| 1 | .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 |
| 2 | .\" |
| 3 | .\" Standard preamble: |
| 4 | .\" ======================================================================== |
| 5 | .de Sh \" Subsection heading |
| 6 | .br |
| 7 | .if t .Sp |
| 8 | .ne 5 |
| 9 | .PP |
| 10 | \fB\\$1\fR |
| 11 | .PP |
| 12 | .. |
| 13 | .de Sp \" Vertical space (when we can't use .PP) |
| 14 | .if t .sp .5v |
| 15 | .if n .sp |
| 16 | .. |
| 17 | .de Vb \" Begin verbatim text |
| 18 | .ft CW |
| 19 | .nf |
| 20 | .ne \\$1 |
| 21 | .. |
| 22 | .de Ve \" End verbatim text |
| 23 | .ft R |
| 24 | .fi |
| 25 | .. |
| 26 | .\" Set up some character translations and predefined strings. \*(-- will |
| 27 | .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
| 28 | .\" double quote, and \*(R" will give a right double quote. | will give a |
| 29 | .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to |
| 30 | .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' |
| 31 | .\" expand to `' in nroff, nothing in troff, for use with C<>. |
| 32 | .tr \(*W-|\(bv\*(Tr |
| 33 | .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
| 34 | .ie n \{\ |
| 35 | . ds -- \(*W- |
| 36 | . ds PI pi |
| 37 | . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
| 38 | . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
| 39 | . ds L" "" |
| 40 | . ds R" "" |
| 41 | . ds C` "" |
| 42 | . ds C' "" |
| 43 | 'br\} |
| 44 | .el\{\ |
| 45 | . ds -- \|\(em\| |
| 46 | . ds PI \(*p |
| 47 | . ds L" `` |
| 48 | . ds R" '' |
| 49 | 'br\} |
| 50 | .\" |
| 51 | .\" If the F register is turned on, we'll generate index entries on stderr for |
| 52 | .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index |
| 53 | .\" entries marked with X<> in POD. Of course, you'll have to process the |
| 54 | .\" output yourself in some meaningful fashion. |
| 55 | .if \nF \{\ |
| 56 | . de IX |
| 57 | . tm Index:\\$1\t\\n%\t"\\$2" |
| 58 | .. |
| 59 | . nr % 0 |
| 60 | . rr F |
| 61 | .\} |
| 62 | .\" |
| 63 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
| 64 | .\" way too many mistakes in technical documents. |
| 65 | .hy 0 |
| 66 | .if n .na |
| 67 | .\" |
| 68 | .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
| 69 | .\" Fear. Run. Save yourself. No user-serviceable parts. |
| 70 | . \" fudge factors for nroff and troff |
| 71 | .if n \{\ |
| 72 | . ds #H 0 |
| 73 | . ds #V .8m |
| 74 | . ds #F .3m |
| 75 | . ds #[ \f1 |
| 76 | . ds #] \fP |
| 77 | .\} |
| 78 | .if t \{\ |
| 79 | . ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
| 80 | . ds #V .6m |
| 81 | . ds #F 0 |
| 82 | . ds #[ \& |
| 83 | . ds #] \& |
| 84 | .\} |
| 85 | . \" simple accents for nroff and troff |
| 86 | .if n \{\ |
| 87 | . ds ' \& |
| 88 | . ds ` \& |
| 89 | . ds ^ \& |
| 90 | . ds , \& |
| 91 | . ds ~ ~ |
| 92 | . ds / |
| 93 | .\} |
| 94 | .if t \{\ |
| 95 | . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
| 96 | . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
| 97 | . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
| 98 | . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
| 99 | . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
| 100 | . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
| 101 | .\} |
| 102 | . \" troff and (daisy-wheel) nroff accents |
| 103 | .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
| 104 | .ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
| 105 | .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
| 106 | .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
| 107 | .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
| 108 | .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
| 109 | .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
| 110 | .ds ae a\h'-(\w'a'u*4/10)'e |
| 111 | .ds Ae A\h'-(\w'A'u*4/10)'E |
| 112 | . \" corrections for vroff |
| 113 | .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
| 114 | .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
| 115 | . \" for low resolution devices (crt and lpr) |
| 116 | .if \n(.H>23 .if \n(.V>19 \ |
| 117 | \{\ |
| 118 | . ds : e |
| 119 | . ds 8 ss |
| 120 | . ds o a |
| 121 | . ds d- d\h'-1'\(ga |
| 122 | . ds D- D\h'-1'\(hy |
| 123 | . ds th \o'bp' |
| 124 | . ds Th \o'LP' |
| 125 | . ds ae ae |
| 126 | . ds Ae AE |
| 127 | .\} |
| 128 | .rm #[ #] #H #V #F C |
| 129 | .\" ======================================================================== |
| 130 | .\" |
| 131 | .IX Title "X509 1" |
| 132 | .TH X509 1 "2005-07-06" "0.9.8" "OpenSSL" |
| 133 | .SH "NAME" |
| 134 | x509 \- Certificate display and signing utility |
| 135 | .SH "SYNOPSIS" |
| 136 | .IX Header "SYNOPSIS" |
| 137 | \&\fBopenssl\fR \fBx509\fR |
| 138 | [\fB\-inform DER|PEM|NET\fR] |
| 139 | [\fB\-outform DER|PEM|NET\fR] |
| 140 | [\fB\-keyform DER|PEM\fR] |
| 141 | [\fB\-CAform DER|PEM\fR] |
| 142 | [\fB\-CAkeyform DER|PEM\fR] |
| 143 | [\fB\-in filename\fR] |
| 144 | [\fB\-out filename\fR] |
| 145 | [\fB\-serial\fR] |
| 146 | [\fB\-hash\fR] |
| 147 | [\fB\-subject_hash\fR] |
| 148 | [\fB\-issuer_hash\fR] |
| 149 | [\fB\-subject\fR] |
| 150 | [\fB\-issuer\fR] |
| 151 | [\fB\-nameopt option\fR] |
| 152 | [\fB\-email\fR] |
| 153 | [\fB\-startdate\fR] |
| 154 | [\fB\-enddate\fR] |
| 155 | [\fB\-purpose\fR] |
| 156 | [\fB\-dates\fR] |
| 157 | [\fB\-modulus\fR] |
| 158 | [\fB\-fingerprint\fR] |
| 159 | [\fB\-alias\fR] |
| 160 | [\fB\-noout\fR] |
| 161 | [\fB\-trustout\fR] |
| 162 | [\fB\-clrtrust\fR] |
| 163 | [\fB\-clrreject\fR] |
| 164 | [\fB\-addtrust arg\fR] |
| 165 | [\fB\-addreject arg\fR] |
| 166 | [\fB\-setalias arg\fR] |
| 167 | [\fB\-days arg\fR] |
| 168 | [\fB\-set_serial n\fR] |
| 169 | [\fB\-signkey filename\fR] |
| 170 | [\fB\-x509toreq\fR] |
| 171 | [\fB\-req\fR] |
| 172 | [\fB\-CA filename\fR] |
| 173 | [\fB\-CAkey filename\fR] |
| 174 | [\fB\-CAcreateserial\fR] |
| 175 | [\fB\-CAserial filename\fR] |
| 176 | [\fB\-text\fR] |
| 177 | [\fB\-C\fR] |
| 178 | [\fB\-md2|\-md5|\-sha1|\-mdc2\fR] |
| 179 | [\fB\-clrext\fR] |
| 180 | [\fB\-extfile filename\fR] |
| 181 | [\fB\-extensions section\fR] |
| 182 | [\fB\-engine id\fR] |
| 183 | .SH "DESCRIPTION" |
| 184 | .IX Header "DESCRIPTION" |
| 185 | The \fBx509\fR command is a multi purpose certificate utility. It can be |
| 186 | used to display certificate information, convert certificates to |
| 187 | various forms, sign certificate requests like a \*(L"mini \s-1CA\s0\*(R" or edit |
| 188 | certificate trust settings. |
| 189 | .PP |
| 190 | Since there are a large number of options they will split up into |
| 191 | various sections. |
| 192 | .SH "OPTIONS" |
| 193 | .IX Header "OPTIONS" |
| 194 | .Sh "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0" |
| 195 | .IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS" |
| 196 | .IP "\fB\-inform DER|PEM|NET\fR" 4 |
| 197 | .IX Item "-inform DER|PEM|NET" |
| 198 | This specifies the input format normally the command will expect an X509 |
| 199 | certificate but this can change if other options such as \fB\-req\fR are |
| 200 | present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 |
| 201 | is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines |
| 202 | added. The \s-1NET\s0 option is an obscure Netscape server format that is now |
| 203 | obsolete. |
| 204 | .IP "\fB\-outform DER|PEM|NET\fR" 4 |
| 205 | .IX Item "-outform DER|PEM|NET" |
| 206 | This specifies the output format, the options have the same meaning as the |
| 207 | \&\fB\-inform\fR option. |
| 208 | .IP "\fB\-in filename\fR" 4 |
| 209 | .IX Item "-in filename" |
| 210 | This specifies the input filename to read a certificate from or standard input |
| 211 | if this option is not specified. |
| 212 | .IP "\fB\-out filename\fR" 4 |
| 213 | .IX Item "-out filename" |
| 214 | This specifies the output filename to write to or standard output by |
| 215 | default. |
| 216 | .IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4 |
| 217 | .IX Item "-md2|-md5|-sha1|-mdc2" |
| 218 | the digest to use. This affects any signing or display option that uses a message |
| 219 | digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not |
| 220 | specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key |
| 221 | then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. |
| 222 | .IP "\fB\-engine id\fR" 4 |
| 223 | .IX Item "-engine id" |
| 224 | specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR |
| 225 | to attempt to obtain a functional reference to the specified engine, |
| 226 | thus initialising it if needed. The engine will then be set as the default |
| 227 | for all available algorithms. |
| 228 | .Sh "\s-1DISPLAY\s0 \s-1OPTIONS\s0" |
| 229 | .IX Subsection "DISPLAY OPTIONS" |
| 230 | Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options |
| 231 | but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section. |
| 232 | .IP "\fB\-text\fR" 4 |
| 233 | .IX Item "-text" |
| 234 | prints out the certificate in text form. Full details are output including the |
| 235 | public key, signature algorithms, issuer and subject names, serial number |
| 236 | any extensions present and any trust settings. |
| 237 | .IP "\fB\-certopt option\fR" 4 |
| 238 | .IX Item "-certopt option" |
| 239 | customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be |
| 240 | a single option or multiple options separated by commas. The \fB\-certopt\fR switch |
| 241 | may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR |
| 242 | section for more information. |
| 243 | .IP "\fB\-noout\fR" 4 |
| 244 | .IX Item "-noout" |
| 245 | this option prevents output of the encoded version of the request. |
| 246 | .IP "\fB\-modulus\fR" 4 |
| 247 | .IX Item "-modulus" |
| 248 | this option prints out the value of the modulus of the public key |
| 249 | contained in the certificate. |
| 250 | .IP "\fB\-serial\fR" 4 |
| 251 | .IX Item "-serial" |
| 252 | outputs the certificate serial number. |
| 253 | .IP "\fB\-subject_hash\fR" 4 |
| 254 | .IX Item "-subject_hash" |
| 255 | outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to |
| 256 | form an index to allow certificates in a directory to be looked up by subject |
| 257 | name. |
| 258 | .IP "\fB\-issuer_hash\fR" 4 |
| 259 | .IX Item "-issuer_hash" |
| 260 | outputs the \*(L"hash\*(R" of the certificate issuer name. |
| 261 | .IP "\fB\-hash\fR" 4 |
| 262 | .IX Item "-hash" |
| 263 | synonym for \*(L"\-hash\*(R" for backward compatibility reasons. |
| 264 | .IP "\fB\-subject\fR" 4 |
| 265 | .IX Item "-subject" |
| 266 | outputs the subject name. |
| 267 | .IP "\fB\-issuer\fR" 4 |
| 268 | .IX Item "-issuer" |
| 269 | outputs the issuer name. |
| 270 | .IP "\fB\-nameopt option\fR" 4 |
| 271 | .IX Item "-nameopt option" |
| 272 | option which determines how the subject or issuer names are displayed. The |
| 273 | \&\fBoption\fR argument can be a single option or multiple options separated by |
| 274 | commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to |
| 275 | set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information. |
| 276 | .IP "\fB\-email\fR" 4 |
| 277 | .IX Item "-email" |
| 278 | outputs the email address(es) if any. |
| 279 | .IP "\fB\-startdate\fR" 4 |
| 280 | .IX Item "-startdate" |
| 281 | prints out the start date of the certificate, that is the notBefore date. |
| 282 | .IP "\fB\-enddate\fR" 4 |
| 283 | .IX Item "-enddate" |
| 284 | prints out the expiry date of the certificate, that is the notAfter date. |
| 285 | .IP "\fB\-dates\fR" 4 |
| 286 | .IX Item "-dates" |
| 287 | prints out the start and expiry dates of a certificate. |
| 288 | .IP "\fB\-fingerprint\fR" 4 |
| 289 | .IX Item "-fingerprint" |
| 290 | prints out the digest of the \s-1DER\s0 encoded version of the whole certificate |
| 291 | (see digest options). |
| 292 | .IP "\fB\-C\fR" 4 |
| 293 | .IX Item "-C" |
| 294 | this outputs the certificate in the form of a C source file. |
| 295 | .Sh "\s-1TRUST\s0 \s-1SETTINGS\s0" |
| 296 | .IX Subsection "TRUST SETTINGS" |
| 297 | Please note these options are currently experimental and may well change. |
| 298 | .PP |
| 299 | A \fBtrusted certificate\fR is an ordinary certificate which has several |
| 300 | additional pieces of information attached to it such as the permitted |
| 301 | and prohibited uses of the certificate and an \*(L"alias\*(R". |
| 302 | .PP |
| 303 | Normally when a certificate is being verified at least one certificate |
| 304 | must be \*(L"trusted\*(R". By default a trusted certificate must be stored |
| 305 | locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0 |
| 306 | is then usable for any purpose. |
| 307 | .PP |
| 308 | Trust settings currently are only used with a root \s-1CA\s0. They allow a finer |
| 309 | control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0 |
| 310 | may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use. |
| 311 | .PP |
| 312 | See the description of the \fBverify\fR utility for more information on the |
| 313 | meaning of trust settings. |
| 314 | .PP |
| 315 | Future versions of OpenSSL will recognize trust settings on any |
| 316 | certificate: not just root CAs. |
| 317 | .IP "\fB\-trustout\fR" 4 |
| 318 | .IX Item "-trustout" |
| 319 | this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary |
| 320 | or trusted certificate can be input but by default an ordinary |
| 321 | certificate is output and any trust settings are discarded. With the |
| 322 | \&\fB\-trustout\fR option a trusted certificate is output. A trusted |
| 323 | certificate is automatically output if any trust settings are modified. |
| 324 | .IP "\fB\-setalias arg\fR" 4 |
| 325 | .IX Item "-setalias arg" |
| 326 | sets the alias of the certificate. This will allow the certificate |
| 327 | to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". |
| 328 | .IP "\fB\-alias\fR" 4 |
| 329 | .IX Item "-alias" |
| 330 | outputs the certificate alias, if any. |
| 331 | .IP "\fB\-clrtrust\fR" 4 |
| 332 | .IX Item "-clrtrust" |
| 333 | clears all the permitted or trusted uses of the certificate. |
| 334 | .IP "\fB\-clrreject\fR" 4 |
| 335 | .IX Item "-clrreject" |
| 336 | clears all the prohibited or rejected uses of the certificate. |
| 337 | .IP "\fB\-addtrust arg\fR" 4 |
| 338 | .IX Item "-addtrust arg" |
| 339 | adds a trusted certificate use. Any object name can be used here |
| 340 | but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR |
| 341 | (\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used. |
| 342 | Other OpenSSL applications may define additional uses. |
| 343 | .IP "\fB\-addreject arg\fR" 4 |
| 344 | .IX Item "-addreject arg" |
| 345 | adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR |
| 346 | option. |
| 347 | .IP "\fB\-purpose\fR" 4 |
| 348 | .IX Item "-purpose" |
| 349 | this option performs tests on the certificate extensions and outputs |
| 350 | the results. For a more complete description see the \fB\s-1CERTIFICATE\s0 |
| 351 | \&\s-1EXTENSIONS\s0\fR section. |
| 352 | .Sh "\s-1SIGNING\s0 \s-1OPTIONS\s0" |
| 353 | .IX Subsection "SIGNING OPTIONS" |
| 354 | The \fBx509\fR utility can be used to sign certificates and requests: it |
| 355 | can thus behave like a \*(L"mini \s-1CA\s0\*(R". |
| 356 | .IP "\fB\-signkey filename\fR" 4 |
| 357 | .IX Item "-signkey filename" |
| 358 | this option causes the input file to be self signed using the supplied |
| 359 | private key. |
| 360 | .Sp |
| 361 | If the input file is a certificate it sets the issuer name to the |
| 362 | subject name (i.e. makes it self signed) changes the public key to the |
| 363 | supplied value and changes the start and end dates. The start date is |
| 364 | set to the current time and the end date is set to a value determined |
| 365 | by the \fB\-days\fR option. Any certificate extensions are retained unless |
| 366 | the \fB\-clrext\fR option is supplied. |
| 367 | .Sp |
| 368 | If the input is a certificate request then a self signed certificate |
| 369 | is created using the supplied private key using the subject name in |
| 370 | the request. |
| 371 | .IP "\fB\-clrext\fR" 4 |
| 372 | .IX Item "-clrext" |
| 373 | delete any extensions from a certificate. This option is used when a |
| 374 | certificate is being created from another certificate (for example with |
| 375 | the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are |
| 376 | retained. |
| 377 | .IP "\fB\-keyform PEM|DER\fR" 4 |
| 378 | .IX Item "-keyform PEM|DER" |
| 379 | specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the |
| 380 | \&\fB\-signkey\fR option. |
| 381 | .IP "\fB\-days arg\fR" 4 |
| 382 | .IX Item "-days arg" |
| 383 | specifies the number of days to make a certificate valid for. The default |
| 384 | is 30 days. |
| 385 | .IP "\fB\-x509toreq\fR" 4 |
| 386 | .IX Item "-x509toreq" |
| 387 | converts a certificate into a certificate request. The \fB\-signkey\fR option |
| 388 | is used to pass the required private key. |
| 389 | .IP "\fB\-req\fR" 4 |
| 390 | .IX Item "-req" |
| 391 | by default a certificate is expected on input. With this option a |
| 392 | certificate request is expected instead. |
| 393 | .IP "\fB\-set_serial n\fR" 4 |
| 394 | .IX Item "-set_serial n" |
| 395 | specifies the serial number to use. This option can be used with either |
| 396 | the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR |
| 397 | option the serial number file (as specified by the \fB\-CAserial\fR or |
| 398 | \&\fB\-CAcreateserial\fR options) is not used. |
| 399 | .Sp |
| 400 | The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative |
| 401 | serial numbers can also be specified but their use is not recommended. |
| 402 | .IP "\fB\-CA filename\fR" 4 |
| 403 | .IX Item "-CA filename" |
| 404 | specifies the \s-1CA\s0 certificate to be used for signing. When this option is |
| 405 | present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this |
| 406 | \&\s-1CA\s0 using this option: that is its issuer name is set to the subject name |
| 407 | of the \s-1CA\s0 and it is digitally signed using the CAs private key. |
| 408 | .Sp |
| 409 | This option is normally combined with the \fB\-req\fR option. Without the |
| 410 | \&\fB\-req\fR option the input is a certificate which must be self signed. |
| 411 | .IP "\fB\-CAkey filename\fR" 4 |
| 412 | .IX Item "-CAkey filename" |
| 413 | sets the \s-1CA\s0 private key to sign a certificate with. If this option is |
| 414 | not specified then it is assumed that the \s-1CA\s0 private key is present in |
| 415 | the \s-1CA\s0 certificate file. |
| 416 | .IP "\fB\-CAserial filename\fR" 4 |
| 417 | .IX Item "-CAserial filename" |
| 418 | sets the \s-1CA\s0 serial number file to use. |
| 419 | .Sp |
| 420 | When the \fB\-CA\fR option is used to sign a certificate it uses a serial |
| 421 | number specified in a file. This file consist of one line containing |
| 422 | an even number of hex digits with the serial number to use. After each |
| 423 | use the serial number is incremented and written out to the file again. |
| 424 | .Sp |
| 425 | The default filename consists of the \s-1CA\s0 certificate file base name with |
| 426 | \&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called |
| 427 | \&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". |
| 428 | .IP "\fB\-CAcreateserial\fR" 4 |
| 429 | .IX Item "-CAcreateserial" |
| 430 | with this option the \s-1CA\s0 serial number file is created if it does not exist: |
| 431 | it will contain the serial number \*(L"02\*(R" and the certificate being signed will |
| 432 | have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified |
| 433 | and the serial number file does not exist it is an error. |
| 434 | .IP "\fB\-extfile filename\fR" 4 |
| 435 | .IX Item "-extfile filename" |
| 436 | file containing certificate extensions to use. If not specified then |
| 437 | no extensions are added to the certificate. |
| 438 | .IP "\fB\-extensions section\fR" 4 |
| 439 | .IX Item "-extensions section" |
| 440 | the section to add certificate extensions from. If this option is not |
| 441 | specified then the extensions should either be contained in the unnamed |
| 442 | (default) section or the default section should contain a variable called |
| 443 | \&\*(L"extensions\*(R" which contains the section to use. |
| 444 | .Sh "\s-1NAME\s0 \s-1OPTIONS\s0" |
| 445 | .IX Subsection "NAME OPTIONS" |
| 446 | The \fBnameopt\fR command line switch determines how the subject and issuer |
| 447 | names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" |
| 448 | format is used which is compatible with previous versions of OpenSSL. |
| 449 | Each option is described in detail below, all options can be preceded by |
| 450 | a \fB\-\fR to turn the option off. Only the first four will normally be used. |
| 451 | .IP "\fBcompat\fR" 4 |
| 452 | .IX Item "compat" |
| 453 | use the old format. This is equivalent to specifying no name options at all. |
| 454 | .IP "\fB\s-1RFC2253\s0\fR" 4 |
| 455 | .IX Item "RFC2253" |
| 456 | displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, |
| 457 | \&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, |
| 458 | \&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. |
| 459 | .IP "\fBoneline\fR" 4 |
| 460 | .IX Item "oneline" |
| 461 | a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to |
| 462 | specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, |
| 463 | \&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_spc\fR, \fBspc_eq\fR and \fBsname\fR |
| 464 | options. |
| 465 | .IP "\fBmultiline\fR" 4 |
| 466 | .IX Item "multiline" |
| 467 | a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, |
| 468 | \&\fBspc_eq\fR, \fBlname\fR and \fBalign\fR. |
| 469 | .IP "\fBesc_2253\fR" 4 |
| 470 | .IX Item "esc_2253" |
| 471 | escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is |
| 472 | \&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string |
| 473 | and a space character at the beginning or end of a string. |
| 474 | .IP "\fBesc_ctrl\fR" 4 |
| 475 | .IX Item "esc_ctrl" |
| 476 | escape control characters. That is those with \s-1ASCII\s0 values less than |
| 477 | 0x20 (space) and the delete (0x7f) character. They are escaped using the |
| 478 | \&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the |
| 479 | character value). |
| 480 | .IP "\fBesc_msb\fR" 4 |
| 481 | .IX Item "esc_msb" |
| 482 | escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than |
| 483 | 127. |
| 484 | .IP "\fBuse_quote\fR" 4 |
| 485 | .IX Item "use_quote" |
| 486 | escapes some characters by surrounding the whole string with \fB"\fR characters, |
| 487 | without the option all escaping is done with the \fB\e\fR character. |
| 488 | .IP "\fButf8\fR" 4 |
| 489 | .IX Item "utf8" |
| 490 | convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If |
| 491 | you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use |
| 492 | of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct |
| 493 | display of multibyte (international) characters. Is this option is not |
| 494 | present then multibyte characters larger than 0xff will be represented |
| 495 | using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits. |
| 496 | Also if this option is off any UTF8Strings will be converted to their |
| 497 | character form first. |
| 498 | .IP "\fBno_type\fR" 4 |
| 499 | .IX Item "no_type" |
| 500 | this option does not attempt to interpret multibyte characters in any |
| 501 | way. That is their content octets are merely dumped as though one octet |
| 502 | represents each character. This is useful for diagnostic purposes but |
| 503 | will result in rather odd looking output. |
| 504 | .IP "\fBshow_type\fR" 4 |
| 505 | .IX Item "show_type" |
| 506 | show the type of the \s-1ASN1\s0 character string. The type precedes the |
| 507 | field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". |
| 508 | .IP "\fBdump_der\fR" 4 |
| 509 | .IX Item "dump_der" |
| 510 | when this option is set any fields that need to be hexdumped will |
| 511 | be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the |
| 512 | content octets will be displayed. Both options use the \s-1RFC2253\s0 |
| 513 | \&\fB#XXXX...\fR format. |
| 514 | .IP "\fBdump_nostr\fR" 4 |
| 515 | .IX Item "dump_nostr" |
| 516 | dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this |
| 517 | option is not set then non character string types will be displayed |
| 518 | as though each content octet represents a single character. |
| 519 | .IP "\fBdump_all\fR" 4 |
| 520 | .IX Item "dump_all" |
| 521 | dump all fields. This option when used with \fBdump_der\fR allows the |
| 522 | \&\s-1DER\s0 encoding of the structure to be unambiguously determined. |
| 523 | .IP "\fBdump_unknown\fR" 4 |
| 524 | .IX Item "dump_unknown" |
| 525 | dump any field whose \s-1OID\s0 is not recognised by OpenSSL. |
| 526 | .IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 |
| 527 | .IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" |
| 528 | these options determine the field separators. The first character is |
| 529 | between RDNs and the second between multiple AVAs (multiple AVAs are |
| 530 | very rare and their use is discouraged). The options ending in |
| 531 | \&\*(L"space\*(R" additionally place a space after the separator to make it |
| 532 | more readable. The \fBsep_multiline\fR uses a linefeed character for |
| 533 | the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also |
| 534 | indents the fields by four characters. |
| 535 | .IP "\fBdn_rev\fR" 4 |
| 536 | .IX Item "dn_rev" |
| 537 | reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side |
| 538 | effect this also reverses the order of multiple AVAs but this is |
| 539 | permissible. |
| 540 | .IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 |
| 541 | .IX Item "nofname, sname, lname, oid" |
| 542 | these options alter how the field name is displayed. \fBnofname\fR does |
| 543 | not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form |
| 544 | (\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. |
| 545 | \&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for |
| 546 | diagnostic purpose. |
| 547 | .IP "\fBalign\fR" 4 |
| 548 | .IX Item "align" |
| 549 | align field values for a more readable output. Only usable with |
| 550 | \&\fBsep_multiline\fR. |
| 551 | .IP "\fBspc_eq\fR" 4 |
| 552 | .IX Item "spc_eq" |
| 553 | places spaces round the \fB=\fR character which follows the field |
| 554 | name. |
| 555 | .Sh "\s-1TEXT\s0 \s-1OPTIONS\s0" |
| 556 | .IX Subsection "TEXT OPTIONS" |
| 557 | As well as customising the name output format, it is also possible to |
| 558 | customise the actual fields printed using the \fBcertopt\fR options when |
| 559 | the \fBtext\fR option is present. The default behaviour is to print all fields. |
| 560 | .IP "\fBcompatible\fR" 4 |
| 561 | .IX Item "compatible" |
| 562 | use the old format. This is equivalent to specifying no output options at all. |
| 563 | .IP "\fBno_header\fR" 4 |
| 564 | .IX Item "no_header" |
| 565 | don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R". |
| 566 | .IP "\fBno_version\fR" 4 |
| 567 | .IX Item "no_version" |
| 568 | don't print out the version number. |
| 569 | .IP "\fBno_serial\fR" 4 |
| 570 | .IX Item "no_serial" |
| 571 | don't print out the serial number. |
| 572 | .IP "\fBno_signame\fR" 4 |
| 573 | .IX Item "no_signame" |
| 574 | don't print out the signature algorithm used. |
| 575 | .IP "\fBno_validity\fR" 4 |
| 576 | .IX Item "no_validity" |
| 577 | don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. |
| 578 | .IP "\fBno_subject\fR" 4 |
| 579 | .IX Item "no_subject" |
| 580 | don't print out the subject name. |
| 581 | .IP "\fBno_issuer\fR" 4 |
| 582 | .IX Item "no_issuer" |
| 583 | don't print out the issuer name. |
| 584 | .IP "\fBno_pubkey\fR" 4 |
| 585 | .IX Item "no_pubkey" |
| 586 | don't print out the public key. |
| 587 | .IP "\fBno_sigdump\fR" 4 |
| 588 | .IX Item "no_sigdump" |
| 589 | don't give a hexadecimal dump of the certificate signature. |
| 590 | .IP "\fBno_aux\fR" 4 |
| 591 | .IX Item "no_aux" |
| 592 | don't print out certificate trust information. |
| 593 | .IP "\fBno_extensions\fR" 4 |
| 594 | .IX Item "no_extensions" |
| 595 | don't print out any X509V3 extensions. |
| 596 | .IP "\fBext_default\fR" 4 |
| 597 | .IX Item "ext_default" |
| 598 | retain default extension behaviour: attempt to print out unsupported certificate extensions. |
| 599 | .IP "\fBext_error\fR" 4 |
| 600 | .IX Item "ext_error" |
| 601 | print an error message for unsupported certificate extensions. |
| 602 | .IP "\fBext_parse\fR" 4 |
| 603 | .IX Item "ext_parse" |
| 604 | \&\s-1ASN1\s0 parse unsupported extensions. |
| 605 | .IP "\fBext_dump\fR" 4 |
| 606 | .IX Item "ext_dump" |
| 607 | hex dump unsupported extensions. |
| 608 | .IP "\fBca_default\fR" 4 |
| 609 | .IX Item "ca_default" |
| 610 | the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR, |
| 611 | \&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR. |
| 612 | .SH "EXAMPLES" |
| 613 | .IX Header "EXAMPLES" |
| 614 | Note: in these examples the '\e' means the example should be all on one |
| 615 | line. |
| 616 | .PP |
| 617 | Display the contents of a certificate: |
| 618 | .PP |
| 619 | .Vb 1 |
| 620 | \& openssl x509 -in cert.pem -noout -text |
| 621 | .Ve |
| 622 | .PP |
| 623 | Display the certificate serial number: |
| 624 | .PP |
| 625 | .Vb 1 |
| 626 | \& openssl x509 -in cert.pem -noout -serial |
| 627 | .Ve |
| 628 | .PP |
| 629 | Display the certificate subject name: |
| 630 | .PP |
| 631 | .Vb 1 |
| 632 | \& openssl x509 -in cert.pem -noout -subject |
| 633 | .Ve |
| 634 | .PP |
| 635 | Display the certificate subject name in \s-1RFC2253\s0 form: |
| 636 | .PP |
| 637 | .Vb 1 |
| 638 | \& openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 |
| 639 | .Ve |
| 640 | .PP |
| 641 | Display the certificate subject name in oneline form on a terminal |
| 642 | supporting \s-1UTF8:\s0 |
| 643 | .PP |
| 644 | .Vb 1 |
| 645 | \& openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb |
| 646 | .Ve |
| 647 | .PP |
| 648 | Display the certificate \s-1MD5\s0 fingerprint: |
| 649 | .PP |
| 650 | .Vb 1 |
| 651 | \& openssl x509 -in cert.pem -noout -fingerprint |
| 652 | .Ve |
| 653 | .PP |
| 654 | Display the certificate \s-1SHA1\s0 fingerprint: |
| 655 | .PP |
| 656 | .Vb 1 |
| 657 | \& openssl x509 -sha1 -in cert.pem -noout -fingerprint |
| 658 | .Ve |
| 659 | .PP |
| 660 | Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format: |
| 661 | .PP |
| 662 | .Vb 1 |
| 663 | \& openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER |
| 664 | .Ve |
| 665 | .PP |
| 666 | Convert a certificate to a certificate request: |
| 667 | .PP |
| 668 | .Vb 1 |
| 669 | \& openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem |
| 670 | .Ve |
| 671 | .PP |
| 672 | Convert a certificate request into a self signed certificate using |
| 673 | extensions for a \s-1CA:\s0 |
| 674 | .PP |
| 675 | .Vb 2 |
| 676 | \& openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \e |
| 677 | \& -signkey key.pem -out cacert.pem |
| 678 | .Ve |
| 679 | .PP |
| 680 | Sign a certificate request using the \s-1CA\s0 certificate above and add user |
| 681 | certificate extensions: |
| 682 | .PP |
| 683 | .Vb 2 |
| 684 | \& openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \e |
| 685 | \& -CA cacert.pem -CAkey key.pem -CAcreateserial |
| 686 | .Ve |
| 687 | .PP |
| 688 | Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to |
| 689 | \&\*(L"Steve's Class 1 \s-1CA\s0\*(R" |
| 690 | .PP |
| 691 | .Vb 2 |
| 692 | \& openssl x509 -in cert.pem -addtrust clientAuth \e |
| 693 | \& -setalias "Steve's Class 1 CA" -out trust.pem |
| 694 | .Ve |
| 695 | .SH "NOTES" |
| 696 | .IX Header "NOTES" |
| 697 | The \s-1PEM\s0 format uses the header and footer lines: |
| 698 | .PP |
| 699 | .Vb 2 |
| 700 | \& -----BEGIN CERTIFICATE----- |
| 701 | \& -----END CERTIFICATE----- |
| 702 | .Ve |
| 703 | .PP |
| 704 | it will also handle files containing: |
| 705 | .PP |
| 706 | .Vb 2 |
| 707 | \& -----BEGIN X509 CERTIFICATE----- |
| 708 | \& -----END X509 CERTIFICATE----- |
| 709 | .Ve |
| 710 | .PP |
| 711 | Trusted certificates have the lines |
| 712 | .PP |
| 713 | .Vb 2 |
| 714 | \& -----BEGIN TRUSTED CERTIFICATE----- |
| 715 | \& -----END TRUSTED CERTIFICATE----- |
| 716 | .Ve |
| 717 | .PP |
| 718 | The conversion to \s-1UTF8\s0 format used with the name options assumes that |
| 719 | T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape |
| 720 | and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect |
| 721 | it is more likely to display the majority of certificates correctly. |
| 722 | .PP |
| 723 | The \fB\-fingerprint\fR option takes the digest of the \s-1DER\s0 encoded certificate. |
| 724 | This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message |
| 725 | digests the fingerprint of a certificate is unique to that certificate and |
| 726 | two certificates with the same fingerprint can be considered to be the same. |
| 727 | .PP |
| 728 | The Netscape fingerprint uses \s-1MD5\s0 whereas \s-1MSIE\s0 uses \s-1SHA1\s0. |
| 729 | .PP |
| 730 | The \fB\-email\fR option searches the subject name and the subject alternative |
| 731 | name extension. Only unique email addresses will be printed out: it will |
| 732 | not print the same address more than once. |
| 733 | .SH "CERTIFICATE EXTENSIONS" |
| 734 | .IX Header "CERTIFICATE EXTENSIONS" |
| 735 | The \fB\-purpose\fR option checks the certificate extensions and determines |
| 736 | what the certificate can be used for. The actual checks done are rather |
| 737 | complex and include various hacks and workarounds to handle broken |
| 738 | certificates and software. |
| 739 | .PP |
| 740 | The same code is used when verifying untrusted certificates in chains |
| 741 | so this section is useful if a chain is rejected by the verify code. |
| 742 | .PP |
| 743 | The basicConstraints extension \s-1CA\s0 flag is used to determine whether the |
| 744 | certificate can be used as a \s-1CA\s0. If the \s-1CA\s0 flag is true then it is a \s-1CA\s0, |
| 745 | if the \s-1CA\s0 flag is false then it is not a \s-1CA\s0. \fBAll\fR CAs should have the |
| 746 | \&\s-1CA\s0 flag set to true. |
| 747 | .PP |
| 748 | If the basicConstraints extension is absent then the certificate is |
| 749 | considered to be a \*(L"possible \s-1CA\s0\*(R" other extensions are checked according |
| 750 | to the intended use of the certificate. A warning is given in this case |
| 751 | because the certificate should really not be regarded as a \s-1CA:\s0 however |
| 752 | it is allowed to be a \s-1CA\s0 to work around some broken software. |
| 753 | .PP |
| 754 | If the certificate is a V1 certificate (and thus has no extensions) and |
| 755 | it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again |
| 756 | given: this is to work around the problem of Verisign roots which are V1 |
| 757 | self signed certificates. |
| 758 | .PP |
| 759 | If the keyUsage extension is present then additional restraints are |
| 760 | made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the |
| 761 | keyCertSign bit set if the keyUsage extension is present. |
| 762 | .PP |
| 763 | The extended key usage extension places additional restrictions on the |
| 764 | certificate uses. If this extension is present (whether critical or not) |
| 765 | the key can only be used for the purposes specified. |
| 766 | .PP |
| 767 | A complete description of each test is given below. The comments about |
| 768 | basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR |
| 769 | \&\s-1CA\s0 certificates. |
| 770 | .IP "\fB\s-1SSL\s0 Client\fR" 4 |
| 771 | .IX Item "SSL Client" |
| 772 | The extended key usage extension must be absent or include the \*(L"web client |
| 773 | authentication\*(R" \s-1OID\s0. keyUsage must be absent or it must have the |
| 774 | digitalSignature bit set. Netscape certificate type must be absent or it must |
| 775 | have the \s-1SSL\s0 client bit set. |
| 776 | .IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4 |
| 777 | .IX Item "SSL Client CA" |
| 778 | The extended key usage extension must be absent or include the \*(L"web client |
| 779 | authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have |
| 780 | the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints |
| 781 | extension is absent. |
| 782 | .IP "\fB\s-1SSL\s0 Server\fR" 4 |
| 783 | .IX Item "SSL Server" |
| 784 | The extended key usage extension must be absent or include the \*(L"web server |
| 785 | authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it |
| 786 | must have the digitalSignature, the keyEncipherment set or both bits set. |
| 787 | Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set. |
| 788 | .IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4 |
| 789 | .IX Item "SSL Server CA" |
| 790 | The extended key usage extension must be absent or include the \*(L"web server |
| 791 | authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must |
| 792 | be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the |
| 793 | basicConstraints extension is absent. |
| 794 | .IP "\fBNetscape \s-1SSL\s0 Server\fR" 4 |
| 795 | .IX Item "Netscape SSL Server" |
| 796 | For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the |
| 797 | keyEncipherment bit set if the keyUsage extension is present. This isn't |
| 798 | always valid because some cipher suites use the key for digital signing. |
| 799 | Otherwise it is the same as a normal \s-1SSL\s0 server. |
| 800 | .IP "\fBCommon S/MIME Client Tests\fR" 4 |
| 801 | .IX Item "Common S/MIME Client Tests" |
| 802 | The extended key usage extension must be absent or include the \*(L"email |
| 803 | protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the |
| 804 | S/MIME bit set. If the S/MIME bit is not set in netscape certificate type |
| 805 | then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: |
| 806 | this is because some Verisign certificates don't set the S/MIME bit. |
| 807 | .IP "\fBS/MIME Signing\fR" 4 |
| 808 | .IX Item "S/MIME Signing" |
| 809 | In addition to the common S/MIME client tests the digitalSignature bit must |
| 810 | be set if the keyUsage extension is present. |
| 811 | .IP "\fBS/MIME Encryption\fR" 4 |
| 812 | .IX Item "S/MIME Encryption" |
| 813 | In addition to the common S/MIME tests the keyEncipherment bit must be set |
| 814 | if the keyUsage extension is present. |
| 815 | .IP "\fBS/MIME \s-1CA\s0\fR" 4 |
| 816 | .IX Item "S/MIME CA" |
| 817 | The extended key usage extension must be absent or include the \*(L"email |
| 818 | protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the |
| 819 | S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints |
| 820 | extension is absent. |
| 821 | .IP "\fB\s-1CRL\s0 Signing\fR" 4 |
| 822 | .IX Item "CRL Signing" |
| 823 | The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit |
| 824 | set. |
| 825 | .IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4 |
| 826 | .IX Item "CRL Signing CA" |
| 827 | The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension |
| 828 | must be present. |
| 829 | .SH "BUGS" |
| 830 | .IX Header "BUGS" |
| 831 | Extensions in certificates are not transferred to certificate requests and |
| 832 | vice versa. |
| 833 | .PP |
| 834 | It is possible to produce invalid certificates or requests by specifying the |
| 835 | wrong private key or using inconsistent options in some cases: these should |
| 836 | be checked. |
| 837 | .PP |
| 838 | There should be options to explicitly set such things as start and end |
| 839 | dates rather than an offset from the current time. |
| 840 | .PP |
| 841 | The code to implement the verify behaviour described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR |
| 842 | is currently being developed. It thus describes the intended behaviour rather |
| 843 | than the current behaviour. It is hoped that it will represent reality in |
| 844 | OpenSSL 0.9.5 and later. |
| 845 | .SH "SEE ALSO" |
| 846 | .IX Header "SEE ALSO" |
| 847 | \&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), |
| 848 | \&\fIgendsa\fR\|(1), \fIverify\fR\|(1) |
| 849 | .SH "HISTORY" |
| 850 | .IX Header "HISTORY" |
| 851 | Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0. |