openssl/doc/req.1

138 lines
4.9 KiB
Groff
Raw Normal View History

The 'req' command is used to manipulate and deal with pkcs#10
certificate requests.
It's default mode of operation is to load a certificate and then
write it out again.
By default the 'req' is read from stdin in 'PEM' format.
The -inform option can be used to specify 'pem' format or 'der'
format. PEM format is the base64 encoding of the DER format.
By default 'req' then writes the request back out. -outform can be used
to indicate the desired output format, be it 'pem' or 'der'.
To specify an input file, use the '-in' option and the '-out' option
can be used to specify the output file.
If you wish to perform a command and not output the certificate
request afterwards, use the '-noout' option.
When a certificate is loaded, it can be printed in a human readable
ascii format via the '-text' option.
To check that the signature on a certificate request is correct, use
the '-verify' option to make sure that the private key contained in the
certificate request corresponds to the signature.
Besides the default mode, there is also the 'generate a certificate
request' mode. There are several flags that trigger this mode.
-new will generate a new RSA key (if required) and then prompts
the user for details for the certificate request.
-newkey has an argument that is the number of bits to make the new
key. This function also triggers '-new'.
The '-new' option can have a key to use specified instead of having to
load one, '-key' is used to specify the file containg the key.
-keyform can be used to specify the format of the key. Only
'pem' and 'der' formats are supported, later, 'netscape' format may be added.
Finally there is the '-x509' options which makes req output a self
signed x509 certificate instead of a certificate request.
Now as you may have noticed, there are lots of default options that
cannot be specified via the command line. They are held in a 'template'
or 'configuration file'. The -config option specifies which configuration
file to use. See conf.doc for details on the syntax of this file.
The req command uses the 'req' section of the config file.
---
# The following variables are defined. For this example I will populate
# the various values
[ req ]
default_bits = 512 # default number of bits to use.
default_keyfile = testkey.pem # Where to write the generated keyfile
# if not specified.
distinguished_name= req_dn # The section that contains the
# information about which 'object' we
# want to put in the DN.
attributes = req_attr # The objects we want for the
# attributes field.
encrypt_rsa_key = no # Should we encrypt newly generated
# keys. I strongly recommend 'yes'.
# The distinguished name section. For the following entries, the
# object names must exist in the SSLeay header file objects.h. If they
# do not, they will be silently ignored. The entries have the following
# format.
# <object_name> => string to prompt with
# <object_name>_default => default value for people
# <object_name>_value => Automatically use this value for this field.
# <object_name>_min => minimum number of characters for data (def. 0)
# <object_name>_max => maximum number of characters for data (def. inf.)
# All of these entries are optional except for the first one.
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationName_default = Mincom Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = MTR
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
# The next section is the attributes section. This is exactly the
# same as for the previous section except that the resulting objects are
# put in the attributes field.
[ req_attr ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
----
Also note that the order that attributes appear in this file is the
order they will be put into the distinguished name.
Once this request has been generated, it can be sent to a CA for
certifying.
----
A few quick examples....
To generate a new request and a new key
req -new
To generate a new request and a 1058 bit key
req -newkey 1058
To generate a new request using a pre-existing key
req -new -key key.pem
To generate a self signed x509 certificate from a certificate
request using a supplied key, and we want to see the text form of the
output certificate (which we will put in the file selfSign.pem
req -x509 -in req.pem -key key.pem -text -out selfSign.pem
Verify that the signature is correct on a certificate request.
req -verify -in req.pem
Verify that the signature was made using a specified public key.
req -verify -in req.pem -key key.pem
Print the contents of a certificate request
req -text -in req.pem