xref: /freebsd/crypto/openssl/doc/man1/openssl-req.pod.in (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1=pod
2{- OpenSSL::safe::output_do_not_edit_headers(); -}
3
4=head1 NAME
5
6openssl-req - PKCS#10 certificate request and certificate generating command
7
8=head1 SYNOPSIS
9
10B<openssl> B<req>
11[B<-help>]
12[B<-inform> B<DER>|B<PEM>]
13[B<-outform> B<DER>|B<PEM>]
14[B<-in> I<filename>]
15[B<-passin> I<arg>]
16[B<-out> I<filename>]
17[B<-passout> I<arg>]
18[B<-text>]
19[B<-pubkey>]
20[B<-noout>]
21[B<-verify>]
22[B<-modulus>]
23[B<-new>]
24[B<-newkey> I<arg>]
25[B<-pkeyopt> I<opt>:I<value>]
26[B<-noenc>]
27[B<-nodes>]
28[B<-key> I<filename>|I<uri>]
29[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
30[B<-keyout> I<filename>]
31[B<-keygen_engine> I<id>]
32[B<-I<digest>>]
33[B<-config> I<filename>]
34[B<-section> I<name>]
35[B<-x509>]
36[B<-CA> I<filename>|I<uri>]
37[B<-CAkey> I<filename>|I<uri>]
38[B<-days> I<n>]
39[B<-set_serial> I<n>]
40[B<-newhdr>]
41[B<-copy_extensions> I<arg>]
42[B<-addext> I<ext>]
43[B<-extensions> I<section>]
44[B<-reqexts> I<section>]
45[B<-precert>]
46[B<-utf8>]
47[B<-reqopt>]
48[B<-subject>]
49[B<-subj> I<arg>]
50[B<-multivalue-rdn>]
51[B<-sigopt> I<nm>:I<v>]
52[B<-vfyopt> I<nm>:I<v>]
53[B<-batch>]
54[B<-verbose>]
55{- $OpenSSL::safe::opt_name_synopsis -}
56{- $OpenSSL::safe::opt_r_synopsis -}
57{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
58
59=head1 DESCRIPTION
60
61This command primarily creates and processes certificate requests (CSRs)
62in PKCS#10 format. It can additionally create self-signed certificates
63for use as root CAs for example.
64
65=head1 OPTIONS
66
67=over 4
68
69=item B<-help>
70
71Print out a usage message.
72
73=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
74
75The input and output formats; unspecified by default.
76See L<openssl-format-options(1)> for details.
77
78The data is a PKCS#10 object.
79
80=item B<-in> I<filename>
81
82This specifies the input filename to read a request from.
83This defaults to standard input unless B<-x509> or B<-CA> is specified.
84A request is only read if the creation options
85(B<-new> or B<-newkey> or B<-precert>) are not specified.
86
87=item B<-sigopt> I<nm>:I<v>
88
89Pass options to the signature algorithm during sign operations.
90Names and values of these options are algorithm-specific.
91
92=item B<-vfyopt> I<nm>:I<v>
93
94Pass options to the signature algorithm during verify operations.
95Names and values of these options are algorithm-specific.
96
97=begin comment
98
99Maybe it would be preferable to only have -opts instead of -sigopt and
100-vfyopt?  They are both present here to be compatible with L<openssl-ca(1)>,
101which supports both options for good reasons.
102
103=end comment
104
105=item B<-passin> I<arg>
106
107The password source for private key and certificate input.
108For more information about the format of B<arg>
109see L<openssl-passphrase-options(1)>.
110
111=item B<-passout> I<arg>
112
113The password source for the output file.
114For more information about the format of B<arg>
115see L<openssl-passphrase-options(1)>.
116
117=item B<-out> I<filename>
118
119This specifies the output filename to write to or standard output by default.
120
121=item B<-text>
122
123Prints out the certificate request in text form.
124
125=item B<-subject>
126
127Prints out the certificate request subject
128(or certificate subject if B<-x509> is in use).
129
130=item B<-pubkey>
131
132Prints out the public key.
133
134=item B<-noout>
135
136This option prevents output of the encoded version of the certificate request.
137
138=item B<-modulus>
139
140Prints out the value of the modulus of the public key contained in the request.
141
142=item B<-verify>
143
144Verifies the self-signature on the request.
145
146=item B<-new>
147
148This option generates a new certificate request. It will prompt
149the user for the relevant field values. The actual fields
150prompted for and their maximum and minimum sizes are specified
151in the configuration file and any requested extensions.
152
153If the B<-key> option is not given it will generate a new private key
154using information specified in the configuration file or given with
155the B<-newkey> and B<-pkeyopt> options,
156else by default an RSA key with 2048 bits length.
157
158=item B<-newkey> I<arg>
159
160This option is used to generate a new private key unless B<-key> is given.
161It is subsequently used as if it was given using the B<-key> option.
162
163This option implies the B<-new> flag to create a new certificate request
164or a new certificate in case B<-x509> is given.
165
166The argument takes one of several forms.
167
168[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
169If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
170the default key size specified in the configuration file
171with the B<default_bits> option is used if present, else 2048.
172
173All other algorithms support the B<-newkey> I<algname>:I<file> form, where
174I<file> is an algorithm parameter file, created with C<openssl genpkey -genparam>
175or an X.509 certificate for a key with appropriate algorithm.
176
177B<param:>I<file> generates a key using the parameter file or certificate
178I<file>; the algorithm is determined by the parameters.
179
180I<algname>[:I<file>] generates a key using the given algorithm I<algname>.
181If a parameter file I<file> is given then the parameters specified there
182are used, where the algorithm parameters must match I<algname>.
183If algorithm parameters are not given,
184any necessary parameters should be specified via the B<-pkeyopt> option.
185
186B<dsa:>I<filename> generates a DSA key using the parameters
187in the file I<filename>. B<ec:>I<filename> generates an EC key (usable with
188both ECDSA and ECDH algorithms), B<gost2001:>I<filename> generates a GOST R
18934.10-2001 key (requires the B<gost> engine configured in the configuration
190file). If just B<gost2001> is specified, a parameter set should be
191specified by B<-pkeyopt> I<paramset:X>.
192
193=item B<-pkeyopt> I<opt>:I<value>
194
195Set the public key algorithm option I<opt> to I<value>. The precise set of
196options supported depends on the public key algorithm used and its
197implementation.
198See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
199
200=item B<-key> I<filename>|I<uri>
201
202This option provides the private key for signing a new certificate or
203certificate request.
204Unless B<-in> is given, the corresponding public key is placed in
205the new certificate or certificate request, resulting in a self-signature.
206
207For certificate signing this option is overridden by the B<-CA> option.
208
209This option also accepts PKCS#8 format private keys for PEM format files.
210
211=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
212
213The format of the private key; unspecified by default.
214See L<openssl-format-options(1)> for details.
215
216=item B<-keyout> I<filename>
217
218This gives the filename to write any private key to that has been newly created
219or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
220are given then the filename specified in the configuration file with the
221B<default_keyfile> option is used, if present.  Thus, if you want to write the
222private key and the B<-key> option is provided, you should provide the
223B<-keyout> option explicitly.  If a new key is generated and no filename is
224specified the key is written to standard output.
225
226=item B<-noenc>
227
228If this option is specified then if a private key is created it
229will not be encrypted.
230
231=item B<-nodes>
232
233This option is deprecated since OpenSSL 3.0; use B<-noenc> instead.
234
235=item B<-I<digest>>
236
237This specifies the message digest to sign the request.
238Any digest supported by the OpenSSL B<dgst> command can be used.
239This overrides the digest algorithm specified in
240the configuration file.
241
242Some public key algorithms may override this choice. For instance, DSA
243signatures always use SHA1, GOST R 34.10 signatures always use
244GOST R 34.11-94 (B<-md_gost94>), Ed25519 and Ed448 never use any digest.
245
246=item B<-config> I<filename>
247
248This allows an alternative configuration file to be specified.
249Optional; for a description of the default value,
250see L<openssl(1)/COMMAND SUMMARY>.
251
252=item B<-section> I<name>
253
254Specifies the name of the section to use; the default is B<req>.
255
256=item B<-subj> I<arg>
257
258Sets subject name for new request or supersedes the subject name
259when processing a certificate request.
260
261The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
262Special characters may be escaped by C<\> (backslash), whitespace is retained.
263Empty values are permitted, but the corresponding type will not be included
264in the request.
265Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
266Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
267between the AttributeValueAssertions (AVAs) that specify the members of the set.
268Example:
269
270C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
271
272=item B<-multivalue-rdn>
273
274This option has been deprecated and has no effect.
275
276=item B<-x509>
277
278This option outputs a certificate instead of a certificate request.
279This is typically used to generate test certificates.
280It is implied by the B<-CA> option.
281
282This option implies the B<-new> flag if B<-in> is not given.
283
284If an existing request is specified with the B<-in> option, it is converted
285to a certificate; otherwise a request is created from scratch.
286
287Unless specified using the B<-set_serial> option,
288a large random number will be used for the serial number.
289
290Unless the B<-copy_extensions> option is used,
291X.509 extensions are not copied from any provided request input file.
292
293X.509 extensions to be added can be specified in the configuration file
294or using the B<-addext> option.
295
296=item B<-CA> I<filename>|I<uri>
297
298Specifies the "CA" certificate to be used for signing a new certificate
299and implies use of B<-x509>.
300When present, this behaves like a "micro CA" as follows:
301The subject name of the "CA" certificate is placed as issuer name in the new
302certificate, which is then signed using the "CA" key given as specified below.
303
304=item B<-CAkey> I<filename>|I<uri>
305
306Sets the "CA" private key to sign a certificate with.
307The private key must match the public key of the certificate given with B<-CA>.
308If this option is not provided then the key must be present in the B<-CA> input.
309
310=item B<-days> I<n>
311
312When B<-x509> is in use this specifies the number of
313days to certify the certificate for, otherwise it is ignored. I<n> should
314be a positive integer. The default is 30 days.
315
316=item B<-set_serial> I<n>
317
318Serial number to use when outputting a self-signed certificate.
319This may be specified as a decimal value or a hex value if preceded by C<0x>.
320If not given, a large random number will be used.
321
322=item B<-copy_extensions> I<arg>
323
324Determines how X.509 extensions in certificate requests should be handled
325when B<-x509> is in use.
326If I<arg> is B<none> or this option is not present then extensions are ignored.
327If I<arg> is B<copy> or B<copyall> then
328all extensions in the request are copied to the certificate.
329
330The main use of this option is to allow a certificate request to supply
331values for certain extensions such as subjectAltName.
332
333=item B<-addext> I<ext>
334
335Add a specific extension to the certificate (if B<-x509> is in use)
336or certificate request.  The argument must have the form of
337a key=value pair as it would appear in a config file.
338
339This option can be given multiple times.
340
341=item B<-extensions> I<section>
342
343=item B<-reqexts> I<section>
344
345These options specify alternative sections to include certificate
346extensions (if B<-x509> is in use) or certificate request extensions.
347This allows several different sections to
348be used in the same configuration file to specify requests for
349a variety of purposes.
350
351=item B<-precert>
352
353A poison extension will be added to the certificate, making it a
354"pre-certificate" (see RFC6962). This can be submitted to Certificate
355Transparency logs in order to obtain signed certificate timestamps (SCTs).
356These SCTs can then be embedded into the pre-certificate as an extension, before
357removing the poison and signing the certificate.
358
359This implies the B<-new> flag.
360
361=item B<-utf8>
362
363This option causes field values to be interpreted as UTF8 strings; by
364default they are interpreted as ASCII. This means that the field
365values, whether prompted from a terminal or obtained from a
366configuration file, must be valid UTF8 strings.
367
368=item B<-reqopt> I<option>
369
370Customise the printing format used with B<-text>. The I<option> argument can be
371a single option or multiple options separated by commas.
372
373See the discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
374command.
375
376=item B<-newhdr>
377
378Adds the word B<NEW> to the PEM file header and footer lines on the outputted
379request. Some software (Netscape certificate server) and some CAs need this.
380
381=item B<-batch>
382
383Non-interactive mode.
384
385=item B<-verbose>
386
387Print extra details about the operations being performed.
388
389=item B<-keygen_engine> I<id>
390
391Specifies an engine (by its unique I<id> string) which would be used
392for key generation operations.
393
394{- $OpenSSL::safe::opt_name_item -}
395
396{- $OpenSSL::safe::opt_r_item -}
397
398{- $OpenSSL::safe::opt_engine_item -}
399
400{- $OpenSSL::safe::opt_provider_item -}
401
402=back
403
404=head1 CONFIGURATION FILE FORMAT
405
406The configuration options are specified in the B<req> section of
407the configuration file. An alternate name can be specified by using the
408B<-section> option.
409As with all configuration files, if no
410value is specified in the specific section then
411the initial unnamed or B<default> section is searched too.
412
413The options available are described in detail below.
414
415=over 4
416
417=item B<input_password>, B<output_password>
418
419The passwords for the input private key file (if present) and
420the output private key file (if one will be created). The
421command line options B<passin> and B<passout> override the
422configuration file values.
423
424=item B<default_bits>
425
426Specifies the default key size in bits.
427
428This option is used in conjunction with the B<-new> option to generate
429a new key. It can be overridden by specifying an explicit key size in
430the B<-newkey> option. The smallest accepted key size is 512 bits. If
431no key size is specified then 2048 bits is used.
432
433=item B<default_keyfile>
434
435This is the default filename to write a private key to. If not
436specified the key is written to standard output. This can be
437overridden by the B<-keyout> option.
438
439=item B<oid_file>
440
441This specifies a file containing additional B<OBJECT IDENTIFIERS>.
442Each line of the file should consist of the numerical form of the
443object identifier followed by whitespace then the short name followed
444by whitespace and finally the long name.
445
446=item B<oid_section>
447
448This specifies a section in the configuration file containing extra
449object identifiers. Each line should consist of the short name of the
450object identifier followed by B<=> and the numerical form. The short
451and long names are the same when this option is used.
452
453=item B<RANDFILE>
454
455At startup the specified file is loaded into the random number generator,
456and at exit 256 bytes will be written to it.
457It is used for private key generation.
458
459=item B<encrypt_key>
460
461If this is set to B<no> then if a private key is generated it is
462B<not> encrypted. This is equivalent to the B<-noenc> command line
463option. For compatibility B<encrypt_rsa_key> is an equivalent option.
464
465=item B<default_md>
466
467This option specifies the digest algorithm to use. Any digest supported by the
468OpenSSL B<dgst> command can be used. This option can be overridden on the
469command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
470any digest that has been set.
471
472=item B<string_mask>
473
474This option masks out the use of certain string types in certain
475fields. Most users will not need to change this option. It can be set to
476several values:
477
478=over 4
479
480=item B<utf8only>
481- only UTF8Strings are used (this is the default value)
482
483=item B<pkix>
484- any string type except T61Strings
485
486=item B<nombstr>
487- any string type except BMPStrings and UTF8Strings
488
489=item B<default>
490- any kind of string type
491
492=back
493
494Note that B<utf8only> is the PKIX recommendation in RFC2459 after 2003, and the
495default B<string_mask>; B<default> is not the default option. The B<nombstr>
496value is a workaround for some software that has problems with variable-sized
497BMPStrings and UTF8Strings.
498
499=item B<req_extensions>
500
501This specifies the configuration file section containing a list of
502extensions to add to the certificate request. It can be overridden
503by the B<-reqexts> command line switch. See the
504L<x509v3_config(5)> manual page for details of the
505extension section format.
506
507=item B<x509_extensions>
508
509This specifies the configuration file section containing a list of
510extensions to add to the certificate generated when B<-x509> is in use.
511It can be overridden by the B<-extensions> command line switch.
512
513=item B<prompt>
514
515If set to the value B<no> this disables prompting of certificate fields
516and just takes values from the config file directly. It also changes the
517expected format of the B<distinguished_name> and B<attributes> sections.
518
519=item B<utf8>
520
521If set to the value B<yes> then field values are interpreted as UTF8
522strings; by default they are interpreted as ASCII. This means that
523the field values, whether prompted from a terminal or obtained from a
524configuration file, must be valid UTF8 strings.
525
526=item B<attributes>
527
528This specifies the section containing any request attributes: its format
529is the same as B<distinguished_name>. Typically these may contain the
530challengePassword or unstructuredName types. They are currently ignored
531by OpenSSL's request signing utilities but some CAs might want them.
532
533=item B<distinguished_name>
534
535This specifies the section containing the distinguished name fields to
536prompt for when generating a certificate or certificate request. The format
537is described in the next section.
538
539=back
540
541=head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT
542
543There are two separate formats for the distinguished name and attribute
544sections. If the B<prompt> option is set to B<no> then these sections
545just consist of field names and values: for example,
546
547 CN=My Name
548 OU=My Organization
549 emailAddress=someone@somewhere.org
550
551This allows external programs (e.g. GUI based) to generate a template file with
552all the field names and values and just pass it to this command. An example
553of this kind of configuration file is contained in the B<EXAMPLES> section.
554
555Alternatively if the B<prompt> option is absent or not set to B<no> then the
556file contains field prompting information. It consists of lines of the form:
557
558 fieldName="prompt"
559 fieldName_default="default field value"
560 fieldName_min= 2
561 fieldName_max= 4
562
563"fieldName" is the field name being used, for example commonName (or CN).
564The "prompt" string is used to ask the user to enter the relevant
565details. If the user enters nothing then the default value is used; if no
566default value is present then the field is omitted. A field can
567still be omitted when a default value is present if the user just
568enters the '.' character.
569
570The number of characters entered must be between the fieldName_min and
571fieldName_max limits: there may be additional restrictions based
572on the field being used (for example countryName can only ever be
573two characters long and must fit in a PrintableString).
574
575Some fields (such as organizationName) can be used more than once
576in a DN. This presents a problem because configuration files will
577not recognize the same name occurring twice. To avoid this problem
578if the fieldName contains some characters followed by a full stop
579they will be ignored. So for example a second organizationName can
580be input by calling it "1.organizationName".
581
582The actual permitted field names are any object identifier short or
583long names. These are compiled into OpenSSL and include the usual
584values such as commonName, countryName, localityName, organizationName,
585organizationalUnitName, stateOrProvinceName. Additionally emailAddress
586is included as well as name, surname, givenName, initials, and dnQualifier.
587
588Additional object identifiers can be defined with the B<oid_file> or
589B<oid_section> options in the configuration file. Any additional fields
590will be treated as though they were a DirectoryString.
591
592
593=head1 EXAMPLES
594
595Examine and verify certificate request:
596
597 openssl req -in req.pem -text -verify -noout
598
599Create a private key and then generate a certificate request from it:
600
601 openssl genrsa -out key.pem 2048
602 openssl req -new -key key.pem -out req.pem
603
604The same but just using req:
605
606 openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
607
608Generate a self-signed root certificate:
609
610 openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem
611
612Create an SM2 private key and then generate a certificate request from it:
613
614 openssl ecparam -genkey -name SM2 -out sm2.key
615 openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "distid:1234567812345678"
616
617Examine and verify an SM2 certificate request:
618
619 openssl req -verify -in sm2.csr -sm3 -vfyopt "distid:1234567812345678"
620
621Example of a file pointed to by the B<oid_file> option:
622
623 1.2.3.4        shortName       A longer Name
624 1.2.3.6        otherName       Other longer Name
625
626Example of a section pointed to by B<oid_section> making use of variable
627expansion:
628
629 testoid1=1.2.3.5
630 testoid2=${testoid1}.6
631
632Sample configuration file prompting for field values:
633
634 [ req ]
635 default_bits           = 2048
636 default_keyfile        = privkey.pem
637 distinguished_name     = req_distinguished_name
638 attributes             = req_attributes
639 req_extensions         = v3_ca
640
641 dirstring_type = nobmp
642
643 [ req_distinguished_name ]
644 countryName                    = Country Name (2 letter code)
645 countryName_default            = AU
646 countryName_min                = 2
647 countryName_max                = 2
648
649 localityName                   = Locality Name (eg, city)
650
651 organizationalUnitName         = Organizational Unit Name (eg, section)
652
653 commonName                     = Common Name (eg, YOUR name)
654 commonName_max                 = 64
655
656 emailAddress                   = Email Address
657 emailAddress_max               = 40
658
659 [ req_attributes ]
660 challengePassword              = A challenge password
661 challengePassword_min          = 4
662 challengePassword_max          = 20
663
664 [ v3_ca ]
665
666 subjectKeyIdentifier=hash
667 authorityKeyIdentifier=keyid:always,issuer:always
668 basicConstraints = critical, CA:true
669
670Sample configuration containing all field values:
671
672
673 [ req ]
674 default_bits           = 2048
675 default_keyfile        = keyfile.pem
676 distinguished_name     = req_distinguished_name
677 attributes             = req_attributes
678 prompt                 = no
679 output_password        = mypass
680
681 [ req_distinguished_name ]
682 C                      = GB
683 ST                     = Test State or Province
684 L                      = Test Locality
685 O                      = Organization Name
686 OU                     = Organizational Unit Name
687 CN                     = Common Name
688 emailAddress           = test@email.address
689
690 [ req_attributes ]
691 challengePassword              = A challenge password
692
693Example of giving the most common attributes (subject and extensions)
694on the command line:
695
696 openssl req -new -subj "/C=GB/CN=foo" \
697                  -addext "subjectAltName = DNS:foo.co.uk" \
698                  -addext "certificatePolicies = 1.2.3.4" \
699                  -newkey rsa:2048 -keyout key.pem -out req.pem
700
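An added example, not part of the OpenSSL documentation: a check to run on a
request before it is signed with B<-copy_extensions> B<copy>, which copies every
extension the requester supplied into the certificate. It builds its test
request from a B<prompt> = B<no> configuration file; the function names, file
names and subject values are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenSSL documentation. Function names,
# file names and subject values are illustrative assumptions.

# make_csr DIR CN SAN [EXTRA]: write DIR/req.cnf, DIR/key.pem and DIR/req.pem
# without prompting. EXTRA is an optional extra line for the [ v3_req ] section.
make_csr() {
    dir=$1; cn=$2; san=$3; extra=${4:-}
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
C  = GB
O  = Example Org
CN = $cn

[ v3_req ]
subjectAltName = $san
$extra
EOF
    # encrypt_key = no keeps the demo non-interactive, so create the key
    # under umask 077 to make it readable by the owner only.
    ( umask 077
      openssl req -new -batch -config "$dir/req.cnf" \
          -keyout "$dir/key.pem" -out "$dir/req.pem" ) >/dev/null 2>&1
}

# csr_sans CSR: print each requested subjectAltName entry on its own line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d'
}

# csr_precheck CSR ALLOWED_SAN...
# Returns 0 if the request may be signed with its extensions copied,
#         1 if it asks for CA rights or for a name outside the allow-list,
#         2 if it cannot be read or its self-signature does not verify.
csr_precheck() {
    csr=$1; shift
    out=$(openssl req -in "$csr" -noout -verify -text 2>&1) || :
    # Match the success message: its exact wording and the exit status on
    # failure are assumed not to be the same in every release.
    if ! printf '%s\n' "$out" | grep -q 'verify OK'; then
        return 2
    fi
    # Fail closed: a subject that merely contains these strings is rejected too.
    if printf '%s\n' "$out" | grep -Eq 'CA:TRUE|Certificate Sign'; then
        return 1
    fi
    sans=$(csr_sans "$csr")
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        permitted=no
        for allowed in "$@"; do
            if [ "$name" = "$allowed" ]; then permitted=yes; fi
        done
        if [ "$permitted" = no ]; then return 1; fi
    done <<EOF
$sans
EOF
    return 0
}

# Demo: run this file with the single argument "demo".
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_csr "$d" www.example.test "DNS:www.example.test"
    csr_precheck "$d/req.pem" DNS:www.example.test && echo "request may be signed"
    rm -rf "$d"
fi
```

A request that passes can then be signed with
C<openssl req -in req.pem -CA ca.pem -CAkey ca.key -copy_extensions copy -out cert.pem>,
where F<ca.pem> and F<ca.key> are placeholder names.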
701
702=head1 NOTES
703
704The certificate requests generated by B<Xenroll> with MSIE have extensions
705added. It includes the B<keyUsage> extension which determines the type of
706key (signature only or general purpose) and any additional OIDs entered
707by the script in an B<extendedKeyUsage> extension.
708
709=head1 DIAGNOSTICS
710
711The following messages are frequently asked about:
712
713        Using configuration from /some/path/openssl.cnf
714        Unable to load config info
715
716This is followed some time later by:
717
718        unable to find 'distinguished_name' in config
719        problems making Certificate Request
720
721The first error message is the clue: it can't find the configuration
722file! Certain operations (like examining a certificate request) don't
723need a configuration file so its use isn't enforced. Generation of
724certificates or requests however does need a configuration file. This
725could be regarded as a bug.
726
727Another puzzling message is this:
728
729        Attributes:
730            a0:00
731
732This is displayed when no attributes are present and the request includes
733the correct empty B<SET OF> structure (the DER encoding of which is 0xa0
7340x00). If you just see:
735
736        Attributes:
737
738then the B<SET OF> is missing and the encoding is technically invalid (but
739it is tolerated). See the description of the command line option B<-asn1-kludge>
740for more information.
741
742=head1 BUGS
743
744OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
745treats them as ISO-8859-1 (Latin 1); Netscape and MSIE have similar behaviour.
746This can cause problems if you need characters that aren't available in
747PrintableStrings and you don't want to or can't use BMPStrings.
748
749As a consequence of the T61String handling the only correct way to represent
750accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
751currently chokes on these. If you have to use accented characters with Netscape
752and MSIE then you currently need to use the invalid T61String form.
753
754The current prompting is not very friendly. It doesn't allow you to confirm what
755you've just entered. Other things like extensions in certificate requests are
756statically defined in the configuration file. Some of these, like an email
757address in subjectAltName, should be input by the user.
758
759=head1 SEE ALSO
760
761L<openssl(1)>,
762L<openssl-x509(1)>,
763L<openssl-ca(1)>,
764L<openssl-genrsa(1)>,
765L<openssl-gendsa(1)>,
766L<config(5)>,
767L<x509v3_config(5)>
768
769=head1 HISTORY
770
771The B<-section> option was added in OpenSSL 3.0.0.
772
773The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
774has no effect.
775
776The B<-engine> option was deprecated in OpenSSL 3.0.
777The B<-nodes> option was deprecated in OpenSSL 3.0, too; use B<-noenc> instead.
778
779=head1 COPYRIGHT
780
781Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
782
783Licensed under the Apache License 2.0 (the "License").  You may not use
784this file except in compliance with the License.  You can obtain a copy
785in the file LICENSE in the source distribution or at
786L<https://www.openssl.org/source/license.html>.
787
788=cut
789