Lines Matching +full:csr +full:- +full:2 +full:l
2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-req - PKCS#10 certificate request and certificate generating command
11 [B<-help>]
12 [B<-inform> B<DER>|B<PEM>]
13 [B<-outform> B<DER>|B<PEM>]
14 [B<-in> I<filename>]
15 [B<-passin> I<arg>]
16 [B<-out> I<filename>]
17 [B<-passout> I<arg>]
18 [B<-text>]
19 [B<-pubkey>]
20 [B<-noout>]
21 [B<-verify>]
22 [B<-modulus>]
23 [B<-new>]
24 [B<-newkey> I<arg>]
25 [B<-pkeyopt> I<opt>:I<value>]
26 [B<-noenc>]
27 [B<-nodes>]
28 [B<-key> I<filename>|I<uri>]
29 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30 [B<-keyout> I<filename>]
31 [B<-keygen_engine> I<id>]
32 [B<-I<digest>>]
33 [B<-config> I<filename>]
34 [B<-section> I<name>]
35 [B<-x509>]
36 [B<-CA> I<filename>|I<uri>]
37 [B<-CAkey> I<filename>|I<uri>]
38 [B<-days> I<n>]
39 [B<-set_serial> I<n>]
40 [B<-newhdr>]
41 [B<-copy_extensions> I<arg>]
42 [B<-addext> I<ext>]
43 [B<-extensions> I<section>]
44 [B<-reqexts> I<section>]
45 [B<-precert>]
46 [B<-utf8>]
47 [B<-reqopt>]
48 [B<-subject>]
49 [B<-subj> I<arg>]
50 [B<-multivalue-rdn>]
51 [B<-sigopt> I<nm>:I<v>]
52 [B<-vfyopt> I<nm>:I<v>]
53 [B<-batch>]
54 [B<-verbose>]
55 {- $OpenSSL::safe::opt_name_synopsis -}
56 {- $OpenSSL::safe::opt_r_synopsis -}
57 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
62 in PKCS#10 format. It can additionally create self-signed certificates
69 =item B<-help>
73 =item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
76 See L<openssl-format-options(1)> for details.
80 =item B<-in> I<filename>
83 This defaults to standard input unless B<-x509> or B<-CA> is specified.
85 (B<-new> or B<-newkey> or B<-precert>) are not specified.
87 =item B<-sigopt> I<nm>:I<v>
90 Names and values of these options are algorithm-specific.
92 =item B<-vfyopt> I<nm>:I<v>
95 Names and values of these options are algorithm-specific.
99 Maybe it would be preferable to only have -opts instead of -sigopt and
100 -vfyopt? They are both present here to be compatible with L<openssl-ca(1)>,
105 =item B<-passin> I<arg>
109 see L<openssl-passphrase-options(1)>.
111 =item B<-passout> I<arg>
115 see L<openssl-passphrase-options(1)>.
117 =item B<-out> I<filename>
121 =item B<-text>
125 =item B<-subject>
128 (or certificate subject if B<-x509> is in use).
130 =item B<-pubkey>
134 =item B<-noout>
138 =item B<-modulus>
142 =item B<-verify>
144 Verifies the self-signature on the request.
146 =item B<-new>
153 If the B<-key> option is not given it will generate a new private key
155 the B<-newkey> and B<-pkeyopt> options,
158 =item B<-newkey> I<arg>
160 This option is used to generate a new private key unless B<-key> is given.
161 It is subsequently used as if it was given using the B<-key> option.
163 This option implies the B<-new> flag to create a new certificate request
164 or a new certificate in case B<-x509> is given.
169 If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
173 All other algorithms support the B<-newkey> I<algname>:I<file> form, where
174 I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
184 any necessary parameters should be specified via the B<-pkeyopt> option.
189 34.10-2001 key (requires B<gost> engine configured in the configuration
191 specified by B<-pkeyopt> I<paramset:X>
193 =item B<-pkeyopt> I<opt>:I<value>
198 See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
200 =item B<-key> I<filename>|I<uri>
204 Unless B<-in> is given, the corresponding public key is placed in
205 the new certificate or certificate request, resulting in a self-signature.
207 For certificate signing this option is overridden by the B<-CA> option.
211 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
214 See L<openssl-format-options(1)> for details.
216 =item B<-keyout> I<filename>
219 or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
222 private key and the B<-key> option is provided, you should provide the
223 B<-keyout> option explicitly. If a new key is generated and no filename is
226 =item B<-noenc>
231 =item B<-nodes>
233 This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
235 =item B<-I<digest>>
244 GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
246 =item B<-config> I<filename>
250 see L<openssl(1)/COMMAND SUMMARY>.
252 =item B<-section> I<name>
256 =item B<-subj> I<arg>
265 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
266 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
272 =item B<-multivalue-rdn>
276 =item B<-x509>
280 It is implied by the B<-CA> option.
282 This option implies the B<-new> flag if B<-in> is not given.
284 If an existing request is specified with the B<-in> option, it is converted
287 Unless specified using the B<-set_serial> option,
290 Unless the B<-copy_extensions> option is used,
294 or using the B<-addext> option.
296 =item B<-CA> I<filename>|I<uri>
299 and implies use of B<-x509>.
304 =item B<-CAkey> I<filename>|I<uri>
307 The private key must match the public key of the certificate given with B<-CA>.
308 If this option is not provided then the key must be present in the B<-CA> input.
310 =item B<-days> I<n>
312 When B<-x509> is in use this specifies the number of
316 =item B<-set_serial> I<n>
318 Serial number to use when outputting a self-signed certificate.
322 =item B<-copy_extensions> I<arg>
325 when B<-x509> is in use.
333 =item B<-addext> I<ext>
335 Add a specific extension to the certificate (if B<-x509> is in use)
341 =item B<-extensions> I<section>
343 =item B<-reqexts> I<section>
346 extensions (if B<-x509> is in use) or certificate request extensions.
351 =item B<-precert>
354 "pre-certificate" (see RFC6962). This can be submitted to Certificate
356 These SCTs can then be embedded into the pre-certificate as an extension, before
359 This implies the B<-new> flag.
361 =item B<-utf8>
368 =item B<-reqopt> I<option>
370 Customise the printing format used with B<-text>. The I<option> argument can be
373 See discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
376 =item B<-newhdr>
381 =item B<-batch>
383 Non-interactive mode.
385 =item B<-verbose>
389 =item B<-keygen_engine> I<id>
394 {- $OpenSSL::safe::opt_name_item -}
396 {- $OpenSSL::safe::opt_r_item -}
398 {- $OpenSSL::safe::opt_engine_item -}
400 {- $OpenSSL::safe::opt_provider_item -}
408 B<-section> option.
428 This option is used in conjunction with the B<-new> option to generate
430 the B<-newkey> option. The smallest accepted key size is 512 bits. If
437 overridden by the B<-keyout> option.
462 B<not> encrypted. This is equivalent to the B<-noenc> command line
481 - only UTF8Strings are used (this is the default value)
484 - any string type except T61Strings
487 - any string type except BMPStrings and UTF8Strings
490 - any kind of string type
496 value is a workaround for some software that has problems with variable-sized
503 by the B<-reqexts> command line switch. See the
504 L<x509v3_config(5)> manual page for details of the
510 extensions to add to certificate generated when B<-x509> is in use.
511 It can be overridden by the B<-extensions> command line switch.
560 fieldName_min= 2
597 openssl req -in req.pem -text -verify -noout
601 openssl genrsa -out key.pem 2048
602 openssl req -new -key key.pem -out req.pem
606 openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
608 Generate a self-signed root certificate:
610 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
614 openssl ecparam -genkey -name SM2 -out sm2.key
615 openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "distid:1234567812345678"
619 openssl req -verify -in sm2.csr -sm3 -vfyopt "distid:1234567812345678"
644 countryName = Country Name (2 letter code)
646 countryName_min = 2
647 countryName_max = 2
684 L = Test Locality
696 openssl req -new -subj "/C=GB/CN=foo" \
697 -addext "subjectAltName = DNS:foo.co.uk" \
698 -addext "certificatePolicies = 1.2.3.4" \
699 -newkey rsa:2048 -keyout key.pem -out req.pem
739 it is tolerated). See the description of the command line option B<-asn1-kludge>
745 treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
761 L<openssl(1)>,
762 L<openssl-x509(1)>,
763 L<openssl-ca(1)>,
764 L<openssl-genrsa(1)>,
765 L<openssl-gendsa(1)>,
766 L<config(5)>,
767 L<x509v3_config(5)>
771 The B<-section> option was added in OpenSSL 3.0.0.
773 The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
776 The B<-engine> option was deprecated in OpenSSL 3.0.
777 The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
781 Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
786 L<https://www.openssl.org/source/license.html>.