xref: /freebsd/crypto/openssl/doc/man1/openssl-spkac.pod.in (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1=pod
2
3=begin comment
4{- join("\n", @autowarntext) -}
5
6=end comment
7
8=head1 NAME
9
10openssl-spkac - SPKAC printing and generating command
11
12=head1 SYNOPSIS
13
14B<openssl> B<spkac>
15[B<-help>]
16[B<-in> I<filename>]
17[B<-out> I<filename>]
18[B<-digest> I<digest>]
19[B<-key> I<filename>|I<uri>]
20[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
21[B<-passin> I<arg>]
22[B<-challenge> I<string>]
23[B<-pubkey>]
24[B<-spkac> I<spkacname>]
25[B<-spksect> I<section>]
26[B<-noout>]
27[B<-verify>]
28{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
29
30=head1 DESCRIPTION
31
32This command processes Netscape signed public key and challenge
33(SPKAC) files. It can print out their contents, verify the signature and
34produce its own SPKACs from a supplied private key.
35
36=head1 OPTIONS
37
38=over 4
39
40=item B<-help>
41
42Print out a usage message.
43
44=item B<-in> I<filename>
45
46This specifies the input filename to read from or standard input if this
47option is not specified. Ignored if the B<-key> option is used.
48
49=item B<-out> I<filename>
50
51Specifies the output filename to write to or standard output by
52default.
53
54=item B<-digest> I<digest>
55
56Use the specified I<digest> to sign a created SPKAC file.
57The default digest algorithm is MD5.
58
59=item B<-key> I<filename>|I<uri>
60
61Create an SPKAC file using the private key specified by I<filename> or I<uri>.
62The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
63present.
64
65=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
66
67The key format; unspecified by default.
68See L<openssl-format-options(1)> for details.
69
70=item B<-passin> I<arg>
71
72The input file password source. For more information about the format of I<arg>
73see L<openssl-passphrase-options(1)>.
74
75=item B<-challenge> I<string>
76
77Specifies the challenge string if an SPKAC is being created.
78
79=item B<-spkac> I<spkacname>
80
81Allows an alternative name form the variable containing the
82SPKAC. The default is "SPKAC". This option affects both
83generated and input SPKAC files.
84
85=item B<-spksect> I<section>
86
87Allows an alternative name form the section containing the
88SPKAC. The default is the default section.
89
90=item B<-noout>
91
92Don't output the text version of the SPKAC (not used if an
93SPKAC is being created).
94
95=item B<-pubkey>
96
97Output the public key of an SPKAC (not used if an SPKAC is
98being created).
99
100=item B<-verify>
101
102Verifies the digital signature on the supplied SPKAC.
103
104{- $OpenSSL::safe::opt_engine_item -}
105
106{- $OpenSSL::safe::opt_provider_item -}
107
108=back
109
110=head1 EXAMPLES
111
112Print out the contents of an SPKAC:
113
114 openssl spkac -in spkac.cnf
115
116Verify the signature of an SPKAC:
117
118 openssl spkac -in spkac.cnf -noout -verify
119
120Create an SPKAC using the challenge string "hello":
121
122 openssl spkac -key key.pem -challenge hello -out spkac.cnf
123
124Example of an SPKAC, (long lines split up for clarity):
125
126 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\
127 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\
128 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\
129 FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\
130 h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\
131 dq+NQ3F+X4deMx9AaEglZtULwV4=
132
133=head1 NOTES
134
135A created SPKAC with suitable DN components appended can be fed to
136L<openssl-ca(1)>.
137
138SPKACs are typically generated by Netscape when a form is submitted
139containing the B<KEYGEN> tag as part of the certificate enrollment
140process.
141
142The challenge string permits a primitive form of proof of possession
143of private key. By checking the SPKAC signature and a random challenge
144string some guarantee is given that the user knows the private key
145corresponding to the public key being certified. This is important in
146some applications. Without this it is possible for a previous SPKAC
147to be used in a "replay attack".
148
149=head1 SEE ALSO
150
151L<openssl(1)>,
152L<openssl-ca(1)>
153
154=head1 HISTORY
155
156The B<-engine> option was deprecated in OpenSSL 3.0.
157
158The B<-digest> option was added in OpenSSL 3.0.
159
160=head1 COPYRIGHT
161
162Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
163
164Licensed under the Apache License 2.0 (the "License").  You may not use
165this file except in compliance with the License.  You can obtain a copy
166in the file LICENSE in the source distribution or at
167L<https://www.openssl.org/source/license.html>.
168
169=cut
170