Lines Matching +full:csr +full:- +full:2 +full:l
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-cmp - Certificate Management Protocol (CMP, RFC 4210) application
11 [B<-help>]
12 [B<-config> I<filename>]
13 [B<-section> I<names>]
14 [B<-verbosity> I<level>]
18 [B<-cmd> I<ir|cr|kur|p10cr|rr|genm>]
19 [B<-infotype> I<name>]
20 [B<-geninfo> I<OID:int:N>]
24 [B<-newkey> I<filename>|I<uri>]
25 [B<-newkeypass> I<arg>]
26 [B<-subject> I<name>]
27 [B<-issuer> I<name>]
28 [B<-days> I<number>]
29 [B<-reqexts> I<name>]
30 [B<-sans> I<spec>]
31 [B<-san_nodefault>]
32 [B<-policies> I<name>]
33 [B<-policy_oids> I<names>]
34 [B<-policy_oids_critical>]
35 [B<-popo> I<number>]
36 [B<-csr> I<filename>]
37 [B<-out_trusted> I<filenames>|I<uris>]
38 [B<-implicit_confirm>]
39 [B<-disable_confirm>]
40 [B<-certout> I<filename>]
41 [B<-chainout> I<filename>]
45 [B<-oldcert> I<filename>|I<uri>]
46 [B<-revreason> I<number>]
50 [B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
51 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
52 [B<-no_proxy> I<addresses>]
53 [B<-recipient> I<name>]
54 [B<-path> I<remote_path>]
55 [B<-keep_alive> I<value>]
56 [B<-msg_timeout> I<seconds>]
57 [B<-total_timeout> I<seconds>]
61 [B<-trusted> I<filenames>|I<uris>]
62 [B<-untrusted> I<filenames>|I<uris>]
63 [B<-srvcert> I<filename>|I<uri>]
64 [B<-expect_sender> I<name>]
65 [B<-ignore_keyusage>]
66 [B<-unprotected_errors>]
67 [B<-extracertsout> I<filename>]
68 [B<-cacertsout> I<filename>]
72 [B<-ref> I<value>]
73 [B<-secret> I<arg>]
74 [B<-cert> I<filename>|I<uri>]
75 [B<-own_trusted> I<filenames>|I<uris>]
76 [B<-key> I<filename>|I<uri>]
77 [B<-keypass> I<arg>]
78 [B<-digest> I<name>]
79 [B<-mac> I<name>]
80 [B<-extracerts> I<filenames>|I<uris>]
81 [B<-unprotected_requests>]
85 [B<-certform> I<PEM|DER>]
86 [B<-keyform> I<PEM|DER|P12|ENGINE>]
87 [B<-otherpass> I<arg>]
88 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
92 {- $OpenSSL::safe::opt_r_synopsis -}
96 [B<-tls_used>]
97 [B<-tls_cert> I<filename>|I<uri>]
98 [B<-tls_key> I<filename>|I<uri>]
99 [B<-tls_keypass> I<arg>]
100 [B<-tls_extra> I<filenames>|I<uris>]
101 [B<-tls_trusted> I<filenames>|I<uris>]
102 [B<-tls_host> I<name>]
104 Client-side debugging options:
106 [B<-batch>]
107 [B<-repeat> I<number>]
108 [B<-reqin> I<filenames>]
109 [B<-reqin_new_tid>]
110 [B<-reqout> I<filenames>]
111 [B<-rspin> I<filenames>]
112 [B<-rspout> I<filenames>]
113 [B<-use_mock_srv>]
117 [B<-port> I<number>]
118 [B<-max_msgs> I<number>]
119 [B<-srv_ref> I<value>]
120 [B<-srv_secret> I<arg>]
121 [B<-srv_cert> I<filename>|I<uri>]
122 [B<-srv_key> I<filename>|I<uri>]
123 [B<-srv_keypass> I<arg>]
124 [B<-srv_trusted> I<filenames>|I<uris>]
125 [B<-srv_untrusted> I<filenames>|I<uris>]
126 [B<-rsp_cert> I<filename>|I<uri>]
127 [B<-rsp_extracerts> I<filenames>|I<uris>]
128 [B<-rsp_capubs> I<filenames>|I<uris>]
129 [B<-poll_count> I<number>]
130 [B<-check_after> I<number>]
131 [B<-grant_implicitconf>]
132 [B<-pkistatus> I<number>]
133 [B<-failure> I<number>]
134 [B<-failurebits> I<number>]
135 [B<-statusstring> I<arg>]
136 [B<-send_error>]
137 [B<-send_unprotected>]
138 [B<-send_unprot_err>]
139 [B<-accept_unprotected>]
140 [B<-accept_unprot_err>]
141 [B<-accept_raverified>]
145 {- $OpenSSL::safe::opt_v_synopsis -}
159 =item B<-help>
163 =item B<-config> I<filename>
169 =item B<-section> I<names>
179 section (as far as present) can provide per-option fallback values.
181 =item B<-verbosity> I<level>
184 0 = EMERG, 1 = ALERT, 2 = CRIT, 3 = ERR, 4 = WARN, 5 = NOTE,
194 =item B<-cmd> I<ir|cr|kur|p10cr|rr|genm>
201 =item ir E<nbsp> - Initialization Request
203 =item cr E<nbsp> - Certificate Request
205 =item p10cr - PKCS#10 Certification Request (for legacy support)
207 =item kur E<nbsp>E<nbsp>- Key Update Request
209 =item rr E<nbsp> - Revocation Request
211 =item genm - General Message
222 but using legacy PKCS#10 CSR format.
233 =item B<-infotype> I<name>
238 =item B<-geninfo> I<OID:int:N>
249 =item B<-newkey> I<filename>|I<uri>
252 Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option,
257 Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the
259 where the B<-key> option may provide a fallback.
261 =item B<-newkeypass> I<arg>
263 Pass phrase source for the key given with the B<-newkey> option.
267 L<openssl-passphrase-options(1)>.
269 =item B<-subject> I<name>
273 If the NULL-DN (C<"/">) is given then no subject is placed in the template.
274 Default is the subject DN of any PKCS#10 CSR given with the B<-csr> option.
276 of the reference certificate (see B<-oldcert>) if provided.
279 If provided and neither B<-cert> nor B<-oldcert> is given,
285 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
286 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
292 =item B<-issuer> I<name>
296 If the NULL-DN (C<"/">) is given then no issuer is placed in the template.
298 If provided and neither B<-recipient> nor B<-srvcert> is given,
302 For details see the description of the B<-subject> option.
304 =item B<-days> I<number>
311 =item B<-reqexts> I<name>
314 If the B<-csr> option is present, these extensions augment the extensions
315 contained in the given PKCS#10 CSR, overriding any extensions with the same OIDs.
317 =item B<-sans> I<spec>
323 Cannot be used if any Subject Alternative Name extension is set via B<-reqexts>.
325 =item B<-san_nodefault>
327 When Subject Alternative Names are not given via B<-sans>
328 nor defined via B<-reqexts>,
329 they are copied by default from the reference certificate (see B<-oldcert>).
330 This can be disabled by giving the B<-san_nodefault> option.
332 =item B<-policies> I<name>
336 This option cannot be used together with B<-policy_oids>.
338 =item B<-policy_oids> I<names>
343 This option cannot be used together with B<-policies>.
345 =item B<-policy_oids_critical>
347 Flag the policies given with B<-policy_oids> as critical.
349 =item B<-popo> I<number>
351 Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..C<2> where
352 C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC.
354 Note that a signature-based POPO can only be produced if a private key
355 is provided via the B<-newkey> or B<-key> options.
357 =item B<-csr> I<filename>
359 PKCS#10 CSR in PEM or DER format containing a certificate request.
360 With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message.
362 When used with B<-cmd> I<ir>, I<cr>, or I<kur>,
364 In this case, a private key must be provided (with B<-newkey> or B<-key>)
365 for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used)
367 (rather than taking over the public key contained in the PKCS#10 CSR).
369 PKCS#10 CSR input may also be used with B<-cmd> I<rr>
373 =item B<-out_trusted> I<filenames>|I<uris>
383 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
386 =item B<-implicit_confirm>
390 =item B<-disable_confirm>
397 =item B<-certout> I<filename>
401 =item B<-chainout> I<filename>
411 =item B<-oldcert> I<filename>|I<uri>
413 The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
415 For KUR the certificate to be updated defaults to B<-cert>,
417 For RR the certificate to be revoked can also be specified using B<-csr>.
423 Its subject is used as sender of outgoing messages if B<-cert> is not given.
425 if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
427 =item B<-revreason> I<number>
430 or C<-1> for none (which is the default).
437 cACompromise (2),
442 -- value 7 is not used
454 =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
458 This option excludes I<-port> and I<-use_mock_srv>.
459 It is ignored if I<-rspin> is given with enough filename arguments.
461 The scheme C<https> may be given only if the B<-tls_used> option is used.
465 If a path is included it provides the default value for the B<-path> option.
467 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
469 The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
473 selected by B<-tls_used>), as well as any path, userinfo, query, and fragment
477 This option is ignored if I<-server> is not given.
479 =item B<-no_proxy> I<addresses>
485 This option is ignored if I<-server> is not given.
487 =item B<-recipient> I<name>
494 the subject of the CMP server certificate given with the B<-srvcert> option,
495 the B<-issuer> option,
496 the issuer of the certificate given with the B<-oldcert> option,
497 the issuer of the CMP client certificate (B<-cert> option),
498 as far as any of those is present, else the NULL-DN as last resort.
501 For details see the description of the B<-subject> option.
503 =item B<-path> I<remote_path>
506 Defaults to any path given with B<-server>, else C<"/">.
508 =item B<-keep_alive> I<value>
512 If the value is 1 or 2 then persistent connections are requested.
513 If the value is 2 then persistent connections are required,
517 =item B<-msg_timeout> I<seconds>
519 Number of seconds a CMP request-response message round trip
522 Default is to use the B<-total_timeout> setting.
524 =item B<-total_timeout> I<seconds>
537 =item B<-trusted> I<filenames>|I<uris>
540 when validating signature-based protection of CMP response messages.
541 This option is ignored if the B<-srvcert> option is given as well.
542 It provides more flexibility than B<-srvcert> because the CMP protection
546 If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation
547 errors will be thrown unless B<-unprotected_errors> permits an exception.
554 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
557 =item B<-untrusted> I<filenames>|I<uris>
559 Non-trusted intermediate CA certificate(s).
560 Any extra certificates given with the B<-cert> option are appended to it.
565 when validating server certificates (checking signature-based
571 =item B<-srvcert> I<filename>|I<uri>
574 expired) when verifying signature-based protection of CMP response messages.
575 This pins the accepted server and results in ignoring the B<-trusted> option.
581 =item B<-expect_sender> I<name>
584 Defaults to the subject DN of the pinned B<-srvcert>, if any.
589 Note that this option gives slightly more freedom than setting the B<-srvcert>,
594 For details see the description of the B<-subject> option.
596 =item B<-ignore_keyusage>
599 signature-based protection of incoming CMP messages.
602 =item B<-unprotected_errors>
638 =item B<-extracertsout> I<filename>
643 =item B<-cacertsout> I<filename>
654 =item B<-ref> I<value>
657 if no sender name can be determined from the B<-cert> or B<-subject> options and
658 is typically used when authenticating with pre-shared key (password-based MAC).
660 =item B<-secret> I<arg>
662 Provides the source of a secret value to use with MAC-based message protection.
663 This takes precedence over the B<-cert> and B<-key> options.
664 The secret is used for creating MAC-based protection of outgoing messages
665 and for validating incoming messages that have MAC-based protection.
666 The algorithm used by default is Password-Based Message Authentication Code (PBM)
670 L<openssl-passphrase-options(1)>.
672 =item B<-cert> I<filename>|I<uri>
675 Requires the corresponding key to be given with B<-key>.
681 while the subject of B<-oldcert> or B<-subject> may provide fallback values.
686 When performing signature-based message protection,
694 the certificate to be updated if the B<-oldcert> option is not given.
698 is included in the extraCerts field in signature-protected request messages.
700 =item B<-own_trusted> I<filenames>|I<uris>
703 the client-side CMP signer certificate given with the B<-cert> option
711 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
714 =item B<-key> I<filename>|I<uri>
717 the B<-cert> option.
718 This will be used for signature-based message protection unless the B<-secret>
719 option indicating MAC-based protection or B<-unprotected_requests> is given.
721 It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages.
723 =item B<-keypass> I<arg>
725 Pass phrase source for the private key given with the B<-key> option.
726 Also used for B<-cert> and B<-oldcert> in case it is an encrypted PKCS#12 file.
730 L<openssl-passphrase-options(1)>.
732 =item B<-digest> I<name>
735 and as the one-way function (OWF) in C<MSG_MAC_ALG>.
737 proof-of-possession (POPO) signatures.
738 To see the list of supported digests, use C<openssl list -digest-commands>.
741 =item B<-mac> I<name>
744 To get the names of supported MAC algorithms use C<openssl list -mac-algorithms>
747 Defaults to C<hmac-sha1> as per RFC 4210.
749 =item B<-extracerts> I<filenames>|I<uris>
758 =item B<-unprotected_requests>
760 Send request messages without CMP-level protection.
768 =item B<-certform> I<PEM|DER>
773 =item B<-keyform> I<PEM|DER|P12|ENGINE>
776 See L<openssl(1)/Format Options> for details.
778 =item B<-otherpass> I<arg>
780 Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>,
781 B<-own_trusted>, B<-srvcert>, B<-out_trusted>, B<-extracerts>,
782 B<-srv_trusted>, B<-srv_untrusted>, B<-rsp_extracerts>, B<-rsp_capubs>,
783 B<-tls_extra>, and B<-tls_trusted> options.
787 L<openssl-passphrase-options(1)>.
789 {- $OpenSSL::safe::opt_engine_item -}
791 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
794 -engine {engineid} -key {keyid} -keyform ENGINE
796 ... it's also possible to just give the key ID in URI form to B<-key>,
799 -key org.openssl.engine:{engineid}:{keyid}
801 This applies to all options specifying keys: B<-key>, B<-newkey>, and
802 B<-tls_key>.
803 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
811 {- $OpenSSL::safe::opt_provider_item -}
819 {- $OpenSSL::safe::opt_r_item -}
827 =item B<-tls_used>
829 Enable using TLS (even when other TLS-related options are not set)
831 This option is not supported with the I<-port> option.
832 It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given
833 or I<-rspin> is given with enough filename arguments.
835 The following TLS-related options are ignored
836 if B<-tls_used> is not given or does not take effect.
838 =item B<-tls_cert> I<filename>|I<uri>
841 If the source includes further certs they are used (along with B<-untrusted>
844 =item B<-tls_key> I<filename>|I<uri>
848 =item B<-tls_keypass> I<arg>
850 Pass phrase source for client's private TLS key B<-tls_key>.
851 Also used for B<-tls_cert> in case it is an encrypted PKCS#12 file.
855 L<openssl-passphrase-options(1)>.
857 =item B<-tls_extra> I<filenames>|I<uris>
861 =item B<-tls_trusted> I<filenames>|I<uris>
871 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
874 =item B<-tls_host> I<name>
878 If not given it defaults to the B<-server> address.
882 =head2 Client-side debugging options
886 =item B<-batch>
891 =item B<-repeat> I<number>
896 =item B<-reqin> I<filenames>
901 This option is ignored if the B<-rspin> option is given
914 This causes re-protection (if protecting requests is required).
916 =item B<-reqin_new_tid>
918 Use a fresh transactionID for CMP request messages read using B<-reqin>,
923 =item B<-reqout> I<filenames>
926 These requests are not sent to the server if the B<-reqin> option is used, too.
934 =item B<-rspin> I<filenames>
942 Any server specified via the I<-server> or I<-use_mock_srv> options is contacted
947 =item B<-rspout> I<filenames>
950 These have been received from the server unless B<-rspin> takes effect.
958 =item B<-use_mock_srv>
960 Test the client using the internal CMP server mock-up at API level,
961 bypassing socket-based transfer via HTTP.
962 This excludes the B<-server> and B<-port> options.
970 =item B<-port> I<number>
972 Act as HTTP-based CMP server mock-up listening on the given port.
973 This excludes the B<-server> and B<-use_mock_srv> options.
974 The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options
977 =item B<-max_msgs> I<number>
979 Maximum number of CMP (request) messages the CMP HTTP server mock-up
983 detects a CMP-level error that it can successfully answer with an error message.
985 =item B<-srv_ref> I<value>
987 Reference value to use as senderKID of server in case no B<-srv_cert> is given.
989 =item B<-srv_secret> I<arg>
991 Password source for server authentication with a pre-shared key (secret).
993 =item B<-srv_cert> I<filename>|I<uri>
997 =item B<-srv_key> I<filename>|I<uri>
1001 =item B<-srv_keypass> I<arg>
1005 =item B<-srv_trusted> I<filenames>|I<uris>
1010 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
1013 =item B<-srv_untrusted> I<filenames>|I<uris>
1017 =item B<-rsp_cert> I<filename>|I<uri>
1021 =item B<-rsp_extracerts> I<filenames>|I<uris>
1025 =item B<-rsp_capubs> I<filenames>|I<uris>
1029 =item B<-poll_count> I<number>
1033 =item B<-check_after> I<number>
1037 =item B<-grant_implicitconf>
1041 =item B<-pkistatus> I<number>
1046 =item B<-failure> I<number>
1051 =item B<-failurebits> I<number>
1053 Valid range is 0 .. 2^27 - 1.
1055 =item B<-statusstring> I<arg>
1059 =item B<-send_error>
1063 =item B<-send_unprotected>
1065 Send response messages without CMP-level protection.
1067 =item B<-send_unprot_err>
1073 =item B<-accept_unprotected>
1077 =item B<-accept_unprot_err>
1082 =item B<-accept_raverified>
1092 {- $OpenSSL::safe::opt_v_item -}
1095 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
1096 only affect the certificate verification enabled via the B<-out_trusted> option.
1106 using B<-trusted> and related options for certificate-based authentication
1107 or B<-secret> for MAC-based protection.
1117 B<-unprotected_errors> option, which allows accepting such negative messages.
1134 wget 'http://pki.certificate.fi:8081/install-ca-cert.html/ca-certificate.crt'\
1135 '?ca-id=632&download-certificate=1' -O insta.ca.crt
1139 openssl genrsa -out insta.priv.pem
1140 openssl cmp -section insta
1146 openssl x509 -noout -text -in insta.cert.pem
1149 via the environment variable B<http_proxy> or via the B<-proxy> option in the
1150 configuration file or the CMP command-line argument B<-proxy>, for example
1152 -proxy http://192.168.1.1:8080
1154 In the Insta Demo CA scenario both clients and the server may use the pre-shared
1157 Alternatively, CMP messages may be protected in signature-based manner,
1163 openssl cmp -section insta,signature
1168 openssl cmp -section insta -cmd cr
1172 openssl cmp -section insta,cr
1176 openssl cmp -section insta,kur
1178 using MAC-based protection with PBM or
1180 openssl cmp -section insta,kur,signature
1182 using signature-based protection.
1186 openssl cmp -section insta,rr -trusted insta.ca.crt
1190 openssl cmp -section insta,rr,signature
1194 For instance, the B<-reqexts> CLI option may refer to a section in the
1198 openssl cmp -section insta,cr -reqexts v3_req
1208 using a pre-shared secret key for mutual authentication.
1210 so we specify the name of the CA with the B<-recipient> option
1216 openssl genrsa -out cl_key.pem
1217 openssl cmp -cmd ir -server 127.0.0.1:80/pkix/ -recipient "/CN=CMPserver" \
1218 -ref 1234 -secret pass:1234-5678 \
1219 -newkey cl_key.pem -subject "/CN=MyName" \
1220 -cacertsout capubs.pem -certout cl_cert.pem
1230 openssl genrsa -out cl_key_new.pem
1231 openssl cmp -cmd kur -server 127.0.0.1:80/pkix/ \
1232 -trusted capubs.pem \
1233 -cert cl_cert.pem -key cl_key.pem \
1234 -newkey cl_key_new.pem -certout cl_cert.pem
1244 openssl cmp -cmd genm -server 127.0.0.1/pkix/ -recipient "/CN=CMPserver" \
1245 -ref 1234 -secret pass:1234-5678
1250 usually many parameters need to be set, which is tedious and error-prone to do
1274 secret = pass:1234-5678-1234-567
1280 openssl cmp -section cmp,init
1281 openssl cmp -cmd kur -newkey cl_key_new.pem
1285 openssl cmp -section cmp,init -cmd genm
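The following configuration file is an added example, not text from the OpenSSL manual page itself. It collects the command-line options of the IR and KUR examples above into the C<[cmp]> and C<[init]> sections that the C<-section cmp,init> invocations refer to. Each CMP option is written as a key without its leading hyphen; sections named later in B<-section> override sections named earlier, and the C<[default]> and unnamed sections supply fallbacks. The server address, recipient name, file names and the reference/secret values are the ones used in the examples above; the C<file:> and C<env:> sources mentioned in the comments are the standard pass phrase sources of L<openssl-passphrase-options(1)>.

```ini
# Added example configuration (not from the manual page), e.g. saved as cmp.cnf
# and selected with: openssl cmp -config cmp.cnf -section cmp,init
# Without -config, openssl cmp reads the default OpenSSL configuration file.

[cmp]
# Settings shared by all exchanges with the (assumed) local CMP server
# from the command-line examples above.
server      = 127.0.0.1:80/pkix/
recipient   = "/CN=CMPserver"

# senderKID reference and pre-shared secret for PBM (MAC-based) protection.
# A secret set here takes precedence over cert/key, so requests from this
# section are MAC-protected. Placing it in the config keeps it out of shell
# history and "ps" output, but the file then needs restrictive permissions;
# "secret = file:cmp_secret.txt" or "secret = env:CMP_SECRET" keeps the value
# out of the config file entirely.
ref         = 1234
secret      = pass:1234-5678-1234-567

# Where the enrolled certificate and the CA certificates (caPubs) are written.
cacertsout  = capubs.pem
certout     = cl_cert.pem

# Client certificate and key obtained by the initial IR.  For a later
# "openssl cmp -cmd kur -newkey cl_key_new.pem" they identify the certificate
# to be updated (the -oldcert fallback); trusted anchors verify any
# signature-protected responses.
cert        = cl_cert.pem
key         = cl_key.pem
trusted     = capubs.pem

[init]
# "openssl cmp -section cmp,init": this section is read after [cmp] and
# overrides it, turning the shared settings into an Initialization Request.
cmd         = ir
newkey      = cl_key.pem
subject     = "/CN=MyName"
```

With this file in place, C<openssl cmp -section cmp,init> performs the enrollment, C<openssl cmp -cmd kur -newkey cl_key_new.pem> renews the certificate using the default C<[cmp]> section, and C<openssl cmp -section cmp,init -cmd genm> overrides only the command, which is the behaviour the three invocations above rely on.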
1289 L<openssl-genrsa(1)>, L<openssl-ecparam(1)>, L<openssl-list(1)>,
1290 L<openssl-req(1)>, L<openssl-x509(1)>, L<x509v3_config(5)>
1296 The B<-engine> option was deprecated in OpenSSL 3.0.
1300 Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
1305 L<https://www.openssl.org/source/license.html>.