1X509(1)                             OpenSSL                            X509(1)
2
3
4

NAME

6       openssl-x509, x509 - Certificate display and signing utility
7

SYNOPSIS

9       openssl x509 [-help] [-inform DER|PEM] [-outform DER|PEM] [-keyform
10       DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out
11       filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid]
12       [-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri]
13       [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus]
14       [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust]
15       [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days
16       arg] [-set_serial n] [-signkey filename] [-passin arg] [-x509toreq]
17       [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial
18       filename] [-force_pubkey key] [-text] [-ext extensions] [-certopt
19       option] [-C] [-digest] [-clrext] [-extfile filename] [-extensions
20       section] [-rand file...]  [-writerand file] [-engine id]
21       [-preserve_dates]
22

DESCRIPTION

24       The x509 command is a multi purpose certificate utility. It can be used
25       to display certificate information, convert certificates to various
26       forms, sign certificate requests like a "mini CA" or edit certificate
27       trust settings.
28
29       Since there are a large number of options they will split up into
30       various sections.
31

OPTIONS

33   Input, Output, and General Purpose Options
34       -help
35           Print out a usage message.
36
37       -inform DER|PEM
38           This specifies the input format normally the command will expect an
39           X509 certificate but this can change if other options such as -req
40           are present. The DER format is the DER encoding of the certificate
41           and PEM is the base64 encoding of the DER encoding with header and
42           footer lines added. The default format is PEM.
43
44       -outform DER|PEM
45           This specifies the output format, the options have the same meaning
46           and default as the -inform option.
47
48       -in filename
49           This specifies the input filename to read a certificate from or
50           standard input if this option is not specified.
51
52       -out filename
53           This specifies the output filename to write to or standard output
54           by default.
55
56       -digest
57           The digest to use.  This affects any signing or display option that
58           uses a message digest, such as the -fingerprint, -signkey and -CA
59           options.  Any digest supported by the OpenSSL dgst command can be
60           used.  If not specified then SHA1 is used with -fingerprint or the
61           default digest for the signing algorithm is used, typically SHA256.
62
63       -rand file...
64           A file or files containing random data used to seed the random
65           number generator.  Multiple files can be specified separated by an
66           OS-dependent character.  The separator is ; for MS-Windows, , for
67           OpenVMS, and : for all others.
68
69       [-writerand file]
70           Writes random data to the specified file upon exit.  This can be
71           used with a subsequent -rand flag.
72
73       -engine id
74           Specifying an engine (by its unique id string) will cause x509 to
75           attempt to obtain a functional reference to the specified engine,
76           thus initialising it if needed. The engine will then be set as the
77           default for all available algorithms.
78
79       -preserve_dates
80           When signing a certificate, preserve the "notBefore" and "notAfter"
81           dates instead of adjusting them to current time and duration.
82           Cannot be used with the -days option.
83
84   Display Options
85       Note: the -alias and -purpose options are also display options but are
86       described in the TRUST SETTINGS section.
87
88       -text
89           Prints out the certificate in text form. Full details are output
90           including the public key, signature algorithms, issuer and subject
91           names, serial number any extensions present and any trust settings.
92
93       -ext extensions
94           Prints out the certificate extensions in text form. Extensions are
95           specified with a comma separated string, e.g.,
96           "subjectAltName,subjectKeyIdentifier".  See the x509v3_config(5)
97           manual page for the extension names.
98
99       -certopt option
100           Customise the output format used with -text. The option argument
101           can be a single option or multiple options separated by commas. The
102           -certopt switch may be also be used more than once to set multiple
103           options. See the TEXT OPTIONS section for more information.
104
105       -noout
106           This option prevents output of the encoded version of the
107           certificate.
108
109       -pubkey
110           Outputs the certificate's SubjectPublicKeyInfo block in PEM format.
111
112       -modulus
113           This option prints out the value of the modulus of the public key
114           contained in the certificate.
115
116       -serial
117           Outputs the certificate serial number.
118
119       -subject_hash
120           Outputs the "hash" of the certificate subject name. This is used in
121           OpenSSL to form an index to allow certificates in a directory to be
122           looked up by subject name.
123
124       -issuer_hash
125           Outputs the "hash" of the certificate issuer name.
126
127       -ocspid
128           Outputs the OCSP hash values for the subject name and public key.
129
130       -hash
131           Synonym for "-subject_hash" for backward compatibility reasons.
132
133       -subject_hash_old
134           Outputs the "hash" of the certificate subject name using the older
135           algorithm as used by OpenSSL before version 1.0.0.
136
137       -issuer_hash_old
138           Outputs the "hash" of the certificate issuer name using the older
139           algorithm as used by OpenSSL before version 1.0.0.
140
141       -subject
142           Outputs the subject name.
143
144       -issuer
145           Outputs the issuer name.
146
147       -nameopt option
148           Option which determines how the subject or issuer names are
149           displayed. The option argument can be a single option or multiple
150           options separated by commas.  Alternatively the -nameopt switch may
151           be used more than once to set multiple options. See the NAME
152           OPTIONS section for more information.
153
154       -email
155           Outputs the email address(es) if any.
156
157       -ocsp_uri
158           Outputs the OCSP responder address(es) if any.
159
160       -startdate
161           Prints out the start date of the certificate, that is the notBefore
162           date.
163
164       -enddate
165           Prints out the expiry date of the certificate, that is the notAfter
166           date.
167
168       -dates
169           Prints out the start and expiry dates of a certificate.
170
171       -checkend arg
172           Checks if the certificate expires within the next arg seconds and
173           exits non-zero if yes it will expire or zero if not.
174
175       -fingerprint
176           Calculates and outputs the digest of the DER encoded version of the
177           entire certificate (see digest options).  This is commonly called a
178           "fingerprint". Because of the nature of message digests, the
179           fingerprint of a certificate is unique to that certificate and two
180           certificates with the same fingerprint can be considered to be the
181           same.
182
183       -C  This outputs the certificate in the form of a C source file.
184
185   Trust Settings
186       A trusted certificate is an ordinary certificate which has several
187       additional pieces of information attached to it such as the permitted
188       and prohibited uses of the certificate and an "alias".
189
190       Normally when a certificate is being verified at least one certificate
191       must be "trusted". By default a trusted certificate must be stored
192       locally and must be a root CA: any certificate chain ending in this CA
193       is then usable for any purpose.
194
195       Trust settings currently are only used with a root CA. They allow a
196       finer control over the purposes the root CA can be used for. For
197       example a CA may be trusted for SSL client but not SSL server use.
198
199       See the description of the verify utility for more information on the
200       meaning of trust settings.
201
202       Future versions of OpenSSL will recognize trust settings on any
203       certificate: not just root CAs.
204
205       -trustout
206           This causes x509 to output a trusted certificate. An ordinary or
207           trusted certificate can be input but by default an ordinary
208           certificate is output and any trust settings are discarded. With
209           the -trustout option a trusted certificate is output. A trusted
210           certificate is automatically output if any trust settings are
211           modified.
212
213       -setalias arg
214           Sets the alias of the certificate. This will allow the certificate
215           to be referred to using a nickname for example "Steve's
216           Certificate".
217
218       -alias
219           Outputs the certificate alias, if any.
220
221       -clrtrust
222           Clears all the permitted or trusted uses of the certificate.
223
224       -clrreject
225           Clears all the prohibited or rejected uses of the certificate.
226
227       -addtrust arg
228           Adds a trusted certificate use.  Any object name can be used here
229           but currently only clientAuth (SSL client use), serverAuth (SSL
230           server use), emailProtection (S/MIME email) and anyExtendedKeyUsage
231           are used.  As of OpenSSL 1.1.0, the last of these blocks all
232           purposes when rejected or enables all purposes when trusted.  Other
233           OpenSSL applications may define additional uses.
234
235       -addreject arg
236           Adds a prohibited use. It accepts the same values as the -addtrust
237           option.
238
239       -purpose
240           This option performs tests on the certificate extensions and
241           outputs the results. For a more complete description see the
242           CERTIFICATE EXTENSIONS section.
243
244   Signing Options
245       The x509 utility can be used to sign certificates and requests: it can
246       thus behave like a "mini CA".
247
248       -signkey filename
249           This option causes the input file to be self signed using the
250           supplied private key.
251
252           If the input file is a certificate it sets the issuer name to the
253           subject name (i.e.  makes it self signed) changes the public key to
254           the supplied value and changes the start and end dates. The start
255           date is set to the current time and the end date is set to a value
256           determined by the -days option. Any certificate extensions are
257           retained unless the -clrext option is supplied; this includes, for
258           example, any existing key identifier extensions.
259
260           If the input is a certificate request then a self signed
261           certificate is created using the supplied private key using the
262           subject name in the request.
263
264       -passin arg
265           The key password source. For more information about the format of
266           arg see the PASS PHRASE ARGUMENTS section in openssl(1).
267
268       -clrext
269           Delete any extensions from a certificate. This option is used when
270           a certificate is being created from another certificate (for
271           example with the -signkey or the -CA options). Normally all
272           extensions are retained.
273
274       -keyform PEM|DER
275           Specifies the format (DER or PEM) of the private key file used in
276           the -signkey option.
277
278       -days arg
279           Specifies the number of days to make a certificate valid for. The
280           default is 30 days. Cannot be used with the -preserve_dates option.
281
282       -x509toreq
283           Converts a certificate into a certificate request. The -signkey
284           option is used to pass the required private key.
285
286       -req
287           By default a certificate is expected on input. With this option a
288           certificate request is expected instead.
289
290       -set_serial n
291           Specifies the serial number to use. This option can be used with
292           either the -signkey or -CA options. If used in conjunction with the
293           -CA option the serial number file (as specified by the -CAserial or
294           -CAcreateserial options) is not used.
295
296           The serial number can be decimal or hex (if preceded by 0x).
297
298       -CA filename
299           Specifies the CA certificate to be used for signing. When this
300           option is present x509 behaves like a "mini CA". The input file is
301           signed by this CA using this option: that is its issuer name is set
302           to the subject name of the CA and it is digitally signed using the
303           CAs private key.
304
305           This option is normally combined with the -req option. Without the
306           -req option the input is a certificate which must be self signed.
307
308       -CAkey filename
309           Sets the CA private key to sign a certificate with. If this option
310           is not specified then it is assumed that the CA private key is
311           present in the CA certificate file.
312
313       -CAserial filename
314           Sets the CA serial number file to use.
315
316           When the -CA option is used to sign a certificate it uses a serial
317           number specified in a file. This file consists of one line
318           containing an even number of hex digits with the serial number to
319           use. After each use the serial number is incremented and written
320           out to the file again.
321
322           The default filename consists of the CA certificate file base name
323           with ".srl" appended. For example if the CA certificate file is
324           called "mycacert.pem" it expects to find a serial number file
325           called "mycacert.srl".
326
327       -CAcreateserial
328           With this option the CA serial number file is created if it does
329           not exist: it will contain the serial number "02" and the
330           certificate being signed will have the 1 as its serial number. If
331           the -CA option is specified and the serial number file does not
332           exist a random number is generated; this is the recommended
333           practice.
334
335       -extfile filename
336           File containing certificate extensions to use. If not specified
337           then no extensions are added to the certificate.
338
339       -extensions section
340           The section to add certificate extensions from. If this option is
341           not specified then the extensions should either be contained in the
342           unnamed (default) section or the default section should contain a
343           variable called "extensions" which contains the section to use. See
344           the x509v3_config(5) manual page for details of the extension
345           section format.
346
347       -force_pubkey key
348           When a certificate is created set its public key to key instead of
349           the key in the certificate or certificate request. This option is
350           useful for creating certificates where the algorithm can't normally
351           sign requests, for example DH.
352
353           The format or key can be specified using the -keyform option.
354
355   Name Options
356       The nameopt command line switch determines how the subject and issuer
357       names are displayed. If no nameopt switch is present the default
358       "oneline" format is used which is compatible with previous versions of
359       OpenSSL.  Each option is described in detail below, all options can be
360       preceded by a - to turn the option off. Only the first four will
361       normally be used.
362
363       compat
364           Use the old format.
365
366       RFC2253
367           Displays names compatible with RFC2253 equivalent to esc_2253,
368           esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der,
369           sep_comma_plus, dn_rev and sname.
370
371       oneline
372           A oneline format which is more readable than RFC2253. It is
373           equivalent to specifying the  esc_2253, esc_ctrl, esc_msb, utf8,
374           dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and
375           sname options.  This is the default of no name options are given
376           explicitly.
377
378       multiline
379           A multiline format. It is equivalent esc_ctrl, esc_msb,
380           sep_multiline, space_eq, lname and align.
381
382       esc_2253
383           Escape the "special" characters required by RFC2253 in a field.
384           That is ,+"<>;. Additionally # is escaped at the beginning of a
385           string and a space character at the beginning or end of a string.
386
387       esc_2254
388           Escape the "special" characters required by RFC2254 in a field.
389           That is the NUL character as well as and ()*.
390
391       esc_ctrl
392           Escape control characters. That is those with ASCII values less
393           than 0x20 (space) and the delete (0x7f) character. They are escaped
394           using the RFC2253 \XX notation (where XX are two hex digits
395           representing the character value).
396
397       esc_msb
398           Escape characters with the MSB set, that is with ASCII values
399           larger than 127.
400
401       use_quote
402           Escapes some characters by surrounding the whole string with "
403           characters, without the option all escaping is done with the \
404           character.
405
406       utf8
407           Convert all strings to UTF8 format first. This is required by
408           RFC2253. If you are lucky enough to have a UTF8 compatible terminal
409           then the use of this option (and not setting esc_msb) may result in
410           the correct display of multibyte (international) characters. Is
411           this option is not present then multibyte characters larger than
412           0xff will be represented using the format \UXXXX for 16 bits and
413           \WXXXXXXXX for 32 bits.  Also if this option is off any UTF8Strings
414           will be converted to their character form first.
415
416       ignore_type
417           This option does not attempt to interpret multibyte characters in
418           any way. That is their content octets are merely dumped as though
419           one octet represents each character. This is useful for diagnostic
420           purposes but will result in rather odd looking output.
421
422       show_type
423           Show the type of the ASN1 character string. The type precedes the
424           field contents. For example "BMPSTRING: Hello World".
425
426       dump_der
427           When this option is set any fields that need to be hexdumped will
428           be dumped using the DER encoding of the field. Otherwise just the
429           content octets will be displayed. Both options use the RFC2253
430           #XXXX... format.
431
432       dump_nostr
433           Dump non character string types (for example OCTET STRING) if this
434           option is not set then non character string types will be displayed
435           as though each content octet represents a single character.
436
437       dump_all
438           Dump all fields. This option when used with dump_der allows the DER
439           encoding of the structure to be unambiguously determined.
440
441       dump_unknown
442           Dump any field whose OID is not recognised by OpenSSL.
443
444       sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space,
445       sep_multiline
446           These options determine the field separators. The first character
447           is between RDNs and the second between multiple AVAs (multiple AVAs
448           are very rare and their use is discouraged). The options ending in
449           "space" additionally place a space after the separator to make it
450           more readable. The sep_multiline uses a linefeed character for the
451           RDN separator and a spaced + for the AVA separator. It also indents
452           the fields by four characters. If no field separator is specified
453           then sep_comma_plus_space is used by default.
454
455       dn_rev
456           Reverse the fields of the DN. This is required by RFC2253. As a
457           side effect this also reverses the order of multiple AVAs but this
458           is permissible.
459
460       nofname, sname, lname, oid
461           These options alter how the field name is displayed. nofname does
462           not display the field at all. sname uses the "short name" form (CN
463           for commonName for example). lname uses the long form.  oid
464           represents the OID in numerical form and is useful for diagnostic
465           purpose.
466
467       align
468           Align field values for a more readable output. Only usable with
469           sep_multiline.
470
471       space_eq
472           Places spaces round the = character which follows the field name.
473
474   Text Options
475       As well as customising the name output format, it is also possible to
476       customise the actual fields printed using the certopt options when the
477       text option is present. The default behaviour is to print all fields.
478
479       compatible
480           Use the old format. This is equivalent to specifying no output
481           options at all.
482
483       no_header
484           Don't print header information: that is the lines saying
485           "Certificate" and "Data".
486
487       no_version
488           Don't print out the version number.
489
490       no_serial
491           Don't print out the serial number.
492
493       no_signame
494           Don't print out the signature algorithm used.
495
496       no_validity
497           Don't print the validity, that is the notBefore and notAfter
498           fields.
499
500       no_subject
501           Don't print out the subject name.
502
503       no_issuer
504           Don't print out the issuer name.
505
506       no_pubkey
507           Don't print out the public key.
508
509       no_sigdump
510           Don't give a hexadecimal dump of the certificate signature.
511
512       no_aux
513           Don't print out certificate trust information.
514
515       no_extensions
516           Don't print out any X509V3 extensions.
517
518       ext_default
519           Retain default extension behaviour: attempt to print out
520           unsupported certificate extensions.
521
522       ext_error
523           Print an error message for unsupported certificate extensions.
524
525       ext_parse
526           ASN1 parse unsupported extensions.
527
528       ext_dump
529           Hex dump unsupported extensions.
530
531       ca_default
532           The value used by the ca utility, equivalent to no_issuer,
533           no_pubkey, no_header, and no_version.
534

EXAMPLES

536       Note: in these examples the '\' means the example should be all on one
537       line.
538
539       Display the contents of a certificate:
540
541        openssl x509 -in cert.pem -noout -text
542
543       Display the "Subject Alternative Name" extension of a certificate:
544
545        openssl x509 -in cert.pem -noout -ext subjectAltName
546
547       Display more extensions of a certificate:
548
549        openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
550
551       Display the certificate serial number:
552
553        openssl x509 -in cert.pem -noout -serial
554
555       Display the certificate subject name:
556
557        openssl x509 -in cert.pem -noout -subject
558
559       Display the certificate subject name in RFC2253 form:
560
561        openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
562
563       Display the certificate subject name in oneline form on a terminal
564       supporting UTF8:
565
566        openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
567
568       Display the certificate SHA1 fingerprint:
569
570        openssl x509 -sha1 -in cert.pem -noout -fingerprint
571
572       Convert a certificate from PEM to DER format:
573
574        openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
575
576       Convert a certificate to a certificate request:
577
578        openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
579
580       Convert a certificate request into a self signed certificate using
581       extensions for a CA:
582
583        openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
584               -signkey key.pem -out cacert.pem
585
586       Sign a certificate request using the CA certificate above and add user
587       certificate extensions:
588
589        openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
590               -CA cacert.pem -CAkey key.pem -CAcreateserial
591
592       Set a certificate to be trusted for SSL client use and change set its
593       alias to "Steve's Class 1 CA"
594
595        openssl x509 -in cert.pem -addtrust clientAuth \
596               -setalias "Steve's Class 1 CA" -out trust.pem
597

NOTES

599       The PEM format uses the header and footer lines:
600
601        -----BEGIN CERTIFICATE-----
602        -----END CERTIFICATE-----
603
604       it will also handle files containing:
605
606        -----BEGIN X509 CERTIFICATE-----
607        -----END X509 CERTIFICATE-----
608
609       Trusted certificates have the lines
610
611        -----BEGIN TRUSTED CERTIFICATE-----
612        -----END TRUSTED CERTIFICATE-----
613
614       The conversion to UTF8 format used with the name options assumes that
615       T61Strings use the ISO8859-1 character set. This is wrong but Netscape
616       and MSIE do this as do many certificates. So although this is incorrect
617       it is more likely to display the majority of certificates correctly.
618
619       The -email option searches the subject name and the subject alternative
620       name extension. Only unique email addresses will be printed out: it
621       will not print the same address more than once.
622

CERTIFICATE EXTENSIONS

624       The -purpose option checks the certificate extensions and determines
625       what the certificate can be used for. The actual checks done are rather
626       complex and include various hacks and workarounds to handle broken
627       certificates and software.
628
629       The same code is used when verifying untrusted certificates in chains
630       so this section is useful if a chain is rejected by the verify code.
631
632       The basicConstraints extension CA flag is used to determine whether the
633       certificate can be used as a CA. If the CA flag is true then it is a
634       CA, if the CA flag is false then it is not a CA. All CAs should have
635       the CA flag set to true.
636
637       If the basicConstraints extension is absent then the certificate is
638       considered to be a "possible CA" other extensions are checked according
639       to the intended use of the certificate. A warning is given in this case
640       because the certificate should really not be regarded as a CA: however
641       it is allowed to be a CA to work around some broken software.
642
643       If the certificate is a V1 certificate (and thus has no extensions) and
644       it is self signed it is also assumed to be a CA but a warning is again
645       given: this is to work around the problem of Verisign roots which are
646       V1 self signed certificates.
647
648       If the keyUsage extension is present then additional restraints are
649       made on the uses of the certificate. A CA certificate must have the
650       keyCertSign bit set if the keyUsage extension is present.
651
652       The extended key usage extension places additional restrictions on the
653       certificate uses. If this extension is present (whether critical or
654       not) the key can only be used for the purposes specified.
655
656       A complete description of each test is given below. The comments about
657       basicConstraints and keyUsage and V1 certificates above apply to all CA
658       certificates.
659
660       SSL Client
661           The extended key usage extension must be absent or include the "web
662           client authentication" OID.  keyUsage must be absent or it must
663           have the digitalSignature bit set. Netscape certificate type must
664           be absent or it must have the SSL client bit set.
665
666       SSL Client CA
667           The extended key usage extension must be absent or include the "web
668           client authentication" OID. Netscape certificate type must be
669           absent or it must have the SSL CA bit set: this is used as a work
670           around if the basicConstraints extension is absent.
671
672       SSL Server
673           The extended key usage extension must be absent or include the "web
674           server authentication" and/or one of the SGC OIDs.  keyUsage must
675           be absent or it must have the digitalSignature, the keyEncipherment
676           set or both bits set.  Netscape certificate type must be absent or
677           have the SSL server bit set.
678
679       SSL Server CA
680           The extended key usage extension must be absent or include the "web
681           server authentication" and/or one of the SGC OIDs.  Netscape
682           certificate type must be absent or the SSL CA bit must be set: this
683           is used as a work around if the basicConstraints extension is
684           absent.
685
686       Netscape SSL Server
687           For Netscape SSL clients to connect to an SSL server it must have
688           the keyEncipherment bit set if the keyUsage extension is present.
689           This isn't always valid because some cipher suites use the key for
690           digital signing.  Otherwise it is the same as a normal SSL server.
691
692       Common S/MIME Client Tests
693           The extended key usage extension must be absent or include the
694           "email protection" OID. Netscape certificate type must be absent or
695           should have the S/MIME bit set. If the S/MIME bit is not set in
696           Netscape certificate type then the SSL client bit is tolerated as
697           an alternative but a warning is shown: this is because some
698           Verisign certificates don't set the S/MIME bit.
699
700       S/MIME Signing
701           In addition to the common S/MIME client tests the digitalSignature
702           bit or the nonRepudiation bit must be set if the keyUsage extension
703           is present.
704
705       S/MIME Encryption
706           In addition to the common S/MIME tests the keyEncipherment bit must
707           be set if the keyUsage extension is present.
708
709       S/MIME CA
710           The extended key usage extension must be absent or include the
711           "email protection" OID. Netscape certificate type must be absent or
712           must have the S/MIME CA bit set: this is used as a work around if
713           the basicConstraints extension is absent.
714
715       CRL Signing
716           The keyUsage extension must be absent or it must have the CRL
717           signing bit set.
718
719       CRL Signing CA
720           The normal CA tests apply. Except in this case the basicConstraints
721           extension must be present.
722

BUGS

724       Extensions in certificates are not transferred to certificate requests
725       and vice versa.
726
727       It is possible to produce invalid certificates or requests by
728       specifying the wrong private key or using inconsistent options in some
729       cases: these should be checked.
730
731       There should be options to explicitly set such things as start and end
732       dates rather than an offset from the current time.
733

SEE ALSO

735       req(1), ca(1), genrsa(1), gendsa(1), verify(1), x509v3_config(5)
736

HISTORY

738       The hash algorithm used in the -subject_hash and -issuer_hash options
739       before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the
740       encoding of the distinguished name. In OpenSSL 1.0.0 and later it is
741       based on a canonical version of the DN using SHA1. This means that any
742       directories using the old form must have their links rebuilt using
743       c_rehash or similar.
744
746       Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
747
748       Licensed under the OpenSSL license (the "License").  You may not use
749       this file except in compliance with the License.  You can obtain a copy
750       in the file LICENSE in the source distribution or at
751       <https://www.openssl.org/source/license.html>.
752
753
754
7551.1.1c                            2019-05-28                           X509(1)
Impressum