summaryrefslogtreecommitdiff
path: root/secure/usr.bin/openssl/man/x509.1
diff options
context:
space:
mode:
Diffstat (limited to 'secure/usr.bin/openssl/man/x509.1')
-rw-r--r--secure/usr.bin/openssl/man/x509.1320
1 files changed, 185 insertions, 135 deletions
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index df969c81ed3f..8a657bf02173 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -129,17 +129,17 @@
.\" ========================================================================
.\"
.IX Title "X509 1"
-.TH X509 1 "2018-08-14" "1.0.2p" "OpenSSL"
+.TH X509 1 "2018-09-11" "1.1.1" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-openssl\-x509,
-x509 \- Certificate display and signing utility
+openssl\-x509, x509 \- Certificate display and signing utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBx509\fR
+[\fB\-help\fR]
[\fB\-inform DER|PEM|NET\fR]
[\fB\-outform DER|PEM|NET\fR]
[\fB\-keyform DER|PEM\fR]
@@ -185,13 +185,17 @@ x509 \- Certificate display and signing utility
[\fB\-CAserial filename\fR]
[\fB\-force_pubkey key\fR]
[\fB\-text\fR]
+[\fB\-ext extensions\fR]
[\fB\-certopt option\fR]
[\fB\-C\fR]
-[\fB\-md2|\-md5|\-sha1|\-mdc2\fR]
+[\fB\-\f(BIdigest\fB\fR]
[\fB\-clrext\fR]
[\fB\-extfile filename\fR]
[\fB\-extensions section\fR]
+[\fB\-rand file...\fR]
+[\fB\-writerand file\fR]
[\fB\-engine id\fR]
+[\fB\-preserve_dates\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBx509\fR command is a multi purpose certificate utility. It can be
@@ -203,8 +207,11 @@ Since there are a large number of options they will split up into
various sections.
.SH "OPTIONS"
.IX Header "OPTIONS"
-.SS "\s-1INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS\s0"
-.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
+.SS "Input, Output, and General Purpose Options"
+.IX Subsection "Input, Output, and General Purpose Options"
+.IP "\fB\-help\fR" 4
+.IX Item "-help"
+Print out a usage message.
.IP "\fB\-inform DER|PEM|NET\fR" 4
.IX Item "-inform DER|PEM|NET"
This specifies the input format normally the command will expect an X509
@@ -212,11 +219,11 @@ certificate but this can change if other options such as \fB\-req\fR are
present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
added. The \s-1NET\s0 option is an obscure Netscape server format that is now
-obsolete.
+obsolete. The default format is \s-1PEM.\s0
.IP "\fB\-outform DER|PEM|NET\fR" 4
.IX Item "-outform DER|PEM|NET"
-This specifies the output format, the options have the same meaning as the
-\&\fB\-inform\fR option.
+This specifies the output format, the options have the same meaning and default
+as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a certificate from or standard input
@@ -225,98 +232,120 @@ if this option is not specified.
.IX Item "-out filename"
This specifies the output filename to write to or standard output by
default.
-.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
-.IX Item "-md2|-md5|-sha1|-mdc2"
-the digest to use. This affects any signing or display option that uses a message
-digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
-specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key
-then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
+.IP "\fB\-\f(BIdigest\fB\fR" 4
+.IX Item "-digest"
+The digest to use.
+This affects any signing or display option that uses a message
+digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options.
+Any digest supported by the OpenSSL \fBdgst\fR command can be used.
+If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
+the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
+.IP "\fB\-rand file...\fR" 4
+.IX Item "-rand file..."
+A file or files containing random data used to seed the random number
+generator.
+Multiple files can be specified separated by an OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.IP "[\fB\-writerand file\fR]" 4
+.IX Item "[-writerand file]"
+Writes random data to the specified \fIfile\fR upon exit.
+This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
-specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
+Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
-.SS "\s-1DISPLAY OPTIONS\s0"
-.IX Subsection "DISPLAY OPTIONS"
+.IP "\fB\-preserve_dates\fR" 4
+.IX Item "-preserve_dates"
+When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead
+of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option.
+.SS "Display Options"
+.IX Subsection "Display Options"
Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
but are described in the \fB\s-1TRUST SETTINGS\s0\fR section.
.IP "\fB\-text\fR" 4
.IX Item "-text"
-prints out the certificate in text form. Full details are output including the
+Prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
+.IP "\fB\-ext extensions\fR" 4
+.IX Item "-ext extensions"
+Prints out the certificate extensions in text form. Extensions are specified
+with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R".
+See the \fIx509v3_config\fR\|(5) manual page for the extension names.
.IP "\fB\-certopt option\fR" 4
.IX Item "-certopt option"
-customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
-a single option or multiple options separated by commas. The \fB\-certopt\fR switch
-may be also be used more than once to set multiple options. See the \fB\s-1TEXT OPTIONS\s0\fR
-section for more information.
+Customise the output format used with \fB\-text\fR. The \fBoption\fR argument
+can be a single option or multiple options separated by commas. The
+\&\fB\-certopt\fR switch may be also be used more than once to set multiple
+options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
-this option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the request.
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
-outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
+Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
-this option prints out the value of the modulus of the public key
+This option prints out the value of the modulus of the public key
contained in the certificate.
.IP "\fB\-serial\fR" 4
.IX Item "-serial"
-outputs the certificate serial number.
+Outputs the certificate serial number.
.IP "\fB\-subject_hash\fR" 4
.IX Item "-subject_hash"
-outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
+Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
form an index to allow certificates in a directory to be looked up by subject
name.
.IP "\fB\-issuer_hash\fR" 4
.IX Item "-issuer_hash"
-outputs the \*(L"hash\*(R" of the certificate issuer name.
+Outputs the \*(L"hash\*(R" of the certificate issuer name.
.IP "\fB\-ocspid\fR" 4
.IX Item "-ocspid"
-outputs the \s-1OCSP\s0 hash values for the subject name and public key.
+Outputs the \s-1OCSP\s0 hash values for the subject name and public key.
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
-synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
+Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
.IP "\fB\-subject_hash_old\fR" 4
.IX Item "-subject_hash_old"
-outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
-as used by OpenSSL versions before 1.0.0.
+Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
+as used by OpenSSL before version 1.0.0.
.IP "\fB\-issuer_hash_old\fR" 4
.IX Item "-issuer_hash_old"
-outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
-as used by OpenSSL versions before 1.0.0.
+Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
+as used by OpenSSL before version 1.0.0.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
-outputs the subject name.
+Outputs the subject name.
.IP "\fB\-issuer\fR" 4
.IX Item "-issuer"
-outputs the issuer name.
+Outputs the issuer name.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information.
.IP "\fB\-email\fR" 4
.IX Item "-email"
-outputs the email address(es) if any.
+Outputs the email address(es) if any.
.IP "\fB\-ocsp_uri\fR" 4
.IX Item "-ocsp_uri"
-outputs the \s-1OCSP\s0 responder address(es) if any.
+Outputs the \s-1OCSP\s0 responder address(es) if any.
.IP "\fB\-startdate\fR" 4
.IX Item "-startdate"
-prints out the start date of the certificate, that is the notBefore date.
+Prints out the start date of the certificate, that is the notBefore date.
.IP "\fB\-enddate\fR" 4
.IX Item "-enddate"
-prints out the expiry date of the certificate, that is the notAfter date.
+Prints out the expiry date of the certificate, that is the notAfter date.
.IP "\fB\-dates\fR" 4
.IX Item "-dates"
-prints out the start and expiry dates of a certificate.
+Prints out the start and expiry dates of a certificate.
.IP "\fB\-checkend arg\fR" 4
.IX Item "-checkend arg"
-checks if the certificate expires within the next \fBarg\fR seconds and exits
+Checks if the certificate expires within the next \fBarg\fR seconds and exits
non-zero if yes it will expire or zero if not.
.IP "\fB\-fingerprint\fR" 4
.IX Item "-fingerprint"
@@ -327,11 +356,9 @@ digests, the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.
.IP "\fB\-C\fR" 4
.IX Item "-C"
-this outputs the certificate in the form of a C source file.
-.SS "\s-1TRUST SETTINGS\s0"
-.IX Subsection "TRUST SETTINGS"
-Please note these options are currently experimental and may well change.
-.PP
+This outputs the certificate in the form of a C source file.
+.SS "Trust Settings"
+.IX Subsection "Trust Settings"
A \fBtrusted certificate\fR is an ordinary certificate which has several
additional pieces of information attached to it such as the permitted
and prohibited uses of the certificate and an \*(L"alias\*(R".
@@ -352,46 +379,49 @@ Future versions of OpenSSL will recognize trust settings on any
certificate: not just root CAs.
.IP "\fB\-trustout\fR" 4
.IX Item "-trustout"
-this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
+This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
\&\fB\-trustout\fR option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.
.IP "\fB\-setalias arg\fR" 4
.IX Item "-setalias arg"
-sets the alias of the certificate. This will allow the certificate
+Sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
.IP "\fB\-alias\fR" 4
.IX Item "-alias"
-outputs the certificate alias, if any.
+Outputs the certificate alias, if any.
.IP "\fB\-clrtrust\fR" 4
.IX Item "-clrtrust"
-clears all the permitted or trusted uses of the certificate.
+Clears all the permitted or trusted uses of the certificate.
.IP "\fB\-clrreject\fR" 4
.IX Item "-clrreject"
-clears all the prohibited or rejected uses of the certificate.
+Clears all the prohibited or rejected uses of the certificate.
.IP "\fB\-addtrust arg\fR" 4
.IX Item "-addtrust arg"
-adds a trusted certificate use. Any object name can be used here
-but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
-(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
+Adds a trusted certificate use.
+Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client
+use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and
+\&\fBanyExtendedKeyUsage\fR are used.
+As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
+enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
.IP "\fB\-addreject arg\fR" 4
.IX Item "-addreject arg"
-adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
+Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
option.
.IP "\fB\-purpose\fR" 4
.IX Item "-purpose"
-this option performs tests on the certificate extensions and outputs
+This option performs tests on the certificate extensions and outputs
the results. For a more complete description see the \fB\s-1CERTIFICATE
EXTENSIONS\s0\fR section.
-.SS "\s-1SIGNING OPTIONS\s0"
-.IX Subsection "SIGNING OPTIONS"
+.SS "Signing Options"
+.IX Subsection "Signing Options"
The \fBx509\fR utility can be used to sign certificates and requests: it
can thus behave like a \*(L"mini \s-1CA\*(R".\s0
.IP "\fB\-signkey filename\fR" 4
.IX Item "-signkey filename"
-this option causes the input file to be self signed using the supplied
+This option causes the input file to be self signed using the supplied
private key.
.Sp
If the input file is a certificate it sets the issuer name to the
@@ -399,49 +429,49 @@ subject name (i.e. makes it self signed) changes the public key to the
supplied value and changes the start and end dates. The start date is
set to the current time and the end date is set to a value determined
by the \fB\-days\fR option. Any certificate extensions are retained unless
-the \fB\-clrext\fR option is supplied.
+the \fB\-clrext\fR option is supplied; this includes, for example, any existing
+key identifier extensions.
.Sp
If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
-the key password source. For more information about the format of \fBarg\fR
+The key password source. For more information about the format of \fBarg\fR
see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
.IP "\fB\-clrext\fR" 4
.IX Item "-clrext"
-delete any extensions from a certificate. This option is used when a
+Delete any extensions from a certificate. This option is used when a
certificate is being created from another certificate (for example with
the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
retained.
.IP "\fB\-keyform PEM|DER\fR" 4
.IX Item "-keyform PEM|DER"
-specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
+Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
\&\fB\-signkey\fR option.
.IP "\fB\-days arg\fR" 4
.IX Item "-days arg"
-specifies the number of days to make a certificate valid for. The default
-is 30 days.
+Specifies the number of days to make a certificate valid for. The default
+is 30 days. Cannot be used with the \fB\-preserve_dates\fR option.
.IP "\fB\-x509toreq\fR" 4
.IX Item "-x509toreq"
-converts a certificate into a certificate request. The \fB\-signkey\fR option
+Converts a certificate into a certificate request. The \fB\-signkey\fR option
is used to pass the required private key.
.IP "\fB\-req\fR" 4
.IX Item "-req"
-by default a certificate is expected on input. With this option a
+By default a certificate is expected on input. With this option a
certificate request is expected instead.
.IP "\fB\-set_serial n\fR" 4
.IX Item "-set_serial n"
-specifies the serial number to use. This option can be used with either
+Specifies the serial number to use. This option can be used with either
the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
option the serial number file (as specified by the \fB\-CAserial\fR or
\&\fB\-CAcreateserial\fR options) is not used.
.Sp
-The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
-serial numbers can also be specified but their use is not recommended.
+The serial number can be decimal or hex (if preceded by \fB0x\fR).
.IP "\fB\-CA filename\fR" 4
.IX Item "-CA filename"
-specifies the \s-1CA\s0 certificate to be used for signing. When this option is
+Specifies the \s-1CA\s0 certificate to be used for signing. When this option is
present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this
\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
of the \s-1CA\s0 and it is digitally signed using the CAs private key.
@@ -450,34 +480,35 @@ This option is normally combined with the \fB\-req\fR option. Without the
\&\fB\-req\fR option the input is a certificate which must be self signed.
.IP "\fB\-CAkey filename\fR" 4
.IX Item "-CAkey filename"
-sets the \s-1CA\s0 private key to sign a certificate with. If this option is
+Sets the \s-1CA\s0 private key to sign a certificate with. If this option is
not specified then it is assumed that the \s-1CA\s0 private key is present in
the \s-1CA\s0 certificate file.
.IP "\fB\-CAserial filename\fR" 4
.IX Item "-CAserial filename"
-sets the \s-1CA\s0 serial number file to use.
+Sets the \s-1CA\s0 serial number file to use.
.Sp
When the \fB\-CA\fR option is used to sign a certificate it uses a serial
-number specified in a file. This file consist of one line containing
+number specified in a file. This file consists of one line containing
an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.
.Sp
The default filename consists of the \s-1CA\s0 certificate file base name with
-\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
+\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
.IP "\fB\-CAcreateserial\fR" 4
.IX Item "-CAcreateserial"
-with this option the \s-1CA\s0 serial number file is created if it does not exist:
+With this option the \s-1CA\s0 serial number file is created if it does not exist:
it will contain the serial number \*(L"02\*(R" and the certificate being signed will
-have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified
-and the serial number file does not exist it is an error.
+have the 1 as its serial number. If the \fB\-CA\fR option is specified
+and the serial number file does not exist a random number is generated;
+this is the recommended practice.
.IP "\fB\-extfile filename\fR" 4
.IX Item "-extfile filename"
-file containing certificate extensions to use. If not specified then
+File containing certificate extensions to use. If not specified then
no extensions are added to the certificate.
.IP "\fB\-extensions section\fR" 4
.IX Item "-extensions section"
-the section to add certificate extensions from. If this option is not
+The section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
\&\*(L"extensions\*(R" which contains the section to use. See the
@@ -485,14 +516,14 @@ specified then the extensions should either be contained in the unnamed
extension section format.
.IP "\fB\-force_pubkey key\fR" 4
.IX Item "-force_pubkey key"
-when a certificate is created set its public key to \fBkey\fR instead of the
+When a certificate is created set its public key to \fBkey\fR instead of the
key in the certificate or certificate request. This option is useful for
creating certificates where the algorithm can't normally sign requests, for
example \s-1DH.\s0
.Sp
The format or \fBkey\fR can be specified using the \fB\-keyform\fR option.
-.SS "\s-1NAME OPTIONS\s0"
-.IX Subsection "NAME OPTIONS"
+.SS "Name Options"
+.IX Subsection "Name Options"
The \fBnameopt\fR command line switch determines how the subject and issuer
names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
format is used which is compatible with previous versions of OpenSSL.
@@ -500,44 +531,48 @@ Each option is described in detail below, all options can be preceded by
a \fB\-\fR to turn the option off. Only the first four will normally be used.
.IP "\fBcompat\fR" 4
.IX Item "compat"
-use the old format. This is equivalent to specifying no name options at all.
+Use the old format.
.IP "\fB\s-1RFC2253\s0\fR" 4
.IX Item "RFC2253"
-displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
+Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
.IP "\fBoneline\fR" 4
.IX Item "oneline"
-a oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to
+A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to
specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
-options.
+options. This is the \fIdefault\fR of no name options are given explicitly.
.IP "\fBmultiline\fR" 4
.IX Item "multiline"
-a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
+A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR.
.IP "\fBesc_2253\fR" 4
.IX Item "esc_2253"
-escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is
+Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is
\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
and a space character at the beginning or end of a string.
+.IP "\fBesc_2254\fR" 4
+.IX Item "esc_2254"
+Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is
+the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR.
.IP "\fBesc_ctrl\fR" 4
.IX Item "esc_ctrl"
-escape control characters. That is those with \s-1ASCII\s0 values less than
+Escape control characters. That is those with \s-1ASCII\s0 values less than
0x20 (space) and the delete (0x7f) character. They are escaped using the
\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
character value).
.IP "\fBesc_msb\fR" 4
.IX Item "esc_msb"
-escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
+Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
127.
.IP "\fBuse_quote\fR" 4
.IX Item "use_quote"
-escapes some characters by surrounding the whole string with \fB"\fR characters,
+Escapes some characters by surrounding the whole string with \fB"\fR characters,
without the option all escaping is done with the \fB\e\fR character.
.IP "\fButf8\fR" 4
.IX Item "utf8"
-convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If
+Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If
you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
display of multibyte (international) characters. Is this option is not
@@ -547,35 +582,35 @@ Also if this option is off any UTF8Strings will be converted to their
character form first.
.IP "\fBignore_type\fR" 4
.IX Item "ignore_type"
-this option does not attempt to interpret multibyte characters in any
+This option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.
.IP "\fBshow_type\fR" 4
.IX Item "show_type"
-show the type of the \s-1ASN1\s0 character string. The type precedes the
+Show the type of the \s-1ASN1\s0 character string. The type precedes the
field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
.IP "\fBdump_der\fR" 4
.IX Item "dump_der"
-when this option is set any fields that need to be hexdumped will
+When this option is set any fields that need to be hexdumped will
be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
content octets will be displayed. Both options use the \s-1RFC2253\s0
\&\fB#XXXX...\fR format.
.IP "\fBdump_nostr\fR" 4
.IX Item "dump_nostr"
-dump non character string types (for example \s-1OCTET STRING\s0) if this
+Dump non character string types (for example \s-1OCTET STRING\s0) if this
option is not set then non character string types will be displayed
as though each content octet represents a single character.
.IP "\fBdump_all\fR" 4
.IX Item "dump_all"
-dump all fields. This option when used with \fBdump_der\fR allows the
+Dump all fields. This option when used with \fBdump_der\fR allows the
\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
.IP "\fBdump_unknown\fR" 4
.IX Item "dump_unknown"
-dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
+Dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
-these options determine the field separators. The first character is
+These options determine the field separators. The first character is
between RDNs and the second between multiple AVAs (multiple AVAs are
very rare and their use is discouraged). The options ending in
\&\*(L"space\*(R" additionally place a space after the separator to make it
@@ -585,80 +620,82 @@ indents the fields by four characters. If no field separator is specified
then \fBsep_comma_plus_space\fR is used by default.
.IP "\fBdn_rev\fR" 4
.IX Item "dn_rev"
-reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side
+Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side
effect this also reverses the order of multiple AVAs but this is
permissible.
.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
.IX Item "nofname, sname, lname, oid"
-these options alter how the field name is displayed. \fBnofname\fR does
+These options alter how the field name is displayed. \fBnofname\fR does
not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
diagnostic purpose.
.IP "\fBalign\fR" 4
.IX Item "align"
-align field values for a more readable output. Only usable with
+Align field values for a more readable output. Only usable with
\&\fBsep_multiline\fR.
.IP "\fBspace_eq\fR" 4
.IX Item "space_eq"
-places spaces round the \fB=\fR character which follows the field
+Places spaces round the \fB=\fR character which follows the field
name.
-.SS "\s-1TEXT OPTIONS\s0"
-.IX Subsection "TEXT OPTIONS"
+.SS "Text Options"
+.IX Subsection "Text Options"
As well as customising the name output format, it is also possible to
customise the actual fields printed using the \fBcertopt\fR options when
the \fBtext\fR option is present. The default behaviour is to print all fields.
.IP "\fBcompatible\fR" 4
.IX Item "compatible"
-use the old format. This is equivalent to specifying no output options at all.
+Use the old format. This is equivalent to specifying no output options at all.
.IP "\fBno_header\fR" 4
.IX Item "no_header"
-don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
+Don't print header information: that is the lines saying \*(L"Certificate\*(R"
+and \*(L"Data\*(R".
.IP "\fBno_version\fR" 4
.IX Item "no_version"
-don't print out the version number.
+Don't print out the version number.
.IP "\fBno_serial\fR" 4
.IX Item "no_serial"
-don't print out the serial number.
+Don't print out the serial number.
.IP "\fBno_signame\fR" 4
.IX Item "no_signame"
-don't print out the signature algorithm used.
+Don't print out the signature algorithm used.
.IP "\fBno_validity\fR" 4
.IX Item "no_validity"
-don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
+Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
.IP "\fBno_subject\fR" 4
.IX Item "no_subject"
-don't print out the subject name.
+Don't print out the subject name.
.IP "\fBno_issuer\fR" 4
.IX Item "no_issuer"
-don't print out the issuer name.
+Don't print out the issuer name.
.IP "\fBno_pubkey\fR" 4
.IX Item "no_pubkey"
-don't print out the public key.
+Don't print out the public key.
.IP "\fBno_sigdump\fR" 4
.IX Item "no_sigdump"
-don't give a hexadecimal dump of the certificate signature.
+Don't give a hexadecimal dump of the certificate signature.
.IP "\fBno_aux\fR" 4
.IX Item "no_aux"
-don't print out certificate trust information.
+Don't print out certificate trust information.
.IP "\fBno_extensions\fR" 4
.IX Item "no_extensions"
-don't print out any X509V3 extensions.
+Don't print out any X509V3 extensions.
.IP "\fBext_default\fR" 4
.IX Item "ext_default"
-retain default extension behaviour: attempt to print out unsupported certificate extensions.
+Retain default extension behaviour: attempt to print out unsupported
+certificate extensions.
.IP "\fBext_error\fR" 4
.IX Item "ext_error"
-print an error message for unsupported certificate extensions.
+Print an error message for unsupported certificate extensions.
.IP "\fBext_parse\fR" 4
.IX Item "ext_parse"
\&\s-1ASN1\s0 parse unsupported extensions.
.IP "\fBext_dump\fR" 4
.IX Item "ext_dump"
-hex dump unsupported extensions.
+Hex dump unsupported extensions.
.IP "\fBca_default\fR" 4
.IX Item "ca_default"
-the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
+The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
\&\fBno_header\fR, and \fBno_version\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
@@ -671,6 +708,18 @@ Display the contents of a certificate:
\& openssl x509 \-in cert.pem \-noout \-text
.Ve
.PP
+Display the \*(L"Subject Alternative Name\*(R" extension of a certificate:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
+.Ve
+.PP
+Display more extensions of a certificate:
+.PP
+.Vb 1
+\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
+.Ve
+.PP
Display the certificate serial number:
.PP
.Vb 1
@@ -839,13 +888,13 @@ Otherwise it is the same as a normal \s-1SSL\s0 server.
.IX Item "Common S/MIME Client Tests"
The extended key usage extension must be absent or include the \*(L"email
protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the
-S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
+S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type
then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
this is because some Verisign certificates don't set the S/MIME bit.
.IP "\fBS/MIME Signing\fR" 4
.IX Item "S/MIME Signing"
-In addition to the common S/MIME client tests the digitalSignature bit must
-be set if the keyUsage extension is present.
+In addition to the common S/MIME client tests the digitalSignature bit or
+the nonRepudiation bit must be set if the keyUsage extension is present.
.IP "\fBS/MIME Encryption\fR" 4
.IX Item "S/MIME Encryption"
In addition to the common S/MIME tests the keyEncipherment bit must be set
@@ -875,11 +924,6 @@ be checked.
.PP
There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
-.PP
-The code to implement the verify behaviour described in the \fB\s-1TRUST SETTINGS\s0\fR
-is currently being developed. It thus describes the intended behaviour rather
-than the current behaviour. It is hoped that it will represent reality in
-OpenSSL 0.9.5 and later.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
@@ -887,10 +931,16 @@ OpenSSL 0.9.5 and later.
\&\fIx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
-Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5.\s0
-.PP
The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using
the old form must have their links rebuilt using \fBc_rehash\fR or similar.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-01 23:21:34 +0000