138 lines
4.9 KiB
Groff
The 'req' command is used to manipulate and deal with pkcs#10
certificate requests.

Its default mode of operation is to load a certificate request and then
write it out again.

By default the 'req' is read from stdin in 'PEM' format.
The -inform option can be used to specify 'pem' format or 'der'
format. PEM format is the base64 encoding of the DER format.

By default 'req' then writes the request back out. -outform can be used
to indicate the desired output format, be it 'pem' or 'der'.

To specify an input file, use the '-in' option; the '-out' option
can be used to specify the output file.

If you wish to perform a command and not output the certificate
request afterwards, use the '-noout' option.

When a certificate request is loaded, it can be printed in a human readable
ascii format via the '-text' option.

To check that the signature on a certificate request is correct, use
the '-verify' option to make sure that the public key contained in the
certificate request corresponds to the signature.

Besides the default mode, there is also the 'generate a certificate
request' mode. There are several flags that trigger this mode.

-new will generate a new RSA key (if required) and then prompt
the user for details for the certificate request.
-newkey has an argument that is the number of bits to make the new
key. This option also triggers '-new'.

The '-new' option can have a key to use specified instead of generating
one; '-key' is used to specify the file containing the key.
-keyform can be used to specify the format of the key. Only
'pem' and 'der' formats are supported; later, 'netscape' format may be added.

Finally there is the '-x509' option, which makes req output a self
signed x509 certificate instead of a certificate request.

Now as you may have noticed, there are lots of default options that
cannot be specified via the command line. They are held in a 'template'
or 'configuration file'. The -config option specifies which configuration
file to use. See conf.doc for details on the syntax of this file.

The req command uses the 'req' section of the config file.

---
# The following variables are defined. For this example I will populate
# the various values
[ req ]
default_bits       = 512        # default number of bits to use.
default_keyfile    = testkey.pem # Where to write the generated keyfile
                                 # if not specified.
distinguished_name = req_dn      # The section that contains the
                                 # information about which 'object' we
                                 # want to put in the DN.
attributes         = req_attr    # The objects we want for the
                                 # attributes field.
encrypt_rsa_key    = no          # Should we encrypt newly generated
                                 # keys. I strongly recommend 'yes'.

# The distinguished name section. For the following entries, the
# object names must exist in the SSLeay header file objects.h. If they
# do not, they will be silently ignored. The entries have the following
# format.
# <object_name>         => string to prompt with
# <object_name>_default => default value for people
# <object_name>_value   => Automatically use this value for this field.
# <object_name>_min     => minimum number of characters for data (def. 0)
# <object_name>_max     => maximum number of characters for data (def. inf.)
# All of these entries are optional except for the first one.
[ req_dn ]
countryName                    = Country Name (2 letter code)
countryName_default            = AU

stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = Queensland

localityName                   = Locality Name (eg, city)

organizationName               = Organization Name (eg, company)
organizationName_default       = Mincom Pty Ltd

organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = MTR

commonName                     = Common Name (eg, YOUR name)
commonName_max                 = 64

emailAddress                   = Email Address
emailAddress_max               = 40

# The next section is the attributes section. This is exactly the
# same as for the previous section except that the resulting objects are
# put in the attributes field.
[ req_attr ]
challengePassword              = A challenge password
challengePassword_min          = 4
challengePassword_max          = 20

unstructuredName               = An optional company name

----
Also note that the order that attributes appear in this file is the
order they will be put into the distinguished name.

Once this request has been generated, it can be sent to a CA for
certifying.

----
A few quick examples....

To generate a new request and a new key
req -new

To generate a new request and a 1058 bit key
req -newkey 1058

To generate a new request using a pre-existing key
req -new -key key.pem

To generate a self signed x509 certificate from a certificate
request using a supplied key, and we want to see the text form of the
output certificate (which we will put in the file selfSign.pem)
req -x509 -in req.pem -key key.pem -text -out selfSign.pem

Verify that the signature is correct on a certificate request.
req -verify -in req.pem

Verify that the signature was made using a specified public key.
req -verify -in req.pem -key key.pem

Print the contents of a certificate request
req -text -in req.pem
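The config-file layout and the command examples above, put to work in one script as an added example (not part of the original SSLeay document): it assumes a modern OpenSSL, where the tool is invoked as `openssl req` rather than bare `req` and `-batch` answers every prompt from its `_default`, and the organisation and host names in the config are constructed.

```shell
#!/bin/sh
# Added example, not from the original SSLeay document. Assumes a modern
# OpenSSL (the command is invoked as `openssl req`); all values are constructed.
set -e

# Write a 'req' config in the layout the document describes: [req] names the
# DN and attribute sections, and *_default/*_min/*_max control each prompt.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
encrypt_key        = no     # unencrypted key, so -batch needs no passphrase
distinguished_name = req_dn
attributes         = req_attr
[ req_dn ]
countryName               = Country Name (2 letter code)
countryName_default       = AU
organizationName          = Organization Name (eg, company)
organizationName_default  = Example Pty Ltd
commonName                = Common Name (eg, YOUR name)
commonName_default        = example.test
commonName_max            = 64
[ req_attr ]
challengePassword         = A challenge password
challengePassword_default = changeit
challengePassword_min     = 4
EOF
}

# Generate a fresh key plus a PKCS#10 request without prompting: -batch fills
# every field from its *_default, in file order. Prints the resulting subject.
make_request() {
    write_req_config "$1/req.cnf"
    openssl req -new -batch -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
    openssl req -in "$1/req.pem" -noout -subject
}

# -verify checks the request's self-signature against the public key it
# carries; the DER round trip shows PEM is only a base64 wrapping of DER.
check_request() {
    openssl req -verify -noout -in "$1/req.pem" 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1/req.pem" -outform DER -out "$1/req.der"
    openssl req -inform DER -in "$1/req.der" -outform PEM -out "$1/req2.pem"
    cmp -s "$1/req.pem" "$1/req2.pem"
}

# Demo, skipped quietly when openssl is not installed.
command -v openssl >/dev/null 2>&1 && d=$(mktemp -d) && make_request "$d" && check_request "$d"
```

The subject printed by `make_request` lists C, O and CN in the order the fields appear in `[ req_dn ]`, which is the ordering rule the text states.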