
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-cmp - Certificate Management Protocol (CMP, RFC 4210) application
11 [B<-help>]
12 [B<-config> I<filename>]
13 [B<-section> I<names>]
14 [B<-verbosity> I<level>]
16 Generic message options:
18 [B<-cmd> I<ir|cr|kur|p10cr|rr|genm>]
19 [B<-infotype> I<name>]
20 [B<-profile> I<name>]
21 [B<-geninfo> I<values>]
22 [B<-template> I<filename>]
23 [B<-keyspec> I<filename>]
27 [B<-newkey> I<filename>|I<uri>]
28 [B<-newkeypass> I<arg>]
29 [B<-centralkeygen>
30 [B<-newkeyout> I<filename>]
31 [B<-subject> I<name>]
32 [B<-days> I<number>]
33 [B<-reqexts> I<name>]
34 [B<-sans> I<spec>]
35 [B<-san_nodefault>]
36 [B<-policies> I<name>]
37 [B<-policy_oids> I<names>]
38 [B<-policy_oids_critical>]
39 [B<-popo> I<number>]
40 [B<-csr> I<filename>]
41 [B<-out_trusted> I<filenames>|I<uris>]
42 [B<-implicit_confirm>]
43 [B<-disable_confirm>]
44 [B<-certout> I<filename>]
45 [B<-chainout> I<filename>]
49 [B<-oldcert> I<filename>|I<uri>]
50 [B<-issuer> I<name>]
51 [B<-serial> I<number>]
52 [B<-revreason> I<number>]
54 Message transfer options:
56 [B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
57 [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>]
58 [B<-no_proxy> I<addresses>]
59 [B<-recipient> I<name>]
60 [B<-path> I<remote_path>]
61 [B<-keep_alive> I<value>]
62 [B<-msg_timeout> I<seconds>]
63 [B<-total_timeout> I<seconds>]
67 [B<-trusted> I<filenames>|I<uris>]
68 [B<-untrusted> I<filenames>|I<uris>]
69 [B<-srvcert> I<filename>|I<uri>]
70 [B<-expect_sender> I<name>]
71 [B<-ignore_keyusage>]
72 [B<-unprotected_errors>]
73 [B<-no_cache_extracerts>]
74 [B<-srvcertout> I<filename>]
75 [B<-extracertsout> I<filename>]
76 [B<-cacertsout> I<filename>]
77 [B<-oldwithold> I<filename>]
78 [B<-newwithnew> I<filename>]
79 [B<-newwithold> I<filename>]
80 [B<-oldwithnew> I<filename>]
81 [B<-crlcert> I<filename>]
82 [B<-oldcrl> I<filename>]
83 [B<-crlout> I<filename>]
87 [B<-ref> I<value>]
88 [B<-secret> I<arg>]
89 [B<-cert> I<filename>|I<uri>]
90 [B<-own_trusted> I<filenames>|I<uris>]
91 [B<-key> I<filename>|I<uri>]
92 [B<-keypass> I<arg>]
93 [B<-digest> I<name>]
94 [B<-mac> I<name>]
95 [B<-extracerts> I<filenames>|I<uris>]
96 [B<-unprotected_requests>]
100 [B<-certform> I<PEM|DER>]
101 [B<-crlform> I<PEM|DER>]
102 [B<-keyform> I<PEM|DER|P12|ENGINE>]
103 [B<-otherpass> I<arg>]
104 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
108 {- $OpenSSL::safe::opt_r_synopsis -}
112 [B<-tls_used>]
113 [B<-tls_cert> I<filename>|I<uri>]
114 [B<-tls_key> I<filename>|I<uri>]
115 [B<-tls_keypass> I<arg>]
116 [B<-tls_extra> I<filenames>|I<uris>]
117 [B<-tls_trusted> I<filenames>|I<uris>]
118 [B<-tls_host> I<name>]
120 Client-side debugging options:
122 [B<-batch>]
123 [B<-repeat> I<number>]
124 [B<-reqin> I<filenames>]
125 [B<-reqin_new_tid>]
126 [B<-reqout> I<filenames>]
127 [B<-reqout_only> I<filename>]
128 [B<-rspin> I<filenames>]
129 [B<-rspout> I<filenames>]
130 [B<-use_mock_srv>]
134 [B<-port> I<number>]
135 [B<-max_msgs> I<number>]
136 [B<-srv_ref> I<value>]
137 [B<-srv_secret> I<arg>]
138 [B<-srv_cert> I<filename>|I<uri>]
139 [B<-srv_key> I<filename>|I<uri>]
140 [B<-srv_keypass> I<arg>]
141 [B<-srv_trusted> I<filenames>|I<uris>]
142 [B<-srv_untrusted> I<filenames>|I<uris>]
143 [B<-ref_cert> I<filename>|I<uri>]
144 [B<-rsp_cert> I<filename>|I<uri>]
145 [B<-rsp_key> I<filename>|I<uri>]
146 [B<-rsp_keypass> I<filename>|I<uri>]
147 [B<-rsp_crl> I<filename>|I<uri>]
148 [B<-rsp_extracerts> I<filenames>|I<uris>]
149 [B<-rsp_capubs> I<filenames>|I<uris>]
150 [B<-rsp_newwithnew> I<filename>|I<uri>]
151 [B<-rsp_newwithold> I<filename>|I<uri>]
152 [B<-rsp_oldwithnew> I<filename>|I<uri>]
153 [B<-poll_count> I<number>]
154 [B<-check_after> I<number>]
155 [B<-grant_implicitconf>]
156 [B<-pkistatus> I<number>]
157 [B<-failure> I<number>]
158 [B<-failurebits> I<number>]
159 [B<-statusstring> I<arg>]
160 [B<-send_error>]
161 [B<-send_unprotected>]
162 [B<-send_unprot_err>]
163 [B<-accept_unprotected>]
164 [B<-accept_unprot_err>]
165 [B<-accept_raverified>]
169 {- $OpenSSL::safe::opt_v_synopsis -}
183 =item B<-help>
187 =item B<-config> I<filename>
193 =item B<-section> I<names>
203 section (as far as present) can provide per-option fallback values.
205 =item B<-verbosity> I<level>
214 =head2 Generic message options
218 =item B<-cmd> I<ir|cr|kur|p10cr|rr|genm>
225 =item ir E<nbsp> - Initialization Request
227 =item cr E<nbsp> - Certificate Request
229 =item p10cr - PKCS#10 Certification Request (for legacy support)
231 =item kur E<nbsp>E<nbsp>- Key Update Request
233 =item rr E<nbsp> - Revocation Request
235 =item genm - General Message
252 B<genm> requests information using a General Message, where optionally
257 =item B<-infotype> I<name>
264 =item B<-profile> I<name>
269 =item B<-geninfo> I<values>
271 A comma-separated list of InfoTypeAndValue to place in
275 e.g., C<'1.2.3.4:int:56789, id-kp:str:name'>.
277 =item B<-template> I<filename>
280 received in a genp message with id-it-certReqTemplate.
282 =item B<-keyspec> I<filename>
285 present in a genp message with id-it-keyGenParameters.
295 =item B<-newkey> I<filename>|I<uri>
298 Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option,
303 Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the
305 where the B<-key> option may provide a fallback.
307 =item B<-newkeypass> I<arg>
309 Pass phrase source for the key given with the B<-newkey> option.
313 L<openssl-passphrase-options(1)>.
315 =item B<-centralkeygen>
318 This applies to B<-cmd> I<ir|cr|kur|p10cr>.
320 =item B<-newkeyout> I<filename>
324 =item B<-subject> I<name>
328 If the NULL-DN (C</>) is given then no subject is placed in the template.
329 Default is the subject DN of any PKCS#10 CSR given with the B<-csr> option.
331 of the reference certificate (see B<-oldcert>) if provided.
334 If provided and neither of B<-cert>, B<-oldcert>, or B<-csr> is given,
340 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
341 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
347 =item B<-days> I<number>
354 =item B<-reqexts> I<name>
357 If the B<-csr> option is present, these extensions augment the extensions
360 =item B<-sans> I<spec>
367 Cannot be used if any Subject Alternative Name extension is set via B<-reqexts>.
369 =item B<-san_nodefault>
371 When Subject Alternative Names are not given via B<-sans>
372 nor defined via B<-reqexts>,
373 they are copied by default from the reference certificate (see B<-oldcert>).
374 This can be disabled by giving the B<-san_nodefault> option.
376 =item B<-policies> I<name>
380 This option cannot be used together with B<-policy_oids>.
382 =item B<-policy_oids> I<names>
387 This option cannot be used together with B<-policies>.
389 =item B<-policy_oids_critical>
391 Flag the policies given with B<-policy_oids> as critical.
393 =item B<-popo> I<number>
395 Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..C<2> where
396 C<-1> = NONE, which implies central key generation,
399 Note that a signature-based POPO can only be produced if a private key
400 is provided via the B<-newkey> or B<-key> options.
402 =item B<-csr> I<filename>
405 With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message.
407 When used with B<-cmd> I<ir>, I<cr>, or I<kur>,
409 In this case, a private key must be provided (with B<-newkey> or B<-key>)
410 for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used)
414 PKCS#10 CSR input may also be used with B<-cmd> I<rr>
417 Its subject is used as fallback sender in CMP message headers
418 if B<-cert> and B<-oldcert> are not given.
420 =item B<-out_trusted> I<filenames>|I<uris>
430 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
433 =item B<-implicit_confirm>
437 =item B<-disable_confirm>
439 Do not send certificate confirmation message for newly enrolled certificate
444 =item B<-certout> I<filename>
448 =item B<-chainout> I<filename>
454 If the B<-certout> option is given, too, with equal I<filename> argument,
464 =item B<-oldcert> I<filename>|I<uri>
466 The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
468 For KUR the certificate to be updated defaults to B<-cert>,
470 For RR the certificate to be revoked can also be specified using B<-csr>.
471 B<-oldcert> and B<-csr> are ignored if B<-issuer> and B<-serial> are provided.
477 Its subject is used as sender of outgoing messages if B<-cert> is not given.
478 Its issuer is used as default recipient in CMP message headers
479 if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
481 =item B<-issuer> I<name>
485 If the NULL-DN (C</>) is given then no issuer is placed in the template.
487 If provided and neither B<-recipient> nor B<-srvcert> is given,
491 For details see the description of the B<-subject> option.
493 =item B<-serial> I<number>
498 =item B<-revreason> I<number>
501 or C<-1> for none (which is the default).
513 -- value 7 is not used
521 =head2 Message transfer options
525 =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
532 This option excludes I<-port> and I<-use_mock_srv>.
533 It is ignored if I<-rspin> is given with enough filename arguments.
535 If the scheme C<https> is given, the B<-tls_used> option is implied.
539 If a path is included it provides the default value for the B<-path> option.
541 =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>
543 The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
548 may be required by B<-tls_used> or B<-server> with the prefix C<https>),
552 This option is ignored if I<-server> is not given.
554 =item B<-no_proxy> I<addresses>
560 This option is ignored if I<-server> is not given.
562 =item B<-recipient> I<name>
564 Distinguished Name (DN) to use in the recipient field of CMP request message
567 The recipient field in the header of a CMP message is mandatory.
569 the subject of the CMP server certificate given with the B<-srvcert> option,
570 the B<-issuer> option,
571 the issuer of the certificate given with the B<-oldcert> option,
572 the issuer of the CMP client certificate (B<-cert> option),
573 as far as any of those is present, else the NULL-DN as last resort.
576 For details see the description of the B<-subject> option.
578 =item B<-path> I<remote_path>
581 Defaults to any path given with B<-server>, else C<"/">.
583 =item B<-keep_alive> I<value>
594 =item B<-msg_timeout> I<seconds>
596 Number of seconds a CMP request-response message round trip
599 Default is to use the B<-total_timeout> setting.
601 =item B<-total_timeout> I<seconds>
614 =item B<-trusted> I<filenames>|I<uris>
617 when validating signature-based protection of CMP response messages.
618 This option is ignored if the B<-srvcert> option is given as well.
619 It provides more flexibility than B<-srvcert> because the CMP protection
623 If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation
624 errors will be thrown unless B<-unprotected_errors> permits an exception.
631 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
634 =item B<-untrusted> I<filenames>|I<uris>
636 Non-trusted intermediate CA certificate(s).
637 Any extra certificates given with the B<-cert> option are appended to it.
642 when validating server certificates (checking signature-based
643 CMP message protection) and when validating newly enrolled certificates.
649 =item B<-srvcert> I<filename>|I<uri>
652 expired) when verifying signature-based protection of CMP response messages.
653 This pins the accepted server and results in ignoring the B<-trusted> option.
659 =item B<-expect_sender> I<name>
662 Defaults to the subject DN of the pinned B<-srvcert>, if any.
665 CMP message signer, and attackers are not able to use arbitrary certificates
667 Note that this option gives slightly more freedom than setting the B<-srvcert>,
672 For details see the description of the B<-subject> option.
674 =item B<-ignore_keyusage>
677 signature-based protection of incoming CMP messages.
681 =item B<-unprotected_errors>
684 This applies to the following message types and contents:
707 used to protect a message [...] because other protection, external to PKIX, will
713 =item * appendix D.4 shows PKIConf message having protection
717 =item B<-no_cache_extracerts>
723 =item B<-srvcertout> I<filename>
726 that the CMP server used for signature-based response message protection.
727 If there is no such certificate, typically because the protection was MAC-based,
730 =item B<-extracertsout> I<filename>
733 field of the last received response message that is not a pollRep nor PKIConf.
735 =item B<-cacertsout> I<filename>
738 if a positive certificate response (i.e., IP, CP, or KUP) message was received
739 or contained in a general response (genp) message with infoType C<caCerts>.
741 =item B<-oldwithold> I<filename>
747 =item B<-newwithnew> I<filename>
749 This option must be provided when B<-infotype> I<rootCaCert> is given.
751 received in a genp message of type C<rootCaKeyUpdate>.
757 and the certificate provided with B<-oldwithold> as the (only) trust anchor,
758 or if not provided, using the certificates given with the B<-trusted> option.
763 the B<-oldwithold> certificate if present, otherwise it cannot be stronger than
764 the weakest trust placed in any of the B<-trusted> certificates.
766 =item B<-newwithold> I<filename>
769 received in a genp message of infoType C<rootCaKeyUpdate>.
772 =item B<-oldwithnew> I<filename>
775 received in a genp message of infoType C<rootCaKeyUpdate>.
778 =item B<-crlcert> I<filename>
784 =item B<-oldcrl> I<filename>
787 Unless the B<-crlcert> option is provided as well,
792 =item B<-crlout> I<filename>
794 The file to save any CRL received in a genp message of infoType C<crls>.
803 =item B<-ref> I<value>
806 if no sender name can be determined from the B<-cert> or B<-subject> options and
807 is typically used when authenticating with pre-shared key (password-based MAC).
809 =item B<-secret> I<arg>
811 Provides the source of a secret value to use with MAC-based message protection.
812 This takes precedence over the B<-cert> and B<-key> options.
813 The secret is used for creating MAC-based protection of outgoing messages
814 and for validating incoming messages that have MAC-based protection.
815 The algorithm used by default is Password-Based Message Authentication Code (PBM)
819 L<openssl-passphrase-options(1)>.
821 =item B<-cert> I<filename>|I<uri>
824 Requires the corresponding key to be given with B<-key>.
830 while the subject of B<-oldcert> or B<-subject> may provide fallback values.
835 When performing signature-based message protection,
843 the certificate to be updated if the B<-oldcert> option is not given.
847 is included in the extraCerts field in signature-protected request messages.
849 =item B<-own_trusted> I<filenames>|I<uris>
852 the client-side CMP signer certificate given with the B<-cert> option
860 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
863 =item B<-key> I<filename>|I<uri>
866 the B<-cert> option.
867 This will be used for signature-based message protection unless the B<-secret>
868 option indicating MAC-based protection or B<-unprotected_requests> is given.
870 It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages.
872 =item B<-keypass> I<arg>
874 Pass phrase source for the private key given with the B<-key> option.
875 Also used for B<-cert> and B<-oldcert> in case it is an encrypted PKCS#12 file.
879 L<openssl-passphrase-options(1)>.
881 =item B<-digest> I<name>
884 and as the one-way function (OWF) in C<MSG_MAC_ALG>.
885 If applicable, this is used for message protection and
886 proof-of-possession (POPO) signatures.
887 To see the list of supported digests, use C<openssl list -digest-commands>.
890 =item B<-mac> I<name>
893 To get the names of supported MAC algorithms use C<openssl list -mac-algorithms>
896 Defaults to C<hmac-sha1> as per RFC 4210.
898 =item B<-extracerts> I<filenames>|I<uris>
907 =item B<-unprotected_requests>
909 Send request messages without CMP-level protection.
917 =item B<-certform> I<PEM|DER>
922 =item B<-crlform> I<PEM|DER>
929 =item B<-keyform> I<PEM|DER|P12|ENGINE>
934 =item B<-otherpass> I<arg>
936 Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>,
937 B<-own_trusted>, B<-srvcert>, B<-crlcert>, B<-out_trusted>, B<-extracerts>,
938 B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>,
939 B<-rsp_extracerts>, B<-rsp_capubs>,
940 B<-rsp_newwithnew>, B<-rsp_newwithold>, B<-rsp_oldwithnew>,
941 B<-tls_extra>, and B<-tls_trusted> options.
945 L<openssl-passphrase-options(1)>.
947 {- $OpenSSL::safe::opt_engine_item -}
949 {- output_off() if $disabled{"deprecated-3.0"}; "" -}
952 -engine {engineid} -key {keyid} -keyform ENGINE
954 ... it's also possible to just give the key ID in URI form to B<-key>,
957 -key org.openssl.engine:{engineid}:{keyid}
959 This applies to all options specifying keys: B<-key>, B<-newkey>, and
960 B<-tls_key>.
961 {- output_on() if $disabled{"deprecated-3.0"}; "" -}
969 {- $OpenSSL::safe::opt_provider_item -}
977 {- $OpenSSL::safe::opt_r_item -}
985 =item B<-tls_used>
987 Make the CMP client use TLS (regardless if other TLS-related options are set)
988 for message exchange with the server via HTTP.
989 This option is not supported with the I<-port> option.
990 It is implied if the B<-server> option is given with the scheme C<https>.
991 It is ignored if the B<-server> option is not given or B<-use_mock_srv> is given
992 or B<-rspin> is given with enough filename arguments.
994 The following TLS-related options are ignored if TLS is not used.
996 =item B<-tls_cert> I<filename>|I<uri>
999 If the source includes further certs they are used (along with B<-untrusted>
1002 =item B<-tls_key> I<filename>|I<uri>
1006 =item B<-tls_keypass> I<arg>
1008 Pass phrase source for client's private TLS key B<-tls_key>.
1009 Also used for B<-tls_cert> in case it is an encrypted PKCS#12 file.
1013 L<openssl-passphrase-options(1)>.
1015 =item B<-tls_extra> I<filenames>|I<uris>
1019 =item B<-tls_trusted> I<filenames>|I<uris>
1029 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
1032 =item B<-tls_host> I<name>
1036 If not given it defaults to the B<-server> address.
1040 =head2 Client-side options for debugging and offline scenarios
1044 =item B<-batch>
1049 =item B<-repeat> I<number>
1054 =item B<-reqin> I<filenames>
1062 This option is ignored if the B<-rspin> option is given
1067 (such as B<-cmd> and all options providing the required parameters)
1068 need to be given also when the B<-reqin> option is present.
1070 If the B<-reqin> option is given for a certificate request
1071 and no B<-newkey>, B<-key>, B<-oldcert>, or B<-csr> option is given,
1072 a fallback public key is taken from the request message file
1075 Hint: In case the B<-reqin> option is given for a certificate request, there are
1079 certificate request message will not be sent), and its generation
1080 can be disabled using the options B<-popo> I<-1> or B<-popo> I<0>.
1092 This causes re-protection (if protecting requests is required).
1094 =item B<-reqin_new_tid>
1096 Use a fresh transactionID for CMP request messages read using B<-reqin>,
1101 =item B<-reqout> I<filenames>
1104 These requests are not sent to the server if the B<-reqin> option is used, too.
1112 =item B<-reqout_only> I<filename>
1120 =item B<-rspin> I<filenames>
1128 Any server specified via the I<-server> or I<-use_mock_srv> options is contacted
1133 =item B<-rspout> I<filenames>
1136 These have been received from the server unless B<-rspin> takes effect.
1144 =item B<-use_mock_srv>
1146 Test the client using the internal CMP server mock-up at API level,
1147 bypassing socket-based transfer via HTTP.
1148 This excludes the B<-server> and B<-port> options.
1156 =item B<-port> I<number>
1158 Act as HTTP-based CMP server mock-up listening on the given local port.
1160 This option excludes the B<-server> and B<-use_mock_srv> options.
1161 The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options
1164 =item B<-max_msgs> I<number>
1166 Maximum number of CMP (request) messages the CMP HTTP server mock-up
1170 detects a CMP-level error that it can successfully answer with an error message.
1172 =item B<-srv_ref> I<value>
1174 Reference value to use as senderKID of server in case no B<-srv_cert> is given.
1176 =item B<-srv_secret> I<arg>
1178 Password source for server authentication with a pre-shared key (secret).
1180 =item B<-srv_cert> I<filename>|I<uri>
1184 =item B<-srv_key> I<filename>|I<uri>
1188 =item B<-srv_keypass> I<arg>
1192 =item B<-srv_trusted> I<filenames>|I<uris>
1197 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
1200 =item B<-srv_untrusted> I<filenames>|I<uris>
1204 =item B<-ref_cert> I<filename>|I<uri>
1208 =item B<-rsp_cert> I<filename>|I<uri>
1212 =item B<-rsp_key> I<filename>|I<uri>
1216 =item B<-rsp_keypass> I<arg>
1220 =item B<-rsp_crl> I<filename>|I<uri>
1224 =item B<-rsp_extracerts> I<filenames>|I<uris>
1228 =item B<-rsp_capubs> I<filenames>|I<uris>
1230 CA certificates to be included in mock Initialization Response (IP) message.
1232 =item B<-rsp_newwithnew> I<filename>|I<uri>
1236 =item B<-rsp_newwithold> I<filename>|I<uri>
1240 =item B<-rsp_oldwithnew> I<filename>|I<uri>
1244 =item B<-poll_count> I<number>
1248 =item B<-check_after> I<number>
1252 =item B<-grant_implicitconf>
1256 =item B<-pkistatus> I<number>
1261 =item B<-failure> I<number>
1266 =item B<-failurebits> I<number>
1268 Valid range is 0 .. 2^27 - 1.
1270 =item B<-statusstring> I<arg>
1274 =item B<-send_error>
1276 Force server to reply with error message.
1278 =item B<-send_unprotected>
1280 Send response messages without CMP-level protection.
1282 =item B<-send_unprot_err>
1288 =item B<-accept_unprotected>
1292 =item B<-accept_unprot_err>
1297 =item B<-accept_raverified>
1307 {- $OpenSSL::safe::opt_v_item -}
1310 B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
1311 only affect the certificate verification enabled via the B<-out_trusted> option.
1322 using B<-trusted> and related options for certificate-based authentication
1323 or B<-secret> for MAC-based protection.
1324 If authentication is certificate-based, the B<-srvcertout> option
1326 and perform an authorization check based on it.
1331 check the protection of the CMP response message.
1336 B<-unprotected_errors> option, which allows accepting such negative messages.
1338 If OpenSSL was built with trace support enabled (e.g., C<./config enable-trace>)
1357 wget 'http://pki.certificate.fi:8081/install-ca-cert.html/ca-certificate.crt\
1358 ?ca-id=632&download-certificate=1' -O insta.ca.crt
1362 openssl genrsa -out insta.priv.pem
1363 openssl cmp -section insta
1369 openssl x509 -noout -text -in insta.cert.pem
1372 via the environment variable B<http_proxy> or via the B<-proxy> option in the
1373 configuration file or the CMP command-line argument B<-proxy>, for example
1375 -proxy http://192.168.1.1:8080
1377 In the Insta Demo CA scenario both clients and the server may use the pre-shared
1380 Alternatively, CMP messages may be protected in signature-based manner,
1386 openssl cmp -section insta,signature
1388 By default the CMP IR message type is used, yet CR works equally here.
1391 openssl cmp -section insta -cmd cr
1395 openssl cmp -section insta,cr
1399 openssl cmp -section insta,kur,signature
1401 using signature-based protection with the certificate that is to be updated.
1402 For certificate updates, MAC-based protection should generally not be used.
1406 openssl cmp -section insta,rr -trusted insta.ca.crt
1410 openssl cmp -section insta,rr,signature
1414 For instance, the B<-reqexts> CLI option may refer to a section in the
1418 openssl cmp -section insta,cr -reqexts v3_req
1427 and sends an initial request message to the local CMP server
1428 using a pre-shared secret key for mutual authentication.
1430 so we specify the name of the CA with the B<-recipient> option
1436 openssl genrsa -out cl_key.pem
1437 openssl cmp -cmd ir -server 127.0.0.1:80/pkix/ -recipient "/CN=CMPserver" \
1438 -ref 1234 -secret pass:1234-5678 \
1439 -newkey cl_key.pem -subject "/CN=MyName" \
1440 -cacertsout capubs.pem -certout cl_cert.pem
1450 openssl genrsa -out cl_key_new.pem
1451 openssl cmp -cmd kur -server 127.0.0.1:80/pkix/ \
1452 -trusted capubs.pem \
1453 -cert cl_cert.pem -key cl_key.pem \
1454 -newkey cl_key_new.pem -certout cl_cert.pem
1461 Requesting "all relevant information" with an empty General Message.
1464 openssl cmp -cmd genm -server 127.0.0.1/pkix/ -recipient "/CN=CMPserver" \
1465 -ref 1234 -secret pass:1234-5678
1470 usually many parameters need to be set, which is tedious and error-prone to do
1494 secret = pass:1234-5678-1234-567
1500 openssl cmp -section cmp,init
1501 openssl cmp -cmd kur -newkey cl_key_new.pem
1503 and the above transaction using a general message reduces to
1505 openssl cmp -section cmp,init -cmd genm
1509 L<openssl-genrsa(1)>, L<openssl-ecparam(1)>, L<openssl-list(1)>,
1510 L<openssl-req(1)>, L<openssl-x509(1)>, L<x509v3_config(5)>
1516 The B<-engine> option was deprecated in OpenSSL 3.0.
1518 The B<-oldwithold>, B<-newwithnew>, B<-newwithold>, B<-oldwithnew>,
1519 B<-srvcertout>, and B<-serial> options were added in OpenSSL 3.2, as well
1520 as an extension of B<-cacertsout> to use when getting CA certificates.
1521 Since then, the B<-issuer> option may also be used for certificates to be revoked.
1523 The B<-profile> and B<-no_cache_extracerts> options were added in OpenSSL 3.3,
1526 The B<-template>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
1527 and B<-rsp_crl> options were added in OpenSSL 3.4.
1529 B<-centralkeygen>, B<-newkeyout>, B<-rsp_key> and
1530 B<-rsp_keypass> were added in OpenSSL 3.5.
1534 Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.