[B<-sm2-id> I<string>]
[B<-sm2-hex-id> I<hex-string>]
-=for comment ifdef engine keygen_engine sm2-id sm2-hex-id
+=for openssl ifdef engine keygen_engine sm2-id sm2-hex-id
=head1 DESCRIPTION
-The B<req> command primarily creates and processes certificate requests
+This command primarily creates and processes certificate requests
in PKCS#10 format. It can additionally create self signed certificates
for use as root CAs for example.
Print out a usage message.
-=item B<-inform> B<DER>|B<PEM>
+=item B<-inform> B<DER>|B<PEM>, B<-outform> B<DER>|B<PEM>
-This specifies the input format. The B<DER> option uses an ASN1 DER encoded
-form compatible with the PKCS#10. The B<PEM> form is the default format: it
-consists of the B<DER> format base64 encoded with additional header and
-footer lines.
+The input and formats; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
-=item B<-outform> B<DER>|B<PEM>
-
-This specifies the output format, the options have the same meaning and default
-as the B<-inform> option.
+The data is a PKCS#10 object.
=item B<-in> I<filename>
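Review bot: The added line "The input and formats; the default is B<PEM>." under the combined B<-inform>/B<-outform> item is missing a word and should read "The input and output formats; the default is B<PEM>." The other replacement sentence, "The data is a PKCS#10 object.", drops the removed explanation that PEM is the base64-encoded DER form with header and footer lines, so confirm that L<openssl(1)/Format Options> actually carries that description before removing it here.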
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
-=item B<-passin> I<arg>
+=item B<-passin> I<arg>, B<-passout> I<arg>
-The input file password source. For more information about the format of B<arg>
-see L<openssl(1)/Pass phrase options>.
+The password source for the input and output file.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
=item B<-out> I<filename>
This specifies the output filename to write to or standard output by
default.
-=item B<-passout> I<arg>
-
-The output file password source. For more information about the format of I<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
-
=item B<-text>
Prints out the certificate request in text form.
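Review bot: In the merged B<-passin>/B<-passout> item, "The password source for the input and output file." no longer says which option applies to which file, a distinction the two removed descriptions made explicit. Suggest something like "B<-passin> gives the password source for the input file, B<-passout> for the output file." The added text also writes B<arg> while the item line and the removed B<-passout> text use I<arg>; I<arg> would be consistent.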
If the B<-key> option is not used it will generate a new RSA private
key using information specified in the configuration file.
-=item B<-rand> I<files>
-
-The files containing random data used to seed the random number generator.
-Multiple files can be specified separated by an OS-dependent character.
-The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others.
-
-=item B<-writerand> I<file>
+=item B<-rand> I<files>, B<-writerand> I<file>
-Writes random data to the specified I<file> upon exit.
-This can be used with a subsequent B<-rand> flag.
+See L<openssl(1)/Random State Options> for more information.
=item B<-newkey> I<arg>
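Review bot: The combined B<-rand>/B<-writerand> item now consists only of "See L<openssl(1)/Random State Options> for more information.", so this page no longer states what either option does. The other merged items in this patch keep a one-line summary before the link (for example "The format of the private key; the default is B<PEM>."). A similar summary here, saying that B<-rand> names files used to seed the random number generator and B<-writerand> writes random data to a file on exit, would keep the item readable on its own.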
the default key size, specified in the configuration file is used.
All other algorithms support the B<-newkey> I<alg>:I<file> form, where file
-may be an algorithm parameter file, created with B<genpkey -genparam>
+may be an algorithm parameter file, created with C<openssl genpkey -genparam>
or an X.509 certificate for a key with appropriate algorithm.
B<param:>I<file> generates a key using the parameter file or certificate
Set the public key algorithm option I<opt> to I<value>. The precise set of
options supported depends on the public key algorithm used and its
-implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
-for more details.
+implementation.
+See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>
=item B<-keyform> B<DER>|B<PEM>
-The format of the private key file specified in the B<-key>
-argument. PEM is the default.
+The format of the private key; the default is B<PEM>.
+See L<openssl(1)/Format Options> for details.
=item B<-keyout> I<filename>
Sets subject name for new request or supersedes the subject name
when processing a request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
-I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
-If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>.
=item B<-x509>
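Review bot: The changed line "If -multi-rdn is not used then the UID value is C<123456+CN=John Doe>." fixes the markup of the value but leaves the option name unformatted, as does "-subj" in the context line above it. Since this hunk is already normalising markup, consider B<-multi-rdn> and B<-subj> so option names are marked up the same way as in the rest of the page.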
=item B<-set_serial> I<n>
Serial number to use when outputting a self signed certificate. This
-may be specified as a decimal value or a hex value if preceded by B<0x>.
+may be specified as a decimal value or a hex value if preceded by C<0x>.
=item B<-addext> I<ext>
Option which determines how the subject or issuer names are displayed. The
I<option> argument can be a single option or multiple options separated by
commas. Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)> manual page for details.
+set multiple options. See the L<openssl-x509(1)> manual page for details.
=item B<-reqopt> I<option>
Customise the output format used with B<-text>. The I<option> argument can be
a single option or multiple options separated by commas.
-See discussion of the B<-certopt> parameter in the L<x509(1)>
+See discussion of the B<-certopt> parameter in the L<openssl-x509(1)>
command.
=item B<-newhdr>
=item B<-engine> I<id>
-Specifying an engine (by its unique I<id> string) will cause B<req>
+Specifying an engine (by its unique I<id> string) will cause this command
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
OU=My Organization
emailAddress=someone@somewhere.org
-This allows external programs (e.g. GUI based) to generate a template file
-with all the field names and values and just pass it to B<req>. An example
+This allows external programs (e.g. GUI based) to generate a template file with
+all the field names and values and just pass it to this command. An example
of this kind of configuration file is contained in the B<EXAMPLES> section.
Alternatively if the B<prompt> option is absent or not set to B<no> then the
=head1 NOTES
-The header and footer lines in the B<PEM> format are normally:
-
- -----BEGIN CERTIFICATE REQUEST-----
- -----END CERTIFICATE REQUEST-----
-
-some software (some versions of Netscape certificate server) instead needs:
-
- -----BEGIN NEW CERTIFICATE REQUEST-----
- -----END NEW CERTIFICATE REQUEST-----
-
-which is produced with the B<-newhdr> option but is otherwise compatible.
-Either form is accepted transparently on input.
-
The certificate requests generated by B<Xenroll> with MSIE have extensions
added. It includes the B<keyUsage> extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
-by the script in an extendedKeyUsage extension.
+by the script in an B<extendedKeyUsage> extension.
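Review bot: The paragraph removed from NOTES is the only place in the visible lines that explains what B<-newhdr> changes (the "NEW CERTIFICATE REQUEST" header and footer lines) and that either form is accepted transparently on input. The B<-newhdr> item itself remains, so check that its description, or the linked format documentation, states both points; otherwise keep a shortened version of this paragraph.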
=head1 DIAGNOSTICS
Using configuration from /some/path/openssl.cnf
Unable to load config info
-This is followed some time later by...
+This is followed some time later by:
unable to find 'distinguished_name' in config
problems making Certificate Request