18 .\" Set up some character translations and predefined strings. \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
52 .\" output yourself in some meaningful fashion.
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-CA 1ossl"
134 .TH OPENSSL-CA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-ca \- sample minimal CA application
144 [\fB\-help\fR]
145 [\fB\-verbose\fR]
146 [\fB\-config\fR \fIfilename\fR]
147 [\fB\-name\fR \fIsection\fR]
148 [\fB\-section\fR \fIsection\fR]
149 [\fB\-gencrl\fR]
150 [\fB\-revoke\fR \fIfile\fR]
151 [\fB\-valid\fR \fIfile\fR]
152 [\fB\-status\fR \fIserial\fR]
153 [\fB\-updatedb\fR]
154 [\fB\-crl_reason\fR \fIreason\fR]
155 [\fB\-crl_hold\fR \fIinstruction\fR]
156 [\fB\-crl_compromise\fR \fItime\fR]
157 [\fB\-crl_CA_compromise\fR \fItime\fR]
158 [\fB\-crl_lastupdate\fR \fIdate\fR]
159 [\fB\-crl_nextupdate\fR \fIdate\fR]
160 [\fB\-crldays\fR \fIdays\fR]
161 [\fB\-crlhours\fR \fIhours\fR]
162 [\fB\-crlsec\fR \fIseconds\fR]
163 [\fB\-crlexts\fR \fIsection\fR]
164 [\fB\-startdate\fR \fIdate\fR]
165 [\fB\-enddate\fR \fIdate\fR]
166 [\fB\-days\fR \fIarg\fR]
167 [\fB\-md\fR \fIarg\fR]
168 [\fB\-policy\fR \fIarg\fR]
169 [\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR]
170 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
171 [\fB\-key\fR \fIarg\fR]
172 [\fB\-passin\fR \fIarg\fR]
173 [\fB\-cert\fR \fIfile\fR]
174 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
175 [\fB\-selfsign\fR]
176 [\fB\-in\fR \fIfile\fR]
177 [\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
178 [\fB\-out\fR \fIfile\fR]
179 [\fB\-notext\fR]
180 [\fB\-dateopt\fR]
181 [\fB\-outdir\fR \fIdir\fR]
182 [\fB\-infiles\fR]
183 [\fB\-spkac\fR \fIfile\fR]
184 [\fB\-ss_cert\fR \fIfile\fR]
185 [\fB\-preserveDN\fR]
186 [\fB\-noemailDN\fR]
187 [\fB\-batch\fR]
188 [\fB\-msie_hack\fR]
189 [\fB\-extensions\fR \fIsection\fR]
190 [\fB\-extfile\fR \fIfile\fR]
191 [\fB\-subj\fR \fIarg\fR]
192 [\fB\-utf8\fR]
193 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
194 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
195 [\fB\-create_serial\fR]
196 [\fB\-rand_serial\fR]
197 [\fB\-multivalue\-rdn\fR]
198 [\fB\-rand\fR \fIfiles\fR]
199 [\fB\-writerand\fR \fIfile\fR]
200 [\fB\-engine\fR \fIid\fR]
201 [\fB\-provider\fR \fIname\fR]
202 [\fB\-provider\-path\fR \fIpath\fR]
203 [\fB\-propquery\fR \fIpropq\fR]
207 This command emulates a \s-1CA\s0 application.
208 See the \fB\s-1WARNINGS\s0\fR section, especially when considering using it in production.
213 with the \fB\-in\fR option, or multiple requests can be processed by
218 See \fBopenssl\-req\fR\|(1) and \fBopenssl\-x509\fR\|(1) for details.
223 .IP "\fB\-help\fR" 4
224 .IX Item "-help"
226 .IP "\fB\-verbose\fR" 4
227 .IX Item "-verbose"
229 .IP "\fB\-config\fR \fIfilename\fR" 4
230 .IX Item "-config filename"
233 see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
234 .IP "\fB\-name\fR \fIsection\fR, \fB\-section\fR \fIsection\fR" 4
235 .IX Item "-name section, -section section"
238 .IP "\fB\-in\fR \fIfilename\fR" 4
239 .IX Item "-in filename"
240 An input filename containing a single certificate request (\s-1CSR\s0) to be
241 signed by the \s-1CA.\s0
242 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
243 .IX Item "-inform DER|PEM"
246 See \fBopenssl\-format\-options\fR\|(1) for details.
247 .IP "\fB\-ss_cert\fR \fIfilename\fR" 4
248 .IX Item "-ss_cert filename"
249 A single self-signed certificate to be signed by the \s-1CA.\s0
250 .IP "\fB\-spkac\fR \fIfilename\fR" 4
251 .IX Item "-spkac filename"
253 and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
254 section for information on the required input and output format.
255 .IP "\fB\-infiles\fR" 4
256 .IX Item "-infiles"
259 .IP "\fB\-out\fR \fIfilename\fR" 4
260 .IX Item "-out filename"
261 The output file to output certificates to. The default is standard
262 output. The certificate details will also be printed out to this
263 file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
264 .IP "\fB\-outdir\fR \fIdirectory\fR" 4
265 .IX Item "-outdir directory"
266 The directory to output certificates to. The certificate will be
267 written to a filename consisting of the serial number in hex with
269 .IP "\fB\-cert\fR \fIfilename\fR" 4
270 .IX Item "-cert filename"
271 The \s-1CA\s0 certificate, which must match with \fB\-keyfile\fR.
272 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
273 .IX Item "-certform DER|PEM|P12"
275 See \fBopenssl\-format\-options\fR\|(1) for details.
276 .IP "\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR" 4
277 .IX Item "-keyfile filename|uri"
278 The \s-1CA\s0 private key to sign certificate requests with.
279 This must match with \fB\-cert\fR.
280 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
281 .IX Item "-keyform DER|PEM|P12|ENGINE"
283 See \fBopenssl\-format\-options\fR\|(1) for details.
284 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
285 .IX Item "-sigopt nm:v"
287 Names and values of these options are algorithm-specific.
288 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
289 .IX Item "-vfyopt nm:v"
291 Names and values of these options are algorithm-specific.
293 This often needs to be given while signing too, because the self-signature of
294 a certificate signing request (\s-1CSR\s0) is verified against the included public key,
296 .IP "\fB\-key\fR \fIpassword\fR" 4
297 .IX Item "-key password"
302 Better use \fB\-passin\fR.
303 .IP "\fB\-passin\fR \fIarg\fR" 4
304 .IX Item "-passin arg"
307 see \fBopenssl\-passphrase\-options\fR\|(1).
308 .IP "\fB\-selfsign\fR" 4
309 .IX Item "-selfsign"
311 the certificate requests were signed with (given with \fB\-keyfile\fR).
313 If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
315 A consequence of using \fB\-selfsign\fR is that the self-signed
318 serial number counter as all other certificates sign with the
319 self-signed certificate.
320 .IP "\fB\-notext\fR" 4
321 .IX Item "-notext"
322 Don't output the text form of a certificate to the output file.
323 .IP "\fB\-dateopt\fR" 4
324 .IX Item "-dateopt"
325 Specify the date output format. Values are: rfc_822 and iso_8601.
327 .IP "\fB\-startdate\fR \fIdate\fR" 4
328 .IX Item "-startdate date"
330 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
331 \&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
332 both formats, seconds \s-1SS\s0 and timezone Z must be present.
333 .IP "\fB\-enddate\fR \fIdate\fR" 4
334 .IX Item "-enddate date"
336 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
337 \&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
338 both formats, seconds \s-1SS\s0 and timezone Z must be present.
339 .IP "\fB\-days\fR \fIarg\fR" 4
340 .IX Item "-days arg"
342 .IP "\fB\-md\fR \fIalg\fR" 4
343 .IX Item "-md alg"
345 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used. For signing
348 .IP "\fB\-policy\fR \fIarg\fR" 4
349 .IX Item "-policy arg"
350 This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
352 or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
354 .IP "\fB\-msie_hack\fR" 4
355 .IX Item "-msie_hack"
357 of the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
360 .IP "\fB\-preserveDN\fR" 4
361 .IX Item "-preserveDN"
362 Normally the \s-1DN\s0 order of a certificate is the same as the order of the
365 older \s-1IE\s0 enrollment control which would only accept certificates if their
367 .IP "\fB\-noemailDN\fR" 4
368 .IX Item "-noemailDN"
369 The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
370 request \s-1DN,\s0 however, it is good policy just having the e\-mail set into
372 \&\s-1EMAIL\s0 field is removed from the certificate's subject and set only in
375 .IP "\fB\-batch\fR" 4
376 .IX Item "-batch"
379 .IP "\fB\-extensions\fR \fIsection\fR" 4
380 .IX Item "-extensions section"
383 unless the \fB\-extfile\fR option is used).
388 .IP "\fB\-extfile\fR \fIfile\fR" 4
389 .IX Item "-extfile file"
391 (using the default section unless the \fB\-extensions\fR option is also
393 .IP "\fB\-subj\fR \fIarg\fR" 4
394 .IX Item "-subj arg"
401 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
402 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
407 .IP "\fB\-utf8\fR" 4
408 .IX Item "-utf8"
409 This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
410 default they are interpreted as \s-1ASCII.\s0 This means that the field
412 configuration file, must be valid \s-1UTF8\s0 strings.
413 .IP "\fB\-create_serial\fR" 4
414 .IX Item "-create_serial"
415 If reading serial from the text file as specified in the configuration
416 fails, specifying this option creates a new random serial to be used as next
417 serial number.
418 To get random serial numbers, use the \fB\-rand_serial\fR flag instead; the
419 \&\fB\-create_serial\fR option should only be used for simple error-recovery.
420 .IP "\fB\-rand_serial\fR" 4
421 .IX Item "-rand_serial"
422 Generate a large random number to use as the serial number.
423 This overrides any option or configuration to use a serial number file.
424 .IP "\fB\-multivalue\-rdn\fR" 4
425 .IX Item "-multivalue-rdn"
427 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
428 .IX Item "-rand files, -writerand file"
430 .IP "\fB\-engine\fR \fIid\fR" 4
431 .IX Item "-engine id"
434 .IP "\fB\-provider\fR \fIname\fR" 4
435 .IX Item "-provider name"
437 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
438 .IX Item "-provider-path path"
439 .IP "\fB\-propquery\fR \fIpropq\fR" 4
440 .IX Item "-propquery propq"
445 .IP "\fB\-gencrl\fR" 4
446 .IX Item "-gencrl"
447 This option generates a \s-1CRL\s0 based on information in the index file.
448 .IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
449 .IX Item "-crl_lastupdate time"
450 Allows the value of the \s-1CRL\s0's lastUpdate field to be explicitly set; if
452 \&\s-1YYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 UTCTime structure) or
453 \&\s-1YYYYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 GeneralizedTime structure).
454 .IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
455 .IX Item "-crl_nextupdate time"
456 Allows the value of the \s-1CRL\s0's nextUpdate field to be explicitly set; if
457 this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
458 and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
459 \&\fB\-crl_lastupdate\fR.
460 .IP "\fB\-crldays\fR \fInum\fR" 4
461 .IX Item "-crldays num"
462 The number of days before the next \s-1CRL\s0 is due. That is the days from
463 now to place in the \s-1CRL\s0 nextUpdate field.
464 .IP "\fB\-crlhours\fR \fInum\fR" 4
465 .IX Item "-crlhours num"
466 The number of hours before the next \s-1CRL\s0 is due.
467 .IP "\fB\-crlsec\fR \fInum\fR" 4
468 .IX Item "-crlsec num"
469 The number of seconds before the next \s-1CRL\s0 is due.
470 .IP "\fB\-revoke\fR \fIfilename\fR" 4
471 .IX Item "-revoke filename"
473 .IP "\fB\-valid\fR \fIfilename\fR" 4
474 .IX Item "-valid filename"
476 .IP "\fB\-status\fR \fIserial\fR" 4
477 .IX Item "-status serial"
479 serial number and exits.
480 .IP "\fB\-updatedb\fR" 4
481 .IX Item "-updatedb"
483 .IP "\fB\-crl_reason\fR \fIreason\fR" 4
484 .IX Item "-crl_reason reason"
488 insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
492 .IP "\fB\-crl_hold\fR \fIinstruction\fR" 4
493 .IX Item "-crl_hold instruction"
494 This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
495 instruction to \fIinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
496 used, only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
498 .IP "\fB\-crl_compromise\fR \fItime\fR" 4
499 .IX Item "-crl_compromise time"
501 \&\fItime\fR. \fItime\fR should be in GeneralizedTime format that is \fI\s-1YYYYMMDDHHMMSSZ\s0\fR.
502 .IP "\fB\-crl_CA_compromise\fR \fItime\fR" 4
503 .IX Item "-crl_CA_compromise time"
506 .IP "\fB\-crlexts\fR \fIsection\fR" 4
507 .IX Item "-crlexts section"
508 The section of the configuration file containing \s-1CRL\s0 extensions to
509 include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
510 created, if the \s-1CRL\s0 extension section is present (even if it is
511 empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
512 \&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
519 is found as follows: If the \fB\-name\fR command line option is used,
525 \s-1RANDFILE\s0
528 With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
539 This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
551 The same as the \fB\-outdir\fR command line option. It specifies
555 The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
559 Same as the \fB\-keyfile\fR option. The file containing the
560 \&\s-1CA\s0 private key. Mandatory.
561 .IP "\fB\s-1RANDFILE\s0\fR" 4
564 and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
565 not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.)
568 The same as the \fB\-days\fR option. The number of days to certify
572 The same as the \fB\-startdate\fR option. The start date to certify
576 The same as the \fB\-enddate\fR option. Either this option or
581 The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
583 least one of these must be present to generate a \s-1CRL.\s0
586 The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does
598 versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
600 the \fB\-selfsign\fR command line option.
605 .IP "\fBserial\fR" 4
606 .IX Item "serial"
607 A text file containing the next serial number to use in hex. Mandatory.
608 This file must be present and contain a valid serial number.
611 A text file containing the next \s-1CRL\s0 number to use in hex. The crl number
613 present, it must contain a valid \s-1CRL\s0 number.
616 A fallback to the \fB\-extensions\fR option.
619 A fallback to the \fB\-crlexts\fR option.
622 The same as \fB\-preserveDN\fR
625 The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
626 from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
627 the default is to allow for the \s-1EMAIL\s0 field in the certificate's \s-1DN.\s0
630 The same as \fB\-msie_hack\fR
633 The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section
639 the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
645 a reasonable output.
659 in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
667 certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
668 must match the same field in the \s-1CA\s0 certificate. If the value is
671 are silently deleted, unless the \fB\-preserveDN\fR option is set but
675 The input to the \fB\-spkac\fR command line option is a Netscape
677 the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
678 It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
680 The file should contain the variable \s-1SPKAC\s0 set to the value of
681 the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
685 When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR
686 flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
692 usually involves creating a \s-1CA\s0 certificate and private key with
693 \&\fBopenssl\-req\fR\|(1), a serial number file and an empty index file and
697 \&\fIdemoCA/private\fR and \fIdemoCA/newcerts\fR would be created. The \s-1CA\s0
699 key to \fIdemoCA/private/cakey.pem\fR. A file \fIdemoCA/serial\fR would be
706 \& openssl ca \-in req.pem \-out newcert.pem
709 Sign an \s-1SM2\s0 certificate request:
712 \& openssl ca \-in sm2.csr \-out sm2.crt \-md sm3 \e
713 \& \-sigopt "distid:1234567812345678" \e
714 \& \-vfyopt "distid:1234567812345678"
717 Sign a certificate request, using \s-1CA\s0 extensions:
720 \& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem
723 Generate a \s-1CRL\s0
726 \& openssl ca \-gencrl \-out crl.pem
732 \& openssl ca \-infiles req1.pem req2.pem req3.pem
735 Certify a Netscape \s-1SPKAC:\s0
738 \& openssl ca \-spkac spkac.txt
741 A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
764 \& serial = $dir/serial # serial no file
765 \& #rand_serial = yes # for random serial#\*(Aqs
794 \& /etc/ssl/openssl.cnf \- master configuration file
795 \& ./demoCA \- main CA directory
796 \& ./demoCA/cacert.pem \- CA certificate
797 \& ./demoCA/private/cakey.pem \- CA private key
798 \& ./demoCA/serial \- CA serial number file
799 \& ./demoCA/serial.old \- CA serial number backup file
800 \& ./demoCA/index.txt \- CA text database file
801 \& ./demoCA/index.txt.old \- CA text database backup file
802 \& ./demoCA/certs \- certificate output file
809 \&\s-1CRL:\s0 however there is no option to do this.
811 V2 \s-1CRL\s0 features like delta CRLs are not currently supported.
814 possible to include one \s-1SPKAC\s0 or self-signed certificate.
819 The use of an in-memory text database can cause problems when large
824 exposed at either a command or interface level so that a more user-friendly
826 \&\fB\s-1CA\s0.pl\fR helps a little but not very much.
829 deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
830 enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by
831 RFCs, regardless of the contents of the request's subject the \fB\-noemailDN\fR
839 This command was originally meant as an example of how to do things in a \s-1CA.\s0
841 It was not supposed to be used as a full blown \s-1CA\s0 itself,
845 It is advisable to keep them in a secure \s-1HW\s0 storage such as a smart card or \s-1HSM\s0
854 request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
857 a valid \s-1CA\s0 certificate.
859 and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
866 Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
867 For example if the \s-1CA\s0 certificate has:
873 then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
876 Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically,
877 certificate validity period (specified by any of \fB\-startdate\fR,
878 \&\fB\-enddate\fR and \fB\-days\fR) and \s-1CRL\s0 last/next update time (specified by
879 any of \fB\-crl_lastupdate\fR, \fB\-crl_nextupdate\fR, \fB\-crldays\fR, \fB\-crlhours\fR
880 and \fB\-crlsec\fR) will be encoded as UTCTime if the dates are
884 OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
886 define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
889 The \fB\-section\fR option was added in OpenSSL 3.0.0.
891 The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
894 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
898 \&\fBopenssl\-req\fR\|(1),
899 \&\fBopenssl\-spkac\fR\|(1),
900 \&\fBopenssl\-x509\fR\|(1),
901 \&\s-1\fBCA\s0.pl\fR\|(1),
906 Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
910 in the file \s-1LICENSE\s0 in the source distribution or at