req man page on DigitalUNIX

Man page or keyword search:  
man Server   12896 pages
apropos Keyword Search (all sections)
Output format
DigitalUNIX logo
[printable version]

req(1ssl)							     req(1ssl)

       req - PKCS#10 certificate and certificate generating utility

       openssl	req  [-inform  PEM  | DER] [-outform PEM | DER] [-in filename]
       [-passin arg] [-out filename] [-passoutarg] [-text] [-noout]  [-verify]
       [-modulus]  [-new] [-randfilename] [-newkeyrsa:bits] [-newkey dsa:file]
       [-nodes] [-key filename] [-keyform PEM | DER] [-keyoutfilename]	[--md5
       |  sha1 | md2 | mdc2] [-configfilename] [-x509] [-daysn] [-asn1-kludge]
       [-newhdr] [-extensionssection] [-reqextssection]

       Specifies the input format. The DER option uses	an  ASN1  DER  encoded
       form  compatible	 with the PKCS#10. The PEM form is the default format;
       it consists of the DER format base64 encoded with additional header and
       footer  lines.	Specifies the output format. The options have the same
       meaning as the -inform option.  Specifies the input filename to read  a
       request	from  or  standard  input  if  this option is not specified. A
       request is only read if the creation options (-new and -newkey) are not
       specified.   Input file password source. For more information about the
       format of arg, see the Pass Phrase  Arguments  section  in  openssl(1).
       Specifies  the  output  filename	 to  write  to	or  standard output by
       default.	 Output file password source. For more information  about  the
       format  of  arg,	 see  the Pass Phrase Arguments section in openssl(1).
       Prints out the certificate request in text form.	  Prevents  output  of
       the  encoded version of the request.  Prints out the value of the modu‐
       lus of the public key contained in the request.	Verifies the signature
       on  the	request.   Generates a new certificate request. It will prompt
       the user for the relevant field values. The actual fields prompted  for
       and  their maximum and minimum sizes are specified in the configuration
       file and any requested extensions.

	      If the -key option is not used it will generate a new  RSA  pri‐
	      vate  key using information specified in the configuration file.
	      A file or files containing random data used to seed  the	random
	      number  generator, or an EGD socket. (See RAND_egd(3).) Multiple
	      files are separated by an OS-dependent character. The  separator
	      is  a semicolon (;) for MS-Windows, a comma (,) for OpenVMS, and
	      a colon (:) for all others.  Creates a new  certificate  request
	      and  a new private key. The argument takes one of two forms. The
	      rsa:nbits, where nbits is the number of bits, generates  an  RSA
	      key  nbits  in  size. The dsa:filename generates a DSA key using
	      the parameters in the file filename.  Specifies the file to read
	      the private key from. It also accepts PKCS#8 format private keys
	      for PEM format files.  The format of the private key file speci‐
	      fied  in	the -key option. The PEM format is the default.	 Gives
	      the filename to write the newly created private key to. If  this
	      option is not specified then the filename present in the config‐
	      uration file is used.  If this option is	specified  then	 if  a
	      private  key is created it will not be encrypted.	 Specifies the
	      message digest to sign the  request  with.  This	overrides  the
	      digest  algorithm	 specified  in	the  configuration  file. This
	      option is ignored	 for  DSA  requests;  they  always  use	 SHA1.
	      Allows  an  alternative configuration file to be specified. This
	      overrides the compile time filename  or  any  specified  in  the
	      OPENSSL_CONF  environment	 variable.  Outputs a self-signed cer‐
	      tificate instead of a certificate	 request.  This	 is  typically
	      used  to	generate  a test certificate or a self-signed root CA.
	      The extensions added to the certificate (if any)	are  specified
	      in  the configuration file.  When the -x509 option is being used
	      this specifies the number of days to  certify  the  certificate.
	      The  default  is	30  days.   Specifies  alternative sections to
	      include certificate extensions (if the -x509 option is  present)
	      or  certificate request extensions.  This allows several differ‐
	      ent sections to be used in the same configuration file to	 spec‐
	      ify requests for a variety of purposes.  By default the req com‐
	      mand outputs certificate requests containing  no	attributes  in
	      the correct PKCS#10 format. However certain CAs will only accept
	      requests containing no  attributes  in  an  invalid  form.  This
	      option produces this invalid format.

	      More  precisely  the Attributes in a PKCS#10 certificate request
	      are defined as a SET OF Attribute. They are not optional, so  if
	      no  attributes  are  present  then  they should be encoded as an
	      empty SET OF. The invalid form does not include  the  empty  SET
	      OF, whereas the correct form does.

	      It  should  be  noted that very few CAs still require the use of
	      this option.  Adds the word NEW  to  the	PEM  file  header  and
	      footer  lines  on	 the outputed request. Some software (Netscape
	      certificate server) and some CAs need this.

       The configuration options are specified in the req section of the  con‐
       figuration  file. As with all configuration files if no value is speci‐
       fied in the specific section (i.e.  req) then the  initial  unnamed  or
       default section is searched too.

       The options available are described in detail below.  The passwords for
       the input private key file (if present) and the output private key file
       (if  one	 will be created). The command line options passin and passout
       override the configuration file values.	Specifies the default key size
       in  bits.  If  not  specified  then 512 is used. It is used if the -new
       option is used. It can be overridden by using the -newkey option.   The
       default filename to write a private key to. If not specified the key is
       written to standard output. This	 can  be  overridden  by  the  -keyout
       option.	 Specifies  a  file  containing additional object identifiers.
       Each line of the file should consist  of	 the  numerical	 form  of  the
       object  identifier followed by white space then the short name followed
       by white space and finally the long name.  Specifies a section  in  the
       configuration  file  containing	extra  object  identifiers.  Each line
       should consist of the short name of the object identifier followed by =
       and the numerical form. The short and long names are the same when this
       option is used.	Specifies a  filename  in  which  random  number  seed
       information   is	  placed  and  read  from,  or	an  EGD	 socket.  (See
       RAND_egd(3)). It is used for private key generation.  If this is set to
       no  then	 if  a	private key is generated it is not encrypted.  This is
       equivalent  to  the  -nodes  command  line  option.  For	 compatibility
       encrypt_rsa_key	is  an	equivalent option.  Specifies the digest algo‐
       rithm to use. Possible values include md5 sha1 mdc2.   If  not  present
       then  MD5  is  used. This option can be overridden on the command line.
       Masks out the use of certain string types in certain fields. Most users
       will not need to change this option.

	      It can be set to several values. The default option uses Printa‐
	      bleStrings, T61Strings and BMPStrings. If the pkix value is used
	      then  only  PrintableStrings  and	 BMPStrings will be used. This
	      follows the PKIX recommendation  in  RFC2459.  If	 the  utf8only
	      option  is  used then only UTF8Strings will be used; this is the
	      PKIX recommendation in RFC2459 after 2003. Finally, the  nombstr
	      option  uses  PrintableStrings  and T61Strings. Certain software
	      has problems with BMPStrings and UTF8Strings, particularly  Net‐
	      scape.   Specifies  the  configuration file section containing a
	      list of extensions to add to the certificate request. It can  be
	      overridden  by  the -reqexts command line option.	 Specifies the
	      configuration file section containing a list  of	extensions  to
	      add  to the certificate generated when the -x509 option is used.
	      It can be overridden by the -extensions command line option.  If
	      set  to  the  value  no  this  disables prompting of certificate
	      fields and takes values from the config file directly.  It  also
	      changes  the  expected  format  of  the  distinguished_name  and
	      attributes  sections.   Specifies	 the  section  containing  any
	      request	attributes.   Its   format  is	the  same  as  distin‐
	      guished_name. Typically these may contain the  challengePassword
	      or   unstructuredName  types.  They  are	currently  ignored  by
	      OpenSSL's request signing utilities  but	some  CAs  might  want
	      them.   Specifies	 the section containing the distinguished name
	      fields to prompt for when generating a certificate  or  certifi‐
	      cate request. The format is described in the next section.

       There are two separate formats for the distinguished name and attribute
       sections. If the prompt option is set to no then	 these	sections  only
       consist of field names and values. An example follows:
	CN=My Name
	OU=My Organization

       This  allows  external programs (e.g. GUI based) to generate a template
       file with all the field names and values and pass it to req.  An	 exam‐
       ple  of	this  kind  of configuration file is contained in the Examples

       Alternatively if the prompt option is absent or not set to no then  the
       file  contains  field prompting information.  It consists of lines such
       as the following:
	fieldName_default="default field value"
	fieldName_min= 2
	fieldName_max= 4

       The fieldName  is the field name being used,  such  as  commonName  (or

       The  prompt  string  is	used  to  ask  the  user to enter the relevant
       details.	 If the user enters nothing then the default value is used. If
       no  default  value  is  present	then the field is omitted. A field can
       still be omitted if a default value is present if the user  enters  the
       '.' character.

       The  number of characters entered must be between the fieldName_min and
       fieldName_max limits. There may be additional restrictions based on the
       field  being  used. For example, countryName can only be two characters
       long and must fit in a PrintableString.

       Some fields, such as organizationName, can be used more than once in  a
       DN. This presents a problem because configuration files will not recog‐
       nize the same name occurring twice. To avoid this problem if the field‐
       Name  contains  some  characters	 followed  by a full stop they will be
       ignored. So, for example, a second organizationName  can	 be  input  by
       calling it 1.organizationName.

       The  actual  permitted  field  names are any object identifier short or
       long names. These are compiled into OpenSSL and include the usual  val‐
       ues  such  as  commonName, countryName, localityName, organizationName,
       organizationUnitName, stateOrPrivinceName. Additionally emailAddress is
       included, as well as name, surname, givenName initials and dnQualifier.

       Additional  object  identifiers	can  be	 defined  with the oid_file or
       oid_section options in the configuration file.  Any  additional	fields
       will be treated as though they were a DirectoryString.

       The req command primarily creates and processes certificate requests in
       PKCS#10 format. It can additionally create self signed certificates for
       use as root CAs for example.

       The header and footer lines in the PEM format are normally:

       Some  software, including some versions of Netscape certificate server,

       This is produced with the -newhdr option, but is otherwise  compatible.
       Either form is accepted transparently on input.

       The certificate requests generated by Xenroll with MSIE have extensions
       added. It includes the keyUsage extension which determines the type  of
       key (signature only or general purpose) and any additional OIDs entered
       by the script in an extendedKeyUsage extension.

       OpenSSL's handling of T61Strings (also known as TeletexStrings) is bro‐
       ken.   It effectively treats them as ISO-8859-1 (Latin 1). Netscape and
       MSIE have similar behavior. This can cause problems if you need charac‐
       ters  that are not available in PrintableStrings and you do not want to
       or cannot use BMPStrings.

       As a consequence of the T61String handling the only correct way to rep‐
       resent  accented	 characters in OpenSSL is to use a BMPString. Unfortu‐
       nately Netscape currently chokes on these. If you have to use  accented
       characters  with	 Netscape  and MSIE then you currently need to use the
       invalid T61String form.

       The current prompting is not very friendly. It  doesn't	allow  you  to
       confirm	what  you've entered. Other things, such as extensions in cer‐
       tificate requests, are statically defined in  the  configuration	 file.
       Some  of	 these,	 such as an email address in subjectAltName, should be
       input by the user.

       The following messages are frequently asked about:      Using  configu‐
       ration from /some/path/openssl.cnf      Unable to load config info

       This is followed some time later by the following lines:	     unable to
       find 'distinguished_name' in config	 problems  making  Certificate

       The  first  error  message is the clue. It means the configuration file
       cannot be found. Certain operations, such as  examining	a  certificate
       request,	 do  not need a configuration file; so its use isn't enforced.
       Generation of certificates or requests, however, do need	 a  configura‐
       tion file.

       Another error message is this:

       This  is	 displayed  when  no  attributes  are  present and the request
       includes the correct empty SET OF structure (the DER encoding of	 which
       is 0xa0 0x00). If you only see

       then the SET OF is missing and the encoding is technically invalid (but
       it is tolerated). See  the  description	of  the	 command  line	option
       -asn1-kludge for more information.

       Examine	and  verify certificate request: openssl req -in req.pem -text
       -verify -noout

       Create a private key and then generate a certificate request  from  it:
       openssl	genrsa	-out  key.pem  1024 openssl req -new -key key.pem -out

       The same but just using	req:  openssl  req  -newkey  rsa:1024  -keyout
       key.pem -out req.pem

       Generate	 a  self  signed  root	certificate: openssl req -x509 -newkey
       rsa:1024 -keyout key.pem -out req.pem

       Example of a file pointed to by the oid_file  option:	short‐
       Name A longer Name   otherName Other longer Name

       Example	of  a section pointed to by oid_section making use of variable
       expansion: testoid1= testoid2=${testoid1}.6

       Sample configuration file prompting for field values: [ req ]
	default_bits	   = 1024
	default_keyfile	   = privkey.pem
	distinguished_name = req_distinguished_name
	attributes	   = req_attributes
	x509_extensions	   = v3_ca

	dirstring_type = nobmp

	[ req_distinguished_name ]
	countryName		= Country Name (2 letter code)
	countryName_default	     = AU
	countryName_min		= 2
	countryName_max		= 2

	localityName		= Locality Name (eg, city)

	organizationalUnitName	     = Organizational Unit Name (eg, section)

	commonName		= Common Name (eg, YOUR name)
	commonName_max		     = 64

	emailAddress		= Email Address
	emailAddress_max	= 40

	[ req_attributes ]
	challengePassword	= A challenge password
	challengePassword_min	     = 4
	challengePassword_max	     = 20

	[ v3_ca ]

	basicConstraints = CA:true

       Sample configuration containing all field values:
	RANDFILE      = $ENV::HOME/.rnd

	[ req ]
	default_bits	   = 1024
	default_keyfile	   = keyfile.pem
	distinguished_name = req_distinguished_name
	attributes	   = req_attributes
	prompt		   = no
	output_password	   = mypass

	[ req_distinguished_name ]
	C	      = GB
	ST	      = Test State or Province
	L	      = Test Locality
	O	      = Organization Name
	OU	      = Organizational Unit Name
	CN	      = Common Name
	emailAddress	   = test@email.address

	[ req_attributes ]
	challengePassword	= A challenge password

       If defined, the variable OPENSSL_CONF allows an alternative  configura‐
       tion  file location to be specified. It will be overridden by the -con‐
       fig command line option if it is present. For compatibility reasons the
       SSLEAY_CONF  environment	 variable serves the same purpose, but its use
       is discouraged.

       Commands: x509(1ssl), ca(1ssl), genrsa(1ssl), gendsa(1ssl)

       Others: config(5)


List of man pages available for DigitalUNIX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net