=pod

=begin comment
{- join("\n", @autowarntext) -}

=end comment

=head1 NAME

openssl-spkac - SPKAC printing and generating command

=head1 SYNOPSIS

B<openssl> B<spkac>
[B<-help>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-digest> I<digest>]
[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-passin> I<arg>]
[B<-challenge> I<string>]
[B<-pubkey>]
[B<-spkac> I<spkacname>]
[B<-spksect> I<section>]
[B<-noout>]
[B<-verify>]
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}

=head1 DESCRIPTION

This command processes Netscape signed public key and challenge
(SPKAC) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-in> I<filename>

This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the B<-key> option is used.

=item B<-out> I<filename>

Specifies the output filename to write to or standard output by
default.

=item B<-digest> I<digest>

Use the specified I<digest> to sign a created SPKAC file.
The default digest algorithm is MD5.

=item B<-key> I<filename>|I<uri>

Create an SPKAC file using the private key specified by I<filename> or I<uri>.
The B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.

=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The key format; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-passin> I<arg>

The input file password source. For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.

=item B<-challenge> I<string>

Specifies the challenge string if an SPKAC is being created.

=item B<-spkac> I<spkacname>

Allows an alternative name for the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.

=item B<-spksect> I<section>

Allows an alternative name for the section containing the
SPKAC. The default is the default section.

=item B<-noout>

Don't output the text version of the SPKAC (not used if an
SPKAC is being created).

=item B<-pubkey>

Output the public key of an SPKAC (not used if an SPKAC is
being created).

=item B<-verify>

Verifies the digital signature on the supplied SPKAC.

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=back

=head1 EXAMPLES

Print out the contents of an SPKAC:

 openssl spkac -in spkac.cnf

Verify the signature of an SPKAC:

 openssl spkac -in spkac.cnf -noout -verify

Create an SPKAC using the challenge string "hello":

 openssl spkac -key key.pem -challenge hello -out spkac.cnf

Example of an SPKAC (long lines split up for clarity):

 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\
 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\
 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\
 FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\
 h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\
 dq+NQ3F+X4deMx9AaEglZtULwV4=

=head1 NOTES

A created SPKAC with suitable DN components appended can be fed to
L<openssl-ca(1)>.

SPKACs are typically generated by Netscape when a form is submitted
containing the B<KEYGEN> tag as part of the certificate enrollment
process.

The challenge string permits a primitive form of proof of possession
of the private key. By checking the SPKAC signature and a random challenge
string, some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous SPKAC
to be used in a "replay attack".

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-ca(1)>

=head1 HISTORY

The B<-engine> option was deprecated in OpenSSL 3.0.

The B<-digest> option was added in OpenSSL 3.0.

=head1 COPYRIGHT

Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
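=pod

The challenge check described under NOTES, as an added example (not part of the OpenSSL documentation or source): a minimal Python DER walker that reads the challenge and signature algorithm from the sample SPKAC in EXAMPLES, compares the challenge with the one the enrolling side issued, and flags an MD5 or SHA-1 signature. The function names and the C<expected_challenge> parameter are assumptions of this example; it does not verify the signature, which C<openssl spkac -verify> does.

```python
import base64
import hmac
# Sample SPKAC from the EXAMPLES section, continuation backslashes removed.
SAMPLE_SPKAC = (
    "MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA"
    "1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a"
    "8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB"
    "FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ"
    "h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD"
    "dq+NQ3F+X4deMx9AaEglZtULwV4="
)
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_spkac(b64, expected_challenge):
    """Extract challenge and signature algorithm; the signature is not checked."""
    der = base64.b64decode(b64, validate=True)
    tag, spkac, _ = read_tlv(der, 0)             # SignedPublicKeyAndChallenge
    tag2, pkac, pos = read_tlv(spkac, 0)         # PublicKeyAndChallenge
    _, _, cpos = read_tlv(pkac, 0)               # skip SubjectPublicKeyInfo
    ctag, challenge, _ = read_tlv(pkac, cpos)    # challenge, IA5String (0x16)
    _, sigalg, _ = read_tlv(spkac, pos)          # signature AlgorithmIdentifier
    otag, oid_body, _ = read_tlv(sigalg, 0)
    if (tag, tag2, ctag, otag) != (0x30, 0x30, 0x16, 0x06):
        raise ValueError("not an SPKAC structure")
    oid = decode_oid(oid_body)
    return {"challenge": challenge.decode("ascii"), "sig_oid": oid,
            "challenge_ok": hmac.compare_digest(challenge, expected_challenge.encode()),
            "weak_digest": WEAK_SIG_OIDS.get(oid)}
```

For the sample, C<inspect_spkac(SAMPLE_SPKAC, "hello")> reports the challenge C<hello> and the signature algorithm md5WithRSAEncryption, matching the MD5 default noted under B<-digest>.

=cut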