Lines Matching +full:csr +full:- +full:2 +full:l
18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31 . ds L" ""
37 . ds -- \|\(em\|
39 . ds L" ``
62 . tm Index:\\$1\t\\n%\t"\\$2"
64 . if !\nF==2 \{\
66 . nr F 2
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-REQ 1ossl"
134 .TH OPENSSL-REQ 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-req \- PKCS#10 certificate request and certificate generating command
144 [\fB\-help\fR]
145 [\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
146 [\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
147 [\fB\-in\fR \fIfilename\fR]
148 [\fB\-passin\fR \fIarg\fR]
149 [\fB\-out\fR \fIfilename\fR]
150 [\fB\-passout\fR \fIarg\fR]
151 [\fB\-text\fR]
152 [\fB\-pubkey\fR]
153 [\fB\-noout\fR]
154 [\fB\-verify\fR]
155 [\fB\-modulus\fR]
156 [\fB\-new\fR]
157 [\fB\-newkey\fR \fIarg\fR]
158 [\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR]
159 [\fB\-noenc\fR]
160 [\fB\-nodes\fR]
161 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
162 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
163 [\fB\-keyout\fR \fIfilename\fR]
164 [\fB\-keygen_engine\fR \fIid\fR]
165 [\fB\-\f(BIdigest\fB\fR]
166 [\fB\-config\fR \fIfilename\fR]
167 [\fB\-section\fR \fIname\fR]
168 [\fB\-x509\fR]
169 [\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
170 [\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
171 [\fB\-days\fR \fIn\fR]
172 [\fB\-set_serial\fR \fIn\fR]
173 [\fB\-newhdr\fR]
174 [\fB\-copy_extensions\fR \fIarg\fR]
175 [\fB\-addext\fR \fIext\fR]
176 [\fB\-extensions\fR \fIsection\fR]
177 [\fB\-reqexts\fR \fIsection\fR]
178 [\fB\-precert\fR]
179 [\fB\-utf8\fR]
180 [\fB\-reqopt\fR]
181 [\fB\-subject\fR]
182 [\fB\-subj\fR \fIarg\fR]
183 [\fB\-multivalue\-rdn\fR]
184 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
185 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
186 [\fB\-batch\fR]
187 [\fB\-verbose\fR]
188 [\fB\-nameopt\fR \fIoption\fR]
189 [\fB\-rand\fR \fIfiles\fR]
190 [\fB\-writerand\fR \fIfile\fR]
191 [\fB\-engine\fR \fIid\fR]
192 [\fB\-provider\fR \fIname\fR]
193 [\fB\-provider\-path\fR \fIpath\fR]
194 [\fB\-propquery\fR \fIpropq\fR]
198 in PKCS#10 format. It can additionally create self-signed certificates
202 .IP "\fB\-help\fR" 4
203 .IX Item "-help"
205 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR, \fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\…
206 .IX Item "-inform DER|PEM, -outform DER|PEM"
208 See \fBopenssl\-format\-options\fR\|(1) for details.
211 .IP "\fB\-in\fR \fIfilename\fR" 4
212 .IX Item "-in filename"
214 This defaults to standard input unless \fB\-x509\fR or \fB\-CA\fR is specified.
216 (\fB\-new\fR or \fB\-newkey\fR or \fB\-precert\fR) are not specified.
217 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
218 .IX Item "-sigopt nm:v"
220 Names and values of these options are algorithm-specific.
221 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
222 .IX Item "-vfyopt nm:v"
224 Names and values of these options are algorithm-specific.
225 .IP "\fB\-passin\fR \fIarg\fR" 4
226 .IX Item "-passin arg"
229 see \fBopenssl\-passphrase\-options\fR\|(1).
230 .IP "\fB\-passout\fR \fIarg\fR" 4
231 .IX Item "-passout arg"
234 see \fBopenssl\-passphrase\-options\fR\|(1).
235 .IP "\fB\-out\fR \fIfilename\fR" 4
236 .IX Item "-out filename"
238 .IP "\fB\-text\fR" 4
239 .IX Item "-text"
241 .IP "\fB\-subject\fR" 4
242 .IX Item "-subject"
244 (or certificate subject if \fB\-x509\fR is in use).
245 .IP "\fB\-pubkey\fR" 4
246 .IX Item "-pubkey"
248 .IP "\fB\-noout\fR" 4
249 .IX Item "-noout"
251 .IP "\fB\-modulus\fR" 4
252 .IX Item "-modulus"
254 .IP "\fB\-verify\fR" 4
255 .IX Item "-verify"
256 Verifies the self-signature on the request.
257 .IP "\fB\-new\fR" 4
258 .IX Item "-new"
264 If the \fB\-key\fR option is not given it will generate a new private key
266 the \fB\-newkey\fR and \fB\-pkeyopt\fR options,
267 else by default an \s-1RSA\s0 key with 2048 bits length.
268 .IP "\fB\-newkey\fR \fIarg\fR" 4
269 .IX Item "-newkey arg"
270 This option is used to generate a new private key unless \fB\-key\fR is given.
271 It is subsequently used as if it was given using the \fB\-key\fR option.
273 This option implies the \fB\-new\fR flag to create a new certificate request
274 or a new certificate in case \fB\-x509\fR is given.
278 [\fBrsa:\fR]\fInbits\fR generates an \s-1RSA\s0 key \fInbits\fR in size.
279 If \fInbits\fR is omitted, i.e., \fB\-newkey\fR \fBrsa\fR is specified,
283 All other algorithms support the \fB\-newkey\fR \fIalgname\fR:\fIfile\fR form, where
284 \&\fIfile\fR is an algorithm parameter file, created with \f(CW\*(C`openssl genpkey \-genparam\*(C'…
294 any necessary parameters should be specified via the \fB\-pkeyopt\fR option.
296 \&\fBdsa:\fR\fIfilename\fR generates a \s-1DSA\s0 key using the parameters
297 in the file \fIfilename\fR. \fBec:\fR\fIfilename\fR generates \s-1EC\s0 key (usable both with
298 \&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:\fR\fIfilename\fR generates \s-1GOST R
299 34.10\-2001\s0 key (requires \fBgost\fR engine configured in the configuration
301 specified by \fB\-pkeyopt\fR \fIparamset:X\fR
302 .IP "\fB\-pkeyopt\fR \fIopt\fR:\fIvalue\fR" 4
303 .IX Item "-pkeyopt opt:value"
307 See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 in \fBopenssl\-genpkey\fR\|(1) for more details.
308 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
309 .IX Item "-key filename|uri"
312 Unless \fB\-in\fR is given, the corresponding public key is placed in
313 the new certificate or certificate request, resulting in a self-signature.
315 For certificate signing this option is overridden by the \fB\-CA\fR option.
317 This option also accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
318 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
319 .IX Item "-keyform DER|PEM|P12|ENGINE"
321 See \fBopenssl\-format\-options\fR\|(1) for details.
322 .IP "\fB\-keyout\fR \fIfilename\fR" 4
323 .IX Item "-keyout filename"
325 or read from \fB\-key\fR. If neither the \fB\-keyout\fR option nor the \fB\-key\fR option
328 private key and the \fB\-key\fR option is provided, you should provide the
329 \&\fB\-keyout\fR option explicitly. If a new key is generated and no filename is
331 .IP "\fB\-noenc\fR" 4
332 .IX Item "-noenc"
335 .IP "\fB\-nodes\fR" 4
336 .IX Item "-nodes"
337 This option is deprecated since OpenSSL 3.0; use \fB\-noenc\fR instead.
338 .IP "\fB\-\f(BIdigest\fB\fR" 4
339 .IX Item "-digest"
345 Some public key algorithms may override this choice. For instance, \s-1DSA\s0
346 signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
347 \&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest.
348 .IP "\fB\-config\fR \fIfilename\fR" 4
349 .IX Item "-config filename"
352 see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
353 .IP "\fB\-section\fR \fIname\fR" 4
354 .IX Item "-section name"
356 .IP "\fB\-subj\fR \fIarg\fR" 4
357 .IX Item "-subj arg"
365 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
366 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
371 .IP "\fB\-multivalue\-rdn\fR" 4
372 .IX Item "-multivalue-rdn"
374 .IP "\fB\-x509\fR" 4
375 .IX Item "-x509"
378 It is implied by the \fB\-CA\fR option.
380 This option implies the \fB\-new\fR flag if \fB\-in\fR is not given.
382 If an existing request is specified with the \fB\-in\fR option, it is converted
385 Unless specified using the \fB\-set_serial\fR option,
388 Unless the \fB\-copy_extensions\fR option is used,
392 or using the \fB\-addext\fR option.
393 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
394 .IX Item "-CA filename|uri"
395 Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing a new certificate
396 and implies use of \fB\-x509\fR.
397 When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
398 The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
399 certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as specified below.
400 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
401 .IX Item "-CAkey filename|uri"
402 Sets the \*(L"\s-1CA\*(R"\s0 private key to sign a certificate with.
403 The private key must match the public key of the certificate given with \fB\-CA\fR.
404 If this option is not provided then the key must be present in the \fB\-CA\fR input.
405 .IP "\fB\-days\fR \fIn\fR" 4
406 .IX Item "-days n"
407 When \fB\-x509\fR is in use this specifies the number of
410 .IP "\fB\-set_serial\fR \fIn\fR" 4
411 .IX Item "-set_serial n"
412 Serial number to use when outputting a self-signed certificate.
415 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
416 .IX Item "-copy_extensions arg"
418 when \fB\-x509\fR is in use.
425 .IP "\fB\-addext\fR \fIext\fR" 4
426 .IX Item "-addext ext"
427 Add a specific extension to the certificate (if \fB\-x509\fR is in use)
432 .IP "\fB\-extensions\fR \fIsection\fR" 4
433 .IX Item "-extensions section"
435 .IP "\fB\-reqexts\fR \fIsection\fR" 4
436 .IX Item "-reqexts section"
439 extensions (if \fB\-x509\fR is in use) or certificate request extensions.
443 .IP "\fB\-precert\fR" 4
444 .IX Item "-precert"
446 \&\*(L"pre-certificate\*(R" (see \s-1RFC6962\s0). This can be submitted to Certificate
448 These SCTs can then be embedded into the pre-certificate as an extension, before
451 This implies the \fB\-new\fR flag.
452 .IP "\fB\-utf8\fR" 4
453 .IX Item "-utf8"
454 This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
455 default they are interpreted as \s-1ASCII.\s0 This means that the field
457 configuration file, must be valid \s-1UTF8\s0 strings.
458 .IP "\fB\-reqopt\fR \fIoption\fR" 4
459 .IX Item "-reqopt option"
460 Customise the printing format used with \fB\-text\fR. The \fIoption\fR argument can be
463 See discussion of the \fB\-certopt\fR parameter in the \fBopenssl\-x509\fR\|(1)
465 .IP "\fB\-newhdr\fR" 4
466 .IX Item "-newhdr"
467 Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted
469 .IP "\fB\-batch\fR" 4
470 .IX Item "-batch"
471 Non-interactive mode.
472 .IP "\fB\-verbose\fR" 4
473 .IX Item "-verbose"
475 .IP "\fB\-keygen_engine\fR \fIid\fR" 4
476 .IX Item "-keygen_engine id"
479 .IP "\fB\-nameopt\fR \fIoption\fR" 4
480 .IX Item "-nameopt option"
482 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
483 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
484 .IX Item "-rand files, -writerand file"
485 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
486 .IP "\fB\-engine\fR \fIid\fR" 4
487 .IX Item "-engine id"
488 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
490 .IP "\fB\-provider\fR \fIname\fR" 4
491 .IX Item "-provider name"
493 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
494 .IX Item "-provider-path path"
495 .IP "\fB\-propquery\fR \fIpropq\fR" 4
496 .IX Item "-propquery propq"
498 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
503 \&\fB\-section\fR option.
519 This option is used in conjunction with the \fB\-new\fR option to generate
521 the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If
527 overridden by the \fB\-keyout\fR option.
530 This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
540 .IP "\fB\s-1RANDFILE\s0\fR" 4
548 \&\fBnot\fR encrypted. This is equivalent to the \fB\-noenc\fR command line
564 be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the
566 is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
573 by the \fB\-reqexts\fR command line switch. See the
579 extensions to add to certificate generated when \fB\-x509\fR is in use.
580 It can be overridden by the \fB\-extensions\fR command line switch.
588 If set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
589 strings, by default they are interpreted as \s-1ASCII.\s0 This means that
591 configuration file, must be valid \s-1UTF8\s0 strings.
615 This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file with
617 of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
625 \& fieldName_min= 2
629 \&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
630 The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
642 in a \s-1DN.\s0 This presents a problem because configuration files will
646 be input by calling it \*(L"1.organizationName\*(R".
662 \& openssl req \-in req.pem \-text \-verify \-noout
667 .Vb 2
668 \& openssl genrsa \-out key.pem 2048
669 \& openssl req \-new \-key key.pem \-out req.pem
675 \& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
678 Generate a self-signed root certificate:
681 \& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
684 Create an \s-1SM2\s0 private key and then generate a certificate request from it:
686 .Vb 2
687 \& openssl ecparam \-genkey \-name SM2 \-out sm2.key
688 \& openssl req \-new \-key sm2.key \-out sm2.csr \-sm3 \-sigopt "distid:1234567812345678"
691 Examine and verify an \s-1SM2\s0 certificate request:
694 \& openssl req \-verify \-in sm2.csr \-sm3 \-vfyopt "distid:1234567812345678"
699 .Vb 2
707 .Vb 2
725 \& countryName = Country Name (2 letter code)
727 \& countryName_min = 2
728 \& countryName_max = 2
766 \& L = Test Locality
780 \& openssl req \-new \-subj "/C=GB/CN=foo" \e
781 \& \-addext "subjectAltName = DNS:foo.co.uk" \e
782 \& \-addext "certificatePolicies = 1.2.3.4" \e
783 \& \-newkey rsa:2048 \-keyout key.pem \-out req.pem
787 The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
795 .Vb 2
802 .Vb 2
815 .Vb 2
821 the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
828 then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but
829 it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
834 treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
841 and \s-1MSIE\s0 then you currently need to use the invalid T61String form.
850 \&\fBopenssl\-x509\fR\|(1),
851 \&\fBopenssl\-ca\fR\|(1),
852 \&\fBopenssl\-genrsa\fR\|(1),
853 \&\fBopenssl\-gendsa\fR\|(1),
858 The \fB\-section\fR option was added in OpenSSL 3.0.0.
860 The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
863 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
864 The <\-nodes> option was deprecated in OpenSSL 3.0, too; use \fB\-noenc\fR instead.
867 Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
869 Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
871 in the file \s-1LICENSE\s0 in the source distribution or at