Lines Matching +full:serial +full:- +full:number
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-ca - sample minimal CA application
11 [B<-help>]
12 [B<-verbose>]
13 [B<-quiet>]
14 [B<-config> I<filename>]
15 [B<-name> I<section>]
16 [B<-section> I<section>]
17 [B<-gencrl>]
18 [B<-revoke> I<file>]
19 [B<-valid> I<file>]
20 [B<-status> I<serial>]
21 [B<-updatedb>]
22 [B<-crl_reason> I<reason>]
23 [B<-crl_hold> I<instruction>]
24 [B<-crl_compromise> I<time>]
25 [B<-crl_CA_compromise> I<time>]
26 [B<-crl_lastupdate> I<date>]
27 [B<-crl_nextupdate> I<date>]
28 [B<-crldays> I<days>]
29 [B<-crlhours> I<hours>]
30 [B<-crlsec> I<seconds>]
31 [B<-crlexts> I<section>]
32 [B<-startdate> I<date>]
33 [B<-not_before> I<date>]
34 [B<-enddate> I<date>]
35 [B<-not_after> I<date>]
36 [B<-days> I<arg>]
37 [B<-md> I<arg>]
38 [B<-policy> I<arg>]
39 [B<-keyfile> I<filename>|I<uri>]
40 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
41 [B<-key> I<arg>]
42 [B<-passin> I<arg>]
43 [B<-cert> I<file>]
44 [B<-certform> B<DER>|B<PEM>|B<P12>]
45 [B<-selfsign>]
46 [B<-in> I<file>]
47 [B<-inform> B<DER>|B<PEM>]
48 [B<-out> I<file>]
49 [B<-notext>]
50 [B<-dateopt>]
51 [B<-outdir> I<dir>]
52 [B<-infiles>]
53 [B<-spkac> I<file>]
54 [B<-ss_cert> I<file>]
55 [B<-preserveDN>]
56 [B<-noemailDN>]
57 [B<-batch>]
58 [B<-msie_hack>]
59 [B<-extensions> I<section>]
60 [B<-extfile> I<file>]
61 [B<-subj> I<arg>]
62 [B<-utf8>]
63 [B<-sigopt> I<nm>:I<v>]
64 [B<-vfyopt> I<nm>:I<v>]
65 [B<-create_serial>]
66 [B<-rand_serial>]
67 [B<-multivalue-rdn>]
68 {- $OpenSSL::safe::opt_r_synopsis -}
69 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
85 with the B<-in> option, or multiple requests can be processed by
90 See L<openssl-req(1)> and L<openssl-x509(1)> for details.
98 =item B<-help>
102 =item B<-verbose>
106 =item B<-quiet>
111 =item B<-config> I<filename>
117 =item B<-name> I<section>, B<-section> I<section>
122 =item B<-in> I<filename>
127 =item B<-inform> B<DER>|B<PEM>
131 See L<openssl-format-options(1)> for details.
133 =item B<-ss_cert> I<filename>
135 A single self-signed certificate to be signed by the CA.
137 =item B<-spkac> I<filename>
143 =item B<-infiles>
148 =item B<-out> I<filename>
152 file in PEM format (except that B<-spkac> outputs DER format).
154 =item B<-outdir> I<directory>
157 written to a filename consisting of the serial number in hex with
160 =item B<-cert> I<filename>
162 The CA certificate, which must match with B<-keyfile>.
164 =item B<-certform> B<DER>|B<PEM>|B<P12>
167 See L<openssl-format-options(1)> for details.
169 =item B<-keyfile> I<filename>|I<uri>
172 This must match with B<-cert>.
174 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
177 See L<openssl-format-options(1)> for details.
179 =item B<-sigopt> I<nm>:I<v>
182 Names and values of these options are algorithm-specific and
183 documented in L<provider-signature(7)/Signature parameters>.
185 =item B<-vfyopt> I<nm>:I<v>
188 Names and values of these options are algorithm-specific.
190 This often needs to be given while signing too, because the self-signature of
194 =item B<-key> I<password>
202 Better use B<-passin>.
204 =item B<-passin> I<arg>
208 see L<openssl-passphrase-options(1)>.
210 =item B<-selfsign>
213 the certificate requests were signed with (given with B<-keyfile>).
215 If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.
217 A consequence of using B<-selfsign> is that the self-signed
220 serial number counter as all other certificates sign with the
221 self-signed certificate.
223 =item B<-notext>
227 =item B<-dateopt>
232 =item B<-startdate> I<date>, B<-not_before> I<date>
240 =item B<-enddate> I<date>, B<-not_after> I<date>
248 This overrides the B<-days> option.
250 =item B<-days> I<arg>
252 The number of days from today to certify the certificate for.
254 Regardless of the option B<-not_before>, the days are always counted from
256 When used together with the option B<-not_after>/B<-startdate>, the explicit
259 =item B<-md> I<alg>
262 Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
266 =item B<-policy> I<arg>
273 =item B<-msie_hack>
280 =item B<-preserveDN>
288 =item B<-noemailDN>
291 request DN, however, it is good policy just having the e-mail set into
297 =item B<-batch>
302 =item B<-extensions> I<section>
306 unless the B<-extfile> option is used).
311 =item B<-extfile> I<file>
314 (using the default section unless the B<-extensions> option is also
317 =item B<-subj> I<arg>
325 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
326 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
332 =item B<-utf8>
339 =item B<-create_serial>
341 If reading serial from the text file as specified in the configuration
342 fails, specifying this option creates a new random serial to be used as next
343 serial number.
344 To get random serial numbers, use the B<-rand_serial> flag instead; this
345 should only be used for simple error-recovery.
347 =item B<-rand_serial>
349 Generate a large random number to use as the serial number.
350 This overrides any option or configuration to use a serial number file.
352 =item B<-multivalue-rdn>
356 {- $OpenSSL::safe::opt_r_item -}
358 {- $OpenSSL::safe::opt_engine_item -}
360 {- $OpenSSL::safe::opt_provider_item -}
368 =item B<-gencrl>
372 =item B<-crl_lastupdate> I<time>
379 =item B<-crl_nextupdate> I<time>
382 this option is present, any values given for B<-crldays>, B<-crlhours>
383 and B<-crlsec> are ignored. Accepts times in the same formats as
384 B<-crl_lastupdate>.
386 =item B<-crldays> I<num>
388 The number of days before the next CRL is due. That is the days from
391 =item B<-crlhours> I<num>
393 The number of hours before the next CRL is due.
395 =item B<-crlsec> I<num>
397 The number of seconds before the next CRL is due.
399 =item B<-revoke> I<filename>
403 =item B<-valid> I<filename>
407 =item B<-status> I<serial>
410 serial number and exits.
412 =item B<-updatedb>
416 =item B<-crl_reason> I<reason>
426 =item B<-crl_hold> I<instruction>
433 =item B<-crl_compromise> I<time>
438 =item B<-crl_CA_compromise> I<time>
443 =item B<-crlexts> I<section>
459 is found as follows: If the B<-name> command line option is used,
496 The same as the B<-outdir> command line option. It specifies
501 The same as B<-cert>. It gives the file containing the CA
506 Same as the B<-keyfile> option. The file containing the
511 At startup the specified file is loaded into the random number generator,
517 The same as the B<-days> option. The number of days from today to certify
522 The same as the B<-startdate> option. The start date to certify
527 The same as the B<-enddate> option. Either this option or
533 The same as the B<-crlhours> and the B<-crldays> options. These
539 The same as the B<-md> option. Mandatory except where the signing algorithm does
553 versions of OpenSSL. However, to make CA certificate roll-over easier,
555 the B<-selfsign> command line option.
561 =item B<serial>
563 A text file containing the next serial number to use in hex. Mandatory.
564 This file must be present and contain a valid serial number.
568 A text file containing the next CRL number to use in hex. The crl number
570 present, it must contain a valid CRL number.
574 A fallback to the B<-extensions> option.
578 A fallback to the B<-crlexts> option.
582 The same as B<-preserveDN>
586 The same as B<-noemailDN>. If you want the EMAIL field to be removed
592 The same as B<-msie_hack>
596 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
603 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
639 are silently deleted, unless the B<-preserveDN> option is set but
644 The input to the B<-spkac> command line option is a Netscape
647 It is however possible to create SPKACs using L<openssl-spkac(1)>.
652 preceded by a number and a '.'.
654 When processing SPKAC format, the output is DER if the B<-out>
655 flag is used, but PEM format if sending to stdout or the B<-outdir>
663 L<openssl-req(1)>, a serial number file and an empty index file and
669 key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
676 openssl ca -in req.pem -out newcert.pem
680 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
681 -sigopt "distid:1234567812345678" \
682 -vfyopt "distid:1234567812345678"
686 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
690 openssl ca -gencrl -out crl.pem
694 openssl ca -infiles req1.pem req2.pem req3.pem
698 openssl ca -spkac spkac.txt
720 serial = $dir/serial # serial no file
721 #rand_serial = yes # for random serial#'s
749 /usr/local/ssl/lib/openssl.cnf - master configuration file
750 ./demoCA - main CA directory
751 ./demoCA/cacert.pem - CA certificate
752 ./demoCA/private/cakey.pem - CA private key
753 ./demoCA/serial - CA serial number file
754 ./demoCA/serial.old - CA serial number backup file
755 ./demoCA/index.txt - CA text database file
756 ./demoCA/index.txt.old - CA text database backup file
757 ./demoCA/certs - certificate output file
769 possible to include one SPKAC or self-signed certificate.
775 The use of an in-memory text database can cause problems when large
780 exposed at either a command or interface level so that a more user-friendly
785 deleted. This does not happen if the B<-preserveDN> option is used. To
787 RFCs, regardless of the contents of the request's subject, the B<-noemailDN>
833 certificate validity period (specified by any of B<-startdate>,
834 B<-enddate> and B<-days>) and CRL last/next update time (specified by
835 any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
836 and B<-crlsec>) will be encoded as UTCTime if the dates are
845 The B<-section> option was added in OpenSSL 3.0.0.
847 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
850 The B<-engine> option was deprecated in OpenSSL 3.0.
858 L<openssl-req(1)>,
859 L<openssl-spkac(1)>,
860 L<openssl-x509(1)>,
867 Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.