Lines Matching +full:csr +full:- +full:2 +full:l
18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31 . ds L" ""
37 . ds -- \|\(em\|
39 . ds L" ``
62 . tm Index:\\$1\t\\n%\t"\\$2"
64 . if !\nF==2 \{\
66 . nr F 2
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-X509 1ossl"
134 .TH OPENSSL-X509 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-x509 \- Certificate display and signing command
144 [\fB\-help\fR]
145 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
146 [\fB\-passin\fR \fIarg\fR]
147 [\fB\-new\fR]
148 [\fB\-x509toreq\fR]
149 [\fB\-req\fR]
150 [\fB\-copy_extensions\fR \fIarg\fR]
151 [\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
152 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
153 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
154 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
155 [\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
156 [\fB\-out\fR \fIfilename\fR]
157 [\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR]
158 [\fB\-nocert\fR]
159 [\fB\-noout\fR]
160 [\fB\-dateopt\fR]
161 [\fB\-text\fR]
162 [\fB\-certopt\fR \fIoption\fR]
163 [\fB\-fingerprint\fR]
164 [\fB\-alias\fR]
165 [\fB\-serial\fR]
166 [\fB\-startdate\fR]
167 [\fB\-enddate\fR]
168 [\fB\-dates\fR]
169 [\fB\-subject\fR]
170 [\fB\-issuer\fR]
171 [\fB\-nameopt\fR \fIoption\fR]
172 [\fB\-email\fR]
173 [\fB\-hash\fR]
174 [\fB\-subject_hash\fR]
175 [\fB\-subject_hash_old\fR]
176 [\fB\-issuer_hash\fR]
177 [\fB\-issuer_hash_old\fR]
178 [\fB\-ext\fR \fIextensions\fR]
179 [\fB\-ocspid\fR]
180 [\fB\-ocsp_uri\fR]
181 [\fB\-purpose\fR]
182 [\fB\-pubkey\fR]
183 [\fB\-modulus\fR]
184 [\fB\-checkend\fR \fInum\fR]
185 [\fB\-checkhost\fR \fIhost\fR]
186 [\fB\-checkemail\fR \fIhost\fR]
187 [\fB\-checkip\fR \fIipaddr\fR]
188 [\fB\-set_serial\fR \fIn\fR]
189 [\fB\-next_serial\fR]
190 [\fB\-days\fR \fIarg\fR]
191 [\fB\-preserve_dates\fR]
192 [\fB\-subj\fR \fIarg\fR]
193 [\fB\-force_pubkey\fR \fIfilename\fR]
194 [\fB\-clrext\fR]
195 [\fB\-extfile\fR \fIfilename\fR]
196 [\fB\-extensions\fR \fIsection\fR]
197 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
198 [\fB\-badsig\fR]
199 [\fB\-\f(BIdigest\fB\fR]
200 [\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
201 [\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
202 [\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
203 [\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
204 [\fB\-CAserial\fR \fIfilename\fR]
205 [\fB\-CAcreateserial\fR]
206 [\fB\-trustout\fR]
207 [\fB\-setalias\fR \fIarg\fR]
208 [\fB\-clrtrust\fR]
209 [\fB\-addtrust\fR \fIarg\fR]
210 [\fB\-clrreject\fR]
211 [\fB\-addreject\fR \fIarg\fR]
212 [\fB\-rand\fR \fIfiles\fR]
213 [\fB\-writerand\fR \fIfile\fR]
214 [\fB\-engine\fR \fIid\fR]
215 [\fB\-provider\fR \fIname\fR]
216 [\fB\-provider\-path\fR \fIpath\fR]
217 [\fB\-propquery\fR \fIpropq\fR]
220 This command is a multi-purposes certificate handling command.
224 and then self-signing them or signing them like a \*(L"micro \s-1CA\*(R".\s0
232 .IP "\fB\-help\fR" 4
233 .IX Item "-help"
235 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
236 .IX Item "-in filename|uri"
238 or the input file for reading a certificate request if the \fB\-req\fR flag is used.
241 This option cannot be combined with the \fB\-new\fR flag.
242 .IP "\fB\-passin\fR \fIarg\fR" 4
243 .IX Item "-passin arg"
246 see \fBopenssl\-passphrase\-options\fR\|(1).
247 .IP "\fB\-new\fR" 4
248 .IX Item "-new"
250 or certificate request. So the \fB\-in\fR option must not be used in this case.
251 Instead, the \fB\-subj\fR option needs to be given.
252 The public key to include can be given with the \fB\-force_pubkey\fR option
253 and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
254 which implies self-signature.
255 .IP "\fB\-x509toreq\fR" 4
256 .IX Item "-x509toreq"
258 The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
259 self-signing; the corresponding public key is placed in the subjectPKInfo field.
262 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
263 .IP "\fB\-req\fR" 4
264 .IX Item "-req"
267 which must be correctly self-signed.
270 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
271 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
272 .IX Item "-copy_extensions arg"
274 when converting from a certificate to a request using the \fB\-x509toreq\fR option
275 or converting from a request to a certificate using the \fB\-req\fR option.
281 The \fB\-ext\fR option can be used to further restrict which extensions to copy.
282 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
283 .IX Item "-inform DER|PEM"
285 See \fBopenssl\-format\-options\fR\|(1) for details.
286 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
287 .IX Item "-vfyopt nm:v"
289 Names and values of these options are algorithm-specific.
290 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
291 .IX Item "-key filename|uri"
294 Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
295 the new certificate or certificate request, resulting in a self-signature.
297 This option cannot be used in conjunction with the \fB\-CA\fR option.
299 It sets the issuer name to the subject name (i.e., makes it self-issued)
301 by \fB\-force_pubkey\fR).
302 Unless the \fB\-preserve_dates\fR option is supplied,
304 and the end date to a value determined by the \fB\-days\fR option.
305 .IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
306 .IX Item "-signkey filename|uri"
307 This option is an alias of \fB\-key\fR.
308 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
309 .IX Item "-keyform DER|PEM|P12|ENGINE"
311 See \fBopenssl\-format\-options\fR\|(1) for details.
312 .IP "\fB\-out\fR \fIfilename\fR" 4
313 .IX Item "-out filename"
315 .IP "\fB\-outform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
316 .IX Item "-outform DER|PEM"
317 The output format; the default is \fB\s-1PEM\s0\fR.
318 See \fBopenssl\-format\-options\fR\|(1) for details.
319 .IP "\fB\-nocert\fR" 4
320 .IX Item "-nocert"
322 .IP "\fB\-noout\fR" 4
323 .IX Item "-noout"
327 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
328 but are described in the \*(L"Trust Settings\*(R" section.
329 .IP "\fB\-dateopt\fR" 4
330 .IX Item "-dateopt"
333 .IP "\fB\-text\fR" 4
334 .IX Item "-text"
338 .IP "\fB\-certopt\fR \fIoption\fR" 4
339 .IX Item "-certopt option"
340 Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
342 The \fB\-certopt\fR switch may be also be used more than once to set multiple
343 options. See the \*(L"Text Printing Flags\*(R" section for more information.
344 .IP "\fB\-fingerprint\fR" 4
345 .IX Item "-fingerprint"
346 Calculates and prints the digest of the \s-1DER\s0 encoded version of the entire
348 This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
351 .IP "\fB\-alias\fR" 4
352 .IX Item "-alias"
353 Prints the certificate \*(L"alias\*(R" (nickname), if any.
354 .IP "\fB\-serial\fR" 4
355 .IX Item "-serial"
357 .IP "\fB\-startdate\fR" 4
358 .IX Item "-startdate"
360 .IP "\fB\-enddate\fR" 4
361 .IX Item "-enddate"
363 .IP "\fB\-dates\fR" 4
364 .IX Item "-dates"
366 .IP "\fB\-subject\fR" 4
367 .IX Item "-subject"
369 .IP "\fB\-issuer\fR" 4
370 .IX Item "-issuer"
372 .IP "\fB\-nameopt\fR \fIoption\fR" 4
373 .IX Item "-nameopt option"
375 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
376 .IP "\fB\-email\fR" 4
377 .IX Item "-email"
379 .IP "\fB\-hash\fR" 4
380 .IX Item "-hash"
381 Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
382 .IP "\fB\-subject_hash\fR" 4
383 .IX Item "-subject_hash"
384 Prints the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
387 .IP "\fB\-subject_hash_old\fR" 4
388 .IX Item "-subject_hash_old"
389 Prints the \*(L"hash\*(R" of the certificate subject name using the older algorithm
391 .IP "\fB\-issuer_hash\fR" 4
392 .IX Item "-issuer_hash"
393 Prints the \*(L"hash\*(R" of the certificate issuer name.
394 .IP "\fB\-issuer_hash_old\fR" 4
395 .IX Item "-issuer_hash_old"
396 Prints the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
398 .IP "\fB\-ext\fR \fIextensions\fR" 4
399 .IX Item "-ext extensions"
403 with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R".
405 .IP "\fB\-ocspid\fR" 4
406 .IX Item "-ocspid"
407 Prints the \s-1OCSP\s0 hash values for the subject name and public key.
408 .IP "\fB\-ocsp_uri\fR" 4
409 .IX Item "-ocsp_uri"
410 Prints the \s-1OCSP\s0 responder address(es) if any.
411 .IP "\fB\-purpose\fR" 4
412 .IX Item "-purpose"
415 \&\*(L"Certificate Extensions\*(R" in \fBopenssl\-verification\-options\fR\|(1).
416 .IP "\fB\-pubkey\fR" 4
417 .IX Item "-pubkey"
418 Prints the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
419 .IP "\fB\-modulus\fR" 4
420 .IX Item "-modulus"
425 .IP "\fB\-checkend\fR \fIarg\fR" 4
426 .IX Item "-checkend arg"
429 .IP "\fB\-checkhost\fR \fIhost\fR" 4
430 .IX Item "-checkhost host"
432 .IP "\fB\-checkemail\fR \fIemail\fR" 4
433 .IX Item "-checkemail email"
435 .IP "\fB\-checkip\fR \fIipaddr\fR" 4
436 .IX Item "-checkip ipaddr"
437 Check that the certificate matches the specified \s-1IP\s0 address.
440 .IP "\fB\-set_serial\fR \fIn\fR" 4
441 .IX Item "-set_serial n"
443 This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
444 If used in conjunction with the \fB\-CA\fR option
445 the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
448 .IP "\fB\-next_serial\fR" 4
449 .IX Item "-next_serial"
451 .IP "\fB\-days\fR \fIarg\fR" 4
452 .IX Item "-days arg"
455 Cannot be used together with the \fB\-preserve_dates\fR option.
456 .IP "\fB\-preserve_dates\fR" 4
457 .IX Item "-preserve_dates"
458 When signing a certificate, preserve \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates of any
460 Cannot be used together with the \fB\-days\fR option.
461 .IP "\fB\-subj\fR \fIarg\fR" 4
462 .IX Item "-subj arg"
464 When the certificate is self-signed the issuer name is set to the same value.
470 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
471 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
477 This option can be used in conjunction with the \fB\-force_pubkey\fR option
480 .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
481 .IX Item "-force_pubkey filename"
484 or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
486 This option is useful for creating self-issued certificates that are not
487 self-signed, for instance when the key cannot be used for signing, such as \s-1DH.\s0
488 It can also be used in conjunction with \fB\-new\fR and \fB\-subj\fR to directly
490 .IP "\fB\-clrext\fR" 4
491 .IX Item "-clrext"
496 the \fB\-clrext\fR option prevents taking over any extensions from the source.
499 .IP "\fB\-extfile\fR \fIfilename\fR" 4
500 .IX Item "-extfile filename"
502 .IP "\fB\-extensions\fR \fIsection\fR" 4
503 .IX Item "-extensions section"
508 \&\*(L"extensions\*(R" which contains the section to use.
511 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
512 .IX Item "-sigopt nm:v"
515 Names and values provided using this option are algorithm-specific.
516 .IP "\fB\-badsig\fR" 4
517 .IX Item "-badsig"
520 .IP "\fB\-\f(BIdigest\fB\fR" 4
521 .IX Item "-digest"
524 digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
525 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
526 If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
527 the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
528 .SS "Micro-CA Options"
529 .IX Subsection "Micro-CA Options"
530 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
531 .IX Item "-CA filename|uri"
532 Specifies the \*(L"\s-1CA\*(R"\s0 certificate to be used for signing.
533 When present, this behaves like a \*(L"micro \s-1CA\*(R"\s0 as follows:
534 The subject name of the \*(L"\s-1CA\*(R"\s0 certificate is placed as issuer name in the new
535 certificate, which is then signed using the \*(L"\s-1CA\*(R"\s0 key given as detailed below.
537 This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
538 This option is normally combined with the \fB\-req\fR option referencing a \s-1CSR.\s0
539 Without the \fB\-req\fR option the input must be an existing certificate
540 unless the \fB\-new\fR option is given, which generates a certificate from scratch.
541 .IP "\fB\-CAform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR," 4
542 .IX Item "-CAform DER|PEM|P12,"
543 The format for the \s-1CA\s0 certificate; unspecified by default.
544 See \fBopenssl\-format\-options\fR\|(1) for details.
545 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
546 .IX Item "-CAkey filename|uri"
547 Sets the \s-1CA\s0 private key to sign a certificate with.
548 The private key must match the public key of the certificate given with \fB\-CA\fR.
549 If this option is not provided then the key must be present in the \fB\-CA\fR input.
550 .IP "\fB\-CAkeyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
551 .IX Item "-CAkeyform DER|PEM|P12|ENGINE"
552 The format for the \s-1CA\s0 key; unspecified by default.
553 See \fBopenssl\-format\-options\fR\|(1) for details.
554 .IP "\fB\-CAserial\fR \fIfilename\fR" 4
555 .IX Item "-CAserial filename"
556 Sets the \s-1CA\s0 serial number file to use.
558 When creating a certificate with this option and with the \fB\-CA\fR option,
564 The default filename consists of the \s-1CA\s0 certificate file base name with
565 \&\fI.srl\fR appended. For example if the \s-1CA\s0 certificate file is called
569 If the \fB\-CA\fR option is specified and neither <\-CAserial> or <\-CAcreateserial>
572 .IP "\fB\-CAcreateserial\fR" 4
573 .IX Item "-CAcreateserial"
574 With this option and the \fB\-CA\fR option
575 the \s-1CA\s0 serial number file is created if it does not exist.
582 and prohibited uses of the certificate and possibly an \*(L"alias\*(R" (nickname).
585 must be \*(L"trusted\*(R". By default a trusted certificate must be stored
586 locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
589 Trust settings currently are only used with a root \s-1CA.\s0
590 They allow a finer control over the purposes the root \s-1CA\s0 can be used for.
591 For example, a \s-1CA\s0 may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
593 See \fBopenssl\-verification\-options\fR\|(1) for more information
598 .IP "\fB\-trustout\fR" 4
599 .IX Item "-trustout"
600 Mark any certificate \s-1PEM\s0 output as <trusted> certificate rather than ordinary.
603 With the \fB\-trustout\fR option a trusted certificate is output. A trusted
605 .IP "\fB\-setalias\fR \fIarg\fR" 4
606 .IX Item "-setalias arg"
607 Sets the \*(L"alias\*(R" of the certificate. This will allow the certificate
608 to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
609 .IP "\fB\-clrtrust\fR" 4
610 .IX Item "-clrtrust"
612 .IP "\fB\-addtrust\fR \fIarg\fR" 4
613 .IX Item "-addtrust arg"
620 .IP "\fB\-clrreject\fR" 4
621 .IX Item "-clrreject"
623 .IP "\fB\-addreject\fR \fIarg\fR" 4
624 .IX Item "-addreject arg"
626 It accepts the same values as the \fB\-addtrust\fR option.
629 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
630 .IX Item "-rand files, -writerand file"
631 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
632 .IP "\fB\-engine\fR \fIid\fR" 4
633 .IX Item "-engine id"
634 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
636 .IP "\fB\-provider\fR \fIname\fR" 4
637 .IX Item "-provider name"
639 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
640 .IX Item "-provider-path path"
641 .IP "\fB\-propquery\fR \fIpropq\fR" 4
642 .IX Item "-propquery propq"
644 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
655 Don't print header information: that is the lines saying \*(L"Certificate\*(R"
656 and \*(L"Data\*(R".
696 \&\s-1ASN1\s0 parse unsupported extensions.
702 The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
712 \& openssl x509 \-in cert.pem \-noout \-text
715 Print the \*(L"Subject Alternative Name\*(R" extension of a certificate:
718 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
724 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
730 \& openssl x509 \-in cert.pem \-noout \-serial
736 \& openssl x509 \-in cert.pem \-noout \-subject
739 Print the certificate subject name in \s-1RFC2253\s0 form:
742 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
746 supporting \s-1UTF8:\s0
749 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
752 Print the certificate \s-1SHA1\s0 fingerprint:
755 \& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
758 Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
761 \& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
767 \& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
770 Convert a certificate request into a self-signed certificate using
771 extensions for a \s-1CA:\s0
773 .Vb 2
774 \& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
775 \& \-key key.pem \-out cacert.pem
778 Sign a certificate request using the \s-1CA\s0 certificate above and add user
781 .Vb 2
782 \& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
783 \& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
786 Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
787 \&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
789 .Vb 2
790 \& openssl x509 \-in cert.pem \-addtrust clientAuth \e
791 \& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
795 The conversion to \s-1UTF8\s0 format used with the name options assumes that
796 T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
797 and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
800 The \fB\-email\fR option searches the subject name and the subject alternative
814 \&\fBopenssl\-req\fR\|(1),
815 \&\fBopenssl\-ca\fR\|(1),
816 \&\fBopenssl\-genrsa\fR\|(1),
817 \&\fBopenssl\-gendsa\fR\|(1),
818 \&\fBopenssl\-verify\fR\|(1),
822 The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
823 before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
825 version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using the old
826 form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
828 The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
831 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
833 The \fB\-C\fR option was removed in OpenSSL 3.0.
836 Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
838 Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
840 in the file \s-1LICENSE\s0 in the source distribution or at