Name

req

Synopsis

The req command is used to create, examine, and manipulate PKCS#10-formatted certificate requests. It can also be used to create self-signed certificates suitable for use in setting up a root certification authority.

Options

-config filename

Specify the name of a file to use as a configuration file. If this option is omitted, the system-wide default configuration file is used. Use of this option overrides the OPENSSL_CONF environment variable.

-in filename

Specify the name of a file from which a certificate request will be read. If this option is omitted, stdin is used.

-inform DER|PEM

Specify the format of the input certificate request, either DER or PEM. If this option is omitted, PEM is the default format.

-out filename

Specify the name of a file to which the resulting self-signed certificate or certificate request will be written. If this option is omitted, stdout will be used.

-outform DER|PEM

Specify the format, DER or PEM, which will be used to write the self-signed certificate or certificate request. If this option is omitted, PEM is the default.

-passin password

Specify the password or passphrase that will be used to decrypt the private key corresponding to the input certificate or certificate request. This option follows the guidelines outlined in Chapter 2 for passwords and passphrases.

-passout password

Specify the password or passphrase that will be used to encrypt the private key that may be generated with the certificate or certificate request. This option follows the guidelines outlined in Chapter 2 for passwords and passphrases.

-rand filename

Specify the name of a file or files that will be used to seed the PRNG. This option follows the guidelines outlined in Chapter 2.

-noout

Cause output of a certificate or certificate request to be suppressed. This option is useful when examining a certificate request.

-text

Cause a human-readable representation of the input certificate request to be output.

-modulus

Cause the modulus of the public key contained in the request to be output.

-verify

Verify the signature on the certificate request.

-new

Cause a new certificate request to be generated. When this option is used, no data is read from either stdin or the file specified with the -in option. If the -key option is not also specified, a new RSA key pair will be generated.

-newkey rsa:length, -newkey dsa:filename

Cause a new certificate request to be generated with a new key pair. For an RSA key pair, the length of the primes must be specified. For a DSA key pair, the name of a file containing the DSA parameters must be specified. The parameters are expected to be in PEM format.

-key filename

Specify the name of a file containing the private key to use in the certificate request.

-keyform DER|PEM

Specify the format, DER or PEM, of the private key specified using the -key option. If this option is omitted, the default is PEM.

-keyout filename

Specify the name of a file to which the private key that was used will be written.

-nodes

If a new key pair is generated, this option causes the output private key to be unencrypted.

-md2, -md5, -mdc2, -sha1

Specify the message digest algorithm to use to sign the certificate request. If this option is omitted, the default is MD5. These options are ignored when a DSA key is being used because DSS1 must always be used with DSA keys.

-x509

Cause a self-signed certificate to be output instead of a certificate request. The resulting self-signed certificate is suitable for use with a root certification authority.

-days number

When a self-signed certificate is being generated, this option specifies the number of days for which the certificate will be valid.

-extensions section

Specify the name of a configuration file section containing the extensions to be included in a self-signed certificate.

-reqexts section

Specify the name of a configuration file section containing the extensions to be included in a certificate request.

-asn1-kludge

Cause empty attribute sets to be omitted from the resulting certificate request. This invalid format is required by some CA software. Use of this option is not recommended unless you know that you need it.

-newhdr

Cause the word “new” to be added to the PEM header and footer lines when a certificate request is being generated. Most software does not require this.

Configuration Options

RANDFILE

Specify the name of a file that will be used to seed the PRNG for private key generation. This setting is overridden by the rand command-line option.

input_password

Specify the password to use for the private key that is used as input. This setting is overridden by the passin command-line option.

output_password

Specify the password to use for encrypting a generated private key. This setting is overridden by the passout command-line option.

default_bits

When an RSA key is generated, this setting specifies the default key length. It can be overridden using the newkey command-line option.

default_keyfile

Specify the name of a file that will be used to write a generated private key. This setting is overridden by the keyout command-line option.

encrypt_key, encrypt_rsa_key

Setting the value for this key to no will cause any generated private key to be unencrypted. This setting is equivalent to specifying the nodes command-line option.

default_md

Specify the default message digest algorithm to use for signing certificates and certificate requests. This setting is overridden by the md2, md5, mdc2, or sha1 command-line options.

oid_file

Specify the name of a file containing object identifier definitions. The file should contain one definition per line, with each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID’s short name, and the third column is the OID’s long name. The short name should be a single word and composed of only upper- and lowercase letters.

oid_section

Specify the name of a configuration file section that contains object identifier definitions. In this section, each key should be the short name of the OID, and the corresponding value should be the OID’s numerical representation. When OIDs are defined this way, the short and long names are the same.

string_mask

This setting is used to mask out certain string types for certain fields. The default setting is normally appropriate and shouldn’t need to be changed.

req_extensions

Specify the name of a configuration file section that contains the extensions to be included in a certificate request. This setting is overridden by the reqexts command-line option.

x509_extensions

Specify the name of a configuration file section that contains the extensions to be included in a self-signed certificate. This setting is overridden by the extensions command-line option.

prompt

Setting the value for this key to no will cause all prompting for distinguished name information to be suppressed. It also causes the section specified by the distinguished_name key to be interpreted differently.

attributes

Specify the name of a section containing any attributes that should be included in a generated certificate request.

distinguished_name

Specify the name of a section containing the fields to be included in a generated certificate request.

Notes

The sections named by the attributes and distinguished_name keys in the configuration file can follow one of two possible formats, depending on the setting of the prompt key. If prompting is disabled, each key in the section should be the name of a field to be included in the certificate request, and the corresponding value should be the value for each field. This is the simplest format for these sections.

If prompting is enabled, four keys are required for each field that will be included in the generated certificate request. Each key uses the name of the field as a base. The key using the name of the field alone is the prompt that is displayed to the user. For the other three keys, _default, _min, and _max are appended to the field name, and the corresponding values are the default value for the field in the generated certificate request, the minimum length of data that can be entered by the user, and the maximum length of data that can be entered by the user.

Some fields can appear more than once in a distinguished name, but the format described does not allow for more than one field of the same name. To allow for this situation, any characters up to and including a period at the beginning of a field name are ignored, thus allowing for multiple definitions for a field in the configuration file, but including only the proper field name in the generated certificate request. For example, 1.organizationName and 2.organizationName are separate definitions in a configuration file, but in the generated certificate request, two fields named organizationName will be included.
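As an added illustration of the two section formats described above (a constructed example, not a configuration from the original text), the following req configuration uses the simple format with prompt set to no, and also carries an alternative distinguished_name section in the prompt-enabled format with _default, _min and _max keys. The section names, field values and host name are constructed; the 1. and 2. prefixes on organizationName show how a repeated field is defined.

```ini
# Constructed example for: openssl req -new -config req.cnf
[ req ]
default_bits        = 2048
default_md          = sha1
default_keyfile     = privkey.pem
# equivalent to the -nodes command-line option
encrypt_key         = no
# no: the distinguished_name and attributes sections use the simple key = value format
prompt              = no
distinguished_name  = req_dn_noprompt
attributes          = req_attrs
req_extensions      = v3_req
# x509_extensions is consulted only when -x509 is given
x509_extensions     = v3_ca

# Simple format (prompt = no): each key is a field name, each value is the field's value.
# Everything up to and including the leading period is ignored, so both lines below
# produce a field named organizationName in the request.
[ req_dn_noprompt ]
countryName             = US
stateOrProvinceName     = Example State
localityName            = Example City
1.organizationName      = Example Corp
2.organizationName      = Example Corp Security Group
commonName              = www.example.com

# Prompt-enabled format: select it with "prompt = yes" and
# "distinguished_name = req_dn_prompt". The bare field name holds the prompt text;
# field_default, field_min and field_max give the default value and length limits.
[ req_dn_prompt ]
countryName                 = Country Name (2 letter code)
countryName_default         = US
countryName_min             = 2
countryName_max             = 2
organizationName            = Organization Name
organizationName_default    = Example Corp
commonName                  = Common Name (host name)
commonName_max              = 64

# Attributes section in the simple format, matching prompt = no above
[ req_attrs ]
unstructuredName    = Constructed example request

[ v3_req ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints    = CA:TRUE
keyUsage            = keyCertSign, cRLSign
```

After generating a request with this file, openssl req -in req.pem -noout -text -verify shows the resulting subject fields (including both organizationName values) and checks the request's signature.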