=pod =head1 NAME req - PKCS#10 certificate request and certificate generating utility. =head1 SYNOPSIS B B [B<-inform PEM|DER>] [B<-outform PEM|DER>] [B<-in filename>] [B<-passin arg>] [B<-out filename>] [B<-passout arg>] [B<-text>] [B<-pubkey>] [B<-noout>] [B<-verify>] [B<-modulus>] [B<-new>] [B<-rand file(s)>] [B<-newkey rsa:bits>] [B<-newkey alg:file>] [B<-nodes>] [B<-key filename>] [B<-keyform PEM|DER>] [B<-keyout filename>] [B<-keygen_engine id>] [B<-[digest]>] [B<-config filename>] [B<-subj arg>] [B<-multivalue-rdn>] [B<-x509>] [B<-days n>] [B<-set_serial n>] [B<-asn1-kludge>] [B<-no-asn1-kludge>] [B<-newhdr>] [B<-extensions section>] [B<-reqexts section>] [B<-utf8>] [B<-nameopt>] [B<-reqopt>] [B<-subject>] [B<-subj arg>] [B<-batch>] [B<-verbose>] [B<-engine id>] =head1 DESCRIPTION The B command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. =head1 COMMAND OPTIONS =over 4 =item B<-inform DER|PEM> This specifies the input format. The B option uses an ASN1 DER encoded form compatible with the PKCS#10. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. =item B<-outform DER|PEM> This specifies the output format, the options have the same meaning as the B<-inform> option. =item B<-in filename> This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (B<-new> and B<-newkey>) are not specified. =item B<-passin arg> the input file password source. For more information about the format of B see the B section in L. =item B<-out filename> This specifies the output filename to write to or standard output by default. =item B<-passout arg> the output file password source. For more information about the format of B see the B section in L. =item B<-text> prints out the certificate request in text form. =item B<-subject> prints out the request subject (or certificate subject if B<-x509> is specified) =item B<-pubkey> outputs the public key. =item B<-noout> this option prevents output of the encoded version of the request. =item B<-modulus> this option prints out the value of the modulus of the public key contained in the request. =item B<-verify> verifies the signature on the request. =item B<-new> this option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. If the B<-key> option is not used it will generate a new RSA private key using information specified in the configuration file. =item B<-subj arg> Replaces subject field of input request with specified data and outputs modified request. The arg must be formatted as I, characters may be escaped by \ (backslash), no spaces are skipped. =item B<-rand file(s)> a file or files containing random data used to seed the random number generator, or an EGD socket (see L). Multiple files can be specified separated by a OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. =item B<-newkey arg> this option creates a new certificate request and a new private key. The argument takes one of several forms. B, where B is the number of bits, generates an RSA key B in size. If B is omitted, i.e. B<-newkey rsa> specified, the default key size, specified in the configuration file is used. All other algorithms support the B<-newkey alg:file> form, where file may be an algorithm parameter file, created by the B command or and X.509 certificate for a key with approriate algorithm. B generates a key using the parameter file or certificate B, the algorithm is determined by the parameters. B use algorithm B and parameter file B: the two algorithms must match or an error occurs. B just uses algorithm B, and parameters, if neccessary should be specified via B<-pkeyopt> parameter. B generates a DSA key using the parameters in the file B. B generates EC key (usable both with ECDSA or ECDH algorithms), B generates GOST R 34.10-2001 key (requires B engine configured in the configuration file). If just B is specified a parameter set should be specified by B<-pkeyopt paramset:X> =item B<-pkeyopt opt:value> set the public key algorithm option B to B. The precise set of options supported depends on the public key algorithm used and its implementation. See B in the B manual page for more details. =item B<-key filename> This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform PEM|DER> the format of the private key file specified in the B<-key> argument. PEM is the default. =item B<-keyout filename> this gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used. =item B<-nodes> if this option is specified then if a private key is created it will not be encrypted. =item B<-[digest]> this specifies the message digest to sign the request with (such as B<-md5>, B<-sha1>). This overrides the digest algorithm specified in the configuration file. Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (B<-md_gost94>). =item B<-config filename> this allows an alternative configuration file to be specified, this overrides the compile time filename or any specified in the B environment variable. =item B<-subj arg> sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as I, characters may be escaped by \ (backslash), no spaces are skipped. =item B<-multivalue-rdn> this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: I If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. =item B<-x509> this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the B option B<0> will be used for the serial number. =item B<-days n> when the B<-x509> option is being used this specifies the number of days to certify the certificate for. The default is 30 days. =item B<-set_serial n> serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by B<0x>. It is possible to use negative serial numbers but this is not recommended. =item B<-extensions section> =item B<-reqexts section> these options specify alternative sections to include certificate extensions (if the B<-x509> option is present) or certificate request extensions. This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes. =item B<-utf8> this option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings. =item B<-nameopt option> option which determines how the subject or issuer names are displayed. The B