Lines Matching +full:serial +full:- +full:number

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-CA 1ossl"
58 .TH OPENSSL-CA 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-ca \- sample minimal CA application
68 [\fB\-help\fR]
69 [\fB\-verbose\fR]
70 [\fB\-quiet\fR]
71 [\fB\-config\fR \fIfilename\fR]
72 [\fB\-name\fR \fIsection\fR]
73 [\fB\-section\fR \fIsection\fR]
74 [\fB\-gencrl\fR]
75 [\fB\-revoke\fR \fIfile\fR]
76 [\fB\-valid\fR \fIfile\fR]
77 [\fB\-status\fR \fIserial\fR]
78 [\fB\-updatedb\fR]
79 [\fB\-crl_reason\fR \fIreason\fR]
80 [\fB\-crl_hold\fR \fIinstruction\fR]
81 [\fB\-crl_compromise\fR \fItime\fR]
82 [\fB\-crl_CA_compromise\fR \fItime\fR]
83 [\fB\-crl_lastupdate\fR \fIdate\fR]
84 [\fB\-crl_nextupdate\fR \fIdate\fR]
85 [\fB\-crldays\fR \fIdays\fR]
86 [\fB\-crlhours\fR \fIhours\fR]
87 [\fB\-crlsec\fR \fIseconds\fR]
88 [\fB\-crlexts\fR \fIsection\fR]
89 [\fB\-startdate\fR \fIdate\fR]
90 [\fB\-not_before\fR \fIdate\fR]
91 [\fB\-enddate\fR \fIdate\fR]
92 [\fB\-not_after\fR \fIdate\fR]
93 [\fB\-days\fR \fIarg\fR]
94 [\fB\-md\fR \fIarg\fR]
95 [\fB\-policy\fR \fIarg\fR]
96 [\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR]
97 [\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
98 [\fB\-key\fR \fIarg\fR]
99 [\fB\-passin\fR \fIarg\fR]
100 [\fB\-cert\fR \fIfile\fR]
101 [\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR]
102 [\fB\-selfsign\fR]
103 [\fB\-in\fR \fIfile\fR]
104 [\fB\-inform\fR \fBDER\fR|\fBPEM\fR]
105 [\fB\-out\fR \fIfile\fR]
106 [\fB\-notext\fR]
107 [\fB\-dateopt\fR]
108 [\fB\-outdir\fR \fIdir\fR]
109 [\fB\-infiles\fR]
110 [\fB\-spkac\fR \fIfile\fR]
111 [\fB\-ss_cert\fR \fIfile\fR]
112 [\fB\-preserveDN\fR]
113 [\fB\-noemailDN\fR]
114 [\fB\-batch\fR]
115 [\fB\-msie_hack\fR]
116 [\fB\-extensions\fR \fIsection\fR]
117 [\fB\-extfile\fR \fIsection\fR]
118 [\fB\-subj\fR \fIarg\fR]
119 [\fB\-utf8\fR]
120 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
121 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
122 [\fB\-create_serial\fR]
123 [\fB\-rand_serial\fR]
124 [\fB\-multivalue\-rdn\fR]
125 [\fB\-rand\fR \fIfiles\fR]
126 [\fB\-writerand\fR \fIfile\fR]
127 [\fB\-engine\fR \fIid\fR]
128 [\fB\-provider\fR \fIname\fR]
129 [\fB\-provider\-path\fR \fIpath\fR]
130 [\fB\-provparam\fR \fI[name:]key=value\fR]
131 [\fB\-propquery\fR \fIpropq\fR]
146 with the \fB\-in\fR option, or multiple requests can be processed by
151 See \fBopenssl\-req\fR\|(1) and \fBopenssl\-x509\fR\|(1) for details.
156 .IP \fB\-help\fR 4
157 .IX Item "-help"
159 .IP \fB\-verbose\fR 4
160 .IX Item "-verbose"
162 .IP \fB\-quiet\fR 4
163 .IX Item "-quiet"
166 .IP "\fB\-config\fR \fIfilename\fR" 4
167 .IX Item "-config filename"
171 .IP "\fB\-name\fR \fIsection\fR, \fB\-section\fR \fIsection\fR" 4
172 .IX Item "-name section, -section section"
175 .IP "\fB\-in\fR \fIfilename\fR" 4
176 .IX Item "-in filename"
179 .IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR" 4
180 .IX Item "-inform DER|PEM"
183 See \fBopenssl\-format\-options\fR\|(1) for details.
184 .IP "\fB\-ss_cert\fR \fIfilename\fR" 4
185 .IX Item "-ss_cert filename"
186 A single self-signed certificate to be signed by the CA.
187 .IP "\fB\-spkac\fR \fIfilename\fR" 4
188 .IX Item "-spkac filename"
192 .IP \fB\-infiles\fR 4
193 .IX Item "-infiles"
196 .IP "\fB\-out\fR \fIfilename\fR" 4
197 .IX Item "-out filename"
200 file in PEM format (except that \fB\-spkac\fR outputs DER format).
201 .IP "\fB\-outdir\fR \fIdirectory\fR" 4
202 .IX Item "-outdir directory"
204 written to a filename consisting of the serial number in hex with
206 .IP "\fB\-cert\fR \fIfilename\fR" 4
207 .IX Item "-cert filename"
208 The CA certificate, which must match with \fB\-keyfile\fR.
209 .IP "\fB\-certform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
210 .IX Item "-certform DER|PEM|P12"
212 See \fBopenssl\-format\-options\fR\|(1) for details.
213 .IP "\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR" 4
214 .IX Item "-keyfile filename|uri"
216 This must match with \fB\-cert\fR.
217 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
218 .IX Item "-keyform DER|PEM|P12|ENGINE"
220 See \fBopenssl\-format\-options\fR\|(1) for details.
221 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
222 .IX Item "-sigopt nm:v"
224 Names and values of these options are algorithm-specific and
225 documented in "Signature parameters" in \fBprovider\-signature\fR\|(7).
226 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
227 .IX Item "-vfyopt nm:v"
229 Names and values of these options are algorithm-specific.
231 This often needs to be given while signing too, because the self-signature of
234 .IP "\fB\-key\fR \fIpassword\fR" 4
235 .IX Item "-key password"
240 Better use \fB\-passin\fR.
241 .IP "\fB\-passin\fR \fIarg\fR" 4
242 .IX Item "-passin arg"
245 see \fBopenssl\-passphrase\-options\fR\|(1).
246 .IP \fB\-selfsign\fR 4
247 .IX Item "-selfsign"
249 the certificate requests were signed with (given with \fB\-keyfile\fR).
251 If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
253 A consequence of using \fB\-selfsign\fR is that the self-signed
256 serial number counter as all other certificates sign with the
257 self-signed certificate.
258 .IP \fB\-notext\fR 4
259 .IX Item "-notext"
261 .IP \fB\-dateopt\fR 4
262 .IX Item "-dateopt"
265 .IP "\fB\-startdate\fR \fIdate\fR, \fB\-not_before\fR \fIdate\fR" 4
266 .IX Item "-startdate date, -not_before date"
272 .IP "\fB\-enddate\fR \fIdate\fR, \fB\-not_after\fR \fIdate\fR" 4
273 .IX Item "-enddate date, -not_after date"
280 This overrides the \fB\-days\fR option.
281 .IP "\fB\-days\fR \fIarg\fR" 4
282 .IX Item "-days arg"
283 The number of days from today to certify the certificate for.
285 Regardless of the option \fB\-not_before\fR, the days are always counted from
287 When used together with the option \fB\-not_after\fR/\fB\-startdate\fR, the explicit
289 .IP "\fB\-md\fR \fIalg\fR" 4
290 .IX Item "-md alg"
292 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used. For signing
295 .IP "\fB\-policy\fR \fIarg\fR" 4
296 .IX Item "-policy arg"
301 .IP \fB\-msie_hack\fR 4
302 .IX Item "-msie_hack"
307 .IP \fB\-preserveDN\fR 4
308 .IX Item "-preserveDN"
314 .IP \fB\-noemailDN\fR 4
315 .IX Item "-noemailDN"
317 request DN, however, it is good policy just having the e\-mail set into
322 .IP \fB\-batch\fR 4
323 .IX Item "-batch"
326 .IP "\fB\-extensions\fR \fIsection\fR" 4
327 .IX Item "-extensions section"
330 unless the \fB\-extfile\fR option is used).
334 .IP "\fB\-extfile\fR \fIfile\fR" 4
335 .IX Item "-extfile file"
337 (using the default section unless the \fB\-extensions\fR option is also
339 .IP "\fB\-subj\fR \fIarg\fR" 4
340 .IX Item "-subj arg"
347 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
348 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
353 .IP \fB\-utf8\fR 4
354 .IX Item "-utf8"
359 .IP \fB\-create_serial\fR 4
360 .IX Item "-create_serial"
361 If reading serial from the text file as specified in the configuration
362 fails, specifying this option creates a new random serial to be used as next
363 serial number.
364 To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this
365 should only be used for simple error-recovery.
366 .IP \fB\-rand_serial\fR 4
367 .IX Item "-rand_serial"
368 Generate a large random number to use as the serial number.
369 This overrides any option or configuration to use a serial number file.
370 .IP \fB\-multivalue\-rdn\fR 4
371 .IX Item "-multivalue-rdn"
373 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
374 .IX Item "-rand files, -writerand file"
376 .IP "\fB\-engine\fR \fIid\fR" 4
377 .IX Item "-engine id"
380 .IP "\fB\-provider\fR \fIname\fR" 4
381 .IX Item "-provider name"
383 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
384 .IX Item "-provider-path path"
385 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
386 .IX Item "-provparam [name:]key=value"
387 .IP "\fB\-propquery\fR \fIpropq\fR" 4
388 .IX Item "-propquery propq"
393 .IP \fB\-gencrl\fR 4
394 .IX Item "-gencrl"
396 .IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
397 .IX Item "-crl_lastupdate time"
402 .IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
403 .IX Item "-crl_nextupdate time"
405 this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
406 and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
407 \&\fB\-crl_lastupdate\fR.
408 .IP "\fB\-crldays\fR \fInum\fR" 4
409 .IX Item "-crldays num"
410 The number of days before the next CRL is due. That is the days from
412 .IP "\fB\-crlhours\fR \fInum\fR" 4
413 .IX Item "-crlhours num"
414 The number of hours before the next CRL is due.
415 .IP "\fB\-crlsec\fR \fInum\fR" 4
416 .IX Item "-crlsec num"
417 The number of seconds before the next CRL is due.
418 .IP "\fB\-revoke\fR \fIfilename\fR" 4
419 .IX Item "-revoke filename"
421 .IP "\fB\-valid\fR \fIfilename\fR" 4
422 .IX Item "-valid filename"
424 .IP "\fB\-status\fR \fIserial\fR" 4
425 .IX Item "-status serial"
427 serial number and exits.
428 .IP \fB\-updatedb\fR 4
429 .IX Item "-updatedb"
431 .IP "\fB\-crl_reason\fR \fIreason\fR" 4
432 .IX Item "-crl_reason reason"
440 .IP "\fB\-crl_hold\fR \fIinstruction\fR" 4
441 .IX Item "-crl_hold instruction"
446 .IP "\fB\-crl_compromise\fR \fItime\fR" 4
447 .IX Item "-crl_compromise time"
450 .IP "\fB\-crl_CA_compromise\fR \fItime\fR" 4
451 .IX Item "-crl_CA_compromise time"
454 .IP "\fB\-crlexts\fR \fIsection\fR" 4
455 .IX Item "-crlexts section"
467 is found as follows: If the \fB\-name\fR command line option is used,
499 The same as the \fB\-outdir\fR command line option. It specifies
503 The same as \fB\-cert\fR. It gives the file containing the CA
507 Same as the \fB\-keyfile\fR option. The file containing the
511 At startup the specified file is loaded into the random number generator,
516 The same as the \fB\-days\fR option. The number of days from today to certify
520 The same as the \fB\-startdate\fR option. The start date to certify
524 The same as the \fB\-enddate\fR option. Either this option or
529 The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
534 The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does
546 versions of OpenSSL. However, to make CA certificate roll-over easier,
548 the \fB\-selfsign\fR command line option.
553 .IP \fBserial\fR 4
554 .IX Item "serial"
555 A text file containing the next serial number to use in hex. Mandatory.
556 This file must be present and contain a valid serial number.
559 A text file containing the next CRL number to use in hex. The crl number
561 present, it must contain a valid CRL number.
564 A fallback to the \fB\-extensions\fR option.
567 A fallback to the \fB\-crlexts\fR option.
570 The same as \fB\-preserveDN\fR
573 The same as \fB\-noemailDN\fR. If you want the EMAIL field to be removed
578 The same as \fB\-msie_hack\fR
581 The same as \fB\-policy\fR. Mandatory. See the \fBPOLICY FORMAT\fR section
587 the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
619 are silently deleted, unless the \fB\-preserveDN\fR option is set but
623 The input to the \fB\-spkac\fR command line option is a Netscape
626 It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
631 preceded by a number and a '.'.
633 When processing SPKAC format, the output is DER if the \fB\-out\fR
634 flag is used, but PEM format if sending to stdout or the \fB\-outdir\fR
641 \&\fBopenssl\-req\fR\|(1), a serial number file and an empty index file and
647 key to \fIdemoCA/private/cakey.pem\fR. A file \fIdemoCA/serial\fR would be
654 \& openssl ca \-in req.pem \-out newcert.pem
660 \& openssl ca \-in sm2.csr \-out sm2.crt \-md sm3 \e
661 \& \-sigopt "distid:1234567812345678" \e
662 \& \-vfyopt "distid:1234567812345678"
668 \& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem
674 \& openssl ca \-gencrl \-out crl.pem
680 \& openssl ca \-infiles req1.pem req2.pem req3.pem
686 \& openssl ca \-spkac spkac.txt
712 \& serial = $dir/serial # serial no file
713 \& #rand_serial = yes # for random serial#\*(Aqs
742 \& /usr/local/ssl/lib/openssl.cnf \- master configuration file
743 \& ./demoCA \- main CA directory
744 \& ./demoCA/cacert.pem \- CA certificate
745 \& ./demoCA/private/cakey.pem \- CA private key
746 \& ./demoCA/serial \- CA serial number file
747 \& ./demoCA/serial.old \- CA serial number backup file
748 \& ./demoCA/index.txt \- CA text database file
749 \& ./demoCA/index.txt.old \- CA text database backup file
750 \& ./demoCA/certs \- certificate output file
762 possible to include one SPKAC or self-signed certificate.
767 The use of an in-memory text database can cause problems when large
772 exposed at either a command or interface level so that a more user-friendly
777 deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
779 RFCs, regardless of the contents of the request's subject the \fB\-noemailDN\fR
825 certificate validity period (specified by any of \fB\-startdate\fR,
826 \&\fB\-enddate\fR and \fB\-days\fR) and CRL last/next update time (specified by
827 any of \fB\-crl_lastupdate\fR, \fB\-crl_nextupdate\fR, \fB\-crldays\fR, \fB\-crlhours\fR
828 and \fB\-crlsec\fR) will be encoded as UTCTime if the dates are
837 The \fB\-section\fR option was added in OpenSSL 3.0.0.
839 The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
842 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
849 \&\fBopenssl\-req\fR\|(1),
850 \&\fBopenssl\-spkac\fR\|(1),
851 \&\fBopenssl\-x509\fR\|(1),
857 Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.