openssl: Adjust manual pages for 1.0.1h.
11c7e1cd 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
55. nr % 0
56. rr F
984263bc 57.\}
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "X509 1"
34240b21 127.TH X509 1 "2014-06-05" "1.0.1h" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133x509 \- Certificate display and signing utility
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBx509\fR
137[\fB\-inform DER|PEM|NET\fR]
138[\fB\-outform DER|PEM|NET\fR]
139[\fB\-keyform DER|PEM\fR]
140[\fB\-CAform DER|PEM\fR]
141[\fB\-CAkeyform DER|PEM\fR]
142[\fB\-in filename\fR]
143[\fB\-out filename\fR]
144[\fB\-serial\fR]
145[\fB\-hash\fR]
146[\fB\-subject_hash\fR]
147[\fB\-issuer_hash\fR]
148[\fB\-subject\fR]
149[\fB\-issuer\fR]
150[\fB\-nameopt option\fR]
151[\fB\-email\fR]
01185282 152[\fB\-ocsp_uri\fR]
153[\fB\-startdate\fR]
154[\fB\-enddate\fR]
155[\fB\-purpose\fR]
156[\fB\-dates\fR]
157[\fB\-modulus\fR]
58e4c0cf 158[\fB\-pubkey\fR]
159[\fB\-fingerprint\fR]
160[\fB\-alias\fR]
161[\fB\-noout\fR]
162[\fB\-trustout\fR]
163[\fB\-clrtrust\fR]
164[\fB\-clrreject\fR]
165[\fB\-addtrust arg\fR]
166[\fB\-addreject arg\fR]
167[\fB\-setalias arg\fR]
168[\fB\-days arg\fR]
169[\fB\-set_serial n\fR]
170[\fB\-signkey filename\fR]
171[\fB\-x509toreq\fR]
172[\fB\-req\fR]
173[\fB\-CA filename\fR]
174[\fB\-CAkey filename\fR]
175[\fB\-CAcreateserial\fR]
176[\fB\-CAserial filename\fR]
177[\fB\-text\fR]
178[\fB\-C\fR]
179[\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
180[\fB\-clrext\fR]
181[\fB\-extfile filename\fR]
182[\fB\-extensions section\fR]
183[\fB\-engine id\fR]
184.SH "DESCRIPTION"
8b0cefbb 185.IX Header "DESCRIPTION"
186The \fBx509\fR command is a multi-purpose certificate utility. It can be
187used to display certificate information, convert certificates to
8b0cefbb 188various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit
189certificate trust settings.
190.PP
191Since there are a large number of options they are split up into
192various sections.
193.SH "OPTIONS"
8b0cefbb 194.IX Header "OPTIONS"
01185282 195.SS "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
196.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
197.IP "\fB\-inform DER|PEM|NET\fR" 4
198.IX Item "-inform DER|PEM|NET"
199This specifies the input format. Normally the command will expect an X509
200certificate but this can change if other options such as \fB\-req\fR are
201present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
202is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
203added. The \s-1NET\s0 option is an obscure Netscape server format that is now
204obsolete.
205.IP "\fB\-outform DER|PEM|NET\fR" 4
206.IX Item "-outform DER|PEM|NET"
984263bc 207This specifies the output format, the options have the same meaning as the
208\&\fB\-inform\fR option.
209.IP "\fB\-in filename\fR" 4
210.IX Item "-in filename"
211This specifies the input filename to read a certificate from or standard input
212if this option is not specified.
213.IP "\fB\-out filename\fR" 4
214.IX Item "-out filename"
215This specifies the output filename to write to or standard output by
216default.
217.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
218.IX Item "-md2|-md5|-sha1|-mdc2"
984263bc 219the digest to use. This affects any signing or display option that uses a message
8b0cefbb 220digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
221specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key
222then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
223.IP "\fB\-engine id\fR" 4
224.IX Item "-engine id"
01185282 225specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
226to attempt to obtain a functional reference to the specified engine,
227thus initialising it if needed. The engine will then be set as the default
228for all available algorithms.
01185282 229.SS "\s-1DISPLAY\s0 \s-1OPTIONS\s0"
8b0cefbb 230.IX Subsection "DISPLAY OPTIONS"
231Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
232but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
233.IP "\fB\-text\fR" 4
234.IX Item "-text"
235prints out the certificate in text form. Full details are output including the
236public key, signature algorithms, issuer and subject names, serial number
237any extensions present and any trust settings.
238.IP "\fB\-certopt option\fR" 4
239.IX Item "-certopt option"
240customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
241a single option or multiple options separated by commas. The \fB\-certopt\fR switch
242may also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
243section for more information.
244.IP "\fB\-noout\fR" 4
245.IX Item "-noout"
984263bc 246this option prevents output of the encoded version of the request.
247.IP "\fB\-pubkey\fR" 4
248.IX Item "-pubkey"
249outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
250.IP "\fB\-modulus\fR" 4
251.IX Item "-modulus"
252this option prints out the value of the modulus of the public key
253contained in the certificate.
254.IP "\fB\-serial\fR" 4
255.IX Item "-serial"
984263bc 256outputs the certificate serial number.
257.IP "\fB\-subject_hash\fR" 4
258.IX Item "-subject_hash"
259outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
260form an index to allow certificates in a directory to be looked up by subject
261name.
262.IP "\fB\-issuer_hash\fR" 4
263.IX Item "-issuer_hash"
264outputs the \*(L"hash\*(R" of the certificate issuer name.
265.IP "\fB\-hash\fR" 4
266.IX Item "-hash"
405d0527 267synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
268.IP "\fB\-subject_hash_old\fR" 4
269.IX Item "-subject_hash_old"
270outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
271as used by OpenSSL versions before 1.0.0.
272.IP "\fB\-issuer_hash_old\fR" 4
273.IX Item "-issuer_hash_old"
274outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
275as used by OpenSSL versions before 1.0.0.
276.IP "\fB\-subject\fR" 4
277.IX Item "-subject"
984263bc 278outputs the subject name.
279.IP "\fB\-issuer\fR" 4
280.IX Item "-issuer"
984263bc 281outputs the issuer name.
282.IP "\fB\-nameopt option\fR" 4
283.IX Item "-nameopt option"
984263bc 284option which determines how the subject or issuer names are displayed. The
8b0cefbb 285\&\fBoption\fR argument can be a single option or multiple options separated by
286commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
287set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
288.IP "\fB\-email\fR" 4
289.IX Item "-email"
290outputs the email address(es) if any.
291.IP "\fB\-ocsp_uri\fR" 4
292.IX Item "-ocsp_uri"
293outputs the \s-1OCSP\s0 responder address(es) if any.
294.IP "\fB\-startdate\fR" 4
295.IX Item "-startdate"
984263bc 296prints out the start date of the certificate, that is the notBefore date.
297.IP "\fB\-enddate\fR" 4
298.IX Item "-enddate"
984263bc 299prints out the expiry date of the certificate, that is the notAfter date.
300.IP "\fB\-dates\fR" 4
301.IX Item "-dates"
984263bc 302prints out the start and expiry dates of a certificate.
303.IP "\fB\-fingerprint\fR" 4
304.IX Item "-fingerprint"
305prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
306(see digest options).
307.IP "\fB\-C\fR" 4
308.IX Item "-C"
984263bc 309this outputs the certificate in the form of a C source file.
01185282 310.SS "\s-1TRUST\s0 \s-1SETTINGS\s0"
8b0cefbb 311.IX Subsection "TRUST SETTINGS"
312Please note these options are currently experimental and may well change.
313.PP
314A \fBtrusted certificate\fR is an ordinary certificate which has several
315additional pieces of information attached to it such as the permitted
316and prohibited uses of the certificate and an \*(L"alias\*(R".
317.PP
318Normally when a certificate is being verified at least one certificate
319must be \*(L"trusted\*(R". By default a trusted certificate must be stored
8b0cefbb 320locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
321is then usable for any purpose.
322.PP
323Trust settings currently are only used with a root \s-1CA\s0. They allow a finer
324control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
325may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
326.PP
327See the description of the \fBverify\fR utility for more information on the
328meaning of trust settings.
329.PP
330Future versions of OpenSSL will recognize trust settings on any
331certificate: not just root CAs.
332.IP "\fB\-trustout\fR" 4
333.IX Item "-trustout"
334this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
335or trusted certificate can be input but by default an ordinary
336certificate is output and any trust settings are discarded. With the
8b0cefbb 337\&\fB\-trustout\fR option a trusted certificate is output. A trusted
984263bc 338certificate is automatically output if any trust settings are modified.
339.IP "\fB\-setalias arg\fR" 4
340.IX Item "-setalias arg"
341sets the alias of the certificate. This will allow the certificate
342to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
343.IP "\fB\-alias\fR" 4
344.IX Item "-alias"
984263bc 345outputs the certificate alias, if any.
346.IP "\fB\-clrtrust\fR" 4
347.IX Item "-clrtrust"
984263bc 348clears all the permitted or trusted uses of the certificate.
349.IP "\fB\-clrreject\fR" 4
350.IX Item "-clrreject"
984263bc 351clears all the prohibited or rejected uses of the certificate.
352.IP "\fB\-addtrust arg\fR" 4
353.IX Item "-addtrust arg"
354adds a trusted certificate use. Any object name can be used here
355but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
8b0cefbb 356(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
984263bc 357Other OpenSSL applications may define additional uses.
358.IP "\fB\-addreject arg\fR" 4
359.IX Item "-addreject arg"
360adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
361option.
362.IP "\fB\-purpose\fR" 4
363.IX Item "-purpose"
364this option performs tests on the certificate extensions and outputs
365the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
8b0cefbb 366\&\s-1EXTENSIONS\s0\fR section.
01185282 367.SS "\s-1SIGNING\s0 \s-1OPTIONS\s0"
8b0cefbb 368.IX Subsection "SIGNING OPTIONS"
369The \fBx509\fR utility can be used to sign certificates and requests: it
370can thus behave like a \*(L"mini \s-1CA\s0\*(R".
371.IP "\fB\-signkey filename\fR" 4
372.IX Item "-signkey filename"
984263bc 373this option causes the input file to be self signed using the supplied
e257b235 374private key.
375.Sp
376If the input file is a certificate it sets the issuer name to the
377subject name (i.e. makes it self signed), changes the public key to the
378supplied value and changes the start and end dates. The start date is
379set to the current time and the end date is set to a value determined
380by the \fB\-days\fR option. Any certificate extensions are retained unless
381the \fB\-clrext\fR option is supplied.
382.Sp
383If the input is a certificate request then a self signed certificate
384is created using the supplied private key using the subject name in
385the request.
386.IP "\fB\-clrext\fR" 4
387.IX Item "-clrext"
388delete any extensions from a certificate. This option is used when a
389certificate is being created from another certificate (for example with
8b0cefbb 390the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
984263bc 391retained.
392.IP "\fB\-keyform PEM|DER\fR" 4
393.IX Item "-keyform PEM|DER"
984263bc 394specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
395\&\fB\-signkey\fR option.
396.IP "\fB\-days arg\fR" 4
397.IX Item "-days arg"
398specifies the number of days to make a certificate valid for. The default
399is 30 days.
400.IP "\fB\-x509toreq\fR" 4
401.IX Item "-x509toreq"
402converts a certificate into a certificate request. The \fB\-signkey\fR option
403is used to pass the required private key.
404.IP "\fB\-req\fR" 4
405.IX Item "-req"
406by default a certificate is expected on input. With this option a
407certificate request is expected instead.
408.IP "\fB\-set_serial n\fR" 4
409.IX Item "-set_serial n"
984263bc 410specifies the serial number to use. This option can be used with either
8b0cefbb 411the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
984263bc 412option the serial number file (as specified by the \fB\-CAserial\fR or
8b0cefbb 413\&\fB\-CAcreateserial\fR options) is not used.
414.Sp
415The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
416serial numbers can also be specified but their use is not recommended.
417.IP "\fB\-CA filename\fR" 4
418.IX Item "-CA filename"
419specifies the \s-1CA\s0 certificate to be used for signing. When this option is
420present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
8b0cefbb 421\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
422of the \s-1CA\s0 and it is digitally signed using the CA's private key.
423.Sp
424This option is normally combined with the \fB\-req\fR option. Without the
425\&\fB\-req\fR option the input is a certificate which must be self signed.
426.IP "\fB\-CAkey filename\fR" 4
427.IX Item "-CAkey filename"
428sets the \s-1CA\s0 private key to sign a certificate with. If this option is
429not specified then it is assumed that the \s-1CA\s0 private key is present in
430the \s-1CA\s0 certificate file.
431.IP "\fB\-CAserial filename\fR" 4
432.IX Item "-CAserial filename"
433sets the \s-1CA\s0 serial number file to use.
434.Sp
8b0cefbb 435When the \fB\-CA\fR option is used to sign a certificate it uses a serial
436number specified in a file. This file consists of one line containing
437an even number of hex digits with the serial number to use. After each
438use the serial number is incremented and written out to the file again.
439.Sp
440The default filename consists of the \s-1CA\s0 certificate file base name with
441\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
442\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
443.IP "\fB\-CAcreateserial\fR" 4
444.IX Item "-CAcreateserial"
445with this option the \s-1CA\s0 serial number file is created if it does not exist:
446it will contain the serial number \*(L"02\*(R" and the certificate being signed will
8b0cefbb 447have 1 as its serial number. Normally if the \fB\-CA\fR option is specified
984263bc 448and the serial number file does not exist it is an error.
449.IP "\fB\-extfile filename\fR" 4
450.IX Item "-extfile filename"
451file containing certificate extensions to use. If not specified then
452no extensions are added to the certificate.
453.IP "\fB\-extensions section\fR" 4
454.IX Item "-extensions section"
455the section to add certificate extensions from. If this option is not
456specified then the extensions should either be contained in the unnamed
457(default) section or the default section should contain a variable called
458\&\*(L"extensions\*(R" which contains the section to use. See the
459\&\fIx509v3_config\fR\|(5) manual page for details of the
460extension section format.
461.SS "\s-1NAME\s0 \s-1OPTIONS\s0"
8b0cefbb 462.IX Subsection "NAME OPTIONS"
463The \fBnameopt\fR command line switch determines how the subject and issuer
464names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
465format is used which is compatible with previous versions of OpenSSL.
466Each option is described in detail below, all options can be preceded by
e3cdf75b 467a \fB\-\fR to turn the option off. Only the first four will normally be used.
468.IP "\fBcompat\fR" 4
469.IX Item "compat"
984263bc 470use the old format. This is equivalent to specifying no name options at all.
471.IP "\fB\s-1RFC2253\s0\fR" 4
472.IX Item "RFC2253"
984263bc 473displays names compatible with \s-1RFC2253\s0, equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
474\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
475\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
476.IP "\fBoneline\fR" 4
477.IX Item "oneline"
478a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
479specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
edae4a78 480\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
984263bc 481options.
482.IP "\fBmultiline\fR" 4
483.IX Item "multiline"
984263bc 484a multiline format. It is equivalent to \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
edae4a78 485\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR.
486.IP "\fBesc_2253\fR" 4
487.IX Item "esc_2253"
984263bc 488escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is
8b0cefbb 489\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
984263bc 490and a space character at the beginning or end of a string.
491.IP "\fBesc_ctrl\fR" 4
492.IX Item "esc_ctrl"
493escape control characters. That is those with \s-1ASCII\s0 values less than
4940x20 (space) and the delete (0x7f) character. They are escaped using the
8b0cefbb 495\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
984263bc 496character value).
497.IP "\fBesc_msb\fR" 4
498.IX Item "esc_msb"
499escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
500127.
501.IP "\fBuse_quote\fR" 4
502.IX Item "use_quote"
503escapes some characters by surrounding the whole string with \fB"\fR characters,
984263bc 504without the option all escaping is done with the \fB\e\fR character.
505.IP "\fButf8\fR" 4
506.IX Item "utf8"
507convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
508you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
509of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
510display of multibyte (international) characters. If this option is not
511present then multibyte characters larger than 0xff will be represented
512using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
513Also if this option is off any UTF8Strings will be converted to their
514character form first.
515.IP "\fBno_type\fR" 4
516.IX Item "no_type"
517this option does not attempt to interpret multibyte characters in any
518way. That is their content octets are merely dumped as though one octet
519represents each character. This is useful for diagnostic purposes but
520will result in rather odd looking output.
521.IP "\fBshow_type\fR" 4
522.IX Item "show_type"
984263bc 523show the type of the \s-1ASN1\s0 character string. The type precedes the
524field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
525.IP "\fBdump_der\fR" 4
526.IX Item "dump_der"
527when this option is set any fields that need to be hexdumped will
528be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
529content octets will be displayed. Both options use the \s-1RFC2253\s0
530\&\fB#XXXX...\fR format.
531.IP "\fBdump_nostr\fR" 4
532.IX Item "dump_nostr"
533dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
534option is not set then non character string types will be displayed
535as though each content octet represents a single character.
536.IP "\fBdump_all\fR" 4
537.IX Item "dump_all"
984263bc 538dump all fields. This option when used with \fBdump_der\fR allows the
539\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
540.IP "\fBdump_unknown\fR" 4
541.IX Item "dump_unknown"
984263bc 542dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
543.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
544.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
545these options determine the field separators. The first character is
546between RDNs and the second between multiple AVAs (multiple AVAs are
547very rare and their use is discouraged). The options ending in
8b0cefbb 548\&\*(L"space\*(R" additionally place a space after the separator to make it
549more readable. The \fBsep_multiline\fR uses a linefeed character for
550the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
551indents the fields by four characters.
552.IP "\fBdn_rev\fR" 4
553.IX Item "dn_rev"
554reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
555effect this also reverses the order of multiple AVAs but this is
556permissible.
557.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
558.IX Item "nofname, sname, lname, oid"
559these options alter how the field name is displayed. \fBnofname\fR does
560not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
561(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
8b0cefbb 562\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
984263bc 563diagnostic purpose.
564.IP "\fBalign\fR" 4
565.IX Item "align"
984263bc 566align field values for a more readable output. Only usable with
8b0cefbb 567\&\fBsep_multiline\fR.
568.IP "\fBspace_eq\fR" 4
569.IX Item "space_eq"
570places spaces round the \fB=\fR character which follows the field
571name.
01185282 572.SS "\s-1TEXT\s0 \s-1OPTIONS\s0"
8b0cefbb 573.IX Subsection "TEXT OPTIONS"
574As well as customising the name output format, it is also possible to
575customise the actual fields printed using the \fBcertopt\fR options when
576the \fBtext\fR option is present. The default behaviour is to print all fields.
577.IP "\fBcompatible\fR" 4
578.IX Item "compatible"
984263bc 579use the old format. This is equivalent to specifying no output options at all.
580.IP "\fBno_header\fR" 4
581.IX Item "no_header"
984263bc 582don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
583.IP "\fBno_version\fR" 4
584.IX Item "no_version"
984263bc 585don't print out the version number.
586.IP "\fBno_serial\fR" 4
587.IX Item "no_serial"
984263bc 588don't print out the serial number.
589.IP "\fBno_signame\fR" 4
590.IX Item "no_signame"
984263bc 591don't print out the signature algorithm used.
592.IP "\fBno_validity\fR" 4
593.IX Item "no_validity"
984263bc 594don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
595.IP "\fBno_subject\fR" 4
596.IX Item "no_subject"
984263bc 597don't print out the subject name.
598.IP "\fBno_issuer\fR" 4
599.IX Item "no_issuer"
984263bc 600don't print out the issuer name.
601.IP "\fBno_pubkey\fR" 4
602.IX Item "no_pubkey"
984263bc 603don't print out the public key.
604.IP "\fBno_sigdump\fR" 4
605.IX Item "no_sigdump"
984263bc 606don't give a hexadecimal dump of the certificate signature.
607.IP "\fBno_aux\fR" 4
608.IX Item "no_aux"
984263bc 609don't print out certificate trust information.
610.IP "\fBno_extensions\fR" 4
611.IX Item "no_extensions"
984263bc 612don't print out any X509V3 extensions.
613.IP "\fBext_default\fR" 4
614.IX Item "ext_default"
984263bc 615retain default extension behaviour: attempt to print out unsupported certificate extensions.
616.IP "\fBext_error\fR" 4
617.IX Item "ext_error"
984263bc 618print an error message for unsupported certificate extensions.
619.IP "\fBext_parse\fR" 4
620.IX Item "ext_parse"
621\&\s-1ASN1\s0 parse unsupported extensions.
622.IP "\fBext_dump\fR" 4
623.IX Item "ext_dump"
984263bc 624hex dump unsupported extensions.
625.IP "\fBca_default\fR" 4
626.IX Item "ca_default"
984263bc 627the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
8b0cefbb 628\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
984263bc 629.SH "EXAMPLES"
630.IX Header "EXAMPLES"
631Note: in these examples the '\e' means the example should be all on one
632line.
633.PP
634Display the contents of a certificate:
635.PP
636.Vb 1
e257b235 637\& openssl x509 \-in cert.pem \-noout \-text
984263bc 638.Ve
8b0cefbb 639.PP
640Display the certificate serial number:
641.PP
642.Vb 1
e257b235 643\& openssl x509 \-in cert.pem \-noout \-serial
984263bc 644.Ve
8b0cefbb 645.PP
646Display the certificate subject name:
647.PP
648.Vb 1
e257b235 649\& openssl x509 \-in cert.pem \-noout \-subject
984263bc 650.Ve
651.PP
652Display the certificate subject name in \s-1RFC2253\s0 form:
653.PP
654.Vb 1
e257b235 655\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
984263bc 656.Ve
8b0cefbb 657.PP
984263bc 658Display the certificate subject name in oneline form on a terminal
8b0cefbb 659supporting \s-1UTF8:\s0
660.PP
661.Vb 1
e257b235 662\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
984263bc 663.Ve
664.PP
665Display the certificate \s-1MD5\s0 fingerprint:
666.PP
667.Vb 1
e257b235 668\& openssl x509 \-in cert.pem \-noout \-fingerprint
984263bc 669.Ve
670.PP
671Display the certificate \s-1SHA1\s0 fingerprint:
672.PP
673.Vb 1
e257b235 674\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
984263bc 675.Ve
676.PP
677Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
678.PP
679.Vb 1
e257b235 680\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
984263bc 681.Ve
8b0cefbb 682.PP
683Convert a certificate to a certificate request:
684.PP
685.Vb 1
e257b235 686\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem
984263bc 687.Ve
8b0cefbb 688.PP
984263bc 689Convert a certificate request into a self signed certificate using
8b0cefbb 690extensions for a \s-1CA:\s0
691.PP
692.Vb 2
693\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
694\& \-signkey key.pem \-out cacert.pem
984263bc 695.Ve
696.PP
697Sign a certificate request using the \s-1CA\s0 certificate above and add user
698certificate extensions:
699.PP
700.Vb 2
701\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
702\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
984263bc 703.Ve
704.PP
Set a certificate to be trusted for \s-1SSL\s0 client use and set its alias to
706\&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
707.PP
708.Vb 2
709\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
710\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
711.Ve
712.SH "NOTES"
713.IX Header "NOTES"
714The \s-1PEM\s0 format uses the header and footer lines:
715.PP
716.Vb 2
717\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
718\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
984263bc 719.Ve
8b0cefbb 720.PP
721it will also handle files containing:
722.PP
723.Vb 2
724\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\-
725\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\-
984263bc 726.Ve
8b0cefbb 727.PP
728Trusted certificates have the lines
729.PP
730.Vb 2
731\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\-
732\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\-
984263bc 733.Ve
734.PP
735The conversion to \s-1UTF8\s0 format used with the name options assumes that
736T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
737and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
738it is more likely to display the majority of certificates correctly.
739.PP
8b0cefbb 740The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate.
This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
digests the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.
This only holds while the digest remains collision resistant: \s-1MD5\s0 no longer
is, so \s-1SHA1\s0 or a stronger digest should be used when the fingerprint is
relied on to identify a certificate.
744.PP
8b0cefbb 745The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0.
746.PP
747The \fB\-email\fR option searches the subject name and the subject alternative
748name extension. Only unique email addresses will be printed out: it will
749not print the same address more than once.
750.SH "CERTIFICATE EXTENSIONS"
8b0cefbb 751.IX Header "CERTIFICATE EXTENSIONS"
752The \fB\-purpose\fR option checks the certificate extensions and determines
753what the certificate can be used for. The actual checks done are rather
754complex and include various hacks and workarounds to handle broken
755certificates and software.
756.PP
757The same code is used when verifying untrusted certificates in chains
758so this section is useful if a chain is rejected by the verify code.
759.PP
760The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
761certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0,
762if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the
763\&\s-1CA\s0 flag set to true.
764.PP
765If the basicConstraints extension is absent then the certificate is
considered to be a \*(L"possible \s-1CA\s0\*(R" and other extensions are checked according
to the intended use of the certificate. A warning is given in this case
768because the certificate should really not be regarded as a \s-1CA:\s0 however
769it is allowed to be a \s-1CA\s0 to work around some broken software.
770.PP
771If the certificate is a V1 certificate (and thus has no extensions) and
8b0cefbb 772it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
773given: this is to work around the problem of Verisign roots which are V1
774self signed certificates.
775.PP
If the keyUsage extension is present then additional restrictions are
placed on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
778keyCertSign bit set if the keyUsage extension is present.
779.PP
780The extended key usage extension places additional restrictions on the
781certificate uses. If this extension is present (whether critical or not)
782the key can only be used for the purposes specified.
783.PP
784A complete description of each test is given below. The comments about
785basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
786\&\s-1CA\s0 certificates.
787.IP "\fB\s-1SSL\s0 Client\fR" 4
788.IX Item "SSL Client"
789The extended key usage extension must be absent or include the \*(L"web client
790authentication\*(R" \s-1OID\s0. keyUsage must be absent or it must have the
791digitalSignature bit set. Netscape certificate type must be absent or it must
792have the \s-1SSL\s0 client bit set.
793.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
794.IX Item "SSL Client CA"
795The extended key usage extension must be absent or include the \*(L"web client
796authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
797the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
798extension is absent.
799.IP "\fB\s-1SSL\s0 Server\fR" 4
800.IX Item "SSL Server"
801The extended key usage extension must be absent or include the \*(L"web server
authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it
must have the digitalSignature bit, the keyEncipherment bit, or both set.
804Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
805.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
806.IX Item "SSL Server CA"
807The extended key usage extension must be absent or include the \*(L"web server
808authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must
809be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
810basicConstraints extension is absent.
811.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
812.IX Item "Netscape SSL Server"
813For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
814keyEncipherment bit set if the keyUsage extension is present. This isn't
815always valid because some cipher suites use the key for digital signing.
816Otherwise it is the same as a normal \s-1SSL\s0 server.
817.IP "\fBCommon S/MIME Client Tests\fR" 4
818.IX Item "Common S/MIME Client Tests"
819The extended key usage extension must be absent or include the \*(L"email
820protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
8b0cefbb 821S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
984263bc 822then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
823this is because some Verisign certificates don't set the S/MIME bit.
824.IP "\fBS/MIME Signing\fR" 4
825.IX Item "S/MIME Signing"
826In addition to the common S/MIME client tests the digitalSignature bit must
984263bc 827be set if the keyUsage extension is present.
828.IP "\fBS/MIME Encryption\fR" 4
829.IX Item "S/MIME Encryption"
830In addition to the common S/MIME tests the keyEncipherment bit must be set
984263bc 831if the keyUsage extension is present.
832.IP "\fBS/MIME \s-1CA\s0\fR" 4
833.IX Item "S/MIME CA"
834The extended key usage extension must be absent or include the \*(L"email
835protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
8b0cefbb 836S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
e257b235 837extension is absent.
838.IP "\fB\s-1CRL\s0 Signing\fR" 4
839.IX Item "CRL Signing"
840The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
841set.
842.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
843.IX Item "CRL Signing CA"
The normal \s-1CA\s0 tests apply, except that in this case the basicConstraints
extension must be present.
846.SH "BUGS"
8b0cefbb 847.IX Header "BUGS"
848Extensions in certificates are not transferred to certificate requests and
849vice versa.
850.PP
851It is possible to produce invalid certificates or requests by specifying the
852wrong private key or using inconsistent options in some cases: these should
853be checked.
854.PP
855There should be options to explicitly set such things as start and end
856dates rather than an offset from the current time.
857.PP
The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section
859is currently being developed. It thus describes the intended behaviour rather
860than the current behaviour. It is hoped that it will represent reality in
861OpenSSL 0.9.5 and later.
862.SH "SEE ALSO"
e3cdf75b 863.IX Header "SEE ALSO"
8b0cefbb 864\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
865\&\fIgendsa\fR\|(1), \fIverify\fR\|(1),
866\&\fIx509v3_config\fR\|(5)
867.SH "HISTORY"
868.IX Header "HISTORY"
869Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0.
870.PP
871The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
872before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
873of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
874canonical version of the \s-1DN\s0 using \s-1SHA1\s0. This means that any directories using
875the old form must have their links rebuilt using \fBc_rehash\fR or similar.