8d9a4d83 DDO |
1 | =pod |
2 | {- OpenSSL::safe::output_do_not_edit_headers(); -} | |
3 | ||
4 | =head1 NAME | |
5 | ||
6 | openssl-cmp - client for the Certificate Management Protocol (CMP, RFC 4210) | |
7 | ||
8 | =head1 SYNOPSIS | |
9 | ||
10 | B<openssl> B<cmp> | |
11 | [B<-help>] | |
12 | [B<-config> I<filename>] | |
13 | [B<-section> I<names>] | |
14 | ||
15 | [B<-server> I<address[:port]>] | |
16 | [B<-proxy> I<[http[s]://]address[:port][/path]>] | |
17 | [B<-no_proxy> I<addresses>] | |
18 | [B<-path> I<remote_path>] | |
19 | [B<-msg_timeout> I<seconds>] | |
20 | [B<-total_timeout> I<seconds>] | |
21 | ||
22 | [B<-trusted> I<filenames>] | |
23 | [B<-untrusted> I<sources>] | |
24 | [B<-srvcert> I<filename>] | |
25 | [B<-recipient> I<name>] | |
26 | [B<-expect_sender> I<name>] | |
27 | [B<-ignore_keyusage>] | |
28 | [B<-unprotected_errors>] | |
29 | [B<-extracertsout> I<filename>] | |
30 | [B<-cacertsout> I<filename>] | |
31 | ||
32 | [B<-ref> I<value>] | |
33 | [B<-secret> I<arg>] | |
34 | [B<-cert> I<filename>] | |
35 | [B<-key> I<filename>] | |
36 | [B<-keypass> I<arg>] | |
37 | [B<-digest> I<name>] | |
38 | [B<-mac> I<name>] | |
39 | [B<-extracerts> I<sources>] | |
40 | [B<-unprotected_requests>] | |
41 | ||
42 | [B<-cmd> I<ir|cr|kur|p10cr|rr|genm>] | |
43 | [B<-infotype> I<name>] | |
44 | [B<-geninfo> I<OID:int:N>] | |
45 | ||
46 | [B<-newkey> I<filename>] | |
47 | [B<-newkeypass> I<arg>] | |
48 | [B<-subject> I<name>] | |
49 | [B<-issuer> I<name>] | |
50 | [B<-days> I<number>] | |
51 | [B<-reqexts> I<name>] | |
52 | [B<-sans> I<spec>] | |
53 | [B<-san_nodefault>] | |
54 | [B<-policies> I<name>] | |
55 | [B<-policy_oids> I<names>] | |
56 | [B<-policy_oids_critical>] | |
57 | [B<-popo> I<number>] | |
58 | [B<-csr> I<filename>] | |
59 | [B<-out_trusted> I<filenames>] | |
60 | [B<-verify_hostname> I<cn>] | |
61 | [B<-verify_ip> I<ip>] | |
62 | [B<-verify_email> I<email>] | |
63 | [B<-implicit_confirm>] | |
64 | [B<-disable_confirm>] | |
65 | [B<-certout> I<filename>] | |
66 | ||
67 | [B<-oldcert> I<filename>] | |
68 | [B<-revreason> I<number>] | |
69 | ||
70 | [B<-certform> I<PEM|DER>] | |
71 | [B<-keyform> I<PEM|DER|P12|ENGINE>] | |
72 | [B<-certsform> I<PEM|DER|P12>] | |
73 | [B<-otherpass> I<arg>] | |
74 | [B<-engine> I<id>] | |
75 | {- $OpenSSL::safe::opt_provider_synopsis -} | |
76 | ||
77 | [B<-tls_used>] | |
78 | [B<-tls_cert> I<filename>] | |
79 | [B<-tls_key> I<filename>] | |
80 | [B<-tls_keypass> I<arg>] | |
81 | [B<-tls_extra> I<filenames>] | |
82 | [B<-tls_trusted> I<filenames>] | |
83 | [B<-tls_host> I<name>] | |
84 | ||
85 | [B<-batch>] | |
86 | [B<-repeat> I<number>] | |
87 | [B<-reqin>] I<filenames> | |
143be474 | 88 | [B<-reqin_new_tid>] |
8d9a4d83 DDO |
89 | [B<-reqout>] I<filenames> |
90 | [B<-rspin>] I<filenames> | |
91 | [B<-rspout>] I<filenames> | |
92 | [B<-use_mock_srv>] | |
93 | ||
94 | [B<-policy> I<arg>] | |
95 | [B<-purpose> I<purpose>] | |
96 | [B<-verify_name> I<name>] | |
97 | [B<-verify_depth> I<num>] | |
98 | [B<-auth_level> I<level>] | |
99 | [B<-attime> I<timestamp>] | |
100 | [B<-ignore_critical>] | |
101 | [B<-issuer_checks>] | |
102 | [B<-policy_check>] | |
103 | [B<-explicit_policy>] | |
104 | [B<-inhibit_any>] | |
105 | [B<-inhibit_map>] | |
106 | [B<-x509_strict>] | |
107 | [B<-extended_crl>] | |
108 | [B<-use_deltas>] | |
109 | [B<-policy_print>] | |
110 | [B<-check_ss_sig>] | |
111 | [B<-crl_check>] | |
112 | [B<-crl_check_all>] | |
113 | [B<-trusted_first>] | |
114 | [B<-suiteB_128_only>] | |
115 | [B<-suiteB_128>] | |
116 | [B<-suiteB_192>] | |
117 | [B<-partial_chain>] | |
118 | [B<-no_alt_chains>] | |
119 | [B<-no_check_time>] | |
120 | [B<-allow_proxy_certs>] | |
121 | ||
122 | [B<-port> I<number>] | |
123 | [B<-max_msgs> I<number>] | |
124 | [B<-srv_ref> I<value>] | |
125 | [B<-srv_secret> I<arg>] | |
126 | [B<-srv_cert> I<filename>] | |
127 | [B<-srv_key> I<filename>] | |
128 | [B<-srv_keypass> I<arg>] | |
129 | [B<-srv_trusted> I<filenames>] | |
130 | [B<-srv_untrusted> I<filenames>] | |
131 | [B<-rsp_cert> I<filename>] | |
132 | [B<-rsp_extracerts> I<filenames>] | |
133 | [B<-rsp_capubs> I<filenames>] | |
134 | [B<-poll_count> I<number>] | |
135 | [B<-check_after> I<number>] | |
136 | [B<-grant_implicitconf>] | |
137 | [B<-pkistatus> I<number>] | |
138 | [B<-failure> I<number>] | |
139 | [B<-failurebits> I<number>] | |
140 | [B<-statusstring> I<arg>] | |
141 | [B<-send_error>] | |
142 | [B<-send_unprotected>] | |
143 | [B<-send_unprot_err>] | |
144 | [B<-accept_unprotected>] | |
145 | [B<-accept_unprot_err>] | |
146 | [B<-accept_raverified>] | |
147 | ||
148 | =head1 DESCRIPTION | |
149 | ||
150 | The B<cmp> command is a client implementation for the Certificate | |
151 | Management Protocol (CMP) as defined in RFC 4210. | |
152 | It can be used to request certificates from a CA server, | |
153 | update existing certificates, | |
154 | request certificates to be revoked, and perform other CMP requests. | |
155 | ||
156 | =head1 OPTIONS | |
157 | ||
158 | =over 4 | |
159 | ||
160 | =item B<-help> | |
161 | ||
162 | Display a summary of all options. | |
163 | ||
164 | =item B<-config> I<filename> | |
165 | ||
166 | Configuration file to use. | |
167 | An empty string C<""> means none. | |
168 | Default filename is from the environment variable C<OPENSSL_CONF>. | |
169 | ||
170 | =item B<-section> I<names> | |
171 | ||
172 | Section(s) to use within config file defining CMP options. | |
173 | An empty string C<""> means no specific section. | |
174 | Default is C<cmp>. | |
175 | Multiple section names may be given, separated by commas and/or whitespace | |
176 | (where in the latter case the whole argument must be enclosed in "..."). | |
177 | Contents of sections named later may override contents of sections named before. | |
178 | In any case, as usual, the C<[default]> section and finally the unnamed | |
179 | section (if present) can provide per-option fallback values. | |
180 | ||
181 | =back | |
182 | ||
183 | ||
184 | =head2 Generic message options | |
185 | ||
186 | =over 4 | |
187 | ||
188 | =item B<-cmd> I<ir|cr|kur|p10cr|rr|genm> | |
189 | ||
190 | CMP command to execute. | |
191 | Currently implemented commands are: | |
192 | ||
193 | =over 8 | |
194 | ||
195 | =item ir E<nbsp> - Initialization Request | |
196 | ||
197 | =item cr E<nbsp> - Certificate Request | |
198 | ||
199 | =item p10cr - PKCS#10 Certification Request (for legacy support) | |
200 | ||
201 | =item kur E<nbsp>E<nbsp>- Key Update Request | |
202 | ||
203 | =item rr E<nbsp> - Revocation Request | |
204 | ||
205 | =item genm - General Message | |
206 | ||
207 | =back | |
208 | ||
209 | B<ir> requests initialization of an End Entity into a PKI hierarchy by means of | |
210 | issuance of a first certificate. | |
211 | ||
212 | B<cr> requests issuance of an additional certificate for an End Entity already | |
213 | initialized to the PKI hierarchy. | |
214 | ||
215 | B<p10cr> requests issuance of an additional certificate similarly to B<cr> | |
216 | but uses PKCS#10 CSR format. | |
217 | ||
218 | B<kur> requests (key) update for an existing, given certificate. | |
219 | ||
220 | B<rr> requests revocation of an existing, given certificate. | |
221 | ||
222 | B<genm> requests information using a General Message, where optionally | |
223 | included B<InfoTypeAndValue>s may be used to state which info is of interest. | |
224 | Upon receipt of the General Response, information about all received | |
225 | ITAV B<infoType>s is printed to stdout. | |
226 | ||
227 | =item B<-infotype> I<name> | |
228 | ||
229 | Set InfoType name to use for requesting specific info in B<genm>, | |
230 | e.g., C<signKeyPairTypes>. | |
231 | ||
232 | =item B<-geninfo> I<OID:int:N> | |
233 | ||
234 | generalInfo integer values to place in request PKIHeader with given OID, | |
235 | e.g., C<1.2.3:int:987>. | |
236 | ||
237 | =back | |
238 | ||
239 | ||
240 | =head2 Certificate request options | |
241 | ||
242 | =over 4 | |
243 | ||
244 | =item B<-newkey> I<filename> | |
245 | ||
246 | The file containing the private or public key for the certificate requested | |
247 | in Initialization Request (IR), Certification Request (CR), or | |
248 | Key Update Request (KUR). | |
249 | Default is the public key in the PKCS#10 CSR given with the B<-csr> option, | |
250 | if any, or else the current client key, if given. | |
251 | ||
252 | =item B<-newkeypass> I<arg> | |
253 | ||
254 | Pass phrase source for the key given with the B<-newkey> option. | |
255 | If not given here, the password will be prompted for if needed. | |
256 | ||
257 | For more information about the format of B<arg> see the | |
258 | B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. | |
259 | ||
260 | =item B<-subject> I<name> | |
261 | ||
262 | X509 Distinguished Name (DN) of subject to use in the requested certificate | |
263 | template. | |
264 | For KUR, it defaults to the subject DN of the reference certificate | |
265 | (see B<-oldcert>). | |
266 | This default is used for IR and CR only if no SANs are set. | |
267 | ||
268 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>, | |
269 | characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. | |
270 | ||
271 | In case B<-cert> is not set, for instance when using MSG_MAC_ALG, | |
272 | the subject DN is also used as sender of the PKI message. | |
273 | ||
274 | =item B<-issuer> I<name> | |
275 | ||
276 | X509 issuer Distinguished Name (DN) of the CA server | |
277 | to place in the requested certificate template in IR/CR/KUR. | |
278 | ||
279 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>, | |
280 | characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. | |
281 | ||
282 | If neither B<-srvcert> nor B<-recipient> is available, | |
283 | the name given in this option is also set as the recipient of the CMP message. | |
284 | ||
285 | =item B<-days> I<number> | |
286 | ||
287 | Number of days the new certificate is requested to be valid for, counting from | |
288 | the current time of the host. | |
289 | Also triggers the explicit request that the | |
290 | validity period starts from the current time (as seen by the host). | |
291 | ||
292 | =item B<-reqexts> I<name> | |
293 | ||
294 | Name of section in OpenSSL config file defining certificate request extensions. | |
295 | ||
296 | =item B<-sans> I<spec> | |
297 | ||
298 | One or more IP addresses, DNS names, or URIs separated by commas or whitespace | |
299 | (where in the latter case the whole argument must be enclosed in "...") | |
300 | to add as Subject Alternative Name(s) (SAN) certificate request extension. | |
301 | If the special element "critical" is given the SANs are flagged as critical. | |
302 | Cannot be used if any Subject Alternative Name extension is set via B<-reqexts>. | |
303 | ||
304 | =item B<-san_nodefault> | |
305 | ||
306 | When Subject Alternative Names are not given via B<-sans> | |
307 | nor defined via B<-reqexts>, | |
308 | they are copied by default from the reference certificate (see B<-oldcert>). | |
309 | This can be disabled by giving the B<-san_nodefault> option. | |
310 | ||
311 | =item B<-policies> I<name> | |
312 | ||
313 | Name of section in OpenSSL config file defining policies to be set | |
314 | as certificate request extension. | |
315 | This option cannot be used together with B<-policy_oids>. | |
316 | ||
317 | =item B<-policy_oids> I<names> | |
318 | ||
319 | One or more OID(s), separated by commas and/or whitespace | |
320 | (where in the latter case the whole argument must be enclosed in "...") | |
321 | to add as certificate policies request extension. | |
322 | This option cannot be used together with B<-policies>. | |
323 | ||
324 | =item B<-policy_oids_critical> | |
325 | ||
326 | Flag the policies given with B<-policy_oids> as critical. | |
327 | ||
328 | =item B<-popo> I<number> | |
329 | ||
330 | Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..C<2> where | |
331 | C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. | |
332 | ||
333 | Note that a signature-based POPO can only be produced if a private key | |
334 | is provided via the B<-newkey> or B<-key> options. | |
335 | ||
336 | =item B<-csr> I<filename> | |
337 | ||
338 | CSR in PKCS#10 format to use in legacy P10CR messages. | |
339 | ||
340 | =item B<-out_trusted> I<filenames> | |
341 | ||
342 | Trusted certificate(s) to use for verifying the newly enrolled certificate. | |
343 | ||
344 | Multiple filenames may be given, separated by commas and/or whitespace | |
345 | (where in the latter case the whole argument must be enclosed in "..."). | |
346 | Each source may contain multiple certificates. | |
347 | ||
348 | =item B<-verify_hostname> I<name> | |
349 | ||
350 | When verification of the newly enrolled certificate is enabled (with the | |
351 | B<-out_trusted> option), check if any DNS Subject Alternative Name (or if no | |
352 | DNS SAN is included, the Common Name in the subject) equals the given B<name>. | |
353 | ||
354 | =item B<-verify_ip> I<ip> | |
355 | ||
356 | When verification of the newly enrolled certificate is enabled (with the | |
357 | B<-out_trusted> option), check if there is | |
358 | an IP address Subject Alternative Name matching the given IP address. | |
359 | ||
360 | =item B<-verify_email> I<email> | |
361 | ||
362 | When verification of the newly enrolled certificate is enabled (with the | |
363 | B<-out_trusted> option), check if there is | |
364 | an email address Subject Alternative Name matching the given email address. | |
365 | ||
366 | =item B<-implicit_confirm> | |
367 | ||
368 | Request implicit confirmation of newly enrolled certificates. | |
369 | ||
370 | =item B<-disable_confirm> | |
371 | ||
372 | Do not send a certificate confirmation message for the newly enrolled certificate | |
373 | and do not request implicit confirmation either; this is meant | |
374 | to cope with broken servers not supporting implicit confirmation correctly. | |
375 | B<WARNING:> This leads to behavior violating RFC 4210. | |
376 | ||
377 | =item B<-certout> I<filename> | |
378 | ||
379 | The file where the newly enrolled certificate should be saved. | |
380 | ||
381 | =back | |
382 | ||
383 | ||
384 | =head2 Certificate revocation options | |
385 | ||
386 | =over 4 | |
387 | ||
388 | =item B<-oldcert> I<filename> | |
389 | ||
390 | The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request | |
391 | (KUR) messages or to be revoked in Revocation Request (RR) messages. | |
392 | It must be given for RR, while for KUR it defaults to B<-cert>. | |
393 | ||
394 | The reference certificate determined in this way, if any, is also used for | |
395 | deriving default subject DN and Subject Alternative Names for IR, CR, and KUR. | |
396 | Its issuer, if any, is used as default recipient in the CMP message header | |
397 | if neither B<-srvcert>, B<-recipient>, nor B<-issuer> is available. | |
398 | ||
399 | =item B<-revreason> I<number> | |
400 | ||
401 | Set CRLReason to be included in revocation request (RR); values: C<0>..C<10> | |
402 | or C<-1> for none (which is the default). | |
403 | ||
404 | Reason numbers defined in RFC 5280 are: | |
405 | ||
406 | CRLReason ::= ENUMERATED { | |
407 | unspecified (0), | |
408 | keyCompromise (1), | |
409 | cACompromise (2), | |
410 | affiliationChanged (3), | |
411 | superseded (4), | |
412 | cessationOfOperation (5), | |
413 | certificateHold (6), | |
414 | -- value 7 is not used | |
415 | removeFromCRL (8), | |
416 | privilegeWithdrawn (9), | |
417 | aACompromise (10) | |
418 | } | |
419 | ||
420 | =back | |
421 | ||
422 | ||
423 | =head2 Message transfer options | |
424 | ||
425 | =over 4 | |
426 | ||
427 | =item B<-server> I<[http[s]://]address[:port]> | |
428 | ||
429 | The IP address or DNS hostname and optionally port (defaulting to 80 or 443) | |
430 | of the CMP server to connect to using HTTP(S) transport. | |
431 | The optional "http://" or "https://" prefix is ignored. | |
432 | ||
433 | =item B<-proxy> I<[http[s]://]address[:port][/path]> | |
434 | ||
435 | The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> | |
436 | applies, see below. | |
437 | The optional "http://" or "https://" prefix and any trailing path are ignored. | |
438 | Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY> | |
439 | in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>. | |
440 | ||
441 | =item B<-no_proxy> I<addresses> | |
| ||
442 | List of IP addresses and/or DNS names of servers | |
443 | not to use an HTTP(S) proxy for, separated by commas and/or whitespace | |
444 | (where in the latter case the whole argument must be enclosed in "..."). | |
445 | Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>. | |
446 | ||
447 | =item B<-path> I<remote_path> | |
448 | ||
449 | HTTP path at the CMP server (aka CMP alias) to use for POST requests. | |
450 | Defaults to "/". | |
451 | ||
452 | =item B<-msg_timeout> I<seconds> | |
453 | ||
454 | Number of seconds (or 0 for infinite) a CMP request-response message round trip | |
455 | is allowed to take before a timeout error is returned. | |
456 | Default is 120. | |
457 | ||
458 | =item B<-total_timeout> I<seconds> | |
459 | ||
460 | Maximum number of seconds an overall enrollment transaction may take, | |
461 | including attempts polling for certificates on C<waiting> PKIStatus. | |
462 | Default is 0 (infinite). | |
463 | ||
464 | =back | |
465 | ||
466 | ||
467 | =head2 Server authentication options | |
468 | ||
469 | =over 4 | |
470 | ||
471 | =item B<-trusted> I<filenames> | |
472 | ||
473 | When verifying signature-based protection of CMP response messages, | |
474 | these are the CA certificate(s) to trust while checking certificate chains | |
475 | during CMP server authentication. | |
476 | This option gives more flexibility than the B<-srvcert> option because | |
477 | it does not pin down the expected CMP server by allowing only one certificate. | |
478 | ||
479 | Multiple filenames may be given, separated by commas and/or whitespace | |
480 | (where in the latter case the whole argument must be enclosed in "..."). | |
481 | Each source may contain multiple certificates. | |
482 | ||
483 | =item B<-untrusted> I<sources> | |
484 | ||
485 | Non-trusted intermediate certificate(s) that may be useful | |
486 | for constructing the TLS client certificate chain (if TLS is enabled) and | |
487 | for building certificate chains while verifying the CMP server certificate | |
488 | (when checking signature-based CMP message protection) | |
489 | and while verifying the newly enrolled certificate. | |
490 | These may get added to the extraCerts field sent in requests as far as needed. | |
491 | ||
492 | Multiple filenames may be given, separated by commas and/or whitespace. | |
493 | Each file may contain multiple certificates. | |
494 | ||
495 | =item B<-srvcert> I<filename> | |
496 | ||
497 | The specific CMP server certificate to use and directly trust (even if it is | |
498 | expired) when verifying signature-based protection of CMP response messages. | |
499 | May be set alternatively to the B<-trusted> option | |
500 | if the certificate is available and only this one shall be accepted. | |
501 | ||
502 | If set, the issuer of the certificate is also used as the recipient of the CMP | |
503 | request and as the expected sender of the CMP response, | |
504 | overriding any potential B<-recipient> option. | |
505 | ||
506 | =item B<-recipient> I<name> | |
507 | ||
508 | This option may be used to explicitly set the Distinguished Name (DN) | |
509 | of the CMP message recipient, i.e., the CMP server (usually a CA or RA entity). | |
510 | ||
511 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>, | |
512 | characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. | |
513 | ||
514 | If a CMP server certificate is given with the B<-srvcert> option, its subject | |
515 | name is taken as the recipient name and the B<-recipient> option is ignored. | |
516 | If neither of the two are given, the recipient of the PKI message is | |
517 | determined in the following order: from the B<-issuer> option if present, | |
518 | the issuer of old cert given with the B<-oldcert> option if present, | |
519 | the issuer of the client certificate (B<-cert> option) if present. | |
520 | ||
521 | The recipient field in the header of CMP messages is mandatory. | |
522 | If none of the options that enable the derivation of the recipient name are | |
523 | given, no suitable value for the recipient in the PKIHeader is available. | |
524 | As a last resort it is set to the NULL-DN. | |
525 | ||
526 | When a response is received, its sender must match the recipient of the request. | |
527 | ||
528 | =item B<-expect_sender> I<name> | |
529 | ||
530 | Distinguished Name (DN) of the expected sender of CMP response messages when | |
531 | MSG_SIG_ALG is used for protection. | |
532 | This can be used to ensure that only a particular entity is accepted | |
533 | as the CMP server, and attackers are not able to use arbitrary certificates | |
534 | of a trusted PKI hierarchy to fraudulently pose as a CMP server. | |
535 | Note that this option gives slightly more freedom than B<-srvcert>, | |
536 | which pins down the server to a particular certificate, | |
537 | while B<-expect_sender> I<name> will continue to match after updates of the | |
538 | server cert. | |
539 | ||
540 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>, | |
541 | characters may be escaped by C<\>E<nbsp>(backslash), no spaces are skipped. | |
542 | ||
543 | If not given, the subject DN of B<-srvcert>, if provided, will be used. | |
544 | ||
545 | =item B<-ignore_keyusage> | |
546 | ||
547 | Ignore key usage restrictions in CMP signer certificates when verifying | |
548 | signature-based protection of incoming CMP messages; | |
549 | otherwise C<digitalSignature> must be allowed for the signer certificate. | |
550 | ||
551 | =item B<-unprotected_errors> | |
552 | ||
553 | Accept missing or invalid protection of negative responses from the server. | |
554 | This applies to the following message types and contents: | |
555 | ||
556 | =over 4 | |
557 | ||
558 | =item * error messages | |
559 | ||
560 | =item * negative certificate responses (IP/CP/KUP) | |
561 | ||
562 | =item * negative revocation responses (RP) | |
563 | ||
564 | =item * negative PKIConf messages | |
565 | ||
566 | =back | |
567 | ||
568 | B<WARNING:> This setting leads to unspecified behavior and it is meant | |
569 | exclusively to allow interoperability with server implementations violating | |
570 | RFC 4210, e.g.: | |
571 | ||
572 | =over 4 | |
573 | ||
574 | =item * section 5.1.3.1 allows exceptions from protecting only for special | |
575 | cases: | |
576 | "There MAY be cases in which the PKIProtection BIT STRING is deliberately not | |
577 | used to protect a message [...] because other protection, external to PKIX, will | |
578 | be applied instead." | |
579 | ||
580 | =item * section 5.3.21 is clear on ErrMsgContent: "The CA MUST always sign it | |
581 | with a signature key." | |
582 | ||
583 | =item * appendix D.4 shows PKIConf message having protection | |
584 | ||
585 | =back | |
586 | ||
587 | =item B<-extracertsout> I<filename> | |
588 | ||
589 | The file where to save any extra certificates received in the extraCerts field | |
590 | of response messages. | |
591 | ||
592 | =item B<-cacertsout> I<filename> | |
593 | ||
594 | The file where to save any CA certificates received in the caPubs field of | |
595 | Initialization Response (IP) messages. | |
596 | ||
597 | =back | |
598 | ||
599 | ||
600 | =head2 Client authentication options | |
601 | ||
602 | =over 4 | |
603 | ||
604 | =item B<-ref> I<value> | |
605 | ||
606 | Reference number/string/value to use as fallback senderKID; this is required | |
607 | if no sender name can be determined from the B<-cert> or B<-subject> options and | |
608 | is typically used when authenticating with a pre-shared key (password-based MAC). | |
609 | ||
610 | =item B<-secret> I<arg> | |
611 | ||
612 | Source of secret value to use for creating PBM-based protection of outgoing | |
613 | messages and for verifying any PBM-based protection of incoming messages. | |
614 | PBM stands for Password-Based Message Authentication Code. | |
615 | This takes precedence over the B<-cert> option. | |
616 | ||
617 | For more information about the format of B<arg> see the | |
618 | B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. | |
619 | ||
620 | =item B<-cert> I<filename> | |
621 | ||
622 | The client's current certificate. | |
623 | Requires the corresponding key to be given with B<-key>. | |
624 | The subject of this certificate will be used as the "sender" field | |
625 | of outgoing CMP messages, while B<-subject> may provide a fallback value. | |
626 | When using signature-based message protection, this "protection certificate" | |
627 | will be included first in the extraCerts field of outgoing messages. | |
628 | In Initialization Request (IR) messages this can be used for authenticating | |
629 | using an external entity certificate as defined in appendix E.7 of RFC 4210. | |
630 | For Key Update Request (KUR) messages this is also used as | |
631 | the certificate to be updated if the B<-oldcert> option is not given. | |
632 | If the file includes further certs, they are appended to the untrusted certs. | |
633 | These may get added to the extraCerts field sent in requests as far as needed. | |
634 | ||
635 | =item B<-key> I<filename> | |
636 | ||
637 | The corresponding private key file for the client's current certificate given in | |
638 | the B<-cert> option. | |
639 | This will be used for signature-based message protection unless | |
640 | the B<-secret> option indicating PBM or B<-unprotected_requests> is given. | |
641 | ||
642 | =item B<-keypass> I<arg> | |
643 | ||
644 | Pass phrase source for the private key given with the B<-key> option. | |
645 | Also used for B<-cert> and B<-oldcert> in case it is an encrypted PKCS#12 file. | |
646 | If not given here, the password will be prompted for if needed. | |
647 | ||
648 | For more information about the format of B<arg> see the | |
649 | B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. | |
650 | ||
651 | =item B<-digest> I<name> | |
652 | ||
653 | Specifies the name of a supported digest to use in RFC 4210's MSG_SIG_ALG | |
654 | and as the one-way function (OWF) in MSG_MAC_ALG. | |
655 | If applicable, this is used for message protection and | |
656 | Proof-of-Possession (POPO) signatures. | |
657 | To see the list of supported digests, use B<openssl list -digest-commands>. | |
658 | Defaults to C<sha256>. | |
659 | ||
660 | =item B<-mac> I<name> | |
661 | ||
662 | Specifies the name of the MAC algorithm in MSG_MAC_ALG. | |
663 | To get the names of supported MAC algorithms use B<openssl list -mac-algorithms> | |
664 | and possibly combine such a name with the name of a supported digest algorithm, | |
665 | e.g., hmacWithSHA256. | |
666 | Defaults to C<hmac-sha1> as per RFC 4210. | |
667 | ||
668 | =item B<-extracerts> I<sources> | |
669 | ||
670 | Certificates to append in the extraCerts field when sending messages. | |
671 | ||
672 | Multiple filenames or URLs may be given, separated by commas and/or whitespace | |
673 | (where in the latter case the whole argument must be enclosed in "..."). | |
674 | Each source may contain multiple certificates. | |
675 | ||
676 | =item B<-unprotected_requests> | |
677 | ||
678 | Send messages without CMP-level protection. | |
679 | ||
680 | =back | |
681 | ||
682 | ||
683 | =head2 Credentials format options | |
684 | ||
685 | =over 4 | |
686 | ||
687 | =item B<-certform> I<PEM|DER> | |
688 | ||
689 | File format to use when saving a certificate to a file. | |
690 | Default value is PEM. | |
691 | ||
692 | =item B<-keyform> I<PEM|DER|P12> | |
693 | ||
694 | Format to assume when reading key files. | |
695 | Default value is PEM. | |
696 | ||
697 | =item B<-certsform> I<PEM|DER|P12> | |
698 | ||
699 | Format to try first when reading multiple certificates from file(s). | |
700 | Default value is PEM. | |
701 | ||
702 | =item B<-otherpass> I<arg> | |
703 | ||
704 | Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>, | |
705 | B<-out_trusted>, B<-extracerts>, B<-tls_extra>, or B<-tls_trusted> options. | |
706 | If not given here, the password will be prompted for if needed. | |
707 | ||
708 | For more information about the format of B<arg> see the | |
709 | B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. | |
710 | ||
711 | =item B<-engine> I<id> | |
712 | ||
713 | Specifying a crypto engine B<id> will lead to obtaining a functional | |
714 | reference to the specified engine, initializing it if needed. | |
715 | The engine will be used for all algorithms supported for keys | |
716 | prefixed by C<engine:>. | |
717 | Engines may be defined in the OpenSSL config file as usual in an engine section. | |
718 | ||
719 | Options specifying keys, like B<-key>, B<-newkey>, B<-tls_key> can prefix | |
720 | C<engine:> to engine-specific identifiers for security tokens objects held by | |
721 | the engine. | |
722 | The following example utilizes the RFC 7512 PKCS #11 URI scheme | |
723 | as supported, e.g., by libp11: | |
724 | C<-key engine:pkcs11:object=my-private-key;type=private;pin-value=1234> | |
725 | ||
726 | {- $OpenSSL::safe::opt_provider_item -} | |
727 | ||
728 | =back | |
729 | ||
730 | ||
731 | =head2 TLS options | |
732 | ||
733 | =over 4 | |
734 | ||
735 | =item B<-tls_used> | |
736 | ||
737 | Enable using TLS (even when other TLS-related options are not set) | |
738 | when connecting to the CMP server. | |
739 | ||
740 | =item B<-tls_cert> I<filename> | |
741 | ||
742 | Client's TLS certificate. | |
743 | If the file includes further certificates, | |
744 | they are used for constructing the client cert chain provided to the TLS server. | |
745 | ||
746 | =item B<-tls_key> I<filename> | |
747 | ||
748 | Private key for the client's TLS certificate. | |
749 | ||
750 | =item B<-tls_keypass> I<arg> | |
751 | ||
752 | Pass phrase source for the client's private TLS key given with B<-tls_key>. | |
753 | Also used for B<-tls_cert> in case it is an encrypted PKCS#12 file. | |
754 | If not given here, the password will be prompted for if needed. | |
755 | ||
756 | For more information about the format of B<arg> see the | |
757 | B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. | |
758 | ||
759 | =item B<-tls_extra> I<filenames> | |
760 | ||
761 | Extra certificates to provide to the TLS server during the TLS handshake. | |
762 | ||
763 | =item B<-tls_trusted> I<filenames> | |
764 | ||
765 | Trusted certificate(s) to use for verifying the TLS server certificate. | |
766 | This implies hostname validation. | |
767 | ||
768 | Multiple filenames may be given, separated by commas and/or whitespace | |
769 | (where in the latter case the whole argument must be enclosed in "..."). | |
770 | Each source may contain multiple certificates. | |
771 | ||
772 | =item B<-tls_host> I<name> | |
773 | ||
774 | Address to be checked during hostname validation. | |
775 | This may be a DNS name or an IP address. | |
776 | If not given it defaults to the B<-server> address. | |
777 | ||
778 | =back | |
779 | ||
780 | ||
781 | =head2 Client-side debugging options | |
782 | ||
783 | =over 4 | |
784 | ||
785 | =item B<-batch> | |
786 | ||
787 | Do not interactively prompt for input, for instance when a password is needed. | |
788 | This can be useful for batch processing and testing. | |
789 | ||
790 | =item B<-repeat> I<number> | |
791 | ||
792 | Invoke the command the given number of times with the same parameters. | |
793 | Default is one invocation. | |
794 | ||
795 | =item B<-reqin> I<filenames> | |
796 | ||
797 | Take sequence of CMP requests from file(s). | |
798 | Multiple filenames may be given, separated by commas and/or whitespace | |
799 | (where in the latter case the whole argument must be enclosed in "..."). | |
800 | As many files are read as needed for a complete transaction. | |
801 | ||
802 | =item B<-reqin_new_tid> |
803 | ||
804 | Use a fresh transactionID for CMP request messages read using B<-reqin>, | |
805 | which requires re-protecting them as far as they were protected before. | |
806 | This may be needed in case the sequence of requests is reused | |
807 | and the CMP server complains that the transaction ID has already been used. | |
808 | ||
809 | =item B<-reqout> I<filenames> |
810 | ||
811 | Save sequence of CMP requests to file(s). | |
812 | Multiple filenames may be given, separated by commas and/or whitespace. | |
813 | As many files are written as needed to store the complete transaction. | |
814 | ||
815 | =item B<-rspin> I<filenames> | |
816 | ||
817 | Process sequence of CMP responses provided in file(s), skipping the server. | |
818 | Multiple filenames may be given, separated by commas and/or whitespace. | |
819 | As many files are read as needed for the complete transaction. | |
820 | ||
821 | =item B<-rspout> I<filenames> | |
822 | ||
823 | Save sequence of CMP responses to file(s). | |
824 | Multiple filenames may be given, separated by commas and/or whitespace. | |
825 | As many files are written as needed to store the complete transaction. | |
826 | ||
827 | =item B<-use_mock_srv> | |
828 | ||
829 | Use the internal mock server for testing the client. | |
830 | This works at API level, bypassing HTTP transport. | |
831 | ||
832 | =back | |
833 | ||
834 | ||
835 | =head2 Certificate verification options, for both CMP and TLS | |
836 | ||
837 | =over 4 | |
838 | ||
839 | =item B<-policy>, B<-purpose>, B<-verify_name>, B<-verify_depth>, | |
840 | B<-attime>, | |
841 | B<-ignore_critical>, B<-issuer_checks>, | |
842 | B<-policy_check>, | |
843 | B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>, | |
844 | B<-x509_strict>, B<-extended_crl>, B<-use_deltas>, | |
845 | B<-policy_print>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, | |
846 | B<-trusted_first>, | |
847 | B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>, | |
848 | B<-partial_chain>, B<-no_alt_chains>, B<-no_check_time>, | |
849 | B<-auth_level>, | |
850 | B<-allow_proxy_certs> | |
851 | ||
852 | Set various options of certificate chain verification. | |
853 | See L<openssl(1)/Verification Options> for details. | |
854 | ||
855 | =back | |
856 | ||
857 | ||
858 | =head2 Mock server options, for testing purposes only | |
859 | ||
860 | =over 4 | |
861 | ||
862 | =item B<-port> I<number> | |
863 | ||
864 | Act as CMP HTTP server mock-up listening on the given port. | |
865 | ||
866 | =item B<-max_msgs> I<number> | |
867 | ||
868 | Maximum number of CMP (request) messages the CMP HTTP server mock-up | |
869 | should handle, which must be non-negative. | |
870 | The default value is 0, which means that no limit is imposed. | |
871 | In any case the server terminates on internal errors, but not when it | |
872 | detects a CMP-level error that it can successfully answer with an error message. | |
873 | ||
874 | =item B<-srv_ref> I<value> | |
875 | ||
876 | Reference value to use as senderKID of server in case no B<-srv_cert> is given. | |
877 | ||
878 | =item B<-srv_secret> I<arg> | |
879 | ||
880 | Password source for server authentication with a pre-shared key (secret). | |
881 | ||
882 | =item B<-srv_cert> I<filename> | |
883 | ||
884 | Certificate of the server. | |
885 | ||
886 | =item B<-srv_key> I<filename> | |
887 | ||
888 | Private key used by the server for signing messages. | |
889 | ||
890 | =item B<-srv_keypass> I<arg> | |
891 | ||
892 | Server private key (and cert) file pass phrase source. | |
893 | ||
894 | =item B<-srv_trusted> I<filenames> | |
895 | ||
896 | Trusted certificates for client authentication. | |
897 | ||
898 | =item B<-srv_untrusted> I<filenames> | |
899 | ||
6b326fc3 | 900 | Intermediate CA certs that may be useful when verifying client certificates. |
901 | |
902 | =item B<-rsp_cert> I<filename> | |
903 | ||
904 | Certificate to be returned as mock enrollment result. | |
905 | ||
906 | =item B<-rsp_extracerts> I<filenames> | |
907 | ||
908 | Extra certificates to be included in mock certification responses. | |
909 | ||
910 | =item B<-rsp_capubs> I<filenames> | |
911 | ||
912 | CA certificates to be included in mock Initialization Response (IP) message. | |
913 | ||
914 | =item B<-poll_count> I<number> | |
915 | ||
916 | Number of times the client must poll before receiving a certificate. | |
917 | ||
918 | =item B<-check_after> I<number> | |
919 | ||
920 | The checkAfter value (number of seconds to wait) to include in poll response. | |
921 | ||
922 | ||
923 | =item B<-grant_implicitconf> | |
924 | ||
925 | Grant implicit confirmation of newly enrolled certificate. | |
926 | ||
927 | =item B<-pkistatus> I<number> | |
928 | ||
929 | PKIStatus to be included in server response. | |
930 | Valid range is 0 (accepted) .. 6 (keyUpdateWarning). | |
931 | ||
932 | =item B<-failure> I<number> | |
933 | ||
934 | A single failure info bit number to be included in server response. | |
935 | Valid range is 0 (badAlg) .. 26 (duplicateCertReq). | |
936 | ||
937 | =item B<-failurebits> I<number> | |
||
938 | Number representing failure bits to be included in server response. | |
939 | Valid range is 0 .. 2^27 - 1. | |
940 | ||
941 | =item B<-statusstring> I<arg> | |
942 | ||
943 | Text to be included as status string in server response. | |
944 | ||
945 | =item B<-send_error> | |
946 | ||
947 | Force server to reply with error message. | |
948 | ||
949 | =item B<-send_unprotected> | |
950 | ||
951 | Send response messages without CMP-level protection. | |
952 | ||
953 | =item B<-send_unprot_err> | |
954 | ||
955 | In case of negative responses, server shall send unprotected error messages, | |
956 | certificate responses (IP/CP/KUP), and revocation responses (RP). | |
957 | WARNING: This setting leads to behavior violating RFC 4210. | |
958 | ||
959 | =item B<-accept_unprotected> | |
960 | ||
961 | Accept missing or invalid protection of requests. | |
962 | ||
963 | =item B<-accept_unprot_err> | |
964 | ||
965 | Accept unprotected error messages from client. | |
966 | ||
967 | =item B<-accept_raverified> | |
968 | ||
969 | Accept RAVERIFIED as proof-of-possession (POPO). | |
970 | ||
971 | =back | |
972 | ||
973 | ||
974 | =head1 NOTES | |
975 | ||
976 | When setting up CMP configurations and experimenting with enrollment options | |
977 | typically various errors occur until the configuration is correct and complete. | |
978 | When the CMP server reports an error the client will by default | |
979 | check the protection of the CMP response message. | |
980 | Yet some CMP services tend not to protect negative responses. | |
981 | In this case the client will reject them, and thus their contents are not shown | |
982 | although they usually contain hints that would be helpful for diagnostics. | |
983 | To assist in such cases the CMP client offers a workaround via the | |
984 | B<-unprotected_errors> option, which accepts such unprotected negative messages. | |
985 | ||
986 | ||
987 | =head1 EXAMPLES | |
988 | ||
989 | =head2 Simple examples using the default OpenSSL configuration file | |
990 | ||
991 | This CMP client implementation comes with demonstrative CMP sections | |
992 | in the example configuration file F<openssl/apps/openssl.cnf>, | |
993 | which can be used to interact conveniently with the Insta Demo CA. | |
994 | ||
995 | In order to enroll an initial certificate from that CA it is sufficient | |
996 | to issue the following shell commands. | |
997 | ||
998 | cd /path/to/openssl | |
999 | export OPENSSL_CONF=openssl.cnf | |
1000 | wget 'http://pki.certificate.fi:8080/install-ca-cert.html/ca-certificate.crt\ | |
1001 | ?ca-id=632&download-certificate=1' -O insta.ca.crt | |
1002 | openssl genrsa -out insta.priv.pem | |
1003 | openssl cmp -section insta | |
1004 | ||
1005 | This should produce the file F<insta.cert.pem> containing a new certificate | |
1006 | for the private key held in F<insta.priv.pem>. | |
1007 | It can be viewed using, e.g., | |
1008 | ||
1009 | openssl x509 -noout -text -in insta.cert.pem | |
1010 | ||
1011 | In case the network setup requires using an HTTP proxy it may be given as usual | |
1012 | via the environment variable B<http_proxy> or via the B<proxy> option or | |
1013 | the CMP command-line argument B<-proxy>, for example | |
1014 | ||
1015 | -proxy http://192.168.1.1:8080 | |
1016 | ||
1017 | In the Insta Demo CA scenario both clients and the server may use the pre-shared | |
1018 | secret "insta" and the reference value "3078" to authenticate to each other. | |
1019 | ||
1020 | Alternatively, CMP messages may be protected in signature-based manner, | |
1021 | where the trust anchor in this case is F<insta.ca.crt> | |
1022 | and the client may use any certificate already obtained from that CA, | |
1023 | as specified in the B<[signature]> section of the example configuration. | |
1024 | This can be used in combination with the B<[insta]> section simply by | |
1025 | ||
1026 | openssl cmp -section insta,signature | |
1027 | ||
1028 | By default the CMP IR message type is used, yet CR works equally here. | |
1029 | This may be specified directly at the command line: | |
1030 | ||
1031 | openssl cmp -section insta -cmd cr | |
1032 | ||
1033 | or by referencing in addition the B<[cr]> section of the example configuration: | |
1034 | ||
1035 | openssl cmp -section insta,cr | |
1036 | ||
1037 | In order to update the enrolled certificate one may call | |
1038 | ||
1039 | openssl cmp -section insta,kur | |
1040 | ||
1041 | using PBM-based protection or | |
1042 | ||
1043 | openssl cmp -section insta,kur,signature | |
1044 | ||
1045 | using signature-based protection. | |
1046 | ||
1047 | In a similar way any previously enrolled certificate may be revoked by | |
1048 | ||
1049 | openssl cmp -section insta,rr -trusted insta.ca.crt | |
1050 | ||
1051 | or | |
1052 | ||
1053 | openssl cmp -section insta,rr,signature | |
1054 | ||
1055 | Many more options can be used in the configuration file | |
1056 | and/or on the command line. | |
1057 | ||
1058 | ||
1059 | =head2 Certificate enrollment | |
1060 | ||
1061 | The following examples at first do not make use of a configuration file. | |
1062 | They assume that a CMP server can be contacted on the local TCP port 80 | |
1063 | and accepts requests under the alias "/pkix/". | |
1064 | ||
1065 | For enrolling its very first certificate the client generates a first client key | |
1066 | and sends an initial request message to the local CMP server | |
1067 | using a pre-shared secret key for mutual authentication. | |
1068 | In this example the client does not have the CA certificate yet, | |
1069 | so we specify the name of the CA with the B<-recipient> option | |
1070 | and save any CA certificates that we may receive in the C<capubs.pem> file. | |
1071 | ||
1072 | In the command-line usage examples below, the C<\> at line ends is used only | |
1073 | for formatting; each of the command invocations should be on a single line. | |
1074 | ||
1075 | openssl genrsa -out cl_key.pem | |
1076 | openssl cmp -cmd ir -server 127.0.0.1:80 -path pkix/ \ | |
1077 | -ref 1234 -secret pass:1234-5678-1234-5678 \ | |
1078 | -recipient "/CN=CMPserver" \ | |
1079 | -newkey cl_key.pem -subject "/CN=MyName" \ | |
1080 | -cacertsout capubs.pem -certout cl_cert.pem | |
1081 | ||
1082 | ||
1083 | =head2 Certificate update | |
1084 | ||
1085 | Then, when the client certificate and its related key pair need to be updated, | |
1086 | the client can send a key update request taking the certs in C<capubs.pem> | |
1087 | as trusted for authenticating the server and using the previous cert and key | |
1088 | for its own authentication. | |
1089 | Then it can start using the new cert and key. | |
1090 | ||
1091 | openssl genrsa -out cl_key_new.pem | |
1092 | openssl cmp -cmd kur -server 127.0.0.1:80 -path pkix/ \ | |
1093 | -trusted capubs.pem \ | |
1094 | -cert cl_cert.pem -key cl_key.pem \ | |
1095 | -newkey cl_key_new.pem -certout cl_cert.pem | |
1096 | cp cl_key_new.pem cl_key.pem | |
1097 | ||
1098 | This command sequence can be repeated as often as needed. | |
1099 | ||
1100 | ||
1101 | =head2 Requesting information from CMP server | |
1102 | ||
1103 | The following requests "all relevant information" with an empty General Message. | |
1104 | This prints information about all received ITAV B<infoType>s to stdout. | |
1105 | ||
1106 | openssl cmp -cmd genm -server 127.0.0.1 -path pkix/ \ | |
1107 | -ref 1234 -secret pass:1234-5678-1234-5678 \ | |
1108 | -recipient "/CN=CMPserver" | |
1109 | ||
1110 | ||
1111 | =head2 Using a custom configuration file | |
1112 | ||
1113 | For CMP client invocations, in particular for certificate enrollment, | |
1114 | usually many parameters need to be set, which is tedious and error-prone to do | |
1115 | on the command line. | |
1116 | Therefore the client offers the possibility to read | |
1117 | options from sections of the OpenSSL config file, usually called B<openssl.cnf>. | |
1118 | The values found there can still be extended and even overridden by any | |
1119 | subsequently loaded sections and on the command line. | |
1120 | ||
1121 | After including in the configuration file the following sections: | |
1122 | ||
1123 | [cmp] | |
1124 | server = 127.0.0.1 | |
1125 | path = pkix/ | |
1126 | trusted = capubs.pem | |
1127 | cert = cl_cert.pem | |
1128 | key = cl_key.pem | |
1129 | newkey = cl_key.pem | |
1130 | certout = cl_cert.pem | |
1131 | ||
1132 | [cmp-init] | |
1133 | recipient = "/CN=CMPserver" | |
1134 | trusted = | |
1135 | cert = | |
1136 | key = | |
1137 | ref = 1234 | |
1138 | secret = pass:1234-5678-1234-5678 | |
1139 | subject = "/CN=MyName" | |
1140 | cacertsout = capubs.pem | |
1141 | ||
1142 | the above enrollment invocations reduce to | |
1143 | ||
1144 | openssl cmp -section cmp,cmp-init | |
1145 | openssl cmp -cmd kur -newkey cl_key_new.pem | |
1146 | ||
1147 | and the above genm call reduces to | |
1148 | ||
1149 | openssl cmp -section cmp,cmp-init -cmd genm | |
1150 | ||
1151 | =head1 SEE ALSO | |
1152 | ||
1153 | L<openssl-genrsa(1)>, L<openssl-ecparam(1)>, L<openssl-list(1)>, | |
1154 | L<openssl-req(1)>, L<openssl-x509(1)>, L<x509v3_config(5)> | |
1155 | ||
1156 | =head1 COPYRIGHT | |
1157 | ||
1158 | Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. | |
1159 | ||
1160 | Licensed under the OpenSSL license (the "License"). You may not use | |
1161 | this file except in compliance with the License. You can obtain a copy | |
1162 | in the file LICENSE in the source distribution or at | |
1163 | L<https://www.openssl.org/source/license.html>. | |
1164 | ||
1165 | =cut |