Creates a new self signed certificate. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
-This argument invokes L<openssl-req(1)> command.
+Invokes L<openssl-req(1)>.
=item B<-newreq>
Creates a new certificate request. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
-Executes L<openssl-req(1)> command below the hood.
+Executes L<openssl-req(1)> under the hood.
=item B<-newreq-nodes>
Is like B<-newreq> except that the private key will not be encrypted.
-Uses L<openssl-req(1)> command.
+Uses L<openssl-req(1)>.
=item B<-newca>
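Review bot: the three added sentences in this hunk describe the same relationship with three different phrasings: "Invokes L<openssl-req(1)>." in the first paragraph, "Executes L<openssl-req(1)> under the hood." under -newreq, and "Uses L<openssl-req(1)>." under -newreq-nodes. Since each of these lines is being rewritten anyway, pick one form (for example "Uses L<openssl-req(1)>.") so readers do not infer a behavioural difference between the options.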
certificates (which should also contain the private key) or by hitting ENTER
details of the CA will be prompted for. The relevant files and directories
are created in a directory called F<demoCA> in the current directory.
-L<openssl-req(1)> and L<openssl-ca(1)> commands are get invoked.
+Uses L<openssl-req(1)> and L<openssl-ca(1)>.
=item B<-pkcs12>
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
-Delegates work to L<openssl-pkcs12(1)> command.
+Delegates work to L<openssl-pkcs12(1)>.
=item B<-sign>, B<-signcert>, B<-xsign>
Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
request to be in the file F<newreq.pem>. The new certificate is written to the
file F<newcert.pem> except in the case of the B<-xsign> option when it is
-written to standard output. Leverages L<openssl-ca(1)> command.
+written to standard output.
=item B<-signCA>
This option is the same as the B<-signreq> option except it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating intermediate CA from
-a root CA. Extra params are passed on to L<openssl-ca(1)> command.
+a root CA. Extra params are passed to L<openssl-ca(1)>.
=item B<-signcert>
This option is the same as B<-sign> except it expects a self signed certificate
to be present in the file F<newreq.pem>.
-Extra params are passed on to L<openssl-x509(1)> and L<openssl-ca(1)> commands.
+Extra params are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.
=item B<-crl>
-Generate a CRL. Executes L<openssl-ca(1)> command.
+Generate a CRL. Executes L<openssl-ca(1)>.
=item B<-revoke> I<certfile> [I<reason>]
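Review bot: in the -signCA paragraph the context line "This option is the same as the B<-signreq> option" refers to an option that has no =item in this hunk, while B<-signcert> appears twice, once in "=item B<-sign>, B<-signcert>, B<-xsign>" and again as its own "=item B<-signcert>". If the first item list was meant to read B<-signreq>, fix it in this patch, since the surrounding sentences are already being edited. Separately, "Extra params" on the two + lines would read better as "Extra parameters".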
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
-Leverages L<openssl-ca(1)> command.
+Leverages L<openssl-ca(1)>.
=item B<-verify>
Verifies certificates against the CA certificate for F<demoCA>. If no
certificates are specified on the command line it tries to verify the file
-F<newcert.pem>. Invokes L<openssl-verify(1)> command.
+F<newcert.pem>. Invokes L<openssl-verify(1)>.
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
=head1 DSA CERTIFICATES
Although the B<CA.pl> creates RSA CAs and requests it is still possible to
-use it with DSA certificates and requests using the L<req(1)> command
+use it with DSA certificates and requests using the L<openssl-req(1)> command
directly. The following example shows the steps that would typically be taken.
Create some DSA parameters:
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
-example B<-aes-128-cbc>. See L<enc(1)> for a list of ciphers
+example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt> and
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
=back
=item B<-nameopt> I<option>
Option which determines how the subject or issuer names are displayed. See
-the description of B<-nameopt> in L<x509(1)>.
+the description of B<-nameopt> in L<openssl-x509(1)>.
=item B<-noout>
Note that the algorithm name X9.42 DH may be used as a synonym for the DH
algorithm. These are identical and do not indicate the type of parameters that
will be generated. Use the B<dh_paramgen_type> option to indicate whether PKCS#3
-or X9.42 DH parameters are required. See L<DH Parameter Generation Options>
+or X9.42 DH parameters are required. See L</DH Parameter Generation Options>
below for more details.
=item B<-pkeyopt> I<opt>:I<value>
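Review bot: the corrected link L</DH Parameter Generation Options> on the + line only resolves if this file has a heading with exactly that text. The heading itself is outside the hunk, so please confirm that spelling and capitalisation match; podchecker reports unresolved internal links.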
=item B<-digest-commands>
Display a list of message digest commands, which are typically used
-as input to the L<dgst(1)> or L<speed(1)> commands.
+as input to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
=item B<-digest-algorithms>
=item B<-cipher-commands>
Display a list of cipher commands, which are typically used as input
-to the L<dgst(1)> or L<speed(1)> commands.
+to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands.
=item B<-cipher-algorithms>
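Review bot: the -cipher-commands description on the + line still says the cipher commands are typically used as input "to the L<openssl-dgst(1)> or L<openssl-speed(1)> commands", which is the same pair of targets given for -digest-commands. That looks like a copy-paste carried over from the old text. If cipher names are meant as input to L<openssl-enc(1)>, this rename is a good place to correct the target.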
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different certificate verification options.
-See L<verify(1)> manual page for details.
+See L<openssl-verify(1)> manual page for details.
=item B<-verify_other> I<file>
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-reqopt> I<option>
Customise the output format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.
-See discussion of the B<-certopt> parameter in the L<x509(1)>
+See discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
command.
=item B<-newhdr>
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-CApath> I<directory>
The directory to use for server certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the client certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the client certificate chain.
=item B<-CAfile> I<file>
=item B<-chainCApath> I<directory>
The directory to use for building the chain provided to the server. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
=item B<-chainCAfile> I<file>
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
=item B<-reconnect>
Option which determines how the subject or issuer names are displayed. The
I<val> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-naccept> I<+int>
=item B<-CApath> I<dir>
The directory to use for client certificate verification. This directory
-must be in "hash format", see L<verify(1)> for more information. These are
-also used when building the server certificate chain.
+must be in "hash format", see L<openssl-verify(1)> for more information.
+These are also used when building the server certificate chain.
=item B<-chainCApath> I<dir>
The directory to use for building the chain provided to the client. This
-directory must be in "hash format", see L<verify(1)> for more information.
+directory must be in "hash format", see L<openssl-verify(1)> for more
+information.
=item B<-chainCAfile> I<file>
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set different peer certificate verification options.
-See the L<verify(1)> manual page for details.
+See the L<openssl-verify(1)> manual page for details.
=item B<-crl_check>, B<-crl_check_all>
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-CApath> I<directory>
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information.
+L<openssl-ciphers(1)> for more information.
=item B<-ciphersuites> I<val>
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
-L<ciphers(1)> for more information. The format for this list is a simple
-colon (":") separated list of TLSv1.3 ciphersuite names.
+L<openssl-ciphers(1)> for more information. The format for this list is a
+simple colon (":") separated list of TLSv1.3 ciphersuite names.
=item B<-time> I<length>
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using L<s_client(1)> the CA list can be
+requests a certificate. By using L<openssl-s_client(1)> the CA list can be
viewed and checked. However some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> option of L<s_client(1)> and
+is necessary to use the B<-prexit> option of L<openssl-s_client(1)> and
send an HTTP request for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
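Review bot: the context line "the clients certificate authority" in the paragraph being re-linked is missing an apostrophe ("the client's certificate authority"). It is worth fixing in the same change, since the lines directly after it are already touched.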
=head1 BUGS
Because this program does not have all the options of the
-L<s_client(1)> program to turn protocols on and off, you may not be
-able to measure the performance of all protocols with all servers.
+L<openssl-s_client(1)> program to turn protocols on and off, you may not
+be able to measure the performance of all protocols with all servers.
The B<-verify> option should really exit if the server verification
fails.
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various options of certificate chain verification. See
-L<verify(1)> manual page for details.
+L<openssl-verify(1)> manual page for details.
=item I<cert.pem> ...
=item B<-CApath> I<trusted_cert_path>
The name of the directory containing the trusted CA certificates of the
-client. See the similar option of L<verify(1)> for additional
+client. See the similar option of L<openssl-verify(1)> for additional
details. Either this option or B<-CAfile> must be specified. (Optional)
The name of the file containing a set of trusted self-signed CA
certificates in PEM format. See the similar option of
-L<verify(1)> for additional details. Either this option
+L<openssl-verify(1)> for additional details. Either this option
or B<-CApath> must be specified.
(Optional)
=item B<oid_file>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<oid_section>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<RANDFILE>
-See L<ca(1)> for description. (Optional)
+See L<openssl-ca(1)> for description. (Optional)
=item B<serial>
extendedKeyUsage = critical,timeStamping
-See L<req(1)>, L<ca(1)>, and L<x509(1)> for instructions. The examples
-below assume that F<cacert.pem> contains the certificate of the CA,
-F<tsacert.pem> is the signing certificate issued by F<cacert.pem> and
-F<tsakey.pem> is the private key of the TSA.
+See L<openssl-req(1)>, L<openssl-ca(1)>, and L<openssl-x509(1)> for
+instructions. The examples below assume that F<cacert.pem> contains the
+certificate of the CA, F<tsacert.pem> is the signing certificate issued
+by F<cacert.pem> and F<tsakey.pem> is the private key of the TSA.
To create a timestamp response for a request:
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-no_check_time>
DANE TLSA authentication is enabled, but no TLSA records matched the
certificate chain.
-This error is only possible in L<s_client(1)>.
+This error is only possible in L<openssl-s_client(1)>.
=item B<X509_V_ERR_EE_KEY_TOO_SMALL>
=item B<dgst>
Message Digest calculation. MAC calculations are superseded by
-L<mac(1)>.
+L<openssl-mac(1)>.
=item B<dh>
Diffie-Hellman Parameter Management.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
=item B<dhparam>
Generation and Management of Diffie-Hellman Parameters. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
=item B<dsa>
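Review bot: the dh entry now reads "Obsoleted by L<openssl-dhparam(1)>.", but the very next entry says dhparam is itself "Superseded by L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>", so a reader following the dh link lands on another superseded command. Consider pointing dh at the current commands directly, and using one term ("Obsoleted" or "Superseded") throughout the list.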
=item B<dsaparam>
DSA Parameter Generation and Management. Superseded by
-L<genpkey(1)> and L<pkeyparam(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkeyparam(1)>.
=item B<ec>
=item B<gendh>
Generation of Diffie-Hellman Parameters.
-Obsoleted by L<dhparam(1)>.
+Obsoleted by L<openssl-dhparam(1)>.
=item B<gendsa>
Generation of DSA Private Key from Parameters. Superseded by
-L<genpkey(1)> and L<pkey(1)>.
+L<openssl-genpkey(1)> and L<openssl-pkey(1)>.
=item B<genpkey>
=item B<genrsa>
-Generation of RSA Private Key. Superseded by L<genpkey(1)>.
+Generation of RSA Private Key. Superseded by L<openssl-genpkey(1)>.
=item B<info>
=item B<rsautl>
RSA utility for signing, verification, encryption, and decryption. Superseded
-by L<pkeyutl(1)>.
+by L<openssl-pkeyutl(1)>.
=item B<s_client>
and ciphers.
Depending on how OpenSSL was configured and built, not all ciphers listed
-here may be present. See L<enc(1)> for more information and command usage.
+here may be present. See L<openssl-enc(1)> for more information and command
+usage.
=over 4