Lines Matching +full:4 +full:a
58 .TH OPENSSL-X509 1ossl 2025-09-30 3.5.4 OpenSSL
149 This command is a multi-purpose certificate handling command.
153 and then self-signing them or signing them like a "micro CA".
159 Since there are a large number of options they are split up into
165 .IP \fB\-help\fR 4
167 Print out a usage message.
168 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
170 This specifies the input to read a certificate from
171 or the input file for reading a certificate request if the \fB\-req\fR flag is used.
175 .IP "\fB\-passin\fR \fIarg\fR" 4
180 .IP \fB\-new\fR 4
182 Generate a certificate from scratch, not using an input certificate
189 .IP \fB\-x509toreq\fR 4
191 Output a PKCS#10 certificate request (rather than a certificate).
195 X.509 extensions included in a certificate input are not copied by default.
197 .IP \fB\-req\fR 4
199 By default a certificate is expected on input.
200 With this option a PKCS#10 certificate request is expected instead,
205 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
208 when converting from a certificate to a request using the \fB\-x509toreq\fR option
209 or converting from a request to a certificate using the \fB\-req\fR option.
213 are not taken over when producing a certificate request.
216 .IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR" 4
220 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
224 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
226 This option provides the private key for signing a new certificate or
229 the new certificate or certificate request, resulting in a self-signature.
236 and the end date to a value determined by the \fB\-days\fR option.
239 .IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
242 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
246 .IP "\fB\-out\fR \fIfilename\fR" 4
249 .IP "\fB\-outform\fR \fBDER\fR|\fBPEM\fR" 4
253 .IP \fB\-nocert\fR 4
255 Do not output a certificate (except for printing as requested by below options).
256 .IP \fB\-noout\fR 4
263 .IP \fB\-dateopt\fR 4
267 .IP \fB\-text\fR 4
272 .IP "\fB\-certopt\fR \fIoption\fR" 4
275 can be a single option or multiple options separated by commas.
278 .IP \fB\-fingerprint\fR 4
282 This is commonly called a "fingerprint". Because of the nature of message
283 digests, the fingerprint of a certificate is unique to that certificate and
285 .IP \fB\-alias\fR 4
288 .IP \fB\-serial\fR 4
291 .IP \fB\-startdate\fR 4
294 .IP \fB\-enddate\fR 4
297 .IP \fB\-dates\fR 4
299 Prints out the start and expiry dates of a certificate.
300 .IP \fB\-subject\fR 4
303 .IP \fB\-issuer\fR 4
306 .IP "\fB\-nameopt\fR \fIoption\fR" 4
310 .IP \fB\-email\fR 4
313 .IP \fB\-hash\fR 4
316 .IP \fB\-subject_hash\fR 4
319 form an index to allow certificates in a directory to be looked up by subject
321 .IP \fB\-subject_hash_old\fR 4
325 .IP \fB\-issuer_hash\fR 4
328 .IP \fB\-issuer_hash_old\fR 4
332 .IP "\fB\-ext\fR \fIextensions\fR" 4
337 with a comma separated string, e.g., "subjectAltName, subjectKeyIdentifier".
339 .IP \fB\-ocspid\fR 4
342 .IP \fB\-ocsp_uri\fR 4
345 .IP \fB\-purpose\fR 4
348 the results. For a more complete description see
350 .IP \fB\-pubkey\fR 4
353 .IP \fB\-modulus\fR 4
359 .IP "\fB\-checkend\fR \fIarg\fR" 4
363 .IP "\fB\-checkhost\fR \fIhost\fR" 4
366 .IP "\fB\-checkemail\fR \fIemail\fR" 4
369 .IP "\fB\-checkip\fR \fIipaddr\fR" 4
374 .IP "\fB\-set_serial\fR \fIn\fR" 4
382 .IP \fB\-next_serial\fR 4
385 .IP "\fB\-not_before\fR \fIdate\fR" 4
394 .IP "\fB\-not_after\fR \fIdate\fR" 4
404 .IP "\fB\-days\fR \fIarg\fR" 4
406 Specifies the number of days from today until a newly generated certificate expires.
411 .IP \fB\-preserve_dates\fR 4
413 When signing a certificate, preserve "notBefore" and "notAfter" dates of any
416 .IP "\fB\-set_issuer\fR \fIarg\fR" 4
418 When a certificate is created set its issuer name to the given value.
421 .IP "\fB\-set_subject\fR \fIarg\fR" 4
423 When a certificate is created set its subject name to the given value.
431 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
432 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
439 a new certificate without providing an input certificate or certificate request.
440 .IP "\fB\-subj\fR \fIarg\fR" 4
443 .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
445 When a new certificate or certificate request is created
449 If the input contains no public key but a private key, its public part is used.
452 to directly generate a certificate containing any desired public key.
456 .IP \fB\-clrext\fR 4
458 When transforming a certificate to a new certificate
461 When transforming a certificate or certificate request,
463 In any case, when producing a certificate request,
465 .IP "\fB\-extfile\fR \fIfilename\fR" 4
468 .IP "\fB\-extensions\fR \fIsection\fR" 4
473 (default) section or the default section should contain a variable called
481 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
486 .IP \fB\-badsig\fR 4
490 .IP \fB\-\fR\f(BIdigest\fR 4
493 This affects any signing or printing option that uses a message
500 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
503 When present, this behaves like a "micro CA" as follows:
508 This option is normally combined with the \fB\-req\fR option referencing a CSR.
510 unless the \fB\-new\fR option is given, which generates a certificate from scratch.
511 .IP "\fB\-CAform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR," 4
515 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
517 Sets the CA private key to sign a certificate with.
520 .IP "\fB\-CAkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
524 .IP "\fB\-CAserial\fR \fIfilename\fR" 4
528 When creating a certificate with this option and with the \fB\-CA\fR option,
536 \&\fImycacert.pem\fR it expects to find a serial number file called
541 a random number is generated; this is the recommended practice.
542 .IP \fB\-CAcreateserial\fR 4
546 A random number is generated, used for the certificate,
550 A \fBtrusted certificate\fR is an ordinary certificate which has several
554 Normally when a certificate is being verified at least one certificate
555 must be "trusted". By default a trusted certificate must be stored
556 locally and must be a root CA: any certificate chain ending in this CA
559 Trust settings currently are only used with a root CA.
560 They allow a finer control over the purposes the root CA can be used for.
561 For example, a CA may be trusted for SSL client but not SSL server use.
568 .IP \fB\-trustout\fR 4
573 With the \fB\-trustout\fR option a trusted certificate is output. A trusted
575 .IP "\fB\-setalias\fR \fIarg\fR" 4
578 to be referred to using a nickname for example "Steve's Certificate".
579 .IP \fB\-clrtrust\fR 4
582 .IP "\fB\-addtrust\fR \fIarg\fR" 4
584 Adds a trusted certificate use.
590 .IP \fB\-clrreject\fR 4
593 .IP "\fB\-addreject\fR \fIarg\fR" 4
595 Adds a prohibited trust anchor purpose.
599 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
602 .IP "\fB\-engine\fR \fIid\fR" 4
606 .IP "\fB\-provider\fR \fIname\fR" 4
609 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
611 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
613 .IP "\fB\-propquery\fR \fIpropq\fR" 4
622 .IP \fBcompatible\fR 4
625 .IP \fBno_header\fR 4
629 .IP \fBno_version\fR 4
632 .IP \fBno_serial\fR 4
635 .IP \fBno_signame\fR 4
638 .IP \fBno_validity\fR 4
641 .IP \fBno_subject\fR 4
644 .IP \fBno_issuer\fR 4
647 .IP \fBno_pubkey\fR 4
650 .IP \fBno_sigdump\fR 4
652 Don't give a hexadecimal dump of the certificate signature.
653 .IP \fBno_aux\fR 4
656 .IP \fBno_extensions\fR 4
659 .IP \fBext_default\fR 4
663 .IP \fBext_error\fR 4
666 .IP \fBext_parse\fR 4
669 .IP \fBext_dump\fR 4
672 .IP \fBca_default\fR 4
681 Print the contents of a certificate:
687 Print the "Subject Alternative Name" extension of a certificate:
693 Print more extensions of a certificate:
717 Print the certificate subject name in oneline form on a terminal
730 Convert a certificate from PEM to DER format:
736 Convert a certificate to a certificate request:
742 Convert a certificate request into a self-signed certificate using
743 extensions for a CA:
750 Sign a certificate request using the CA certificate above and add user
758 Set a certificate to be trusted for SSL client use and set its alias to
796 of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical
814 this file except in compliance with the License. You can obtain a copy