10 B<openssl> B<x509>
11 [B<-help>]
12 [B<-in> I<filename>|I<uri>]
13 [B<-passin> I<arg>]
14 [B<-new>]
15 [B<-x509toreq>]
16 [B<-req>]
17 [B<-copy_extensions> I<arg>]
18 [B<-inform> B<DER>|B<PEM>]
19 [B<-vfyopt> I<nm>:I<v>]
20 [B<-key> I<filename>|I<uri>]
21 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
22 [B<-signkey> I<filename>|I<uri>]
23 [B<-out> I<filename>]
24 [B<-outform> B<DER>|B<PEM>]
25 [B<-nocert>]
26 [B<-noout>]
27 [B<-dateopt>]
28 [B<-text>]
29 [B<-certopt> I<option>]
30 [B<-fingerprint>]
31 [B<-alias>]
32 [B<-serial>]
33 [B<-startdate>]
34 [B<-enddate>]
35 [B<-dates>]
36 [B<-subject>]
37 [B<-issuer>]
39 [B<-email>]
40 [B<-hash>]
41 [B<-subject_hash>]
42 [B<-subject_hash_old>]
43 [B<-issuer_hash>]
44 [B<-issuer_hash_old>]
45 [B<-ext> I<extensions>]
46 [B<-ocspid>]
47 [B<-ocsp_uri>]
48 [B<-purpose>]
49 [B<-pubkey>]
50 [B<-modulus>]
51 [B<-checkend> I<num>]
52 [B<-checkhost> I<host>]
53 [B<-checkemail> I<host>]
54 [B<-checkip> I<ipaddr>]
55 [B<-set_serial> I<n>]
56 [B<-next_serial>]
57 [B<-not_before> I<date>]
58 [B<-not_after> I<date>]
59 [B<-days> I<arg>]
60 [B<-preserve_dates>]
61 [B<-set_issuer> I<arg>]
62 [B<-set_subject> I<arg>]
63 [B<-subj> I<arg>]
64 [B<-force_pubkey> I<filename>]
65 [B<-clrext>]
66 [B<-extfile> I<filename>]
67 [B<-extensions> I<section>]
68 [B<-sigopt> I<nm>:I<v>]
69 [B<-badsig>]
70 [B<-I<digest>>]
71 [B<-CA> I<filename>|I<uri>]
72 [B<-CAform> B<DER>|B<PEM>|B<P12>]
73 [B<-CAkey> I<filename>|I<uri>]
74 [B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
75 [B<-CAserial> I<filename>]
76 [B<-CAcreateserial>]
77 [B<-trustout>]
78 [B<-setalias> I<arg>]
79 [B<-clrtrust>]
80 [B<-addtrust> I<arg>]
81 [B<-clrreject>]
82 [B<-addreject> I<arg>]
107 =item B<-help>
111 =item B<-in> I<filename>|I<uri>
114 or the input file for reading a certificate request if the B<-req> flag is used.
117 This option cannot be combined with the B<-new> flag.
119 =item B<-passin> I<arg>
125 =item B<-new>
129 So this excludes the B<-in> and B<-req> options.
130 Instead, the B<-set_subject> option needs to be given.
131 The public key to include can be given with the B<-force_pubkey> option
132 and defaults to the key given with the B<-key> (or B<-signkey>) option,
135 =item B<-x509toreq>
138 The B<-key> (or B<-signkey>) option must be used to provide the private key for
142 X.509 extensions to be added can be specified using the B<-extfile> option.
144 =item B<-req>
151 X.509 extensions to be added can be specified using the B<-extfile> option.
153 =item B<-copy_extensions> I<arg>
156 when converting from a certificate to a request using the B<-x509toreq> option
157 or converting from a request to a certificate using the B<-req> option.
158 If I<arg> is B<none> or this option is not present then extensions are ignored.
159 If I<arg> is B<copy> or B<copyall> then all extensions are copied,
163 The B<-ext> option can be used to further restrict which extensions to copy.
165 =item B<-inform> B<DER>|B<PEM>
170 =item B<-vfyopt> I<nm>:I<v>
175 =item B<-key> I<filename>|I<uri>
179 Unless B<-force_pubkey> is given, the corresponding public key is placed in
182 This option cannot be used in conjunction with the B<-CA> option.
185 Unless the B<-preserve_dates> option is supplied,
187 and the end date to a value determined by the B<-days> option.
189 B<-not_before> and B<-not_after>.
191 =item B<-signkey> I<filename>|I<uri>
193 This option is an alias of B<-key>.
195 =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
200 =item B<-out> I<filename>
204 =item B<-outform> B<DER>|B<PEM>
206 The output format; the default is B<PEM>.
209 =item B<-nocert>
213 =item B<-noout>
221 Note: the B<-alias> and B<-purpose> options are also printing options
226 =item B<-dateopt>
231 =item B<-text>
237 =item B<-certopt> I<option>
239 Customise the print format used with B<-text>. The I<option> argument
241 The B<-certopt> switch may be also be used more than once to set multiple
244 =item B<-fingerprint>
252 =item B<-alias>
256 =item B<-serial>
260 =item B<-startdate>
264 =item B<-enddate>
268 =item B<-dates>
272 =item B<-subject>
276 =item B<-issuer>
282 =item B<-email>
286 =item B<-hash>
290 =item B<-subject_hash>
296 =item B<-subject_hash_old>
301 =item B<-issuer_hash>
305 =item B<-issuer_hash_old>
310 =item B<-ext> I<extensions>
318 =item B<-ocspid>
322 =item B<-ocsp_uri>
326 =item B<-purpose>
332 =item B<-pubkey>
336 =item B<-modulus>
347 =item B<-checkend> I<arg>
352 =item B<-checkhost> I<host>
356 =item B<-checkemail> I<email>
360 =item B<-checkip> I<ipaddr>
370 =item B<-set_serial> I<n>
373 This option can be used with the B<-key>, B<-signkey>, or B<-CA> options.
374 If used in conjunction with the B<-CA> option
375 the serial number file (as specified by the B<-CAserial> option) is not used.
379 =item B<-next_serial>
383 =item B<-not_before> I<date>
391 Cannot be used together with the B<-preserve_dates> option.
393 =item B<-not_after> I<date>
401 Cannot be used together with the B<-preserve_dates> option.
402 This overrides the option B<-days>.
404 =item B<-days> I<arg>
409 Cannot be used together with the option B<-preserve_dates>.
410 If option B<-not_after> is set, the explicit expiry date takes precedence.
412 =item B<-preserve_dates>
416 Cannot be used together with the options B<-days>, B<-not_before> and B<-not_after>.
418 =item B<-set_issuer> I<arg>
422 See B<-set_subject> on how the arg must be formatted.
424 =item B<-set_subject> I<arg>
428 unless the B<-set_issuer> option is given.
441 This option can be used with the B<-new> and B<-force_pubkey> options to create
444 =item B<-subj> I<arg>
446 This option is an alias of B<-set_subject>.
448 =item B<-force_pubkey> I<filename>
453 or given with the B<-key> (or B<-signkey>) option.
456 This option can be used in conjunction with b<-new> and B<-set_subject>
462 =item B<-clrext>
468 the B<-clrext> option prevents taking over any extensions from the source.
472 =item B<-extfile> I<filename>
476 =item B<-extensions> I<section>
490 =item B<-sigopt> I<nm>:I<v>
496 =item B<-badsig>
501 =item B<-I<digest>>
505 digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options.
507 If not specified then SHA1 is used with B<-fingerprint> or
516 =item B<-CA> I<filename>|I<uri>
523 This option cannot be used in conjunction with B<-key> (or B<-signkey>).
524 This option is normally combined with the B<-req> option referencing a CSR.
525 Without the B<-req> option the input must be an existing certificate
526 unless the B<-new> option is given, which generates a certificate from scratch.
528 =item B<-CAform> B<DER>|B<PEM>|B<P12>,
533 =item B<-CAkey> I<filename>|I<uri>
536 The private key must match the public key of the certificate given with B<-CA>.
537 If this option is not provided then the key must be present in the B<-CA> input.
539 =item B<-CAkeyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
544 =item B<-CAserial> I<filename>
548 When creating a certificate with this option and with the B<-CA> option,
559 If the B<-CA> option is specified and neither <-CAserial> or <-CAcreateserial>
563 =item B<-CAcreateserial>
565 With this option and the B<-CA> option
574 A B<trusted certificate> is an ordinary certificate which has several
595 =item B<-trustout>
600 With the B<-trustout> option a trusted certificate is output. A trusted
603 =item B<-setalias> I<arg>
608 =item B<-clrtrust>
612 =item B<-addtrust> I<arg>
615 Any object name can be used here but currently only B<clientAuth>,
616 B<serverAuth>, B<emailProtection>, and B<anyExtendedKeyUsage> are defined.
621 =item B<-clrreject>
625 =item B<-addreject> I<arg>
628 It accepts the same values as the B<-addtrust> option.
647 customise the actual fields printed using the B<certopt> option when
648 the B<text> option is present. The default behaviour is to print all fields.
652 =item B<compatible>
656 =item B<no_header>
661 =item B<no_version>
665 =item B<no_serial>
669 =item B<no_signame>
673 =item B<no_validity>
675 Don't print the validity, that is the B<notBefore> and B<notAfter> fields.
677 =item B<no_subject>
681 =item B<no_issuer>
685 =item B<no_pubkey>
689 =item B<no_sigdump>
693 =item B<no_aux>
697 =item B<no_extensions>
701 =item B<ext_default>
706 =item B<ext_error>
710 =item B<ext_parse>
714 =item B<ext_dump>
718 =item B<ca_default>
720 The value used by L<openssl-ca(1)>, equivalent to B<no_issuer>, B<no_pubkey>,
721 B<no_header>, and B<no_version>.
796 The B<-email> option searches the subject name and the subject alternative
821 The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
827 The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
830 The B<-engine> option was deprecated in OpenSSL 3.0.
832 The B<-C> option was removed in OpenSSL 3.0.

Last Index update Fri Nov 22 14:03:13 UTC 2024

Dedicated to & Maintained by Room-11