req.pod

来自「一个用于点对点传输加密的工具包源码」· POD 代码 · 共 539 行 · 第 1/2 页

=pod

=head1 NAME

req - PKCS#10 certificate and certificate generating utility.

=head1 SYNOPSIS

B<openssl> B<req>
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
[B<-passin arg>]
[B<-out filename>]
[B<-passout arg>]
[B<-text>]
[B<-noout>]
[B<-verify>]
[B<-modulus>]
[B<-new>]
[B<-rand file(s)>]
[B<-newkey rsa:bits>]
[B<-newkey dsa:file>]
[B<-nodes>]
[B<-key filename>]
[B<-keyform PEM|DER>]
[B<-keyout filename>]
[B<-[md5|sha1|md2|mdc2]>]
[B<-config filename>]
[B<-x509>]
[B<-days n>]
[B<-asn1-kludge>]
[B<-newhdr>]
[B<-extensions section>]
[B<-reqexts section>]

=head1 DESCRIPTION

The B<req> command primarily creates and processes certificate requests
in PKCS#10 format. It can additionally create self signed certificates
for use as root CAs for example.

=head1 COMMAND OPTIONS

=over 4

=item B<-inform DER|PEM>

This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#10. The B<PEM> form is the default format: it
consists of the B<DER> format base64 encoded with additional header and
footer lines.

=item B<-outform DER|PEM>

This specifies the output format, the options have the same meaning as the 
B<-inform> option.

=item B<-in filename>

This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.

=item B<-passin arg>

the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-out filename>

This specifies the output filename to write to or standard output by
default.

=item B<-passout arg>

the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-text>

prints out the certificate request in text form.

=item B<-noout>

this option prevents output of the encoded version of the request.

=item B<-modulus>

this option prints out the value of the modulus of the public key
contained in the request.

=item B<-verify>

verifies the signature on the request.

=item B<-new>

this option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.

If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.

=item B<-rand file(s)>

a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-newkey arg>

this option creates a new certificate request and a new private
key. The argument takes one of two forms. B<rsa:nbits>, where
B<nbits> is the number of bits, generates an RSA key B<nbits>
in size. B<dsa:filename> generates a DSA key using the parameters
in the file B<filename>.

=item B<-key filename>

This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for PEM format files.

=item B<-keyform PEM|DER>

the format of the private key file specified in the B<-key>
argument. PEM is the default.

=item B<-keyout filename>

this gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
configuration file is used.

=item B<-nodes>

if this option is specified then if a private key is created it
will not be encrypted.

=item B<-[md5|sha1|md2|mdc2]>

this specifies the message digest to sign the request with. This
overrides the digest algorithm specified in the configuration file.
This option is ignored for DSA requests: they always use SHA1.

=item B<-config filename>

this allows an alternative configuration file to be specified,
this overrides the compile time filename or any specified in
the B<OPENSSL_CONF> environment variable.

=item B<-x509>

this option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root CA. The extensions added to the certificate
(if any) are specified in the configuration file.

=item B<-days n>

when the B<-x509> option is being used this specifies the number of
days to certify the certificate for. The default is 30 days.

=item B<-extensions section>

=item B<-reqexts section>

these options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.

=item B<-asn1-kludge>

by default the B<req> command outputs certificate requests containing
no attributes in the correct PKCS#10 format. However certain CAs will only
accept requests containing no attributes in an invalid form: this
option produces this invalid format.

More precisely the B<Attributes> in a PKCS#10 certificate request
are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so
if no attributes are present then they should be encoded as an
empty B<SET OF>. The invalid form does not include the empty
B<SET OF> whereas the correct form does.

It should be noted that very few CAs still require the use of this option.

=item B<-newhdr>

Adds the word B<NEW> to the PEM file header and footer lines on the outputed
request. Some software (Netscape certificate server) and some CAs need this.

=back

=head1 CONFIGURATION FILE FORMAT

The configuration options are specified in the B<req> section of
the configuration file. As with all configuration files if no
value is specified in the specific section (i.e. B<req>) then
the initial unnamed or B<default> section is searched too.

The options available are described in detail below.

=over 4

=item B<input_password output_password>

The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
command line options B<passin> and B<passout> override the
configuration file values.

=item B<default_bits>

This specifies the default key size in bits. If not specified then
512 is used. It is used if the B<-new> option is used. It can be
overridden by using the B<-newkey> option.

=item B<default_keyfile>

This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
overridden by the B<-keyout> option.

=item B<oid_file>

This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
by white space and finally the long name. 

=item B<oid_section>

This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by B<=> and the numerical form. The short
and long names are the same when this option is used.

=item B<RANDFILE>

This specifies a filename in which random number seed information is
placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
It is used for private key generation.

=item B<encrypt_key>

If this is set to B<no> then if a private key is generated it is
B<not> encrypted. This is equivalent to the B<-nodes> command line
option. For compatibility B<encrypt_rsa_key> is an equivalent option.

=item B<default_md>

This option specifies the digest algorithm to use. Possible values
include B<md5 sha1 mdc2>. If not present then MD5 is used. This
option can be overridden on the command line.

=item B<string_mask>

This option masks out the use of certain string types in certain
fields. Most users will not need to change this option.

It can be set to several values B<default> which is also the default
option uses PrintableStrings, T61Strings and BMPStrings if the 
B<pkix> value is used then only PrintableStrings and BMPStrings will