summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/doc/apps/x509.pod
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssl/doc/apps/x509.pod')
-rw-r--r--crypto/openssl/doc/apps/x509.pod147
1 files changed, 126 insertions, 21 deletions
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
index 84f76cb..674bfd1 100644
--- a/crypto/openssl/doc/apps/x509.pod
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -36,6 +36,7 @@ B<openssl> B<x509>
[B<-addreject arg>]
[B<-setalias arg>]
[B<-days arg>]
+[B<-set_serial n>]
[B<-signkey filename>]
[B<-x509toreq>]
[B<-req>]
@@ -60,8 +61,9 @@ certificate trust settings.
Since there are a large number of options they will split up into
various sections.
+=head1 OPTIONS
-=head1 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
+=head2 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
=over 4
@@ -99,10 +101,10 @@ this option has no effect: SHA1 is always used with DSA keys.
=back
-=head1 DISPLAY OPTIONS
+=head2 DISPLAY OPTIONS
Note: the B<-alias> and B<-purpose> options are also display options
-but are described in the B<TRUST OPTIONS> section.
+but are described in the B<TRUST SETTINGS> section.
=over 4
@@ -112,6 +114,13 @@ prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
+=item B<-certopt option>
+
+customise the output format used with B<-text>. The B<option> argument can be
+a single option or multiple options separated by commas. The B<-certopt> switch
+may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
+section for more information.
+
=item B<-noout>
this option prevents output of the encoded version of the request.
@@ -141,9 +150,10 @@ outputs the issuer name.
=item B<-nameopt option>
-option which determine how the subject or issuer names are displayed. This
-option may be used more than once to set multiple options. See the B<NAME
-OPTIONS> section for more information.
+option which determines how the subject or issuer names are displayed. The
+B<option> argument can be a single option or multiple options separated by
+commas. Alternatively the B<-nameopt> switch may be used more than once to
+set multiple options. See the B<NAME OPTIONS> section for more information.
=item B<-email>
@@ -163,7 +173,8 @@ prints out the start and expiry dates of a certificate.
=item B<-fingerprint>
-prints out the digest of the DER encoded version of the whole certificate.
+prints out the digest of the DER encoded version of the whole certificate
+(see digest options).
=item B<-C>
@@ -171,7 +182,7 @@ this outputs the certificate in the form of a C source file.
=back
-=head1 TRUST SETTINGS
+=head2 TRUST SETTINGS
Please note these options are currently experimental and may well change.
@@ -242,7 +253,7 @@ EXTENSIONS> section.
=back
-=head1 SIGNING OPTIONS
+=head2 SIGNING OPTIONS
The B<x509> utility can be used to sign certificates and requests: it
can thus behave like a "mini CA".
@@ -292,6 +303,16 @@ is used to pass the required private key.
by default a certificate is expected on input. With this option a
certificate request is expected instead.
+=item B<-set_serial n>
+
+specifies the serial number to use. This option can be used with either
+the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
+option the serial number file (as specified by the B<-CAserial> or
+B<-CAcreateserial> options) is not used.
+
+The serial number can be decimal or hex (if preceded by B<0x>). Negative
+serial numbers can also be specified but their use is not recommended.
+
=item B<-CA filename>
specifies the CA certificate to be used for signing. When this option is
@@ -321,7 +342,7 @@ The default filename consists of the CA certificate file base name with
".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
-=item B<-CAcreateserial filename>
+=item B<-CAcreateserial>
with this option the CA serial number file is created if it does not exist:
it will contain the serial number "02" and the certificate being signed will
@@ -342,7 +363,7 @@ specified then the extensions should either be contained in the unnamed
=back
-=head1 NAME OPTIONS
+=head2 NAME OPTIONS
The B<nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<nameopt> switch is present the default "oneline"
@@ -372,12 +393,12 @@ options.
=item B<multiline>
a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
-B<spc_eq> and B<lname>.
+B<spc_eq>, B<lname> and B<align>.
=item B<esc_2253>
escape the "special" characters required by RFC2253 in a field That is
-B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginnging of a string
+B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
and a space character at the beginning or end of a string.
=item B<esc_ctrl>
@@ -431,7 +452,7 @@ B<#XXXX...> format.
dump non character string types (for example OCTET STRING) if this
option is not set then non character string types will be displayed
-as though each content octet repesents a single character.
+as though each content octet represents a single character.
=item B<dump_all>
@@ -467,6 +488,11 @@ not display the field at all. B<sname> uses the "short name" form
B<oid> represents the OID in numerical form and is useful for
diagnostic purpose.
+=item B<align>
+
+align field values for a more readable output. Only usable with
+B<sep_multiline>.
+
=item B<spc_eq>
places spaces round the B<=> character which follows the field
@@ -474,6 +500,85 @@ name.
=back
+=head2 TEXT OPTIONS
+
+As well as customising the name output format, it is also possible to
+customise the actual fields printed using the B<certopt> options when
+the B<text> option is present. The default behaviour is to print all fields.
+
+=over 4
+
+=item B<compatible>
+
+use the old format. This is equivalent to specifying no output options at all.
+
+=item B<no_header>
+
+don't print header information: that is the lines saying "Certificate" and "Data".
+
+=item B<no_version>
+
+don't print out the version number.
+
+=item B<no_serial>
+
+don't print out the serial number.
+
+=item B<no_signame>
+
+don't print out the signature algorithm used.
+
+=item B<no_validity>
+
+don't print the validity, that is the B<notBefore> and B<notAfter> fields.
+
+=item B<no_subject>
+
+don't print out the subject name.
+
+=item B<no_issuer>
+
+don't print out the issuer name.
+
+=item B<no_pubkey>
+
+don't print out the public key.
+
+=item B<no_sigdump>
+
+don't give a hexadecimal dump of the certificate signature.
+
+=item B<no_aux>
+
+don't print out certificate trust information.
+
+=item B<no_extensions>
+
+don't print out any X509V3 extensions.
+
+=item B<ext_default>
+
+retain default extension behaviour: attempt to print out unsupported certificate extensions.
+
+=item B<ext_error>
+
+print an error message for unsupported certificate extensions.
+
+=item B<ext_parse>
+
+ASN1 parse unsupported extensions.
+
+=item B<ext_dump>
+
+hex dump unsupported extensions.
+
+=item B<ca_default>
+
+the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>, B<no_header>,
+B<no_version>, B<no_sigdump> and B<no_signame>.
+
+=back
+
=head1 EXAMPLES
Note: in these examples the '\' means the example should be all on one
@@ -498,7 +603,7 @@ Display the certificate subject name in RFC2253 form:
Display the certificate subject name in oneline form on a terminal
supporting UTF8:
- openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb
+ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
Display the certificate MD5 fingerprint:
@@ -539,18 +644,18 @@ Set a certificate to be trusted for SSL client use and change set its alias to
The PEM format uses the header and footer lines:
- -----BEGIN CERTIFICATE----
- -----END CERTIFICATE----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
it will also handle files containing:
- -----BEGIN X509 CERTIFICATE----
- -----END X509 CERTIFICATE----
+ -----BEGIN X509 CERTIFICATE-----
+ -----END X509 CERTIFICATE-----
Trusted certificates have the lines
- -----BEGIN TRUSTED CERTIFICATE----
- -----END TRUSTED CERTIFICATE----
+ -----BEGIN TRUSTED CERTIFICATE-----
+ -----END TRUSTED CERTIFICATE-----
The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
OpenPOWER on IntegriCloud