Lines Matching +full:serial +full:- +full:number
1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-X509 1ossl"
58 .TH OPENSSL-X509 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-x509 \- Certificate display and signing command
68 [\fB\-help\fR]
69 [\fB\-in\fR \fIfilename\fR|\fIuri\fR]
70 [\fB\-passin\fR \fIarg\fR]
71 [\fB\-new\fR]
72 [\fB\-x509toreq\fR]
73 [\fB\-req\fR]
74 [\fB\-copy_extensions\fR \fIarg\fR]
75 [\fB\-inform\fR \fBDER\fR|\fBPEM\fR]
76 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
77 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
78 [\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
79 [\fB\-signkey\fR \fIfilename\fR|\fIuri\fR]
80 [\fB\-out\fR \fIfilename\fR]
81 [\fB\-outform\fR \fBDER\fR|\fBPEM\fR]
82 [\fB\-nocert\fR]
83 [\fB\-noout\fR]
84 [\fB\-dateopt\fR]
85 [\fB\-text\fR]
86 [\fB\-certopt\fR \fIoption\fR]
87 [\fB\-fingerprint\fR]
88 [\fB\-alias\fR]
89 [\fB\-serial\fR]
90 [\fB\-startdate\fR]
91 [\fB\-enddate\fR]
92 [\fB\-dates\fR]
93 [\fB\-subject\fR]
94 [\fB\-issuer\fR]
95 [\fB\-nameopt\fR \fIoption\fR]
96 [\fB\-email\fR]
97 [\fB\-hash\fR]
98 [\fB\-subject_hash\fR]
99 [\fB\-subject_hash_old\fR]
100 [\fB\-issuer_hash\fR]
101 [\fB\-issuer_hash_old\fR]
102 [\fB\-ext\fR \fIextensions\fR]
103 [\fB\-ocspid\fR]
104 [\fB\-ocsp_uri\fR]
105 [\fB\-purpose\fR]
106 [\fB\-pubkey\fR]
107 [\fB\-modulus\fR]
108 [\fB\-checkend\fR \fInum\fR]
109 [\fB\-checkhost\fR \fIhost\fR]
110 [\fB\-checkemail\fR \fIemail\fR]
111 [\fB\-checkip\fR \fIipaddr\fR]
112 [\fB\-set_serial\fR \fIn\fR]
113 [\fB\-next_serial\fR]
114 [\fB\-not_before\fR \fIdate\fR]
115 [\fB\-not_after\fR \fIdate\fR]
116 [\fB\-days\fR \fIarg\fR]
117 [\fB\-preserve_dates\fR]
118 [\fB\-set_issuer\fR \fIarg\fR]
119 [\fB\-set_subject\fR \fIarg\fR]
120 [\fB\-subj\fR \fIarg\fR]
121 [\fB\-force_pubkey\fR \fIfilename\fR]
122 [\fB\-clrext\fR]
123 [\fB\-extfile\fR \fIfilename\fR]
124 [\fB\-extensions\fR \fIsection\fR]
125 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
126 [\fB\-badsig\fR]
127 [\fB\-\fR\f(BIdigest\fR]
128 [\fB\-CA\fR \fIfilename\fR|\fIuri\fR]
129 [\fB\-CAform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR]
130 [\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR]
131 [\fB\-CAkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR]
132 [\fB\-CAserial\fR \fIfilename\fR]
133 [\fB\-CAcreateserial\fR]
134 [\fB\-trustout\fR]
135 [\fB\-setalias\fR \fIarg\fR]
136 [\fB\-clrtrust\fR]
137 [\fB\-addtrust\fR \fIarg\fR]
138 [\fB\-clrreject\fR]
139 [\fB\-addreject\fR \fIarg\fR]
140 [\fB\-rand\fR \fIfiles\fR]
141 [\fB\-writerand\fR \fIfile\fR]
142 [\fB\-engine\fR \fIid\fR]
143 [\fB\-provider\fR \fIname\fR]
144 [\fB\-provider\-path\fR \fIpath\fR]
145 [\fB\-provparam\fR \fI[name:]key=value\fR]
146 [\fB\-propquery\fR \fIpropq\fR]
149 This command is a multi-purpose certificate handling command.
153 and then self-signing them or signing them like a "micro CA".
159 Since there are a large number of options they will be split up into
165 .IP \fB\-help\fR 4
166 .IX Item "-help"
168 .IP "\fB\-in\fR \fIfilename\fR|\fIuri\fR" 4
169 .IX Item "-in filename|uri"
171 or the input file for reading a certificate request if the \fB\-req\fR flag is used.
174 This option cannot be combined with the \fB\-new\fR flag.
175 .IP "\fB\-passin\fR \fIarg\fR" 4
176 .IX Item "-passin arg"
179 see \fBopenssl\-passphrase\-options\fR\|(1).
180 .IP \fB\-new\fR 4
181 .IX Item "-new"
184 So this excludes the \fB\-in\fR and \fB\-req\fR options.
185 Instead, the \fB\-set_subject\fR option needs to be given.
186 The public key to include can be given with the \fB\-force_pubkey\fR option
187 and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option,
188 which implies self-signature.
189 .IP \fB\-x509toreq\fR 4
190 .IX Item "-x509toreq"
192 The \fB\-key\fR (or \fB\-signkey\fR) option must be used to provide the private key for
193 self-signing; the corresponding public key is placed in the subjectPKInfo field.
196 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
197 .IP \fB\-req\fR 4
198 .IX Item "-req"
201 which must be correctly self-signed.
204 X.509 extensions to be added can be specified using the \fB\-extfile\fR option.
205 .IP "\fB\-copy_extensions\fR \fIarg\fR" 4
206 .IX Item "-copy_extensions arg"
208 when converting from a certificate to a request using the \fB\-x509toreq\fR option
209 or converting from a request to a certificate using the \fB\-req\fR option.
215 The \fB\-ext\fR option can be used to further restrict which extensions to copy.
216 .IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR" 4
217 .IX Item "-inform DER|PEM"
219 See \fBopenssl\-format\-options\fR\|(1) for details.
220 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
221 .IX Item "-vfyopt nm:v"
223 Names and values of these options are algorithm-specific.
224 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
225 .IX Item "-key filename|uri"
228 Unless \fB\-force_pubkey\fR is given, the corresponding public key is placed in
229 the new certificate or certificate request, resulting in a self-signature.
231 This option cannot be used in conjunction with the \fB\-CA\fR option.
233 It sets the issuer name to the subject name (i.e., makes it self-issued).
234 Unless the \fB\-preserve_dates\fR option is supplied,
236 and the end date to a value determined by the \fB\-days\fR option.
238 \&\fB\-not_before\fR and \fB\-not_after\fR.
239 .IP "\fB\-signkey\fR \fIfilename\fR|\fIuri\fR" 4
240 .IX Item "-signkey filename|uri"
241 This option is an alias of \fB\-key\fR.
242 .IP "\fB\-keyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
243 .IX Item "-keyform DER|PEM|P12|ENGINE"
245 See \fBopenssl\-format\-options\fR\|(1) for details.
246 .IP "\fB\-out\fR \fIfilename\fR" 4
247 .IX Item "-out filename"
249 .IP "\fB\-outform\fR \fBDER\fR|\fBPEM\fR" 4
250 .IX Item "-outform DER|PEM"
252 See \fBopenssl\-format\-options\fR\|(1) for details.
253 .IP \fB\-nocert\fR 4
254 .IX Item "-nocert"
256 .IP \fB\-noout\fR 4
257 .IX Item "-noout"
261 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also printing options
263 .IP \fB\-dateopt\fR 4
264 .IX Item "-dateopt"
267 .IP \fB\-text\fR 4
268 .IX Item "-text"
270 public key, signature algorithms, issuer and subject names, serial number
272 .IP "\fB\-certopt\fR \fIoption\fR" 4
273 .IX Item "-certopt option"
274 Customise the print format used with \fB\-text\fR. The \fIoption\fR argument
276 The \fB\-certopt\fR switch may also be used more than once to set multiple
278 .IP \fB\-fingerprint\fR 4
279 .IX Item "-fingerprint"
285 .IP \fB\-alias\fR 4
286 .IX Item "-alias"
288 .IP \fB\-serial\fR 4
289 .IX Item "-serial"
290 Prints the certificate serial number.
291 .IP \fB\-startdate\fR 4
292 .IX Item "-startdate"
294 .IP \fB\-enddate\fR 4
295 .IX Item "-enddate"
297 .IP \fB\-dates\fR 4
298 .IX Item "-dates"
300 .IP \fB\-subject\fR 4
301 .IX Item "-subject"
303 .IP \fB\-issuer\fR 4
304 .IX Item "-issuer"
306 .IP "\fB\-nameopt\fR \fIoption\fR" 4
307 .IX Item "-nameopt option"
309 See \fBopenssl\-namedisplay\-options\fR\|(1) for details.
310 .IP \fB\-email\fR 4
311 .IX Item "-email"
313 .IP \fB\-hash\fR 4
314 .IX Item "-hash"
315 Synonym for "\-subject_hash" for backward compatibility reasons.
316 .IP \fB\-subject_hash\fR 4
317 .IX Item "-subject_hash"
321 .IP \fB\-subject_hash_old\fR 4
322 .IX Item "-subject_hash_old"
325 .IP \fB\-issuer_hash\fR 4
326 .IX Item "-issuer_hash"
328 .IP \fB\-issuer_hash_old\fR 4
329 .IX Item "-issuer_hash_old"
332 .IP "\fB\-ext\fR \fIextensions\fR" 4
333 .IX Item "-ext extensions"
339 .IP \fB\-ocspid\fR 4
340 .IX Item "-ocspid"
342 .IP \fB\-ocsp_uri\fR 4
343 .IX Item "-ocsp_uri"
345 .IP \fB\-purpose\fR 4
346 .IX Item "-purpose"
349 "Certificate Extensions" in \fBopenssl\-verification\-options\fR\|(1).
350 .IP \fB\-pubkey\fR 4
351 .IX Item "-pubkey"
353 .IP \fB\-modulus\fR 4
354 .IX Item "-modulus"
359 .IP "\fB\-checkend\fR \fIarg\fR" 4
360 .IX Item "-checkend arg"
363 .IP "\fB\-checkhost\fR \fIhost\fR" 4
364 .IX Item "-checkhost host"
366 .IP "\fB\-checkemail\fR \fIemail\fR" 4
367 .IX Item "-checkemail email"
369 .IP "\fB\-checkip\fR \fIipaddr\fR" 4
370 .IX Item "-checkip ipaddr"
374 .IP "\fB\-set_serial\fR \fIn\fR" 4
375 .IX Item "-set_serial n"
376 Specifies the serial number to use.
377 This option can be used with the \fB\-key\fR, \fB\-signkey\fR, or \fB\-CA\fR options.
378 If used in conjunction with the \fB\-CA\fR option
379 the serial number file (as specified by the \fB\-CAserial\fR option) is not used.
381 The serial number can be decimal or hex (if preceded by \f(CW\*(C`0x\*(C'\fR).
382 .IP \fB\-next_serial\fR 4
383 .IX Item "-next_serial"
384 Set the serial to be one more than the number in the certificate.
385 .IP "\fB\-not_before\fR \fIdate\fR" 4
386 .IX Item "-not_before date"
393 Cannot be used together with the \fB\-preserve_dates\fR option.
394 .IP "\fB\-not_after\fR \fIdate\fR" 4
395 .IX Item "-not_after date"
402 Cannot be used together with the \fB\-preserve_dates\fR option.
403 This overrides the option \fB\-days\fR.
404 .IP "\fB\-days\fR \fIarg\fR" 4
405 .IX Item "-days arg"
406 Specifies the number of days from today until a newly generated certificate expires.
409 Cannot be used together with the option \fB\-preserve_dates\fR.
410 If option \fB\-not_after\fR is set, the explicit expiry date takes precedence.
411 .IP \fB\-preserve_dates\fR 4
412 .IX Item "-preserve_dates"
415 Cannot be used together with the options \fB\-days\fR, \fB\-not_before\fR and \fB\-not_after\fR.
416 .IP "\fB\-set_issuer\fR \fIarg\fR" 4
417 .IX Item "-set_issuer arg"
420 See \fB\-set_subject\fR on how the arg must be formatted.
421 .IP "\fB\-set_subject\fR \fIarg\fR" 4
422 .IX Item "-set_subject arg"
424 When the certificate is self-signed the issuer name is set to the same value,
425 unless the \fB\-set_issuer\fR option is given.
431 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
432 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
438 This option can be used with the \fB\-new\fR and \fB\-force_pubkey\fR options to create
440 .IP "\fB\-subj\fR \fIarg\fR" 4
441 .IX Item "-subj arg"
442 This option is an alias of \fB\-set_subject\fR.
443 .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4
444 .IX Item "-force_pubkey filename"
448 or given with the \fB\-key\fR (or \fB\-signkey\fR) option.
451 This option can be used in conjunction with \fB\-new\fR and \fB\-set_subject\fR
454 This option is also useful for creating self-issued certificates that are not
455 self-signed, for instance when the key cannot be used for signing, such as DH.
456 .IP \fB\-clrext\fR 4
457 .IX Item "-clrext"
462 the \fB\-clrext\fR option prevents taking over any extensions from the source.
465 .IP "\fB\-extfile\fR \fIfilename\fR" 4
466 .IX Item "-extfile filename"
468 .IP "\fB\-extensions\fR \fIsection\fR" 4
469 .IX Item "-extensions section"
481 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
482 .IX Item "-sigopt nm:v"
485 Names and values provided using this option are algorithm-specific.
486 .IP \fB\-badsig\fR 4
487 .IX Item "-badsig"
490 .IP \fB\-\fR\f(BIdigest\fR 4
491 .IX Item "-digest"
494 digest, such as the \fB\-fingerprint\fR, \fB\-key\fR, and \fB\-CA\fR options.
495 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
496 If not specified then SHA1 is used with \fB\-fingerprint\fR or
498 .SS "Micro-CA Options"
499 .IX Subsection "Micro-CA Options"
500 .IP "\fB\-CA\fR \fIfilename\fR|\fIuri\fR" 4
501 .IX Item "-CA filename|uri"
507 This option cannot be used in conjunction with \fB\-key\fR (or \fB\-signkey\fR).
508 This option is normally combined with the \fB\-req\fR option referencing a CSR.
509 Without the \fB\-req\fR option the input must be an existing certificate
510 unless the \fB\-new\fR option is given, which generates a certificate from scratch.
511 .IP "\fB\-CAform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR" 4
512 .IX Item "-CAform DER|PEM|P12"
514 See \fBopenssl\-format\-options\fR\|(1) for details.
515 .IP "\fB\-CAkey\fR \fIfilename\fR|\fIuri\fR" 4
516 .IX Item "-CAkey filename|uri"
518 The private key must match the public key of the certificate given with \fB\-CA\fR.
519 If this option is not provided then the key must be present in the \fB\-CA\fR input.
520 .IP "\fB\-CAkeyform\fR \fBDER\fR|\fBPEM\fR|\fBP12\fR|\fBENGINE\fR" 4
521 .IX Item "-CAkeyform DER|PEM|P12|ENGINE"
523 See \fBopenssl\-format\-options\fR\|(1) for details.
524 .IP "\fB\-CAserial\fR \fIfilename\fR" 4
525 .IX Item "-CAserial filename"
526 Sets the CA serial number file to use.
528 When creating a certificate with this option and with the \fB\-CA\fR option,
529 the certificate serial number is stored in the given file.
531 an even number of hex digits with the serial number used last time.
532 After reading this number, it is incremented and used, and the file is updated.
536 \&\fImycacert.pem\fR it expects to find a serial number file called
539 If the \fB\-CA\fR option is specified and neither \fB\-CAserial\fR nor \fB\-CAcreateserial\fR
540 is given and the default serial number file does not exist,
541 a random number is generated; this is the recommended practice.
542 .IP \fB\-CAcreateserial\fR 4
543 .IX Item "-CAcreateserial"
544 With this option and the \fB\-CA\fR option
545 the CA serial number file is created if it does not exist.
546 A random number is generated, used for the certificate,
547 and saved into the serial number file determined as described above.
563 See \fBopenssl\-verification\-options\fR\|(1) for more information
568 .IP \fB\-trustout\fR 4
569 .IX Item "-trustout"
573 With the \fB\-trustout\fR option a trusted certificate is output. A trusted
575 .IP "\fB\-setalias\fR \fIarg\fR" 4
576 .IX Item "-setalias arg"
579 .IP \fB\-clrtrust\fR 4
580 .IX Item "-clrtrust"
582 .IP "\fB\-addtrust\fR \fIarg\fR" 4
583 .IX Item "-addtrust arg"
590 .IP \fB\-clrreject\fR 4
591 .IX Item "-clrreject"
593 .IP "\fB\-addreject\fR \fIarg\fR" 4
594 .IX Item "-addreject arg"
596 It accepts the same values as the \fB\-addtrust\fR option.
599 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
600 .IX Item "-rand files, -writerand file"
602 .IP "\fB\-engine\fR \fIid\fR" 4
603 .IX Item "-engine id"
606 .IP "\fB\-provider\fR \fIname\fR" 4
607 .IX Item "-provider name"
609 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
610 .IX Item "-provider-path path"
611 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
612 .IX Item "-provparam [name:]key=value"
613 .IP "\fB\-propquery\fR \fIpropq\fR" 4
614 .IX Item "-propquery propq"
631 Don't print out the version number.
634 Don't print out the serial number.
674 The value used by \fBopenssl\-ca\fR\|(1), equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
684 \& openssl x509 \-in cert.pem \-noout \-text
690 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
696 \& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
699 Print the certificate serial number:
702 \& openssl x509 \-in cert.pem \-noout \-serial
708 \& openssl x509 \-in cert.pem \-noout \-subject
714 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
721 \& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
727 \& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
733 \& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
739 \& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-key key.pem
742 Convert a certificate request into a self-signed certificate using
746 \& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
747 \& \-key key.pem \-out cacert.pem
754 \& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
755 \& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
762 \& openssl x509 \-in cert.pem \-addtrust clientAuth \e
763 \& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
768 T61Strings use the ISO8859\-1 character set. This is wrong but Netscape
772 The \fB\-email\fR option searches the subject name and the subject alternative
786 \&\fBopenssl\-req\fR\|(1),
787 \&\fBopenssl\-ca\fR\|(1),
788 \&\fBopenssl\-genrsa\fR\|(1),
789 \&\fBopenssl\-gendsa\fR\|(1),
790 \&\fBopenssl\-verify\fR\|(1),
794 The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
798 form must have their links rebuilt using \fBopenssl\-rehash\fR\|(1) or similar.
800 The \fB\-signkey\fR option has been renamed to \fB\-key\fR in OpenSSL 3.0,
803 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
805 The \fB\-C\fR option was removed in OpenSSL 3.0.
811 Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.