Lines Matching +full:serial +full:- +full:number

2 {- OpenSSL::safe::output_do_not_edit_headers(); -}
6 openssl-x509 - Certificate display and signing command
11 [B<-help>]
12 [B<-in> I<filename>|I<uri>]
13 [B<-passin> I<arg>]
14 [B<-new>]
15 [B<-x509toreq>]
16 [B<-req>]
17 [B<-copy_extensions> I<arg>]
18 [B<-inform> B<DER>|B<PEM>]
19 [B<-vfyopt> I<nm>:I<v>]
20 [B<-key> I<filename>|I<uri>]
21 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
22 [B<-signkey> I<filename>|I<uri>]
23 [B<-out> I<filename>]
24 [B<-outform> B<DER>|B<PEM>]
25 [B<-nocert>]
26 [B<-noout>]
27 [B<-dateopt>]
28 [B<-text>]
29 [B<-certopt> I<option>]
30 [B<-fingerprint>]
31 [B<-alias>]
32 [B<-serial>]
33 [B<-startdate>]
34 [B<-enddate>]
35 [B<-dates>]
36 [B<-subject>]
37 [B<-issuer>]
38 {- $OpenSSL::safe::opt_name_synopsis -}
39 [B<-email>]
40 [B<-hash>]
41 [B<-subject_hash>]
42 [B<-subject_hash_old>]
43 [B<-issuer_hash>]
44 [B<-issuer_hash_old>]
45 [B<-ext> I<extensions>]
46 [B<-ocspid>]
47 [B<-ocsp_uri>]
48 [B<-purpose>]
49 [B<-pubkey>]
50 [B<-modulus>]
51 [B<-checkend> I<num>]
52 [B<-checkhost> I<host>]
53 [B<-checkemail> I<email>]
54 [B<-checkip> I<ipaddr>]
55 [B<-set_serial> I<n>]
56 [B<-next_serial>]
57 [B<-not_before> I<date>]
58 [B<-not_after> I<date>]
59 [B<-days> I<arg>]
60 [B<-preserve_dates>]
61 [B<-set_issuer> I<arg>]
62 [B<-set_subject> I<arg>]
63 [B<-subj> I<arg>]
64 [B<-force_pubkey> I<filename>]
65 [B<-clrext>]
66 [B<-extfile> I<filename>]
67 [B<-extensions> I<section>]
68 [B<-sigopt> I<nm>:I<v>]
69 [B<-badsig>]
70 [B<-I<digest>>]
71 [B<-CA> I<filename>|I<uri>]
72 [B<-CAform> B<DER>|B<PEM>|B<P12>]
73 [B<-CAkey> I<filename>|I<uri>]
74 [B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
75 [B<-CAserial> I<filename>]
76 [B<-CAcreateserial>]
77 [B<-trustout>]
78 [B<-setalias> I<arg>]
79 [B<-clrtrust>]
80 [B<-addtrust> I<arg>]
81 [B<-clrreject>]
82 [B<-addreject> I<arg>]
83 {- $OpenSSL::safe::opt_r_synopsis -}
84 {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
88 This command is a multi-purpose certificate handling command.
92 and then self-signing them or signing them like a "micro CA".
98 Since there are a large number of options they are split up into
107 =item B<-help>
111 =item B<-in> I<filename>|I<uri>
114 or the input file for reading a certificate request if the B<-req> flag is used.
117 This option cannot be combined with the B<-new> flag.
119 =item B<-passin> I<arg>
123 see L<openssl-passphrase-options(1)>.
125 =item B<-new>
129 So this excludes the B<-in> and B<-req> options.
130 Instead, the B<-set_subject> option needs to be given.
131 The public key to include can be given with the B<-force_pubkey> option
132 and defaults to the key given with the B<-key> (or B<-signkey>) option,
133 which implies self-signature.
135 =item B<-x509toreq>
138 The B<-key> (or B<-signkey>) option must be used to provide the private key for
139 self-signing; the corresponding public key is placed in the subjectPKInfo field.
142 X.509 extensions to be added can be specified using the B<-extfile> option.
144 =item B<-req>
148 which must be correctly self-signed.
151 X.509 extensions to be added can be specified using the B<-extfile> option.
153 =item B<-copy_extensions> I<arg>
156 when converting from a certificate to a request using the B<-x509toreq> option
157 or converting from a request to a certificate using the B<-req> option.
163 The B<-ext> option can be used to further restrict which extensions to copy.
165 =item B<-inform> B<DER>|B<PEM>
168 See L<openssl-format-options(1)> for details.
170 =item B<-vfyopt> I<nm>:I<v>
173 Names and values of these options are algorithm-specific.
175 =item B<-key> I<filename>|I<uri>
179 Unless B<-force_pubkey> is given, the corresponding public key is placed in
180 the new certificate or certificate request, resulting in a self-signature.
182 This option cannot be used in conjunction with the B<-CA> option.
184 It sets the issuer name to the subject name (i.e., makes it self-issued).
185 Unless the B<-preserve_dates> option is supplied,
187 and the end date to a value determined by the B<-days> option.
189 B<-not_before> and B<-not_after>.
191 =item B<-signkey> I<filename>|I<uri>
193 This option is an alias of B<-key>.
195 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
198 See L<openssl-format-options(1)> for details.
200 =item B<-out> I<filename>
204 =item B<-outform> B<DER>|B<PEM>
207 See L<openssl-format-options(1)> for details.
209 =item B<-nocert>
213 =item B<-noout>
221 Note: the B<-alias> and B<-purpose> options are also printing options
226 =item B<-dateopt>
231 =item B<-text>
234 public key, signature algorithms, issuer and subject names, serial number
237 =item B<-certopt> I<option>
239 Customise the print format used with B<-text>. The I<option> argument
241 The B<-certopt> switch may also be used more than once to set multiple
244 =item B<-fingerprint>
252 =item B<-alias>
256 =item B<-serial>
258 Prints the certificate serial number.
260 =item B<-startdate>
264 =item B<-enddate>
268 =item B<-dates>
272 =item B<-subject>
276 =item B<-issuer>
280 {- $OpenSSL::safe::opt_name_item -}
282 =item B<-email>
286 =item B<-hash>
288 Synonym for "-subject_hash" for backward compatibility reasons.
290 =item B<-subject_hash>
296 =item B<-subject_hash_old>
301 =item B<-issuer_hash>
305 =item B<-issuer_hash_old>
310 =item B<-ext> I<extensions>
318 =item B<-ocspid>
322 =item B<-ocsp_uri>
326 =item B<-purpose>
330 L<openssl-verification-options(1)/Certificate Extensions>.
332 =item B<-pubkey>
336 =item B<-modulus>
347 =item B<-checkend> I<arg>
352 =item B<-checkhost> I<host>
356 =item B<-checkemail> I<email>
360 =item B<-checkip> I<ipaddr>
370 =item B<-set_serial> I<n>
372 Specifies the serial number to use.
373 This option can be used with the B<-key>, B<-signkey>, or B<-CA> options.
374 If used in conjunction with the B<-CA> option
375 the serial number file (as specified by the B<-CAserial> option) is not used.
377 The serial number can be decimal or hex (if preceded by C<0x>).
379 =item B<-next_serial>
381 Set the serial to be one more than the number in the certificate.
383 =item B<-not_before> I<date>
391 Cannot be used together with the B<-preserve_dates> option.
393 =item B<-not_after> I<date>
401 Cannot be used together with the B<-preserve_dates> option.
402 This overrides the option B<-days>.
404 =item B<-days> I<arg>
406 Specifies the number of days from today until a newly generated certificate expires.
409 Cannot be used together with the option B<-preserve_dates>.
410 If option B<-not_after> is set, the explicit expiry date takes precedence.
412 =item B<-preserve_dates>
416 Cannot be used together with the options B<-days>, B<-not_before> and B<-not_after>.
418 =item B<-set_issuer> I<arg>
422 See B<-set_subject> on how the arg must be formatted.
424 =item B<-set_subject> I<arg>
427 When the certificate is self-signed the issuer name is set to the same value,
428 unless the B<-set_issuer> option is given.
434 Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
435 Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
441 This option can be used with the B<-new> and B<-force_pubkey> options to create
444 =item B<-subj> I<arg>
446 This option is an alias of B<-set_subject>.
448 =item B<-force_pubkey> I<filename>
453 or given with the B<-key> (or B<-signkey>) option.
456 This option can be used in conjunction with B<-new> and B<-set_subject>
459 This option is also useful for creating self-issued certificates that are not
460 self-signed, for instance when the key cannot be used for signing, such as DH.
462 =item B<-clrext>
468 the B<-clrext> option prevents taking over any extensions from the source.
472 =item B<-extfile> I<filename>
476 =item B<-extensions> I<section>
490 =item B<-sigopt> I<nm>:I<v>
494 Names and values provided using this option are algorithm-specific.
496 =item B<-badsig>
501 =item B<-I<digest>>
505 digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options.
506 Any digest supported by the L<openssl-dgst(1)> command can be used.
507 If not specified then SHA1 is used with B<-fingerprint> or
512 =head2 Micro-CA Options
516 =item B<-CA> I<filename>|I<uri>
523 This option cannot be used in conjunction with B<-key> (or B<-signkey>).
524 This option is normally combined with the B<-req> option referencing a CSR.
525 Without the B<-req> option the input must be an existing certificate
526 unless the B<-new> option is given, which generates a certificate from scratch.
528 =item B<-CAform> B<DER>|B<PEM>|B<P12>
531 See L<openssl-format-options(1)> for details.
533 =item B<-CAkey> I<filename>|I<uri>
536 The private key must match the public key of the certificate given with B<-CA>.
537 If this option is not provided then the key must be present in the B<-CA> input.
539 =item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
542 See L<openssl-format-options(1)> for details.
544 =item B<-CAserial> I<filename>
546 Sets the CA serial number file to use.
548 When creating a certificate with this option and with the B<-CA> option,
549 the certificate serial number is stored in the given file.
551 an even number of hex digits with the serial number used last time.
552 After reading this number, it is incremented and used, and the file is updated.
556 F<mycacert.pem> it expects to find a serial number file called
559 If the B<-CA> option is specified and neither B<-CAserial> nor B<-CAcreateserial>
560 is given and the default serial number file does not exist,
561 a random number is generated; this is the recommended practice.
563 =item B<-CAcreateserial>
565 With this option and the B<-CA> option
566 the CA serial number file is created if it does not exist.
567 A random number is generated, used for the certificate,
568 and saved into the serial number file determined as described above.
587 See L<openssl-verification-options(1)> for more information
595 =item B<-trustout>
600 With the B<-trustout> option a trusted certificate is output. A trusted
603 =item B<-setalias> I<arg>
608 =item B<-clrtrust>
612 =item B<-addtrust> I<arg>
621 =item B<-clrreject>
625 =item B<-addreject> I<arg>
628 It accepts the same values as the B<-addtrust> option.
636 {- $OpenSSL::safe::opt_r_item -}
638 {- $OpenSSL::safe::opt_engine_item -}
640 {- $OpenSSL::safe::opt_provider_item -}
663 Don't print out the version number.
667 Don't print out the serial number.
720 The value used by L<openssl-ca(1)>, equivalent to B<no_issuer>, B<no_pubkey>,
732 openssl x509 -in cert.pem -noout -text
736 openssl x509 -in cert.pem -noout -ext subjectAltName
740 openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
742 Print the certificate serial number:
744 openssl x509 -in cert.pem -noout -serial
748 openssl x509 -in cert.pem -noout -subject
752 openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
757 openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
761 openssl x509 -sha1 -in cert.pem -noout -fingerprint
765 openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
769 openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem
771 Convert a certificate request into a self-signed certificate using
774 openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
775 -key key.pem -out cacert.pem
780 openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
781 -CA cacert.pem -CAkey key.pem -CAcreateserial
786 openssl x509 -in cert.pem -addtrust clientAuth \
787 -setalias "Steve's Class 1 CA" -out trust.pem
792 T61Strings use the ISO8859-1 character set. This is wrong but Netscape
796 The B<-email> option searches the subject name and the subject alternative
812 L<openssl-req(1)>,
813 L<openssl-ca(1)>,
814 L<openssl-genrsa(1)>,
815 L<openssl-gendsa(1)>,
816 L<openssl-verify(1)>,
821 The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
825 form must have their links rebuilt using L<openssl-rehash(1)> or similar.
827 The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
830 The B<-engine> option was deprecated in OpenSSL 3.0.
832 The B<-C> option was removed in OpenSSL 3.0.
839 Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.