1X509(1)                             OpenSSL                            X509(1)
2
3
4

NAME

6       x509 - Certificate display and signing utility
7

SYNOPSIS

9       openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform
10       DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out
11       filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid]
12       [-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri]
13       [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus]
14       [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust]
15       [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days
16       arg] [-set_serial n] [-signkey filename] [-passin arg] [-x509toreq]
17       [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial
18       filename] [-force_pubkey key] [-text] [-certopt option] [-C]
19       [-md2|-md5|-sha1|-mdc2] [-clrext] [-extfile filename] [-extensions
20       section] [-engine id]
21

DESCRIPTION

23       The x509 command is a multi purpose certificate utility. It can be used
24       to display certificate information, convert certificates to various
25       forms, sign certificate requests like a "mini CA" or edit certificate
26       trust settings.
27
28       Since there are a large number of options they will split up into
29       various sections.
30

OPTIONS

32   INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS
33       -inform DER|PEM|NET
34           This specifies the input format normally the command will expect an
35           X509 certificate but this can change if other options such as -req
36           are present. The DER format is the DER encoding of the certificate
37           and PEM is the base64 encoding of the DER encoding with header and
38           footer lines added. The NET option is an obscure Netscape server
39           format that is now obsolete.
40
41       -outform DER|PEM|NET
42           This specifies the output format, the options have the same meaning
43           as the -inform option.
44
45       -in filename
46           This specifies the input filename to read a certificate from or
47           standard input if this option is not specified.
48
49       -out filename
50           This specifies the output filename to write to or standard output
51           by default.
52
53       -md2|-md5|-sha1|-mdc2
54           the digest to use. This affects any signing or display option that
55           uses a message digest, such as the -fingerprint, -signkey and -CA
56           options. If not specified then SHA1 is used. If the key being used
57           to sign with is a DSA key then this option has no effect: SHA1 is
58           always used with DSA keys.  For full list of digests see openssl
59           dgst -h output.
60
61       -engine id
62           specifying an engine (by its unique id string) will cause x509 to
63           attempt to obtain a functional reference to the specified engine,
64           thus initialising it if needed. The engine will then be set as the
65           default for all available algorithms.
66
67   DISPLAY OPTIONS
68       Note: the -alias and -purpose options are also display options but are
69       described in the TRUST SETTINGS section.
70
71       -text
72           prints out the certificate in text form. Full details are output
73           including the public key, signature algorithms, issuer and subject
74           names, serial number any extensions present and any trust settings.
75
76       -certopt option
77           customise the output format used with -text. The option argument
78           can be a single option or multiple options separated by commas. The
79           -certopt switch may be also be used more than once to set multiple
80           options. See the TEXT OPTIONS section for more information.
81
82       -noout
83           this option prevents output of the encoded version of the request.
84
85       -pubkey
86           outputs the the certificate's SubjectPublicKeyInfo block in PEM
87           format.
88
89       -modulus
90           this option prints out the value of the modulus of the public key
91           contained in the certificate.
92
93       -serial
94           outputs the certificate serial number.
95
96       -subject_hash
97           outputs the "hash" of the certificate subject name. This is used in
98           OpenSSL to form an index to allow certificates in a directory to be
99           looked up by subject name.
100
101       -issuer_hash
102           outputs the "hash" of the certificate issuer name.
103
104       -ocspid
105           outputs the OCSP hash values for the subject name and public key.
106
107       -hash
108           synonym for "-subject_hash" for backward compatibility reasons.
109
110       -subject_hash_old
111           outputs the "hash" of the certificate subject name using the older
112           algorithm as used by OpenSSL versions before 1.0.0.
113
114       -issuer_hash_old
115           outputs the "hash" of the certificate issuer name using the older
116           algorithm as used by OpenSSL versions before 1.0.0.
117
118       -subject
119           outputs the subject name.
120
121       -issuer
122           outputs the issuer name.
123
124       -nameopt option
125           option which determines how the subject or issuer names are
126           displayed. The option argument can be a single option or multiple
127           options separated by commas.  Alternatively the -nameopt switch may
128           be used more than once to set multiple options. See the NAME
129           OPTIONS section for more information.
130
131       -email
132           outputs the email address(es) if any.
133
134       -ocsp_uri
135           outputs the OCSP responder address(es) if any.
136
137       -startdate
138           prints out the start date of the certificate, that is the notBefore
139           date.
140
141       -enddate
142           prints out the expiry date of the certificate, that is the notAfter
143           date.
144
145       -dates
146           prints out the start and expiry dates of a certificate.
147
148       -checkend arg
149           checks if the certificate expires within the next arg seconds and
150           exits non-zero if yes it will expire or zero if not.
151
152       -fingerprint
153           prints out the digest of the DER encoded version of the whole
154           certificate (see digest options).
155
156       -C  this outputs the certificate in the form of a C source file.
157
158   TRUST SETTINGS
159       Please note these options are currently experimental and may well
160       change.
161
162       A trusted certificate is an ordinary certificate which has several
163       additional pieces of information attached to it such as the permitted
164       and prohibited uses of the certificate and an "alias".
165
166       Normally when a certificate is being verified at least one certificate
167       must be "trusted". By default a trusted certificate must be stored
168       locally and must be a root CA: any certificate chain ending in this CA
169       is then usable for any purpose.
170
171       Trust settings currently are only used with a root CA. They allow a
172       finer control over the purposes the root CA can be used for. For
173       example a CA may be trusted for SSL client but not SSL server use.
174
175       See the description of the verify utility for more information on the
176       meaning of trust settings.
177
178       Future versions of OpenSSL will recognize trust settings on any
179       certificate: not just root CAs.
180
181       -trustout
182           this causes x509 to output a trusted certificate. An ordinary or
183           trusted certificate can be input but by default an ordinary
184           certificate is output and any trust settings are discarded. With
185           the -trustout option a trusted certificate is output. A trusted
186           certificate is automatically output if any trust settings are
187           modified.
188
189       -setalias arg
190           sets the alias of the certificate. This will allow the certificate
191           to be referred to using a nickname for example "Steve's
192           Certificate".
193
194       -alias
195           outputs the certificate alias, if any.
196
197       -clrtrust
198           clears all the permitted or trusted uses of the certificate.
199
200       -clrreject
201           clears all the prohibited or rejected uses of the certificate.
202
203       -addtrust arg
204           adds a trusted certificate use. Any object name can be used here
205           but currently only clientAuth (SSL client use), serverAuth (SSL
206           server use) and emailProtection (S/MIME email) are used.  Other
207           OpenSSL applications may define additional uses.
208
209       -addreject arg
210           adds a prohibited use. It accepts the same values as the -addtrust
211           option.
212
213       -purpose
214           this option performs tests on the certificate extensions and
215           outputs the results. For a more complete description see the
216           CERTIFICATE EXTENSIONS section.
217
218   SIGNING OPTIONS
219       The x509 utility can be used to sign certificates and requests: it can
220       thus behave like a "mini CA".
221
222       -signkey filename
223           this option causes the input file to be self signed using the
224           supplied private key.
225
226           If the input file is a certificate it sets the issuer name to the
227           subject name (i.e.  makes it self signed) changes the public key to
228           the supplied value and changes the start and end dates. The start
229           date is set to the current time and the end date is set to a value
230           determined by the -days option. Any certificate extensions are
231           retained unless the -clrext option is supplied.
232
233           If the input is a certificate request then a self signed
234           certificate is created using the supplied private key using the
235           subject name in the request.
236
237       -passin arg
238           the key password source. For more information about the format of
239           arg see the PASS PHRASE ARGUMENTS section in openssl(1).
240
241       -clrext
242           delete any extensions from a certificate. This option is used when
243           a certificate is being created from another certificate (for
244           example with the -signkey or the -CA options). Normally all
245           extensions are retained.
246
247       -keyform PEM|DER
248           specifies the format (DER or PEM) of the private key file used in
249           the -signkey option.
250
251       -days arg
252           specifies the number of days to make a certificate valid for. The
253           default is 30 days.
254
255       -x509toreq
256           converts a certificate into a certificate request. The -signkey
257           option is used to pass the required private key.
258
259       -req
260           by default a certificate is expected on input. With this option a
261           certificate request is expected instead.
262
263       -set_serial n
264           specifies the serial number to use. This option can be used with
265           either the -signkey or -CA options. If used in conjunction with the
266           -CA option the serial number file (as specified by the -CAserial or
267           -CAcreateserial options) is not used.
268
269           The serial number can be decimal or hex (if preceded by 0x).
270           Negative serial numbers can also be specified but their use is not
271           recommended.
272
273       -CA filename
274           specifies the CA certificate to be used for signing. When this
275           option is present x509 behaves like a "mini CA". The input file is
276           signed by this CA using this option: that is its issuer name is set
277           to the subject name of the CA and it is digitally signed using the
278           CAs private key.
279
280           This option is normally combined with the -req option. Without the
281           -req option the input is a certificate which must be self signed.
282
283       -CAkey filename
284           sets the CA private key to sign a certificate with. If this option
285           is not specified then it is assumed that the CA private key is
286           present in the CA certificate file.
287
288       -CAserial filename
289           sets the CA serial number file to use.
290
291           When the -CA option is used to sign a certificate it uses a serial
292           number specified in a file. This file consist of one line
293           containing an even number of hex digits with the serial number to
294           use. After each use the serial number is incremented and written
295           out to the file again.
296
297           The default filename consists of the CA certificate file base name
298           with ".srl" appended. For example if the CA certificate file is
299           called "mycacert.pem" it expects to find a serial number file
300           called "mycacert.srl".
301
302       -CAcreateserial
303           with this option the CA serial number file is created if it does
304           not exist: it will contain the serial number "02" and the
305           certificate being signed will have the 1 as its serial number.
306           Normally if the -CA option is specified and the serial number file
307           does not exist it is an error.
308
309       -extfile filename
310           file containing certificate extensions to use. If not specified
311           then no extensions are added to the certificate.
312
313       -extensions section
314           the section to add certificate extensions from. If this option is
315           not specified then the extensions should either be contained in the
316           unnamed (default) section or the default section should contain a
317           variable called "extensions" which contains the section to use. See
318           the x509v3_config(5) manual page for details of the extension
319           section format.
320
321       -force_pubkey key
322           when a certificate is created set its public key to key instead of
323           the key in the certificate or certificate request. This option is
324           useful for creating certificates where the algorithm can't normally
325           sign requests, for example DH.
326
327           The format or key can be specified using the -keyform option.
328
329   NAME OPTIONS
330       The nameopt command line switch determines how the subject and issuer
331       names are displayed. If no nameopt switch is present the default
332       "oneline" format is used which is compatible with previous versions of
333       OpenSSL.  Each option is described in detail below, all options can be
334       preceded by a - to turn the option off. Only the first four will
335       normally be used.
336
337       compat
338           use the old format. This is equivalent to specifying no name
339           options at all.
340
341       RFC2253
342           displays names compatible with RFC2253 equivalent to esc_2253,
343           esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der,
344           sep_comma_plus, dn_rev and sname.
345
346       oneline
347           a oneline format which is more readable than RFC2253. It is
348           equivalent to specifying the  esc_2253, esc_ctrl, esc_msb, utf8,
349           dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and
350           sname options.
351
352       multiline
353           a multiline format. It is equivalent esc_ctrl, esc_msb,
354           sep_multiline, space_eq, lname and align.
355
356       esc_2253
357           escape the "special" characters required by RFC2253 in a field That
358           is ,+"<>;. Additionally # is escaped at the beginning of a string
359           and a space character at the beginning or end of a string.
360
361       esc_ctrl
362           escape control characters. That is those with ASCII values less
363           than 0x20 (space) and the delete (0x7f) character. They are escaped
364           using the RFC2253 \XX notation (where XX are two hex digits
365           representing the character value).
366
367       esc_msb
368           escape characters with the MSB set, that is with ASCII values
369           larger than 127.
370
371       use_quote
372           escapes some characters by surrounding the whole string with "
373           characters, without the option all escaping is done with the \
374           character.
375
376       utf8
377           convert all strings to UTF8 format first. This is required by
378           RFC2253. If you are lucky enough to have a UTF8 compatible terminal
379           then the use of this option (and not setting esc_msb) may result in
380           the correct display of multibyte (international) characters. Is
381           this option is not present then multibyte characters larger than
382           0xff will be represented using the format \UXXXX for 16 bits and
383           \WXXXXXXXX for 32 bits.  Also if this option is off any UTF8Strings
384           will be converted to their character form first.
385
386       ignore_type
387           this option does not attempt to interpret multibyte characters in
388           any way. That is their content octets are merely dumped as though
389           one octet represents each character. This is useful for diagnostic
390           purposes but will result in rather odd looking output.
391
392       show_type
393           show the type of the ASN1 character string. The type precedes the
394           field contents. For example "BMPSTRING: Hello World".
395
396       dump_der
397           when this option is set any fields that need to be hexdumped will
398           be dumped using the DER encoding of the field. Otherwise just the
399           content octets will be displayed. Both options use the RFC2253
400           #XXXX... format.
401
402       dump_nostr
403           dump non character string types (for example OCTET STRING) if this
404           option is not set then non character string types will be displayed
405           as though each content octet represents a single character.
406
407       dump_all
408           dump all fields. This option when used with dump_der allows the DER
409           encoding of the structure to be unambiguously determined.
410
411       dump_unknown
412           dump any field whose OID is not recognised by OpenSSL.
413
414       sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space,
415       sep_multiline
416           these options determine the field separators. The first character
417           is between RDNs and the second between multiple AVAs (multiple AVAs
418           are very rare and their use is discouraged). The options ending in
419           "space" additionally place a space after the separator to make it
420           more readable. The sep_multiline uses a linefeed character for the
421           RDN separator and a spaced + for the AVA separator. It also indents
422           the fields by four characters. If no field separator is specified
423           then sep_comma_plus_space is used by default.
424
425       dn_rev
426           reverse the fields of the DN. This is required by RFC2253. As a
427           side effect this also reverses the order of multiple AVAs but this
428           is permissible.
429
430       nofname, sname, lname, oid
431           these options alter how the field name is displayed. nofname does
432           not display the field at all. sname uses the "short name" form (CN
433           for commonName for example). lname uses the long form.  oid
434           represents the OID in numerical form and is useful for diagnostic
435           purpose.
436
437       align
438           align field values for a more readable output. Only usable with
439           sep_multiline.
440
441       space_eq
442           places spaces round the = character which follows the field name.
443
444   TEXT OPTIONS
445       As well as customising the name output format, it is also possible to
446       customise the actual fields printed using the certopt options when the
447       text option is present. The default behaviour is to print all fields.
448
449       compatible
450           use the old format. This is equivalent to specifying no output
451           options at all.
452
453       no_header
454           don't print header information: that is the lines saying
455           "Certificate" and "Data".
456
457       no_version
458           don't print out the version number.
459
460       no_serial
461           don't print out the serial number.
462
463       no_signame
464           don't print out the signature algorithm used.
465
466       no_validity
467           don't print the validity, that is the notBefore and notAfter
468           fields.
469
470       no_subject
471           don't print out the subject name.
472
473       no_issuer
474           don't print out the issuer name.
475
476       no_pubkey
477           don't print out the public key.
478
479       no_sigdump
480           don't give a hexadecimal dump of the certificate signature.
481
482       no_aux
483           don't print out certificate trust information.
484
485       no_extensions
486           don't print out any X509V3 extensions.
487
488       ext_default
489           retain default extension behaviour: attempt to print out
490           unsupported certificate extensions.
491
492       ext_error
493           print an error message for unsupported certificate extensions.
494
495       ext_parse
496           ASN1 parse unsupported extensions.
497
498       ext_dump
499           hex dump unsupported extensions.
500
501       ca_default
502           the value used by the ca utility, equivalent to no_issuer,
503           no_pubkey, no_header, and no_version.
504

EXAMPLES

506       Note: in these examples the '\' means the example should be all on one
507       line.
508
509       Display the contents of a certificate:
510
511        openssl x509 -in cert.pem -noout -text
512
513       Display the certificate serial number:
514
515        openssl x509 -in cert.pem -noout -serial
516
517       Display the certificate subject name:
518
519        openssl x509 -in cert.pem -noout -subject
520
521       Display the certificate subject name in RFC2253 form:
522
523        openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
524
525       Display the certificate subject name in oneline form on a terminal
526       supporting UTF8:
527
528        openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
529
530       Display the certificate MD5 fingerprint:
531
532        openssl x509 -in cert.pem -noout -fingerprint
533
534       Display the certificate SHA1 fingerprint:
535
536        openssl x509 -sha1 -in cert.pem -noout -fingerprint
537
538       Convert a certificate from PEM to DER format:
539
540        openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
541
542       Convert a certificate to a certificate request:
543
544        openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
545
546       Convert a certificate request into a self signed certificate using
547       extensions for a CA:
548
549        openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
550               -signkey key.pem -out cacert.pem
551
552       Sign a certificate request using the CA certificate above and add user
553       certificate extensions:
554
555        openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
556               -CA cacert.pem -CAkey key.pem -CAcreateserial
557
558       Set a certificate to be trusted for SSL client use and change set its
559       alias to "Steve's Class 1 CA"
560
561        openssl x509 -in cert.pem -addtrust clientAuth \
562               -setalias "Steve's Class 1 CA" -out trust.pem
563

NOTES

565       The PEM format uses the header and footer lines:
566
567        -----BEGIN CERTIFICATE-----
568        -----END CERTIFICATE-----
569
570       it will also handle files containing:
571
572        -----BEGIN X509 CERTIFICATE-----
573        -----END X509 CERTIFICATE-----
574
575       Trusted certificates have the lines
576
577        -----BEGIN TRUSTED CERTIFICATE-----
578        -----END TRUSTED CERTIFICATE-----
579
580       The conversion to UTF8 format used with the name options assumes that
581       T61Strings use the ISO8859-1 character set. This is wrong but Netscape
582       and MSIE do this as do many certificates. So although this is incorrect
583       it is more likely to display the majority of certificates correctly.
584
585       The -fingerprint option takes the digest of the DER encoded
586       certificate.  This is commonly called a "fingerprint". Because of the
587       nature of message digests the fingerprint of a certificate is unique to
588       that certificate and two certificates with the same fingerprint can be
589       considered to be the same.
590
591       The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
592
593       The -email option searches the subject name and the subject alternative
594       name extension. Only unique email addresses will be printed out: it
595       will not print the same address more than once.
596

CERTIFICATE EXTENSIONS

598       The -purpose option checks the certificate extensions and determines
599       what the certificate can be used for. The actual checks done are rather
600       complex and include various hacks and workarounds to handle broken
601       certificates and software.
602
603       The same code is used when verifying untrusted certificates in chains
604       so this section is useful if a chain is rejected by the verify code.
605
606       The basicConstraints extension CA flag is used to determine whether the
607       certificate can be used as a CA. If the CA flag is true then it is a
608       CA, if the CA flag is false then it is not a CA. All CAs should have
609       the CA flag set to true.
610
611       If the basicConstraints extension is absent then the certificate is
612       considered to be a "possible CA" other extensions are checked according
613       to the intended use of the certificate. A warning is given in this case
614       because the certificate should really not be regarded as a CA: however
615       it is allowed to be a CA to work around some broken software.
616
617       If the certificate is a V1 certificate (and thus has no extensions) and
618       it is self signed it is also assumed to be a CA but a warning is again
619       given: this is to work around the problem of Verisign roots which are
620       V1 self signed certificates.
621
622       If the keyUsage extension is present then additional restraints are
623       made on the uses of the certificate. A CA certificate must have the
624       keyCertSign bit set if the keyUsage extension is present.
625
626       The extended key usage extension places additional restrictions on the
627       certificate uses. If this extension is present (whether critical or
628       not) the key can only be used for the purposes specified.
629
630       A complete description of each test is given below. The comments about
631       basicConstraints and keyUsage and V1 certificates above apply to all CA
632       certificates.
633
634       SSL Client
635           The extended key usage extension must be absent or include the "web
636           client authentication" OID.  keyUsage must be absent or it must
637           have the digitalSignature bit set. Netscape certificate type must
638           be absent or it must have the SSL client bit set.
639
640       SSL Client CA
641           The extended key usage extension must be absent or include the "web
642           client authentication" OID. Netscape certificate type must be
643           absent or it must have the SSL CA bit set: this is used as a work
644           around if the basicConstraints extension is absent.
645
646       SSL Server
647           The extended key usage extension must be absent or include the "web
648           server authentication" and/or one of the SGC OIDs.  keyUsage must
649           be absent or it must have the digitalSignature, the keyEncipherment
650           set or both bits set.  Netscape certificate type must be absent or
651           have the SSL server bit set.
652
653       SSL Server CA
654           The extended key usage extension must be absent or include the "web
655           server authentication" and/or one of the SGC OIDs.  Netscape
656           certificate type must be absent or the SSL CA bit must be set: this
657           is used as a work around if the basicConstraints extension is
658           absent.
659
660       Netscape SSL Server
661           For Netscape SSL clients to connect to an SSL server it must have
662           the keyEncipherment bit set if the keyUsage extension is present.
663           This isn't always valid because some cipher suites use the key for
664           digital signing.  Otherwise it is the same as a normal SSL server.
665
666       Common S/MIME Client Tests
667           The extended key usage extension must be absent or include the
668           "email protection" OID. Netscape certificate type must be absent or
669           should have the S/MIME bit set. If the S/MIME bit is not set in
670           netscape certificate type then the SSL client bit is tolerated as
671           an alternative but a warning is shown: this is because some
672           Verisign certificates don't set the S/MIME bit.
673
674       S/MIME Signing
675           In addition to the common S/MIME client tests the digitalSignature
676           bit must be set if the keyUsage extension is present.
677
678       S/MIME Encryption
679           In addition to the common S/MIME tests the keyEncipherment bit must
680           be set if the keyUsage extension is present.
681
682       S/MIME CA
683           The extended key usage extension must be absent or include the
684           "email protection" OID. Netscape certificate type must be absent or
685           must have the S/MIME CA bit set: this is used as a work around if
686           the basicConstraints extension is absent.
687
688       CRL Signing
689           The keyUsage extension must be absent or it must have the CRL
690           signing bit set.
691
692       CRL Signing CA
693           The normal CA tests apply. Except in this case the basicConstraints
694           extension must be present.
695

BUGS

697       Extensions in certificates are not transferred to certificate requests
698       and vice versa.
699
700       It is possible to produce invalid certificates or requests by
701       specifying the wrong private key or using inconsistent options in some
702       cases: these should be checked.
703
704       There should be options to explicitly set such things as start and end
705       dates rather than an offset from the current time.
706
707       The code to implement the verify behaviour described in the TRUST
708       SETTINGS is currently being developed. It thus describes the intended
709       behaviour rather than the current behaviour. It is hoped that it will
710       represent reality in OpenSSL 0.9.5 and later.
711

SEE ALSO

713       req(1), ca(1), genrsa(1), gendsa(1), verify(1), x509v3_config(5)
714

HISTORY

716       Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
717
718       The hash algorithm used in the -subject_hash and -issuer_hash options
719       before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the
720       encoding of the distinguished name. In OpenSSL 1.0.0 and later it is
721       based on a canonical version of the DN using SHA1. This means that any
722       directories using the old form must have their links rebuilt using
723       c_rehash or similar.
724
725
726
7271.0.2k                            2019-03-12                           X509(1)
Impressum