spkac(1ssl)
NAME
spkac - SPKAC printing and generating utility
SYNOPSIS
openssl spkac [-in filename] [-out filename] [-key keyfile] [-passin arg]
[-challenge string] [-pubkey] [-spkac spkacname] [-spksect section]
[-noout] [-verify]
OPTIONS
-in filename
    Specifies the input filename to read from or standard input if this
    option is not specified. Ignored if the -key option is used.
-out filename
    Specifies the output filename to write to or standard output by
    default.
-key keyfile
    Creates an SPKAC file using the private key in keyfile. The -in,
    -noout, -spksect and -verify options are ignored if present.
-passin arg
    The input file password source. For more information about the
    format of arg, see the Pass Phrase Arguments section in
    openssl(1ssl).
-challenge string
    Specifies the challenge string if an SPKAC is being created.
-spkac spkacname
    Allows an alternative name for the variable containing the SPKAC.
    The default is SPKAC. This option affects both generated and input
    SPKAC files.
-spksect section
    Allows an alternative name for the section containing the SPKAC.
    The default is the default section.
-noout
    Does not output the text version of the SPKAC (not used if an SPKAC
    is being created).
-pubkey
    Outputs the public key of an SPKAC (not used if an SPKAC is being
    created).
-verify
    Verifies the digital signature on the supplied SPKAC.
DESCRIPTION
The spkac command processes Netscape signed public key and challenge
(SPKAC) files. It can print out their contents, verify the signature
and produce its own SPKACs from a supplied private key.
NOTES
A created SPKAC with suitable DN components appended can be fed into
the ca utility.
SPKACs are typically generated by Netscape when a form is submitted
containing the KEYGEN tag as part of the certificate enrollment
process.
The challenge string permits a primitive form of proof of possession of
the private key. By checking the SPKAC signature and a random challenge
string some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous SPKAC to
be used in a replay attack.
EXAMPLES
Print out the contents of an SPKAC:
    openssl spkac -in spkac.cnf
Verify the signature of an SPKAC:
    openssl spkac -in spkac.cnf -noout -verify
Create an SPKAC using the challenge string "hello":
    openssl spkac -key key.pem -challenge hello -out spkac.cnf
Example of an SPKAC, (long lines split up for clarity):
    SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
    PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
    PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
    2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
    4=
SEE ALSO
Commands: ca(1ssl)