OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
- OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
+ OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY,
OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ,
OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
{"inform", OPT_INFORM, 'f',
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
+ {"key", OPT_KEY, 's',
+ "Key to be used in certificate or cert request"},
{"signkey", OPT_SIGNKEY, 's',
- "Key used to self-sign certificate or cert request"},
+ "Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
"Key input format (ENGINE, other values ignored)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
OPT_SECTION("Micro-CA"),
{"CA", OPT_CA, '<',
- "Use the given CA certificate, conflicts with -signkey"},
+ "Use the given CA certificate, conflicts with -key"},
{"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
{"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
{"CAkeyform", OPT_CAKEYFORM, 'E',
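Review bot: The new help string for -key, `"Key to be used in certificate or cert request"`, drops the one security-relevant fact the old -signkey text carried: that this private key both becomes the certificate's subject public key (unless -force_pubkey overrides it) and signs the result, i.e. it produces a self-signed object, while -CA is the path for a separately signed one. Suggest keeping that meaning in the help line, e.g. `"Key to self-sign certificate or cert request with; conflicts with -CA"`, so `openssl x509 -help` still distinguishes the two modes without the user having to read the man page. The "Same as -key" text for -signkey is fine as an alias note. This hunk is part of the options table whose start and end lie outside the hunk.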
CONF *extconf = NULL;
int ext_copy = EXT_COPY_UNSET;
X509V3_CTX ext_ctx;
- EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL;
+ EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL;
EVP_PKEY *pkey;
int newcert = 0;
char *subj = NULL, *digestname = NULL;
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *ext_names = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
- char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL;
+ char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL;
char *prog;
int days = UNSET_DAYS; /* not explicitly set */
int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0;
case OPT_EXTENSIONS:
extsect = opt_arg();
break;
+ case OPT_KEY:
case OPT_SIGNKEY:
- signkeyfile = opt_arg();
+ privkeyfile = opt_arg();
break;
case OPT_CA:
CAfile = opt_arg();
"The -req option cannot be used with -new\n");
goto end;
}
- if (signkeyfile != NULL) {
- signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key");
- if (signkey == NULL)
+ if (privkeyfile != NULL) {
+ privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key");
+ if (privkey == NULL)
goto end;
}
if (pubkeyfile != NULL) {
"The -new option requires a subject to be set using -subj\n");
goto end;
}
- if (signkeyfile == NULL && pubkeyfile == NULL) {
+ if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
- "The -new option without -signkey requires using -force_pubkey\n");
+ "The -new option without -key requires using -force_pubkey\n");
goto end;
}
}
if (CAkeyfile == NULL)
CAkeyfile = CAfile;
if (CAfile != NULL) {
- if (signkeyfile != NULL) {
- BIO_printf(bio_err, "Cannot use both -signkey and -CA option\n");
+ if (privkeyfile != NULL) {
+ BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
BIO_printf(bio_err,
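Review bot: The rewritten diagnostic `"Cannot use both -key and -CA option\n"` names only the new spelling, but privkeyfile is also set by the retained -signkey alias, so a user who typed -signkey -CA is told about an option they never passed. A small wording change keeps the message accurate for both spellings, e.g. `"Cannot use both -key (or -signkey) and -CA option\n"`; the same applies to the "-new option without -key" message in the neighbouring hunk. Since -key and -signkey write the same variable, giving both on one command line silently takes the last one; that matches how other repeated options behave in this app, so it is worth a one-line comment at the fallthrough case rather than a check. The enclosing function continues outside this hunk.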
"Warning: ignoring -preserve_dates option with -req or -new\n");
preserve_dates = 0;
- if (signkeyfile == NULL && CAkeyfile == NULL) {
+ if (privkeyfile == NULL && CAkeyfile == NULL) {
BIO_printf(bio_err,
- "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n");
+ "We need a private key to sign with, use -key or -CAkey or -CA with private key\n");
goto end;
}
if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
&& !X509_set_subject_name(x, fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req)))
goto end;
- if ((pubkey != NULL || signkey != NULL || req != NULL)
+ if ((pubkey != NULL || privkey != NULL || req != NULL)
&& !X509_set_pubkey(x, pubkey != NULL ? pubkey :
- signkey != NULL ? signkey :
+ privkey != NULL ? privkey :
X509_REQ_get0_pubkey(req)))
goto end;
if (sno != NULL && !X509_set_serialNumber(x, sno))
goto end;
- if (reqfile || newcert || signkey != NULL || CAfile != NULL) {
+ if (reqfile || newcert || privkey != NULL || CAfile != NULL) {
if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
goto end;
if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert)))
}
if (x509toreq) { /* also works in conjunction with -req */
- if (signkey == NULL) {
- BIO_printf(bio_err, "Must specify request key using -signkey\n");
+ if (privkey == NULL) {
+ BIO_printf(bio_err, "Must specify request key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");
goto end;
}
- if ((rq = x509_to_req(x, signkey, digest, sigopts,
+ if ((rq = x509_to_req(x, privkey, digest, sigopts,
ext_copy, ext_names)) == NULL)
goto end;
if (!noout) {
}
}
noout = 1;
- } else if (signkey != NULL) {
- if (!do_X509_sign(x, signkey, digest, sigopts, &ext_ctx))
+ } else if (privkey != NULL) {
+ if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx))
goto end;
} else if (CAfile != NULL) {
if (!reqfile && !newcert) { /* certificate should be self-signed */
X509_REQ_free(req);
X509_free(x);
X509_free(xca);
- EVP_PKEY_free(signkey);
+ EVP_PKEY_free(privkey);
EVP_PKEY_free(CAkey);
EVP_PKEY_free(pubkey);
sk_OPENSSL_STRING_free(sigopts);
[B<-copy_extensions> I<arg>]
[B<-inform> B<DER>|B<PEM>]
[B<-vfyopt> I<nm>:I<v>]
-[B<-signkey> I<filename>|I<uri>]
+[B<-key> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
+[B<-signkey> I<filename>|I<uri>]
[B<-out> I<filename>]
[B<-outform> B<DER>|B<PEM>]
[B<-nocert>]
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
-and defaults to the key given with the B<-signkey> option,
+and defaults to the key given with the B<-key> option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
-The B<-signkey> option must be used to provide the private key for self-signing;
+The B<-key> option must be used to provide the private key for self-signing;
the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.
-=item B<-signkey> I<filename>|I<uri>
+=item B<-key> I<filename>|I<uri>
This option causes the new certificate or certificate request
to be self-signed using the supplied private key.
it sets the validity start date to the current time
and the end date to a value determined by the B<-days> option.
+=item B<-signkey> I<filename>|I<uri>
+
+This option is an alias of B<-key>.
+
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
The key input format; the default is B<PEM>.
=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
-the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> option
+the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
-instead of the key contained in the input or given with the B<-signkey> option.
+instead of the key contained in the input or given with the B<-key> option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
The digest to use.
This affects any signing or printing option that uses a message
-digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
+digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
-This option cannot be used in conjunction with the B<-signkey> option.
+This option cannot be used in conjunction with the B<-key> option.
This option is normally combined with the B<-req> option referencing a CSR.
Without the B<-req> option the input must be a self-signed certificate
unless the B<-new> option is given, which generates a certificate from scratch.
Convert a certificate to a certificate request:
- openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
+ openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem
Convert a certificate request into a self-signed certificate using
extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
- -signkey key.pem -out cacert.pem
+ -key key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user
certificate extensions:
version of the DN using SHA1. This means that any directories using the old
form must have their links rebuilt using L<openssl-rehash(1)> or similar.
+The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0,
+keeping the old name as an alias.
+
All B<-keyform> and B<-CAkeyform> values except B<ENGINE>
have become obsolete in OpenSSL 3.0.0 and have no effect.