Lines Matching full:s0

231 \&\s-1TLS\s0 connection options:
280 Certificate verification options, for both \s-1CMP\s0 and \s-1TLS:\s0
315 Management Protocol (\s-1CMP\s0) as defined in \s-1RFC4210.\s0
316 It can be used to request certificates from a \s-1CA\s0 server,
318 request certificates to be revoked, and perform other types of \s-1CMP\s0 requests.
331 Section(s) to use within config file defining \s-1CMP\s0 options.
343 0 = \s-1EMERG, 1\s0 = \s-1ALERT, 2\s0 = \s-1CRIT, 3\s0 = \s-1ERR, 4\s0 = \s-1WARN, 5\s0 = \s-1NOTE,
344 6\s0 = \s-1INFO, 7\s0 = \s-1DEBUG, 8\s0 = \s-1TRACE.\s0
345 Defaults to 6 = \s-1INFO.\s0
350 \&\s-1CMP\s0 command to execute.
370 \&\fBir\fR requests initialization of an end entity into a \s-1PKI\s0 hierarchy
374 initialized to the \s-1PKI\s0 hierarchy.
377 but using legacy PKCS#10 \s-1CSR\s0 format.
386 \&\s-1ITAV\s0 \fBinfoType\fRs is printed to stdout.
394 generalInfo integer values to place in request PKIHeader with given \s-1OID,\s0
401 Defaults to the public key in the PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option,
407 private key will be needed as well to provide the proof of possession (\s-1POPO\s0),
418 X509 Distinguished Name (\s-1DN\s0) of subject to use in the requested certificate
421 Default is the subject \s-1DN\s0 of any PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option.
422 For \s-1KUR,\s0 a further fallback is the subject \s-1DN\s0
424 This fallback is used for \s-1IR\s0 and \s-1CR\s0 only if no SANs are set.
427 the subject \s-1DN\s0 is used as fallback sender of outgoing \s-1CMP\s0 messages.
440 X509 issuer Distinguished Name (\s-1DN\s0) of the \s-1CA\s0 server
441 to place in the requested certificate template in \s-1IR/CR/KUR.\s0
445 the issuer \s-1DN\s0 is used as fallback recipient of outgoing \s-1CMP\s0 messages.
459 contained the given PKCS#10 \s-1CSR,\s0 overriding any extensions with same OIDs.
462 One or more \s-1IP\s0 addresses, \s-1DNS\s0 names, or URIs separated by commas or whitespace
464 to add as Subject Alternative Name(s) (\s-1SAN\s0) certificate request extension.
480 One or more \s-1OID\s0(s), separated by commas and/or whitespace
489 Proof-of-possession (\s-1POPO\s0) method to use for \s-1IR/CR/KUR\s0; values: \f(CW\*(C`\-1\*(C'\fR…
490 …C`\-1\*(C'\fR = \s-1NONE,\s0 \f(CW0\fR = \s-1RAVERIFIED,\s0 \f(CW1\fR = \s-1SIGNATURE\s0 (default)…
492 Note that a signature-based \s-1POPO\s0 can only be produced if a private key
496 PKCS#10 \s-1CSR\s0 in \s-1PEM\s0 or \s-1DER\s0 format containing a certificate request.
500 it is transformed into the respective regular \s-1CMP\s0 request.
504 (rather than taking over the public key contained in the PKCS#10 \s-1CSR\s0).
506 PKCS#10 \s-1CSR\s0 input may also be used with \fB\-cmd\fR \fIrr\fR
529 \&\fB\s-1WARNING:\s0\fR This leads to behavior violating \s-1RFC 4210.\s0
541 (\s-1KUR\s0) messages or to be revoked in Revocation Request (\s-1RR\s0) messages.
542 For \s-1KUR\s0 the certificate to be updated defaults to \fB\-cert\fR,
544 For \s-1RR\s0 the certificate to be revoked can also be specified using \fB\-csr\fR.
547 deriving default subject \s-1DN\s0 and Subject Alternative Names and the
548 default issuer entry in the requested certificate template of an \s-1IR/CR/KUR.\s0
551 Its issuer is used as default recipient in \s-1CMP\s0 message headers
555 Set CRLReason to be included in revocation request (\s-1RR\s0); values: \f(CW0\fR..\f(CW10\fR
558 Reason numbers defined in \s-1RFC 5280\s0 are:
579 The \s-1DNS\s0 hostname or \s-1IP\s0 address and optionally port
580 of the \s-1CMP\s0 server to connect to using \s-1HTTP\s0(S).
591 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1CMP\s0 server unless \fB\-no_proxy\fR
594 …CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that \s-1TLS\s0 may be
598 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
602 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
603 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
609 Distinguished Name (\s-1DN\s0) to use in the recipient field of \s-1CMP\s0 request message
610 headers, i.e., the \s-1CMP\s0 server (usually the addressed \s-1CA\s0).
612 The recipient field in the header of a \s-1CMP\s0 message is mandatory.
614 the subject of the \s-1CMP\s0 server certificate given with the \fB\-srvcert\fR option,
617 the issuer of the \s-1CMP\s0 client certificate (\fB\-cert\fR option),
624 \&\s-1HTTP\s0 path at the \s-1CMP\s0 server (aka \s-1CMP\s0 alias) to use for \s-1POST\s0 requests.
628 If the given value is 0 then \s-1HTTP\s0 connections are not kept open
629 after receiving a response, which is the default behavior for \s-1HTTP 1.0.\s0
636 Number of seconds a \s-1CMP\s0 request-response message round trip
651 when validating signature-based protection of \s-1CMP\s0 response messages.
653 It provides more flexibility than \fB\-srvcert\fR because the \s-1CMP\s0 protection
669 Non-trusted intermediate \s-1CA\s0 certificate(s).
672 for the own \s-1CMP\s0 signer certificate (to include in the extraCerts field of
673 request messages) and for the \s-1TLS\s0 client certificate (if \s-1TLS\s0 is enabled)
676 \&\s-1CMP\s0 message protection) and when validating newly enrolled certificates.
682 The specific \s-1CMP\s0 server certificate to expect and directly trust (even if it is
683 expired) when verifying signature-based protection of \s-1CMP\s0 response messages.
687 as default value for the recipient of \s-1CMP\s0 requests
688 and as default value for the expected sender of \s-1CMP\s0 responses.
691 Distinguished Name (\s-1DN\s0) expected in the sender field of incoming \s-1CMP\s0 messages.
692 Defaults to the subject \s-1DN\s0 of the pinned \fB\-srvcert\fR, if any.
695 \&\s-1CMP\s0 message signer, and attackers are not able to use arbitrary certificates
696 of a trusted \s-1PKI\s0 hierarchy to fraudulently pose as a \s-1CMP\s0 server.
705 Ignore key usage restrictions in \s-1CMP\s0 signer certificates when validating
706 signature-based protection of incoming \s-1CMP\s0 messages.
707 By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by \s-1CMP\s0 signer certificates.
716 negative certificate responses (\s-1IP/CP/KUP\s0)
718 negative revocation responses (\s-1RP\s0)
724 \&\fB\s-1WARNING:\s0\fR This setting leads to unspecified behavior and it is meant
726 \&\s-1RFC 4210,\s0 e.g.:
730 \&\*(L"There \s-1MAY\s0 be cases in which the PKIProtection \s-1BIT STRING\s0 is deliberately not
731 used to protect a message [...] because other protection, external to \s-1PKIX,\s0 will
734 section 5.3.21 is clear on ErrMsgContent: \*(L"The \s-1CA MUST\s0 always sign it
747 The file where to save any \s-1CA\s0 certificates contained in the caPubs field of
748 the last received certificate response (i.e., \s-1IP, CP,\s0 or \s-1KUP\s0) message.
755 is typically used when authenticating with pre-shared key (password-based \s-1MAC\s0).
762 The algorithm used by default is Password-Based Message Authentication Code (\s-1PBM\s0)
763 as defined in \s-1RFC 4210\s0 section 5.1.3.1.
769 The client's current \s-1CMP\s0 signer certificate.
773 serve as fallback values in the certificate template of \s-1IR/CR/KUR\s0 messages.
775 The subject of this certificate will be used as sender of outgoing \s-1CMP\s0 messages,
779 and as fallback issuer entry in the certificate template of \s-1IR/CR/KUR\s0 messages.
785 In Initialization Request (\s-1IR\s0) messages this can be used for authenticating
786 using an external entity certificate as defined in appendix E.7 of \s-1RFC 4210.\s0
788 For Key Update Request (\s-1KUR\s0) messages this is also used as
797 the client-side \s-1CMP\s0 signer certificate given with the \fB\-cert\fR option
814 It is also used as a fallback for the \fB\-newkey\fR option with \s-1IR/CR/KUR\s0 messages.
825 Specifies name of supported digest to use in \s-1RFC 4210\s0's \s-1MSG_SIG_ALG\s0
826 and as the one-way function (\s-1OWF\s0) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
828 proof-of-possession (\s-1POPO\s0) signatures.
833 Specifies the name of the \s-1MAC\s0 algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
834 To get the names of supported \s-1MAC\s0 algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(…
837 Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per \s-1RFC 4210.\s0
841 They can be used as the default \s-1CMP\s0 signer certificate chain to include.
854 Default value is \s-1PEM.\s0
880 \&... it's also possible to just give the key \s-1ID\s0 in \s-1URI\s0 form to \fB\-key\fR,
905 .SS "\s-1TLS\s0 connection options"
909 Enable using \s-1TLS\s0 (even when other TLS-related options are not set)
910 for message exchange with \s-1CMP\s0 server via \s-1HTTP.\s0
919 Client's \s-1TLS\s0 certificate.
921 certs) for constructing the client cert chain provided to the \s-1TLS\s0 server.
924 Private key for the client's \s-1TLS\s0 certificate.
927 Pass phrase source for client's private \s-1TLS\s0 key \fB\-tls_key\fR.
935 Extra certificates to provide to \s-1TLS\s0 server during \s-1TLS\s0 handshake
938 Trusted certificate(s) to use for validating the \s-1TLS\s0 server certificate.
951 This may be a \s-1DNS\s0 name or an \s-1IP\s0 address.
965 Take the sequence of \s-1CMP\s0 requests to send to the server from the given file(s)
984 Use a fresh transactionID for \s-1CMP\s0 request messages read using \fB\-reqin\fR,
987 and the \s-1CMP\s0 server complains that the transaction \s-1ID\s0 has already been used.
990 Save the sequence of \s-1CMP\s0 requests created by the client to the given file(s).
1000 Process the sequence of \s-1CMP\s0 responses provided in the given file(s),
1012 Save the sequence of actually used \s-1CMP\s0 responses to the given file(s).
1022 Test the client using the internal \s-1CMP\s0 server mock-up at \s-1API\s0 level,
1023 bypassing socket-based transfer via \s-1HTTP.\s0
1029 Act as HTTP-based \s-1CMP\s0 server mock-up listening on the given port.
1035 Maximum number of \s-1CMP\s0 (request) messages the \s-1CMP HTTP\s0 server mock-up
1064 Intermediate \s-1CA\s0 certs that may be useful when validating client certificates.
1073 \&\s-1CA\s0 certificates to be included in mock Initialization Response (\s-1IP\s0) message.
1107 certificate responses (\s-1IP/CP/KUP\s0), and revocation responses (\s-1RP\s0).
1108 \&\s-1WARNING:\s0 This setting leads to behavior violating \s-1RFC 4210.\s0
1118 Accept \s-1RAVERIFIED\s0 as proof of possession (\s-1POPO\s0).
1119 .SS "Certificate verification options, for both \s-1CMP\s0 and \s-1TLS\s0"
1131 When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to
1133 authentication of the \s-1CMP\s0 server is particularly critical.
1138 When setting up \s-1CMP\s0 configurations and experimenting with enrollment options
1140 When the \s-1CMP\s0 server reports an error the client will by default
1141 check the protection of the \s-1CMP\s0 response message.
1142 Yet some \s-1CMP\s0 services tend not to protect negative responses.
1145 For assisting in such cases the \s-1CMP\s0 client offers a workaround via the
1151 This \s-1CMP\s0 client implementation comes with demonstrative \s-1CMP\s0 sections
1153 which can be used to interact conveniently with the Insta Demo \s-1CA.\s0
1155 In order to enroll an initial certificate from that \s-1CA\s0 it is sufficient
1175 In case the network setup requires using an \s-1HTTP\s0 proxy it may be given as usual
1177 configuration file or the \s-1CMP\s0 command-line argument \fB\-proxy\fR, for example
1183 In the Insta Demo \s-1CA\s0 scenario both clients and the server may use the pre-shared
1186 Alternatively, \s-1CMP\s0 messages may be protected in signature-based manner,
1188 and the client may use any certificate already obtained from that \s-1CA,\s0
1196 By default the \s-1CMP IR\s0 message type is used, yet \s-1CR\s0 works equally here.
1215 using MAC-based protection with \s-1PBM\s0 or
1237 For instance, the \fB\-reqexts\fR \s-1CLI\s0 option may refer to a section in the
1247 They assume that a \s-1CMP\s0 server can be contacted on the local \s-1TCP\s0 port 80
1251 and sends an initial request message to the local \s-1CMP\s0 server
1253 In this example the client does not have the \s-1CA\s0 certificate yet,
1254 so we specify the name of the \s-1CA\s0 with the \fB\-recipient\fR option
1255 and save any \s-1CA\s0 certificates that we may receive in the \f(CW\*(C`capubs.pem\*(C'\fR file.
1285 .SS "Requesting information from \s-1CMP\s0 server"
1288 This prints information about all received \s-1ITAV\s0 \fBinfoType\fRs to stdout.
1296 For \s-1CMP\s0 client invocations, in particular for certificate enrollment,
1354 in the file \s-1LICENSE\s0 in the source distribution or at