present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option.
+file using the B<out> option.
=back
The output will typically contain lines like this:
- 0:d=0 hl=4 l= 681 cons: SEQUENCE
+ 0:d=0 hl=4 l= 681 cons: SEQUENCE
.....
- 229:d=3 hl=3 l= 141 prim: BIT STRING
- 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
- 376:d=3 hl=3 l= 159 cons: SEQUENCE
- 379:d=4 hl=2 l= 29 cons: SEQUENCE
+ 229:d=3 hl=3 l= 141 prim: BIT STRING
+ 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
+ 376:d=3 hl=3 l= 159 cons: SEQUENCE
+ 379:d=4 hl=2 l= 29 cons: SEQUENCE
381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 386:d=5 hl=2 l= 22 prim: OCTET STRING
- 410:d=4 hl=2 l= 112 cons: SEQUENCE
+ 386:d=5 hl=2 l= 22 prim: OCTET STRING
+ 410:d=4 hl=2 l= 112 cons: SEQUENCE
412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 417:d=5 hl=2 l= 105 prim: OCTET STRING
- 524:d=4 hl=2 l= 12 cons: SEQUENCE
+ 417:d=5 hl=2 l= 105 prim: OCTET STRING
+ 524:d=4 hl=2 l= 12 cons: SEQUENCE
.....
The B<-i> option can be used to make the output more readable.
-Some knowledge of the ASN.1 structure is needed to interpret the output.
+Some knowledge of the ASN.1 structure is needed to interpret the output.
In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option B<-strparse 229> to yield:
- 0:d=0 hl=3 l= 137 cons: SEQUENCE
+ 0:d=0 hl=3 l= 137 cons: SEQUENCE
3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
135:d=1 hl=2 l= 3 prim: INTEGER :010001
=head1 NOTES
If an OID is not part of OpenSSL's internal table it will be represented in
-numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
space. The second column is the "short name" which is a single word followed
=item B<-infiles>
if present this should be the last option, all subsequent arguments
-are assumed to the the names of files containing certificate requests.
+are assumed to the the names of files containing certificate requests.
=item B<-out filename>
=item B<-preserveDN>
Normally the DN order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order
+fields in the relevant policy section. When this option is set the order
is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+this option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
-by white space and finally the long name.
+by white space and finally the long name.
=item B<oid_section>
=item B<default_days>
the same as the B<-days> option. The number of days to certify
-a certificate for.
+a certificate for.
=item B<default_startdate>
The input to the B<-spkac> command line option is a Netscape
signed public key and challenge. This will usually come from
-the B<KEYGEN> tag in an HTML form to create a new private key.
+the B<KEYGEN> tag in an HTML form to create a new private key.
It is however possible to create SPKACs using the B<spkac> utility.
The file should contain the variable SPKAC set to the value of
[ ca ]
default_ca = CA_default # The default ca section
-
+
[ CA_default ]
dir = ./demoCA # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
-
+
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
-
+
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
=head1 RESTRICTIONS
-The text database index file is a critical part of the process and
+The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.
=head1 SEE ALSO
L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
-L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)>
+L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)>
=cut
cipher suites using SHA1.
-=item B<aGOST>
+=item B<aGOST>
cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
-(needs an engine supporting GOST algorithms).
+(needs an engine supporting GOST algorithms).
=item B<aGOST01>
=item B<-sign_receipt>
-Generate and output a signed receipt for the supplied message. The input
+Generate and output a signed receipt for the supplied message. The input
message B<must> contain a signed receipt request. Functionality is otherwise
similar to the B<-sign> operation.
=item B<-verify_receipt receipt>
-Verify a signed receipt in filename B<receipt>. The input message B<must>
+Verify a signed receipt in filename B<receipt>. The input message B<must>
contain the original receipt request. Functionality is otherwise similar
to the B<-verify> operation.
this option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME
+off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for a list of ciphers
supported by your version of OpenSSL.
-If not specified triple DES is used. Only used with B<-encrypt> and
+If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
=item B<-nointern>
=item B<-receipt_request_to emailaddress>
-Add an explicit email address where signed receipts should be sent to. This
+Add an explicit email address where signed receipts should be sent to. This
option B<must> but supplied if a signed receipt it requested.
=item B<-receipt_request_print>
set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
-numerical format.
+numerical format.
=item B<-inkey file>
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
-a message.
+a message.
=item B<-to, -from, -subject>
the operation was completely successfully.
-=item 1
+=item 1
an error occurred parsing the command options.
-----BEGIN PKCS7-----
-----END PKCS7-----
-and using the command,
+and using the command,
openssl cms -verify -inform PEM -in signature.pem -content content.txt
unless an option is used in the sub command to use an alternative configuration
file.
-To enable library configuration the default section needs to contain an
+To enable library configuration the default section needs to contain an
appropriate line which points to the main configuration section. The default
name is B<openssl_conf> which is used by the B<openssl> utility. Other
applications may use an alternative name such as B<myapplicaton_conf>.
The configuration section should consist of a set of name value pairs which
contain specific module configuration information. The B<name> represents
-the name of the I<configuration module> the meaning of the B<value> is
+the name of the I<configuration module> the meaning of the B<value> is
module specific: it may, for example, represent a further configuration
section containing configuration module specific information. E.g.
as any compliant applications. For example:
[new_oids]
-
+
some_new_oid = 1.2.3.4
some_other_oid = 1.2.3.5
[bar_section]
... "bar" ENGINE specific commands ...
-The command B<engine_id> is used to give the ENGINE name. If used this
+The command B<engine_id> is used to give the ENGINE name. If used this
command must be first. For example:
[engine_section]
supply using the functions B<ENGINE_set_default_string()>
If the name matches none of the above command names it is assumed to be a
-ctrl command which is sent to the ENGINE. The value of the command is the
+ctrl command which is sent to the ENGINE. The value of the command is the
argument to the ctrl command. If the value is the string B<EMPTY> then no
value is sent to the command.
mentioned above.
# This is the default section.
-
+
HOME=/temp
RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
set to any value at all. If you just include the environment variable
names and the variable doesn't exist then this will cause an error when
an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with B<TEMP> taking
+default section both values can be looked up with B<TEMP> taking
priority and B</tmp> used if neither is defined:
TMP=/tmp
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
Creates a PKCS#7 structure in DER format with no CRL from several
different certificates:
- openssl crl2pkcs7 -nocrl -certfile newcert.pem
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem
-certfile demoCA/cacert.pem -outform DER -out p7.der
=head1 NOTES
=head1 SYNOPSIS
-B<openssl> B<dgst>
+B<openssl> B<dgst>
[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
[B<-c>]
[B<-d>]
=over 8
=item B<key:string>
-
+
Specifies MAC key as alphnumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the MAC algorithm for example exactly 32 chars for gost-mac.
generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
+all others.
=item B<file...>
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in> I<filename>
this option specifies that a parameter set should be generated of size
I<numbits>. It must be the last option. If not present then a value of 512
-is used. If this option is present then the input file is ignored and
+is used. If this option is present then the input file is ignored and
parameters are generated instead.
=item B<-noout>
The program B<dhparam> combines the functionality of the programs B<dh> and
B<gendh> in previous versions of OpenSSL and SSLeay. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future
+programs are retained for now but may have different purposes in future
versions of OpenSSL.
=head1 NOTES
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, or the
+These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<dsa> utility to read in an encrypted key with no
openssl dsa -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl dsa -in key.pem -outform DER -out keyout.der
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=head1 DESCRIPTION
The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the
+forms and their components printed out. B<Note> OpenSSL uses the
private key format specified in 'SEC 1: Elliptic Curve Cryptography'
(http://www.secg.org/). To convert a OpenSSL EC private key into the
PKCS#8 private key format use the B<pkcs8> command.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, IDEA or
+These options encrypt the private key with the DES, triple DES, IDEA or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by a OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the
+explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
is currently not implemented in OpenSSL.
openssl ec -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl ec -in key.pem -outform DER -out keyout.der
This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
form compatible with RFC 3279 EcpkParameters. The PEM form is the default
-format: it consists of the B<DER> format base64 encoded with additional
+format: it consists of the B<DER> format base64 encoded with additional
header and footer lines.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
This specifies how the elliptic curve parameters are encoded.
Possible value are: B<named_curve>, i.e. the ec parameters are
specified by a OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the
+explicitly given (see RFC 3279 for the definition of the
EC parameters structures). The default value is B<named_curve>.
B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
is currently not implemented in OpenSSL.
-----END EC PARAMETERS-----
OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves.
+B<ecparam> can only create EC parameters from known (named) curves.
=head1 EXAMPLES
=item B<-nosalt>
-do not use a salt
+do not use a salt
=item B<-salt>
desx DESX algorithm.
gost89 GOST 28147-89 in CFB mode (provided by ccgost engine)
- gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine)
+ gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine)
idea-cbc IDEA algorithm in CBC mode
idea same as idea-cbc
Decode the same file
- openssl base64 -d -in file.b64 -out file.bin
+ openssl base64 -d -in file.b64 -out file.bin
Encrypt a file using triple DES in CBC mode using a prompted password:
- openssl des3 -salt -in file.txt -out file.des3
+ openssl des3 -salt -in file.txt -out file.des3
Decrypt a file using a supplied password:
=head1 DESCRIPTION
Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to
+numerical forms will be available. The B<errstr> utility can be used to
display the meaning of the hex code. The hex code is the hex digits after the
second colon.
27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
can be displayed with:
-
+
openssl errstr 2006D080
to produce the error message:
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, or the
+These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
=item B<-out filename>
the output filename. If this argument is not specified then standard output is
-used.
+used.
=item B<-outform DER|PEM>
Generate an RSA private key using default parameters:
- openssl genpkey -algorithm RSA -out key.pem
+ openssl genpkey -algorithm RSA -out key.pem
Encrypt output private key using 128 bit AES and the passphrase "hello":
Generate DSA key from parameters:
- openssl genpkey -paramfile dsap.pem -out dsakey.pem
+ openssl genpkey -paramfile dsap.pem -out dsakey.pem
Generate 1024 bit DH parameters:
Generate DH key from parameters:
- openssl genpkey -paramfile dhp.pem -out dhkey.pem
+ openssl genpkey -paramfile dhp.pem -out dhkey.pem
=cut
=item B<-out filename>
the output filename. If this argument is not specified then standard output is
-used.
+used.
=item B<-passout arg>
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, or the
+These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.
=item B<-md5|-sha1|-sha256|-ripemod160|...>
this option sets digest algorithm to use for certificate identification
-in the OCSP request. By default SHA-1 is used.
+in the OCSP request. By default SHA-1 is used.
=back
=item B<-nrequest number>
-The OCSP server will exit after receiving B<number> requests, default unlimited.
+The OCSP server will exit after receiving B<number> requests, default unlimited.
=item B<-nmin minutes>, B<-ndays days>
Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
omitted meaning fresh revocation information is immediately available.
=back
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
-Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
response to a file and print it out in text form
openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
cryptography standards required by them.
The B<openssl> program is a command line tool for using the various
-cryptography functions of OpenSSL's B<crypto> library from the shell.
-It can be used for
+cryptography functions of OpenSSL's B<crypto> library from the shell.
+It can be used for
o Creation and management of private keys, public keys and parameters
o Public key cryptographic operations
- o Creation of X.509 certificates, CSRs and CRLs
+ o Creation of X.509 certificates, CSRs and CRLs
o Calculation of Message Digests
o Encryption and Decryption with Ciphers
o SSL/TLS Client and Server Tests
=item L<B<ca>|ca(1)>
-Certificate Authority (CA) Management.
+Certificate Authority (CA) Management.
=item L<B<ciphers>|ciphers(1)>
=item L<B<dhparam>|dhparam(1)>
-Generation and Management of Diffie-Hellman Parameters. Superseded by
+Generation and Management of Diffie-Hellman Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
=item L<B<dsaparam>|dsaparam(1)>
-DSA Parameter Generation and Management. Superseded by
+DSA Parameter Generation and Management. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
=item L<B<ec>|ec(1)>
=item L<B<gendsa>|gendsa(1)>
-Generation of DSA Private Key from Parameters. Superseded by
+Generation of DSA Private Key from Parameters. Superseded by
L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
=item L<B<genpkey>|genpkey(1)>
RMD-160 Digest
-=item B<sha>
+=item B<sha>
SHA Digest
-=item B<sha1>
+=item B<sha1>
SHA-1 Digest
L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
-L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
+L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
=head1 HISTORY
openssl pkcs12 -in file.p12 -clcerts -out file.pem
Don't encrypt the private key:
-
+
openssl pkcs12 -in file.p12 -out file.pem -nodes
Print some info about a PKCS#12 file:
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
There is no option to print out all the fields of a PKCS#7 file.
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
cannot currently parse, for example, the new CMS as described in RFC2630.
=head1 SEE ALSO
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
private keys are encrypted with the password based encryption algorithm
called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
+was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
not many implementations support PKCS#5 v2.0 yet. If you are just using
=head1 SEE ALSO
L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>
+L<gendsa(1)|gendsa(1)>
=cut
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-text_pub>
openssl pkey -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl pkey -in key.pem -outform DER -out keyout.der
=head1 SEE ALSO
L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
+L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
=cut
=item B<-text>
-prints out the parameters in plain text in addition to the encoded version.
+prints out the parameters in plain text in addition to the encoded version.
=item B<-noout>
=head1 SEE ALSO
L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
+L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
=cut
=item B<-pubin>
-the input file is a public key.
+the input file is a public key.
=item B<-certin>
-the input is a certificate containing a public key.
+the input is a certificate containing a public key.
=item B<-rev>
=head1 RSA ALGORITHM
The RSA algorithm supports encrypt, decrypt, sign, verify and verifyrecover
-operations in general. Some padding modes only support some of these
+operations in general. Some padding modes only support some of these
operations however.
=over 4
PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
-In PKCS#1 padding if the message digest is not set then the supplied data is
+In PKCS#1 padding if the message digest is not set then the supplied data is
signed or verified directly instead of using a B<DigestInfo> structure. If a
digest is set then the a B<DigestInfo> structure is used and its the length
must correspond to the digest type.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+this option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
=item B<-reqopt>
customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas.
+a single option or multiple options separated by commas.
See discission of the B<-certopt> parameter in the L<B<x509>|x509(1)>
command.
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
-by white space and finally the long name.
+by white space and finally the long name.
=item B<oid_section>
fields. Most users will not need to change this option.
It can be set to several values B<default> which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the
+option uses PrintableStrings, T61Strings and BMPStrings if the
B<pkix> value is used then only PrintableStrings and BMPStrings will
be used. This follows the PKIX recommendation in RFC2459. If the
B<utf8only> option is used then only UTF8Strings will be used: this
this specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch. See the
+by the B<-reqexts> command line switch. See the
L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
extension section format.
L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>,
-L<x509v3_config(5)|x509v3_config(5)>
+L<x509v3_config(5)|x509v3_config(5)>
=cut
=item B<-outform DER|NET|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-des|-des3|-idea>
-These options encrypt the private key with the DES, triple DES, or the
+These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<rsa> utility to read in an encrypted key with no
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-noout>
openssl rsa -in key.pem -des3 -out keyout.pem
-To convert a private key from PEM to DER format:
+To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
=head1 SEE ALSO
L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>
+L<gendsa(1)|gendsa(1)>
=cut
=item B<-pubin>
-the input file is an RSA public key.
+the input file is an RSA public key.
=item B<-certin>
-the input is a certificate containing an RSA public key.
+the input is a certificate containing an RSA public key.
=item B<-sign>
openssl asn1parse -in pca-cert.pem
- 0:d=0 hl=4 l= 742 cons: SEQUENCE
- 4:d=1 hl=4 l= 591 cons: SEQUENCE
- 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
+ 0:d=0 hl=4 l= 742 cons: SEQUENCE
+ 4:d=1 hl=4 l= 591 cons: SEQUENCE
+ 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :00
- 16:d=2 hl=2 l= 13 cons: SEQUENCE
+ 16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
- 29:d=3 hl=2 l= 0 prim: NULL
- 31:d=2 hl=2 l= 92 cons: SEQUENCE
- 33:d=3 hl=2 l= 11 cons: SET
- 35:d=4 hl=2 l= 9 cons: SEQUENCE
+ 29:d=3 hl=2 l= 0 prim: NULL
+ 31:d=2 hl=2 l= 92 cons: SEQUENCE
+ 33:d=3 hl=2 l= 11 cons: SET
+ 35:d=4 hl=2 l= 9 cons: SEQUENCE
37:d=5 hl=2 l= 3 prim: OBJECT :countryName
42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
....
- 599:d=1 hl=2 l= 13 cons: SEQUENCE
+ 599:d=1 hl=2 l= 13 cons: SEQUENCE
601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
- 612:d=2 hl=2 l= 0 prim: NULL
- 614:d=1 hl=3 l= 129 prim: BIT STRING
+ 612:d=2 hl=2 l= 0 prim: NULL
+ 614:d=1 hl=3 l= 129 prim: BIT STRING
The final BIT STRING contains the actual signature. It can be extracted with:
openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
The certificate public key can be extracted with:
-
+
openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
The signature can be analysed with:
openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
- 0:d=0 hl=2 l= 32 cons: SEQUENCE
- 2:d=1 hl=2 l= 12 cons: SEQUENCE
+ 0:d=0 hl=2 l= 32 cons: SEQUENCE
+ 2:d=1 hl=2 l= 12 cons: SEQUENCE
4:d=2 hl=2 l= 8 prim: OBJECT :md5
- 14:d=2 hl=2 l= 0 prim: NULL
- 16:d=1 hl=2 l= 16 prim: OCTET STRING
+ 14:d=2 hl=2 l= 0 prim: NULL
+ 16:d=1 hl=2 l= 16 prim: OCTET STRING
0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
=item B<-no_ticket>
-disable RFC4507bis session ticket support.
+disable RFC4507bis session ticket support.
=item B<-sess_out filename>
=item B<-no_ticket>
-disable RFC4507bis session ticket support.
+disable RFC4507bis session ticket support.
=item B<-www>
If a connection request is established with an SSL client and neither the
B<-www> nor the B<-WWW> option has been used then normally any data received
-from the client is displayed and any key presses will be sent to the client.
+from the client is displayed and any key presses will be sent to the client.
Certain single letter commands are also recognized which perform special
operations: these are listed below.
=item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-text>
prints out the various public or private key components in
-plain text in addition to the encoded version.
+plain text in addition to the encoded version.
=item B<-cert>
this option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME
+off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-CAfile file>
the encryption algorithm to use. For example DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>,
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
supported by your version of OpenSSL.
=item B<cert.pem...>
one or more certificates of message recipients: used when encrypting
-a message.
+a message.
=item B<-to, -from, -subject>
the operation was completely successfully.
-=item 1
+=item 1
an error occurred parsing the command options.
-----BEGIN PKCS7-----
-----END PKCS7-----
-and using the command:
+and using the command:
openssl smime -verify -inform PEM -in signature.pem -content content.txt
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
-1AF601...). The number of bytes must match the message digest algorithm
+1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
=item B<-data> file_to_hash
The response or token must be verified against file_to_hash. The file
-is hashed with the message digest algorithm specified in the token.
+is hashed with the message digest algorithm specified in the token.
The B<-digest> and B<-queryfile> options must not be specified with this one.
(Optional)
=item B<-CAfile> trusted_certs.pem
-The name of the file containing a set of trusted self-signed CA
-certificates in PEM format. See the similar option of
-L<verify(1)|verify(1)> for additional details. Either this option
+The name of the file containing a set of trusted self-signed CA
+certificates in PEM format. See the similar option of
+L<verify(1)|verify(1)> for additional details. Either this option
or B<-CApath> must be specified.
(Optional)
=over 4
-=item B<tsa> section, B<default_tsa>
+=item B<tsa> section, B<default_tsa>
This is the main section and it specifies the name of another section
that contains all the options for the B<-reply> command. This default
=item B<crypto_device>
-Specifies the OpenSSL engine that will be set as the default for
-all available algorithms. The default value is builtin, you can specify
+Specifies the OpenSSL engine that will be set as the default for
+all available algorithms. The default value is builtin, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
(Optional)
=item B<clock_precision_digits>
-Specifies the maximum number of digits, which represent the fraction of
+Specifies the maximum number of digits, which represent the fraction of
seconds, that need to be included in the time field. The trailing zeroes
must be removed from the time, so there might actually be fewer digits,
or no fraction of seconds at all. Supported only on UNIX platforms.
=head1 EXAMPLES
All the examples below presume that B<OPENSSL_CONF> is set to a proper
-configuration file, e.g. the example configuration file
+configuration file, e.g. the example configuration file
openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
+To create a time stamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
+To create a time stamp request which includes the MD-5 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
=over 4
=item * No support for time stamps over SMTP, though it is quite easy
-to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)>
-and L<perl(1)|perl(1)>. HTTP server support is provided in the form of
+to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)>
+and L<perl(1)|perl(1)>. HTTP server support is provided in the form of
a separate apache module. HTTP client support is provided by
L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported.
=head1 SEE ALSO
-L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
+L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
L<config(5)|config(5)>
=cut
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
-If a valid CRL cannot be found an error occurs.
+If a valid CRL cannot be found an error occurs.
=item B<-crl_check_all>
Firstly a certificate chain is built up starting from the supplied certificate
and ending in the root CA. It is an error if the whole chain cannot be built
up. The chain is built up by looking up the issuers certificate of the current
-certificate. If a certificate is found which is its own issuer it is assumed
+certificate. If a certificate is found which is its own issuer it is assumed
to be the root CA.
The process of 'looking up the issuers certificate' itself involves a number
of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
subject name matched the issuer of the current certificate was assumed to be
the issuers certificate. In OpenSSL 0.9.6 and later all certificates
-whose subject name matches the issuer name of the current certificate are
+whose subject name matches the issuer name of the current certificate are
subject to further tests. The relevant authority key identifier components
of the current certificate (if present) must match the subject key identifier
(if present) and issuer and serial number of the candidate issuer, in addition
The third operation is to check the trust settings on the root CA. The root
CA should be trusted for the supplied purpose. For compatibility with previous
versions of SSLeay and OpenSSL a certificate with no trust settings is considered
-to be valid for all purposes.
+to be valid for all purposes.
The final operation is to check the validity of the certificate chain. The validity
period is checked against the current system time and the notBefore and notAfter
=item B<-outform DER|PEM|NET>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
=item B<-signkey filename>
this option causes the input file to be self signed using the supplied
-private key.
+private key.
If the input file is a certificate it sets the issuer name to the
subject name (i.e. makes it self signed) changes the public key to the
use the serial number is incremented and written out to the file again.
The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called
+".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".
=item B<-CAcreateserial>
The extended key usage extension must be absent or include the "email
protection" OID. Netscape certificate type must be absent or must have the
S/MIME CA bit set: this is used as a work around if the basicConstraints
-extension is absent.
+extension is absent.
=item B<CRL Signing>
L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>,
-L<x509v3_config(5)|x509v3_config(5)>
+L<x509v3_config(5)|x509v3_config(5)>
=head1 HISTORY
The issuer alternative name option supports all the literal options of
subject alternative name. It does B<not> support the email:copy option because
that would not make sense. It does support an additional issuer:copy option
-that will copy all the subject alternative name values from the issuer
+that will copy all the subject alternative name values from the issuer
certificate (if possible).
Example:
O=Organisation
CN=Some Name
-
+
=head2 Certificate Policies.
This is a I<raw> extension. All the fields of this extension can be set by
The name constraints extension is a multi-valued extension. The name should
begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
-is not supported and the B<IP> form should consist of an IP addresses and
+is not supported and the B<IP> form should consist of an IP addresses and
subnet mask separated by a B</>.
Examples:
[subject_alt_section]
subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
-is valid.
+is valid.
Due to the behaviour of the OpenSSL B<conf> library the same field name
can only occur once in a section. This means that:
projects / openbsd / commitdiff