Diffstat (limited to 'upstream/archlinux/man1/openssl-cmp.1ssl')
-rw-r--r-- | upstream/archlinux/man1/openssl-cmp.1ssl | 67 |
1 files changed, 56 insertions, 11 deletions
diff --git a/upstream/archlinux/man1/openssl-cmp.1ssl b/upstream/archlinux/man1/openssl-cmp.1ssl index a0dab1a8..0afc3c81 100644 --- a/upstream/archlinux/man1/openssl-cmp.1ssl +++ b/upstream/archlinux/man1/openssl-cmp.1ssl @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "OPENSSL-CMP 1ssl" -.TH OPENSSL-CMP 1ssl 2024-01-30 3.2.1 OpenSSL +.TH OPENSSL-CMP 1ssl 2024-04-28 3.3.0 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -74,7 +74,8 @@ Generic message options: .PP [\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR] [\fB\-infotype\fR \fIname\fR] -[\fB\-geninfo\fR \fIOID:int:N\fR] +[\fB\-profile\fR \fIname\fR] +[\fB\-geninfo\fR \fIvalues\fR] .PP Certificate enrollment options: .PP @@ -122,6 +123,7 @@ Server authentication options: [\fB\-expect_sender\fR \fIname\fR] [\fB\-ignore_keyusage\fR] [\fB\-unprotected_errors\fR] +[\fB\-no_cache_extracerts\fR] [\fB\-srvcertout\fR \fIfilename\fR] [\fB\-extracertsout\fR \fIfilename\fR] [\fB\-cacertsout\fR \fIfilename\fR] @@ -175,6 +177,7 @@ Client-side debugging options: [\fB\-reqin\fR \fIfilenames\fR] [\fB\-reqin_new_tid\fR] [\fB\-reqout\fR \fIfilenames\fR] +[\fB\-reqout_only\fR \fIfilename\fR] [\fB\-rspin\fR \fIfilenames\fR] [\fB\-rspout\fR \fIfilenames\fR] [\fB\-use_mock_srv\fR] 
@@ -324,10 +327,17 @@ ITAV \fBinfoType\fRs is printed to stdout. Set InfoType name to use for requesting specific info in \fBgenm\fR, e.g., \f(CW\*(C`signKeyPairTypes\*(C'\fR. So far, there is specific support for \f(CW\*(C`caCerts\*(C'\fR and \f(CW\*(C`rootCaCert\*(C'\fR. -.IP "\fB\-geninfo\fR \fIOID:int:N\fR" 4 -.IX Item "-geninfo OID:int:N" -generalInfo integer values to place in request PKIHeader with given OID, -e.g., \f(CW\*(C`1.2.3.4:int:56789\*(C'\fR. +.IP "\fB\-profile\fR \fIname\fR" 4 +.IX Item "-profile name" +Name of a certificate profile to place in +the PKIHeader generalInfo field of request messages. +.IP "\fB\-geninfo\fR \fIvalues\fR" 4 +.IX Item "-geninfo values" +A comma-separated list of InfoTypeAndValue to place in +the generalInfo field of the PKIHeader of requests messages. +Each InfoTypeAndValue gives an OID and an integer or string value +of the form \fIOID\fR:int:\fInumber\fR or \fIOID\fR:str:\fItext\fR, +e.g., \f(CW\*(Aq1.2.3.4:int:56789, id\-kp:str:name\*(Aq\fR. .SS "Certificate enrollment options" .IX Subsection "Certificate enrollment options" .IP "\fB\-newkey\fR \fIfilename\fR|\fIuri\fR" 4 @@ -653,6 +663,7 @@ For details see the description of the \fB\-subject\fR option. Ignore key usage restrictions in CMP signer certificates when validating signature-based protection of incoming CMP messages. By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by CMP signer certificates. +This option applies to both CMP clients and the mock server. .IP \fB\-unprotected_errors\fR 4 .IX Item "-unprotected_errors" Accept missing or invalid protection of negative responses from the server. 
@@ -686,6 +697,11 @@ appendix D.4 shows PKIConf message having protection .RE .RS 4 .RE +.IP \fB\-no_cache_extracerts\fR 4 +.IX Item "-no_cache_extracerts" +Do not cache certificates in the extraCerts field of CMP messages received. +By default, they are kept as they may be helful for validating further messages. +This option applies to both CMP clients and the mock server. .IP "\fB\-srvcertout\fR \fIfilename\fR" 4 .IX Item "-srvcertout filename" The file where to save the successfully validated certificate, if any, @@ -940,8 +956,8 @@ have no effect on the certificate verification enabled via this option. Address to be checked during hostname validation. This may be a DNS name or an IP address. If not given it defaults to the \fB\-server\fR address. -.SS "Client-side debugging options" -.IX Subsection "Client-side debugging options" +.SS "Client-side options for debugging and offline scenarios" +.IX Subsection "Client-side options for debugging and offline scenarios" .IP \fB\-batch\fR 4 .IX Item "-batch" Do not interactively prompt for input, for instance when a password is needed. 
@@ -955,9 +971,29 @@ Default is one invocation. Take the sequence of CMP requests to send to the server from the given file(s) rather than from the sequence of requests produced internally. .Sp +This option is useful for supporting offline scenarios where the certificate +request (or any other CMP request) is produced beforehand and sent out later. +.Sp This option is ignored if the \fB\-rspin\fR option is given because in the latter case no requests are actually sent. .Sp +Note that in any case the client produces internally its sequence +of CMP request messages. Thus, all options required for doing this +(such as \fB\-cmd\fR and all options providing the required parameters) +need to be given also when the \fB\-reqin\fR option is present. +.Sp +If the \fB\-reqin\fR option is given for a certificate request +and no \fB\-newkey\fR, \fB\-key\fR, \fB\-oldcert\fR, or \fB\-csr\fR option is given, +a fallback public key is taken from the request message file +(if it is included in the certificate template). +.Sp +Hint: In case the \fB\-reqin\fR option is given for a certificate request, there are +situations where the client has access to the public key to be certified but +not to the private key that by default will be needed for proof of possession. +In this case the POPO is not actually needed (because the internally produced +certificate request message will not be sent), and its generation +can be disabled using the options \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR. +.Sp Multiple filenames may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "..."). .Sp 
@@ -985,6 +1021,13 @@ Multiple filenames may be given, separated by commas and/or whitespace. Files are written as far as needed to save the transaction and filenames have been provided. If the transaction contains more requests, the remaining ones are not saved. +.IP "\fB\-reqout_only\fR \fIfilename\fR" 4 +.IX Item "-reqout_only filename" +Save the first CMP requests created by the client to the given file and exit. +Any options related to CMP servers and their reponses are ignored. +.Sp +This option is useful for supporting offline scenarios where the certificate +request (or any other CMP request) is produced beforehand and sent out later. .IP "\fB\-rspin\fR \fIfilenames\fR" 4 .IX Item "-rspin filenames" Process the sequence of CMP responses provided in the given file(s), @@ -1223,7 +1266,7 @@ In order to update the enrolled certificate one may call \& openssl cmp \-section insta,kur .Ve .PP -using with MAC-based protection with PBM or +using MAC-based protection with PBM or .PP .Vb 1 \& openssl cmp \-section insta,kur,signature @@ -1355,10 +1398,12 @@ and the above transaction using a general message reduces to .IX Header "HISTORY" The \fBcmp\fR application was added in OpenSSL 3.0. .PP -The \fB\-engine option\fR was deprecated in OpenSSL 3.0. +The \fB\-engine\fR option was deprecated in OpenSSL 3.0. +.PP +The \fB\-profile\fR option was added in OpenSSL 3.3. .SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |
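Review bot: In the hunk at @@ -324,10 +327,17 @@ the new -geninfo text says "requests messages"; it should read "request messages". The same paragraph calls the argument "a comma-separated list" but the example `'1.2.3.4:int:56789, id-kp:str:name'` has a space after the comma, so the description should state whether whitespace around the separator is tolerated or whether the quoting is what makes the example work. The new -profile entry says only that the name is placed "in the PKIHeader generalInfo field"; naming the infoType under which it is carried would let a reader recognise it in a captured PKIHeader and distinguish it from values supplied via -geninfo.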
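Review bot: In the hunk at @@ -686,6 +697,11 @@ "helful" should be "helpful". The sentence "By default, they are kept as they may be helful for validating further messages" is the only statement of what the cached extraCerts are used for, and it should say explicitly whether they are treated only as untrusted intermediate certificates for chain building and never as trust anchors; as written, a reader could take the default caching to mean that certificates received from the peer gain trust, which is exactly the question a user weighing -no_cache_extracerts needs answered.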
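Review bot: In the hunk at @@ -955,9 +971,29 @@ two sentences need reordering: "the client produces internally its sequence of CMP request messages" reads better as "the client internally produces its sequence of CMP request messages", and "need to be given also when the -reqin option is present" as "also need to be given when the -reqin option is present". The hint recommending -popo -1 or -popo 0 should add that this only suppresses the proof of possession in the internally generated request that is discarded, and does not relax any proof-of-possession requirement on the request taken from the -reqin file, which is the message the server actually receives; otherwise the hint can be read as a general way to skip POPO.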
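Review bot: In the hunk at @@ -985,6 +1021,13 @@ "reponses" should be "responses", and "Save the first CMP requests created by the client to the given file and exit" mixes a plural with a single file; since the option takes one filename, it should read "Save the first CMP request created by the client to the given file and exit". The sentence about offline scenarios is repeated verbatim from the -reqin entry added in the preceding hunk; a cross-reference ("see -reqin") would avoid the two copies drifting apart in later edits.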
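Review bot: The HISTORY hunk at @@ -1355,10 +1398,12 @@ records only "The -profile option was added in OpenSSL 3.3", but the same patch also adds -no_cache_extracerts (hunk at @@ -122,6 +123,7 @@) and -reqout_only (hunk at @@ -175,6 +177,7 @@) to the synopsis and documents them in the options sections; both should be listed in HISTORY as added in OpenSSL 3.3 so that users of older releases know these options are unavailable.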