Lines Matching +full:- +full:- +full:arg +full:- +full:file

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-X509 1ossl"
58 .TH OPENSSL-X509 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-x509 \- Certificate display and signing command
68 [\fB\-help\fR]
69 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
70 [\fB\-passin\fR \fIarg\fR]
71 [\fB\-new\fR]
72 [\fB\-x509toreq\fR]
73 [\fB\-req\fR]
74 [\fB\-copy_extensions\fR \fIarg\fR]
75 [\fB\-inform\fR \fBDER\fR|\fBPEM\fR]
76 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
77 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
78 [\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
79 [\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
80 [\fB\-out\fR \fIfilename\fR]
81 [\fB\-outform\fR \fBDER\fR|\fBPEM\fR]
82 [\fB\-nocert\fR]
83 [\fB\-noout\fR]
84 [\fB\-dateopt\fR]
85 [\fB\-text\fR]
86 [\fB\-certopt\fR \fIoption\fR]
87 [\fB\-fingerprint\fR]
88 [\fB\-alias\fR]
89 [\fB\-serial\fR]
90 [\fB\-startdate\fR]
91 [\fB\-enddate\fR]
92 [\fB\-dates\fR]
93 [\fB\-subject\fR]
94 [\fB\-issuer\fR]
95 [\fB\-nameopt\fR \fIoption\fR]
96 [\fB\-email\fR]
97 [\fB\-hash\fR]
98 [\fB\-subject_hash\fR]
99 [\fB\-subject_hash_old\fR]
100 [\fB\-issuer_hash\fR]
101 [\fB\-issuer_hash_old\fR]
102 [\fB\-ext\fR \fIextensions\fR]
103 [\fB\-ocspid\fR]
104 [\fB\-ocsp_uri\fR]
105 [\fB\-purpose\fR]
106 [\fB\-pubkey\fR]
107 [\fB\-modulus\fR]
108 [\fB\-checkend\fR \fInum\fR]
109 [\fB\-checkhost\fR \fIhost\fR]
110 [\fB\-checkemail\fR \fIhost\fR]
111 [\fB\-checkip\fR \fIipaddr\fR]
112 [\fB\-set_serial\fR \fIn\fR]
113 [\fB\-next_serial\fR]
114 [\fB\-not_before\fR \fIdate\fR]
115 [\fB\-not_after\fR \fIdate\fR]
116 [\fB\-days\fR \fIarg\fR]
117 [\fB\-preserve_dates\fR]
118 [\fB\-set_issuer\fR \fIarg\fR]
119 [\fB\-set_subject\fR \fIarg\fR]
120 [\fB\-subj\fR \fIarg\fR]
121 [\fB\-force_pubkey\fR \fIfilename\fR]
122 [\fB\-clrext\fR]
123 [\fB\-extfile\fR \fIfilename\fR]
124 [\fB\-extensions\fR \fIsection\fR]
125 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
126 [\fB\-badsig\fR]
127 [\fB\-\fR\f(BIdigest\fR]
128 [\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
129 [\fB\-CAform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR]
130 [\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
131 [\fB\-CAkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
132 [\fB\-CAserial\fR \fIfilename\fR]
133 [\fB\-CAcreateserial\fR]
134 [\fB\-trustout\fR]
135 [\fB\-setalias\fR \fIarg\fR]
136 [\fB\-clrtrust\fR]
137 [\fB\-addtrust\fR \fIarg\fR]
138 [\fB\-clrreject\fR]
139 [\fB\-addreject\fR \fIarg\fR]
140 [\fB\-rand\fR \fIfiles\fR]
141 [\fB\-writerand\fR \fIfile\fR]
142 [\fB\-engine\fR \fIid\fR]
143 [\fB\-provider\fR \fIname\fR]
144 [\fB\-provider\-path\fR \fIpath\fR]
145 [\fB\-provparam\fR \fI[name:]key=value\fR]
146 [\fB\-propquery\fR \fIpropq\fR]
149 This command is a multi-purpose certificate handling command.
153 and then self-signing them or signing them like a "micro CA".
165 .IP \fB\-help\fR 4
166 .IX Item "-help"
168 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
169 .IX Item "-in filename|uri"
171 or the input file for reading a certificate request if the \fB\-req\fR flag is used.
174 This option cannot be combined with the \fB\-new\fR flag.
175 .IP "\fB\-passin\fR \fIarg\fR" 4
176 .IX Item "-passin arg"
177 The key and certificate file password source.
178 For more information about the format of \fIarg\fR
179 see \fBopenssl\-passphrase\-options\fR\|(1).
180 .IP \fB\-new\fR 4
181 .IX Item "-new"
184 So this excludes the \fB\-in\fR and \fB\-req\fR options.
185 Instead, the \fB\-set_subject\fR option needs to be given.
186 The public key to include can be given with the \fB\-force_pubkey\fR option
187 and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
188 which implies self-signature.
189 .IP \fB\-x509toreq\fR 4
190 .IX Item "-x509toreq"
192 The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
193 self-signing; the corresponding public key is placed in the subjectPKInfo field.
196 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
197 .IP \fB\-req\fR 4
198 .IX Item "-req"
201 which must be correctly self-signed.
204 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
205 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
206 .IX Item "-copy_extensions arg"
208 when converting from a certificate to a request using the \fB\-x509toreq\fR option
209 or converting from a request to a certificate using the \fB\-req\fR option.
210 If \fIarg\fR is \fBnone\fR or this option is not present then extensions are ignored.
211 If \fIarg\fR is \fBcopy\fR or \fBcopyall\fR then all extensions are copied,
215 The \fB\-ext\fR option can be used to further restrict which extensions to copy.
216 .IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR" 4
217 .IX Item "-inform DER|PEM"
218 The input file format to use; by default PEM is tried first.
219 See \fBopenssl\-format\-options\fR\|(1) for details.
220 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
221 .IX Item "-vfyopt nm:v"
223 Names and values of these options are algorithm-specific.
224 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
225 .IX Item "-key filename|uri"
228 Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
229 the new certificate or certificate request, resulting in a self-signature.
231 This option cannot be used in conjunction with the \fB\-CA\fR option.
233 It sets the issuer name to the subject name (i.e., makes it self-issued).
234 Unless the \fB\-preserve_dates\fR option is supplied,
236 and the end date to a value determined by the \fB\-days\fR option.
238 \&\fB\-not_before\fR and \fB\-not_after\fR.
239 .IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
240 .IX Item "-signkey filename|uri"
241 This option is an alias of \fB\-key\fR.
242 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
243 .IX Item "-keyform DER|PEM|P12|ENGINE"
245 See \fBopenssl\-format\-options\fR\|(1) for details.
246 .IP "\fB\-out\fR \fIfilename\fR" 4
247 .IX Item "-out filename"
249 .IP "\fB\-outform\fR \fBDER\fR|\fBPEM\fR" 4
250 .IX Item "-outform DER|PEM"
252 See \fBopenssl\-format\-options\fR\|(1) for details.
253 .IP \fB\-nocert\fR 4
254 .IX Item "-nocert"
256 .IP \fB\-noout\fR 4
257 .IX Item "-noout"
261 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
263 .IP \fB\-dateopt\fR 4
264 .IX Item "-dateopt"
267 .IP \fB\-text\fR 4
268 .IX Item "-text"
272 .IP "\fB\-certopt\fR \fIoption\fR" 4
273 .IX Item "-certopt option"
274 Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
276 The \fB\-certopt\fR switch may also be used more than once to set multiple
278 .IP \fB\-fingerprint\fR 4
279 .IX Item "-fingerprint"
285 .IP \fB\-alias\fR 4
286 .IX Item "-alias"
288 .IP \fB\-serial\fR 4
289 .IX Item "-serial"
291 .IP \fB\-startdate\fR 4
292 .IX Item "-startdate"
294 .IP \fB\-enddate\fR 4
295 .IX Item "-enddate"
297 .IP \fB\-dates\fR 4
298 .IX Item "-dates"
300 .IP \fB\-subject\fR 4
301 .IX Item "-subject"
303 .IP \fB\-issuer\fR 4
304 .IX Item "-issuer"
306 .IP "\fB\-nameopt\fR \fIoption\fR" 4
307 .IX Item "-nameopt option"
309 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
310 .IP \fB\-email\fR 4
311 .IX Item "-email"
313 .IP \fB\-hash\fR 4
314 .IX Item "-hash"
315 Synonym for "\-subject_hash" for backward compatibility reasons.
316 .IP \fB\-subject_hash\fR 4
317 .IX Item "-subject_hash"
321 .IP \fB\-subject_hash_old\fR 4
322 .IX Item "-subject_hash_old"
325 .IP \fB\-issuer_hash\fR 4
326 .IX Item "-issuer_hash"
328 .IP \fB\-issuer_hash_old\fR 4
329 .IX Item "-issuer_hash_old"
332 .IP "\fB\-ext\fR \fIextensions\fR" 4
333 .IX Item "-ext extensions"
339 .IP \fB\-ocspid\fR 4
340 .IX Item "-ocspid"
342 .IP \fB\-ocsp_uri\fR 4
343 .IX Item "-ocsp_uri"
345 .IP \fB\-purpose\fR 4
346 .IX Item "-purpose"
349 "Certificate Extensions" in \fBopenssl\-verification\-options\fR\|(1).
350 .IP \fB\-pubkey\fR 4
351 .IX Item "-pubkey"
353 .IP \fB\-modulus\fR 4
354 .IX Item "-modulus"
359 .IP "\fB\-checkend\fR \fIarg\fR" 4
360 .IX Item "-checkend arg"
361 Checks if the certificate expires within the next \fIarg\fR seconds and exits
363 .IP "\fB\-checkhost\fR \fIhost\fR" 4
364 .IX Item "-checkhost host"
366 .IP "\fB\-checkemail\fR \fIemail\fR" 4
367 .IX Item "-checkemail email"
369 .IP "\fB\-checkip\fR \fIipaddr\fR" 4
370 .IX Item "-checkip ipaddr"
374 .IP "\fB\-set_serial\fR \fIn\fR" 4
375 .IX Item "-set_serial n"
377 This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
378 If used in conjunction with the \fB\-CA\fR option
379 the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
382 .IP \fB\-next_serial\fR 4
383 .IX Item "-next_serial"
385 .IP "\fB\-not_before\fR \fIdate\fR" 4
386 .IX Item "-not_before date"
393 Cannot be used together with the \fB\-preserve_dates\fR option.
394 .IP "\fB\-not_after\fR \fIdate\fR" 4
395 .IX Item "-not_after date"
402 Cannot be used together with the \fB\-preserve_dates\fR option.
403 This overrides the option \fB\-days\fR.
404 .IP "\fB\-days\fR \fIarg\fR" 4
405 .IX Item "-days arg"
409 Cannot be used together with the option \fB\-preserve_dates\fR.
410 If option \fB\-not_after\fR is set, the explicit expiry date takes precedence.
411 .IP \fB\-preserve_dates\fR 4
412 .IX Item "-preserve_dates"
415 Cannot be used together with the options \fB\-days\fR, \fB\-not_before\fR and \fB\-not_after\fR.
416 .IP "\fB\-set_issuer\fR \fIarg\fR" 4
417 .IX Item "-set_issuer arg"
420 See \fB\-set_subject\fR on how the arg must be formatted.
421 .IP "\fB\-set_subject\fR \fIarg\fR" 4
422 .IX Item "-set_subject arg"
424 When the certificate is self-signed the issuer name is set to the same value,
425 unless the \fB\-set_issuer\fR option is given.
427 The arg must be formatted as \f(CW\*(C`/type0=value0/type1=value1/type2=...\*(C'\fR.
431 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
432 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
438 This option can be used with the \fB\-new\fR and \fB\-force_pubkey\fR options to create
440 .IP "\fB\-subj\fR \fIarg\fR" 4
441 .IX Item "-subj arg"
442 This option is an alias of \fB\-set_subject\fR.
443 .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
444 .IX Item "-force_pubkey filename"
448 or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
451 This option can be used in conjunction with \fB\-new\fR and \fB\-set_subject\fR
454 This option is also useful for creating self-issued certificates that are not
455 self-signed, for instance when the key cannot be used for signing, such as DH.
456 .IP \fB\-clrext\fR 4
457 .IX Item "-clrext"
462 the \fB\-clrext\fR option prevents taking over any extensions from the source.
465 .IP "\fB\-extfile\fR \fIfilename\fR" 4
466 .IX Item "-extfile filename"
467 Configuration file containing certificate and request X.509 extensions to add.
468 .IP "\fB\-extensions\fR \fIsection\fR" 4
469 .IX Item "-extensions section"
481 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
482 .IX Item "-sigopt nm:v"
485 Names and values provided using this option are algorithm-specific.
486 .IP \fB\-badsig\fR 4
487 .IX Item "-badsig"
490 .IP \fB\-\fR\f(BIdigest\fR 4
491 .IX Item "-digest"
494 digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
495 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
496 If not specified then SHA1 is used with \fB\-fingerprint\fR or
498 .SS "Micro-CA Options"
499 .IX Subsection "Micro-CA Options"
500 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
501 .IX Item "-CA filename|uri"
507 This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
508 This option is normally combined with the \fB\-req\fR option referencing a CSR.
509 Without the \fB\-req\fR option the input must be an existing certificate
510 unless the \fB\-new\fR option is given, which generates a certificate from scratch.
511 .IP "\fB\-CAform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
512 .IX Item "-CAform DER|PEM|P12"
514 See \fBopenssl\-format\-options\fR\|(1) for details.
515 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
516 .IX Item "-CAkey filename|uri"
518 The private key must match the public key of the certificate given with \fB\-CA\fR.
519 If this option is not provided then the key must be present in the \fB\-CA\fR input.
520 .IP "\fB\-CAkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
521 .IX Item "-CAkeyform DER|PEM|P12|ENGINE"
523 See \fBopenssl\-format\-options\fR\|(1) for details.
524 .IP "\fB\-CAserial\fR \fIfilename\fR" 4
525 .IX Item "-CAserial filename"
526 Sets the CA serial number file to use.
528 When creating a certificate with this option and with the \fB\-CA\fR option,
529 the certificate serial number is stored in the given file.
530 This file consists of one line containing
532 After reading this number, it is incremented and used, and the file is updated.
534 The default filename consists of the CA certificate file base name with
535 \&\fI.srl\fR appended. For example if the CA certificate file is called
536 \&\fImycacert.pem\fR it expects to find a serial number file called
539 If the \fB\-CA\fR option is specified and neither \fB\-CAserial\fR nor \fB\-CAcreateserial\fR
540 is given and the default serial number file does not exist,
542 .IP \fB\-CAcreateserial\fR 4
543 .IX Item "-CAcreateserial"
544 With this option and the \fB\-CA\fR option
545 the CA serial number file is created if it does not exist.
547 and saved into the serial number file determined as described above.
563 See \fBopenssl\-verification\-options\fR\|(1) for more information
568 .IP \fB\-trustout\fR 4
569 .IX Item "-trustout"
573 With the \fB\-trustout\fR option a trusted certificate is output. A trusted
575 .IP "\fB\-setalias\fR \fIarg\fR" 4
576 .IX Item "-setalias arg"
579 .IP \fB\-clrtrust\fR 4
580 .IX Item "-clrtrust"
582 .IP "\fB\-addtrust\fR \fIarg\fR" 4
583 .IX Item "-addtrust arg"
590 .IP \fB\-clrreject\fR 4
591 .IX Item "-clrreject"
593 .IP "\fB\-addreject\fR \fIarg\fR" 4
594 .IX Item "-addreject arg"
596 It accepts the same values as the \fB\-addtrust\fR option.
599 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
600 .IX Item "-rand files, -writerand file"
602 .IP "\fB\-engine\fR \fIid\fR" 4
603 .IX Item "-engine id"
606 .IP "\fB\-provider\fR \fIname\fR" 4
607 .IX Item "-provider name"
609 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
610 .IX Item "-provider-path path"
611 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
612 .IX Item "-provparam [name:]key=value"
613 .IP "\fB\-propquery\fR \fIpropq\fR" 4
614 .IX Item "-propquery propq"
674 The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
684 \& openssl x509 \-in cert.pem \-noout \-text
690 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
696 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
702 \& openssl x509 \-in cert.pem \-noout \-serial
708 \& openssl x509 \-in cert.pem \-noout \-subject
714 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
721 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
727 \& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
733 \& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
739 \& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
742 Convert a certificate request into a self-signed certificate using
746 \& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
747 \& \-key key.pem \-out cacert.pem
754 \& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
755 \& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
762 \& openssl x509 \-in cert.pem \-addtrust clientAuth \e
763 \& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
768 T61Strings use the ISO8859\-1 character set. This is wrong but Netscape
772 The \fB\-email\fR option searches the subject name and the subject alternative
786 \&\fBopenssl\-req\fR\|(1),
787 \&\fBopenssl\-ca\fR\|(1),
788 \&\fBopenssl\-genrsa\fR\|(1),
789 \&\fBopenssl\-gendsa\fR\|(1),
790 \&\fBopenssl\-verify\fR\|(1),
794 The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
798 form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
800 The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
803 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
805 The \fB\-C\fR option was removed in OpenSSL 3.0.
811 Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
814 this file except in compliance with the License. You can obtain a copy
815 in the file LICENSE in the source distribution or at