diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/req.1')
-rw-r--r-- | secure/usr.bin/openssl/man/req.1 | 760 |
1 files changed, 760 insertions, 0 deletions
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 new file mode 100644 index 0000000..84bc6f0 --- /dev/null +++ b/secure/usr.bin/openssl/man/req.1 @@ -0,0 +1,760 @@ +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.ie \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.el \{\ +. de IX +.. +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "REQ 1" +.TH REQ 1 "2013-02-11" "1.0.1e" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +req \- PKCS#10 certificate request and certificate generating utility. +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl\fR \fBreq\fR +[\fB\-inform PEM|DER\fR] +[\fB\-outform PEM|DER\fR] +[\fB\-in filename\fR] +[\fB\-passin arg\fR] +[\fB\-out filename\fR] +[\fB\-passout arg\fR] +[\fB\-text\fR] +[\fB\-pubkey\fR] +[\fB\-noout\fR] +[\fB\-verify\fR] +[\fB\-modulus\fR] +[\fB\-new\fR] +[\fB\-rand file(s)\fR] +[\fB\-newkey rsa:bits\fR] +[\fB\-newkey alg:file\fR] +[\fB\-nodes\fR] +[\fB\-key filename\fR] +[\fB\-keyform PEM|DER\fR] +[\fB\-keyout filename\fR] +[\fB\-keygen_engine id\fR] +[\fB\-[digest]\fR] +[\fB\-config filename\fR] +[\fB\-subj arg\fR] +[\fB\-multivalue\-rdn\fR] +[\fB\-x509\fR] +[\fB\-days n\fR] +[\fB\-set_serial n\fR] +[\fB\-asn1\-kludge\fR] +[\fB\-no\-asn1\-kludge\fR] +[\fB\-newhdr\fR] +[\fB\-extensions section\fR] +[\fB\-reqexts section\fR] +[\fB\-utf8\fR] +[\fB\-nameopt\fR] +[\fB\-reqopt\fR] +[\fB\-subject\fR] +[\fB\-subj arg\fR] +[\fB\-batch\fR] +[\fB\-verbose\fR] +[\fB\-engine id\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBreq\fR command primarily creates and processes certificate requests +in PKCS#10 format. It can additionally create self signed certificates +for use as root CAs for example. +.SH "COMMAND OPTIONS" +.IX Header "COMMAND OPTIONS" +.IP "\fB\-inform DER|PEM\fR" 4 +.IX Item "-inform DER|PEM" +This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded +form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it +consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and +footer lines. +.IP "\fB\-outform DER|PEM\fR" 4 +.IX Item "-outform DER|PEM" +This specifies the output format, the options have the same meaning as the +\&\fB\-inform\fR option. +.IP "\fB\-in filename\fR" 4 +.IX Item "-in filename" +This specifies the input filename to read a request from or standard input +if this option is not specified. A request is only read if the creation +options (\fB\-new\fR and \fB\-newkey\fR) are not specified. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the input file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +This specifies the output filename to write to or standard output by +default. +.IP "\fB\-passout arg\fR" 4 +.IX Item "-passout arg" +the output file password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-text\fR" 4 +.IX Item "-text" +prints out the certificate request in text form. +.IP "\fB\-subject\fR" 4 +.IX Item "-subject" +prints out the request subject (or certificate subject if \fB\-x509\fR is +specified) +.IP "\fB\-pubkey\fR" 4 +.IX Item "-pubkey" +outputs the public key. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the encoded version of the request. +.IP "\fB\-modulus\fR" 4 +.IX Item "-modulus" +this option prints out the value of the modulus of the public key +contained in the request. +.IP "\fB\-verify\fR" 4 +.IX Item "-verify" +verifies the signature on the request. +.IP "\fB\-new\fR" 4 +.IX Item "-new" +this option generates a new certificate request. It will prompt +the user for the relevant field values. The actual fields +prompted for and their maximum and minimum sizes are specified +in the configuration file and any requested extensions. +.Sp +If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private +key using information specified in the configuration file. +.IP "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +Replaces subject field of input request with specified data and outputs +modified request. The arg must be formatted as +\&\fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.IP "\fB\-rand file(s)\fR" 4 +.IX Item "-rand file(s)" +a file or files containing random data used to seed the random number +generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +Multiple files can be specified separated by a OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "\fB\-newkey arg\fR" 4 +.IX Item "-newkey arg" +this option creates a new certificate request and a new private +key. The argument takes one of several forms. \fBrsa:nbits\fR, where +\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR +in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified, +the default key size, specified in the configuration file is used. +.Sp +All other algorithms support the \fB\-newkey alg:file\fR form, where file may be +an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command +or and X.509 certificate for a key with approriate algorithm. +.Sp +\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR, +the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm +\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an +error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters, +if neccessary should be specified via \fB\-pkeyopt\fR parameter. +.Sp +\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters +in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with +\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST\s0 R +34.10\-2001 key (requires \fBccgost\fR engine configured in the configuration +file). If just \fBgost2001\fR is specified a parameter set should be +specified by \fB\-pkeyopt paramset:X\fR +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of +options supported depends on the public key algorithm used and its +implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR in the \fBgenpkey\fR manual page +for more details. +.IP "\fB\-key filename\fR" 4 +.IX Item "-key filename" +This specifies the file to read the private key from. It also +accepts PKCS#8 format private keys for \s-1PEM\s0 format files. +.IP "\fB\-keyform PEM|DER\fR" 4 +.IX Item "-keyform PEM|DER" +the format of the private key file specified in the \fB\-key\fR +argument. \s-1PEM\s0 is the default. +.IP "\fB\-keyout filename\fR" 4 +.IX Item "-keyout filename" +this gives the filename to write the newly created private key to. +If this option is not specified then the filename present in the +configuration file is used. +.IP "\fB\-nodes\fR" 4 +.IX Item "-nodes" +if this option is specified then if a private key is created it +will not be encrypted. +.IP "\fB\-[digest]\fR" 4 +.IX Item "-[digest]" +this specifies the message digest to sign the request with (such as +\&\fB\-md5\fR, \fB\-sha1\fR). This overrides the digest algorithm specified in +the configuration file. +.Sp +Some public key algorithms may override this choice. For instance, \s-1DSA\s0 +signatures always use \s-1SHA1\s0, \s-1GOST\s0 R 34.10 signatures always use +\&\s-1GOST\s0 R 34.11\-94 (\fB\-md_gost94\fR). +.IP "\fB\-config filename\fR" 4 +.IX Item "-config filename" +this allows an alternative configuration file to be specified, +this overrides the compile time filename or any specified in +the \fB\s-1OPENSSL_CONF\s0\fR environment variable. +.IP "\fB\-subj arg\fR" 4 +.IX Item "-subj arg" +sets subject name for new request or supersedes the subject name +when processing a request. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.IP "\fB\-multivalue\-rdn\fR" 4 +.IX Item "-multivalue-rdn" +this option causes the \-subj argument to be interpreted with full +support for multivalued RDNs. Example: +.Sp +\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR +.Sp +If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. +.IP "\fB\-x509\fR" 4 +.IX Item "-x509" +this option outputs a self signed certificate instead of a certificate +request. This is typically used to generate a test certificate or +a self signed root \s-1CA\s0. The extensions added to the certificate +(if any) are specified in the configuration file. Unless specified +using the \fBset_serial\fR option \fB0\fR will be used for the serial +number. +.IP "\fB\-days n\fR" 4 +.IX Item "-days n" +when the \fB\-x509\fR option is being used this specifies the number of +days to certify the certificate for. The default is 30 days. +.IP "\fB\-set_serial n\fR" 4 +.IX Item "-set_serial n" +serial number to use when outputting a self signed certificate. This +may be specified as a decimal value or a hex value if preceded by \fB0x\fR. +It is possible to use negative serial numbers but this is not recommended. +.IP "\fB\-extensions section\fR" 4 +.IX Item "-extensions section" +.PD 0 +.IP "\fB\-reqexts section\fR" 4 +.IX Item "-reqexts section" +.PD +these options specify alternative sections to include certificate +extensions (if the \fB\-x509\fR option is present) or certificate +request extensions. This allows several different sections to +be used in the same configuration file to specify requests for +a variety of purposes. +.IP "\fB\-utf8\fR" 4 +.IX Item "-utf8" +this option causes field values to be interpreted as \s-1UTF8\s0 strings, by +default they are interpreted as \s-1ASCII\s0. This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-reqopt\fR" 4 +.IX Item "-reqopt" +customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be +a single option or multiple options separated by commas. +.Sp +See discission of the \fB\-certopt\fR parameter in the \fBx509\fR +command. +.IP "\fB\-asn1\-kludge\fR" 4 +.IX Item "-asn1-kludge" +by default the \fBreq\fR command outputs certificate requests containing +no attributes in the correct PKCS#10 format. However certain CAs will only +accept requests containing no attributes in an invalid form: this +option produces this invalid format. +.Sp +More precisely the \fBAttributes\fR in a PKCS#10 certificate request +are defined as a \fB\s-1SET\s0 \s-1OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so +if no attributes are present then they should be encoded as an +empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty +\&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does. +.Sp +It should be noted that very few CAs still require the use of this option. +.IP "\fB\-no\-asn1\-kludge\fR" 4 +.IX Item "-no-asn1-kludge" +Reverses effect of \fB\-asn1\-kludge\fR +.IP "\fB\-newhdr\fR" 4 +.IX Item "-newhdr" +Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed +request. Some software (Netscape certificate server) and some CAs need this. +.IP "\fB\-batch\fR" 4 +.IX Item "-batch" +non-interactive mode. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +print extra details about the operations being performed. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-keygen_engine id\fR" 4 +.IX Item "-keygen_engine id" +specifies an engine (by its unique \fBid\fR string) which would be used +for key generation operations. +.SH "CONFIGURATION FILE FORMAT" +.IX Header "CONFIGURATION FILE FORMAT" +The configuration options are specified in the \fBreq\fR section of +the configuration file. As with all configuration files if no +value is specified in the specific section (i.e. \fBreq\fR) then +the initial unnamed or \fBdefault\fR section is searched too. +.PP +The options available are described in detail below. +.IP "\fBinput_password output_password\fR" 4 +.IX Item "input_password output_password" +The passwords for the input private key file (if present) and +the output private key file (if one will be created). The +command line options \fBpassin\fR and \fBpassout\fR override the +configuration file values. +.IP "\fBdefault_bits\fR" 4 +.IX Item "default_bits" +This specifies the default key size in bits. If not specified then +512 is used. It is used if the \fB\-new\fR option is used. It can be +overridden by using the \fB\-newkey\fR option. +.IP "\fBdefault_keyfile\fR" 4 +.IX Item "default_keyfile" +This is the default filename to write a private key to. If not +specified the key is written to standard output. This can be +overridden by the \fB\-keyout\fR option. +.IP "\fBoid_file\fR" 4 +.IX Item "oid_file" +This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. +.IP "\fBoid_section\fR" 4 +.IX Item "oid_section" +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by \fB=\fR and the numerical form. The short +and long names are the same when this option is used. +.IP "\fB\s-1RANDFILE\s0\fR" 4 +.IX Item "RANDFILE" +This specifies a filename in which random number seed information is +placed and read from, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +It is used for private key generation. +.IP "\fBencrypt_key\fR" 4 +.IX Item "encrypt_key" +If this is set to \fBno\fR then if a private key is generated it is +\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line +option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. +.IP "\fBdefault_md\fR" 4 +.IX Item "default_md" +This option specifies the digest algorithm to use. Possible values +include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This +option can be overridden on the command line. +.IP "\fBstring_mask\fR" 4 +.IX Item "string_mask" +This option masks out the use of certain string types in certain +fields. Most users will not need to change this option. +.Sp +It can be set to several values \fBdefault\fR which is also the default +option uses PrintableStrings, T61Strings and BMPStrings if the +\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will +be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the +\&\fButf8only\fR option is used then only UTF8Strings will be used: this +is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR +option just uses PrintableStrings and T61Strings: certain software has +problems with BMPStrings and UTF8Strings: in particular Netscape. +.IP "\fBreq_extensions\fR" 4 +.IX Item "req_extensions" +this specifies the configuration file section containing a list of +extensions to add to the certificate request. It can be overridden +by the \fB\-reqexts\fR command line switch. See the +\&\fIx509v3_config\fR\|(5) manual page for details of the +extension section format. +.IP "\fBx509_extensions\fR" 4 +.IX Item "x509_extensions" +this specifies the configuration file section containing a list of +extensions to add to certificate generated when the \fB\-x509\fR switch +is used. It can be overridden by the \fB\-extensions\fR command line switch. +.IP "\fBprompt\fR" 4 +.IX Item "prompt" +if set to the value \fBno\fR this disables prompting of certificate fields +and just takes values from the config file directly. It also changes the +expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. +.IP "\fButf8\fR" 4 +.IX Item "utf8" +if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 +strings, by default they are interpreted as \s-1ASCII\s0. This means that +the field values, whether prompted from a terminal or obtained from a +configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fBattributes\fR" 4 +.IX Item "attributes" +this specifies the section containing any request attributes: its format +is the same as \fBdistinguished_name\fR. Typically these may contain the +challengePassword or unstructuredName types. They are currently ignored +by OpenSSL's request signing utilities but some CAs might want them. +.IP "\fBdistinguished_name\fR" 4 +.IX Item "distinguished_name" +This specifies the section containing the distinguished name fields to +prompt for when generating a certificate or certificate request. The format +is described in the next section. +.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" +There are two separate formats for the distinguished name and attribute +sections. If the \fBprompt\fR option is set to \fBno\fR then these sections +just consist of field names and values: for example, +.PP +.Vb 3 +\& CN=My Name +\& OU=My Organization +\& emailAddress=someone@somewhere.org +.Ve +.PP +This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file +with all the field names and values and just pass it to \fBreq\fR. An example +of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section. +.PP +Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the +file contains field prompting information. It consists of lines of the form: +.PP +.Vb 4 +\& fieldName="prompt" +\& fieldName_default="default field value" +\& fieldName_min= 2 +\& fieldName_max= 4 +.Ve +.PP +\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0). +The \*(L"prompt\*(R" string is used to ask the user to enter the relevant +details. If the user enters nothing then the default value is used if no +default value is present then the field is omitted. A field can +still be omitted if a default value is present if the user just +enters the '.' character. +.PP +The number of characters entered must be between the fieldName_min and +fieldName_max limits: there may be additional restrictions based +on the field being used (for example countryName can only ever be +two characters long and must fit in a PrintableString). +.PP +Some fields (such as organizationName) can be used more than once +in a \s-1DN\s0. This presents a problem because configuration files will +not recognize the same name occurring twice. To avoid this problem +if the fieldName contains some characters followed by a full stop +they will be ignored. So for example a second organizationName can +be input by calling it \*(L"1.organizationName\*(R". +.PP +The actual permitted field names are any object identifier short or +long names. These are compiled into OpenSSL and include the usual +values such as commonName, countryName, localityName, organizationName, +organizationUnitName, stateOrProvinceName. Additionally emailAddress +is include as well as name, surname, givenName initials and dnQualifier. +.PP +Additional object identifiers can be defined with the \fBoid_file\fR or +\&\fBoid_section\fR options in the configuration file. Any additional fields +will be treated as though they were a DirectoryString. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Examine and verify certificate request: +.PP +.Vb 1 +\& openssl req \-in req.pem \-text \-verify \-noout +.Ve +.PP +Create a private key and then generate a certificate request from it: +.PP +.Vb 2 +\& openssl genrsa \-out key.pem 1024 +\& openssl req \-new \-key key.pem \-out req.pem +.Ve +.PP +The same but just using req: +.PP +.Vb 1 +\& openssl req \-newkey rsa:1024 \-keyout key.pem \-out req.pem +.Ve +.PP +Generate a self signed root certificate: +.PP +.Vb 1 +\& openssl req \-x509 \-newkey rsa:1024 \-keyout key.pem \-out req.pem +.Ve +.PP +Example of a file pointed to by the \fBoid_file\fR option: +.PP +.Vb 2 +\& 1.2.3.4 shortName A longer Name +\& 1.2.3.6 otherName Other longer Name +.Ve +.PP +Example of a section pointed to by \fBoid_section\fR making use of variable +expansion: +.PP +.Vb 2 +\& testoid1=1.2.3.5 +\& testoid2=${testoid1}.6 +.Ve +.PP +Sample configuration file prompting for field values: +.PP +.Vb 6 +\& [ req ] +\& default_bits = 1024 +\& default_keyfile = privkey.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& x509_extensions = v3_ca +\& +\& dirstring_type = nobmp +\& +\& [ req_distinguished_name ] +\& countryName = Country Name (2 letter code) +\& countryName_default = AU +\& countryName_min = 2 +\& countryName_max = 2 +\& +\& localityName = Locality Name (eg, city) +\& +\& organizationalUnitName = Organizational Unit Name (eg, section) +\& +\& commonName = Common Name (eg, YOUR name) +\& commonName_max = 64 +\& +\& emailAddress = Email Address +\& emailAddress_max = 40 +\& +\& [ req_attributes ] +\& challengePassword = A challenge password +\& challengePassword_min = 4 +\& challengePassword_max = 20 +\& +\& [ v3_ca ] +\& +\& subjectKeyIdentifier=hash +\& authorityKeyIdentifier=keyid:always,issuer:always +\& basicConstraints = CA:true +.Ve +.PP +Sample configuration containing all field values: +.PP +.Vb 1 +\& RANDFILE = $ENV::HOME/.rnd +\& +\& [ req ] +\& default_bits = 1024 +\& default_keyfile = keyfile.pem +\& distinguished_name = req_distinguished_name +\& attributes = req_attributes +\& prompt = no +\& output_password = mypass +\& +\& [ req_distinguished_name ] +\& C = GB +\& ST = Test State or Province +\& L = Test Locality +\& O = Organization Name +\& OU = Organizational Unit Name +\& CN = Common Name +\& emailAddress = test@email.address +\& +\& [ req_attributes ] +\& challengePassword = A challenge password +.Ve +.SH "NOTES" +.IX Header "NOTES" +The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN CERTIFICATE REQUEST\-\-\-\-\- +\& \-\-\-\-\-END CERTIFICATE REQUEST\-\-\-\-\- +.Ve +.PP +some software (some versions of Netscape certificate server) instead needs: +.PP +.Vb 2 +\& \-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\- +\& \-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\- +.Ve +.PP +which is produced with the \fB\-newhdr\fR option but is otherwise compatible. +Either form is accepted transparently on input. +.PP +The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions +added. It includes the \fBkeyUsage\fR extension which determines the type of +key (signature only or general purpose) and any additional OIDs entered +by the script in an extendedKeyUsage extension. +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" +The following messages are frequently asked about: +.PP +.Vb 2 +\& Using configuration from /some/path/openssl.cnf +\& Unable to load config info +.Ve +.PP +This is followed some time later by... +.PP +.Vb 2 +\& unable to find \*(Aqdistinguished_name\*(Aq in config +\& problems making Certificate Request +.Ve +.PP +The first error message is the clue: it can't find the configuration +file! Certain operations (like examining a certificate request) don't +need a configuration file so its use isn't enforced. Generation of +certificates or requests however does need a configuration file. This +could be regarded as a bug. +.PP +Another puzzling message is this: +.PP +.Vb 2 +\& Attributes: +\& a0:00 +.Ve +.PP +this is displayed when no attributes are present and the request includes +the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0 +0x00). If you just see: +.PP +.Vb 1 +\& Attributes: +.Ve +.PP +then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but +it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR +for more information. +.SH "ENVIRONMENT VARIABLES" +.IX Header "ENVIRONMENT VARIABLES" +The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration +file location to be specified, it will be overridden by the \fB\-config\fR command +line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR +environment variable serves the same purpose but its use is discouraged. +.SH "BUGS" +.IX Header "BUGS" +OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively +treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour. +This can cause problems if you need characters that aren't available in +PrintableStrings and you don't want to or can't use BMPStrings. +.PP +As a consequence of the T61String handling the only correct way to represent +accented characters in OpenSSL is to use a BMPString: unfortunately Netscape +currently chokes on these. If you have to use accented characters with Netscape +and \s-1MSIE\s0 then you currently need to use the invalid T61String form. +.PP +The current prompting is not very friendly. It doesn't allow you to confirm what +you've just entered. Other things like extensions in certificate requests are +statically defined in the configuration file. Some of these: like an email +address in subjectAltName should be input by the user. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5), +\&\fIx509v3_config\fR\|(5) |