Update files for OpenSSL-1.0.0f import.
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
8b0cefbb 5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
8b0cefbb 9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
8b0cefbb 14.de Ve \" End verbatim text
984263bc 15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
8b0cefbb 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
984263bc 41'br\}
8b0cefbb 42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
8b0cefbb 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 54..
55. nr % 0
56. rr F
984263bc 57.\}
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "X509 1"
e3261593 127.TH X509 1 "2012-01-04" "1.0.0f" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133x509 \- Certificate display and signing utility
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBx509\fR
137[\fB\-inform DER|PEM|NET\fR]
138[\fB\-outform DER|PEM|NET\fR]
139[\fB\-keyform DER|PEM\fR]
140[\fB\-CAform DER|PEM\fR]
141[\fB\-CAkeyform DER|PEM\fR]
142[\fB\-in filename\fR]
143[\fB\-out filename\fR]
144[\fB\-serial\fR]
145[\fB\-hash\fR]
146[\fB\-subject_hash\fR]
147[\fB\-issuer_hash\fR]
148[\fB\-subject\fR]
149[\fB\-issuer\fR]
150[\fB\-nameopt option\fR]
151[\fB\-email\fR]
01185282 152[\fB\-ocsp_uri\fR]
153[\fB\-startdate\fR]
154[\fB\-enddate\fR]
155[\fB\-purpose\fR]
156[\fB\-dates\fR]
157[\fB\-modulus\fR]
158[\fB\-fingerprint\fR]
159[\fB\-alias\fR]
160[\fB\-noout\fR]
161[\fB\-trustout\fR]
162[\fB\-clrtrust\fR]
163[\fB\-clrreject\fR]
164[\fB\-addtrust arg\fR]
165[\fB\-addreject arg\fR]
166[\fB\-setalias arg\fR]
167[\fB\-days arg\fR]
168[\fB\-set_serial n\fR]
169[\fB\-signkey filename\fR]
170[\fB\-x509toreq\fR]
171[\fB\-req\fR]
172[\fB\-CA filename\fR]
173[\fB\-CAkey filename\fR]
174[\fB\-CAcreateserial\fR]
175[\fB\-CAserial filename\fR]
176[\fB\-text\fR]
177[\fB\-C\fR]
178[\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
179[\fB\-clrext\fR]
180[\fB\-extfile filename\fR]
181[\fB\-extensions section\fR]
182[\fB\-engine id\fR]
183.SH "DESCRIPTION"
8b0cefbb 184.IX Header "DESCRIPTION"
185The \fBx509\fR command is a multi-purpose certificate utility. It can be
186used to display certificate information, convert certificates to
8b0cefbb 187various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit
188certificate trust settings.
189.PP
190Since there are a large number of options they are split up into
191various sections.
192.SH "OPTIONS"
8b0cefbb 193.IX Header "OPTIONS"
01185282 194.SS "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
195.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
196.IP "\fB\-inform DER|PEM|NET\fR" 4
197.IX Item "-inform DER|PEM|NET"
198This specifies the input format. Normally the command will expect an X509
199certificate, but this can change if other options such as \fB\-req\fR are
200present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
201is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
202added. The \s-1NET\s0 option is an obscure Netscape server format that is now
203obsolete.
204.IP "\fB\-outform DER|PEM|NET\fR" 4
205.IX Item "-outform DER|PEM|NET"
984263bc 206This specifies the output format; the options have the same meaning as the
207\&\fB\-inform\fR option.
208.IP "\fB\-in filename\fR" 4
209.IX Item "-in filename"
210This specifies the input filename to read a certificate from or standard input
211if this option is not specified.
212.IP "\fB\-out filename\fR" 4
213.IX Item "-out filename"
214This specifies the output filename to write to or standard output by
215default.
216.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
217.IX Item "-md2|-md5|-sha1|-mdc2"
984263bc 218the digest to use. This affects any signing or display option that uses a message
8b0cefbb 219digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
220specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key
221then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
222.IP "\fB\-engine id\fR" 4
223.IX Item "-engine id"
01185282 224specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
225to attempt to obtain a functional reference to the specified engine,
226thus initialising it if needed. The engine will then be set as the default
227for all available algorithms.
01185282 228.SS "\s-1DISPLAY\s0 \s-1OPTIONS\s0"
8b0cefbb 229.IX Subsection "DISPLAY OPTIONS"
230Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
231but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
232.IP "\fB\-text\fR" 4
233.IX Item "-text"
234prints out the certificate in text form. Full details are output including the
235public key, signature algorithms, issuer and subject names, serial number
236any extensions present and any trust settings.
237.IP "\fB\-certopt option\fR" 4
238.IX Item "-certopt option"
239customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
240a single option or multiple options separated by commas. The \fB\-certopt\fR switch
241may also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
242section for more information.
243.IP "\fB\-noout\fR" 4
244.IX Item "-noout"
984263bc 245this option prevents output of the encoded version of the request.
246.IP "\fB\-modulus\fR" 4
247.IX Item "-modulus"
248this option prints out the value of the modulus of the public key
249contained in the certificate.
250.IP "\fB\-serial\fR" 4
251.IX Item "-serial"
984263bc 252outputs the certificate serial number.
253.IP "\fB\-subject_hash\fR" 4
254.IX Item "-subject_hash"
255outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
256form an index to allow certificates in a directory to be looked up by subject
257name.
258.IP "\fB\-issuer_hash\fR" 4
259.IX Item "-issuer_hash"
260outputs the \*(L"hash\*(R" of the certificate issuer name.
261.IP "\fB\-hash\fR" 4
262.IX Item "-hash"
405d0527 263synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
264.IP "\fB\-subject_hash_old\fR" 4
265.IX Item "-subject_hash_old"
266outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
267as used by OpenSSL versions before 1.0.0.
268.IP "\fB\-issuer_hash_old\fR" 4
269.IX Item "-issuer_hash_old"
270outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
271as used by OpenSSL versions before 1.0.0.
272.IP "\fB\-subject\fR" 4
273.IX Item "-subject"
984263bc 274outputs the subject name.
275.IP "\fB\-issuer\fR" 4
276.IX Item "-issuer"
984263bc 277outputs the issuer name.
278.IP "\fB\-nameopt option\fR" 4
279.IX Item "-nameopt option"
984263bc 280option which determines how the subject or issuer names are displayed. The
8b0cefbb 281\&\fBoption\fR argument can be a single option or multiple options separated by
282commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
283set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
284.IP "\fB\-email\fR" 4
285.IX Item "-email"
286outputs the email address(es) if any.
287.IP "\fB\-ocsp_uri\fR" 4
288.IX Item "-ocsp_uri"
289outputs the \s-1OCSP\s0 responder address(es) if any.
290.IP "\fB\-startdate\fR" 4
291.IX Item "-startdate"
984263bc 292prints out the start date of the certificate, that is the notBefore date.
293.IP "\fB\-enddate\fR" 4
294.IX Item "-enddate"
984263bc 295prints out the expiry date of the certificate, that is the notAfter date.
296.IP "\fB\-dates\fR" 4
297.IX Item "-dates"
984263bc 298prints out the start and expiry dates of a certificate.
299.IP "\fB\-fingerprint\fR" 4
300.IX Item "-fingerprint"
301prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
302(see digest options).
303.IP "\fB\-C\fR" 4
304.IX Item "-C"
984263bc 305this outputs the certificate in the form of a C source file.
01185282 306.SS "\s-1TRUST\s0 \s-1SETTINGS\s0"
8b0cefbb 307.IX Subsection "TRUST SETTINGS"
308Please note these options are currently experimental and may well change.
309.PP
310A \fBtrusted certificate\fR is an ordinary certificate which has several
311additional pieces of information attached to it such as the permitted
312and prohibited uses of the certificate and an \*(L"alias\*(R".
313.PP
314Normally when a certificate is being verified at least one certificate
315must be \*(L"trusted\*(R". By default a trusted certificate must be stored
8b0cefbb 316locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
317is then usable for any purpose.
318.PP
319Trust settings currently are only used with a root \s-1CA\s0. They allow a finer
320control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
321may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
322.PP
323See the description of the \fBverify\fR utility for more information on the
324meaning of trust settings.
325.PP
326Future versions of OpenSSL will recognize trust settings on any
327certificate: not just root CAs.
328.IP "\fB\-trustout\fR" 4
329.IX Item "-trustout"
330this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
331or trusted certificate can be input but by default an ordinary
332certificate is output and any trust settings are discarded. With the
8b0cefbb 333\&\fB\-trustout\fR option a trusted certificate is output. A trusted
984263bc 334certificate is automatically output if any trust settings are modified.
335.IP "\fB\-setalias arg\fR" 4
336.IX Item "-setalias arg"
337sets the alias of the certificate. This will allow the certificate
338to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
339.IP "\fB\-alias\fR" 4
340.IX Item "-alias"
984263bc 341outputs the certificate alias, if any.
342.IP "\fB\-clrtrust\fR" 4
343.IX Item "-clrtrust"
984263bc 344clears all the permitted or trusted uses of the certificate.
345.IP "\fB\-clrreject\fR" 4
346.IX Item "-clrreject"
984263bc 347clears all the prohibited or rejected uses of the certificate.
348.IP "\fB\-addtrust arg\fR" 4
349.IX Item "-addtrust arg"
350adds a trusted certificate use. Any object name can be used here
351but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
8b0cefbb 352(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
984263bc 353Other OpenSSL applications may define additional uses.
354.IP "\fB\-addreject arg\fR" 4
355.IX Item "-addreject arg"
356adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
357option.
358.IP "\fB\-purpose\fR" 4
359.IX Item "-purpose"
360this option performs tests on the certificate extensions and outputs
361the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
8b0cefbb 362\&\s-1EXTENSIONS\s0\fR section.
01185282 363.SS "\s-1SIGNING\s0 \s-1OPTIONS\s0"
8b0cefbb 364.IX Subsection "SIGNING OPTIONS"
365The \fBx509\fR utility can be used to sign certificates and requests: it
366can thus behave like a \*(L"mini \s-1CA\s0\*(R".
367.IP "\fB\-signkey filename\fR" 4
368.IX Item "-signkey filename"
984263bc 369this option causes the input file to be self signed using the supplied
e257b235 370private key.
371.Sp
372If the input file is a certificate it sets the issuer name to the
373subject name (i.e. makes it self signed), changes the public key to the
374supplied value and changes the start and end dates. The start date is
375set to the current time and the end date is set to a value determined
376by the \fB\-days\fR option. Any certificate extensions are retained unless
377the \fB\-clrext\fR option is supplied.
378.Sp
379If the input is a certificate request then a self signed certificate
380is created using the supplied private key using the subject name in
381the request.
382.IP "\fB\-clrext\fR" 4
383.IX Item "-clrext"
384delete any extensions from a certificate. This option is used when a
385certificate is being created from another certificate (for example with
8b0cefbb 386the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
984263bc 387retained.
388.IP "\fB\-keyform PEM|DER\fR" 4
389.IX Item "-keyform PEM|DER"
984263bc 390specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
391\&\fB\-signkey\fR option.
392.IP "\fB\-days arg\fR" 4
393.IX Item "-days arg"
394specifies the number of days to make a certificate valid for. The default
395is 30 days.
396.IP "\fB\-x509toreq\fR" 4
397.IX Item "-x509toreq"
398converts a certificate into a certificate request. The \fB\-signkey\fR option
399is used to pass the required private key.
400.IP "\fB\-req\fR" 4
401.IX Item "-req"
402by default a certificate is expected on input. With this option a
403certificate request is expected instead.
404.IP "\fB\-set_serial n\fR" 4
405.IX Item "-set_serial n"
984263bc 406specifies the serial number to use. This option can be used with either
8b0cefbb 407the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
984263bc 408option the serial number file (as specified by the \fB\-CAserial\fR or
8b0cefbb 409\&\fB\-CAcreateserial\fR options) is not used.
410.Sp
411The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
412serial numbers can also be specified but their use is not recommended.
413.IP "\fB\-CA filename\fR" 4
414.IX Item "-CA filename"
415specifies the \s-1CA\s0 certificate to be used for signing. When this option is
416present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
8b0cefbb 417\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
418of the \s-1CA\s0 and it is digitally signed using the CA's private key.
419.Sp
420This option is normally combined with the \fB\-req\fR option. Without the
421\&\fB\-req\fR option the input is a certificate which must be self signed.
422.IP "\fB\-CAkey filename\fR" 4
423.IX Item "-CAkey filename"
424sets the \s-1CA\s0 private key to sign a certificate with. If this option is
425not specified then it is assumed that the \s-1CA\s0 private key is present in
426the \s-1CA\s0 certificate file.
427.IP "\fB\-CAserial filename\fR" 4
428.IX Item "-CAserial filename"
429sets the \s-1CA\s0 serial number file to use.
430.Sp
8b0cefbb 431When the \fB\-CA\fR option is used to sign a certificate it uses a serial
432number specified in a file. This file consists of one line containing
433an even number of hex digits with the serial number to use. After each
434use the serial number is incremented and written out to the file again.
435.Sp
436The default filename consists of the \s-1CA\s0 certificate file base name with
437\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
438\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
439.IP "\fB\-CAcreateserial\fR" 4
440.IX Item "-CAcreateserial"
441with this option the \s-1CA\s0 serial number file is created if it does not exist:
442it will contain the serial number \*(L"02\*(R" and the certificate being signed will
8b0cefbb 443have 1 as its serial number. Normally if the \fB\-CA\fR option is specified
984263bc 444and the serial number file does not exist it is an error.
445.IP "\fB\-extfile filename\fR" 4
446.IX Item "-extfile filename"
447file containing certificate extensions to use. If not specified then
448no extensions are added to the certificate.
449.IP "\fB\-extensions section\fR" 4
450.IX Item "-extensions section"
451the section to add certificate extensions from. If this option is not
452specified then the extensions should either be contained in the unnamed
453(default) section or the default section should contain a variable called
454\&\*(L"extensions\*(R" which contains the section to use. See the
455\&\fIx509v3_config\fR\|(5) manual page for details of the
456extension section format.
457.SS "\s-1NAME\s0 \s-1OPTIONS\s0"
8b0cefbb 458.IX Subsection "NAME OPTIONS"
459The \fBnameopt\fR command line switch determines how the subject and issuer
460names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
461format is used which is compatible with previous versions of OpenSSL.
462Each option is described in detail below, all options can be preceded by
e3cdf75b 463a \fB\-\fR to turn the option off. Only the first four will normally be used.
464.IP "\fBcompat\fR" 4
465.IX Item "compat"
984263bc 466use the old format. This is equivalent to specifying no name options at all.
467.IP "\fB\s-1RFC2253\s0\fR" 4
468.IX Item "RFC2253"
984263bc 469displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
470\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
471\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
472.IP "\fBoneline\fR" 4
473.IX Item "oneline"
474a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
475specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
edae4a78 476\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
984263bc 477options.
478.IP "\fBmultiline\fR" 4
479.IX Item "multiline"
984263bc 480a multiline format. It is equivalent to \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
edae4a78 481\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR.
482.IP "\fBesc_2253\fR" 4
483.IX Item "esc_2253"
984263bc 484escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is
8b0cefbb 485\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
984263bc 486and a space character at the beginning or end of a string.
487.IP "\fBesc_ctrl\fR" 4
488.IX Item "esc_ctrl"
489escape control characters. That is those with \s-1ASCII\s0 values less than
4900x20 (space) and the delete (0x7f) character. They are escaped using the
8b0cefbb 491\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
984263bc 492character value).
493.IP "\fBesc_msb\fR" 4
494.IX Item "esc_msb"
495escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
496127.
497.IP "\fBuse_quote\fR" 4
498.IX Item "use_quote"
499escapes some characters by surrounding the whole string with \fB"\fR characters,
984263bc 500without the option all escaping is done with the \fB\e\fR character.
501.IP "\fButf8\fR" 4
502.IX Item "utf8"
503convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
504you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
505of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
506display of multibyte (international) characters. If this option is not
507present then multibyte characters larger than 0xff will be represented
508using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
509Also if this option is off any UTF8Strings will be converted to their
510character form first.
511.IP "\fBno_type\fR" 4
512.IX Item "no_type"
513this option does not attempt to interpret multibyte characters in any
514way. That is their content octets are merely dumped as though one octet
515represents each character. This is useful for diagnostic purposes but
516will result in rather odd looking output.
517.IP "\fBshow_type\fR" 4
518.IX Item "show_type"
984263bc 519show the type of the \s-1ASN1\s0 character string. The type precedes the
520field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
521.IP "\fBdump_der\fR" 4
522.IX Item "dump_der"
523when this option is set any fields that need to be hexdumped will
524be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
525content octets will be displayed. Both options use the \s-1RFC2253\s0
526\&\fB#XXXX...\fR format.
527.IP "\fBdump_nostr\fR" 4
528.IX Item "dump_nostr"
529dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
530option is not set then non character string types will be displayed
531as though each content octet represents a single character.
532.IP "\fBdump_all\fR" 4
533.IX Item "dump_all"
984263bc 534dump all fields. This option when used with \fBdump_der\fR allows the
535\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
536.IP "\fBdump_unknown\fR" 4
537.IX Item "dump_unknown"
984263bc 538dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
539.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
540.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
541these options determine the field separators. The first character is
542between RDNs and the second between multiple AVAs (multiple AVAs are
543very rare and their use is discouraged). The options ending in
8b0cefbb 544\&\*(L"space\*(R" additionally place a space after the separator to make it
545more readable. The \fBsep_multiline\fR uses a linefeed character for
546the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
547indents the fields by four characters.
548.IP "\fBdn_rev\fR" 4
549.IX Item "dn_rev"
550reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
551effect this also reverses the order of multiple AVAs but this is
552permissible.
553.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
554.IX Item "nofname, sname, lname, oid"
555these options alter how the field name is displayed. \fBnofname\fR does
556not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
557(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
8b0cefbb 558\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
984263bc 559diagnostic purpose.
560.IP "\fBalign\fR" 4
561.IX Item "align"
984263bc 562align field values for a more readable output. Only usable with
8b0cefbb 563\&\fBsep_multiline\fR.
564.IP "\fBspace_eq\fR" 4
565.IX Item "space_eq"
566places spaces round the \fB=\fR character which follows the field
567name.
01185282 568.SS "\s-1TEXT\s0 \s-1OPTIONS\s0"
8b0cefbb 569.IX Subsection "TEXT OPTIONS"
570As well as customising the name output format, it is also possible to
571customise the actual fields printed using the \fBcertopt\fR options when
572the \fBtext\fR option is present. The default behaviour is to print all fields.
573.IP "\fBcompatible\fR" 4
574.IX Item "compatible"
984263bc 575use the old format. This is equivalent to specifying no output options at all.
576.IP "\fBno_header\fR" 4
577.IX Item "no_header"
984263bc 578don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
579.IP "\fBno_version\fR" 4
580.IX Item "no_version"
984263bc 581don't print out the version number.
582.IP "\fBno_serial\fR" 4
583.IX Item "no_serial"
984263bc 584don't print out the serial number.
585.IP "\fBno_signame\fR" 4
586.IX Item "no_signame"
984263bc 587don't print out the signature algorithm used.
588.IP "\fBno_validity\fR" 4
589.IX Item "no_validity"
984263bc 590don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
591.IP "\fBno_subject\fR" 4
592.IX Item "no_subject"
984263bc 593don't print out the subject name.
594.IP "\fBno_issuer\fR" 4
595.IX Item "no_issuer"
984263bc 596don't print out the issuer name.
597.IP "\fBno_pubkey\fR" 4
598.IX Item "no_pubkey"
984263bc 599don't print out the public key.
600.IP "\fBno_sigdump\fR" 4
601.IX Item "no_sigdump"
984263bc 602don't give a hexadecimal dump of the certificate signature.
603.IP "\fBno_aux\fR" 4
604.IX Item "no_aux"
984263bc 605don't print out certificate trust information.
606.IP "\fBno_extensions\fR" 4
607.IX Item "no_extensions"
984263bc 608don't print out any X509V3 extensions.
609.IP "\fBext_default\fR" 4
610.IX Item "ext_default"
984263bc 611retain default extension behaviour: attempt to print out unsupported certificate extensions.
612.IP "\fBext_error\fR" 4
613.IX Item "ext_error"
984263bc 614print an error message for unsupported certificate extensions.
615.IP "\fBext_parse\fR" 4
616.IX Item "ext_parse"
617\&\s-1ASN1\s0 parse unsupported extensions.
618.IP "\fBext_dump\fR" 4
619.IX Item "ext_dump"
984263bc 620hex dump unsupported extensions.
621.IP "\fBca_default\fR" 4
622.IX Item "ca_default"
984263bc 623the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
8b0cefbb 624\&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
984263bc 625.SH "EXAMPLES"
626.IX Header "EXAMPLES"
627Note: in these examples the '\e' means the example should be all on one
628line.
629.PP
630Display the contents of a certificate:
631.PP
632.Vb 1
e257b235 633\& openssl x509 \-in cert.pem \-noout \-text
984263bc 634.Ve
8b0cefbb 635.PP
636Display the certificate serial number:
637.PP
638.Vb 1
e257b235 639\& openssl x509 \-in cert.pem \-noout \-serial
984263bc 640.Ve
8b0cefbb 641.PP
642Display the certificate subject name:
643.PP
644.Vb 1
e257b235 645\& openssl x509 \-in cert.pem \-noout \-subject
984263bc 646.Ve
647.PP
648Display the certificate subject name in \s-1RFC2253\s0 form:
649.PP
650.Vb 1
e257b235 651\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
984263bc 652.Ve
8b0cefbb 653.PP
984263bc 654Display the certificate subject name in oneline form on a terminal
8b0cefbb 655supporting \s-1UTF8:\s0
656.PP
657.Vb 1
e257b235 658\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
984263bc 659.Ve
660.PP
661Display the certificate \s-1MD5\s0 fingerprint:
662.PP
663.Vb 1
e257b235 664\& openssl x509 \-in cert.pem \-noout \-fingerprint
984263bc 665.Ve
666.PP
667Display the certificate \s-1SHA1\s0 fingerprint:
668.PP
669.Vb 1
e257b235 670\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
984263bc 671.Ve
672.PP
673Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
674.PP
675.Vb 1
e257b235 676\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
984263bc 677.Ve
8b0cefbb 678.PP
679Convert a certificate to a certificate request:
680.PP
681.Vb 1
e257b235 682\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem
984263bc 683.Ve
8b0cefbb 684.PP
984263bc 685Convert a certificate request into a self signed certificate using
8b0cefbb 686extensions for a \s-1CA:\s0
687.PP
688.Vb 2
689\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
690\& \-signkey key.pem \-out cacert.pem
984263bc 691.Ve
692.PP
693Sign a certificate request using the \s-1CA\s0 certificate above and add user
694certificate extensions:
695.PP
696.Vb 2
697\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
698\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
984263bc 699.Ve
700.PP
701Set a certificate to be trusted for \s-1SSL\s0 client use and set its alias to
702\&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
703.PP
704.Vb 2
705\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
706\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
707.Ve
708.SH "NOTES"
709.IX Header "NOTES"
710The \s-1PEM\s0 format uses the header and footer lines:
711.PP
712.Vb 2
713\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
714\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
984263bc 715.Ve
8b0cefbb 716.PP
717it will also handle files containing:
718.PP
719.Vb 2
720\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\-
721\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\-
984263bc 722.Ve
8b0cefbb 723.PP
724Trusted certificates have the lines
725.PP
726.Vb 2
727\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\-
728\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\-
984263bc 729.Ve
730.PP
731The conversion to \s-1UTF8\s0 format used with the name options assumes that
732T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
733and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
734it is more likely to display the majority of certificates correctly.
735.PP
8b0cefbb 736The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate.
737This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
738digests the fingerprint of a certificate is unique to that certificate and, provided the
739digest is collision resistant, two certificates with the same fingerprint can be considered to be the same.
740.PP
8b0cefbb 741The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0.
742.PP
743The \fB\-email\fR option searches the subject name and the subject alternative
744name extension. Only unique email addresses will be printed out: it will
745not print the same address more than once.
746.SH "CERTIFICATE EXTENSIONS"
8b0cefbb 747.IX Header "CERTIFICATE EXTENSIONS"
748The \fB\-purpose\fR option checks the certificate extensions and determines
749what the certificate can be used for. The actual checks done are rather
750complex and include various hacks and workarounds to handle broken
751certificates and software.
752.PP
753The same code is used when verifying untrusted certificates in chains
754so this section is useful if a chain is rejected by the verify code.
755.PP
756The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
757certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0;
758if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the
759\&\s-1CA\s0 flag set to true.
760.PP
761If the basicConstraints extension is absent then the certificate is
8b0cefbb 762considered to be a \*(L"possible \s-1CA\s0\*(R"; other extensions are checked according
984263bc 763to the intended use of the certificate. A warning is given in this case
764because the certificate should really not be regarded as a \s-1CA:\s0 however
765it is allowed to be a \s-1CA\s0 to work around some broken software.
766.PP
767If the certificate is a V1 certificate (and thus has no extensions) and
8b0cefbb 768it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
769given: this is to work around the problem of Verisign roots which are V1
770self signed certificates.
771.PP
772If the keyUsage extension is present then additional restraints are
8b0cefbb 773made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
774keyCertSign bit set if the keyUsage extension is present.
775.PP
776The extended key usage extension places additional restrictions on the
777certificate uses. If this extension is present (whether critical or not)
778the key can only be used for the purposes specified.
779.PP
780A complete description of each test is given below. The comments about
781basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
782\&\s-1CA\s0 certificates.
783.IP "\fB\s-1SSL\s0 Client\fR" 4
784.IX Item "SSL Client"
785The extended key usage extension must be absent or include the \*(L"web client
786authentication\*(R" \s-1OID\s0. keyUsage must be absent or it must have the
787digitalSignature bit set. Netscape certificate type must be absent or it must
788have the \s-1SSL\s0 client bit set.
789.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
790.IX Item "SSL Client CA"
791The extended key usage extension must be absent or include the \*(L"web client
792authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
793the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
794extension is absent.
795.IP "\fB\s-1SSL\s0 Server\fR" 4
796.IX Item "SSL Server"
797The extended key usage extension must be absent or include the \*(L"web server
798authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it
799must have the digitalSignature bit, the keyEncipherment bit, or both set.
800Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
801.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
802.IX Item "SSL Server CA"
803The extended key usage extension must be absent or include the \*(L"web server
804authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must
805be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
806basicConstraints extension is absent.
807.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
808.IX Item "Netscape SSL Server"
809For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
810keyEncipherment bit set if the keyUsage extension is present. This isn't
811always valid because some cipher suites use the key for digital signing.
812Otherwise it is the same as a normal \s-1SSL\s0 server.
813.IP "\fBCommon S/MIME Client Tests\fR" 4
814.IX Item "Common S/MIME Client Tests"
815The extended key usage extension must be absent or include the \*(L"email
816protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
8b0cefbb 817S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type
984263bc 818then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
819this is because some Verisign certificates don't set the S/MIME bit.
820.IP "\fBS/MIME Signing\fR" 4
821.IX Item "S/MIME Signing"
822In addition to the common S/MIME client tests the digitalSignature bit must
984263bc 823be set if the keyUsage extension is present.
824.IP "\fBS/MIME Encryption\fR" 4
825.IX Item "S/MIME Encryption"
826In addition to the common S/MIME tests the keyEncipherment bit must be set
984263bc 827if the keyUsage extension is present.
828.IP "\fBS/MIME \s-1CA\s0\fR" 4
829.IX Item "S/MIME CA"
830The extended key usage extension must be absent or include the \*(L"email
831protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
8b0cefbb 832S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
e257b235 833extension is absent.
834.IP "\fB\s-1CRL\s0 Signing\fR" 4
835.IX Item "CRL Signing"
836The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
837set.
838.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
839.IX Item "CRL Signing CA"
840The normal \s-1CA\s0 tests apply, except that in this case the basicConstraints extension
841must be present.
842.SH "BUGS"
8b0cefbb 843.IX Header "BUGS"
844Extensions in certificates are not transferred to certificate requests and
845vice versa.
846.PP
847It is possible to produce invalid certificates or requests by specifying the
848wrong private key or using inconsistent options in some cases: these should
849be checked.
850.PP
851There should be options to explicitly set such things as start and end
852dates rather than an offset from the current time.
853.PP
8b0cefbb 854The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR
855section is currently being developed. It thus describes the intended behaviour rather
856than the current behaviour. It is hoped that it will represent reality in
857OpenSSL 0.9.5 and later.
858.SH "SEE ALSO"
e3cdf75b 859.IX Header "SEE ALSO"
8b0cefbb 860\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
861\&\fIgendsa\fR\|(1), \fIverify\fR\|(1),
862\&\fIx509v3_config\fR\|(5)
863.SH "HISTORY"
864.IX Header "HISTORY"
865Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0.
866.PP
867The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
868before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
869of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
870canonical version of the \s-1DN\s0 using \s-1SHA1\s0. This means that any directories using
871the old form must have their links rebuilt using \fBc_rehash\fR or similar.