=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-req - PKCS#10 certificate request and certificate generating command

=head1 SYNOPSIS

B<openssl> B<req>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-outform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-passin> I<arg>]
[B<-out> I<filename>]
[B<-passout> I<arg>]
[B<-text>]
[B<-pubkey>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-new>]
[B<-newkey> I<arg>]
[B<-pkeyopt> I<opt>:I<value>]
[B<-noenc>]
[B<-nodes>]
[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-keyout> I<filename>]
[B<-keygen_engine> I<id>]
[B<-I<digest>>]
[B<-config> I<filename>]
[B<-section> I<name>]
[B<-x509>]
[B<-CA> I<filename>|I<uri>]
[B<-CAkey> I<filename>|I<uri>]
[B<-days> I<n>]
[B<-set_serial> I<n>]
[B<-newhdr>]
[B<-copy_extensions> I<arg>]
[B<-addext> I<ext>]
[B<-extensions> I<section>]
[B<-reqexts> I<section>]
[B<-precert>]
[B<-utf8>]
[B<-reqopt>]
[B<-subject>]
[B<-subj> I<arg>]
[B<-multivalue-rdn>]
[B<-sigopt> I<nm>:I<v>]
[B<-vfyopt> I<nm>:I<v>]
[B<-batch>]
[B<-verbose>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}

=head1 DESCRIPTION

This command primarily creates and processes certificate requests (CSRs)
in PKCS#10 format. It can additionally create self-signed certificates
for use as root CAs for example.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>

The input and output formats; unspecified by default.
See L<openssl-format-options(1)> for details.

The data is a PKCS#10 object.

=item B<-in> I<filename>

This specifies the input filename to read a request from.
This defaults to standard input unless B<-x509> or B<-CA> is specified.
A request is only read if the creation options
(B<-new> or B<-newkey> or B<-precert>) are not specified.

=item B<-sigopt> I<nm>:I<v>

Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific.

=item B<-vfyopt> I<nm>:I<v>

Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.

=begin comment

Maybe it would be preferable to only have -opts instead of -sigopt and
-vfyopt? They are both present here to be compatible with L<openssl-ca(1)>,
which supports both options for good reasons.

=end comment

=item B<-passin> I<arg>

The password source for private key and certificate input.
For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-passout> I<arg>

The password source for the output file.
For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.

=item B<-out> I<filename>

This specifies the output filename to write to or standard output by default.

=item B<-text>

Prints out the certificate request in text form.

=item B<-subject>

Prints out the certificate request subject
(or certificate subject if B<-x509> is in use).

=item B<-pubkey>

Prints out the public key.

=item B<-noout>

This option prevents output of the encoded version of the certificate request.

=item B<-modulus>

Prints out the value of the modulus of the public key contained in the request.

=item B<-verify>

Verifies the self-signature on the request.

=item B<-new>

This option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.

If the B<-key> option is not given it will generate a new private key
using information specified in the configuration file or given with
the B<-newkey> and B<-pkeyopt> options,
else by default an RSA key with 2048 bits length.

=item B<-newkey> I<arg>

This option is used to generate a new private key unless B<-key> is given.
It is subsequently used as if it was given using the B<-key> option.

This option implies the B<-new> flag to create a new certificate request
or a new certificate in case B<-x509> is given.

The argument takes one of several forms.

[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
the default key size specified in the configuration file
with the B<default_bits> option is used if present, else 2048.

All other algorithms support the B<-newkey> I<algname>:I<file> form, where
I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
or an X.509 certificate for a key with appropriate algorithm.

B<param:>I<file> generates a key using the parameter file or certificate
I<file>, the algorithm is determined by the parameters.

I<algname>[:I<file>] generates a key using the given algorithm I<algname>.
If a parameter file I<file> is given then the parameters specified there
are used, where the algorithm parameters must match I<algname>.
If algorithm parameters are not given,
any necessary parameters should be specified via the B<-pkeyopt> option.

B<dsa:>I<filename> generates a DSA key using the parameters
in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
34.10-2001 key (requires B<gost> engine configured in the configuration
file).
If just B<gost2001> is specified a parameter set should be
specified by B<-pkeyopt> I<paramset:X>

=item B<-pkeyopt> I<opt>:I<value>

Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
implementation.
See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.

=item B<-key> I<filename>|I<uri>

This option provides the private key for signing a new certificate or
certificate request.
Unless B<-in> is given, the corresponding public key is placed in
the new certificate or certificate request, resulting in a self-signature.

For certificate signing this option is overridden by the B<-CA> option.

This option also accepts PKCS#8 format private keys for PEM format files.

=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The format of the private key; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-keyout> I<filename>

This gives the filename to write any private key to that has been newly created
or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
are given then the filename specified in the configuration file with the
B<default_keyfile> option is used, if present. Thus, if you want to write the
private key and the B<-key> option is provided, you should provide the
B<-keyout> option explicitly. If a new key is generated and no filename is
specified the key is written to standard output.

=item B<-noenc>

If this option is specified then if a private key is created it
will not be encrypted.

=item B<-nodes>

This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.

=item B<-I<digest>>

This specifies the message digest to sign the request.
Any digest supported by the OpenSSL B<dgst> command can be used.
This overrides the digest algorithm specified in
the configuration file.

Some public key algorithms may override this choice. For instance, DSA
signatures always use SHA1, GOST R 34.10 signatures always use
GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.

=item B<-config> I<filename>

This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.

=item B<-section> I<name>

Specifies the name of the section to use; the default is B<req>.

=item B<-subj> I<arg>

Sets subject name for new request or supersedes the subject name
when processing a certificate request.

The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:

C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>

=item B<-multivalue-rdn>

This option has been deprecated and has no effect.

=item B<-x509>

This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the B<-CA> option.

This option implies the B<-new> flag if B<-in> is not given.

If an existing request is specified with the B<-in> option, it is converted
to a certificate; otherwise a request is created from scratch.

Unless specified using the B<-set_serial> option,
a large random number will be used for the serial number.

Unless the B<-copy_extensions> option is used,
X.509 extensions are not copied from any provided request input file.

X.509 extensions to be added can be specified in the configuration file
or using the B<-addext> option.

=item B<-CA> I<filename>|I<uri>

Specifies the "CA" certificate to be used for signing a new certificate
and implies use of B<-x509>.
When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as specified below.

=item B<-CAkey> I<filename>|I<uri>

Sets the "CA" private key to sign a certificate with.
The private key must match the public key of the certificate given with B<-CA>.
If this option is not provided then the key must be present in the B<-CA> input.

=item B<-days> I<n>

When B<-x509> is in use this specifies the number of
days to certify the certificate for, otherwise it is ignored. I<n> should
be a positive integer. The default is 30 days.

=item B<-set_serial> I<n>

Serial number to use when outputting a self-signed certificate.
This may be specified as a decimal value or a hex value if preceded by C<0x>.
If not given, a large random number will be used.

=item B<-copy_extensions> I<arg>

Determines how X.509 extensions in certificate requests should be handled
when B<-x509> is in use.
If I<arg> is B<none> or this option is not present then extensions are ignored.
If I<arg> is B<copy> or B<copyall> then
all extensions in the request are copied to the certificate.

The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.

=item B<-addext> I<ext>

Add a specific extension to the certificate (if B<-x509> is in use)
or certificate request.
The argument must have the form of
a key=value pair as it would appear in a config file.

This option can be given multiple times.

=item B<-extensions> I<section>

=item B<-reqexts> I<section>

These options specify alternative sections to include certificate
extensions (if B<-x509> is in use) or certificate request extensions.
This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.

=item B<-precert>

A poison extension will be added to the certificate, making it a
"pre-certificate" (see RFC6962). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
removing the poison and signing the certificate.

This implies the B<-new> flag.

=item B<-utf8>

This option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.

=item B<-reqopt> I<option>

Customise the printing format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.

See discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
command.

=item B<-newhdr>

Adds the word B<NEW> to the PEM file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.

=item B<-batch>

Non-interactive mode.

=item B<-verbose>

Print extra details about the operations being performed.

=item B<-keygen_engine> I<id>

Specifies an engine (by its unique I<id> string) which would be used
for key generation operations.

{- $OpenSSL::safe::opt_name_item -}

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=back

=head1 CONFIGURATION FILE FORMAT

The configuration options are specified in the B<req> section of
the configuration file. An alternate name can be specified by using the
B<-section> option.
As with all configuration files, if no
value is specified in the specific section then
the initial unnamed or B<default> section is searched too.

The options available are described in detail below.

=over 4

=item B<input_password>, B<output_password>

The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
command line options B<passin> and B<passout> override the
configuration file values.

=item B<default_bits>

Specifies the default key size in bits.

This option is used in conjunction with the B<-new> option to generate
a new key. It can be overridden by specifying an explicit key size in
the B<-newkey> option. The smallest accepted key size is 512 bits. If
no key size is specified then 2048 bits is used.

=item B<default_keyfile>

This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
overridden by the B<-keyout> option.

=item B<oid_file>

This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by whitespace then the short name followed
by whitespace and finally the long name.

=item B<oid_section>

This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by B<=> and the numerical form.
The short
and long names are the same when this option is used.

=item B<RANDFILE>

At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it.
It is used for private key generation.

=item B<encrypt_key>

If this is set to B<no> then if a private key is generated it is
B<not> encrypted. This is equivalent to the B<-noenc> command line
option. For compatibility B<encrypt_rsa_key> is an equivalent option.

=item B<default_md>

This option specifies the digest algorithm to use. Any digest supported by the
OpenSSL B<dgst> command can be used. This option can be overridden on the
command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
any digest that has been set.

=item B<string_mask>

This option masks out the use of certain string types in certain
fields. Most users will not need to change this option. It can be set to
several values:

=over 4

=item B<utf8only>
- only UTF8Strings are used (this is the default value)

=item B<pkix>
- any string type except T61Strings

=item B<nombstr>
- any string type except BMPStrings and UTF8Strings

=item B<default>
- any kind of string type

=back

Note that B<utf8only> is the PKIX recommendation in RFC2459 after 2003, and the
default B<string_mask>; B<default> is not the default option. The B<nombstr>
value is a workaround for some software that has problems with variable-sized
BMPStrings and UTF8Strings.

=item B<req_extensions>

This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
by the B<-reqexts> command line switch. See the
L<x509v3_config(5)> manual page for details of the
extension section format.

=item B<x509_extensions>

This specifies the configuration file section containing a list of
extensions to add to the certificate generated when B<-x509> is in use.
It can be overridden by the B<-extensions> command line switch.

=item B<prompt>

If set to the value B<no> this disables prompting of certificate fields
and just takes values from the config file directly. It also changes the
expected format of the B<distinguished_name> and B<attributes> sections.

=item B<utf8>

If set to the value B<yes> then field values are interpreted as UTF8
strings; by default they are interpreted as ASCII. This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.

=item B<attributes>

This specifies the section containing any request attributes: its format
is the same as B<distinguished_name>. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.

=item B<distinguished_name>

This specifies the section containing the distinguished name fields to
prompt for when generating a certificate or certificate request. The format
is described in the next section.

=back

=head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT

There are two separate formats for the distinguished name and attribute
sections. If the B<prompt> option is set to B<no> then these sections
just consist of field names and values: for example,

 CN=My Name
 OU=My Organization
 emailAddress=someone@somewhere.org

This allows external programs (e.g. GUI based) to generate a template file with
all the field names and values and just pass it to this command. An example
of this kind of configuration file is contained in the B<EXAMPLES> section.

Alternatively if the B<prompt> option is absent or not set to B<no> then the
file contains field prompting information. It consists of lines of the form:

 fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4

"fieldName" is the field name being used, for example commonName (or CN).
The "prompt" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used; if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
enters the '.' character.

The number of characters entered must be between the fieldName_min and
fieldName_max limits: there may be additional restrictions based
on the field being used (for example countryName can only ever be
two characters long and must fit in a PrintableString).

Some fields (such as organizationName) can be used more than once
in a DN. This presents a problem because configuration files will
not recognize the same name occurring twice. To avoid this problem
if the fieldName contains some characters followed by a full stop
they will be ignored. So for example a second organizationName can
be input by calling it "1.organizationName".

The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is included as well as name, surname, givenName, initials, and dnQualifier.

Additional object identifiers can be defined with the B<oid_file> or
B<oid_section> options in the configuration file. Any additional fields
will be treated as though they were a DirectoryString.
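
The following shell script is an added example, not part of the OpenSSL
documentation. It writes a B<prompt> = B<no> configuration in the format
described above, uses numeric prefixes to carry two organizationName fields,
and checks the resulting request. The subject values, the host name
C<www.example.test>, the file names and the helper function names are
constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL documentation.
# Subject values, host name and file names below are constructed.

# Write a prompt=no configuration and create a key and CSR from it.
# The body runs in a subshell so the umask change stays local.
make_csr() (
    dir=$1
    # encrypt_key = no writes the private key unencrypted, so make
    # every file created here readable by the owner only.
    umask 077
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
default_bits       = 2048
encrypt_key        = no
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
# prompt = no: plain "field = value" lines, no _default/_min/_max.
C   = GB
# The "0." and "1." prefixes are ignored by req; they only stop the
# two organizationName entries from colliding in the config file.
0.O = Example Holdings
1.O = Example Web Services
CN  = www.example.test

[ ext ]
subjectAltName = DNS:www.example.test
EOF
    openssl req -new -batch -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/req.pem"
)

# Print the number of organizationName RDNs in the CSR subject.
count_org_rdns() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        tr ',' '\n' | grep -c '^O='
}

# Succeed only if the CSR requests exactly this DNS name as a SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

# Succeed if the self-signature on the CSR verifies.
csr_verifies() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if make_csr "$demo" && csr_verifies "$demo/req.pem"; then
    echo "organizationName RDNs: $(count_org_rdns "$demo/req.pem")"
    csr_has_san "$demo/req.pem" www.example.test && echo "SAN present"
fi
rm -rf "$demo"
```
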


=head1 EXAMPLES

Examine and verify certificate request:

 openssl req -in req.pem -text -verify -noout

Create a private key and then generate a certificate request from it:

 openssl genrsa -out key.pem 2048
 openssl req -new -key key.pem -out req.pem

The same but just using req:

 openssl req -newkey rsa:2048 -keyout key.pem -out req.pem

Generate a self-signed root certificate:

 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem

Create an SM2 private key and then generate a certificate request from it:

 openssl ecparam -genkey -name SM2 -out sm2.key
 openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "distid:1234567812345678"

Examine and verify an SM2 certificate request:

 openssl req -verify -in sm2.csr -sm3 -vfyopt "distid:1234567812345678"

Example of a file pointed to by the B<oid_file> option:

 1.2.3.4        shortName       A longer Name
 1.2.3.6        otherName       Other longer Name

Example of a section pointed to by B<oid_section> making use of variable
expansion:

 testoid1=1.2.3.5
 testoid2=${testoid1}.6

Sample configuration file prompting for field values:

 [ req ]
 default_bits           = 2048
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 req_extensions         = v3_ca

 dirstring_type = nobmp

 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
 countryName_default            = AU
 countryName_min                = 2
 countryName_max                = 2

 localityName                   = Locality Name (eg, city)

 organizationalUnitName         = Organizational Unit Name (eg, section)

 commonName                     = Common Name (eg, YOUR name)
 commonName_max                 = 64

 emailAddress                   = Email Address
 emailAddress_max               = 40

 [ req_attributes ]
 challengePassword              = A challenge password
 challengePassword_min          = 4
 challengePassword_max          = 20

 [ v3_ca ]

 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = critical, CA:true

Sample configuration containing all field values:


 [ req ]
 default_bits           = 2048
 default_keyfile        = keyfile.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = mypass

 [ req_distinguished_name ]
 C                      = GB
 ST                     = Test State or Province
 L                      = Test Locality
 O                      = Organization Name
 OU                     = Organizational Unit Name
 CN                     = Common Name
 emailAddress           = test@email.address

 [ req_attributes ]
 challengePassword      = A challenge password

Example of giving the most common attributes (subject and extensions)
on the command line:

 openssl req -new -subj "/C=GB/CN=foo" \
                  -addext "subjectAltName = DNS:foo.co.uk" \
                  -addext "certificatePolicies = 1.2.3.4" \
                  -newkey rsa:2048 -keyout key.pem -out req.pem


=head1 NOTES

The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
by the script in an B<extendedKeyUsage> extension.

=head1 DIAGNOSTICS

The following messages are frequently asked about:

 Using configuration from /some/path/openssl.cnf
 Unable to load config info

This is followed some time later by:

 unable to find 'distinguished_name' in config
 problems making Certificate Request

The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
certificates or requests however does need a configuration file. This
could be regarded as a bug.

Another puzzling message is this:

 Attributes:
     a0:00

This is displayed when no attributes are present and the request includes
the correct empty B<SET OF> structure (the DER encoding of which is 0xa0
0x00). If you just see:

 Attributes:

then the B<SET OF> is missing and the encoding is technically invalid (but
it is tolerated). See the description of the command line option B<-asn1-kludge>
for more information.

=head1 BUGS

OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.

As a consequence of the T61String handling the only correct way to represent
accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
currently chokes on these. If you have to use accented characters with Netscape
and MSIE then you currently need to use the invalid T61String form.

The current prompting is not very friendly. It doesn't allow you to confirm what
you've just entered. Other things like extensions in certificate requests are
statically defined in the configuration file. Some of these: like an email
address in subjectAltName should be input by the user.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-x509(1)>,
L<openssl-ca(1)>,
L<openssl-genrsa(1)>,
L<openssl-gendsa(1)>,
L<config(5)>,
L<x509v3_config(5)>

=head1 HISTORY

The B<-section> option was added in OpenSSL 3.0.0.

The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
has no effect.

The B<-engine> option was deprecated in OpenSSL 3.0.
The B<-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.

=head1 COPYRIGHT

Copyright 2000-2024 The OpenSSL Project Authors.
All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut