1OPENSSL-X509(1ossl)                 OpenSSL                OPENSSL-X509(1ossl)
2
3
4

NAME

6       openssl-x509 - Certificate display and signing command
7

SYNOPSIS

9       openssl x509 [-help] [-in filename|uri] [-passin arg] [-new]
10       [-x509toreq] [-req] [-copy_extensions arg] [-inform DER|PEM] [-vfyopt
11       nm:v] [-key filename|uri] [-keyform DER|PEM|P12|ENGINE] [-signkey
12       filename|uri] [-out filename] [-outform DER|PEM] [-nocert] [-noout]
13       [-dateopt] [-text] [-certopt option] [-fingerprint] [-alias] [-serial]
14       [-startdate] [-enddate] [-dates] [-subject] [-issuer] [-nameopt option]
15       [-email] [-hash] [-subject_hash] [-subject_hash_old] [-issuer_hash]
16       [-issuer_hash_old] [-ext extensions] [-ocspid] [-ocsp_uri] [-purpose]
17       [-pubkey] [-modulus] [-checkend num] [-checkhost host] [-checkemail
18       host] [-checkip ipaddr] [-set_serial n] [-next_serial] [-days arg]
19       [-preserve_dates] [-subj arg] [-force_pubkey filename] [-clrext]
20       [-extfile filename] [-extensions section] [-sigopt nm:v] [-badsig]
21       [-digest] [-CA filename|uri] [-CAform DER|PEM|P12] [-CAkey
22       filename|uri] [-CAkeyform DER|PEM|P12|ENGINE] [-CAserial filename]
23       [-CAcreateserial] [-trustout] [-setalias arg] [-clrtrust] [-addtrust
24       arg] [-clrreject] [-addreject arg] [-rand files] [-writerand file]
25       [-engine id] [-provider name] [-provider-path path] [-propquery propq]
26

DESCRIPTION

28       This command is a multi-purposes certificate handling command.  It can
29       be used to print certificate information, convert certificates to
30       various forms, edit certificate trust settings, generate certificates
31       from scratch or from certificating requests and then self-signing them
32       or signing them like a "micro CA".
33
34       Since there are a large number of options they will split up into
35       various sections.
36

OPTIONS

38   Input, Output, and General Purpose Options
39       -help
40           Print out a usage message.
41
42       -in filename|uri
43           This specifies the input to read a certificate from or the input
44           file for reading a certificate request if the -req flag is used.
45           In both cases this defaults to standard input.
46
47           This option cannot be combined with the -new flag.
48
49       -passin arg
50           The key and certificate file password source.  For more information
51           about the format of arg see openssl-passphrase-options(1).
52
53       -new
54           Generate a certificate from scratch, not using an input certificate
55           or certificate request. So the -in option must not be used in this
56           case.  Instead, the -subj option needs to be given.  The public key
57           to include can be given with the -force_pubkey option and defaults
58           to the key given with the -key (or -signkey) option, which implies
59           self-signature.
60
61       -x509toreq
62           Output a PKCS#10 certificate request (rather than a certificate).
63           The -key (or -signkey) option must be used to provide the private
64           key for self-signing; the corresponding public key is placed in the
65           subjectPKInfo field.
66
67           X.509 extensions included in a certificate input are not copied by
68           default.  X.509 extensions to be added can be specified using the
69           -extfile option.
70
71       -req
72           By default a certificate is expected on input.  With this option a
73           PKCS#10 certificate request is expected instead, which must be
74           correctly self-signed.
75
76           X.509 extensions included in the request are not copied by default.
77           X.509 extensions to be added can be specified using the -extfile
78           option.
79
80       -copy_extensions arg
81           Determines how to handle X.509 extensions when converting from a
82           certificate to a request using the -x509toreq option or converting
83           from a request to a certificate using the -req option.  If arg is
84           none or this option is not present then extensions are ignored.  If
85           arg is copy or copyall then all extensions are copied, except that
86           subject identifier and authority key identifier extensions are not
87           taken over when producing a certificate request.
88
89           The -ext option can be used to further restrict which extensions to
90           copy.
91
92       -inform DER|PEM
93           The input file format; unspecified by default.  See
94           openssl-format-options(1) for details.
95
96       -vfyopt nm:v
97           Pass options to the signature algorithm during verify operations.
98           Names and values of these options are algorithm-specific.
99
100       -key filename|uri
101           This option provides the private key for signing a new certificate
102           or certificate request.  Unless -force_pubkey is given, the
103           corresponding public key is placed in the new certificate or
104           certificate request, resulting in a self-signature.
105
106           This option cannot be used in conjunction with the -CA option.
107
108           It sets the issuer name to the subject name (i.e., makes it self-
109           issued) and changes the public key to the supplied value (unless
110           overridden by -force_pubkey).  Unless the -preserve_dates option is
111           supplied, it sets the validity start date to the current time and
112           the end date to a value determined by the -days option.
113
114       -signkey filename|uri
115           This option is an alias of -key.
116
117       -keyform DER|PEM|P12|ENGINE
118           The key input format; unspecified by default.  See
119           openssl-format-options(1) for details.
120
121       -out filename
122           This specifies the output filename to write to or standard output
123           by default.
124
125       -outform DER|PEM
126           The output format; the default is PEM.  See
127           openssl-format-options(1) for details.
128
129       -nocert
130           Do not output a certificate (except for printing as requested by
131           below options).
132
133       -noout
134           This option prevents output except for printing as requested by
135           below options.
136
137   Certificate Printing Options
138       Note: the -alias and -purpose options are also printing options but are
139       described in the "Trust Settings" section.
140
141       -dateopt
142           Specify the date output format. Values are: rfc_822 and iso_8601.
143           Defaults to rfc_822.
144
145       -text
146           Prints out the certificate in text form. Full details are printed
147           including the public key, signature algorithms, issuer and subject
148           names, serial number any extensions present and any trust settings.
149
150       -certopt option
151           Customise the print format used with -text. The option argument can
152           be a single option or multiple options separated by commas.  The
153           -certopt switch may be also be used more than once to set multiple
154           options. See the "Text Printing Flags" section for more
155           information.
156
157       -fingerprint
158           Calculates and prints the digest of the DER encoded version of the
159           entire certificate (see digest options).  This is commonly called a
160           "fingerprint". Because of the nature of message digests, the
161           fingerprint of a certificate is unique to that certificate and two
162           certificates with the same fingerprint can be considered to be the
163           same.
164
165       -alias
166           Prints the certificate "alias" (nickname), if any.
167
168       -serial
169           Prints the certificate serial number.
170
171       -startdate
172           Prints out the start date of the certificate, that is the notBefore
173           date.
174
175       -enddate
176           Prints out the expiry date of the certificate, that is the notAfter
177           date.
178
179       -dates
180           Prints out the start and expiry dates of a certificate.
181
182       -subject
183           Prints the subject name.
184
185       -issuer
186           Prints the issuer name.
187
188       -nameopt option
189           This specifies how the subject or issuer names are displayed.  See
190           openssl-namedisplay-options(1) for details.
191
192       -email
193           Prints the email address(es) if any.
194
195       -hash
196           Synonym for "-subject_hash" for backward compatibility reasons.
197
198       -subject_hash
199           Prints the "hash" of the certificate subject name. This is used in
200           OpenSSL to form an index to allow certificates in a directory to be
201           looked up by subject name.
202
203       -subject_hash_old
204           Prints the "hash" of the certificate subject name using the older
205           algorithm as used by OpenSSL before version 1.0.0.
206
207       -issuer_hash
208           Prints the "hash" of the certificate issuer name.
209
210       -issuer_hash_old
211           Prints the "hash" of the certificate issuer name using the older
212           algorithm as used by OpenSSL before version 1.0.0.
213
214       -ext extensions
215           Prints out the certificate extensions in text form.  Can also be
216           used to restrict which extensions to copy.  Extensions are
217           specified with a comma separated string, e.g.,
218           "subjectAltName,subjectKeyIdentifier".  See the x509v3_config(5)
219           manual page for the extension names.
220
221       -ocspid
222           Prints the OCSP hash values for the subject name and public key.
223
224       -ocsp_uri
225           Prints the OCSP responder address(es) if any.
226
227       -purpose
228           This option performs tests on the certificate extensions and
229           outputs the results. For a more complete description see
230           "Certificate Extensions" in openssl-verification-options(1).
231
232       -pubkey
233           Prints the certificate's SubjectPublicKeyInfo block in PEM format.
234
235       -modulus
236           This option prints out the value of the modulus of the public key
237           contained in the certificate.
238
239   Certificate Checking Options
240       -checkend arg
241           Checks if the certificate expires within the next arg seconds and
242           exits nonzero if yes it will expire or zero if not.
243
244       -checkhost host
245           Check that the certificate matches the specified host.
246
247       -checkemail email
248           Check that the certificate matches the specified email address.
249
250       -checkip ipaddr
251           Check that the certificate matches the specified IP address.
252
253   Certificate Output Options
254       -set_serial n
255           Specifies the serial number to use.  This option can be used with
256           the -key, -signkey, or -CA options.  If used in conjunction with
257           the -CA option the serial number file (as specified by the
258           -CAserial option) is not used.
259
260           The serial number can be decimal or hex (if preceded by "0x").
261
262       -next_serial
263           Set the serial to be one more than the number in the certificate.
264
265       -days arg
266           Specifies the number of days until a newly generated certificate
267           expires.  The default is 30.  Cannot be used together with the
268           -preserve_dates option.
269
270       -preserve_dates
271           When signing a certificate, preserve "notBefore" and "notAfter"
272           dates of any input certificate instead of adjusting them to current
273           time and duration.  Cannot be used together with the -days option.
274
275       -subj arg
276           When a certificate is created set its subject name to the given
277           value.  When the certificate is self-signed the issuer name is set
278           to the same value.
279
280           The arg must be formatted as
281           "/type0=value0/type1=value1/type2=...".  Special characters may be
282           escaped by "\" (backslash), whitespace is retained.  Empty values
283           are permitted, but the corresponding type will not be included in
284           the certificate.  Giving a single "/" will lead to an empty
285           sequence of RDNs (a NULL-DN).  Multi-valued RDNs can be formed by
286           placing a "+" character instead of a "/" between the
287           AttributeValueAssertions (AVAs) that specify the members of the
288           set.  Example:
289
290           "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe"
291
292           This option can be used in conjunction with the -force_pubkey
293           option to create a certificate even without providing an input
294           certificate or certificate request.
295
296       -force_pubkey filename
297           When a certificate is created set its public key to the key in
298           filename instead of the key contained in the input or given with
299           the -key (or -signkey) option.
300
301           This option is useful for creating self-issued certificates that
302           are not self-signed, for instance when the key cannot be used for
303           signing, such as DH.  It can also be used in conjunction with
304           b<-new> and -subj to directly generate a certificate containing any
305           desired public key.
306
307       -clrext
308           When transforming a certificate to a new certificate by default all
309           certificate extensions are retained.
310
311           When transforming a certificate or certificate request, the -clrext
312           option prevents taking over any extensions from the source.  In any
313           case, when producing a certificate request, neither subject
314           identifier nor authority key identifier extensions are included.
315
316       -extfile filename
317           Configuration file containing certificate and request X.509
318           extensions to add.
319
320       -extensions section
321           The section in the extfile to add X.509 extensions from.  If this
322           option is not specified then the extensions should either be
323           contained in the unnamed (default) section or the default section
324           should contain a variable called "extensions" which contains the
325           section to use.  See the x509v3_config(5) manual page for details
326           of the extension section format.
327
328       -sigopt nm:v
329           Pass options to the signature algorithm during sign operations.
330           This option may be given multiple times.  Names and values provided
331           using this option are algorithm-specific.
332
333       -badsig
334           Corrupt the signature before writing it; this can be useful for
335           testing.
336
337       -digest
338           The digest to use.  This affects any signing or printing option
339           that uses a message digest, such as the -fingerprint, -key, and -CA
340           options.  Any digest supported by the openssl-dgst(1) command can
341           be used.  If not specified then SHA1 is used with -fingerprint or
342           the default digest for the signing algorithm is used, typically
343           SHA256.
344
345   Micro-CA Options
346       -CA filename|uri
347           Specifies the "CA" certificate to be used for signing.  When
348           present, this behaves like a "micro CA" as follows: The subject
349           name of the "CA" certificate is placed as issuer name in the new
350           certificate, which is then signed using the "CA" key given as
351           detailed below.
352
353           This option cannot be used in conjunction with -key (or -signkey).
354           This option is normally combined with the -req option referencing a
355           CSR.  Without the -req option the input must be an existing
356           certificate unless the -new option is given, which generates a
357           certificate from scratch.
358
359       -CAform DER|PEM|P12,
360           The format for the CA certificate; unspecifed by default.  See
361           openssl-format-options(1) for details.
362
363       -CAkey filename|uri
364           Sets the CA private key to sign a certificate with.  The private
365           key must match the public key of the certificate given with -CA.
366           If this option is not provided then the key must be present in the
367           -CA input.
368
369       -CAkeyform DER|PEM|P12|ENGINE
370           The format for the CA key; unspecified by default.  See
371           openssl-format-options(1) for details.
372
373       -CAserial filename
374           Sets the CA serial number file to use.
375
376           When the -CA option is used to sign a certificate it uses a serial
377           number specified in a file. This file consists of one line
378           containing an even number of hex digits with the serial number to
379           use. After each use the serial number is incremented and written
380           out to the file again.
381
382           The default filename consists of the CA certificate file base name
383           with .srl appended. For example if the CA certificate file is
384           called mycacert.pem it expects to find a serial number file called
385           mycacert.srl.
386
387       -CAcreateserial
388           With this option the CA serial number file is created if it does
389           not exist: it will contain the serial number "02" and the
390           certificate being signed will have the 1 as its serial number. If
391           the -CA option is specified and the serial number file does not
392           exist a random number is generated; this is the recommended
393           practice.
394
395   Trust Settings
396       A trusted certificate is an ordinary certificate which has several
397       additional pieces of information attached to it such as the permitted
398       and prohibited uses of the certificate and possibly an "alias"
399       (nickname).
400
401       Normally when a certificate is being verified at least one certificate
402       must be "trusted". By default a trusted certificate must be stored
403       locally and must be a root CA: any certificate chain ending in this CA
404       is then usable for any purpose.
405
406       Trust settings currently are only used with a root CA.  They allow a
407       finer control over the purposes the root CA can be used for.  For
408       example, a CA may be trusted for SSL client but not SSL server use.
409
410       See openssl-verification-options(1) for more information on the meaning
411       of trust settings.
412
413       Future versions of OpenSSL will recognize trust settings on any
414       certificate: not just root CAs.
415
416       -trustout
417           Mark any certificate PEM output as <trusted> certificate rather
418           than ordinary.  An ordinary or trusted certificate can be input but
419           by default an ordinary certificate is output and any trust settings
420           are discarded.  With the -trustout option a trusted certificate is
421           output. A trusted certificate is automatically output if any trust
422           settings are modified.
423
424       -setalias arg
425           Sets the "alias" of the certificate. This will allow the
426           certificate to be referred to using a nickname for example "Steve's
427           Certificate".
428
429       -clrtrust
430           Clears all the permitted or trusted uses of the certificate.
431
432       -addtrust arg
433           Adds a trusted certificate use.  Any object name can be used here
434           but currently only clientAuth, serverAuth, emailProtection, and
435           anyExtendedKeyUsage are defined.  As of OpenSSL 1.1.0, the last of
436           these blocks all purposes when rejected or enables all purposes
437           when trusted.  Other OpenSSL applications may define additional
438           uses.
439
440       -clrreject
441           Clears all the prohibited or rejected uses of the certificate.
442
443       -addreject arg
444           Adds a prohibited trust anchor purpose.  It accepts the same values
445           as the -addtrust option.
446
447   Generic options
448       -rand files, -writerand file
449           See "Random State Options" in openssl(1) for details.
450
451       -engine id
452           See "Engine Options" in openssl(1).  This option is deprecated.
453
454       -provider name
455       -provider-path path
456       -propquery propq
457           See "Provider Options" in openssl(1), provider(7), and property(7).
458
459   Text Printing Flags
460       As well as customising the name printing format, it is also possible to
461       customise the actual fields printed using the certopt option when the
462       text option is present. The default behaviour is to print all fields.
463
464       compatible
465           Use the old format. This is equivalent to specifying no printing
466           options at all.
467
468       no_header
469           Don't print header information: that is the lines saying
470           "Certificate" and "Data".
471
472       no_version
473           Don't print out the version number.
474
475       no_serial
476           Don't print out the serial number.
477
478       no_signame
479           Don't print out the signature algorithm used.
480
481       no_validity
482           Don't print the validity, that is the notBefore and notAfter
483           fields.
484
485       no_subject
486           Don't print out the subject name.
487
488       no_issuer
489           Don't print out the issuer name.
490
491       no_pubkey
492           Don't print out the public key.
493
494       no_sigdump
495           Don't give a hexadecimal dump of the certificate signature.
496
497       no_aux
498           Don't print out certificate trust information.
499
500       no_extensions
501           Don't print out any X509V3 extensions.
502
503       ext_default
504           Retain default extension behaviour: attempt to print out
505           unsupported certificate extensions.
506
507       ext_error
508           Print an error message for unsupported certificate extensions.
509
510       ext_parse
511           ASN1 parse unsupported extensions.
512
513       ext_dump
514           Hex dump unsupported extensions.
515
516       ca_default
517           The value used by openssl-ca(1), equivalent to no_issuer,
518           no_pubkey, no_header, and no_version.
519

EXAMPLES

521       Note: in these examples the '\' means the example should be all on one
522       line.
523
524       Print the contents of a certificate:
525
526        openssl x509 -in cert.pem -noout -text
527
528       Print the "Subject Alternative Name" extension of a certificate:
529
530        openssl x509 -in cert.pem -noout -ext subjectAltName
531
532       Print more extensions of a certificate:
533
534        openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType
535
536       Print the certificate serial number:
537
538        openssl x509 -in cert.pem -noout -serial
539
540       Print the certificate subject name:
541
542        openssl x509 -in cert.pem -noout -subject
543
544       Print the certificate subject name in RFC2253 form:
545
546        openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
547
548       Print the certificate subject name in oneline form on a terminal
549       supporting UTF8:
550
551        openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
552
553       Print the certificate SHA1 fingerprint:
554
555        openssl x509 -sha1 -in cert.pem -noout -fingerprint
556
557       Convert a certificate from PEM to DER format:
558
559        openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
560
561       Convert a certificate to a certificate request:
562
563        openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem
564
565       Convert a certificate request into a self-signed certificate using
566       extensions for a CA:
567
568        openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
569               -key key.pem -out cacert.pem
570
571       Sign a certificate request using the CA certificate above and add user
572       certificate extensions:
573
574        openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
575               -CA cacert.pem -CAkey key.pem -CAcreateserial
576
577       Set a certificate to be trusted for SSL client use and change set its
578       alias to "Steve's Class 1 CA"
579
580        openssl x509 -in cert.pem -addtrust clientAuth \
581               -setalias "Steve's Class 1 CA" -out trust.pem
582

NOTES

584       The conversion to UTF8 format used with the name options assumes that
585       T61Strings use the ISO8859-1 character set. This is wrong but Netscape
586       and MSIE do this as do many certificates. So although this is incorrect
587       it is more likely to print the majority of certificates correctly.
588
589       The -email option searches the subject name and the subject alternative
590       name extension. Only unique email addresses will be printed out: it
591       will not print the same address more than once.
592

BUGS

594       It is possible to produce invalid certificates or requests by
595       specifying the wrong private key, using unsuitable X.509 extensions, or
596       using inconsistent options in some cases: these should be checked.
597
598       There should be options to explicitly set such things as start and end
599       dates rather than an offset from the current time.
600

SEE ALSO

602       openssl(1), openssl-req(1), openssl-ca(1), openssl-genrsa(1),
603       openssl-gendsa(1), openssl-verify(1), x509v3_config(5)
604

HISTORY

606       The hash algorithm used in the -subject_hash and -issuer_hash options
607       before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the
608       encoding of the distinguished name. In OpenSSL 1.0.0 and later it is
609       based on a canonical version of the DN using SHA1. This means that any
610       directories using the old form must have their links rebuilt using
611       openssl-rehash(1) or similar.
612
613       The -signkey option has been renamed to -key in OpenSSL 3.0, keeping
614       the old name as an alias.
615
616       The -engine option was deprecated in OpenSSL 3.0.
617
618       The -C option was removed in OpenSSL 3.0.
619
621       Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
622
623       Licensed under the Apache License 2.0 (the "License").  You may not use
624       this file except in compliance with the License.  You can obtain a copy
625       in the file LICENSE in the source distribution or at
626       <https://www.openssl.org/source/license.html>.
627
628
629
6303.0.5                             2022-07-05               OPENSSL-X509(1ossl)
Impressum