Lines Matching +full:1 +full:- +full:of +full:- +full:4

18 .\" Set up some character translations and predefined strings.  \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
62 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-X509 1ossl"
134 .TH OPENSSL-X509 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-x509 \- Certificate display and signing command
144 [\fB\-help\fR]
145 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
146 [\fB\-passin\fR \fIarg\fR]
147 [\fB\-new\fR]
148 [\fB\-x509toreq\fR]
149 [\fB\-req\fR]
150 [\fB\-copy_extensions\fR \fIarg\fR]
151 [\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
152 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
153 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
154 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
155 [\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
156 [\fB\-out\fR \fIfilename\fR]
157 [\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
158 [\fB\-nocert\fR]
159 [\fB\-noout\fR]
160 [\fB\-dateopt\fR]
161 [\fB\-text\fR]
162 [\fB\-certopt\fR \fIoption\fR]
163 [\fB\-fingerprint\fR]
164 [\fB\-alias\fR]
165 [\fB\-serial\fR]
166 [\fB\-startdate\fR]
167 [\fB\-enddate\fR]
168 [\fB\-dates\fR]
169 [\fB\-subject\fR]
170 [\fB\-issuer\fR]
171 [\fB\-nameopt\fR \fIoption\fR]
172 [\fB\-email\fR]
173 [\fB\-hash\fR]
174 [\fB\-subject_hash\fR]
175 [\fB\-subject_hash_old\fR]
176 [\fB\-issuer_hash\fR]
177 [\fB\-issuer_hash_old\fR]
178 [\fB\-ext\fR \fIextensions\fR]
179 [\fB\-ocspid\fR]
180 [\fB\-ocsp_uri\fR]
181 [\fB\-purpose\fR]
182 [\fB\-pubkey\fR]
183 [\fB\-modulus\fR]
184 [\fB\-checkend\fR \fInum\fR]
185 [\fB\-checkhost\fR \fIhost\fR]
186 [\fB\-checkemail\fR \fIhost\fR]
187 [\fB\-checkip\fR \fIipaddr\fR]
188 [\fB\-set_serial\fR \fIn\fR]
189 [\fB\-next_serial\fR]
190 [\fB\-days\fR \fIarg\fR]
191 [\fB\-preserve_dates\fR]
192 [\fB\-subj\fR \fIarg\fR]
193 [\fB\-force_pubkey\fR \fIfilename\fR]
194 [\fB\-clrext\fR]
195 [\fB\-extfile\fR \fIfilename\fR]
196 [\fB\-extensions\fR \fIsection\fR]
197 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
198 [\fB\-badsig\fR]
199 [\fB\-\f(BIdigest\fB\fR]
200 [\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
201 [\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
202 [\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
203 [\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
204 [\fB\-CAserial\fR \fIfilename\fR]
205 [\fB\-CAcreateserial\fR]
206 [\fB\-trustout\fR]
207 [\fB\-setalias\fR \fIarg\fR]
208 [\fB\-clrtrust\fR]
209 [\fB\-addtrust\fR \fIarg\fR]
210 [\fB\-clrreject\fR]
211 [\fB\-addreject\fR \fIarg\fR]
212 [\fB\-rand\fR \fIfiles\fR]
213 [\fB\-writerand\fR \fIfile\fR]
214 [\fB\-engine\fR \fIid\fR]
215 [\fB\-provider\fR \fIname\fR]
216 [\fB\-provider\-path\fR \fIpath\fR]
217 [\fB\-propquery\fR \fIpropq\fR]
220 This command is a multi-purpose certificate handling command.
224 and then self-signing them or signing them like a \*(L"micro \s-1CA\*(R".\s0
226 Since there are a large number of options they are split up into
232 .IP "\fB\-help\fR" 4
233 .IX Item "-help"
235 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
236 .IX Item "-in filename|uri"
238 or the input file for reading a certificate request if the \fB\-req\fR flag is used.
241 This option cannot be combined with the \fB\-new\fR flag.
242 .IP "\fB\-passin\fR \fIarg\fR" 4
243 .IX Item "-passin arg"
245 For more information about the format of \fIarg\fR
246 see \fBopenssl\-passphrase\-options\fR\|(1).
247 .IP "\fB\-new\fR" 4
248 .IX Item "-new"
250 or certificate request. So the \fB\-in\fR option must not be used in this case.
251 Instead, the \fB\-subj\fR option needs to be given.
252 The public key to include can be given with the \fB\-force_pubkey\fR option
253 and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
254 which implies self-signature.
255 .IP "\fB\-x509toreq\fR" 4
256 .IX Item "-x509toreq"
258 The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
259 self-signing; the corresponding public key is placed in the subjectPKInfo field.
262 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
263 .IP "\fB\-req\fR" 4
264 .IX Item "-req"
267 which must be correctly self-signed.
270 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
271 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
272 .IX Item "-copy_extensions arg"
274 when converting from a certificate to a request using the \fB\-x509toreq\fR option
275 or converting from a request to a certificate using the \fB\-req\fR option.
281 The \fB\-ext\fR option can be used to further restrict which extensions to copy.
282 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
283 .IX Item "-inform DER|PEM"
285 See \fBopenssl\-format\-options\fR\|(1) for details.
286 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
287 .IX Item "-vfyopt nm:v"
289 Names and values of these options are algorithm-specific.
290 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
291 .IX Item "-key filename|uri"
294 Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
295 the new certificate or certificate request, resulting in a self-signature.
297 This option cannot be used in conjunction with the \fB\-CA\fR option.
299 It sets the issuer name to the subject name (i.e., makes it self-issued)
301 by \fB\-force_pubkey\fR).
302 Unless the \fB\-preserve_dates\fR option is supplied,
304 and the end date to a value determined by the \fB\-days\fR option.
305 .IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
306 .IX Item "-signkey filename|uri"
307 This option is an alias of \fB\-key\fR.
308 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
309 .IX Item "-keyform DER|PEM|P12|ENGINE"
311 See \fBopenssl\-format\-options\fR\|(1) for details.
312 .IP "\fB\-out\fR \fIfilename\fR" 4
313 .IX Item "-out filename"
315 .IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
316 .IX Item "-outform DER|PEM"
317 The output format; the default is \fB\s-1PEM\s0\fR.
318 See \fBopenssl\-format\-options\fR\|(1) for details.
319 .IP "\fB\-nocert\fR" 4
320 .IX Item "-nocert"
322 .IP "\fB\-noout\fR" 4
323 .IX Item "-noout"
327 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
329 .IP "\fB\-dateopt\fR" 4
330 .IX Item "-dateopt"
333 .IP "\fB\-text\fR" 4
334 .IX Item "-text"
338 .IP "\fB\-certopt\fR \fIoption\fR" 4
339 .IX Item "-certopt option"
340 Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
342 The \fB\-certopt\fR switch may also be used more than once to set multiple
344 .IP "\fB\-fingerprint\fR" 4
345 .IX Item "-fingerprint"
346 Calculates and prints the digest of the \s-1DER\s0 encoded version of the entire
348 This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
349 digests, the fingerprint of a certificate is unique to that certificate and
351 .IP "\fB\-alias\fR" 4
352 .IX Item "-alias"
354 .IP "\fB\-serial\fR" 4
355 .IX Item "-serial"
357 .IP "\fB\-startdate\fR" 4
358 .IX Item "-startdate"
359 Prints out the start date of the certificate, that is the notBefore date.
360 .IP "\fB\-enddate\fR" 4
361 .IX Item "-enddate"
362 Prints out the expiry date of the certificate, that is the notAfter date.
363 .IP "\fB\-dates\fR" 4
364 .IX Item "-dates"
365 Prints out the start and expiry dates of a certificate.
366 .IP "\fB\-subject\fR" 4
367 .IX Item "-subject"
369 .IP "\fB\-issuer\fR" 4
370 .IX Item "-issuer"
372 .IP "\fB\-nameopt\fR \fIoption\fR" 4
373 .IX Item "-nameopt option"
375 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
376 .IP "\fB\-email\fR" 4
377 .IX Item "-email"
379 .IP "\fB\-hash\fR" 4
380 .IX Item "-hash"
381 Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
382 .IP "\fB\-subject_hash\fR" 4
383 .IX Item "-subject_hash"
384 Prints the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
387 .IP "\fB\-subject_hash_old\fR" 4
388 .IX Item "-subject_hash_old"
389 Prints the \*(L"hash\*(R" of the certificate subject name using the older algorithm
391 .IP "\fB\-issuer_hash\fR" 4
392 .IX Item "-issuer_hash"
393 Prints the \*(L"hash\*(R" of the certificate issuer name.
394 .IP "\fB\-issuer_hash_old\fR" 4
395 .IX Item "-issuer_hash_old"
396 Prints the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
398 .IP "\fB\-ext\fR \fIextensions\fR" 4
399 .IX Item "-ext extensions"
405 .IP "\fB\-ocspid\fR" 4
406 .IX Item "-ocspid"
407 Prints the \s-1OCSP\s0 hash values for the subject name and public key.
408 .IP "\fB\-ocsp_uri\fR" 4
409 .IX Item "-ocsp_uri"
410 Prints the \s-1OCSP\s0 responder address(es) if any.
411 .IP "\fB\-purpose\fR" 4
412 .IX Item "-purpose"
415 \&\*(L"Certificate Extensions\*(R" in \fBopenssl\-verification\-options\fR\|(1).
416 .IP "\fB\-pubkey\fR" 4
417 .IX Item "-pubkey"
418 Prints the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
419 .IP "\fB\-modulus\fR" 4
420 .IX Item "-modulus"
421 This option prints out the value of the modulus of the public key
425 .IP "\fB\-checkend\fR \fIarg\fR" 4
426 .IX Item "-checkend arg"
429 .IP "\fB\-checkhost\fR \fIhost\fR" 4
430 .IX Item "-checkhost host"
432 .IP "\fB\-checkemail\fR \fIemail\fR" 4
433 .IX Item "-checkemail email"
435 .IP "\fB\-checkip\fR \fIipaddr\fR" 4
436 .IX Item "-checkip ipaddr"
437 Check that the certificate matches the specified \s-1IP\s0 address.
440 .IP "\fB\-set_serial\fR \fIn\fR" 4
441 .IX Item "-set_serial n"
443 This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
444 If used in conjunction with the \fB\-CA\fR option
445 the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
448 .IP "\fB\-next_serial\fR" 4
449 .IX Item "-next_serial"
451 .IP "\fB\-days\fR \fIarg\fR" 4
452 .IX Item "-days arg"
453 Specifies the number of days until a newly generated certificate expires.
455 Cannot be used together with the \fB\-preserve_dates\fR option.
456 .IP "\fB\-preserve_dates\fR" 4
457 .IX Item "-preserve_dates"
458 When signing a certificate, preserve \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates of any
459 input certificate instead of adjusting them to current time and duration.
460 Cannot be used together with the \fB\-days\fR option.
461 .IP "\fB\-subj\fR \fIarg\fR" 4
462 .IX Item "-subj arg"
464 When the certificate is self-signed the issuer name is set to the same value.
470 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
471 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
472 between the AttributeValueAssertions (AVAs) that specify the members of the set.
477 This option can be used in conjunction with the \fB\-force_pubkey\fR option
480 .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
481 .IX Item "-force_pubkey filename"
483 instead of the key contained in the input
484 or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
486 This option is useful for creating self-issued certificates that are not
487 self-signed, for instance when the key cannot be used for signing, such as \s-1DH.\s0
488 It can also be used in conjunction with \fB\-new\fR and \fB\-subj\fR to directly
490 .IP "\fB\-clrext\fR" 4
491 .IX Item "-clrext"
496 the \fB\-clrext\fR option prevents taking over any extensions from the source.
499 .IP "\fB\-extfile\fR \fIfilename\fR" 4
500 .IX Item "-extfile filename"
502 .IP "\fB\-extensions\fR \fIsection\fR" 4
503 .IX Item "-extensions section"
509 See the \fBx509v3_config\fR\|(5) manual page for details of the
511 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
512 .IX Item "-sigopt nm:v"
515 Names and values provided using this option are algorithm-specific.
516 .IP "\fB\-badsig\fR" 4
517 .IX Item "-badsig"
520 .IP "\fB\-\f(BIdigest\fB\fR" 4
521 .IX Item "-digest"
524 digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
525 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
526 If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
527 the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
528 .SS "Micro-CA Options"
529 .IX Subsection "Micro-CA Options"
530 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
531 .IX Item "-CA filename|uri"
532 Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing.
533 When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
534 The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
535 certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as detailed below.
537 This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
538 This option is normally combined with the \fB\-req\fR option referencing a \s-1CSR.\s0
539 Without the \fB\-req\fR option the input must be an existing certificate
540 unless the \fB\-new\fR option is given, which generates a certificate from scratch.
541 .IP "\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR," 4
542 .IX Item "-CAform DER|PEM|P12,"
543 The format for the \s-1CA\s0 certificate; unspecified by default.
544 See \fBopenssl\-format\-options\fR\|(1) for details.
545 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
546 .IX Item "-CAkey filename|uri"
547 Sets the \s-1CA\s0 private key to sign a certificate with.
548 The private key must match the public key of the certificate given with \fB\-CA\fR.
549 If this option is not provided then the key must be present in the \fB\-CA\fR input.
550 .IP "\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
551 .IX Item "-CAkeyform DER|PEM|P12|ENGINE"
552 The format for the \s-1CA\s0 key; unspecified by default.
553 See \fBopenssl\-format\-options\fR\|(1) for details.
554 .IP "\fB\-CAserial\fR \fIfilename\fR" 4
555 .IX Item "-CAserial filename"
556 Sets the \s-1CA\s0 serial number file to use.
558 When creating a certificate with this option and with the \fB\-CA\fR option,
560 This file consists of one line containing
561 an even number of hex digits with the serial number used last time.
564 The default filename consists of the \s-1CA\s0 certificate file base name with
565 \&\fI.srl\fR appended. For example if the \s-1CA\s0 certificate file is called
569 If the \fB\-CA\fR option is specified and neither \fB\-CAserial\fR nor \fB\-CAcreateserial\fR
572 .IP "\fB\-CAcreateserial\fR" 4
573 .IX Item "-CAcreateserial"
574 With this option and the \fB\-CA\fR option
575 the \s-1CA\s0 serial number file is created if it does not exist.
581 additional pieces of information attached to it such as the permitted
582 and prohibited uses of the certificate and possibly an \*(L"alias\*(R" (nickname).
586 locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
589 Trust settings currently are only used with a root \s-1CA.\s0
590 They allow a finer control over the purposes the root \s-1CA\s0 can be used for.
591 For example, a \s-1CA\s0 may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
593 See \fBopenssl\-verification\-options\fR\|(1) for more information
594 on the meaning of trust settings.
596 Future versions of OpenSSL will recognize trust settings on any
598 .IP "\fB\-trustout\fR" 4
599 .IX Item "-trustout"
600 Mark any certificate \s-1PEM\s0 output as <trusted> certificate rather than ordinary.
603 With the \fB\-trustout\fR option a trusted certificate is output. A trusted
605 .IP "\fB\-setalias\fR \fIarg\fR" 4
606 .IX Item "-setalias arg"
607 Sets the \*(L"alias\*(R" of the certificate. This will allow the certificate
609 .IP "\fB\-clrtrust\fR" 4
610 .IX Item "-clrtrust"
611 Clears all the permitted or trusted uses of the certificate.
612 .IP "\fB\-addtrust\fR \fIarg\fR" 4
613 .IX Item "-addtrust arg"
617 As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
620 .IP "\fB\-clrreject\fR" 4
621 .IX Item "-clrreject"
622 Clears all the prohibited or rejected uses of the certificate.
623 .IP "\fB\-addreject\fR \fIarg\fR" 4
624 .IX Item "-addreject arg"
626 It accepts the same values as the \fB\-addtrust\fR option.
629 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
630 .IX Item "-rand files, -writerand file"
631 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
632 .IP "\fB\-engine\fR \fIid\fR" 4
633 .IX Item "-engine id"
634 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
636 .IP "\fB\-provider\fR \fIname\fR" 4
637 .IX Item "-provider name"
639 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
640 .IX Item "-provider-path path"
641 .IP "\fB\-propquery\fR \fIpropq\fR" 4
642 .IX Item "-propquery propq"
644 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
650 .IP "\fBcompatible\fR" 4
653 .IP "\fBno_header\fR" 4
657 .IP "\fBno_version\fR" 4
660 .IP "\fBno_serial\fR" 4
663 .IP "\fBno_signame\fR" 4
666 .IP "\fBno_validity\fR" 4
669 .IP "\fBno_subject\fR" 4
672 .IP "\fBno_issuer\fR" 4
675 .IP "\fBno_pubkey\fR" 4
678 .IP "\fBno_sigdump\fR" 4
680 Don't give a hexadecimal dump of the certificate signature.
681 .IP "\fBno_aux\fR" 4
684 .IP "\fBno_extensions\fR" 4
687 .IP "\fBext_default\fR" 4
691 .IP "\fBext_error\fR" 4
694 .IP "\fBext_parse\fR" 4
696 \&\s-1ASN1\s0 parse unsupported extensions.
697 .IP "\fBext_dump\fR" 4
700 .IP "\fBca_default\fR" 4
702 The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
709 Print the contents of a certificate:
711 .Vb 1
712 \& openssl x509 \-in cert.pem \-noout \-text
715 Print the \*(L"Subject Alternative Name\*(R" extension of a certificate:
717 .Vb 1
718 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
721 Print more extensions of a certificate:
723 .Vb 1
724 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
729 .Vb 1
730 \& openssl x509 \-in cert.pem \-noout \-serial
735 .Vb 1
736 \& openssl x509 \-in cert.pem \-noout \-subject
739 Print the certificate subject name in \s-1RFC2253\s0 form:
741 .Vb 1
742 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
746 supporting \s-1UTF8:\s0
748 .Vb 1
749 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
752 Print the certificate \s-1SHA1\s0 fingerprint:
754 .Vb 1
755 \& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
758 Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
760 .Vb 1
761 \& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
766 .Vb 1
767 \& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
770 Convert a certificate request into a self-signed certificate using
771 extensions for a \s-1CA:\s0
774 \& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
775 \& \-key key.pem \-out cacert.pem
778 Sign a certificate request using the \s-1CA\s0 certificate above and add user
782 \& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
783 \& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
786 Set a certificate to be trusted for \s-1SSL\s0 client use and set its alias to
787 \&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
790 \& openssl x509 \-in cert.pem \-addtrust clientAuth \e
791 \& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
795 The conversion to \s-1UTF8\s0 format used with the name options assumes that
796 T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
797 and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
798 it is more likely to print the majority of certificates correctly.
800 The \fB\-email\fR option searches the subject name and the subject alternative
813 \&\fBopenssl\fR\|(1),
814 \&\fBopenssl\-req\fR\|(1),
815 \&\fBopenssl\-ca\fR\|(1),
816 \&\fBopenssl\-genrsa\fR\|(1),
817 \&\fBopenssl\-gendsa\fR\|(1),
818 \&\fBopenssl\-verify\fR\|(1),
822 The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
823 before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
825 version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using the old
826 form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
828 The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
831 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
833 The \fB\-C\fR option was removed in OpenSSL 3.0.
836 Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
840 in the file \s-1LICENSE\s0 in the source distribution or at