diff options
-rw-r--r-- | usr.sbin/openssl/openssl.1 | 328 |
1 files changed, 168 insertions, 160 deletions
diff --git a/usr.sbin/openssl/openssl.1 b/usr.sbin/openssl/openssl.1 index c17d026e74a..30685260bb4 100644 --- a/usr.sbin/openssl/openssl.1 +++ b/usr.sbin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.5 2003/03/22 08:02:03 david Exp $ +.\" $OpenBSD: openssl.1,v 1.6 2003/04/25 12:43:10 jmc Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -7,7 +7,7 @@ .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in @@ -51,28 +51,28 @@ .\" (eay@cryptsoft.com). This product includes software written by Tim .\" Hudson (tjh@cryptsoft.com). .\" -.\" +.\" .\" Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) .\" All rights reserved. .\" .\" This package is an SSL implementation written .\" by Eric Young (eay@cryptsoft.com). .\" The implementation was written so as to conform with Netscapes SSL. -.\" +.\" .\" This library is free for commercial and non-commercial use as long as .\" the following conditions are aheared to. The following conditions .\" apply to all code found in this distribution, be it the RC4, RSA, .\" lhash, DES, etc., code; not just the SSL code. The SSL documentation .\" included with this distribution is covered by the same copyright terms .\" except that the holder is Tim Hudson (tjh@cryptsoft.com). -.\" +.\" .\" Copyright remains Eric Young's, and as such any Copyright notices in .\" the code are not to be removed. .\" If this package is used in a product, Eric Young should be given attribution .\" as the author of the parts of the library used. .\" This can be in the form of a textual message at program startup or .\" in documentation (online or textual) provided with the package. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -87,12 +87,12 @@ .\" Eric Young (eay@cryptsoft.com)" .\" The word 'cryptographic' can be left out if the rouines from the library .\" being used are not cryptographic related :-). -.\" 4. If you include any Windows specific code (or a derivative thereof) from +.\" 4. If you include any Windows specific code (or a derivative thereof) from .\" the apps directory (application code) you must include an .\" acknowledgement: .\" "This product includes software written by Tim Hudson .\" (tjh@cryptsoft.com)" -.\" +.\" .\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -104,7 +104,7 @@ .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. -.\" +.\" .\" The licence and distribution terms for any publically available version or .\" derivative of this code cannot be changed. i.e. this code cannot simply be .\" copied and put under another distribution licence @@ -148,14 +148,14 @@ program is a command line tool for using the various cryptography functions of .Nm OpenSSL Ns Li 's .Em crypto -library from the shell. -It can be used for +library from the shell. +It can be used for .Pp .Bl -bullet -compact .It Creation of RSA, DH and DSA key parameters .It -Creation of X.509 certificates, CSRs and CRLs +Creation of X.509 certificates, CSRs and CRLs .It Calculation of Message Digests .It @@ -401,6 +401,7 @@ Read the password from the file descriptor This can be used to send the data via a pipe for example. .It Ar stdin Read the password from standard input. +.El .\" .\" ASN1PARSE .\" @@ -423,7 +424,7 @@ command is a diagnostic utility that can parse ASN.1 structures. It can also be used to extract data from ASN.1 formatted data. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM The input format. .Ar DER @@ -457,25 +458,26 @@ section below. Parse the contents octets of the ASN.1 object starting at .Ar offset . This option can be used multiple times to "drill down" into a nested structure. +.El .Sh ASN1PARSE OUTPUT The output will typically contain lines like this: .Pp .Bd -literal 0:d=0 hl=4 l= 681 cons: SEQUENCE -.Pp + \&..... -.Pp - 229:d=3 hl=3 l= 141 prim: BIT STRING - 373:d=2 hl=3 l= 162 cons: cont [ 3 ] - 376:d=3 hl=3 l= 159 cons: SEQUENCE - 379:d=4 hl=2 l= 29 cons: SEQUENCE + + 229:d=3 hl=3 l= 141 prim: BIT STRING + 373:d=2 hl=3 l= 162 cons: cont [ 3 ] + 376:d=3 hl=3 l= 159 cons: SEQUENCE + 379:d=4 hl=2 l= 29 cons: SEQUENCE 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier - 386:d=5 hl=2 l= 22 prim: OCTET STRING - 410:d=4 hl=2 l= 112 cons: SEQUENCE + 386:d=5 hl=2 l= 22 prim: OCTET STRING + 410:d=4 hl=2 l= 112 cons: SEQUENCE 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier - 417:d=5 hl=2 l= 105 prim: OCTET STRING + 417:d=5 hl=2 l= 105 prim: OCTET STRING 524:d=4 hl=2 l= 12 cons: SEQUENCE -.Pp + \&..... .Ed .Pp @@ -493,7 +495,7 @@ The .Fl i option can be used to make the output more readable. .Pp -Some knowledge of the ASN.1 structure is needed to interpret the output. +Some knowledge of the ASN.1 structure is needed to interpret the output. .Pp In this example the BIT STRING at offset 229 is the certificate public key. The contents octets of this will contain the public key information. @@ -502,9 +504,10 @@ This can be examined using the option to yield: .Pp .Bd -literal -\& 0:d=0 hl=3 l= 137 cons: SEQUENCE +\& 0:d=0 hl=3 l= 137 cons: SEQUENCE \& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 \& 135:d=1 hl=2 l= 3 prim: INTEGER :010001 +.Ed .Sh ASN1PARSE NOTES If an OID is not part of .Nm OpenSSL Ns Li 's @@ -575,7 +578,7 @@ It also maintains a text database of issued certificates and their status. .Pp The options descriptions will be divided into each purpose. .Sh CA OPTIONS -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl config Ar filename Specifies the configuration file to use. .It Fl name Ar section @@ -600,7 +603,7 @@ See the section for information on the required format. .It Fl infiles If present, this should be the last option; all subsequent arguments -are assumed to be the names of files containing certificate requests. +are assumed to be the names of files containing certificate requests. .It Fl out Ar filename The output file to output certificates to. The default is standard output. @@ -707,7 +710,7 @@ to read certificate extensions from option is also used). .El .Sh CRL OPTIONS -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl gencrl This option generates a CRL based on information in the index file. .It Fl crldays Ar num @@ -739,7 +742,7 @@ The CRL extensions specified are CRL extensions and .Em not CRL entry extensions. It should be noted that some software (for example Netscape) -can't handle V2 CRLs. +can't handle V2 CRLs. .El .Sh CA CONFIGURATION FILE OPTIONS The section of the configuration file containing options for @@ -774,12 +777,12 @@ the command line value is used. Where an option is described as mandatory, then it must be present in the configuration file or the command line equivalent (if any) used. .Pp -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Ar oid_file This specifies a file containing additional OBJECT IDENTIFIERS. Each line of the file should consist of the numerical form of the object identifier followed by whitespace, then the short name followed -by whitespace and finally the long name. +by whitespace and finally the long name. .It Ar oid_section This specifies a section in the configuration file containing extra object identifiers. @@ -813,7 +816,7 @@ or an EGD socket (see The same as the .Fl days option. -The number of days to certify a certificate for. +The number of days to certify a certificate for. .It Ar default_startdate The same as the .Fl startdate @@ -945,7 +948,7 @@ The input to the command line option is a Netscape signed public key and challenge. This will usually come from the .Em KEYGEN -tag in an HTML form to create a new private key. +tag in an HTML form to create a new private key. It is, however, possible to create SPKACs using the .Nm spkac utility. @@ -1192,7 +1195,7 @@ cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. .Pp The options are as follows: -.Bl -tag -width -Ds +.Bl -tag -width "XXXX" .It Fl v Verbose option. List ciphers with a complete description of protocol version @@ -1285,7 +1288,7 @@ can be used at any point to sort the current cipher list in order of encryption algorithm key length. .Sh CIPHERS STRINGS The following is a list of all permitted cipher strings and their meanings. -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Ar DEFAULT The default cipher list. This is determined at compile time and is normally @@ -1482,8 +1485,8 @@ These ciphers can also be used in SSL v3. .Ed .Pp .Cm SSL v2.0 cipher suites -.Bd -literal .Pp +.Bd -literal \& SSL_CK_RC4_128_WITH_MD5 RC4-MD5 \& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 \& SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 @@ -1559,7 +1562,7 @@ or format. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. .Ar DER @@ -1568,7 +1571,7 @@ format is DER encoded CRL structure. (the default) is a base64 encoded version of the DER form with header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format; the options have the same meaning as the +This specifies the output format; the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -1647,7 +1650,7 @@ certificates and converts them into a PKCS#7 degenerate "certificates only" structure. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the CRL input format. .Ar DER @@ -1695,7 +1698,7 @@ format with no CRL from several different certificates: .Pp .Bd -literal -\& $ openssl crl2pkcs7 -nocrl -certfile newcert.pem +\& $ openssl crl2pkcs7 -nocrl -certfile newcert.pem \& -certfile demoCA/cacert.pem -outform DER -out p7.der .Ed .Sh CRL2PKCS7 NOTES @@ -1743,7 +1746,7 @@ in hexadecimal form. They can also be used for digital signing and verification. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl c Print out the digest in two digit groups separated by colons, only relevant if .Em hex @@ -1783,7 +1786,7 @@ for MS-Windows, .Cm \&, for OpenVMS, and .Cm \&: -for all others. +for all others. .It Fl signature Ar filename The actual signature to verify. .It Ar file ... @@ -1838,7 +1841,7 @@ The command is used to manipulate DH parameter files. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. The argument @@ -1851,7 +1854,7 @@ form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -1905,7 +1908,7 @@ This argument specifies that a parameter set should be generated of size .Ar numbits . It must be the last option. If not present, then a value of 512 is used. -If this value is present then the input file is ignored and +If this value is present then the input file is ignored and parameters are generated instead. .It Fl noout This option inhibits the output of the encoded version of the parameters. @@ -1916,6 +1919,7 @@ This option converts the parameters into C code. The parameters can then be loaded by calling the .Cm get_dh Ns Ar numbits Ns Li () function. +.El .Sh DHPARAM WARNINGS The program .Nm dhparam @@ -1931,7 +1935,7 @@ The .Nm dh and .Nm gendh -programs are retained for now, but may have different purposes in future +programs are retained for now, but may have different purposes in future versions of .Nm OpenSSL . .Sh DHPARAM NOTES @@ -1997,7 +2001,7 @@ newer applications should use the more secure PKCS#8 format using the command. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. The @@ -2017,7 +2021,7 @@ It consists of the DER format base64 encoded with additional header and footer lines. In the case of a private key, PKCS#8 format is also accepted. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -2049,7 +2053,7 @@ see the .Sx PASS PHRASE ARGUMENTS section above. .It Cm -des|-des3|-idea -These options encrypt the private key with the DES, triple DES, or the +These options encrypt the private key with the DES, triple DES, or the IDEA ciphers, respectively, before outputting it. A pass phrase is prompted for. If none of these options is specified, the key is written in plain text. @@ -2075,6 +2079,7 @@ With this option a public key is read instead. By default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. +.El .Sh DSA NOTES The .Ar PEM @@ -2102,7 +2107,7 @@ To encrypt a private key using triple DES: .Pp \& $ openssl dsa -in key.pem -des3 -out keyout.pem .Pp -To convert a private key from PEM to DER format: +To convert a private key from PEM to DER format: .Pp \& $ openssl dsa -in key.pem -outform DER -out keyout.der .Pp @@ -2134,7 +2139,7 @@ The command is used to manipulate or generate \s-1DSA\s0 parameter files. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. The @@ -2147,7 +2152,7 @@ form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format; the options have the same meaning as the +This specifies the output format; the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -2239,7 +2244,7 @@ or explicitly provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl in Ar filename The input .Ar filename , @@ -2584,7 +2589,7 @@ command generates a DSA private key from a DSA parameter file command). .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Cm -des|-des3|-idea These options encrypt the private key with the DES, triple DES, or the IDEA ciphers, respectively, before outputting it. @@ -2612,6 +2617,7 @@ The parameters in this file determine the size of the private key. DSA parameters can be generated and examined using the .Nm openssl dsaparam command. +.El .Sh GENDSA NOTES DSA key generation is little more than random number generation so it is much quicker that RSA key generation for example. @@ -2635,7 +2641,7 @@ The command generates an RSA private key. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl out Ar filename The output .Ar filename . @@ -2648,7 +2654,7 @@ see the .Sx PASS PHRASE ARGUMENTS section above. .It Cm -des|-des3|-idea -These options encrypt the private key with the DES, triple DES, or the +These options encrypt the private key with the DES, triple DES, or the IDEA ciphers, respectively, before outputting it. If none of these options is specified, no encryption is used. If encryption is used a pass phrase is prompted for, @@ -2678,6 +2684,7 @@ for all others. The size of the private key to generate in bits. This must be the last option specified. The default is 512. +.El .Sh GENRSA NOTES RSA private key generation essentially involves the generation of two prime numbers. @@ -2716,7 +2723,7 @@ file of certificates and converts it into a Netscape certificate sequence. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl in Ar filename This specifies the input .Ar filename @@ -2818,7 +2825,7 @@ create requests and send queries to an OCSP responder and behave like a mini OCSP server itself. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl out Ar filename Specify output .Ar filename , @@ -2997,7 +3004,7 @@ By default this additional check is not performed. .El .Sh OCSP SERVER OPTIONS .Pp -.Bl -tag -with DS +.Bl -tag -width "XXXX" .It Fl index Ar indexfile .Ar indexfile is a text index file in @@ -3058,7 +3065,7 @@ option. .It Fl nrequest Ar number The OCSP server will exit after receiving .Ar number -requests, default unlimited. +requests, default unlimited. .It Fl nmin Ar minutes , Fl ndays Ar days Number of .Ar minutes @@ -3240,7 +3247,7 @@ and its Apache variant are available. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl crypt Use the .Em crypt @@ -3273,7 +3280,7 @@ to each password hash. .El .Sh PASSWD EXAMPLES .Pp -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It $ openssl passwd -crypt -salt xx password prints .Em xxj31ZMTZzkVA . @@ -3283,6 +3290,7 @@ prints .It $ openssl passwd -apr1 -salt xxxxxxxx password prints .Em $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 . +.El .\" .\" PKCS7 .\" @@ -3308,7 +3316,7 @@ or format. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. .Ar DER @@ -3317,7 +3325,7 @@ format is DER encoded PKCS#7 v1.5 structure. (the default) is a base64 encoded version of the DER form with header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -3339,6 +3347,7 @@ Don't output the encoded version of the PKCS#7 structure (or certificates if .Fl print_certs is set). +.El .Sh PKCS7 EXAMPLES Convert a PKCS#7 file from .Em PEM @@ -3401,7 +3410,7 @@ and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width "XXXX" .It Fl topk8 Normally a PKCS#8 private key is expected on input and a traditional format private key will be written. @@ -3423,7 +3432,7 @@ or .Em PEM format of the traditional format private key is used. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -3513,6 +3522,7 @@ is used. .It Fl v1 Ar alg This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete list of possible algorithms is included below. +.El .Sh PKCS8 NOTES The encrypted form of a .Em PEM @@ -3557,23 +3567,20 @@ Various algorithms can be used with the command line option, including PKCS#5 v1.5 and PKCS#12. These are described in more detail below. .Pp -.Bd -literal -offset indent -.It Ar \ \ PBE-MD2-DES PBE-MD5-DES -.br +.Bl -tag -width "XXXX" +.It Ar PBE-MD2-DES PBE-MD5-DES These algorithms were included in the original PKCS#5 v1.5 specification. They only offer 56 bits of protection since they both use DES. -.It Ar \ \ PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES -.br +.It Ar PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES These algorithms are not mentioned in the original PKCS#5 v1.5 specification but they use the same key derivation algorithm and are supported by some software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or 56 bit DES. -.It Ar \ \ PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40 -.br +.It Ar PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40 These algorithms use the PKCS#12 password based encryption algorithm and allow strong encryption algorithms like triple DES or 128 bit RC2 to be used. -.Ed +.El .Sh PKCS8 EXAMPLES Convert a private from traditional to PKCS#5 v2.0 format using triple DES: .Pp @@ -3665,7 +3672,7 @@ a PKCS#12 file can be created by using the .Fl export option (see below). .Sh PKCS12 PARSING OPTIONS -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl in Ar filename This specifies the .Ar filename @@ -3720,9 +3727,9 @@ Don't attempt to verify the integrity MAC before reading the file. Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such PKCS#12 files unreadable. -.Ed +.El .Sh PKCS12 FILE CREATION OPTIONS -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl export This option specifies that a PKCS#12 file will be created rather than parsed. @@ -3838,7 +3845,7 @@ for MS-Windows, for OpenVMS, and .Cm \&: for all others. -.Ed +.El .Sh PKCS12 NOTES Although there are a large number of options, most of them are very rarely used. @@ -3989,7 +3996,7 @@ file will be written back if enough seeding was obtained from these sources. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl out Ar file Write to .Ar file @@ -4064,7 +4071,7 @@ It can additionally create self-signed certificates, for use as root CAs, for example. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. The @@ -4077,7 +4084,7 @@ form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -4223,7 +4230,7 @@ This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes. .It Fl utf8 -This option causes field values to be interpreted as UTF8 strings, by +This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. @@ -4267,7 +4274,7 @@ Some software (Netscape certificate server) and some CAs need this. Non-interactive mode. .It Fl verbose Print extra details about the operations being performed. -.Ed +.El .Sh REQ CONFIGURATION FILE FORMAT The configuration options are specified in the .Em req @@ -4280,7 +4287,7 @@ then the initial unnamed or section is searched too. .Pp The options available are described in detail below. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar input_password output_password The passwords for the input private key file (if present) and the output private key file (if one will be created). @@ -4308,7 +4315,7 @@ option. This specifies a file containing additional OBJECT IDENTIFIERS. Each line of the file should consist of the numerical form of the object identifier, followed by whitespace, then the short name followed -by whitespace and finally the long name. +by whitespace and finally the long name. .It Ar oid_section This specifies a section in the configuration file containing extra object identifiers. @@ -4353,7 +4360,7 @@ which is also the default option, uses .Em PrintableStrings , T61Strings and .Em BMPStrings ; -if the +if the .Ar pkix value is used then only .Em PrintableStrings @@ -4424,7 +4431,7 @@ request signing utilities, but some CAs might want them. This specifies the section containing the distinguished name fields to prompt for when generating a certificate or certificate request. The format is described in the next section. -.Ed +.El .Sh REQ DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT There are two separate formats for the distinguished name and attribute sections. @@ -4760,7 +4767,7 @@ newer applications should use the more secure PKCS#8 format using the utility. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl inform Ar DER|NET|PEM This specifies the input format. The @@ -4779,7 +4786,7 @@ form is a format described in the .Sx RSA NOTES section. .It Fl outform Ar DER|NET|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -4815,7 +4822,7 @@ Use the modified .Em NET algorithm used with some versions of Microsoft IIS and SGC keys. .It Cm -des|-des3|-idea -These options encrypt the private key with the DES, triple DES, or the +These options encrypt the private key with the DES, triple DES, or the IDEA ciphers, respectively, before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. @@ -4829,7 +4836,7 @@ These options can only be used with format output files. .It Fl text Prints out the various public or private key components in -plain text, in addition to the encoded version. +plain text, in addition to the encoded version. .It Fl noout This option prevents output of the encoded version of the key. .It Fl modulus @@ -4843,7 +4850,7 @@ option a public key is read instead. By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. -.Ed +.El .Sh RSA NOTES The .Em PEM @@ -4897,7 +4904,7 @@ To convert a private key from .Em PEM to .Em DER -format: +format: .Pp \& $ openssl rsa -in key.pem -outform DER -out keyout.der .br @@ -4942,7 +4949,7 @@ command can be used to sign, verify, encrypt and decrypt data using the RSA algorithm. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl in Ar filename This specifies the input .Ar filename @@ -4956,9 +4963,9 @@ default. .It Fl inkey Ar file The input key file, by default it should be an RSA private key. .It Fl pubin -The input file is an RSA public key. +The input file is an RSA public key. .It Fl certin -The input is a certificate containing an RSA public key. +The input is a certificate containing an RSA public key. .It Fl sign Sign the input data and output the signed result. This requires an RSA private key. @@ -5028,23 +5035,23 @@ as follows yields: \& $ openssl asn1parse -in pca-cert.pem .Pp .Bd -literal -\& 0:d=0 hl=4 l= 742 cons: SEQUENCE -\& 4:d=1 hl=4 l= 591 cons: SEQUENCE -\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] +\& 0:d=0 hl=4 l= 742 cons: SEQUENCE +\& 4:d=1 hl=4 l= 591 cons: SEQUENCE +\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] \& 10:d=3 hl=2 l= 1 prim: INTEGER :02 \& 13:d=2 hl=2 l= 1 prim: INTEGER :00 -\& 16:d=2 hl=2 l= 13 cons: SEQUENCE +\& 16:d=2 hl=2 l= 13 cons: SEQUENCE \& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 29:d=3 hl=2 l= 0 prim: NULL -\& 31:d=2 hl=2 l= 92 cons: SEQUENCE -\& 33:d=3 hl=2 l= 11 cons: SET -\& 35:d=4 hl=2 l= 9 cons: SEQUENCE +\& 29:d=3 hl=2 l= 0 prim: NULL +\& 31:d=2 hl=2 l= 92 cons: SEQUENCE +\& 33:d=3 hl=2 l= 11 cons: SET +\& 35:d=4 hl=2 l= 9 cons: SEQUENCE \& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName \& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU \& .... -\& 599:d=1 hl=2 l= 13 cons: SEQUENCE +\& 599:d=1 hl=2 l= 13 cons: SEQUENCE \& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 612:d=2 hl=2 l= 0 prim: NULL +\& 612:d=2 hl=2 l= 0 prim: NULL \& 614:d=1 hl=3 l= 129 prim: BIT STRING .Ed .Pp @@ -5062,11 +5069,11 @@ The signature can be analysed with: \& $ openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin .Pp .Bd -literal -\& 0:d=0 hl=2 l= 32 cons: SEQUENCE -\& 2:d=1 hl=2 l= 12 cons: SEQUENCE +\& 0:d=0 hl=2 l= 32 cons: SEQUENCE +\& 2:d=1 hl=2 l= 12 cons: SEQUENCE \& 4:d=2 hl=2 l= 8 prim: OBJECT :md5 -\& 14:d=2 hl=2 l= 0 prim: NULL -\& 16:d=1 hl=2 l= 16 prim: OCTET STRING +\& 14:d=2 hl=2 l= 0 prim: NULL +\& 16:d=1 hl=2 l= 16 prim: OCTET STRING \& 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. .Ed .Pp @@ -5128,7 +5135,7 @@ It is a useful diagnostic tool for SSL servers. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl connect Ar host:port This specifies the .Ar host @@ -5254,7 +5261,7 @@ for OpenVMS, and .Cm \&: for all others. -.Ed +.El .Sh S_CLIENT CONNECTED COMMANDS If a connection is established with an SSL server then any data received from the server is displayed and any key presses will be sent to the @@ -5381,7 +5388,7 @@ command implements a generic SSL/TLS server which listens for connections on a given port using SSL/TLS. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl accept Ar port The TCP .Ar port @@ -5544,19 +5551,19 @@ for MS-Windows, for OpenVMS, and .Cm \&: for all others. -.Ed +.El .Sh S_SERVER CONNECTED COMMANDS If a connection request is established with an SSL client and neither the .Fl www nor the .Fl WWW option has been used, then normally any data received -from the client is displayed and any key presses will be sent to the client. +from the client is displayed and any key presses will be sent to the client. .Pp Certain single letter commands are also recognized which perform special operations: these are listed below. .Pp -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar q End the current SSL connection, but still accept new connections. .It Ar Q @@ -5570,7 +5577,7 @@ Send some plain text down the underlying TCP connection: this should cause the client to disconnect due to a protocol violation. .It Ar S Print out some session cache status information. -.Ed +.El .Sh S_SERVER NOTES .Nm s_server can be used to debug SSL clients. @@ -5641,7 +5648,7 @@ Since this is a diagnostic tool that needs some knowledge of the SSL protocol to use properly, most users will not need to use it. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM This specifies the input format. The @@ -5654,7 +5661,7 @@ The form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. .It Fl outform Ar DER|PEM -This specifies the output format, the options have the same meaning as the +This specifies the output format, the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -5668,7 +5675,7 @@ to write session information to, or standard output if this option is not specified. .It Fl text Prints out the various public or private key components in -plain text in addition to the encoded version. +plain text in addition to the encoded version. .It Fl cert If a certificate is present in the session it will be output using this option, if the @@ -5684,7 +5691,7 @@ The .Ar ID can be any string of characters. This option won't normally be used. -.Ed +.El .Sh SESS_ID OUTPUT Typical output: .Pp @@ -5702,7 +5709,7 @@ Typical output: .Ed .Pp These are described below in more detail. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar Protocol This is the protocol in use: TLSv1, SSLv3 or SSLv2. .It Ar Cipher @@ -5723,7 +5730,7 @@ in standard Unix format. The timeout in seconds. .It Ar Verify return code This is the return code when an SSL client certificate is verified. -.Ed +.El .Sh SESS_ID NOTES The .Em PEM @@ -5789,7 +5796,7 @@ There are five operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl encrypt Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. @@ -5879,7 +5886,7 @@ This option adds plain text (text/plain) headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of -.Em MIME +.Em MIME type text/plain then an error occurs. .It Fl CAfile Ar file A @@ -5994,7 +6001,7 @@ for OpenVMS, and for all others. .It Ar cert.pem ... One or more certificates of message recipients: used when encrypting -a message. +a message. .It Fl to , from , subject The relevant mail headers. These are included outside the signed @@ -6003,7 +6010,7 @@ If signing, then many .Em S/MIME mail clients check the signer's certificate email address matches that specified in the From: address. -.Ed +.El .Sh SMIME NOTES The .Em MIME @@ -6048,7 +6055,7 @@ clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7 encrypted data is used for other purposes. .Sh SMIME EXIT CODES -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar 0 The operation was completely successful. .It Ar 1 @@ -6064,7 +6071,7 @@ An error occurred decrypting or verifying the message. .It Ar 5 The message was verified correctly, but an error occurred writing out the signers certificates. -.Ed +.El .Sh SMIME EXAMPLES Create a cleartext signed message: .Pp @@ -6222,7 +6229,7 @@ The .Nm speed command is used to test the performance of cryptographic algorithms. .Pp -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl engine Ar id Specifying an engine (by it's unique .Ar id @@ -6236,7 +6243,7 @@ for all available algorithms. If any options are given, .Nm speed tests those algorithms, otherwise all of the above are tested. -.Ed +.El .\" .\" SPKAC .\" @@ -6261,7 +6268,7 @@ It can print out their contents, verify the signature and produce its own SPKACs from a supplied private key. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl in Ar filename This specifies the input .Ar filename @@ -6307,7 +6314,7 @@ Output the public key of an SPKAC (not used if an SPKAC is being created). .It Fl verify Verifies the digital signature on the supplied SPKAC. -.Ed +.El .Sh SPKAC EXAMPLES Print out the contents of an SPKAC: .Pp @@ -6361,7 +6368,7 @@ to be used in a "replay attack". .Op Fl help .Op Fl issuer_checks .Op Fl verbose -.Op Fl +.Op Fl .Op Ar certificates .Pp The @@ -6369,7 +6376,7 @@ The command verifies certificate chains. .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl CApath directory A .Ar directory @@ -6423,7 +6430,7 @@ This shows why each candidate issuer certificate was rejected. However the presence of rejection messages does not itself imply that anything is wrong: during the normal verify process several rejections may take place. -.It Fl +.It Fl Marks the last option. All arguments following this are assumed to be certificate files. This is useful if the first certificate filename begins with a @@ -6437,7 +6444,7 @@ a certificate from standard input. They should all be in .Em PEM format. -.Ed +.El .Sh VERIFY OPERATION The .Nm verify @@ -6459,7 +6466,7 @@ and ending in the root CA. It is an error if the whole chain cannot be built up. The chain is built up by looking up the issuers certificate of the current certificate. -If a certificate is found which is its own issuer it is assumed +If a certificate is found which is its own issuer it is assumed to be the root CA. .Pp The process of 'looking up the issuers certificate' itself involves a number @@ -6504,7 +6511,7 @@ For compatibility with previous versions of and .Nm OpenSSL , a certificate with no trust settings is considered to be valid for -all purposes. +all purposes. .Pp The final operation is to check the validity of the certificate chain. The validity period is checked against the current system time and the @@ -6540,7 +6547,7 @@ includes the name of the error code as defined in the header file Some of the error codes are defined but never returned: these are described as "unused". .Pp -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar "0 X509_V_OK: ok" The operation was successful. .It Ar 2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate @@ -6662,7 +6669,7 @@ extension does not permit certificate signing. .It Ar 50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure An application specific error. Unused. -.Ed +.El .Sh VERIFY BUGS Although the issuer checks are a considerable improvement over the old technique, they still suffer from limitations in the underlying @@ -6697,7 +6704,7 @@ command is used to print out version information about .Nm OpenSSL . .Pp The options are as follows: -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl a All information: this is the same as setting all the other flags. .It Fl v @@ -6717,7 +6724,7 @@ Platform setting. .It Fl d .Em OPENSSLDIR setting. -.Ed +.El .Sh VERSION NOTES The output of .Nm openssl version -a @@ -6788,7 +6795,7 @@ certificate trust settings. Since there are a large number of options, they are split up into various sections. .Sh X509 INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl inform Ar DER|PEM|NET This specifies the input format. Normally the command will expect an X509 certificate, @@ -6806,7 +6813,7 @@ option is an obscure Netscape server format that is now obsolete. .It Fl outform Ar DER|PEM|NET This specifies the output format; -the options have the same meaning as the +the options have the same meaning as the .Fl inform option. .It Fl in Ar filename @@ -6828,7 +6835,7 @@ options. If not specified then MD5 is used. If the key being used to sign with is a DSA key then this option has no effect: SHA1 is always used with DSA keys. -.Ed +.El .Sh X509 DISPLAY OPTIONS .Sy Note : The @@ -6838,7 +6845,7 @@ and options are also display options but are described in the .Sx X509 TRUST OPTIONS section. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl text Prints out the certificate in text form. Full details are output including the public key, signature algorithms, @@ -6902,7 +6909,7 @@ Prints out the digest of the DER encoded version of the whole certificate .Sx DIGEST OPTIONS ) . .It Fl C This outputs the certificate in the form of a C source file. -.Ed +.El .Sh X509 TRUST SETTINGS Please note these options are currently experimental and may well change. .Pp @@ -6930,7 +6937,7 @@ utility for more information on the meaning of trust settings. Future versions of .Nm OpenSSL will recognize trust settings on any certificate: not just root CAs. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl trustout This causes .Nm x509 @@ -6984,17 +6991,17 @@ the results. For a more complete description see the .Sx X509 CERTIFICATE EXTENSIONS section. -.Ed +.El .Sh X509 SIGNING OPTIONS The .Nm x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA". .Pp -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Fl signkey Ar filename This option causes the input file to be self-signed using the supplied -private key. +private key. .Pp If the input file is a certificate, it sets the issuer name to the subject name (i.e. makes it self-signed), changes the public key to the @@ -7091,7 +7098,7 @@ to the file again. The default filename consists of the CA certificate file base name with .Pa .srl appended. -For example if the CA certificate file is called +For example if the CA certificate file is called .Pa mycacert.pem , it expects to find a serial number file called .Pa mycacert.srl . @@ -7110,7 +7117,7 @@ The section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. -.Ed +.El .Sh X509 NAME OPTIONS The .Fl nameopt @@ -7126,7 +7133,7 @@ a .Cm \&- to turn the option off. Only the first four will normally be used. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar compat Use the old format. This is equivalent to specifying no name options at all. @@ -7253,7 +7260,7 @@ Only usable with Places spaces round the .Cm \&= character which follows the field name. -.Ed +.El .Sh X509 TEXT OPTIONS As well as customising the name output format, it is also possible to customise the actual fields printed using the @@ -7262,7 +7269,7 @@ options when the .Fl text option is present. The default behaviour is to print all fields. -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar compatible Use the old format. This is equivalent to specifying no output options at all. @@ -7310,7 +7317,7 @@ utility, equivalent to .Ar no_version , no_sigdump and .Ar no_signame . -.Ed +.El .Sh X509 EXAMPLES .Sy Note : In these examples the '\e' means the example should be all on one @@ -7487,7 +7494,7 @@ and V1 certificates above apply to .Em all CA certificates. .Pp -.Bd -ragged -offset indent +.Bl -tag -width "XXXX" .It Ar SSL Client The extended key usage extension must be absent or include the "web client authentication" OID. @@ -7566,7 +7573,7 @@ Netscape certificate type must be absent or must have the .Em S/MIME CA bit set: this is used as a work around if the .Em basicConstraints -extension is absent. +extension is absent. .It Ar CRL Signing The .Em keyUsage @@ -7578,6 +7585,7 @@ The normal CA tests apply. Except in this case the .Em basicConstraints extension must be present. +.El .Sh X509 BUGS Extensions in certificates are not transferred to certificate requests and vice versa. |