x509
The x509
command is used to create, examine, and manipulate X.509
certificates. It is a complex command that accepts a large number of
options. We’ve broken the options up into separate
sections based on their function.
Specify
the name of a file from which data will be read. The expected data
varies depending on the type of operation being performed, but
usually an X.509 certificate is expected. If this option is omitted,
stdin is used by default.
Specify the format of the input data. If this option is omitted, the default is normally PEM, but may vary depending on the operation being performed.
Specify the name of a file to which data will be written. Output is
normally an X.509 certificate. If this option is omitted,
stdout is used by default.
Specify the format of the output data. If this option is omitted, the default is normally PEM, but may vary depending on the operation being performed.
Specify the message digest to use for signing. If this option is omitted, the default is to use MD5 for certificates and certificate requests containing RSA keys. For certificates and certificate requests containing DSA keys, DSS1 is always used, regardless of which algorithm is specified on the command line.
Cause output of the certificate in encoded form to be suppressed.
Output a human-readable representation of the certificate.
Output the value of the modulus of the public key contained in the certificate.
Output the certificate’s serial number.
Output the hash of the certificate issuer’s name.
This value is used by any command that accepts a
CApath option to name the certificates in the
directory specified by the option.
Output the certificate’s subject name.
Output the certificate’s issuer name.
Specify how the subject or issuer names are displayed. This option may be specified more than once. See the section below for a list of valid options and what they mean.
Output the certificate’s email address or addresses if any are present.
Output the certificate’s start date.
Output the certificate’s end date.
Output the certificate’s start and end dates.
Check whether the certificate will expire within the number of seconds specified as a parameter to this option.
Output the certificate’s public key in PEM format.
Output the certificate’s fingerprint, which is the digest of a DER-encoded form of the whole certificate.
Output a C code representation of the certificate.
The trust options described in this section are experimental and subject to change in future releases of OpenSSL. The information presented here is current for Version 0.9.6 of OpenSSL.
Cause a trusted certificate to be output. Either a trusted or untrusted certificate is accepted as input to the command, but only untrusted certificates are normally output. If any trust settings are modified on a certificate, a trusted certificate is automatically output, regardless of whether this option is specified.
Output the certificate’s alias. Technically, this is a display option, but it is listed as a trust option because a certificate’s alias is a trust setting.
Specify the alias for the certificate. Allows a certificate to be referred to by its alias.
Cause a series of tests to be performed on the certificate’s extensions. The results of the test are output.
Cause all permitted or trusted uses of the certificate to be cleared.
Cause all prohibited or rejected uses of the certificate to be cleared.
Add a permitted or trusted use to the certificate. Any object
identifier’s short name may be used as a parameter
for this option. OpenSSL itself uses only
clientAuth, serverAuth, and
emailProtection.
Add a prohibited or rejected use to the certificate. Any object identifier’s short name may be used as a parameter for this option.
The x509 command is
capable of signing certificate requests, thus creating certificates.
The command can be used to create self-signed certificates and to
behave like a mini-CA.
Cause the input data to be treated as a certificate request. This option is required with many of the other options described in this section.
Specify the name of a file containing the private key that will be
used to create a self-signed certificate. If the input data is a
certificate, its issuer name will be set to its subject name, and the
public key that it contains will be replaced with the public key that
matches the private key specified by this option. The
certificate’s start date will be set to the current
date, and its end date will be computed using the
days option. If the input data is a certificate
request, a self-signed certificate is created using the specified
private key and the subject name contained in the request.
Specify the format of the key that is specified with the
signkey option. If this option is omitted, PEM is
the default.
Specify the password required to decrypt the private key specified
with the signkey or CAkey
options. This option follows the guidelines for passwords or
passphrases outlined in Chapter 2.
Specify the number of days to make a certificate valid. The default is 30 days.
Specify the name of a file containing a certificate that will be used
for signing. This certificate’s subject name is used
as the issuer name for the resulting certificate, and the certificate
is signed using the private key that matches this certificate. This
option is normally used with the req option, but
may be used with an existing self-signed certificate as well.
Specify the format—DER or PEM—of the certificate
specified with the CA option. If this option is
omitted, PEM is the default.
Specify the name of a file containing the private key that matches
the certificate specified with the CA option. If
this option is omitted, the private key is expected to be in the same
file as the certificate.
Specify the format—DER or PEM—of the private key
specified with the CAkey option. If this option is
omitted, PEM is the default.
Specify the name of a file containing the
certificate’s serial number information. This file
uses the same format as the serial-number file for the
ca command, which is a single line containing an
even number of hexadecimal digits representing the next serial number
to use. If this option is omitted, the filename specified with the CA
option is used with its extension stripped and replaced with
.srl.
Specify the name of a file containing the certificate’s serial number information. If the file doesn’t exist, it will be created using the number “02” as the next serial number to issue.
Specify the name of a file containing extensions that should be included in the new certificate. This file is essentially a configuration file, although the configuration file’s only use with this command is for certificate extensions.
Specify the name of the section to use from the file specified with
the extfile option that contains the extensions to
include in the new certificate.
Cause all extensions present in a certificate to be removed. This
option should be used when a new certificate is being created from
another existing certificate, using either the
signkey or the CA options.
Convert a certificate into a certificate request. The
signkey option should be used in combination with
this option to specify the name of the file containing the private
key that matches the certificate.
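A worked run of the signing options above (an example added here, not the book's own code): a throw-away CA is created with -signkey, a server certificate is issued with -CA, -CAkey, -CAcreateserial, -CAserial and an -extfile section, and the result is verified. It assumes a modern OpenSSL that accepts -sha256 and finds its default openssl.cnf; every name and path is constructed.

```shell
#!/bin/sh
# Added example, not the book's own code: a throw-away CA built with
# "x509 -req -signkey" and one server certificate issued with
# "x509 -req -CA/-CAkey". Assumes a modern OpenSSL (-sha256 available,
# default openssl.cnf present); every name and path below is constructed.
set -eu

# Issue the chain in a temporary directory, verify it, print the issuer.
mini_ca_demo() {
    work=$(mktemp -d)
    # Extension file: only the section named with -extensions is used.
    cat > "$work/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # CA key and request; -signkey turns the request into a self-signed
    # certificate whose issuer equals its subject.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/ca.key" 2>/dev/null
    openssl req -new -key "$work/ca.key" -subj "/CN=Example Test CA" \
        -out "$work/ca.csr" 2>/dev/null
    openssl x509 -req -in "$work/ca.csr" -signkey "$work/ca.key" -sha256 \
        -days 30 -extfile "$work/ext.cnf" -extensions ca_ext \
        -out "$work/ca.crt" 2>/dev/null
    # Server key and request, signed by the CA: the CA certificate's
    # subject becomes the issuer; -CAcreateserial creates the serial file
    # named by -CAserial if it does not exist yet.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/server.key" 2>/dev/null
    openssl req -new -key "$work/server.key" -subj "/CN=www.example.test" \
        -out "$work/server.csr" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -CAserial "$work/ca.srl" \
        -sha256 -days 30 -extfile "$work/ext.cnf" -extensions server_ext \
        -out "$work/server.crt" 2>/dev/null
    # The issued certificate must chain to the CA and must not be expired
    # (-checkend 0 exits non-zero once the end date has passed).
    openssl verify -CAfile "$work/ca.crt" "$work/server.crt" >/dev/null
    openssl x509 -in "$work/server.crt" -noout -checkend 0 >/dev/null
    openssl x509 -in "$work/server.crt" -noout -issuer -nameopt RFC2253
    rm -rf "$work"
}
```

Running mini_ca_demo prints the issuer line of the new server certificate; any failing step aborts the script because of set -e.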
The nameopt display
option accepts a variety of options that control how the issuer and
subject names of a certificate are displayed. The option may be
specified multiple times to specify multiple options. Each of the
supported option keywords is enumerated in this section. Any of the
options may be preceded with a dash (-) to turn that
option off.
The default format. It is equivalent to specifying no
nameopt options at all.
Cause names to be displayed in a format compatible with RFC 2253. It
is equivalent to specifying the options esc_2253,
esc_ctrl, esc_msb,
utf8, dump_nostr,
dump_unknown, dump_der,
sep_comma_plus, dn_rev, and
sname.
A single-line format that is more readable than the RFC 2253 format.
It is equivalent to specifying the options
esc_2253, esc_ctrl,
esc_msb, utf8,
dump_nostr, dump_der,
use_quote, sep_comma_plus_spc,
spc_eq, and sname.
A multiline format that is equivalent to specifying the options
esc_ctrl, esc_msb,
sep_multiline, spc_eq, and
lname.
Cause special characters required by RFC 2253 to be escaped. The characters that are escaped are comma (,), plus (+), double quote ("), less than (<), greater than (>), and semicolon (;). In addition, a hash mark (#), a space at the beginning of a string, and a space at the end of a string are also escaped.
Cause control characters to be escaped. A control character is one whose ASCII value is less than a space (0x20) or equal to the delete character (0x7F).
Cause characters that have their most significant bit (MSB) set to be escaped.
Cause some characters to be escaped by surrounding the entire string with double-quotes characters.
Cause all strings to be converted to the UTF8 character encoding.
Cause multibyte characters to be uninterpreted. In other words, each byte of a multibyte character is treated as if it were a character of its own.
Cause the ASN.1 type of the string to be prepended to the output.
Cause any fields that need to be hexdumped to be dumped using the DER encoding of the field. If this option is not used, just the content octets will be displayed.
Cause noncharacter string types to be displayed. If this option is not used, noncharacter string types will be displayed as though each content octet was a single character.
Cause all fields to be displayed.
Cause any field that has an OID unknown to OpenSSL to be displayed. Without this option, unknown fields are not included in the output.
Specify how fields will be separated in the output.
Cause the fields to be displayed in the reverse order that they are present in the name.
Cause the field name to be suppressed.
Cause the field name to be displayed using the field object identifier’s short name.
Cause the field name to be displayed using the field object identifier’s long name.
Cause the field name to be displayed using the field object identifier’s numerical representation.
Cause spaces to be placed around the equals sign (=) that is used to separate the field name from its value.
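To see how the presets described above differ, the following added example (not the book's own code) renders one subject name under RFC2253, oneline and multiline. It assumes a modern OpenSSL with its default openssl.cnf; the subject "/O=Acme/CN=Smith, John" is constructed so that the embedded comma exposes the esc_2253, use_quote and dn_rev behaviour.

```shell
#!/bin/sh
# Added example, not the book's own code: one subject name rendered with
# three of the -nameopt presets described above. Assumes a modern OpenSSL
# with the default openssl.cnf; the subject "/O=Acme/CN=Smith, John" is
# constructed so the embedded comma exposes the escaping differences.
set -eu

# Write a throw-away self-signed certificate with the constructed subject
# to the path given as $1 (its key goes to "$1.key").
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -days 1 \
        -subj "/O=Acme/CN=Smith, John" -out "$1" 2>/dev/null
}

# Print the subject of certificate $1 under the -nameopt value $2.
# RFC2253:   comma escaped as "\,", fields reversed (dn_rev), no spaces,
#            e.g. subject=CN=Smith\, John,O=Acme
# oneline:   value quoted instead (use_quote), spaces around "=" (spc_eq),
#            e.g. subject=O = Acme, CN = "Smith, John"
# multiline: one field per line using long names (lname).
show_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt "$2"
}
```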