xref: /freebsd/crypto/openssl/doc/man1/openssl-req.pod.in (revision 8aac90f18aef7c9eea906c3ff9a001ca7b94f375)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-req - PKCS#10 certificate request and certificate generating command
7
8=head1 SYNOPSIS
9
10B<openssl> B<req>
11[B<-help>]
12[B<-inform> B<DER>|B<PEM>]
13[B<-outform> B<DER>|B<PEM>]
14[B<-in> I<filename>]
15[B<-passin> I<arg>]
16[B<-out> I<filename>]
17[B<-passout> I<arg>]
18[B<-text>]
19[B<-pubkey>]
20[B<-noout>]
21[B<-verify>]
22[B<-modulus>]
23[B<-new>]
24[B<-newkey> I<arg>]
25[B<-pkeyopt> I<opt>:I<value>]
26[B<-noenc>]
27[B<-nodes>]
28[B<-key> I<filename>|I<uri>]
29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30[B<-keyout> I<filename>]
31[B<-keygen_engine> I<id>]
32[B<-I<digest>>]
33[B<-config> I<filename>]
34[B<-section> I<name>]
35[B<-x509>]
36[B<-CA> I<filename>|I<uri>]
37[B<-CAkey> I<filename>|I<uri>]
38[B<-days> I<n>]
39[B<-set_serial> I<n>]
40[B<-newhdr>]
41[B<-copy_extensions> I<arg>]
42[B<-addext> I<ext>]
43[B<-extensions> I<section>]
44[B<-reqexts> I<section>]
45[B<-precert>]
46[B<-utf8>]
47[B<-reqopt>]
48[B<-subject>]
49[B<-subj> I<arg>]
50[B<-multivalue-rdn>]
51[B<-sigopt> I<nm>:I<v>]
52[B<-vfyopt> I<nm>:I<v>]
53[B<-batch>]
54[B<-verbose>]
55{- $OpenSSL::safe::opt_name_synopsis -}
56{- $OpenSSL::safe::opt_r_synopsis -}
57{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
58
59=head1 DESCRIPTION
60
61This command primarily creates and processes certificate requests (CSRs)
62in PKCS#10 format. It can additionally create self-signed certificates
63for use as root CAs for example.
64
65=head1 OPTIONS
66
67=over 4
68
69=item B<-help>
70
71Print out a usage message.
72
73=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
74
75The input and output formats; unspecified by default.
76See L<openssl-format-options(1)> for details.
77
78The data is a PKCS#10 object.
79
80=item B<-in> I<filename>
81
82This specifies the input filename to read a request from.
83This defaults to standard input unless B<-x509> or B<-CA> is specified.
84A request is only read if the creation options
85(B<-new> or B<-newkey> or B<-precert>) are not specified.
86
87=item B<-sigopt> I<nm>:I<v>
88
89Pass options to the signature algorithm during sign operations.
90Names and values of these options are algorithm-specific.
91
92=item B<-vfyopt> I<nm>:I<v>
93
94Pass options to the signature algorithm during verify operations.
95Names and values of these options are algorithm-specific.
96
97=begin comment
98
99Maybe it would be preferable to only have -opts instead of -sigopt and
100-vfyopt?  They are both present here to be compatible with L<openssl-ca(1)>,
101which supports both options for good reasons.
102
103=end comment
104
105=item B<-passin> I<arg>
106
107The password source for private key and certificate input.
108For more information about the format of B<arg>
109see L<openssl-passphrase-options(1)>.
110
111=item B<-passout> I<arg>
112
113The password source for the output file.
114For more information about the format of B<arg>
115see L<openssl-passphrase-options(1)>.
116
117=item B<-out> I<filename>
118
119This specifies the output filename to write to or standard output by default.
120
121=item B<-text>
122
123Prints out the certificate request in text form.
124
125=item B<-subject>
126
127Prints out the certificate request subject
128(or certificate subject if B<-x509> is in use).
129
130=item B<-pubkey>
131
132Prints out the public key.
133
134=item B<-noout>
135
136This option prevents output of the encoded version of the certificate request.
137
138=item B<-modulus>
139
140Prints out the value of the modulus of the public key contained in the request.
141
142=item B<-verify>
143
144Verifies the self-signature on the request.
145
146=item B<-new>
147
148This option generates a new certificate request. It will prompt
149the user for the relevant field values. The actual fields
150prompted for and their maximum and minimum sizes are specified
151in the configuration file and any requested extensions.
152
153If the B<-key> option is not given it will generate a new private key
154using information specified in the configuration file or given with
155the B<-newkey> and B<-pkeyopt> options,
156else by default an RSA key with 2048 bits length.
157
158=item B<-newkey> I<arg>
159
160This option is used to generate a new private key unless B<-key> is given.
161It is subsequently used as if it was given using the B<-key> option.
162
163This option implies the B<-new> flag to create a new certificate request
164or a new certificate in case B<-x509> is given.
165
166The argument takes one of several forms.
167
168[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
169If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
170the default key size specified in the configuration file
171with the B<default_bits> option is used if present, else 2048.
172
173All other algorithms support the B<-newkey> I<algname>:I<file> form, where
174I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
175or an X.509 certificate for a key with appropriate algorithm.
176
177B<param:>I<file> generates a key using the parameter file or certificate
178I<file>, the algorithm is determined by the parameters.
179
180I<algname>[:I<file>] generates a key using the given algorithm I<algname>.
181If a parameter file I<file> is given then the parameters specified there
182are used, where the algorithm parameters must match I<algname>.
183If algorithm parameters are not given,
184any necessary parameters should be specified via the B<-pkeyopt> option.
185
186B<dsa:>I<filename> generates a DSA key using the parameters
187in the file I<filename>. B<ec:>I<filename> generates EC key (usable both with
188ECDSA or ECDH algorithms), B<gost2001:>I<filename> generates GOST R
18934.10-2001 key (requires B<gost> engine configured in the configuration
190file). If just B<gost2001> is specified a parameter set should be
191specified by B<-pkeyopt> I<paramset:X>
192
193=item B<-pkeyopt> I<opt>:I<value>
194
195Set the public key algorithm option I<opt> to I<value>. The precise set of
196options supported depends on the public key algorithm used and its
197implementation.
198See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
199
200=item B<-key> I<filename>|I<uri>
201
202This option provides the private key for signing a new certificate or
203certificate request.
204Unless B<-in> is given, the corresponding public key is placed in
205the new certificate or certificate request, resulting in a self-signature.
206
207For certificate signing this option is overridden by the B<-CA> option.
208
209This option also accepts PKCS#8 format private keys for PEM format files.
210
211=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
212
213The format of the private key; unspecified by default.
214See L<openssl-format-options(1)> for details.
215
216=item B<-keyout> I<filename>
217
218This gives the filename to write any private key to that has been newly created
219or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
220are given then the filename specified in the configuration file with the
221B<default_keyfile> option is used, if present.  Thus, if you want to write the
222private key and the B<-key> option is provided, you should provide the
223B<-keyout> option explicitly.  If a new key is generated and no filename is
224specified the key is written to standard output.
225
226=item B<-noenc>
227
228If this option is specified then if a private key is created it
229will not be encrypted.
230
231=item B<-nodes>
232
233This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
234
235=item B<-I<digest>>
236
237This specifies the message digest to sign the request.
238Any digest supported by the OpenSSL B<dgst> command can be used.
239This overrides the digest algorithm specified in
240the configuration file.
241
242Some public key algorithms may override this choice. For instance, DSA
243signatures always use SHA1, GOST R 34.10 signatures always use
244GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
245
246=item B<-config> I<filename>
247
248This allows an alternative configuration file to be specified.
249Optional; for a description of the default value,
250see L<openssl(1)/COMMAND SUMMARY>.
251
252=item B<-section> I<name>
253
254Specifies the name of the section to use; the default is B<req>.
255
256=item B<-subj> I<arg>
257
258Sets subject name for new request or supersedes the subject name
259when processing a certificate request.
260
261The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
262Special characters may be escaped by C<\> (backslash), whitespace is retained.
263Empty values are permitted, but the corresponding type will not be included
264in the request.
265Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
266Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
267between the AttributeValueAssertions (AVAs) that specify the members of the set.
268Example:
269
270C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
271
272=item B<-multivalue-rdn>
273
274This option has been deprecated and has no effect.
275
276=item B<-x509>
277
278This option outputs a certificate instead of a certificate request.
279This is typically used to generate test certificates.
280It is implied by the B<-CA> option.
281
282This option implies the B<-new> flag if B<-in> is not given.
283
284If an existing request is specified with the B<-in> option, it is converted
285to a certificate; otherwise a request is created from scratch.
286
287Unless specified using the B<-set_serial> option,
288a large random number will be used for the serial number.
289
290Unless the B<-copy_extensions> option is used,
291X.509 extensions are not copied from any provided request input file.
292
293X.509 extensions to be added can be specified in the configuration file
294or using the B<-addext> option.
295
296=item B<-CA> I<filename>|I<uri>
297
298Specifies the "CA" certificate to be used for signing a new certificate
299and implies use of B<-x509>.
300When present, this behaves like a "micro CA" as follows:
301The subject name of the "CA" certificate is placed as issuer name in the new
302certificate, which is then signed using the "CA" key given as specified below.
303
304=item B<-CAkey> I<filename>|I<uri>
305
306Sets the "CA" private key to sign a certificate with.
307The private key must match the public key of the certificate given with B<-CA>.
308If this option is not provided then the key must be present in the B<-CA> input.
309
310=item B<-days> I<n>
311
312When B<-x509> is in use this specifies the number of
313days to certify the certificate for, otherwise it is ignored. I<n> should
314be a positive integer. The default is 30 days.
315
316=item B<-set_serial> I<n>
317
318Serial number to use when outputting a self-signed certificate.
319This may be specified as a decimal value or a hex value if preceded by C<0x>.
320If not given, a large random number will be used.
321
322=item B<-copy_extensions> I<arg>
323
324Determines how X.509 extensions in certificate requests should be handled
325when B<-x509> is in use.
326If I<arg> is B<none> or this option is not present then extensions are ignored.
327If I<arg> is B<copy> or B<copyall> then
328all extensions in the request are copied to the certificate.
329
330The main use of this option is to allow a certificate request to supply
331values for certain extensions such as subjectAltName.
332
333=item B<-addext> I<ext>
334
335Add a specific extension to the certificate (if B<-x509> is in use)
336or certificate request.  The argument must have the form of
337a key=value pair as it would appear in a config file.
338
339This option can be given multiple times.
340
341=item B<-extensions> I<section>
342
343=item B<-reqexts> I<section>
344
345These options specify alternative sections to include certificate
346extensions (if B<-x509> is in use) or certificate request extensions.
347This allows several different sections to
348be used in the same configuration file to specify requests for
349a variety of purposes.
350
351=item B<-precert>
352
353A poison extension will be added to the certificate, making it a
354"pre-certificate" (see RFC6962). This can be submitted to Certificate
355Transparency logs in order to obtain signed certificate timestamps (SCTs).
356These SCTs can then be embedded into the pre-certificate as an extension, before
357removing the poison and signing the certificate.
358
359This implies the B<-new> flag.
360
361=item B<-utf8>
362
363This option causes field values to be interpreted as UTF8 strings, by
364default they are interpreted as ASCII. This means that the field
365values, whether prompted from a terminal or obtained from a
366configuration file, must be valid UTF8 strings.
367
368=item B<-reqopt> I<option>
369
370Customise the printing format used with B<-text>. The I<option> argument can be
371a single option or multiple options separated by commas.
372
373See discussion of the  B<-certopt> parameter in the L<openssl-x509(1)>
374command.
375
376=item B<-newhdr>
377
378Adds the word B<NEW> to the PEM file header and footer lines on the outputted
379request. Some software (Netscape certificate server) and some CAs need this.
380
381=item B<-batch>
382
383Non-interactive mode.
384
385=item B<-verbose>
386
387Print extra details about the operations being performed.
388
389=item B<-keygen_engine> I<id>
390
391Specifies an engine (by its unique I<id> string) which would be used
392for key generation operations.
393
394{- $OpenSSL::safe::opt_name_item -}
395
396{- $OpenSSL::safe::opt_r_item -}
397
398{- $OpenSSL::safe::opt_engine_item -}
399
400{- $OpenSSL::safe::opt_provider_item -}
401
402=back
403
404=head1 CONFIGURATION FILE FORMAT
405
406The configuration options are specified in the B<req> section of
407the configuration file. An alternate name be specified by using the
408B<-section> option.
409As with all configuration files, if no
410value is specified in the specific section then
411the initial unnamed or B<default> section is searched too.
412
413The options available are described in detail below.
414
415=over 4
416
417=item B<input_password>, B<output_password>
418
419The passwords for the input private key file (if present) and
420the output private key file (if one will be created). The
421command line options B<passin> and B<passout> override the
422configuration file values.
423
424=item B<default_bits>
425
426Specifies the default key size in bits.
427
428This option is used in conjunction with the B<-new> option to generate
429a new key. It can be overridden by specifying an explicit key size in
430the B<-newkey> option. The smallest accepted key size is 512 bits. If
431no key size is specified then 2048 bits is used.
432
433=item B<default_keyfile>
434
435This is the default filename to write a private key to. If not
436specified the key is written to standard output. This can be
437overridden by the B<-keyout> option.
438
439=item B<oid_file>
440
441This specifies a file containing additional B<OBJECT IDENTIFIERS>.
442Each line of the file should consist of the numerical form of the
443object identifier followed by whitespace then the short name followed
444by whitespace and finally the long name.
445
446=item B<oid_section>
447
448This specifies a section in the configuration file containing extra
449object identifiers. Each line should consist of the short name of the
450object identifier followed by B<=> and the numerical form. The short
451and long names are the same when this option is used.
452
453=item B<RANDFILE>
454
455At startup the specified file is loaded into the random number generator,
456and at exit 256 bytes will be written to it.
457It is used for private key generation.
458
459=item B<encrypt_key>
460
461If this is set to B<no> then if a private key is generated it is
462B<not> encrypted. This is equivalent to the B<-noenc> command line
463option. For compatibility B<encrypt_rsa_key> is an equivalent option.
464
465=item B<default_md>
466
467This option specifies the digest algorithm to use. Any digest supported by the
468OpenSSL B<dgst> command can be used. This option can be overridden on the
469command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
470any digest that has been set.
471
472=item B<string_mask>
473
474This option masks out the use of certain string types in certain
475fields. Most users will not need to change this option.
476
477It can be set to several values B<default> which is also the default
478option uses PrintableStrings, T61Strings and BMPStrings if the
479B<pkix> value is used then only PrintableStrings and BMPStrings will
480be used. This follows the PKIX recommendation in RFC2459. If the
481B<utf8only> option is used then only UTF8Strings will be used: this
482is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr>
483option just uses PrintableStrings and T61Strings: certain software has
484problems with BMPStrings and UTF8Strings: in particular Netscape.
485
486=item B<req_extensions>
487
488This specifies the configuration file section containing a list of
489extensions to add to the certificate request. It can be overridden
490by the B<-reqexts> command line switch. See the
491L<x509v3_config(5)> manual page for details of the
492extension section format.
493
494=item B<x509_extensions>
495
496This specifies the configuration file section containing a list of
497extensions to add to certificate generated when B<-x509> is in use.
498It can be overridden by the B<-extensions> command line switch.
499
500=item B<prompt>
501
502If set to the value B<no> this disables prompting of certificate fields
503and just takes values from the config file directly. It also changes the
504expected format of the B<distinguished_name> and B<attributes> sections.
505
506=item B<utf8>
507
508If set to the value B<yes> then field values to be interpreted as UTF8
509strings, by default they are interpreted as ASCII. This means that
510the field values, whether prompted from a terminal or obtained from a
511configuration file, must be valid UTF8 strings.
512
513=item B<attributes>
514
515This specifies the section containing any request attributes: its format
516is the same as B<distinguished_name>. Typically these may contain the
517challengePassword or unstructuredName types. They are currently ignored
518by OpenSSL's request signing utilities but some CAs might want them.
519
520=item B<distinguished_name>
521
522This specifies the section containing the distinguished name fields to
523prompt for when generating a certificate or certificate request. The format
524is described in the next section.
525
526=back
527
528=head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
529
530There are two separate formats for the distinguished name and attribute
531sections. If the B<prompt> option is set to B<no> then these sections
532just consist of field names and values: for example,
533
534 CN=My Name
535 OU=My Organization
536 emailAddress=someone@somewhere.org
537
538This allows external programs (e.g. GUI based) to generate a template file with
539all the field names and values and just pass it to this command. An example
540of this kind of configuration file is contained in the B<EXAMPLES> section.
541
542Alternatively if the B<prompt> option is absent or not set to B<no> then the
543file contains field prompting information. It consists of lines of the form:
544
545 fieldName="prompt"
546 fieldName_default="default field value"
547 fieldName_min= 2
548 fieldName_max= 4
549
550"fieldName" is the field name being used, for example commonName (or CN).
551The "prompt" string is used to ask the user to enter the relevant
552details. If the user enters nothing then the default value is used if no
553default value is present then the field is omitted. A field can
554still be omitted if a default value is present if the user just
555enters the '.' character.
556
557The number of characters entered must be between the fieldName_min and
558fieldName_max limits: there may be additional restrictions based
559on the field being used (for example countryName can only ever be
560two characters long and must fit in a PrintableString).
561
562Some fields (such as organizationName) can be used more than once
563in a DN. This presents a problem because configuration files will
564not recognize the same name occurring twice. To avoid this problem
565if the fieldName contains some characters followed by a full stop
566they will be ignored. So for example a second organizationName can
567be input by calling it "1.organizationName".
568
569The actual permitted field names are any object identifier short or
570long names. These are compiled into OpenSSL and include the usual
571values such as commonName, countryName, localityName, organizationName,
572organizationalUnitName, stateOrProvinceName. Additionally emailAddress
573is included as well as name, surname, givenName, initials, and dnQualifier.
574
575Additional object identifiers can be defined with the B<oid_file> or
576B<oid_section> options in the configuration file. Any additional fields
577will be treated as though they were a DirectoryString.
578
579
580=head1 EXAMPLES
581
582Examine and verify certificate request:
583
584 openssl req -in req.pem -text -verify -noout
585
586Create a private key and then generate a certificate request from it:
587
588 openssl genrsa -out key.pem 2048
589 openssl req -new -key key.pem -out req.pem
590
591The same but just using req:
592
593 openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
594
595Generate a self-signed root certificate:
596
597 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
598
599Create an SM2 private key and then generate a certificate request from it:
600
601 openssl ecparam -genkey -name SM2 -out sm2.key
602 openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "distid:1234567812345678"
603
604Examine and verify an SM2 certificate request:
605
606 openssl req -verify -in sm2.csr -sm3 -vfyopt "distid:1234567812345678"
607
608Example of a file pointed to by the B<oid_file> option:
609
610 1.2.3.4        shortName       A longer Name
611 1.2.3.6        otherName       Other longer Name
612
613Example of a section pointed to by B<oid_section> making use of variable
614expansion:
615
616 testoid1=1.2.3.5
617 testoid2=${testoid1}.6
618
619Sample configuration file prompting for field values:
620
621 [ req ]
622 default_bits           = 2048
623 default_keyfile        = privkey.pem
624 distinguished_name     = req_distinguished_name
625 attributes             = req_attributes
626 req_extensions         = v3_ca
627
628 dirstring_type = nobmp
629
630 [ req_distinguished_name ]
631 countryName                    = Country Name (2 letter code)
632 countryName_default            = AU
633 countryName_min                = 2
634 countryName_max                = 2
635
636 localityName                   = Locality Name (eg, city)
637
638 organizationalUnitName         = Organizational Unit Name (eg, section)
639
640 commonName                     = Common Name (eg, YOUR name)
641 commonName_max                 = 64
642
643 emailAddress                   = Email Address
644 emailAddress_max               = 40
645
646 [ req_attributes ]
647 challengePassword              = A challenge password
648 challengePassword_min          = 4
649 challengePassword_max          = 20
650
651 [ v3_ca ]
652
653 subjectKeyIdentifier=hash
654 authorityKeyIdentifier=keyid:always,issuer:always
655 basicConstraints = critical, CA:true
656
657Sample configuration containing all field values:
658
659
660 [ req ]
661 default_bits           = 2048
662 default_keyfile        = keyfile.pem
663 distinguished_name     = req_distinguished_name
664 attributes             = req_attributes
665 prompt                 = no
666 output_password        = mypass
667
668 [ req_distinguished_name ]
669 C                      = GB
670 ST                     = Test State or Province
671 L                      = Test Locality
672 O                      = Organization Name
673 OU                     = Organizational Unit Name
674 CN                     = Common Name
675 emailAddress           = test@email.address
676
677 [ req_attributes ]
678 challengePassword              = A challenge password
679
680Example of giving the most common attributes (subject and extensions)
681on the command line:
682
683 openssl req -new -subj "/C=GB/CN=foo" \
684                  -addext "subjectAltName = DNS:foo.co.uk" \
685                  -addext "certificatePolicies = 1.2.3.4" \
686                  -newkey rsa:2048 -keyout key.pem -out req.pem
687
688
689=head1 NOTES
690
691The certificate requests generated by B<Xenroll> with MSIE have extensions
692added. It includes the B<keyUsage> extension which determines the type of
693key (signature only or general purpose) and any additional OIDs entered
694by the script in an B<extendedKeyUsage> extension.
695
696=head1 DIAGNOSTICS
697
698The following messages are frequently asked about:
699
700        Using configuration from /some/path/openssl.cnf
701        Unable to load config info
702
703This is followed some time later by:
704
705        unable to find 'distinguished_name' in config
706        problems making Certificate Request
707
708The first error message is the clue: it can't find the configuration
709file! Certain operations (like examining a certificate request) don't
710need a configuration file so its use isn't enforced. Generation of
711certificates or requests however does need a configuration file. This
712could be regarded as a bug.
713
714Another puzzling message is this:
715
716        Attributes:
717            a0:00
718
719this is displayed when no attributes are present and the request includes
720the correct empty B<SET OF> structure (the DER encoding of which is 0xa0
7210x00). If you just see:
722
723        Attributes:
724
725then the B<SET OF> is missing and the encoding is technically invalid (but
726it is tolerated). See the description of the command line option B<-asn1-kludge>
727for more information.
728
729=head1 BUGS
730
731OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
732treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour.
733This can cause problems if you need characters that aren't available in
734PrintableStrings and you don't want to or can't use BMPStrings.
735
736As a consequence of the T61String handling the only correct way to represent
737accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
738currently chokes on these. If you have to use accented characters with Netscape
739and MSIE then you currently need to use the invalid T61String form.
740
741The current prompting is not very friendly. It doesn't allow you to confirm what
742you've just entered. Other things like extensions in certificate requests are
743statically defined in the configuration file. Some of these: like an email
744address in subjectAltName should be input by the user.
745
746=head1 SEE ALSO
747
748L<openssl(1)>,
749L<openssl-x509(1)>,
750L<openssl-ca(1)>,
751L<openssl-genrsa(1)>,
752L<openssl-gendsa(1)>,
753L<config(5)>,
754L<x509v3_config(5)>
755
756=head1 HISTORY
757
758The B<-section> option was added in OpenSSL 3.0.0.
759
760The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
761has no effect.
762
763The B<-engine> option was deprecated in OpenSSL 3.0.
764The <-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
765
766=head1 COPYRIGHT
767
768Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
769
770Licensed under the Apache License 2.0 (the "License").  You may not use
771this file except in compliance with the License.  You can obtain a copy
772in the file LICENSE in the source distribution or at
773L<https://www.openssl.org/source/license.html>.
774
775=cut
776