1X509(1)                             OpenSSL                            X509(1)
2
3
4

NAME

6       openssl-x509, x509 - Certificate display and signing utility
7

SYNOPSIS

9       openssl x509 [-help] [-inform DER|PEM] [-outform DER|PEM] [-keyform
10       DER|PEM|ENGINE] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename]
11       [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash]
12       [-ocspid] [-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri]
13       [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus]
14       [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust]
15       [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days
16       arg] [-set_serial n] [-signkey arg] [-passin arg] [-x509toreq] [-req]
17       [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename]
18       [-force_pubkey key] [-text] [-ext extensions] [-certopt option] [-C]
19       [-digest] [-clrext] [-extfile filename] [-extensions section] [-sigopt
20       nm:v] [-rand file...]  [-writerand file] [-engine id] [-preserve_dates]
21

DESCRIPTION

23       The x509 command is a multi purpose certificate utility. It can be used
24       to display certificate information, convert certificates to various
25       forms, sign certificate requests like a "mini CA" or edit certificate
26       trust settings.
27
28       Since there are a large number of options they will split up into
29       various sections.
30

OPTIONS

32   Input, Output, and General Purpose Options
33       -help
34           Print out a usage message.
35
36       -inform DER|PEM
37           This specifies the input format normally the command will expect an
38           X509 certificate but this can change if other options such as -req
39           are present. The DER format is the DER encoding of the certificate
40           and PEM is the base64 encoding of the DER encoding with header and
41           footer lines added. The default format is PEM.
42
43       -outform DER|PEM
44           This specifies the output format, the options have the same meaning
45           and default as the -inform option.
46
47       -in filename
48           This specifies the input filename to read a certificate from or
49           standard input if this option is not specified.
50
51       -out filename
52           This specifies the output filename to write to or standard output
53           by default.
54
55       -digest
56           The digest to use.  This affects any signing or display option that
57           uses a message digest, such as the -fingerprint, -signkey and -CA
58           options.  Any digest supported by the OpenSSL dgst command can be
59           used.  If not specified then SHA1 is used with -fingerprint or the
60           default digest for the signing algorithm is used, typically SHA256.
61
62       -rand file...
63           A file or files containing random data used to seed the random
64           number generator.  Multiple files can be specified separated by an
65           OS-dependent character.  The separator is ; for MS-Windows, , for
66           OpenVMS, and : for all others.
67
68       [-writerand file]
69           Writes random data to the specified file upon exit.  This can be
70           used with a subsequent -rand flag.
71
72       -engine id
73           Specifying an engine (by its unique id string) will cause x509 to
74           attempt to obtain a functional reference to the specified engine,
75           thus initialising it if needed. The engine will then be set as the
76           default for all available algorithms.
77
78       -preserve_dates
79           When signing a certificate, preserve the "notBefore" and "notAfter"
80           dates instead of adjusting them to current time and duration.
81           Cannot be used with the -days option.
82
83   Display Options
84       Note: the -alias and -purpose options are also display options but are
85       described in the TRUST SETTINGS section.
86
87       -text
88           Prints out the certificate in text form. Full details are output
89           including the public key, signature algorithms, issuer and subject
90           names, serial number any extensions present and any trust settings.
91
92       -ext extensions
93           Prints out the certificate extensions in text form. Extensions are
94           specified with a comma separated string, e.g.,
95           "subjectAltName,subjectKeyIdentifier".  See the x509v3_config(5)
96           manual page for the extension names.
97
98       -certopt option
99           Customise the output format used with -text. The option argument
100           can be a single option or multiple options separated by commas. The
101           -certopt switch may be also be used more than once to set multiple
102           options. See the TEXT OPTIONS section for more information.
103
104       -noout
105           This option prevents output of the encoded version of the
106           certificate.
107
108       -pubkey
109           Outputs the certificate's SubjectPublicKeyInfo block in PEM format.
110
111       -modulus
112           This option prints out the value of the modulus of the public key
113           contained in the certificate.
114
115       -serial
116           Outputs the certificate serial number.
117
118       -subject_hash
119           Outputs the "hash" of the certificate subject name. This is used in
120           OpenSSL to form an index to allow certificates in a directory to be
121           looked up by subject name.
122
123       -issuer_hash
124           Outputs the "hash" of the certificate issuer name.
125
126       -ocspid
127           Outputs the OCSP hash values for the subject name and public key.
128
129       -hash
130           Synonym for "-subject_hash" for backward compatibility reasons.
131
132       -subject_hash_old
133           Outputs the "hash" of the certificate subject name using the older
134           algorithm as used by OpenSSL before version 1.0.0.
135
136       -issuer_hash_old
137           Outputs the "hash" of the certificate issuer name using the older
138           algorithm as used by OpenSSL before version 1.0.0.
139
140       -subject
141           Outputs the subject name.
142
143       -issuer
144           Outputs the issuer name.
145
146       -nameopt option
147           Option which determines how the subject or issuer names are
148           displayed. The option argument can be a single option or multiple
149           options separated by commas.  Alternatively the -nameopt switch may
150           be used more than once to set multiple options. See the NAME
151           OPTIONS section for more information.
152
153       -email
154           Outputs the email address(es) if any.
155
156       -ocsp_uri
157           Outputs the OCSP responder address(es) if any.
158
159       -startdate
160           Prints out the start date of the certificate, that is the notBefore
161           date.
162
163       -enddate
164           Prints out the expiry date of the certificate, that is the notAfter
165           date.
166
167       -dates
168           Prints out the start and expiry dates of a certificate.
169
170       -checkend arg
171           Checks if the certificate expires within the next arg seconds and
172           exits nonzero if yes it will expire or zero if not.
173
174       -fingerprint
175           Calculates and outputs the digest of the DER encoded version of the
176           entire certificate (see digest options).  This is commonly called a
177           "fingerprint". Because of the nature of message digests, the
178           fingerprint of a certificate is unique to that certificate and two
179           certificates with the same fingerprint can be considered to be the
180           same.
181
182       -C  This outputs the certificate in the form of a C source file.
183
184   Trust Settings
185       A trusted certificate is an ordinary certificate which has several
186       additional pieces of information attached to it such as the permitted
187       and prohibited uses of the certificate and an "alias".
188
189       Normally when a certificate is being verified at least one certificate
190       must be "trusted". By default a trusted certificate must be stored
191       locally and must be a root CA: any certificate chain ending in this CA
192       is then usable for any purpose.
193
194       Trust settings currently are only used with a root CA. They allow a
195       finer control over the purposes the root CA can be used for. For
196       example a CA may be trusted for SSL client but not SSL server use.
197
198       See the description of the verify utility for more information on the
199       meaning of trust settings.
200
201       Future versions of OpenSSL will recognize trust settings on any
202       certificate: not just root CAs.
203
204       -trustout
205           This causes x509 to output a trusted certificate. An ordinary or
206           trusted certificate can be input but by default an ordinary
207           certificate is output and any trust settings are discarded. With
208           the -trustout option a trusted certificate is output. A trusted
209           certificate is automatically output if any trust settings are
210           modified.
211
212       -setalias arg
213           Sets the alias of the certificate. This will allow the certificate
214           to be referred to using a nickname for example "Steve's
215           Certificate".
216
217       -alias
218           Outputs the certificate alias, if any.
219
220       -clrtrust
221           Clears all the permitted or trusted uses of the certificate.
222
223       -clrreject
224           Clears all the prohibited or rejected uses of the certificate.
225
226       -addtrust arg
227           Adds a trusted certificate use.  Any object name can be used here
228           but currently only clientAuth (SSL client use), serverAuth (SSL
229           server use), emailProtection (S/MIME email) and anyExtendedKeyUsage
230           are used.  As of OpenSSL 1.1.0, the last of these blocks all
231           purposes when rejected or enables all purposes when trusted.  Other
232           OpenSSL applications may define additional uses.
233
234       -addreject arg
235           Adds a prohibited use. It accepts the same values as the -addtrust
236           option.
237
238       -purpose
239           This option performs tests on the certificate extensions and
240           outputs the results. For a more complete description see the
241           CERTIFICATE EXTENSIONS section.
242
243   Signing Options
244       The x509 utility can be used to sign certificates and requests: it can
245       thus behave like a "mini CA".
246
247       -signkey arg
248           This option causes the input file to be self signed using the
249           supplied private key or engine. The private key's format is
250           specified with the -keyform option.
251
252           If the input file is a certificate it sets the issuer name to the
253           subject name (i.e.  makes it self signed) changes the public key to
254           the supplied value and changes the start and end dates. The start
255           date is set to the current time and the end date is set to a value
256           determined by the -days option. Any certificate extensions are
257           retained unless the -clrext option is supplied; this includes, for
258           example, any existing key identifier extensions.
259
260           If the input is a certificate request then a self signed
261           certificate is created using the supplied private key using the
262           subject name in the request.
263
264       -sigopt nm:v
265           Pass options to the signature algorithm during sign or verify
266           operations.  Names and values of these options are algorithm-
267           specific.
268
269       -passin arg
270           The key password source. For more information about the format of
271           arg see "Pass Phrase Options" in openssl(1).
272
273       -clrext
274           Delete any extensions from a certificate. This option is used when
275           a certificate is being created from another certificate (for
276           example with the -signkey or the -CA options). Normally all
277           extensions are retained.
278
279       -keyform PEM|DER|ENGINE
280           Specifies the format (DER or PEM) of the private key file used in
281           the -signkey option.
282
283       -days arg
284           Specifies the number of days to make a certificate valid for. The
285           default is 30 days. Cannot be used with the -preserve_dates option.
286
287       -x509toreq
288           Converts a certificate into a certificate request. The -signkey
289           option is used to pass the required private key.
290
291       -req
292           By default a certificate is expected on input. With this option a
293           certificate request is expected instead.
294
295       -set_serial n
296           Specifies the serial number to use. This option can be used with
297           either the -signkey or -CA options. If used in conjunction with the
298           -CA option the serial number file (as specified by the -CAserial or
299           -CAcreateserial options) is not used.
300
301           The serial number can be decimal or hex (if preceded by 0x).
302
303       -CA filename
304           Specifies the CA certificate to be used for signing. When this
305           option is present x509 behaves like a "mini CA". The input file is
306           signed by this CA using this option: that is its issuer name is set
307           to the subject name of the CA and it is digitally signed using the
308           CAs private key.
309
310           This option is normally combined with the -req option. Without the
311           -req option the input is a certificate which must be self signed.
312
313       -CAkey filename
314           Sets the CA private key to sign a certificate with. If this option
315           is not specified then it is assumed that the CA private key is
316           present in the CA certificate file.
317
318       -CAserial filename
319           Sets the CA serial number file to use.
320
321           When the -CA option is used to sign a certificate it uses a serial
322           number specified in a file. This file consists of one line
323           containing an even number of hex digits with the serial number to
324           use. After each use the serial number is incremented and written
325           out to the file again.
326
327           The default filename consists of the CA certificate file base name
328           with ".srl" appended. For example if the CA certificate file is
329           called "mycacert.pem" it expects to find a serial number file
330           called "mycacert.srl".
331
332       -CAcreateserial
333           With this option the CA serial number file is created if it does
334           not exist: it will contain the serial number "02" and the
335           certificate being signed will have the 1 as its serial number. If
336           the -CA option is specified and the serial number file does not
337           exist a random number is generated; this is the recommended
338           practice.
339
340       -extfile filename
341           File containing certificate extensions to use. If not specified
342           then no extensions are added to the certificate.
343
344       -extensions section
345           The section to add certificate extensions from. If this option is
346           not specified then the extensions should either be contained in the
347           unnamed (default) section or the default section should contain a
348           variable called "extensions" which contains the section to use. See
349           the x509v3_config(5) manual page for details of the extension
350           section format.
351
352       -force_pubkey key
353           When a certificate is created set its public key to key instead of
354           the key in the certificate or certificate request. This option is
355           useful for creating certificates where the algorithm can't normally
356           sign requests, for example DH.
357
358           The format or key can be specified using the -keyform option.
359
360   Name Options
361       The nameopt command line switch determines how the subject and issuer
362       names are displayed. If no nameopt switch is present the default
363       "oneline" format is used which is compatible with previous versions of
364       OpenSSL.  Each option is described in detail below, all options can be
365       preceded by a - to turn the option off. Only the first four will
366       normally be used.
367
368       compat
369           Use the old format.
370
371       RFC2253
372           Displays names compatible with RFC2253 equivalent to esc_2253,
373           esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der,
374           sep_comma_plus, dn_rev and sname.
375
376       oneline
377           A oneline format which is more readable than RFC2253. It is
378           equivalent to specifying the  esc_2253, esc_ctrl, esc_msb, utf8,
379           dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and
380           sname options.  This is the default of no name options are given
381           explicitly.
382
383       multiline
384           A multiline format. It is equivalent esc_ctrl, esc_msb,
385           sep_multiline, space_eq, lname and align.
386
387       esc_2253
388           Escape the "special" characters required by RFC2253 in a field.
389           That is ,+"<>;. Additionally # is escaped at the beginning of a
390           string and a space character at the beginning or end of a string.
391
392       esc_2254
393           Escape the "special" characters required by RFC2254 in a field.
394           That is the NUL character as well as and ()*.
395
396       esc_ctrl
397           Escape control characters. That is those with ASCII values less
398           than 0x20 (space) and the delete (0x7f) character. They are escaped
399           using the RFC2253 \XX notation (where XX are two hex digits
400           representing the character value).
401
402       esc_msb
403           Escape characters with the MSB set, that is with ASCII values
404           larger than 127.
405
406       use_quote
407           Escapes some characters by surrounding the whole string with "
408           characters, without the option all escaping is done with the \
409           character.
410
411       utf8
412           Convert all strings to UTF8 format first. This is required by
413           RFC2253. If you are lucky enough to have a UTF8 compatible terminal
414           then the use of this option (and not setting esc_msb) may result in
415           the correct display of multibyte (international) characters. Is
416           this option is not present then multibyte characters larger than
417           0xff will be represented using the format \UXXXX for 16 bits and
418           \WXXXXXXXX for 32 bits.  Also if this option is off any UTF8Strings
419           will be converted to their character form first.
420
421       ignore_type
422           This option does not attempt to interpret multibyte characters in
423           any way. That is their content octets are merely dumped as though
424           one octet represents each character. This is useful for diagnostic
425           purposes but will result in rather odd looking output.
426
427       show_type
428           Show the type of the ASN1 character string. The type precedes the
429           field contents. For example "BMPSTRING: Hello World".
430
431       dump_der
432           When this option is set any fields that need to be hexdumped will
433           be dumped using the DER encoding of the field. Otherwise just the
434           content octets will be displayed. Both options use the RFC2253
435           #XXXX... format.
436
437       dump_nostr
438           Dump non character string types (for example OCTET STRING) if this
439           option is not set then non character string types will be displayed
440           as though each content octet represents a single character.
441
442       dump_all
443           Dump all fields. This option when used with dump_der allows the DER
444           encoding of the structure to be unambiguously determined.
445
446       dump_unknown
447           Dump any field whose OID is not recognised by OpenSSL.
448
449       sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space,
450       sep_multiline
451           These options determine the field separators. The first character
452           is between RDNs and the second between multiple AVAs (multiple AVAs
453           are very rare and their use is discouraged). The options ending in
454           "space" additionally place a space after the separator to make it
455           more readable. The sep_multiline uses a linefeed character for the
456           RDN separator and a spaced + for the AVA separator. It also indents
457           the fields by four characters. If no field separator is specified
458           then sep_comma_plus_space is used by default.
459
460       dn_rev
461           Reverse the fields of the DN. This is required by RFC2253. As a
462           side effect this also reverses the order of multiple AVAs but this
463           is permissible.
464
465       nofname, sname, lname, oid
466           These options alter how the field name is displayed. nofname does
467           not display the field at all. sname uses the "short name" form (CN
468           for commonName for example). lname uses the long form.  oid
469           represents the OID in numerical form and is useful for diagnostic
470           purpose.
471
472       align
473           Align field values for a more readable output. Only usable with
474           sep_multiline.
475
476       space_eq
477           Places spaces round the = character which follows the field name.
478
479   Text Options
480       As well as customising the name output format, it is also possible to
481       customise the actual fields printed using the certopt options when the
482       text option is present. The default behaviour is to print all fields.
483
484       compatible
485           Use the old format. This is equivalent to specifying no output
486           options at all.
487
488       no_header
489           Don't print header information: that is the lines saying
490           "Certificate" and "Data".
491
492       no_version
493           Don't print out the version number.
494
495       no_serial
496           Don't print out the serial number.
497
498       no_signame
499           Don't print out the signature algorithm used.
500
501       no_validity
502           Don't print the validity, that is the notBefore and notAfter
503           fields.
504
505       no_subject
506           Don't print out the subject name.
507
508       no_issuer
509           Don't print out the issuer name.
510
511       no_pubkey
512           Don't print out the public key.
513
514       no_sigdump
515           Don't give a hexadecimal dump of the certificate signature.
516
517       no_aux
518           Don't print out certificate trust information.
519
520       no_extensions
521           Don't print out any X509V3 extensions.
522
523       ext_default
524           Retain default extension behaviour: attempt to print out
525           unsupported certificate extensions.
526
527       ext_error
528           Print an error message for unsupported certificate extensions.
529
530       ext_parse
531           ASN1 parse unsupported extensions.
532
533       ext_dump
534           Hex dump unsupported extensions.
535
536       ca_default
537           The value used by the ca utility, equivalent to no_issuer,
538           no_pubkey, no_header, and no_version.
539

EXAMPLES

541       Note: in these examples the '\' means the example should be all on one
542       line.
543
544       Display the contents of a certificate:
545
546        openssl x509 -in cert.pem -noout -text
547
548       Display the "Subject Alternative Name" extension of a certificate:
549
550        openssl x509 -in cert.pem -noout -ext subjectAltName
551
552       Display more extensions of a certificate:
553
554        openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
555
556       Display the certificate serial number:
557
558        openssl x509 -in cert.pem -noout -serial
559
560       Display the certificate subject name:
561
562        openssl x509 -in cert.pem -noout -subject
563
564       Display the certificate subject name in RFC2253 form:
565
566        openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
567
568       Display the certificate subject name in oneline form on a terminal
569       supporting UTF8:
570
571        openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
572
573       Display the certificate SHA1 fingerprint:
574
575        openssl x509 -sha1 -in cert.pem -noout -fingerprint
576
577       Convert a certificate from PEM to DER format:
578
579        openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
580
581       Convert a certificate to a certificate request:
582
583        openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
584
585       Convert a certificate request into a self signed certificate using
586       extensions for a CA:
587
588        openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
589               -signkey key.pem -out cacert.pem
590
591       Sign a certificate request using the CA certificate above and add user
592       certificate extensions:
593
594        openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
595               -CA cacert.pem -CAkey key.pem -CAcreateserial
596
597       Set a certificate to be trusted for SSL client use and change set its
598       alias to "Steve's Class 1 CA"
599
600        openssl x509 -in cert.pem -addtrust clientAuth \
601               -setalias "Steve's Class 1 CA" -out trust.pem
602

NOTES

604       The PEM format uses the header and footer lines:
605
606        -----BEGIN CERTIFICATE-----
607        -----END CERTIFICATE-----
608
609       it will also handle files containing:
610
611        -----BEGIN X509 CERTIFICATE-----
612        -----END X509 CERTIFICATE-----
613
614       Trusted certificates have the lines
615
616        -----BEGIN TRUSTED CERTIFICATE-----
617        -----END TRUSTED CERTIFICATE-----
618
619       The conversion to UTF8 format used with the name options assumes that
620       T61Strings use the ISO8859-1 character set. This is wrong but Netscape
621       and MSIE do this as do many certificates. So although this is incorrect
622       it is more likely to display the majority of certificates correctly.
623
624       The -email option searches the subject name and the subject alternative
625       name extension. Only unique email addresses will be printed out: it
626       will not print the same address more than once.
627

CERTIFICATE EXTENSIONS

629       The -purpose option checks the certificate extensions and determines
630       what the certificate can be used for. The actual checks done are rather
631       complex and include various hacks and workarounds to handle broken
632       certificates and software.
633
634       The same code is used when verifying untrusted certificates in chains
635       so this section is useful if a chain is rejected by the verify code.
636
637       The basicConstraints extension CA flag is used to determine whether the
638       certificate can be used as a CA. If the CA flag is true then it is a
639       CA, if the CA flag is false then it is not a CA. All CAs should have
640       the CA flag set to true.
641
642       If the basicConstraints extension is absent then the certificate is
643       considered to be a "possible CA" other extensions are checked according
644       to the intended use of the certificate. A warning is given in this case
645       because the certificate should really not be regarded as a CA: however
646       it is allowed to be a CA to work around some broken software.
647
648       If the certificate is a V1 certificate (and thus has no extensions) and
649       it is self signed it is also assumed to be a CA but a warning is again
650       given: this is to work around the problem of Verisign roots which are
651       V1 self signed certificates.
652
653       If the keyUsage extension is present then additional restraints are
654       made on the uses of the certificate. A CA certificate must have the
655       keyCertSign bit set if the keyUsage extension is present.
656
657       The extended key usage extension places additional restrictions on the
658       certificate uses. If this extension is present (whether critical or
659       not) the key can only be used for the purposes specified.
660
661       A complete description of each test is given below. The comments about
662       basicConstraints and keyUsage and V1 certificates above apply to all CA
663       certificates.
664
665       SSL Client
666           The extended key usage extension must be absent or include the "web
667           client authentication" OID.  keyUsage must be absent or it must
668           have the digitalSignature bit set. Netscape certificate type must
669           be absent or it must have the SSL client bit set.
670
671       SSL Client CA
672           The extended key usage extension must be absent or include the "web
673           client authentication" OID. Netscape certificate type must be
674           absent or it must have the SSL CA bit set: this is used as a work
675           around if the basicConstraints extension is absent.
676
677       SSL Server
678           The extended key usage extension must be absent or include the "web
679           server authentication" and/or one of the SGC OIDs.  keyUsage must
680           be absent or it must have the digitalSignature, the keyEncipherment
681           set or both bits set.  Netscape certificate type must be absent or
682           have the SSL server bit set.
683
684       SSL Server CA
685           The extended key usage extension must be absent or include the "web
686           server authentication" and/or one of the SGC OIDs.  Netscape
687           certificate type must be absent or the SSL CA bit must be set: this
688           is used as a work around if the basicConstraints extension is
689           absent.
690
691       Netscape SSL Server
692           For Netscape SSL clients to connect to an SSL server it must have
693           the keyEncipherment bit set if the keyUsage extension is present.
694           This isn't always valid because some cipher suites use the key for
695           digital signing.  Otherwise it is the same as a normal SSL server.
696
697       Common S/MIME Client Tests
698           The extended key usage extension must be absent or include the
699           "email protection" OID. Netscape certificate type must be absent or
700           should have the S/MIME bit set. If the S/MIME bit is not set in
701           Netscape certificate type then the SSL client bit is tolerated as
702           an alternative but a warning is shown: this is because some
703           Verisign certificates don't set the S/MIME bit.
704
705       S/MIME Signing
706           In addition to the common S/MIME client tests the digitalSignature
707           bit or the nonRepudiation bit must be set if the keyUsage extension
708           is present.
709
710       S/MIME Encryption
711           In addition to the common S/MIME tests the keyEncipherment bit must
712           be set if the keyUsage extension is present.
713
714       S/MIME CA
715           The extended key usage extension must be absent or include the
716           "email protection" OID. Netscape certificate type must be absent or
717           must have the S/MIME CA bit set: this is used as a work around if
718           the basicConstraints extension is absent.
719
720       CRL Signing
721           The keyUsage extension must be absent or it must have the CRL
722           signing bit set.
723
724       CRL Signing CA
725           The normal CA tests apply. Except in this case the basicConstraints
726           extension must be present.
727

BUGS

729       Extensions in certificates are not transferred to certificate requests
730       and vice versa.
731
732       It is possible to produce invalid certificates or requests by
733       specifying the wrong private key or using inconsistent options in some
734       cases: these should be checked.
735
736       There should be options to explicitly set such things as start and end
737       dates rather than an offset from the current time.
738

SEE ALSO

740       req(1), ca(1), genrsa(1), gendsa(1), verify(1), x509v3_config(5)
741

HISTORY

743       The hash algorithm used in the -subject_hash and -issuer_hash options
744       before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the
745       encoding of the distinguished name. In OpenSSL 1.0.0 and later it is
746       based on a canonical version of the DN using SHA1. This means that any
747       directories using the old form must have their links rebuilt using
748       c_rehash or similar.
749
751       Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
752
753       Licensed under the OpenSSL license (the "License").  You may not use
754       this file except in compliance with the License.  You can obtain a copy
755       in the file LICENSE in the source distribution or at
756       <https://www.openssl.org/source/license.html>.
757
758
759
7601.1.1k                            2021-03-26                           X509(1)
Impressum