Lines Matching +full:pre +full:- +full:configurable
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-ca - sample minimal CA application
11 [B<-help>]
12 [B<-verbose>]
13 [B<-config> I<filename>]
14 [B<-name> I<section>]
15 [B<-section> I<section>]
16 [B<-gencrl>]
17 [B<-revoke> I<file>]
18 [B<-valid> I<file>]
19 [B<-status> I<serial>]
20 [B<-updatedb>]
21 [B<-crl_reason> I<reason>]
22 [B<-crl_hold> I<instruction>]
23 [B<-crl_compromise> I<time>]
24 [B<-crl_CA_compromise> I<time>]
25 [B<-crl_lastupdate> I<date>]
26 [B<-crl_nextupdate> I<date>]
27 [B<-crldays> I<days>]
28 [B<-crlhours> I<hours>]
29 [B<-crlsec> I<seconds>]
30 [B<-crlexts> I<section>]
31 [B<-startdate> I<date>]
32 [B<-enddate> I<date>]
33 [B<-days> I<arg>]
34 [B<-md> I<arg>]
35 [B<-policy> I<arg>]
36 [B<-keyfile> I<filename>|I<uri>]
37 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
38 [B<-key> I<arg>]
39 [B<-passin> I<arg>]
40 [B<-cert> I<file>]
41 [B<-certform> B<DER>|B<PEM>|B<P12>]
42 [B<-selfsign>]
43 [B<-in> I<file>]
44 [B<-inform> B<DER>|B<PEM>]
45 [B<-out> I<file>]
46 [B<-notext>]
47 [B<-dateopt>]
48 [B<-outdir> I<dir>]
49 [B<-infiles>]
50 [B<-spkac> I<file>]
51 [B<-ss_cert> I<file>]
52 [B<-preserveDN>]
53 [B<-noemailDN>]
54 [B<-batch>]
55 [B<-msie_hack>]
56 [B<-extensions> I<section>]
57 [B<-extfile> I<section>]
58 [B<-subj> I<arg>]
59 [B<-utf8>]
60 [B<-sigopt> I<nm>:I<v>]
61 [B<-vfyopt> I<nm>:I<v>]
62 [B<-create_serial>]
63 [B<-rand_serial>]
64 [B<-multivalue-rdn>]
65 {- $OpenSSL::safe::opt_r_synopsis -}
66 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
77 with the B<-in> option, or multiple requests can be processed by
82 See L<openssl-req(1)> and L<openssl-x509(1)> for details.
90 =item B<-help>
94 =item B<-verbose>
98 =item B<-config> I<filename>
104 =item B<-name> I<section>, B<-section> I<section>
109 =item B<-in> I<filename>
114 =item B<-inform> B<DER>|B<PEM>
118 See L<openssl-format-options(1)> for details.
120 =item B<-ss_cert> I<filename>
122 A single self-signed certificate to be signed by the CA.
124 =item B<-spkac> I<filename>
130 =item B<-infiles>
135 =item B<-out> I<filename>
139 file in PEM format (except that B<-spkac> outputs DER format).
141 =item B<-outdir> I<directory>
147 =item B<-cert> I<filename>
149 The CA certificate, which must match with B<-keyfile>.
151 =item B<-certform> B<DER>|B<PEM>|B<P12>
154 See L<openssl-format-options(1)> for details.
156 =item B<-keyfile> I<filename>|I<uri>
159 This must match with B<-cert>.
161 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
164 See L<openssl-format-options(1)> for details.
166 =item B<-sigopt> I<nm>:I<v>
169 Names and values of these options are algorithm-specific.
171 =item B<-vfyopt> I<nm>:I<v>
174 Names and values of these options are algorithm-specific.
176 This often needs to be given while signing too, because the self-signature of
180 =item B<-key> I<password>
188 Better use B<-passin>.
190 =item B<-passin> I<arg>
194 see L<openssl-passphrase-options(1)>.
196 =item B<-selfsign>
199 the certificate requests were signed with (given with B<-keyfile>).
201 If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.
203 A consequence of using B<-selfsign> is that the self-signed
207 self-signed certificate.
209 =item B<-notext>
213 =item B<-dateopt>
218 =item B<-startdate> I<date>
225 =item B<-enddate> I<date>
232 =item B<-days> I<arg>
236 =item B<-md> I<alg>
239 Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
243 =item B<-policy> I<arg>
250 =item B<-msie_hack>
257 =item B<-preserveDN>
265 =item B<-noemailDN>
268 request DN, however, it is good policy just having the e-mail set into
274 =item B<-batch>
279 =item B<-extensions> I<section>
283 unless the B<-extfile> option is used).
289 =item B<-extfile> I<file>
292 (using the default section unless the B<-extensions> option is also
295 =item B<-subj> I<arg>
303 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
304 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
310 =item B<-utf8>
317 =item B<-create_serial>
322 To get random serial numbers, use the B<-rand_serial> flag instead; this
323 should only be used for simple error-recovery.
325 =item B<-rand_serial>
330 =item B<-multivalue-rdn>
334 {- $OpenSSL::safe::opt_r_item -}
336 {- $OpenSSL::safe::opt_engine_item -}
338 {- $OpenSSL::safe::opt_provider_item -}
346 =item B<-gencrl>
350 =item B<-crl_lastupdate> I<time>
357 =item B<-crl_nextupdate> I<time>
360 this option is present, any values given for B<-crldays>, B<-crlhours>
361 and B<-crlsec> are ignored. Accepts times in the same formats as
362 B<-crl_lastupdate>.
364 =item B<-crldays> I<num>
369 =item B<-crlhours> I<num>
373 =item B<-crlsec> I<num>
377 =item B<-revoke> I<filename>
381 =item B<-valid> I<filename>
385 =item B<-status> I<serial>
390 =item B<-updatedb>
394 =item B<-crl_reason> I<reason>
404 =item B<-crl_hold> I<instruction>
411 =item B<-crl_compromise> I<time>
416 =item B<-crl_CA_compromise> I<time>
421 =item B<-crlexts> I<section>
437 is found as follows: If the B<-name> command line option is used,
474 The same as the B<-outdir> command line option. It specifies
479 The same as B<-cert>. It gives the file containing the CA
484 Same as the B<-keyfile> option. The file containing the
495 The same as the B<-days> option. The number of days to certify
500 The same as the B<-startdate> option. The start date to certify
505 The same as the B<-enddate> option. Either this option or
511 The same as the B<-crlhours> and the B<-crldays> options. These
517 The same as the B<-md> option. Mandatory except where the signing algorithm does
530 The default value is B<yes>, to be compatible with older (pre 0.9.8)
531 versions of OpenSSL. However, to make CA certificate roll-over easier,
533 the B<-selfsign> command line option.
552 A fallback to the B<-extensions> option.
556 A fallback to the B<-crlexts> option.
560 The same as B<-preserveDN>
564 The same as B<-noemailDN>. If you want the EMAIL field to be removed
570 The same as B<-msie_hack>
574 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
581 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
617 are silently deleted, unless the B<-preserveDN> option is set but
622 The input to the B<-spkac> command line option is a Netscape
625 It is however possible to create SPKACs using L<openssl-spkac(1)>.
632 When processing SPKAC format, the output is DER if the B<-out>
633 flag is used, but PEM format if sending to stdout or the B<-outdir>
641 L<openssl-req(1)>, a serial number file and an empty index file and
654 openssl ca -in req.pem -out newcert.pem
658 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
659 -sigopt "distid:1234567812345678" \
660 -vfyopt "distid:1234567812345678"
664 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
668 openssl ca -gencrl -out crl.pem
672 openssl ca -infiles req1.pem req2.pem req3.pem
676 openssl ca -spkac spkac.txt
727 /usr/local/ssl/lib/openssl.cnf - master configuration file
728 ./demoCA - main CA directory
729 ./demoCA/cacert.pem - CA certificate
730 ./demoCA/private/cakey.pem - CA private key
731 ./demoCA/serial - CA serial number file
732 ./demoCA/serial.old - CA serial number backup file
733 ./demoCA/index.txt - CA text database file
734 ./demoCA/index.txt.old - CA text database backup file
735 ./demoCA/certs - certificate output file
747 possible to include one SPKAC or self-signed certificate.
753 The use of an in-memory text database can cause problems when large
758 exposed at either a command or interface level so that a more user-friendly
763 deleted. This does not happen if the B<-preserveDN> option is used. To
765 RFCs, regardless of the contents of the request's subject the B<-noemailDN>
767 configurable.
811 certificate validity period (specified by any of B<-startdate>,
812 B<-enddate> and B<-days>) and CRL last/next update time (specified by
813 any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
814 and B<-crlsec>) will be encoded as UTCTime if the dates are
823 The B<-section> option was added in OpenSSL 3.0.0.
825 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
828 The B<-engine> option was deprecated in OpenSSL 3.0.
833 L<openssl-req(1)>,
834 L<openssl-spkac(1)>,
835 L<openssl-x509(1)>,
842 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.