
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-CMP 1ossl"
58 .TH OPENSSL-CMP 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application
68 [\fB\-help\fR]
69 [\fB\-config\fR \fIfilename\fR]
70 [\fB\-section\fR \fInames\fR]
71 [\fB\-verbosity\fR \fIlevel\fR]
73 Generic message options:
75 [\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR]
76 [\fB\-infotype\fR \fIname\fR]
77 [\fB\-profile\fR \fIname\fR]
78 [\fB\-geninfo\fR \fIvalues\fR]
79 [\fB\-template\fR \fIfilename\fR]
80 [\fB\-keyspec\fR \fIfilename\fR]
84 [\fB\-newkey\fR \fIfilename\fR|\fIuri\fR]
85 [\fB\-newkeypass\fR \fIarg\fR]
86 [\fB\-centralkeygen\fR
87 [\fB\-newkeyout\fR \fIfilename\fR]
88 [\fB\-subject\fR \fIname\fR]
89 [\fB\-days\fR \fInumber\fR]
90 [\fB\-reqexts\fR \fIname\fR]
91 [\fB\-sans\fR \fIspec\fR]
92 [\fB\-san_nodefault\fR]
93 [\fB\-policies\fR \fIname\fR]
94 [\fB\-policy_oids\fR \fInames\fR]
95 [\fB\-policy_oids_critical\fR]
96 [\fB\-popo\fR \fInumber\fR]
97 [\fB\-csr\fR \fIfilename\fR]
98 [\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR]
99 [\fB\-implicit_confirm\fR]
100 [\fB\-disable_confirm\fR]
101 [\fB\-certout\fR \fIfilename\fR]
102 [\fB\-chainout\fR \fIfilename\fR]
106 [\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR]
107 [\fB\-issuer\fR \fIname\fR]
108 [\fB\-serial\fR \fInumber\fR]
109 [\fB\-revreason\fR \fInumber\fR]
111 Message transfer options:
113 [\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
114 [\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
115 [\fB\-no_proxy\fR \fIaddresses\fR]
116 [\fB\-recipient\fR \fIname\fR]
117 [\fB\-path\fR \fIremote_path\fR]
118 [\fB\-keep_alive\fR \fIvalue\fR]
119 [\fB\-msg_timeout\fR \fIseconds\fR]
120 [\fB\-total_timeout\fR \fIseconds\fR]
124 [\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR]
125 [\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR]
126 [\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR]
127 [\fB\-expect_sender\fR \fIname\fR]
128 [\fB\-ignore_keyusage\fR]
129 [\fB\-unprotected_errors\fR]
130 [\fB\-no_cache_extracerts\fR]
131 [\fB\-srvcertout\fR \fIfilename\fR]
132 [\fB\-extracertsout\fR \fIfilename\fR]
133 [\fB\-cacertsout\fR \fIfilename\fR]
134 [\fB\-oldwithold\fR \fIfilename\fR]
135 [\fB\-newwithnew\fR \fIfilename\fR]
136 [\fB\-newwithold\fR \fIfilename\fR]
137 [\fB\-oldwithnew\fR \fIfilename\fR]
138 [\fB\-crlcert\fR \fIfilename\fR]
139 [\fB\-oldcrl\fR \fIfilename\fR]
140 [\fB\-crlout\fR \fIfilename\fR]
144 [\fB\-ref\fR \fIvalue\fR]
145 [\fB\-secret\fR \fIarg\fR]
146 [\fB\-cert\fR \fIfilename\fR|\fIuri\fR]
147 [\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR]
148 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
149 [\fB\-keypass\fR \fIarg\fR]
150 [\fB\-digest\fR \fIname\fR]
151 [\fB\-mac\fR \fIname\fR]
152 [\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR]
153 [\fB\-unprotected_requests\fR]
157 [\fB\-certform\fR \fIPEM|DER\fR]
158 [\fB\-crlform\fR \fIPEM|DER\fR]
159 [\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR]
160 [\fB\-otherpass\fR \fIarg\fR]
161 [\fB\-engine\fR \fIid\fR]
162 [\fB\-provider\fR \fIname\fR]
163 [\fB\-provider\-path\fR \fIpath\fR]
164 [\fB\-provparam\fR \fI[name:]key=value\fR]
165 [\fB\-propquery\fR \fIpropq\fR]
169 [\fB\-rand\fR \fIfiles\fR]
170 [\fB\-writerand\fR \fIfile\fR]
174 [\fB\-tls_used\fR]
175 [\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR]
176 [\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR]
177 [\fB\-tls_keypass\fR \fIarg\fR]
178 [\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR]
179 [\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR]
180 [\fB\-tls_host\fR \fIname\fR]
182 Client-side debugging options:
184 [\fB\-batch\fR]
185 [\fB\-repeat\fR \fInumber\fR]
186 [\fB\-reqin\fR \fIfilenames\fR]
187 [\fB\-reqin_new_tid\fR]
188 [\fB\-reqout\fR \fIfilenames\fR]
189 [\fB\-reqout_only\fR \fIfilename\fR]
190 [\fB\-rspin\fR \fIfilenames\fR]
191 [\fB\-rspout\fR \fIfilenames\fR]
192 [\fB\-use_mock_srv\fR]
196 [\fB\-port\fR \fInumber\fR]
197 [\fB\-max_msgs\fR \fInumber\fR]
198 [\fB\-srv_ref\fR \fIvalue\fR]
199 [\fB\-srv_secret\fR \fIarg\fR]
200 [\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR]
201 [\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR]
202 [\fB\-srv_keypass\fR \fIarg\fR]
203 [\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR]
204 [\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR]
205 [\fB\-ref_cert\fR \fIfilename\fR|\fIuri\fR]
206 [\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR]
207 [\fB\-rsp_key\fR \fIfilename\fR|\fIuri\fR]
208 [\fB\-rsp_keypass\fR \fIfilename\fR|\fIuri\fR]
209 [\fB\-rsp_crl\fR \fIfilename\fR|\fIuri\fR]
210 [\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR]
211 [\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR]
212 [\fB\-rsp_newwithnew\fR \fIfilename\fR|\fIuri\fR]
213 [\fB\-rsp_newwithold\fR \fIfilename\fR|\fIuri\fR]
214 [\fB\-rsp_oldwithnew\fR \fIfilename\fR|\fIuri\fR]
215 [\fB\-poll_count\fR \fInumber\fR]
216 [\fB\-check_after\fR \fInumber\fR]
217 [\fB\-grant_implicitconf\fR]
218 [\fB\-pkistatus\fR \fInumber\fR]
219 [\fB\-failure\fR \fInumber\fR]
220 [\fB\-failurebits\fR \fInumber\fR]
221 [\fB\-statusstring\fR \fIarg\fR]
222 [\fB\-send_error\fR]
223 [\fB\-send_unprotected\fR]
224 [\fB\-send_unprot_err\fR]
225 [\fB\-accept_unprotected\fR]
226 [\fB\-accept_unprot_err\fR]
227 [\fB\-accept_raverified\fR]
231 [\fB\-allow_proxy_certs\fR]
232 [\fB\-attime\fR \fItimestamp\fR]
233 [\fB\-no_check_time\fR]
234 [\fB\-check_ss_sig\fR]
235 [\fB\-crl_check\fR]
236 [\fB\-crl_check_all\fR]
237 [\fB\-explicit_policy\fR]
238 [\fB\-extended_crl\fR]
239 [\fB\-ignore_critical\fR]
240 [\fB\-inhibit_any\fR]
241 [\fB\-inhibit_map\fR]
242 [\fB\-partial_chain\fR]
243 [\fB\-policy\fR \fIarg\fR]
244 [\fB\-policy_check\fR]
245 [\fB\-policy_print\fR]
246 [\fB\-purpose\fR \fIpurpose\fR]
247 [\fB\-suiteB_128\fR]
248 [\fB\-suiteB_128_only\fR]
249 [\fB\-suiteB_192\fR]
250 [\fB\-trusted_first\fR]
251 [\fB\-no_alt_chains\fR]
252 [\fB\-use_deltas\fR]
253 [\fB\-auth_level\fR \fInum\fR]
254 [\fB\-verify_depth\fR \fInum\fR]
255 [\fB\-verify_email\fR \fIemail\fR]
256 [\fB\-verify_hostname\fR \fIhostname\fR]
257 [\fB\-verify_ip\fR \fIip\fR]
258 [\fB\-verify_name\fR \fIname\fR]
259 [\fB\-x509_strict\fR]
260 [\fB\-issuer_checks\fR]
270 .IP \fB\-help\fR 4
271 .IX Item "-help"
273 .IP "\fB\-config\fR \fIfilename\fR" 4
274 .IX Item "-config filename"
278 .IP "\fB\-section\fR \fInames\fR" 4
279 .IX Item "-section names"
288 section (as far as present) can provide per-option fallback values.
289 .IP "\fB\-verbosity\fR \fIlevel\fR" 4
290 .IX Item "-verbosity level"
295 .SS "Generic message options"
296 .IX Subsection "Generic message options"
297 .IP "\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR" 4
298 .IX Item "-cmd ir|cr|kur|p10cr|rr|genm"
302 .IP "ir \ \- Initialization Request" 8
303 .IX Item "ir \ - Initialization Request"
305 .IP "cr \ \- Certificate Request" 8
306 .IX Item "cr \ - Certificate Request"
307 .IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8
308 .IX Item "p10cr - PKCS#10 Certification Request (for legacy support)"
309 .IP "kur \ \ \- Key Update Request" 8
310 .IX Item "kur \ \ - Key Update Request"
311 .IP "rr \ \- Revocation Request" 8
312 .IX Item "rr \ - Revocation Request"
313 .IP "genm \- General Message" 8
314 .IX Item "genm - General Message"
332 \&\fBgenm\fR requests information using a General Message, where optionally
337 .IP "\fB\-infotype\fR \fIname\fR" 4
338 .IX Item "-infotype name"
343 .IP "\fB\-profile\fR \fIname\fR" 4
344 .IX Item "-profile name"
347 .IP "\fB\-geninfo\fR \fIvalues\fR" 4
348 .IX Item "-geninfo values"
349 A comma-separated list of InfoTypeAndValue to place in
353 e.g., \f(CW\*(Aq1.2.3.4:int:56789, id\-kp:str:name\*(Aq\fR.
354 .IP "\fB\-template\fR \fIfilename\fR" 4
355 .IX Item "-template filename"
357 received in a genp message with id-it-certReqTemplate.
358 .IP "\fB\-keyspec\fR \fIfilename\fR" 4
359 .IX Item "-keyspec filename"
361 present in a genp message with id-it-keyGenParameters.
366 .IP "\fB\-newkey\fR \fIfilename\fR|\fIuri\fR" 4
367 .IX Item "-newkey filename|uri"
369 Defaults to the public key in the PKCS#10 CSR given with the \fB\-csr\fR option,
374 Unless \fB\-cmd\fR \fIp10cr\fR, \fB\-popo\fR \fI\-1\fR, or \fB\-popo\fR \fI0\fR is given, the
376 where the \fB\-key\fR option may provide a fallback.
377 .IP "\fB\-newkeypass\fR \fIarg\fR" 4
378 .IX Item "-newkeypass arg"
379 Pass phrase source for the key given with the \fB\-newkey\fR option.
383 \&\fBopenssl\-passphrase\-options\fR\|(1).
384 .IP \fB\-centralkeygen\fR 4
385 .IX Item "-centralkeygen"
387 This applies to \fB\-cmd\fR \fIir|cr|kur|p10cr\fR.
388 .IP "\fB\-newkeyout\fR \fIfilename\fR" 4
389 .IX Item "-newkeyout filename"
391 .IP "\fB\-subject\fR \fIname\fR" 4
392 .IX Item "-subject name"
395 If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no subject is placed in the template.
396 Default is the subject DN of any PKCS#10 CSR given with the \fB\-csr\fR option.
398 of the reference certificate (see \fB\-oldcert\fR) if provided.
401 If provided and neither of \fB\-cert\fR, \fB\-oldcert\fR, or \fB\-csr\fR is given,
407 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
408 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
413 .IP "\fB\-days\fR \fInumber\fR" 4
414 .IX Item "-days number"
419 .IP "\fB\-reqexts\fR \fIname\fR" 4
420 .IX Item "-reqexts name"
422 If the \fB\-csr\fR option is present, these extensions augment the extensions
424 .IP "\fB\-sans\fR \fIspec\fR" 4
425 .IX Item "-sans spec"
431 Cannot be used if any Subject Alternative Name extension is set via \fB\-reqexts\fR.
432 .IP \fB\-san_nodefault\fR 4
433 .IX Item "-san_nodefault"
434 When Subject Alternative Names are not given via \fB\-sans\fR
435 nor defined via \fB\-reqexts\fR,
436 they are copied by default from the reference certificate (see \fB\-oldcert\fR).
437 This can be disabled by giving the \fB\-san_nodefault\fR option.
438 .IP "\fB\-policies\fR \fIname\fR" 4
439 .IX Item "-policies name"
442 This option cannot be used together with \fB\-policy_oids\fR.
443 .IP "\fB\-policy_oids\fR \fInames\fR" 4
444 .IX Item "-policy_oids names"
448 This option cannot be used together with \fB\-policies\fR.
449 .IP \fB\-policy_oids_critical\fR 4
450 .IX Item "-policy_oids_critical"
451 Flag the policies given with \fB\-policy_oids\fR as critical.
452 .IP "\fB\-popo\fR \fInumber\fR" 4
453 .IX Item "-popo number"
454 Proof-of-possession (POPO) method to use for IR/CR/KUR; values: \f(CW\-1\fR..\f(CW2\fR where
455 \&\f(CW\-1\fR = NONE, which implies central key generation,
458 Note that a signature-based POPO can only be produced if a private key
459 is provided via the \fB\-newkey\fR or \fB\-key\fR options.
460 .IP "\fB\-csr\fR \fIfilename\fR" 4
461 .IX Item "-csr filename"
463 With \fB\-cmd\fR \fIp10cr\fR it is used directly in a legacy P10CR message.
465 When used with \fB\-cmd\fR \fIir\fR, \fIcr\fR, or \fIkur\fR,
467 In this case, a private key must be provided (with \fB\-newkey\fR or \fB\-key\fR)
468 for the proof of possession (unless \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR is used)
472 PKCS#10 CSR input may also be used with \fB\-cmd\fR \fIrr\fR
475 Its subject is used as fallback sender in CMP message headers
476 if \fB\-cert\fR and \fB\-oldcert\fR are not given.
477 .IP "\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
478 .IX Item "-out_trusted filenames|uris"
487 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
489 .IP \fB\-implicit_confirm\fR 4
490 .IX Item "-implicit_confirm"
492 .IP \fB\-disable_confirm\fR 4
493 .IX Item "-disable_confirm"
494 Do not send certificate confirmation message for newly enrolled certificate
498 .IP "\fB\-certout\fR \fIfilename\fR" 4
499 .IX Item "-certout filename"
501 .IP "\fB\-chainout\fR \fIfilename\fR" 4
502 .IX Item "-chainout filename"
507 If the \fB\-certout\fR option is given, too, with equal \fIfilename\fR argument,
512 .IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
513 .IX Item "-oldcert filename|uri"
514 The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
516 For KUR the certificate to be updated defaults to \fB\-cert\fR,
518 For RR the certificate to be revoked can also be specified using \fB\-csr\fR.
519 \&\fB\-oldcert\fR and \fB\-csr\fR are ignored if \fB\-issuer\fR and \fB\-serial\fR are provided.
525 Its subject is used as sender of outgoing messages if \fB\-cert\fR is not given.
526 Its issuer is used as default recipient in CMP message headers
527 if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
528 .IP "\fB\-issuer\fR \fIname\fR" 4
529 .IX Item "-issuer name"
532 If the NULL-DN (\f(CW\*(C`/\*(C'\fR) is given then no issuer is placed in the template.
534 If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
538 For details see the description of the \fB\-subject\fR option.
539 .IP "\fB\-serial\fR \fInumber\fR" 4
540 .IX Item "-serial number"
543 .IP "\fB\-revreason\fR \fInumber\fR" 4
544 .IX Item "-revreason number"
546 or \f(CW\-1\fR for none (which is the default).
559 \& \-\- value 7 is not used
565 .SS "Message transfer options"
566 .IX Subsection "Message transfer options"
567 .IP "\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
568 .IX Item "-server [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
574 This option excludes \fI\-port\fR and \fI\-use_mock_srv\fR.
575 It is ignored if \fI\-rspin\fR is given with enough filename arguments.
577 If the scheme \f(CW\*(C`https\*(C'\fR is given, the \fB\-tls_used\fR option is implied.
581 If a path is included it provides the default value for the \fB\-path\fR option.
582 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
583 .IX Item "-proxy [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
584 The HTTP(S) proxy server to use for reaching the CMP server unless \fB\-no_proxy\fR
589 may be required by \fB\-tls_used\fR or \fB\-server\fR with the prefix \f(CW\*(C`https\*(C'\fR),
593 This option is ignored if \fI\-server\fR is not given.
594 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
595 .IX Item "-no_proxy addresses"
600 This option is ignored if \fI\-server\fR is not given.
601 .IP "\fB\-recipient\fR \fIname\fR" 4
602 .IX Item "-recipient name"
603 Distinguished Name (DN) to use in the recipient field of CMP request message
606 The recipient field in the header of a CMP message is mandatory.
608 the subject of the CMP server certificate given with the \fB\-srvcert\fR option,
609 the \fB\-issuer\fR option,
610 the issuer of the certificate given with the \fB\-oldcert\fR option,
611 the issuer of the CMP client certificate (\fB\-cert\fR option),
612 as far as any of those is present, else the NULL-DN as last resort.
615 For details see the description of the \fB\-subject\fR option.
616 .IP "\fB\-path\fR \fIremote_path\fR" 4
617 .IX Item "-path remote_path"
619 Defaults to any path given with \fB\-server\fR, else \f(CW"/"\fR.
620 .IP "\fB\-keep_alive\fR \fIvalue\fR" 4
621 .IX Item "-keep_alive value"
630 .IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
631 .IX Item "-msg_timeout seconds"
632 Number of seconds a CMP request-response message round trip
635 Default is to use the \fB\-total_timeout\fR setting.
636 .IP "\fB\-total_timeout\fR \fIseconds\fR" 4
637 .IX Item "-total_timeout seconds"
644 .IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4
645 .IX Item "-trusted filenames|uris"
647 when validating signature-based protection of CMP response messages.
648 This option is ignored if the \fB\-srvcert\fR option is given as well.
649 It provides more flexibility than \fB\-srvcert\fR because the CMP protection
653 If none of \fB\-trusted\fR, \fB\-srvcert\fR, and \fB\-secret\fR is given, message validation
654 errors will be thrown unless \fB\-unprotected_errors\fR permits an exception.
661 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
663 .IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
664 .IX Item "-untrusted filenames|uris"
665 Non-trusted intermediate CA certificate(s).
666 Any extra certificates given with the \fB\-cert\fR option are appended to it.
671 when validating server certificates (checking signature-based
672 CMP message protection) and when validating newly enrolled certificates.
677 .IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
678 .IX Item "-srvcert filename|uri"
680 expired) when verifying signature-based protection of CMP response messages.
681 This pins the accepted server and results in ignoring the \fB\-trusted\fR option.
686 .IP "\fB\-expect_sender\fR \fIname\fR" 4
687 .IX Item "-expect_sender name"
689 Defaults to the subject DN of the pinned \fB\-srvcert\fR, if any.
692 CMP message signer, and attackers are not able to use arbitrary certificates
694 Note that this option gives slightly more freedom than setting the \fB\-srvcert\fR,
699 For details see the description of the \fB\-subject\fR option.
700 .IP \fB\-ignore_keyusage\fR 4
701 .IX Item "-ignore_keyusage"
703 signature-based protection of incoming CMP messages.
706 .IP \fB\-unprotected_errors\fR 4
707 .IX Item "-unprotected_errors"
709 This applies to the following message types and contents:
729 used to protect a message [...] because other protection, external to PKIX, will
735 appendix D.4 shows PKIConf message having protection
739 .IP \fB\-no_cache_extracerts\fR 4
740 .IX Item "-no_cache_extracerts"
744 .IP "\fB\-srvcertout\fR \fIfilename\fR" 4
745 .IX Item "-srvcertout filename"
747 that the CMP server used for signature-based response message protection.
748 If there is no such certificate, typically because the protection was MAC-based,
750 .IP "\fB\-extracertsout\fR \fIfilename\fR" 4
751 .IX Item "-extracertsout filename"
753 field of the last received response message that is not a pollRep nor PKIConf.
754 .IP "\fB\-cacertsout\fR \fIfilename\fR" 4
755 .IX Item "-cacertsout filename"
757 if a positive certificate response (i.e., IP, CP, or KUP) message was received
758 or contained in a general response (genp) message with infoType \f(CW\*(C`caCerts\*(C'\fR.
759 .IP "\fB\-oldwithold\fR \fIfilename\fR" 4
760 .IX Item "-oldwithold filename"
764 .IP "\fB\-newwithnew\fR \fIfilename\fR" 4
765 .IX Item "-newwithnew filename"
766 This option must be provided when \fB\-infotype\fR \fIrootCaCert\fR is given.
768 received in a genp message of type \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
774 and the certificate provided with \fB\-oldwithold\fR as the (only) trust anchor,
775 or if not provided, using the certificates given with the \fB\-trusted\fR option.
780 the \fB\-oldwithold\fR certificate if present, otherwise it cannot be stronger than
781 the weakest trust placed in any of the \fB\-trusted\fR certificates.
782 .IP "\fB\-newwithold\fR \fIfilename\fR" 4
783 .IX Item "-newwithold filename"
785 received in a genp message of infoType \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
787 .IP "\fB\-oldwithnew\fR \fIfilename\fR" 4
788 .IX Item "-oldwithnew filename"
790 received in a genp message of infoType \f(CW\*(C`rootCaKeyUpdate\*(C'\fR.
792 .IP "\fB\-crlcert\fR \fIfilename\fR" 4
793 .IX Item "-crlcert filename"
797 .IP "\fB\-oldcrl\fR \fIfilename\fR" 4
798 .IX Item "-oldcrl filename"
800 Unless the \fB\-crlcert\fR option is provided as well,
804 .IP "\fB\-crlout\fR \fIfilename\fR" 4
805 .IX Item "-crlout filename"
806 The file to save any CRL received in a genp message of infoType \f(CW\*(C`crls\*(C'\fR.
810 .IP "\fB\-ref\fR \fIvalue\fR" 4
811 .IX Item "-ref value"
813 if no sender name can be determined from the \fB\-cert\fR or \fB\-subject\fR options and
814 is typically used when authenticating with a pre-shared key (password-based MAC).
815 .IP "\fB\-secret\fR \fIarg\fR" 4
816 .IX Item "-secret arg"
817 Provides the source of a secret value to use with MAC-based message protection.
818 This takes precedence over the \fB\-cert\fR and \fB\-key\fR options.
819 The secret is used for creating MAC-based protection of outgoing messages
820 and for validating incoming messages that have MAC-based protection.
821 The algorithm used by default is Password-Based Message Authentication Code (PBM)
825 \&\fBopenssl\-passphrase\-options\fR\|(1).
826 .IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4
827 .IX Item "-cert filename|uri"
829 Requires the corresponding key to be given with \fB\-key\fR.
835 while the subject of \fB\-oldcert\fR or \fB\-subject\fR may provide fallback values.
840 When performing signature-based message protection,
848 the certificate to be updated if the \fB\-oldcert\fR option is not given.
852 is included in the extraCerts field in signature-protected request messages.
853 .IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
854 .IX Item "-own_trusted filenames|uris"
856 the client-side CMP signer certificate given with the \fB\-cert\fR option
864 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
866 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
867 .IX Item "-key filename|uri"
869 the \fB\-cert\fR option.
870 This will be used for signature-based message protection unless the \fB\-secret\fR
871 option indicating MAC-based protection or \fB\-unprotected_requests\fR is given.
873 It is also used as a fallback for the \fB\-newkey\fR option with IR/CR/KUR messages.
874 .IP "\fB\-keypass\fR \fIarg\fR" 4
875 .IX Item "-keypass arg"
876 Pass phrase source for the private key given with the \fB\-key\fR option.
877 Also used for \fB\-cert\fR and \fB\-oldcert\fR in case it is an encrypted PKCS#12 file.
881 \&\fBopenssl\-passphrase\-options\fR\|(1).
882 .IP "\fB\-digest\fR \fIname\fR" 4
883 .IX Item "-digest name"
885 and as the one-way function (OWF) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
886 If applicable, this is used for message protection and
887 proof-of-possession (POPO) signatures.
888 To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
890 .IP "\fB\-mac\fR \fIname\fR" 4
891 .IX Item "-mac name"
893 To get the names of supported MAC algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(C'\fR
896 Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per RFC 4210.
897 .IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
898 .IX Item "-extracerts filenames|uris"
905 .IP \fB\-unprotected_requests\fR 4
906 .IX Item "-unprotected_requests"
907 Send request messages without CMP-level protection.
910 .IP "\fB\-certform\fR \fIPEM|DER\fR" 4
911 .IX Item "-certform PEM|DER"
914 .IP "\fB\-crlform\fR \fIPEM|DER\fR" 4
915 .IX Item "-crlform PEM|DER"
920 .IP "\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR" 4
921 .IX Item "-keyform PEM|DER|P12|ENGINE"
924 .IP "\fB\-otherpass\fR \fIarg\fR" 4
925 .IX Item "-otherpass arg"
926 Pass phrase source for certificate given with the \fB\-trusted\fR, \fB\-untrusted\fR,
927 \&\fB\-own_trusted\fR, \fB\-srvcert\fR, \fB\-crlcert\fR, \fB\-out_trusted\fR, \fB\-extracerts\fR,
928 \&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-ref_cert\fR,
929 \&\fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
930 \&\fB\-rsp_newwithnew\fR, \fB\-rsp_newwithold\fR, \fB\-rsp_oldwithnew\fR,
931 \&\fB\-tls_extra\fR, and \fB\-tls_trusted\fR options.
935 \&\fBopenssl\-passphrase\-options\fR\|(1).
936 .IP "\fB\-engine\fR \fIid\fR" 4
937 .IX Item "-engine id"
944 \& \-engine {engineid} \-key {keyid} \-keyform ENGINE
947 \&... it's also possible to just give the key ID in URI form to \fB\-key\fR,
951 \& \-key org.openssl.engine:{engineid}:{keyid}
954 This applies to all options specifying keys: \fB\-key\fR, \fB\-newkey\fR, and
955 \&\fB\-tls_key\fR.
958 .IP "\fB\-provider\fR \fIname\fR" 4
959 .IX Item "-provider name"
961 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
962 .IX Item "-provider-path path"
963 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
964 .IX Item "-provparam [name:]key=value"
965 .IP "\fB\-propquery\fR \fIpropq\fR" 4
966 .IX Item "-propquery propq"
971 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
972 .IX Item "-rand files, -writerand file"
976 .IP \fB\-tls_used\fR 4
977 .IX Item "-tls_used"
978 Make the CMP client use TLS (regardless of whether other TLS-related options are set)
979 for message exchange with the server via HTTP.
980 This option is not supported with the \fI\-port\fR option.
981 It is implied if the \fB\-server\fR option is given with the scheme \f(CW\*(C`https\*(C'\fR.
982 It is ignored if the \fB\-server\fR option is not given or \fB\-use_mock_srv\fR is given
983 or \fB\-rspin\fR is given with enough filename arguments.
985 The following TLS-related options are ignored if TLS is not used.
986 .IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
987 .IX Item "-tls_cert filename|uri"
989 If the source includes further certs they are used (along with \fB\-untrusted\fR
991 .IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
992 .IX Item "-tls_key filename|uri"
994 .IP "\fB\-tls_keypass\fR \fIarg\fR" 4
995 .IX Item "-tls_keypass arg"
996 Pass phrase source for client's private TLS key \fB\-tls_key\fR.
997 Also used for \fB\-tls_cert\fR in case it is an encrypted PKCS#12 file.
1001 \&\fBopenssl\-passphrase\-options\fR\|(1).
1002 .IP "\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR" 4
1003 .IX Item "-tls_extra filenames|uris"
1005 .IP "\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
1006 .IX Item "-tls_trusted filenames|uris"
1015 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1017 .IP "\fB\-tls_host\fR \fIname\fR" 4
1018 .IX Item "-tls_host name"
1021 If not given it defaults to the \fB\-server\fR address.
1022 .SS "Client-side options for debugging and offline scenarios"
1023 .IX Subsection "Client-side options for debugging and offline scenarios"
1024 .IP \fB\-batch\fR 4
1025 .IX Item "-batch"
1028 .IP "\fB\-repeat\fR \fInumber\fR" 4
1029 .IX Item "-repeat number"
1032 .IP "\fB\-reqin\fR \fIfilenames\fR" 4
1033 .IX Item "-reqin filenames"
1040 This option is ignored if the \fB\-rspin\fR option is given
1045 (such as \fB\-cmd\fR and all options providing the required parameters)
1046 need to be given also when the \fB\-reqin\fR option is present.
1048 If the \fB\-reqin\fR option is given for a certificate request
1049 and no \fB\-newkey\fR, \fB\-key\fR, \fB\-oldcert\fR, or \fB\-csr\fR option is given,
1050 a fallback public key is taken from the request message file
1053 Hint: In case the \fB\-reqin\fR option is given for a certificate request, there are
1057 certificate request message will not be sent), and its generation
1058 can be disabled using the options \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR.
1070 This causes re-protection (if protecting requests is required).
1071 .IP \fB\-reqin_new_tid\fR 4
1072 .IX Item "-reqin_new_tid"
1073 Use a fresh transactionID for CMP request messages read using \fB\-reqin\fR,
1077 .IP "\fB\-reqout\fR \fIfilenames\fR" 4
1078 .IX Item "-reqout filenames"
1080 These requests are not sent to the server if the \fB\-reqin\fR option is used, too.
1087 .IP "\fB\-reqout_only\fR \fIfilename\fR" 4
1088 .IX Item "-reqout_only filename"
1094 .IP "\fB\-rspin\fR \fIfilenames\fR" 4
1095 .IX Item "-rspin filenames"
1102 Any server specified via the \fI\-server\fR or \fI\-use_mock_srv\fR options is contacted
1106 .IP "\fB\-rspout\fR \fIfilenames\fR" 4
1107 .IX Item "-rspout filenames"
1109 These have been received from the server unless \fB\-rspin\fR takes effect.
1116 .IP \fB\-use_mock_srv\fR 4
1117 .IX Item "-use_mock_srv"
1118 Test the client using the internal CMP server mock-up at API level,
1119 bypassing socket-based transfer via HTTP.
1120 This excludes the \fB\-server\fR and \fB\-port\fR options.
1123 .IP "\fB\-port\fR \fInumber\fR" 4
1124 .IX Item "-port number"
1125 Act as HTTP-based CMP server mock-up listening on the given local port.
1127 This option excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
1128 The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
1130 .IP "\fB\-max_msgs\fR \fInumber\fR" 4
1131 .IX Item "-max_msgs number"
1132 Maximum number of CMP (request) messages the CMP HTTP server mock-up
1136 detects a CMP-level error that it can successfully answer with an error message.
1137 .IP "\fB\-srv_ref\fR \fIvalue\fR" 4
1138 .IX Item "-srv_ref value"
1139 Reference value to use as senderKID of server in case no \fB\-srv_cert\fR is given.
1140 .IP "\fB\-srv_secret\fR \fIarg\fR" 4
1141 .IX Item "-srv_secret arg"
1142 Password source for server authentication with a pre-shared key (secret).
1143 .IP "\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR" 4
1144 .IX Item "-srv_cert filename|uri"
1146 .IP "\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR" 4
1147 .IX Item "-srv_key filename|uri"
1149 .IP "\fB\-srv_keypass\fR \fIarg\fR" 4
1150 .IX Item "-srv_keypass arg"
1152 .IP "\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
1153 .IX Item "-srv_trusted filenames|uris"
1157 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1159 .IP "\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
1160 .IX Item "-srv_untrusted filenames|uris"
1162 .IP "\fB\-ref_cert\fR \fIfilename\fR|\fIuri\fR" 4
1163 .IX Item "-ref_cert filename|uri"
1165 .IP "\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR" 4
1166 .IX Item "-rsp_cert filename|uri"
1168 .IP "\fB\-rsp_key\fR \fIfilename\fR|\fIuri\fR" 4
1169 .IX Item "-rsp_key filename|uri"
1171 .IP "\fB\-rsp_keypass\fR \fIarg\fR" 4
1172 .IX Item "-rsp_keypass arg"
1174 .IP "\fB\-rsp_crl\fR \fIfilename\fR|\fIuri\fR" 4
1175 .IX Item "-rsp_crl filename|uri"
1177 .IP "\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
1178 .IX Item "-rsp_extracerts filenames|uris"
1180 .IP "\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR" 4
1181 .IX Item "-rsp_capubs filenames|uris"
1182 CA certificates to be included in mock Initialization Response (IP) message.
1183 .IP "\fB\-rsp_newwithnew\fR \fIfilename\fR|\fIuri\fR" 4
1184 .IX Item "-rsp_newwithnew filename|uri"
1186 .IP "\fB\-rsp_newwithold\fR \fIfilename\fR|\fIuri\fR" 4
1187 .IX Item "-rsp_newwithold filename|uri"
1189 .IP "\fB\-rsp_oldwithnew\fR \fIfilename\fR|\fIuri\fR" 4
1190 .IX Item "-rsp_oldwithnew filename|uri"
1192 .IP "\fB\-poll_count\fR \fInumber\fR" 4
1193 .IX Item "-poll_count number"
1195 .IP "\fB\-check_after\fR \fInumber\fR" 4
1196 .IX Item "-check_after number"
1198 .IP \fB\-grant_implicitconf\fR 4
1199 .IX Item "-grant_implicitconf"
1201 .IP "\fB\-pkistatus\fR \fInumber\fR" 4
1202 .IX Item "-pkistatus number"
1205 .IP "\fB\-failure\fR \fInumber\fR" 4
1206 .IX Item "-failure number"
1209 .IP "\fB\-failurebits\fR \fInumber\fR Number representing failure bits to be included in server res…
1210 .IX Item "-failurebits number Number representing failure bits to be included in server response. V…
1212 .IP "\fB\-statusstring\fR \fIarg\fR" 4
1213 .IX Item "-statusstring arg"
1216 .IP \fB\-send_error\fR 4
1217 .IX Item "-send_error"
1218 Force server to reply with error message.
1219 .IP \fB\-send_unprotected\fR 4
1220 .IX Item "-send_unprotected"
1221 Send response messages without CMP-level protection.
1222 .IP \fB\-send_unprot_err\fR 4
1223 .IX Item "-send_unprot_err"
1227 .IP \fB\-accept_unprotected\fR 4
1228 .IX Item "-accept_unprotected"
1230 .IP \fB\-accept_unprot_err\fR 4
1231 .IX Item "-accept_unprot_err"
1234 .IP \fB\-accept_raverified\fR 4
1235 .IX Item "-accept_raverified"
1239-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
1240-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
1242 See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
1245 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1246 only affect the certificate verification enabled via the \fB\-out_trusted\fR option.
1254 using \fB\-trusted\fR and related options for certificate-based authentication
1255 or \fB\-secret\fR for MAC-based protection.
1256 If authentication is certificate-based, the \fB\-srvcertout\fR option
1258 and perform an authorization check based on it.
1263 check the protection of the CMP response message.
1268 \&\fB\-unprotected_errors\fR option, which allows accepting such negative messages.
1270 If OpenSSL was built with trace support enabled (e.g., \f(CW\*(C`./config enable\-trace\*(C'\fR)
1289 \& openssl genrsa \-out insta.priv.pem
1290 \& openssl cmp \-section insta
1298 \& openssl x509 \-noout \-text \-in insta.cert.pem
1302 via the environment variable \fBhttp_proxy\fR or via the \fB\-proxy\fR option in the
1303 configuration file or the CMP command-line argument \fB\-proxy\fR, for example
1306 \& \-proxy http://192.168.1.1:8080
1309 In the Insta Demo CA scenario both clients and the server may use the pre-shared
1312 Alternatively, CMP messages may be protected in signature-based manner,
1319 \& openssl cmp \-section insta,signature
1322 By default the CMP IR message type is used, yet CR works equally here.
1326 \& openssl cmp \-section insta \-cmd cr
1332 \& openssl cmp \-section insta,cr
1338 \& openssl cmp \-section insta,kur,signature
1341 using signature-based protection with the certificate that is to be updated.
1342 For certificate updates, MAC-based protection should generally not be used.
1347 \& openssl cmp \-section insta,rr \-trusted insta.ca.crt
1353 \& openssl cmp \-section insta,rr,signature
1358 For instance, the \fB\-reqexts\fR CLI option may refer to a section in the
1363 \& openssl cmp \-section insta,cr \-reqexts v3_req
1372 and sends an initial request message to the local CMP server
1373 using a pre-shared secret key for mutual authentication.
1375 so we specify the name of the CA with the \fB\-recipient\fR option
1382 \& openssl genrsa \-out cl_key.pem
1383 \& openssl cmp \-cmd ir \-server 127.0.0.1:80/pkix/ \-recipient "/CN=CMPserver" \e
1384 \& \-ref 1234 \-secret pass:1234\-5678 \e
1385 \& \-newkey cl_key.pem \-subject "/CN=MyName" \e
1386 \& \-cacertsout capubs.pem \-certout cl_cert.pem
1397 \& openssl genrsa \-out cl_key_new.pem
1398 \& openssl cmp \-cmd kur \-server 127.0.0.1:80/pkix/ \e
1399 \& \-trusted capubs.pem \e
1400 \& \-cert cl_cert.pem \-key cl_key.pem \e
1401 \& \-newkey cl_key_new.pem \-certout cl_cert.pem
1408 Requesting "all relevant information" with an empty General Message.
1412 \& openssl cmp \-cmd genm \-server 127.0.0.1/pkix/ \-recipient "/CN=CMPserver" \e
1413 \& \-ref 1234 \-secret pass:1234\-5678
1418 usually many parameters need to be set, which is tedious and error-prone to do
1443 \& secret = pass:1234\-5678\-1234\-567
1451 \& openssl cmp \-section cmp,init
1452 \& openssl cmp \-cmd kur \-newkey cl_key_new.pem
1455 and the above transaction using a general message reduces to
1458 \& openssl cmp \-section cmp,init \-cmd genm
1462 \&\fBopenssl\-genrsa\fR\|(1), \fBopenssl\-ecparam\fR\|(1), \fBopenssl\-list\fR\|(1),
1463 \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \fBx509v3_config\fR\|(5)
1468 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
1470 The \fB\-oldwithold\fR, \fB\-newwithnew\fR, \fB\-newwithold\fR, \fB\-oldwithnew\fR,
1471 \&\fB\-srvcertout\fR, and \fB\-serial\fR options were added in OpenSSL 3.2, as well
1472 as an extension of \fB\-cacertsout\fR to use when getting CA certificates.
1473 Since then, the \fB\-issuer\fR option may also be used for certificates to be revoked.
1475 The \fB\-profile\fR and \fB\-no_cache_extracerts\fR options were added in OpenSSL 3.3,
1478 The \fB\-template\fR, \fB\-crlcert\fR, \fB\-oldcrl\fR, \fB\-crlout\fR, \fB\-crlform\fR
1479 and \fB\-rsp_crl\fR options were added in OpenSSL 3.4.
1481 \&\fB\-centralkeygen\fR, \fB\-newkeyout\fR, \fB\-rsp_key\fR and
1482 \&\fB\-rsp_keypass\fR were added in OpenSSL 3.5.
1485 Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.