diff options
Diffstat (limited to 'secure/lib/libcrypto/man/req.1')
| -rw-r--r-- | secure/lib/libcrypto/man/req.1 | 646 |
1 files changed, 0 insertions, 646 deletions
diff --git a/secure/lib/libcrypto/man/req.1 b/secure/lib/libcrypto/man/req.1 deleted file mode 100644 index 9915eea..0000000 --- a/secure/lib/libcrypto/man/req.1 +++ /dev/null @@ -1,646 +0,0 @@ -.\" Automatically generated by Pod::Man version 1.15 -.\" Tue Jul 30 09:20:52 2002 -.\" -.\" Standard preamble: -.\" ====================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R - -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. | will give a -.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used -.\" to do unbreakable dashes and therefore won't be available. \*(C` and -.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> -.tr \(*W-|\(bv\*(Tr -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -'br\} -.\" -.\" If the F register is turned on, we'll generate index entries on stderr -.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and -.\" index entries marked with X<> in POD. Of course, you'll have to process -.\" the output yourself in some meaningful fashion. -.if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. nr % 0 -. rr F -.\} -.\" -.\" For nroff, turn off justification. Always turn off hyphenation; it -.\" makes way too many mistakes in technical documents. -.hy 0 -.if n .na -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -.bd B 3 -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ====================================================================== -.\" -.IX Title "REQ 1" -.TH REQ 1 "0.9.6e" "2000-11-12" "OpenSSL" -.UC -.SH "NAME" -req \- PKCS#10 certificate and certificate generating utility. -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBreq\fR -[\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] -[\fB\-in filename\fR] -[\fB\-passin arg\fR] -[\fB\-out filename\fR] -[\fB\-passout arg\fR] -[\fB\-text\fR] -[\fB\-noout\fR] -[\fB\-verify\fR] -[\fB\-modulus\fR] -[\fB\-new\fR] -[\fB\-rand \f(BIfile\fB\|(s)\fR] -[\fB\-newkey rsa:bits\fR] -[\fB\-newkey dsa:file\fR] -[\fB\-nodes\fR] -[\fB\-key filename\fR] -[\fB\-keyform PEM|DER\fR] -[\fB\-keyout filename\fR] -[\fB\-[md5|sha1|md2|mdc2]\fR] -[\fB\-config filename\fR] -[\fB\-x509\fR] -[\fB\-days n\fR] -[\fB\-asn1\-kludge\fR] -[\fB\-newhdr\fR] -[\fB\-extensions section\fR] -[\fB\-reqexts section\fR] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBreq\fR command primarily creates and processes certificate requests -in PKCS#10 format. It can additionally create self signed certificates -for use as root CAs for example. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" -.Ip "\fB\-inform DER|PEM\fR" 4 -.IX Item "-inform DER|PEM" -This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded -form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it -consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and -footer lines. -.Ip "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. -.Ip "\fB\-in filename\fR" 4 -.IX Item "-in filename" -This specifies the input filename to read a request from or standard input -if this option is not specified. A request is only read if the creation -options (\fB\-new\fR and \fB\-newkey\fR) are not specified. -.Ip "\fB\-passin arg\fR" 4 -.IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). -.Ip "\fB\-out filename\fR" 4 -.IX Item "-out filename" -This specifies the output filename to write to or standard output by -default. -.Ip "\fB\-passout arg\fR" 4 -.IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1). -.Ip "\fB\-text\fR" 4 -.IX Item "-text" -prints out the certificate request in text form. -.Ip "\fB\-noout\fR" 4 -.IX Item "-noout" -this option prevents output of the encoded version of the request. -.Ip "\fB\-modulus\fR" 4 -.IX Item "-modulus" -this option prints out the value of the modulus of the public key -contained in the request. -.Ip "\fB\-verify\fR" 4 -.IX Item "-verify" -verifies the signature on the request. -.Ip "\fB\-new\fR" 4 -.IX Item "-new" -this option generates a new certificate request. It will prompt -the user for the relevant field values. The actual fields -prompted for and their maximum and minimum sizes are specified -in the configuration file and any requested extensions. -.Sp -If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private -key using information specified in the configuration file. -.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4 -.IX Item "-rand file" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see RAND_egd(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.Ip "\fB\-newkey arg\fR" 4 -.IX Item "-newkey arg" -this option creates a new certificate request and a new private -key. The argument takes one of two forms. \fBrsa:nbits\fR, where -\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR -in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters -in the file \fBfilename\fR. -.Ip "\fB\-key filename\fR" 4 -.IX Item "-key filename" -This specifies the file to read the private key from. It also -accepts PKCS#8 format private keys for \s-1PEM\s0 format files. -.Ip "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -the format of the private key file specified in the \fB\-key\fR -argument. \s-1PEM\s0 is the default. -.Ip "\fB\-keyout filename\fR" 4 -.IX Item "-keyout filename" -this gives the filename to write the newly created private key to. -If this option is not specified then the filename present in the -configuration file is used. -.Ip "\fB\-nodes\fR" 4 -.IX Item "-nodes" -if this option is specified then if a private key is created it -will not be encrypted. -.Ip "\fB\-[md5|sha1|md2|mdc2]\fR" 4 -.IX Item "-[md5|sha1|md2|mdc2]" -this specifies the message digest to sign the request with. This -overrides the digest algorithm specified in the configuration file. -This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0. -.Ip "\fB\-config filename\fR" 4 -.IX Item "-config filename" -this allows an alternative configuration file to be specified, -this overrides the compile time filename or any specified in -the \fB\s-1OPENSSL_CONF\s0\fR environment variable. -.Ip "\fB\-x509\fR" 4 -.IX Item "-x509" -this option outputs a self signed certificate instead of a certificate -request. This is typically used to generate a test certificate or -a self signed root \s-1CA\s0. The extensions added to the certificate -(if any) are specified in the configuration file. -.Ip "\fB\-days n\fR" 4 -.IX Item "-days n" -when the \fB\-x509\fR option is being used this specifies the number of -days to certify the certificate for. The default is 30 days. -.Ip "\fB\-extensions section\fR" 4 -.IX Item "-extensions section" -.PD 0 -.Ip "\fB\-reqexts section\fR" 4 -.IX Item "-reqexts section" -.PD -these options specify alternative sections to include certificate -extensions (if the \fB\-x509\fR option is present) or certificate -request extensions. This allows several different sections to -be used in the same configuration file to specify requests for -a variety of purposes. -.Ip "\fB\-asn1\-kludge\fR" 4 -.IX Item "-asn1-kludge" -by default the \fBreq\fR command outputs certificate requests containing -no attributes in the correct PKCS#10 format. However certain CAs will only -accept requests containing no attributes in an invalid form: this -option produces this invalid format. -.Sp -More precisely the \fBAttributes\fR in a PKCS#10 certificate request -are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so -if no attributes are present then they should be encoded as an -empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty -\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does. -.Sp -It should be noted that very few CAs still require the use of this option. -.Ip "\fB\-newhdr\fR" 4 -.IX Item "-newhdr" -Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed -request. Some software (Netscape certificate server) and some CAs need this. -.SH "CONFIGURATION FILE FORMAT" -.IX Header "CONFIGURATION FILE FORMAT" -The configuration options are specified in the \fBreq\fR section of -the configuration file. As with all configuration files if no -value is specified in the specific section (i.e. \fBreq\fR) then -the initial unnamed or \fBdefault\fR section is searched too. -.PP -The options available are described in detail below. -.Ip "\fBinput_password output_password\fR" 4 -.IX Item "input_password output_password" -The passwords for the input private key file (if present) and -the output private key file (if one will be created). The -command line options \fBpassin\fR and \fBpassout\fR override the -configuration file values. -.Ip "\fBdefault_bits\fR" 4 -.IX Item "default_bits" -This specifies the default key size in bits. If not specified then -512 is used. It is used if the \fB\-new\fR option is used. It can be -overridden by using the \fB\-newkey\fR option. -.Ip "\fBdefault_keyfile\fR" 4 -.IX Item "default_keyfile" -This is the default filename to write a private key to. If not -specified the key is written to standard output. This can be -overridden by the \fB\-keyout\fR option. -.Ip "\fBoid_file\fR" 4 -.IX Item "oid_file" -This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. -Each line of the file should consist of the numerical form of the -object identifier followed by white space then the short name followed -by white space and finally the long name. -.Ip "\fBoid_section\fR" 4 -.IX Item "oid_section" -This specifies a section in the configuration file containing extra -object identifiers. Each line should consist of the short name of the -object identifier followed by \fB=\fR and the numerical form. The short -and long names are the same when this option is used. -.Ip "\fB\s-1RANDFILE\s0\fR" 4 -.IX Item "RANDFILE" -This specifies a filename in which random number seed information is -placed and read from, or an \s-1EGD\s0 socket (see RAND_egd(3)). -It is used for private key generation. -.Ip "\fBencrypt_key\fR" 4 -.IX Item "encrypt_key" -If this is set to \fBno\fR then if a private key is generated it is -\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line -option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. -.Ip "\fBdefault_md\fR" 4 -.IX Item "default_md" -This option specifies the digest algorithm to use. Possible values -include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This -option can be overridden on the command line. -.Ip "\fBstring_mask\fR" 4 -.IX Item "string_mask" -This option masks out the use of certain string types in certain -fields. Most users will not need to change this option. -.Sp -It can be set to several values \fBdefault\fR which is also the default -option uses PrintableStrings, T61Strings and BMPStrings if the -\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will -be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the -\&\fButf8only\fR option is used then only UTF8Strings will be used: this -is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR -option just uses PrintableStrings and T61Strings: certain software has -problems with BMPStrings and UTF8Strings: in particular Netscape. -.Ip "\fBreq_extensions\fR" 4 -.IX Item "req_extensions" -this specifies the configuration file section containing a list of -extensions to add to the certificate request. It can be overridden -by the \fB\-reqexts\fR command line switch. -.Ip "\fBx509_extensions\fR" 4 -.IX Item "x509_extensions" -this specifies the configuration file section containing a list of -extensions to add to certificate generated when the \fB\-x509\fR switch -is used. It can be overridden by the \fB\-extensions\fR command line switch. -.Ip "\fBprompt\fR" 4 -.IX Item "prompt" -if set to the value \fBno\fR this disables prompting of certificate fields -and just takes values from the config file directly. It also changes the -expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. -.Ip "\fBattributes\fR" 4 -.IX Item "attributes" -this specifies the section containing any request attributes: its format -is the same as \fBdistinguished_name\fR. Typically these may contain the -challengePassword or unstructuredName types. They are currently ignored -by OpenSSL's request signing utilities but some CAs might want them. -.Ip "\fBdistinguished_name\fR" 4 -.IX Item "distinguished_name" -This specifies the section containing the distinguished name fields to -prompt for when generating a certificate or certificate request. The format -is described in the next section. -.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" -.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" -There are two separate formats for the distinguished name and attribute -sections. If the \fBprompt\fR option is set to \fBno\fR then these sections -just consist of field names and values: for example, -.PP -.Vb 3 -\& CN=My Name -\& OU=My Organization -\& emailAddress=someone@somewhere.org -.Ve -This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file -with all the field names and values and just pass it to \fBreq\fR. An example -of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section. -.PP -Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the -file contains field prompting information. It consists of lines of the form: -.PP -.Vb 4 -\& fieldName="prompt" -\& fieldName_default="default field value" -\& fieldName_min= 2 -\& fieldName_max= 4 -.Ve -\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0). -The \*(L"prompt\*(R" string is used to ask the user to enter the relevant -details. If the user enters nothing then the default value is used if no -default value is present then the field is omitted. A field can -still be omitted if a default value is present if the user just -enters the '.' character. -.PP -The number of characters entered must be between the fieldName_min and -fieldName_max limits: there may be additional restrictions based -on the field being used (for example countryName can only ever be -two characters long and must fit in a PrintableString). -.PP -Some fields (such as organizationName) can be used more than once -in a \s-1DN\s0. This presents a problem because configuration files will -not recognize the same name occurring twice. To avoid this problem -if the fieldName contains some characters followed by a full stop -they will be ignored. So for example a second organizationName can -be input by calling it \*(L"1.organizationName\*(R". -.PP -The actual permitted field names are any object identifier short or -long names. These are compiled into OpenSSL and include the usual -values such as commonName, countryName, localityName, organizationName, -organizationUnitName, stateOrPrivinceName. Additionally emailAddress -is include as well as name, surname, givenName initials and dnQualifier. -.PP -Additional object identifiers can be defined with the \fBoid_file\fR or -\&\fBoid_section\fR options in the configuration file. Any additional fields -will be treated as though they were a DirectoryString. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Examine and verify certificate request: -.PP -.Vb 1 -\& openssl req -in req.pem -text -verify -noout -.Ve -Create a private key and then generate a certificate request from it: -.PP -.Vb 2 -\& openssl genrsa -out key.pem 1024 -\& openssl req -new -key key.pem -out req.pem -.Ve -The same but just using req: -.PP -.Vb 1 -\& openssl req -newkey rsa:1024 -keyout key.pem -out req.pem -.Ve -Generate a self signed root certificate: -.PP -.Vb 1 -\& openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem -.Ve -Example of a file pointed to by the \fBoid_file\fR option: -.PP -.Vb 2 -\& 1.2.3.4 shortName A longer Name -\& 1.2.3.6 otherName Other longer Name -.Ve -Example of a section pointed to by \fBoid_section\fR making use of variable -expansion: -.PP -.Vb 2 -\& testoid1=1.2.3.5 -\& testoid2=${testoid1}.6 -.Ve -Sample configuration file prompting for field values: -.PP -.Vb 6 -\& [ req ] -\& default_bits = 1024 -\& default_keyfile = privkey.pem -\& distinguished_name = req_distinguished_name -\& attributes = req_attributes -\& x509_extensions = v3_ca -.Ve -.Vb 1 -\& dirstring_type = nobmp -.Ve -.Vb 5 -\& [ req_distinguished_name ] -\& countryName = Country Name (2 letter code) -\& countryName_default = AU -\& countryName_min = 2 -\& countryName_max = 2 -.Ve -.Vb 1 -\& localityName = Locality Name (eg, city) -.Ve -.Vb 1 -\& organizationalUnitName = Organizational Unit Name (eg, section) -.Ve -.Vb 2 -\& commonName = Common Name (eg, YOUR name) -\& commonName_max = 64 -.Ve -.Vb 2 -\& emailAddress = Email Address -\& emailAddress_max = 40 -.Ve -.Vb 4 -\& [ req_attributes ] -\& challengePassword = A challenge password -\& challengePassword_min = 4 -\& challengePassword_max = 20 -.Ve -.Vb 1 -\& [ v3_ca ] -.Ve -.Vb 3 -\& subjectKeyIdentifier=hash -\& authorityKeyIdentifier=keyid:always,issuer:always -\& basicConstraints = CA:true -.Ve -Sample configuration containing all field values: -.PP -.Vb 1 -\& RANDFILE = $ENV::HOME/.rnd -.Ve -.Vb 7 -\& [ req ] -\& default_bits = 1024 -\& default_keyfile = keyfile.pem -\& distinguished_name = req_distinguished_name -\& attributes = req_attributes -\& prompt = no -\& output_password = mypass -.Ve -.Vb 8 -\& [ req_distinguished_name ] -\& C = GB -\& ST = Test State or Province -\& L = Test Locality -\& O = Organization Name -\& OU = Organizational Unit Name -\& CN = Common Name -\& emailAddress = test@email.address -.Ve -.Vb 2 -\& [ req_attributes ] -\& challengePassword = A challenge password -.Ve -.SH "NOTES" -.IX Header "NOTES" -The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: -.PP -.Vb 2 -\& -----BEGIN CERTIFICATE REQUEST---- -\& -----END CERTIFICATE REQUEST---- -.Ve -some software (some versions of Netscape certificate server) instead needs: -.PP -.Vb 2 -\& -----BEGIN NEW CERTIFICATE REQUEST---- -\& -----END NEW CERTIFICATE REQUEST---- -.Ve -which is produced with the \fB\-newhdr\fR option but is otherwise compatible. -Either form is accepted transparently on input. -.PP -The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions -added. It includes the \fBkeyUsage\fR extension which determines the type of -key (signature only or general purpose) and any additional OIDs entered -by the script in an extendedKeyUsage extension. -.SH "DIAGNOSTICS" -.IX Header "DIAGNOSTICS" -The following messages are frequently asked about: -.PP -.Vb 2 -\& Using configuration from /some/path/openssl.cnf -\& Unable to load config info -.Ve -This is followed some time later by... -.PP -.Vb 2 -\& unable to find 'distinguished_name' in config -\& problems making Certificate Request -.Ve -The first error message is the clue: it can't find the configuration -file! Certain operations (like examining a certificate request) don't -need a configuration file so its use isn't enforced. Generation of -certificates or requests however does need a configuration file. This -could be regarded as a bug. -.PP -Another puzzling message is this: -.PP -.Vb 2 -\& Attributes: -\& a0:00 -.Ve -this is displayed when no attributes are present and the request includes -the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0 -0x00). If you just see: -.PP -.Vb 1 -\& Attributes: -.Ve -then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but -it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR -for more information. -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration -file location to be specified, it will be overridden by the \fB\-config\fR command -line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR -environment variable serves the same purpose but its use is discouraged. -.SH "BUGS" -.IX Header "BUGS" -OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively -treats them as \s-1ISO-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour. -This can cause problems if you need characters that aren't available in -PrintableStrings and you don't want to or can't use BMPStrings. -.PP -As a consequence of the T61String handling the only correct way to represent -accented characters in OpenSSL is to use a BMPString: unfortunately Netscape -currently chokes on these. If you have to use accented characters with Netscape -and \s-1MSIE\s0 then you currently need to use the invalid T61String form. -.PP -The current prompting is not very friendly. It doesn't allow you to confirm what -you've just entered. Other things like extensions in certificate requests are -statically defined in the configuration file. Some of these: like an email -address in subjectAltName should be input by the user. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -x509(1), ca(1), genrsa(1), -gendsa(1), config(5) |
