diff options
Diffstat (limited to 'doc/apps/x509.pod')
| -rw-r--r-- | doc/apps/x509.pod | 48 |
1 files changed, 38 insertions, 10 deletions
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 21bdfccb9..3002b0812 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -23,6 +23,7 @@ B<openssl> B<x509> [B<-issuer>] [B<-nameopt option>] [B<-email>] +[B<-ocsp_uri>] [B<-startdate>] [B<-enddate>] [B<-purpose>] @@ -98,12 +99,12 @@ default. the digest to use. This affects any signing or display option that uses a message digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not -specified then MD5 is used. If the key being used to sign with is a DSA key then -this option has no effect: SHA1 is always used with DSA keys. +specified then SHA1 is used. If the key being used to sign with is a DSA key +then this option has no effect: SHA1 is always used with DSA keys. =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by its unique B<id> string) will cause B<x509> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -155,7 +156,17 @@ outputs the "hash" of the certificate issuer name. =item B<-hash> -synonym for "-hash" for backward compatibility reasons. +synonym for "-subject_hash" for backward compatibility reasons. + +=item B<-subject_hash_old> + +outputs the "hash" of the certificate subject name using the older algorithm +as used by OpenSSL versions before 1.0.0. + +=item B<-issuer_hash_old> + +outputs the "hash" of the certificate issuer name using the older algorithm +as used by OpenSSL versions before 1.0.0. =item B<-subject> @@ -176,6 +187,10 @@ set multiple options. See the B<NAME OPTIONS> section for more information. outputs the email address(es) if any. +=item B<-ocsp_uri> + +outputs the OCSP responder address(es) if any. + =item B<-startdate> prints out the start date of the certificate, that is the notBefore date. @@ -376,7 +391,9 @@ no extensions are added to the certificate. the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called -"extensions" which contains the section to use. +"extensions" which contains the section to use. See the +L<x509v3_config(5)|x509v3_config(5)> manual page for details of the +extension section format. =back @@ -404,13 +421,13 @@ B<sep_comma_plus>, B<dn_rev> and B<sname>. a oneline format which is more readable than RFC2253. It is equivalent to specifying the B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>, -B<dump_der>, B<use_quote>, B<sep_comma_plus_spc>, B<spc_eq> and B<sname> +B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname> options. =item B<multiline> a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>, -B<spc_eq>, B<lname> and B<align>. +B<space_eq>, B<lname> and B<align>. =item B<esc_2253> @@ -510,7 +527,7 @@ diagnostic purpose. align field values for a more readable output. Only usable with B<sep_multiline>. -=item B<spc_eq> +=item B<space_eq> places spaces round the B<=> character which follows the field name. @@ -620,7 +637,7 @@ Display the certificate subject name in RFC2253 form: Display the certificate subject name in oneline form on a terminal supporting UTF8: - openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb + openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb Display the certificate MD5 fingerprint: @@ -823,6 +840,17 @@ OpenSSL 0.9.5 and later. =head1 SEE ALSO L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, -L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)> +L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>, +L<x509v3_config(5)|x509v3_config(5)> + +=head1 HISTORY + +Before OpenSSL 0.9.8, the default digest for RSA keys was MD5. + +The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options +before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding +of the distinguished name. In OpenSSL 1.0.0 and later it is based on a +canonical version of the DN using SHA1. This means that any directories using +the old form must have their links rebuilt using B<c_rehash> or similar. =cut |