Diffstat (limited to 'upstream/debian-unstable/man1/openssl-x509.1ssl')
-rw-r--r-- | upstream/debian-unstable/man1/openssl-x509.1ssl | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/upstream/debian-unstable/man1/openssl-x509.1ssl b/upstream/debian-unstable/man1/openssl-x509.1ssl index 039c557a..e21cad3e 100644 --- a/upstream/debian-unstable/man1/openssl-x509.1ssl +++ b/upstream/debian-unstable/man1/openssl-x509.1ssl @@ -55,7 +55,7 @@ .\" ======================================================================== .\" .IX Title "OPENSSL-X509 1SSL" -.TH OPENSSL-X509 1SSL 2024-02-03 3.1.5 OpenSSL +.TH OPENSSL-X509 1SSL 2024-04-04 3.2.2-dev OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -144,9 +144,13 @@ openssl\-x509 \- Certificate display and signing command This command is a multi-purposes certificate handling command. It can be used to print certificate information, convert certificates to various forms, edit certificate trust settings, -generate certificates from scratch or from certificating requests +generate certificates from scratch or from certification requests and then self-signing them or signing them like a "micro CA". .PP +Generated certificates bear X.509 version 3. +Unless specified otherwise, +key identifier extensions are included as described in \fBx509v3_config\fR\|(5). +.PP Since there are a large number of options they will split up into various sections. .SH OPTIONS @@ -171,7 +175,8 @@ see \fBopenssl\-passphrase\-options\fR\|(1). .IP \fB\-new\fR 4 .IX Item "-new" Generate a certificate from scratch, not using an input certificate -or certificate request. So the \fB\-in\fR option must not be used in this case. +or certificate request. +So this excludes the \fB\-in\fR and \fB\-req\fR options. Instead, the \fB\-subj\fR option needs to be given. The public key to include can be given with the \fB\-force_pubkey\fR option and defaults to the key given with the \fB\-key\fR (or \fB\-signkey\fR) option, 
@@ -205,7 +210,7 @@ are not taken over when producing a certificate request. The \fB\-ext\fR option can be used to further restrict which extensions to copy. .IP "\fB\-inform\fR \fBDER\fR|\fBPEM\fR" 4 .IX Item "-inform DER|PEM" -The input file format; unspecified by default. +The input file format to use; by default PEM is tried first. See \fBopenssl\-format\-options\fR\|(1) for details. .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4 .IX Item "-vfyopt nm:v" @@ -220,9 +225,7 @@ the new certificate or certificate request, resulting in a self-signature. .Sp This option cannot be used in conjunction with the \fB\-CA\fR option. .Sp -It sets the issuer name to the subject name (i.e., makes it self-issued) -and changes the public key to the supplied value (unless overridden -by \fB\-force_pubkey\fR). +It sets the issuer name to the subject name (i.e., makes it self-issued). Unless the \fB\-preserve_dates\fR option is supplied, it sets the validity start date to the current time and the end date to a value determined by the \fB\-days\fR option. @@ -324,7 +327,7 @@ as used by OpenSSL before version 1.0.0. Prints out the certificate extensions in text form. Can also be used to restrict which extensions to copy. Extensions are specified -with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier". +with a comma separated string, e.g., "subjectAltName, subjectKeyIdentifier". See the \fBx509v3_config\fR\|(5) manual page for the extension names. .IP \fB\-ocspid\fR 4 .IX Item "-ocspid" 
@@ -398,19 +401,21 @@ Example: .Sp \&\f(CW\*(C`/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\*(C'\fR .Sp -This option can be used in conjunction with the \fB\-force_pubkey\fR option -to create a certificate even without providing an input certificate -or certificate request. +This option can be used with the \fB\-new\fR and \fB\-force_pubkey\fR options to create +a new certificate without providing an input certificate or certificate request. .IP "\fB\-force_pubkey\fR \fIfilename\fR" 4 .IX Item "-force_pubkey filename" -When a certificate is created set its public key to the key in \fIfilename\fR +When a new certificate or certificate request is created +set its public key to the given key instead of the key contained in the input or given with the \fB\-key\fR (or \fB\-signkey\fR) option. +If the input contains no public key but a private key, its public part is used. +.Sp +This option can be used in conjunction with b<\-new> and \fB\-subj\fR +to directly generate a certificate containing any desired public key. .Sp -This option is useful for creating self-issued certificates that are not +This option is also useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. -It can also be used in conjunction with \fB\-new\fR and \fB\-subj\fR to directly -generate a certificate containing any desired public key. .IP \fB\-clrext\fR 4 .IX Item "-clrext" When transforming a certificate to a new certificate 
@@ -430,8 +435,12 @@ If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. +.Sp See the \fBx509v3_config\fR\|(5) manual page for details of the extension section format. +.Sp +Unless specified otherwise, +key identifier extensions are included as described in \fBx509v3_config\fR\|(5). .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4 .IX Item "-sigopt nm:v" Pass options to the signature algorithm during sign operations. @@ -755,6 +764,9 @@ keeping the old name as an alias. The \fB\-engine\fR option was deprecated in OpenSSL 3.0. .PP The \fB\-C\fR option was removed in OpenSSL 3.0. +.PP +Since OpenSSL 3.2, generated certificates bear X.509 version 3, +and key identifier extensions are included by default. .SH COPYRIGHT .IX Header "COPYRIGHT" Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved. |
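Review bot: in the DESCRIPTION hunk (@@ -144,9 +144,13 @@), the added "Unless specified otherwise, key identifier extensions are included" never says where that is specified: a command-line option, the -extfile section, or a config value. Anyone who pins or compares certificate contents across OpenSSL versions needs to know how to get the old output back, so name the mechanism here rather than only pointing at x509v3_config(5). The paragraph also states the new default without the "Since OpenSSL 3.2" qualifier that appears only in the HISTORY hunk; a short "(since 3.2)" in DESCRIPTION would save readers a scroll.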
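Review bot: in the -inform hunk (@@ -205,7 +210,7 @@), "by default PEM is tried first" leaves open what is tried second and what happens when neither format parses. The old wording ("unspecified by default") was vague, but the new one implies an ordered fallback without completing it. Either spell out the fallback order in this item or make the sentence defer entirely to openssl-format-options(1).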
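Review bot: in the -key/-signkey hunk (@@ -220,9 +225,7 @@), the removed text "and changes the public key to the supplied value (unless overridden by -force_pubkey)" is not replaced by anything, so this item no longer says which public key ends up in the output when an input certificate is re-signed. The -new item still says the public key "defaults to the key given with the -key (or -signkey) option", which now reads as applying to -new only. If the behaviour changed, the HISTORY hunk should record it next to the 3.2 note; if only the documentation was wrong, a sentence stating that the input's public key is kept would close the gap.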
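Review bot: in the -ext hunk (@@ -324,7 +327,7 @@), the example changes from "subjectAltName,subjectKeyIdentifier" to "subjectAltName, subjectKeyIdentifier", but the sentence still describes a "comma separated string" and does not say that whitespace around names is accepted. A reader who copies the new example without shell quoting passes two arguments instead of one. Either state that surrounding whitespace is ignored and that the value must be quoted, or keep the example free of spaces.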
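Review bot: in the -force_pubkey hunk (@@ -398,19 +401,21 @@), the added line "This option can be used in conjunction with b<\-new> and \fB\-subj\fR" contains a literal b<\-new> where every other option reference is rendered as \fB...\fR, so the man page will show the raw markup. This looks like a lowercase b in the POD source (b<-new> instead of B<-new>) that the generator passed through unchanged. As this file is a generated copy under upstream/, the correction belongs in the originating POD, followed by a regenerate, not in a hand edit here.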