.Ar rsa : Ns Ar nbits , |
.Pp |
where |
.No rsa : Ns Ar nbits |
|
generates an RSA key |
.Ar nbits |
.Ar nbits |
is the number of bits, generates an RSA key |
|
.Ar nbits |
|
in size. |
in size. |
If |
If |
.Ar nbits |
.Ar nbits |
is omitted, i.e.\& |
is omitted |
.Cm -newkey rsa |
the default key size is used. |
specified, |
|
the default key size, specified in the configuration file, is used. |
|
.Pp |
.Pp |
All other algorithms support the |
.No dsa : Ns Ar file |
.Ar alg : Ns Ar file |
generates a DSA key using the parameters in |
form, |
.Ar file . |
|
.Pp |
|
.No param : Ns Ar file |
|
generates a key using the parameters or certificate in |
|
.Ar file . |
|
.Pp |
|
All other algorithms support the form |
|
.Ar algorithm : Ns Ar file , |
where file may be an algorithm parameter file, |
where file may be an algorithm parameter file, |
created by the |
created by the |
.Cm genpkey -genparam |
.Cm genpkey -genparam |
command or an X.509 certificate for a key with appropriate algorithm. |
command or an X.509 certificate for a key with appropriate algorithm. |
.Pp |
.Ar file |
.Ar param : Ns Ar file |
can be omitted, |
generates a key using the parameter file or certificate |
in which case any parameters can be specified via the |
.Ar file ; |
|
the algorithm is determined by the parameters. |
|
.Ar algname : Ns Ar file |
|
use algorithm |
|
.Ar algname |
|
and parameter file |
|
.Ar file : |
|
the two algorithms must match or an error occurs. |
|
.Ar algname |
|
just uses algorithm |
|
.Ar algname , |
|
and parameters, if necessary, |
|
should be specified via the |
|
.Fl pkeyopt |
.Fl pkeyopt |
option. |
option. |
.Pp |
|
.Ar dsa : Ns Ar file |
|
generates a DSA key using the parameters in the file |
|
.Ar file . |
|
.It Fl no-asn1-kludge |
.It Fl no-asn1-kludge |
Reverses the effect of |
Reverse the effect of |
.Fl asn1-kludge . |
.Fl asn1-kludge . |
.It Fl nodes |
.It Fl nodes |
If this option is specified and a private key is created, it |
Do not encrypt the private key. |
will not be encrypted. |
|
.It Fl noout |
.It Fl noout |
This option prevents output of the encoded version of the request. |
Do not output the encoded version of the request. |
.It Fl out Ar file |
.It Fl out Ar file |
This specifies the output |
The output file to write to, |
.Ar file |
or standard output if not spceified. |
to write to, or standard output by default. |
.It Fl outform Cm der | pem |
.It Fl outform Ar DER | PEM |
The output format. |
This specifies the output format; the options have the same meaning as the |
|
.Fl inform |
|
option. |
|
.It Fl passin Ar arg |
.It Fl passin Ar arg |
The key password source. |
The key password source. |
.It Fl passout Ar arg |
.It Fl passout Ar arg |
The output file password source. |
The output file password source. |
.It Fl pubkey |
.It Fl pubkey |
Outputs the public key. |
Output the public key. |
.It Fl reqopt Ar option |
.It Fl reqopt Ar option |
Customise the output format used with |
Customise the output format used with |
.Fl text . |
.Fl text . |
The |
The |
.Ar option |
.Ar option |
argument can be a single option or multiple options separated by commas. |
argument can be a single option or multiple options separated by commas. |
.Pp |
See also the discussion of |
See the discussion of the |
|
.Fl certopt |
.Fl certopt |
option in the |
in the |
.Nm x509 |
.Nm x509 |
command. |
command. |
.It Fl set_serial Ar n |
.It Fl set_serial Ar n |
|
|
.Sq 0x . |
.Sq 0x . |
It is possible to use negative serial numbers but this is not recommended. |
It is possible to use negative serial numbers but this is not recommended. |
.It Fl subj Ar arg |
.It Fl subj Ar arg |
Replaces subject field of input request with specified data and outputs |
Replaces the subject field of an input request |
modified request. |
with the specified data and output the modified request. |
The arg must be formatted as |
.Ar arg |
.Em /type0=value0/type1=value1/type2=... ; |
must be formatted as /type0=value0/type1=value1/type2=...; |
characters may be escaped by |
characters may be escaped by |
.Sq \e |
.Sq \e |
.Pq backslash ; |
(backslash); |
no spaces are skipped. |
no spaces are skipped. |
.It Fl subject |
.It Fl subject |
Prints out the request subject (or certificate subject if |
Print the request subject (or certificate subject if |
.Fl x509 |
.Fl x509 |
is specified. |
is specified). |
.It Fl text |
.It Fl text |
Prints out the certificate request in text form. |
Print the certificate request in text form. |
.It Fl utf8 |
.It Fl utf8 |
This option causes field values to be interpreted as UTF8 strings; |
Interpret field values as UTF8 strings, not ASCII. |
by default they are interpreted as ASCII. |
|
This means that the field values, whether prompted from a terminal or |
|
obtained from a configuration file, must be valid UTF8 strings. |
|
.It Fl verbose |
.It Fl verbose |
Print extra details about the operations being performed. |
Print extra details about the operations being performed. |
.It Fl verify |
.It Fl verify |
Verifies the signature on the request. |
Verify the signature on the request. |
.It Fl x509 |
.It Fl x509 |
This option outputs a self-signed certificate instead of a certificate |
Output a self-signed certificate instead of a certificate request. |
request. |
This is typically used to generate a test certificate or a self-signed root CA. |
This is typically used to generate a test certificate or |
The extensions added to the certificate (if any) |
a self-signed root CA. |
|
The extensions added to the certificate |
|
.Pq if any |
|
are specified in the configuration file. |
are specified in the configuration file. |
Unless specified using the |
Unless specified using the |
.Fl set_serial |
.Fl set_serial |
option, 0 will be used for the serial number. |
option, 0 is used for the serial number. |
.El |
.El |
.Sh REQ CONFIGURATION FILE FORMAT |
.Pp |
The configuration options are specified in the |
The configuration options are specified in the |
.Em req |
.Qq req |
section of the configuration file. |
section of the configuration file. |
As with all configuration files, if no value is specified in the specific |
As with all configuration files, if no value is specified in the specific |
section (i.e.\& |
section then the initial unnamed or default section is searched too. |
.Em req ) |
|
then the initial unnamed or |
|
.Em default |
|
section is searched too. |
|
.Pp |
.Pp |
The options available are described in detail below. |
The options available are as follows: |
.Bl -tag -width "XXXX" |
.Bl -tag -width "XXXX" |
.It Ar attributes |
.It Cm attributes |
This specifies the section containing any request attributes: its format |
The section containing any request attributes: its format |
is the same as |
is the same as |
.Ar distinguished_name . |
.Cm distinguished_name . |
Typically these may contain the |
Typically these may contain the challengePassword or unstructuredName types. |
.Em challengePassword |
They are currently ignored by the |
or |
.Nm openssl |
.Em unstructuredName |
|
types. |
|
They are currently ignored by |
|
.Nm OpenSSL Ns Li 's |
|
request signing utilities, but some CAs might want them. |
request signing utilities, but some CAs might want them. |
.It Ar default_bits |
.It Cm default_bits |
This specifies the default key size in bits. |
The default key size, in bits. |
If not specified, 2048 is used. |
The default is 2048. |
It is used if the |
It is used if the |
.Fl new |
.Fl new |
option is used. |
option is used and can be overridden by using the |
It can be overridden by using the |
|
.Fl newkey |
.Fl newkey |
option. |
option. |
.It Ar default_keyfile |
.It Cm default_keyfile |
This is the default file to write a private key to. |
The default file to write a private key to, |
If not specified, the key is written to standard output. |
or standard output if not specified. |
This can be overridden by the |
It can be overridden by the |
.Fl keyout |
.Fl keyout |
option. |
option. |
.It Ar default_md |
.It Cm default_md |
This option specifies the digest algorithm to use. |
The digest algorithm to use. |
Possible values include |
Possible values include |
.Ar md5 , |
.Cm md5 , |
.Ar sha1 |
.Cm sha1 |
and |
and |
.Ar sha256 . |
.Cm sha256 |
If not present, SHA256 is used. |
(the default). |
This option can be overridden on the command line. |
It can be overridden on the command line. |
.It Ar distinguished_name |
.It Cm distinguished_name |
This specifies the section containing the distinguished name fields to |
The section containing the distinguished name fields to |
prompt for when generating a certificate or certificate request. |
prompt for when generating a certificate or certificate request. |
The format is described in the next section. |
The format is described below. |
.It Ar encrypt_key |
.It Cm encrypt_key |
If this is set to |
If set to |
.Em no |
.Qq no |
and a private key is generated, it is |
and a private key is generated, it is not encrypted. |
.Em not |
It is equivalent to the |
encrypted. |
|
This is equivalent to the |
|
.Fl nodes |
.Fl nodes |
command line option. |
option. |
For compatibility, |
For compatibility, |
.Ar encrypt_rsa_key |
.Cm encrypt_rsa_key |
is an equivalent option. |
is an equivalent option. |
.It Ar input_password | output_password |
.It Cm input_password | output_password |
The passwords for the input private key file |
The passwords for the input private key file (if present) |
.Pq if present |
and the output private key file (if one will be created). |
and the output private key file |
|
.Pq if one will be created . |
|
The command line options |
The command line options |
.Fl passin |
.Fl passin |
and |
and |
.Fl passout |
.Fl passout |
override the configuration file values. |
override the configuration file values. |
.It Ar oid_file |
.It Cm oid_file |
This specifies a file containing additional OBJECT IDENTIFIERS. |
A file containing additional OBJECT IDENTIFIERS. |
Each line of the file should consist of the numerical form of the |
Each line of the file should consist of the numerical form of the |
object identifier, followed by whitespace, then the short name followed |
object identifier, followed by whitespace, then the short name followed |
by whitespace and finally the long name. |
by whitespace and finally the long name. |
.It Ar oid_section |
.It Cm oid_section |
This specifies a section in the configuration file containing extra |
Specify a section in the configuration file containing extra |
object identifiers. |
object identifiers. |
Each line should consist of the short name of the |
Each line should consist of the short name of the |
object identifier followed by |
object identifier followed by |
.Sq = |
.Sq = |
and the numerical form. |
and the numerical form. |
The short and long names are the same when this option is used. |
The short and long names are the same when this option is used. |
.It Ar prompt |
.It Cm prompt |
If set to the value |
If set to |
.Em no , |
.Qq no , |
this disables prompting of certificate fields |
it disables prompting of certificate fields |
and just takes values from the config file directly. |
and just takes values from the config file directly. |
It also changes the expected format of the |
It also changes the expected format of the |
.Em distinguished_name |
.Cm distinguished_name |
and |
and |
.Em attributes |
.Cm attributes |
sections. |
sections. |
.It Ar req_extensions |
.It Cm req_extensions |
This specifies the configuration file section containing a list of |
The configuration file section containing a list of |
extensions to add to the certificate request. |
extensions to add to the certificate request. |
It can be overridden by the |
It can be overridden by the |
.Fl reqexts |
.Fl reqexts |
command line switch. |
option. |
.It Ar string_mask |
.It Cm string_mask |
This option limits the string types for encoding certain |
Limit the string types for encoding certain fields. |
fields. |
|
The following values may be used, limiting strings to the indicated types: |
The following values may be used, limiting strings to the indicated types: |
.Bl -tag -width "MASK:number" |
.Bl -tag -width "MASK:number" |
.It Ar utf8only |
.It Cm utf8only |
.Em UTF8String. |
UTF8String. |
This is the default, as recommended by PKIX in RFC 2459. |
This is the default, as recommended by PKIX in RFC 2459. |
.It Ar default |
.It Cm default |
.Em PrintableString , IA5String , T61String , BMPString , UTF8String . |
PrintableString, IA5String, T61String, BMPString, UTF8String. |
.It Ar pkix |
.It Cm pkix |
.Em PrintableString , IA5String , BMPString , UTF8String . |
PrintableString, IA5String, BMPString, UTF8String. |
This was inspired by the PKIX recommendation in RFC 2459 for certificates |
Inspired by the PKIX recommendation in RFC 2459 for certificates |
generated before 2004, but differs by also permitting |
generated before 2004, but differs by also permitting IA5String. |
.Em IA5String . |
.It Cm nombstr |
.It Ar nombstr |
PrintableString, IA5String, T61String, UniversalString. |
.Em PrintableString , IA5String , T61String , UniversalString . |
A workaround for some ancient software that had problems |
This was a workaround for some ancient software that had problems |
with the variable-sized BMPString and UTF8String types. |
with the variable-sized |
|
.Em BMPString |
|
and |
|
.Em UTF8String |
|
types. |
|
.It Cm MASK : Ns Ar number |
.It Cm MASK : Ns Ar number |
This is an explicit bitmask of permitted types, where |
An explicit bitmask of permitted types, where |
.Ar number |
.Ar number |
is a C-style hex, decimal, or octal number that's a bit-wise OR of |
is a C-style hex, decimal, or octal number that's a bit-wise OR of |
.Dv B_ASN1_* |
.Dv B_ASN1_* |
values from |
values from |
.In openssl/asn1.h . |
.In openssl/asn1.h . |
.El |
.El |
.It Ar utf8 |
.It Cm utf8 |
If set to the value |
If set to |
.Em yes , |
.Qq yes , |
then field values are interpreted as UTF8 strings; |
field values are interpreted as UTF8 strings, not ASCII. |
by default they are interpreted as ASCII. |
.It Cm x509_extensions |
This means that the field values, whether prompted from a terminal or |
The configuration file section containing a list of |
obtained from a configuration file, must be valid UTF8 strings. |
|
.It Ar x509_extensions |
|
This specifies the configuration file section containing a list of |
|
extensions to add to a certificate generated when the |
extensions to add to a certificate generated when the |
.Fl x509 |
.Fl x509 |
switch is used. |
switch is used. |
It can be overridden by the |
It can be overridden by the |
.Fl extensions |
.Fl extensions |
command line switch. |
option. |
.El |
.El |
.Sh REQ DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT |
.Pp |
There are two separate formats for the distinguished name and attribute |
There are two separate formats for the distinguished name and attribute |
sections. |
sections. |
If the |
If the |
.Fl prompt |
.Fl prompt |
option is set to |
option is set to |
.Em no , |
.Qq no , |
then these sections just consist of field names and values: for example, |
the sections consist of just field names and values, |
.Bd -unfilled -offset indent |
which allows external programs to generate a template file |
CN=My Name |
with all the field names and values and just pass it to |
OU=My Organization |
|
emailAddress=someone@somewhere.org |
|
.Ed |
|
.Pp |
|
This allows external programs |
|
.Pq e.g. GUI based |
|
to generate a template file with all the field names and values |
|
and just pass it to |
|
.Nm req . |
.Nm req . |
An example of this kind of configuration file is contained in the |
|
.Sx REQ EXAMPLES |
|
section. |
|
.Pp |
.Pp |
Alternatively if the |
Alternatively if the |
.Fl prompt |
.Fl prompt |
option is absent or not set to |
option is absent or not set to |
.Em no , |
.Qq no , |
then the file contains field prompting information. |
then the file contains field prompting information. |
It consists of lines of the form: |
It consists of lines of the form: |
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
|
|
.Pp |
.Pp |
.Qq fieldName |
.Qq fieldName |
is the field name being used, for example |
is the field name being used, for example |
.Em commonName |
.Cm commonName |
.Pq or CN . |
(or CN). |
The |
The |
.Qq prompt |
.Qq prompt |
string is used to ask the user to enter the relevant details. |
string is used to ask the user to enter the relevant details. |
|
|
character. |
character. |
.Pp |
.Pp |
The number of characters entered must be between the |
The number of characters entered must be between the |
.Em fieldName_min |
fieldName_min and fieldName_max limits: |
and |
|
.Em fieldName_max |
|
limits: |
|
there may be additional restrictions based on the field being used |
there may be additional restrictions based on the field being used |
(for example |
(for example |
.Em countryName |
.Cm countryName |
can only ever be two characters long and must fit in a |
can only ever be two characters long and must fit in a |
.Em PrintableString ) . |
.Cm PrintableString ) . |
.Pp |
.Pp |
Some fields (such as |
Some fields (such as |
.Em organizationName ) |
.Cm organizationName ) |
can be used more than once in a DN. |
can be used more than once in a DN. |
This presents a problem because configuration files will |
This presents a problem because configuration files will |
not recognize the same name occurring twice. |
not recognize the same name occurring twice. |
To avoid this problem, if the |
To avoid this problem, if the |
.Em fieldName |
.Cm fieldName |
contains some characters followed by a full stop, they will be ignored. |
contains some characters followed by a full stop, they will be ignored. |
So, for example, a second |
So, for example, a second |
.Em organizationName |
.Cm organizationName |
can be input by calling it |
can be input by calling it |
.Qq 1.organizationName . |
.Qq 1.organizationName . |
.Pp |
.Pp |
The actual permitted field names are any object identifier short or |
The actual permitted field names are any object identifier short or |
long names. |
long names. |
These are compiled into |
These are compiled into |
.Nm OpenSSL |
.Nm openssl |
and include the usual values such as |
and include the usual values such as |
.Em commonName , countryName , localityName , organizationName , |
.Cm commonName , countryName , localityName , organizationName , |
.Em organizationUnitName , stateOrProvinceName . |
.Cm organizationUnitName , stateOrProvinceName . |
Additionally, |
Additionally, |
.Em emailAddress |
.Cm emailAddress |
is included as well as |
is included as well as |
.Em name , surname , givenName initials |
.Cm name , surname , givenName , initials |
and |
and |
.Em dnQualifier . |
.Cm dnQualifier . |
.Pp |
.Pp |
Additional object identifiers can be defined with the |
Additional object identifiers can be defined with the |
.Ar oid_file |
.Cm oid_file |
or |
or |
.Ar oid_section |
.Cm oid_section |
options in the configuration file. |
options in the configuration file. |
Any additional fields will be treated as though they were a |
Any additional fields will be treated as though they were a |
.Em DirectoryString . |
.Cm DirectoryString . |
.Sh REQ EXAMPLES |
|
Examine and verify a certificate request: |
|
.Pp |
.Pp |
.Dl $ openssl req -in req.pem -text -verify -noout |
|
.Pp |
|
Create a private key and then generate a certificate request from it: |
|
.Bd -literal -offset indent |
|
$ openssl genrsa -out key.pem 2048 |
|
$ openssl req -new -key key.pem -out req.pem |
|
.Ed |
|
.Pp |
|
The same but just using req: |
|
.Pp |
|
.Dl $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem |
|
.Pp |
|
Generate a self-signed root certificate: |
|
.Pp |
|
.Dl "$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem" |
|
.Pp |
|
Example of a file pointed to by the |
|
.Ar oid_file |
|
option: |
|
.Bd -unfilled -offset indent |
|
1.2.3.4 shortName A longer Name |
|
1.2.3.6 otherName Other longer Name |
|
.Ed |
|
.Pp |
|
Example of a section pointed to by |
|
.Ar oid_section |
|
making use of variable expansion: |
|
.Bd -unfilled -offset indent |
|
testoid1=1.2.3.5 |
|
testoid2=${testoid1}.6 |
|
.Ed |
|
.Pp |
|
Sample configuration file prompting for field values: |
|
.Bd -literal |
|
\& [ req ] |
|
\& default_bits = 1024 |
|
\& default_keyfile = privkey.pem |
|
\& distinguished_name = req_distinguished_name |
|
\& attributes = req_attributes |
|
\& x509_extensions = v3_ca |
|
|
|
\& dirstring_type = nobmp |
|
|
|
\& [ req_distinguished_name ] |
|
\& countryName = Country Name (2 letter code) |
|
\& countryName_default = AU |
|
\& countryName_min = 2 |
|
\& countryName_max = 2 |
|
|
|
\& localityName = Locality Name (eg, city) |
|
|
|
\& organizationalUnitName = Organizational Unit Name (eg, section) |
|
|
|
\& commonName = Common Name (eg, YOUR name) |
|
\& commonName_max = 64 |
|
|
|
\& emailAddress = Email Address |
|
\& emailAddress_max = 40 |
|
|
|
\& [ req_attributes ] |
|
\& challengePassword = A challenge password |
|
\& challengePassword_min = 4 |
|
\& challengePassword_max = 20 |
|
|
|
\& [ v3_ca ] |
|
|
|
\& subjectKeyIdentifier=hash |
|
\& authorityKeyIdentifier=keyid:always,issuer:always |
|
\& basicConstraints = CA:true |
|
.Ed |
|
.Pp |
|
Sample configuration containing all field values: |
|
.Bd -literal |
|
|
|
\& [ req ] |
|
\& default_bits = 1024 |
|
\& default_keyfile = keyfile.pem |
|
\& distinguished_name = req_distinguished_name |
|
\& attributes = req_attributes |
|
\& prompt = no |
|
\& output_password = mypass |
|
|
|
\& [ req_distinguished_name ] |
|
\& C = GB |
|
\& ST = Test State or Province |
|
\& L = Test Locality |
|
\& O = Organization Name |
|
\& OU = Organizational Unit Name |
|
\& CN = Common Name |
|
\& emailAddress = test@email.address |
|
|
|
\& [ req_attributes ] |
|
\& challengePassword = A challenge password |
|
.Ed |
|
.Sh REQ NOTES |
|
The header and footer lines in the PEM format are normally: |
The header and footer lines in the PEM format are normally: |
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
-----BEGIN CERTIFICATE REQUEST----- |
-----BEGIN CERTIFICATE REQUEST----- |
-----END CERTIFICATE REQUEST----- |
-----END CERTIFICATE REQUEST----- |
.Ed |
.Ed |
.Pp |
.Pp |
Some software |
Some software instead needs: |
.Pq some versions of Netscape certificate server |
|
instead needs: |
|
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
-----BEGIN NEW CERTIFICATE REQUEST----- |
-----BEGIN NEW CERTIFICATE REQUEST----- |
-----END NEW CERTIFICATE REQUEST----- |
-----END NEW CERTIFICATE REQUEST----- |
.Ed |
.Ed |
.Pp |
.Pp |
which is produced with the |
|
.Fl newhdr |
|
option but is otherwise compatible. |
|
Either form is accepted transparently on input. |
|
.Pp |
|
The certificate requests generated by Xenroll with MSIE have extensions added. |
|
It includes the |
|
.Em keyUsage |
|
extension which determines the type of key |
|
.Pq signature only or general purpose |
|
and any additional OIDs entered by the script in an |
|
.Em extendedKeyUsage |
|
extension. |
|
.Sh REQ DIAGNOSTICS |
|
The following messages are frequently asked about: |
The following messages are frequently asked about: |
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
Using configuration from /some/path/openssl.cnf |
Using configuration from /some/path/openssl.cnf |
Unable to load config info |
Unable to load config info |
.Ed |
\&... |
.Pp |
|
This is followed some time later by... |
|
.Bd -unfilled -offset indent |
|
unable to find 'distinguished_name' in config |
unable to find 'distinguished_name' in config |
problems making Certificate Request |
problems making Certificate Request |
.Ed |
.Ed |
.Pp |
.Pp |
The first error message is the clue: it can't find the configuration |
In this case it can't find the configuration file! |
file! |
|
Certain operations |
|
.Pq like examining a certificate request |
|
don't need a configuration file so its use isn't enforced. |
|
Generation of certificates or requests, however, do need a configuration file. |
|
This could be regarded as a bug. |
|
.Pp |
.Pp |
Another puzzling message is this: |
Another puzzling message is: |
.Bd -unfilled -offset indent |
.Bd -unfilled -offset indent |
Attributes: |
Attributes: |
a0:00 |
a0:00 |
|
|
.Pp |
.Pp |
This is displayed when no attributes are present and the request includes |
This is displayed when no attributes are present and the request includes |
the correct empty SET OF structure |
the correct empty SET OF structure |
.Pq the DER encoding of which is 0xa0 0x00 . |
(the DER encoding of which is 0xa0 0x00). |
If you just see: |
If the message is instead: |
.Pp |
.Pp |
.D1 Attributes: |
.D1 Attributes: |
.Pp |
.Pp |
then the SET OF is missing and the encoding is technically invalid |
then the SET OF is missing and the encoding is technically invalid |
.Pq but it is tolerated . |
(but it is tolerated). |
See the description of the command line option |
See the description |
.Fl asn1-kludge |
.Fl asn1-kludge |
for more information. |
for more information. |
.Sh REQ ENVIRONMENT VARIABLES |
|
The variable |
|
.Ev OPENSSL_CONF , |
|
if defined, allows an alternative configuration |
|
file location to be specified; it will be overridden by the |
|
.Fl config |
|
command line switch if it is present. |
|
.Sh REQ BUGS |
|
.Nm OpenSSL Ns Li 's |
|
handling of T61Strings |
|
.Pq aka TeletexStrings |
|
is broken: it effectively treats them as ISO 8859-1 |
|
.Pq Latin 1 ; |
|
Netscape and MSIE have similar behaviour. |
|
This can cause problems if you need characters that aren't available in |
|
.Em PrintableStrings |
|
and you don't want to or can't use |
|
.Em BMPStrings . |
|
.Pp |
|
As a consequence of the T61String handling, the only correct way to represent |
|
accented characters in |
|
.Nm OpenSSL |
|
is to use a |
|
.Em BMPString : |
|
unfortunately Netscape currently chokes on these. |
|
If you have to use accented characters with Netscape |
|
and MSIE then you currently need to use the invalid T61String form. |
|
.Pp |
|
The current prompting is not very friendly. |
|
It doesn't allow you to confirm what you've just entered. |
|
Other things, like extensions in certificate requests, are |
|
statically defined in the configuration file. |
|
Some of these, like an email address in |
|
.Em subjectAltName , |
|
should be input by the user. |
|
.\" |
.\" |
.\" RSA |
.\" RSA |
.\" |
.\" |