Lines Matching +full:serial +full:- +full:output
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-ca - sample minimal CA application
11 [B<-help>]
12 [B<-verbose>]
13 [B<-config> I<filename>]
14 [B<-name> I<section>]
15 [B<-section> I<section>]
16 [B<-gencrl>]
17 [B<-revoke> I<file>]
18 [B<-valid> I<file>]
19 [B<-status> I<serial>]
20 [B<-updatedb>]
21 [B<-crl_reason> I<reason>]
22 [B<-crl_hold> I<instruction>]
23 [B<-crl_compromise> I<time>]
24 [B<-crl_CA_compromise> I<time>]
25 [B<-crl_lastupdate> I<date>]
26 [B<-crl_nextupdate> I<date>]
27 [B<-crldays> I<days>]
28 [B<-crlhours> I<hours>]
29 [B<-crlsec> I<seconds>]
30 [B<-crlexts> I<section>]
31 [B<-startdate> I<date>]
32 [B<-enddate> I<date>]
33 [B<-days> I<arg>]
34 [B<-md> I<arg>]
35 [B<-policy> I<arg>]
36 [B<-keyfile> I<filename>|I<uri>]
37 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
38 [B<-key> I<arg>]
39 [B<-passin> I<arg>]
40 [B<-cert> I<file>]
41 [B<-certform> B<DER>|B<PEM>|B<P12>]
42 [B<-selfsign>]
43 [B<-in> I<file>]
44 [B<-inform> B<DER>|B<PEM>]
45 [B<-out> I<file>]
46 [B<-notext>]
47 [B<-dateopt>]
48 [B<-outdir> I<dir>]
49 [B<-infiles>]
50 [B<-spkac> I<file>]
51 [B<-ss_cert> I<file>]
52 [B<-preserveDN>]
53 [B<-noemailDN>]
54 [B<-batch>]
55 [B<-msie_hack>]
56 [B<-extensions> I<section>]
57 [B<-extfile> I<file>]
58 [B<-subj> I<arg>]
59 [B<-utf8>]
60 [B<-sigopt> I<nm>:I<v>]
61 [B<-vfyopt> I<nm>:I<v>]
62 [B<-create_serial>]
63 [B<-rand_serial>]
64 [B<-multivalue-rdn>]
65 {- $OpenSSL::safe::opt_r_synopsis -}
66 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
77 with the B<-in> option, or multiple requests can be processed by
82 See L<openssl-req(1)> and L<openssl-x509(1)> for details.
90 =item B<-help>
94 =item B<-verbose>
98 =item B<-config> I<filename>
104 =item B<-name> I<section>, B<-section> I<section>
109 =item B<-in> I<filename>
114 =item B<-inform> B<DER>|B<PEM>
118 See L<openssl-format-options(1)> for details.
120 =item B<-ss_cert> I<filename>
122 A single self-signed certificate to be signed by the CA.
124 =item B<-spkac> I<filename>
128 section for information on the required input and output format.
130 =item B<-infiles>
135 =item B<-out> I<filename>
137 The output file to output certificates to. The default is standard
138 output. The certificate details will also be printed out to this
139 file in PEM format (except that B<-spkac> outputs DER format).
141 =item B<-outdir> I<directory>
143 The directory to output certificates to. The certificate will be
144 written to a filename consisting of the serial number in hex with
147 =item B<-cert> I<filename>
149 The CA certificate, which must match with B<-keyfile>.
151 =item B<-certform> B<DER>|B<PEM>|B<P12>
154 See L<openssl-format-options(1)> for details.
156 =item B<-keyfile> I<filename>|I<uri>
159 This must match with B<-cert>.
161 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
164 See L<openssl-format-options(1)> for details.
166 =item B<-sigopt> I<nm>:I<v>
169 Names and values of these options are algorithm-specific.
171 =item B<-vfyopt> I<nm>:I<v>
174 Names and values of these options are algorithm-specific.
176 This often needs to be given while signing too, because the self-signature of
180 =item B<-key> I<password>
188 Better use B<-passin>.
190 =item B<-passin> I<arg>
194 see L<openssl-passphrase-options(1)>.
196 =item B<-selfsign>
199 the certificate requests were signed with (given with B<-keyfile>).
201 If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.
203 A consequence of using B<-selfsign> is that the self-signed
206 serial number counter as all other certificates sign with the
207 self-signed certificate.
209 =item B<-notext>
211 Don't output the text form of a certificate to the output file.
213 =item B<-dateopt>
215 Specify the date output format. Values are: rfc_822 and iso_8601.
218 =item B<-startdate> I<date>
225 =item B<-enddate> I<date>
232 =item B<-days> I<arg>
236 =item B<-md> I<alg>
239 Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
243 =item B<-policy> I<arg>
250 =item B<-msie_hack>
257 =item B<-preserveDN>
265 =item B<-noemailDN>
268 request DN, however, it is good policy just having the e-mail set into
274 =item B<-batch>
279 =item B<-extensions> I<section>
283 unless the B<-extfile> option is used).
289 =item B<-extfile> I<file>
292 (using the default section unless the B<-extensions> option is also
295 =item B<-subj> I<arg>
303 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
304 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
310 =item B<-utf8>
317 =item B<-create_serial>
319 If reading serial from the text file as specified in the configuration
320 fails, specifying this option creates a new random serial to be used as next
321 serial number.
322 To get random serial numbers, use the B<-rand_serial> flag instead; this
323 should only be used for simple error-recovery.
325 =item B<-rand_serial>
327 Generate a large random number to use as the serial number.
328 This overrides any option or configuration to use a serial number file.
330 =item B<-multivalue-rdn>
334 {- $OpenSSL::safe::opt_r_item -}
336 {- $OpenSSL::safe::opt_engine_item -}
338 {- $OpenSSL::safe::opt_provider_item -}
346 =item B<-gencrl>
350 =item B<-crl_lastupdate> I<time>
357 =item B<-crl_nextupdate> I<time>
360 this option is present, any values given for B<-crldays>, B<-crlhours>
361 and B<-crlsec> are ignored. Accepts times in the same formats as
362 B<-crl_lastupdate>.
364 =item B<-crldays> I<num>
369 =item B<-crlhours> I<num>
373 =item B<-crlsec> I<num>
377 =item B<-revoke> I<filename>
381 =item B<-valid> I<filename>
385 =item B<-status> I<serial>
388 serial number and exits.
390 =item B<-updatedb>
394 =item B<-crl_reason> I<reason>
404 =item B<-crl_hold> I<instruction>
411 =item B<-crl_compromise> I<time>
416 =item B<-crl_CA_compromise> I<time>
421 =item B<-crlexts> I<section>
437 is found as follows: If the B<-name> command line option is used,
474 The same as the B<-outdir> command line option. It specifies
479 The same as B<-cert>. It gives the file containing the CA
484 Same as the B<-keyfile> option. The file containing the
495 The same as the B<-days> option. The number of days to certify
500 The same as the B<-startdate> option. The start date to certify
505 The same as the B<-enddate> option. Either this option or
511 The same as the B<-crlhours> and the B<-crldays> options. These
517 The same as the B<-md> option. Mandatory except where the signing algorithm does
531 versions of OpenSSL. However, to make CA certificate roll-over easier,
533 the B<-selfsign> command line option.
539 =item B<serial>
541 A text file containing the next serial number to use in hex. Mandatory.
542 This file must be present and contain a valid serial number.
552 A fallback to the B<-extensions> option.
556 A fallback to the B<-crlexts> option.
560 The same as B<-preserveDN>
564 The same as B<-noemailDN>. If you want the EMAIL field to be removed
570 The same as B<-msie_hack>
574 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
581 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
587 a reasonable output.
617 are silently deleted, unless the B<-preserveDN> option is set but
622 The input to the B<-spkac> command line option is a Netscape
625 It is however possible to create SPKACs using L<openssl-spkac(1)>.
632 When processing SPKAC format, the output is DER if the B<-out>
633 flag is used, but PEM format if sending to stdout or the B<-outdir>
641 L<openssl-req(1)>, a serial number file and an empty index file and
647 key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
654 openssl ca -in req.pem -out newcert.pem
658 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
659 -sigopt "distid:1234567812345678" \
660 -vfyopt "distid:1234567812345678"
664 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
668 openssl ca -gencrl -out crl.pem
672 openssl ca -infiles req1.pem req2.pem req3.pem
676 openssl ca -spkac spkac.txt
698 serial = $dir/serial # serial no file
699 #rand_serial = yes # for random serial#'s
727 /usr/local/ssl/lib/openssl.cnf - master configuration file
728 ./demoCA - main CA directory
729 ./demoCA/cacert.pem - CA certificate
730 ./demoCA/private/cakey.pem - CA private key
731 ./demoCA/serial - CA serial number file
732 ./demoCA/serial.old - CA serial number backup file
733 ./demoCA/index.txt - CA text database file
734 ./demoCA/index.txt.old - CA text database backup file
735 ./demoCA/certs - certificate output file
747 possible to include one SPKAC or self-signed certificate.
753 The use of an in-memory text database can cause problems when large
758 exposed at either a command or interface level so that a more user-friendly
763 deleted. This does not happen if the B<-preserveDN> option is used. To
765 RFCs, regardless of the contents of the request's subject the B<-noemailDN>
811 certificate validity period (specified by any of B<-startdate>,
812 B<-enddate> and B<-days>) and CRL last/next update time (specified by
813 any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
814 and B<-crlsec>) will be encoded as UTCTime if the dates are
823 The B<-section> option was added in OpenSSL 3.0.0.
825 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
828 The B<-engine> option was deprecated in OpenSSL 3.0.
833 L<openssl-req(1)>,
834 L<openssl-spkac(1)>,
835 L<openssl-x509(1)>,
842 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.