8d9a4d83 DDO |
1 | =pod |
2 | {- OpenSSL::safe::output_do_not_edit_headers(); -} | |
3 | ||
4 | =head1 NAME | |
5 | ||
d99c8667 | 6 | openssl-cmp - Certificate Management Protocol (CMP, RFC 4210) application |
8d9a4d83 DDO |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
10 | B<openssl> B<cmp> | |
11 | [B<-help>] | |
12 | [B<-config> I<filename>] | |
13 | [B<-section> I<names>] | |
d99c8667 | 14 | [B<-verbosity> I<level>] |
8d9a4d83 | 15 | |
d99c8667 | 16 | Generic message options: |
8d9a4d83 | 17 | |
6bbff162 | 18 | [B<-cmd> I<ir|cr|kur|p10cr|rr|genm>] |
8d9a4d83 | 19 | [B<-infotype> I<name>] |
7c6577ba | 20 | [B<-profile> I<name>] |
0739dd00 | 21 | [B<-geninfo> I<values>] |
8d9a4d83 | 22 | |
d99c8667 DDO |
23 | Certificate enrollment options: |
24 | ||
f91d003a | 25 | [B<-newkey> I<filename>|I<uri>] |
8d9a4d83 DDO |
26 | [B<-newkeypass> I<arg>] |
27 | [B<-subject> I<name>] | |
8d9a4d83 DDO |
28 | [B<-days> I<number>] |
29 | [B<-reqexts> I<name>] | |
30 | [B<-sans> I<spec>] | |
31 | [B<-san_nodefault>] | |
32 | [B<-policies> I<name>] | |
33 | [B<-policy_oids> I<names>] | |
34 | [B<-policy_oids_critical>] | |
35 | [B<-popo> I<number>] | |
36 | [B<-csr> I<filename>] | |
3d46c81a | 37 | [B<-out_trusted> I<filenames>|I<uris>] |
8d9a4d83 DDO |
38 | [B<-implicit_confirm>] |
39 | [B<-disable_confirm>] | |
40 | [B<-certout> I<filename>] | |
39082af2 | 41 | [B<-chainout> I<filename>] |
8d9a4d83 | 42 | |
d99c8667 DDO |
43 | Certificate enrollment and revocation options: |
44 | ||
3d46c81a | 45 | [B<-oldcert> I<filename>|I<uri>] |
1d32ec20 RR |
46 | [B<-issuer> I<name>] |
47 | [B<-serial> I<number>] | |
8d9a4d83 DDO |
48 | [B<-revreason> I<number>] |
49 | ||
d99c8667 DDO |
50 | Message transfer options: |
51 | ||
7932982b | 52 | [B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] |
7932982b | 53 | [B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]>] |
d99c8667 | 54 | [B<-no_proxy> I<addresses>] |
6bbff162 | 55 | [B<-recipient> I<name>] |
83b424c3 | 56 | [B<-path> I<remote_path>] |
8f965908 | 57 | [B<-keep_alive> I<value>] |
d99c8667 DDO |
58 | [B<-msg_timeout> I<seconds>] |
59 | [B<-total_timeout> I<seconds>] | |
60 | ||
61 | Server authentication options: | |
62 | ||
3d46c81a | 63 | [B<-trusted> I<filenames>|I<uris>] |
6bbff162 | 64 | [B<-untrusted> I<filenames>|I<uris>] |
3d46c81a | 65 | [B<-srvcert> I<filename>|I<uri>] |
d99c8667 DDO |
66 | [B<-expect_sender> I<name>] |
67 | [B<-ignore_keyusage>] | |
68 | [B<-unprotected_errors>] | |
1caaf073 | 69 | [B<-no_cache_extracerts>] |
b6fbef11 | 70 | [B<-srvcertout> I<filename>] |
d99c8667 DDO |
71 | [B<-extracertsout> I<filename>] |
72 | [B<-cacertsout> I<filename>] | |
01b04851 DDO |
73 | [B<-oldwithold> I<filename>] |
74 | [B<-newwithnew> I<filename>] | |
75 | [B<-newwithold> I<filename>] | |
76 | [B<-oldwithnew> I<filename>] | |
d99c8667 | 77 | |
6bbff162 | 78 | Client authentication and protection options: |
d99c8667 DDO |
79 | |
80 | [B<-ref> I<value>] | |
81 | [B<-secret> I<arg>] | |
3d46c81a DDO |
82 | [B<-cert> I<filename>|I<uri>] |
83 | [B<-own_trusted> I<filenames>|I<uris>] | |
84 | [B<-key> I<filename>|I<uri>] | |
d99c8667 DDO |
85 | [B<-keypass> I<arg>] |
86 | [B<-digest> I<name>] | |
87 | [B<-mac> I<name>] | |
6bbff162 | 88 | [B<-extracerts> I<filenames>|I<uris>] |
d99c8667 DDO |
89 | [B<-unprotected_requests>] |
90 | ||
91 | Credentials format options: | |
92 | ||
8d9a4d83 DDO |
93 | [B<-certform> I<PEM|DER>] |
94 | [B<-keyform> I<PEM|DER|P12|ENGINE>] | |
8d9a4d83 | 95 | [B<-otherpass> I<arg>] |
d99c8667 DDO |
96 | {- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -} |
97 | ||
aed03a12 DDO |
98 | Random state options: |
99 | ||
100 | {- $OpenSSL::safe::opt_r_synopsis -} | |
101 | ||
d99c8667 | 102 | TLS connection options: |
8d9a4d83 DDO |
103 | |
104 | [B<-tls_used>] | |
3d46c81a | 105 | [B<-tls_cert> I<filename>|I<uri>] |
f91d003a | 106 | [B<-tls_key> I<filename>|I<uri>] |
8d9a4d83 | 107 | [B<-tls_keypass> I<arg>] |
3d46c81a DDO |
108 | [B<-tls_extra> I<filenames>|I<uris>] |
109 | [B<-tls_trusted> I<filenames>|I<uris>] | |
8d9a4d83 DDO |
110 | [B<-tls_host> I<name>] |
111 | ||
d99c8667 DDO |
112 | Client-side debugging options: |
113 | ||
8d9a4d83 DDO |
114 | [B<-batch>] |
115 | [B<-repeat> I<number>] | |
6bbff162 | 116 | [B<-reqin> I<filenames>] |
143be474 | 117 | [B<-reqin_new_tid>] |
6bbff162 | 118 | [B<-reqout> I<filenames>] |
2fbe23bb | 119 | [B<-reqout_only> I<filename>] |
6bbff162 DDO |
120 | [B<-rspin> I<filenames>] |
121 | [B<-rspout> I<filenames>] | |
8d9a4d83 DDO |
122 | [B<-use_mock_srv>] |
123 | ||
d99c8667 DDO |
124 | Mock server options: |
125 | ||
126 | [B<-port> I<number>] | |
127 | [B<-max_msgs> I<number>] | |
128 | [B<-srv_ref> I<value>] | |
129 | [B<-srv_secret> I<arg>] | |
3d46c81a DDO |
130 | [B<-srv_cert> I<filename>|I<uri>] |
131 | [B<-srv_key> I<filename>|I<uri>] | |
d99c8667 | 132 | [B<-srv_keypass> I<arg>] |
3d46c81a DDO |
133 | [B<-srv_trusted> I<filenames>|I<uris>] |
134 | [B<-srv_untrusted> I<filenames>|I<uris>] | |
b971d419 | 135 | [B<-ref_cert> I<filename>|I<uri>] |
3d46c81a DDO |
136 | [B<-rsp_cert> I<filename>|I<uri>] |
137 | [B<-rsp_extracerts> I<filenames>|I<uris>] | |
138 | [B<-rsp_capubs> I<filenames>|I<uris>] | |
01b04851 DDO |
139 | [B<-rsp_newwithnew> I<filename>|I<uri>] |
140 | [B<-rsp_newwithold> I<filename>|I<uri>] | |
141 | [B<-rsp_oldwithnew> I<filename>|I<uri>] | |
d99c8667 DDO |
142 | [B<-poll_count> I<number>] |
143 | [B<-check_after> I<number>] | |
144 | [B<-grant_implicitconf>] | |
145 | [B<-pkistatus> I<number>] | |
146 | [B<-failure> I<number>] | |
147 | [B<-failurebits> I<number>] | |
148 | [B<-statusstring> I<arg>] | |
149 | [B<-send_error>] | |
150 | [B<-send_unprotected>] | |
151 | [B<-send_unprot_err>] | |
152 | [B<-accept_unprotected>] | |
153 | [B<-accept_unprot_err>] | |
154 | [B<-accept_raverified>] | |
155 | ||
156 | Certificate verification options, for both CMP and TLS: | |
157 | ||
acb934ff | 158 | {- $OpenSSL::safe::opt_v_synopsis -} |
8d9a4d83 | 159 | |
8d9a4d83 DDO |
160 | =head1 DESCRIPTION |
161 | ||
162 | The B<cmp> command is a client implementation for the Certificate | |
163 | Management Protocol (CMP) as defined in RFC4210. | |
164 | It can be used to request certificates from a CA server, | |
165 | update their certificates, | |
8b22c283 | 166 | request certificates to be revoked, and perform other types of CMP requests. |
8d9a4d83 DDO |
167 | |
168 | =head1 OPTIONS | |
169 | ||
170 | =over 4 | |
171 | ||
172 | =item B<-help> | |
173 | ||
174 | Display a summary of all options. | |
175 | ||
176 | =item B<-config> I<filename> | |
177 | ||
178 | Configuration file to use. | |
179 | An empty string C<""> means none. | |
180 | Default filename is from the environment variable C<OPENSSL_CONF>. | |
181 | ||
182 | =item B<-section> I<names> | |
183 | ||
184 | Section(s) to use within config file defining CMP options. | |
185 | An empty string C<""> means no specific section. | |
186 | Default is C<cmp>. | |
b434b2c0 | 187 | |
8d9a4d83 DDO |
188 | Multiple section names may be given, separated by commas and/or whitespace |
189 | (where in the latter case the whole argument must be enclosed in "..."). | |
190 | Contents of sections named later may override contents of sections named before. | |
191 | In any case, as usual, the C<[default]> section and finally the unnamed | |
192 | section (as far as present) can provide per-option fallback values. | |
193 | ||
d99c8667 | 194 | =item B<-verbosity> I<level> |
8d9a4d83 | 195 | |
d99c8667 DDO |
196 | Level of verbosity for logging, error output, etc. |
197 | 0 = EMERG, 1 = ALERT, 2 = CRIT, 3 = ERR, 4 = WARN, 5 = NOTE, | |
198 | 6 = INFO, 7 = DEBUG, 8 = TRACE. | |
199 | Defaults to 6 = INFO. | |
200 | ||
201 | =back | |
8d9a4d83 DDO |
202 | |
203 | =head2 Generic message options | |
204 | ||
205 | =over 4 | |
206 | ||
207 | =item B<-cmd> I<ir|cr|kur|p10cr|rr|genm> | |
208 | ||
209 | CMP command to execute. | |
210 | Currently implemented commands are: | |
211 | ||
212 | =over 8 | |
213 | ||
214 | =item ir E<nbsp> - Initialization Request | |
215 | ||
216 | =item cr E<nbsp> - Certificate Request | |
217 | ||
218 | =item p10cr - PKCS#10 Certification Request (for legacy support) | |
219 | ||
220 | =item kur E<nbsp>E<nbsp>- Key Update Request | |
221 | ||
222 | =item rr E<nbsp> - Revocation Request | |
223 | ||
224 | =item genm - General Message | |
225 | ||
226 | =back | |
227 | ||
025c0f52 | 228 | B<ir> requests initialization of an end entity into a PKI hierarchy |
8b22c283 | 229 | by issuing a first certificate. |
8d9a4d83 | 230 | |
025c0f52 | 231 | B<cr> requests issuing an additional certificate for an end entity already |
8d9a4d83 DDO |
232 | initialized to the PKI hierarchy. |
233 | ||
8b22c283 | 234 | B<p10cr> requests issuing an additional certificate similarly to B<cr> |
025c0f52 | 235 | but using legacy PKCS#10 CSR format. |
8d9a4d83 | 236 | |
5e128ed1 | 237 | B<kur> requests a (key) update for an existing certificate. |
8d9a4d83 | 238 | |
5e128ed1 | 239 | B<rr> requests revocation of an existing certificate. |
8d9a4d83 DDO |
240 | |
241 | B<genm> requests information using a General Message, where optionally | |
242 | included B<InfoTypeAndValue>s may be used to state which info is of interest. | |
243 | Upon receipt of the General Response, information about all received | |
244 | ITAV B<infoType>s is printed to stdout. | |
245 | ||
246 | =item B<-infotype> I<name> | |
247 | ||
248 | Set InfoType name to use for requesting specific info in B<genm>, | |
249 | e.g., C<signKeyPairTypes>. | |
01b04851 | 250 | So far, there is specific support for C<caCerts> and C<rootCaCert>. |
8d9a4d83 | 251 | |
7c6577ba DDO |
252 | =item B<-profile> I<name> |
253 | ||
254 | Name of a certificate profile to place in | |
255 | the PKIHeader generalInfo field of request messages. | |
256 | ||
0739dd00 | 257 | =item B<-geninfo> I<values> |
8d9a4d83 | 258 | |
0739dd00 DDO |
259 | A comma-separated list of InfoTypeAndValue to place in |
260 | the generalInfo field of the PKIHeader of request messages. | |
261 | Each InfoTypeAndValue gives an OID and an integer or string value | |
262 | of the form I<OID>:int:I<number> or I<OID>:str:I<text>, | |
263 | e.g., C<'1.2.3.4:int:56789, id-kp:str:name'>. | |
8d9a4d83 DDO |
264 | |
265 | =back | |
266 | ||
d99c8667 | 267 | =head2 Certificate enrollment options |
8d9a4d83 DDO |
268 | |
269 | =over 4 | |
270 | ||
f91d003a | 271 | =item B<-newkey> I<filename>|I<uri> |
8d9a4d83 | 272 | |
2d658598 | 273 | The source of the private or public key for the certificate being requested. |
c8c92345 DDO |
274 | Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, |
275 | the public key of the reference certificate, or the current client key. | |
8d9a4d83 | 276 | |
2d658598 DDO |
277 | The public portion of the key is placed in the certification request. |
278 | ||
279 | Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the | |
280 | private key will be needed as well to provide the proof of possession (POPO), | |
281 | where the B<-key> option may provide a fallback. | |
282 | ||
8d9a4d83 DDO |
283 | =item B<-newkeypass> I<arg> |
284 | ||
285 | Pass phrase source for the key given with the B<-newkey> option. | |
286 | If not given here, the password will be prompted for if needed. | |
287 | ||
79a2bccd | 288 | For more information about the format of I<arg> see |
fee0af08 | 289 | L<openssl-passphrase-options(1)>. |
8d9a4d83 DDO |
290 | |
291 | =item B<-subject> I<name> | |
292 | ||
168d93a2 DDO |
293 | X.509 Distinguished Name (DN) to use as subject field |
294 | in the requested certificate template in IR/CR/KUR messages. | |
60c3d732 | 295 | If the NULL-DN (C</>) is given then no subject is placed in the template. |
7af110f9 DDO |
296 | Default is the subject DN of any PKCS#10 CSR given with the B<-csr> option. |
297 | For KUR, a further fallback is the subject DN | |
298 | of the reference certificate (see B<-oldcert>) if provided. | |
299 | This fallback is used for IR and CR only if no SANs are set. | |
8d9a4d83 | 300 | |
cd7ec0bc | 301 | If provided and neither of B<-cert>, B<-oldcert>, or B<-csr> is given, |
025c0f52 | 302 | the subject DN is used as fallback sender of outgoing CMP messages. |
8d9a4d83 | 303 | |
5a0991d0 | 304 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>. |
025c0f52 | 305 | Special characters may be escaped by C<\> (backslash); whitespace is retained. |
5a0991d0 DDO |
306 | Empty values are permitted, but the corresponding type will not be included. |
307 | Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN). | |
308 | Multi-valued RDNs can be formed by placing a C<+> character instead of a C</> | |
309 | between the AttributeValueAssertions (AVAs) that specify the members of the set. | |
310 | Example: | |
311 | ||
312 | C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> | |
313 | ||
8d9a4d83 DDO |
314 | =item B<-days> I<number> |
315 | ||
316 | Number of days the new certificate is requested to be valid for, counting from | |
317 | the current time of the host. | |
318 | Also triggers the explicit request that the | |
319 | validity period starts from the current time (as seen by the host). | |
320 | ||
321 | =item B<-reqexts> I<name> | |
322 | ||
323 | Name of section in OpenSSL config file defining certificate request extensions. | |
b51bed05 DDO |
324 | If the B<-csr> option is present, these extensions augment the extensions |
325 | contained in the given PKCS#10 CSR, overriding any extensions with the same OIDs. | |
8d9a4d83 DDO |
326 | |
327 | =item B<-sans> I<spec> | |
328 | ||
03ee2e5b DDO |
329 | One or more IP addresses, email addresses, DNS names, or URIs |
330 | separated by commas or whitespace | |
8d9a4d83 DDO |
331 | (where in the latter case the whole argument must be enclosed in "...") |
332 | to add as Subject Alternative Name(s) (SAN) certificate request extension. | |
333 | If the special element "critical" is given the SANs are flagged as critical. | |
334 | Cannot be used if any Subject Alternative Name extension is set via B<-reqexts>. | |
335 | ||
336 | =item B<-san_nodefault> | |
337 | ||
338 | When Subject Alternative Names are not given via B<-sans> | |
339 | nor defined via B<-reqexts>, | |
340 | they are copied by default from the reference certificate (see B<-oldcert>). | |
341 | This can be disabled by giving the B<-san_nodefault> option. | |
342 | ||
343 | =item B<-policies> I<name> | |
344 | ||
345 | Name of section in OpenSSL config file defining policies to be set | |
346 | as certificate request extension. | |
347 | This option cannot be used together with B<-policy_oids>. | |
348 | ||
349 | =item B<-policy_oids> I<names> | |
350 | ||
351 | One or more OID(s), separated by commas and/or whitespace | |
352 | (where in the latter case the whole argument must be enclosed in "...") | |
353 | to add as certificate policies request extension. | |
354 | This option cannot be used together with B<-policies>. | |
355 | ||
356 | =item B<-policy_oids_critical> | |
357 | ||
358 | Flag the policies given with B<-policy_oids> as critical. | |
359 | ||
360 | =item B<-popo> I<number> | |
361 | ||
2d658598 | 362 | Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..C<2> where |
8d9a4d83 DDO |
363 | C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. |
364 | ||
365 | Note that a signature-based POPO can only be produced if a private key | |
366 | is provided via the B<-newkey> or B<-key> options. | |
367 | ||
368 | =item B<-csr> I<filename> | |
369 | ||
3d46c81a | 370 | PKCS#10 CSR in PEM or DER format containing a certificate request. |
5e128ed1 | 371 | With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. |
2d658598 | 372 | |
7af110f9 | 373 | When used with B<-cmd> I<ir>, I<cr>, or I<kur>, |
2d658598 DDO |
374 | it is transformed into the respective regular CMP request. |
375 | In this case, a private key must be provided (with B<-newkey> or B<-key>) | |
376 | for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used) | |
377 | and the respective public key is placed in the certification request | |
378 | (rather than taking over the public key contained in the PKCS#10 CSR). | |
379 | ||
380 | PKCS#10 CSR input may also be used with B<-cmd> I<rr> | |
381 | to specify the certificate to be revoked | |
025c0f52 | 382 | via the included subject name and public key. |
cd7ec0bc DDO |
383 | Its subject is used as fallback sender in CMP message headers |
384 | if B<-cert> and B<-oldcert> are not given. | |
8d9a4d83 | 385 | |
3d46c81a | 386 | =item B<-out_trusted> I<filenames>|I<uris> |
8d9a4d83 | 387 | |
025c0f52 | 388 | Trusted certificate(s) to use for validating the newly enrolled certificate. |
6b58f498 | 389 | During this verification, any certificate status checking is disabled. |
8d9a4d83 | 390 | |
3d46c81a | 391 | Multiple sources may be given, separated by commas and/or whitespace |
8d9a4d83 DDO |
392 | (where in the latter case the whole argument must be enclosed in "..."). |
393 | Each source may contain multiple certificates. | |
394 | ||
acb934ff DDO |
395 | The certificate verification options |
396 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
397 | only affect the certificate verification enabled via this option. | |
8d9a4d83 DDO |
398 | |
399 | =item B<-implicit_confirm> | |
400 | ||
401 | Request implicit confirmation of newly enrolled certificates. | |
402 | ||
403 | =item B<-disable_confirm> | |
404 | ||
405 | Do not send certificate confirmation message for newly enrolled certificate | |
406 | without requesting implicit confirmation | |
407 | to cope with broken servers not supporting implicit confirmation correctly. | |
408 | B<WARNING:> This leads to behavior violating RFC 4210. | |
409 | ||
410 | =item B<-certout> I<filename> | |
411 | ||
60c3d732 | 412 | The file where any newly enrolled certificate should be saved. |
8d9a4d83 | 413 | |
39082af2 DDO |
414 | =item B<-chainout> I<filename> |
415 | ||
60c3d732 | 416 | The file where the chain of any newly enrolled certificate should be saved. |
39082af2 | 417 | |
8d9a4d83 DDO |
418 | =back |
419 | ||
d99c8667 | 420 | =head2 Certificate enrollment and revocation options |
8d9a4d83 DDO |
421 | |
422 | =over 4 | |
423 | ||
6bbff162 | 424 | =item B<-oldcert> I<filename>|I<uri> |
8d9a4d83 DDO |
425 | |
426 | The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request | |
427 | (KUR) messages or to be revoked in Revocation Request (RR) messages. | |
5e128ed1 DDO |
428 | For KUR the certificate to be updated defaults to B<-cert>, |
429 | and the certificate thus determined is called the I<reference certificate>. | |
025c0f52 | 430 | For RR the certificate to be revoked can also be specified using B<-csr>. |
1d32ec20 | 431 | B<-oldcert> and B<-csr> are ignored if B<-issuer> and B<-serial> are provided. |
8d9a4d83 | 432 | |
3d46c81a | 433 | The reference certificate, if any, is also used for |
d718521f | 434 | deriving default subject DN and Subject Alternative Names and the |
5e128ed1 | 435 | default issuer entry in the requested certificate template of an IR/CR/KUR. |
2d658598 | 436 | Its public key is used as a fallback in the template of certification requests. |
8b22c283 | 437 | Its subject is used as sender of outgoing messages if B<-cert> is not given. |
16931355 DDO |
438 | Its issuer is used as default recipient in CMP message headers |
439 | if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. | |
8d9a4d83 | 440 | |
1d32ec20 RR |
441 | =item B<-issuer> I<name> |
442 | ||
443 | X.509 Distinguished Name (DN) to use as issuer field | |
444 | in the requested certificate template in IR/CR/KUR/RR messages. | |
445 | If the NULL-DN (C</>) is given then no issuer is placed in the template. | |
446 | ||
447 | If provided and neither B<-recipient> nor B<-srvcert> is given, | |
448 | the issuer DN is used as fallback recipient of outgoing CMP messages. | |
449 | ||
450 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>. | |
451 | For details see the description of the B<-subject> option. | |
452 | ||
453 | =item B<-serial> I<number> | |
454 | ||
455 | Specify the serial number of the certificate to be revoked in a revocation request. | |
456 | The serial number can be given in decimal or in hex (if preceded by C<0x>). | |
457 | ||
8d9a4d83 DDO |
458 | =item B<-revreason> I<number> |
459 | ||
460 | Set CRLReason to be included in revocation request (RR); values: C<0>..C<10> | |
461 | or C<-1> for none (which is the default). | |
462 | ||
463 | Reason numbers defined in RFC 5280 are: | |
464 | ||
465 | CRLReason ::= ENUMERATED { | |
466 | unspecified (0), | |
467 | keyCompromise (1), | |
468 | cACompromise (2), | |
469 | affiliationChanged (3), | |
470 | superseded (4), | |
471 | cessationOfOperation (5), | |
472 | certificateHold (6), | |
473 | -- value 7 is not used | |
474 | removeFromCRL (8), | |
475 | privilegeWithdrawn (9), | |
476 | aACompromise (10) | |
477 | } | |
478 | ||
479 | =back | |
480 | ||
8d9a4d83 DDO |
481 | =head2 Message transfer options |
482 | ||
483 | =over 4 | |
484 | ||
7932982b | 485 | =item B<-server> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> |
8d9a4d83 | 486 | |
830b6a13 | 487 | The I<host> domain name or IP address and optionally I<port> |
a56bb5d6 | 488 | of the CMP server to connect to using HTTP(S). |
7a12e7af | 489 | The IP address may be IPv4 or IPv6, e.g., C<127.0.0.1> or C<[::1]> for localhost. |
830b6a13 | 490 | |
1f757df1 DDO |
491 | This option excludes I<-port> and I<-use_mock_srv>. |
492 | It is ignored if I<-rspin> is given with enough filename arguments. | |
a56bb5d6 | 493 | |
4a9299ac DDO |
494 | If the scheme C<https> is given, the B<-tls_used> option is implied. |
495 | When TLS is used, the default port is 443, otherwise 80. | |
7932982b DDO |
496 | The optional userinfo and fragment components are ignored. |
497 | Any given query component is handled as part of the path component. | |
d96486dc | 498 | If a path is included it provides the default value for the B<-path> option. |
8d9a4d83 | 499 | |
79a2bccd | 500 | =item B<-proxy> I<[http[s]://][userinfo@]host[:port][/path][?query][#fragment]> |
8d9a4d83 | 501 | |
79a2bccd | 502 | The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy> |
8d9a4d83 | 503 | applies, see below. |
79a2bccd | 504 | The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that |
4a9299ac DDO |
505 | the optional C<http://> or C<https://> prefix is ignored (note that using TLS |
506 | may be required by B<-tls_used> or B<-server> with the prefix C<https>), | |
507 | as well as any path, userinfo, query, and fragment components. | |
8d9a4d83 DDO |
508 | Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY> |
509 | in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>. | |
a56bb5d6 | 510 | This option is ignored if I<-server> is not given. |
8d9a4d83 DDO |
511 | |
512 | =item B<-no_proxy> I<addresses> | |
6600baa9 | 513 | |
8d9a4d83 DDO |
514 | List of IP addresses and/or DNS names of servers |
515 | not to use an HTTP(S) proxy for, separated by commas and/or whitespace | |
516 | (where in the latter case the whole argument must be enclosed in "..."). | |
517 | Default is from the environment variable C<no_proxy> if set, else C<NO_PROXY>. | |
a56bb5d6 | 518 | This option is ignored if I<-server> is not given. |
8d9a4d83 | 519 | |
6bbff162 DDO |
520 | =item B<-recipient> I<name> |
521 | ||
522 | Distinguished Name (DN) to use in the recipient field of CMP request message | |
523 | headers, i.e., the CMP server (usually the addressed CA). | |
524 | ||
525 | The recipient field in the header of a CMP message is mandatory. | |
526 | If not given explicitly the recipient is determined in the following order: | |
527 | the subject of the CMP server certificate given with the B<-srvcert> option, | |
528 | the B<-issuer> option, | |
529 | the issuer of the certificate given with the B<-oldcert> option, | |
530 | the issuer of the CMP client certificate (B<-cert> option), | |
531 | as far as any of those is present, else the NULL-DN as last resort. | |
532 | ||
533 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>. | |
534 | For details see the description of the B<-subject> option. | |
535 | ||
83b424c3 DDO |
536 | =item B<-path> I<remote_path> |
537 | ||
538 | HTTP path at the CMP server (aka CMP alias) to use for POST requests. | |
539 | Defaults to any path given with B<-server>, else C<"/">. | |
540 | ||
8f965908 DDO |
541 | =item B<-keep_alive> I<value> |
542 | ||
168d93a2 DDO |
543 | If the given value is 0 then HTTP connections are closed after each response |
544 | (which would be the default behavior of HTTP 1.0) | |
545 | even if a CMP transaction needs more than one round trip. | |
546 | If the value is 1 or 2 | |
547 | then for each transaction a persistent connection is requested. | |
548 | If the value is 2 then a persistent connection is required, | |
549 | i.e., an error occurs if the server does not grant it. | |
8f965908 DDO |
550 | The default value is 1, which means preferring to keep the connection open. |
551 | ||
8d9a4d83 DDO |
552 | =item B<-msg_timeout> I<seconds> |
553 | ||
5acd4007 | 554 | Number of seconds a CMP request-response message round trip |
8d9a4d83 | 555 | is allowed to take before a timeout error is returned. |
5acd4007 | 556 | A value <= 0 means no limitation (waiting indefinitely). |
8f965908 | 557 | Default is to use the B<-total_timeout> setting. |
8d9a4d83 DDO |
558 | |
559 | =item B<-total_timeout> I<seconds> | |
560 | ||
5acd4007 DDO |
561 | Maximum total number of seconds a transaction may take, |
562 | including polling etc. | |
563 | A value <= 0 means no limitation (waiting indefinitely). | |
564 | Default is 0. | |
8d9a4d83 DDO |
565 | |
566 | =back | |
567 | ||
8d9a4d83 DDO |
568 | =head2 Server authentication options |
569 | ||
570 | =over 4 | |
571 | ||
3d46c81a | 572 | =item B<-trusted> I<filenames>|I<uris> |
8d9a4d83 | 573 | |
260878f7 DDO |
574 | The certificate(s), typically of root CAs, the client shall use as trust anchors |
575 | when validating signature-based protection of CMP response messages. | |
576 | This option is ignored if the B<-srvcert> option is given as well. | |
577 | It provides more flexibility than B<-srvcert> because the CMP protection | |
578 | certificate of the server is not pinned but may be any certificate | |
579 | from which a chain to one of the given trust anchors can be constructed. | |
8d9a4d83 | 580 | |
260878f7 DDO |
581 | If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation |
582 | errors will be thrown unless B<-unprotected_errors> permits an exception. | |
b434b2c0 | 583 | |
3d46c81a | 584 | Multiple sources may be given, separated by commas and/or whitespace |
8d9a4d83 DDO |
585 | (where in the latter case the whole argument must be enclosed in "..."). |
586 | Each source may contain multiple certificates. | |
587 | ||
acb934ff DDO |
588 | The certificate verification options |
589 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
590 | have no effect on the certificate verification enabled via this option. | |
591 | ||
6bbff162 | 592 | =item B<-untrusted> I<filenames>|I<uris> |
8d9a4d83 | 593 | |
7a7d6b51 DDO |
594 | Non-trusted intermediate CA certificate(s). |
595 | Any extra certificates given with the B<-cert> option are appended to it. | |
596 | All these certificates may be useful for cert path construction | |
260878f7 | 597 | for the own CMP signer certificate (to include in the extraCerts field of |
4a9299ac | 598 | request messages) and for the TLS client certificate (if TLS is used) |
7a7d6b51 | 599 | as well as for chain building |
260878f7 | 600 | when validating server certificates (checking signature-based |
025c0f52 | 601 | CMP message protection) and when validating newly enrolled certificates. |
8d9a4d83 | 602 | |
168d93a2 DDO |
603 | Multiple sources may be given, separated by commas and/or whitespace |
604 | (where in the latter case the whole argument must be enclosed in "..."). | |
260878f7 | 605 | Each source may contain multiple certificates. |
8d9a4d83 | 606 | |
6bbff162 | 607 | =item B<-srvcert> I<filename>|I<uri> |
8d9a4d83 | 608 | |
0d17c2f4 | 609 | The specific CMP server certificate to expect and directly trust (even if it is |
260878f7 DDO |
610 | expired) when verifying signature-based protection of CMP response messages. |
611 | This pins the accepted server and results in ignoring the B<-trusted> option. | |
8d9a4d83 | 612 | |
0d17c2f4 DDO |
613 | If set, the subject of the certificate is also used |
614 | as default value for the recipient of CMP requests | |
260878f7 | 615 | and as default value for the expected sender of CMP responses. |
8d9a4d83 | 616 | |
8d9a4d83 DDO |
617 | =item B<-expect_sender> I<name> |
618 | ||
8b22c283 | 619 | Distinguished Name (DN) expected in the sender field of incoming CMP messages. |
0d17c2f4 | 620 | Defaults to the subject DN of the pinned B<-srvcert>, if any. |
8d9a4d83 | 621 | |
0d17c2f4 DDO |
622 | This can be used to make sure that only a particular entity is accepted as |
623 | CMP message signer, and attackers are not able to use arbitrary certificates | |
624 | of a trusted PKI hierarchy to fraudulently pose as a CMP server. | |
625 | Note that this option gives slightly more freedom than setting the B<-srvcert>, | |
626 | which pins the server to the holder of a particular certificate, while the | |
627 | expected sender name will continue to match after updates of the server cert. | |
8d9a4d83 | 628 | |
025c0f52 DDO |
629 | The argument must be formatted as I</type0=value0/type1=value1/type2=...>. |
630 | For details see the description of the B<-subject> option. | |
631 | ||
8d9a4d83 DDO |
632 | =item B<-ignore_keyusage> |
633 | ||
025c0f52 | 634 | Ignore key usage restrictions in CMP signer certificates when validating |
260878f7 DDO |
635 | signature-based protection of incoming CMP messages. |
636 | By default, C<digitalSignature> must be allowed by CMP signer certificates. | |
fd514375 | 637 | This option applies to both CMP clients and the mock server. |
8d9a4d83 DDO |
638 | |
639 | =item B<-unprotected_errors> | |
640 | ||
641 | Accept missing or invalid protection of negative responses from the server. | |
642 | This applies to the following message types and contents: | |
643 | ||
644 | =over 4 | |
645 | ||
646 | =item * error messages | |
647 | ||
648 | =item * negative certificate responses (IP/CP/KUP) | |
649 | ||
650 | =item * negative revocation responses (RP) | |
651 | ||
652 | =item * negative PKIConf messages | |
653 | ||
654 | =back | |
655 | ||
656 | B<WARNING:> This setting leads to unspecified behavior and it is meant | |
657 | exclusively to allow interoperability with server implementations violating | |
658 | RFC 4210, e.g.: | |
659 | ||
660 | =over 4 | |
661 | ||
662 | =item * section 5.1.3.1 allows exceptions from protecting only for special | |
663 | cases: | |
664 | "There MAY be cases in which the PKIProtection BIT STRING is deliberately not | |
665 | used to protect a message [...] because other protection, external to PKIX, will | |
666 | be applied instead." | |
667 | ||
668 | =item * section 5.3.21 is clear on ErrMsgContent: "The CA MUST always sign it | |
669 | with a signature key." | |
670 | ||
671 | =item * appendix D.4 shows PKIConf message having protection | |
672 | ||
673 | =back | |
674 | ||
1caaf073 DDO |
675 | =item B<-no_cache_extracerts> |
676 | ||
677 | Do not cache certificates in the extraCerts field of CMP messages received. | |
678 | By default, they are kept as they may be helpful for validating further messages. | |
679 | This option applies to both CMP clients and the mock server. | |
680 | ||
681 | =item B<-srvcertout> I<filename> |
682 | ||
683 | The file where to save the successfully validated certificate, if any, | |
684 | that the CMP server used for signature-based response message protection. | |
685 | If there is no such certificate, typically because the protection was MAC-based, |
686 | this is indicated by deleting the file (if it existed). | |
b6fbef11 | 687 | |
688 | =item B<-extracertsout> I<filename> |
689 | ||
690 | The file where to save the list of certificates contained in the extraCerts |
691 | field of the last received response message that is not a pollRep nor PKIConf. | |
692 | |
693 | =item B<-cacertsout> I<filename> | |
694 | ||
60c3d732 | 695 | The file where to save the list of CA certificates contained in the caPubs field |
696 | if a positive certificate response (i.e., IP, CP, or KUP) message was received |
697 | or contained in a general response (genp) message with infoType C<caCerts>. | |
8d9a4d83 | 698 | |
699 | =item B<-oldwithold> I<filename> |
700 | ||
701 | The root CA certificate to include in a genm request of infoType C<rootCaCert>. | |
702 | If present and the optional oldWithNew certificate is received, | |
703 | it is verified using the newWithNew certificate as the (only) trust anchor. | |
704 | ||
705 | =item B<-newwithnew> I<filename> | |
706 | ||
707 | This option must be provided when B<-infotype> I<rootCaCert> is given. | |
708 | It specifies the file to save the newWithNew certificate | |
709 | received in a genp message of type C<rootCaKeyUpdate>. | |
710 | If on success no such cert was received, this file (if present) is deleted | |
711 | to indicate that the requested root CA certificate update is not available. | |
712 | ||
713 | Any received newWithNew certificate is verified | |
714 | using any received newWithOld certificate as untrusted intermediate certificate | |
715 | and the certificate provided with B<-oldwithold> as the (only) trust anchor, | |
716 | or if not provided, using the certificates given with the B<-trusted> option. | |
717 | ||
718 | B<WARNING:> | |
719 | The newWithNew certificate is meant to be a certificate that will be trusted. | |
720 | The trust placed in it cannot be stronger than the trust placed in | |
721 | the B<-oldwithold> certificate if present, otherwise it cannot be stronger than | |
722 | the weakest trust placed in any of the B<-trusted> certificates. | |
723 | ||
724 | =item B<-newwithold> I<filename> | |
725 | ||
726 | The file to save any newWithOld certificate | |
727 | received in a genp message of infoType C<rootCaKeyUpdate>. | |
728 | If on success no such cert was received, this is indicated by deleting the file. | |
729 | ||
730 | =item B<-oldwithnew> I<filename> | |
731 | ||
732 | The file to save any oldWithNew certificate | |
733 | received in a genp message of infoType C<rootCaKeyUpdate>. | |
734 | If on success no such cert was received, this is indicated by deleting the file. | |
735 | ||
736 | =back |
737 | ||
738 | =head2 Client authentication options |
739 | ||
740 | =over 4 | |
741 | ||
742 | =item B<-ref> I<value> | |
743 | ||
744 | Reference number/string/value to use as fallback senderKID; this is required | |
745 | if no sender name can be determined from the B<-cert> or B<-subject> options and | |
746 | is typically used when authenticating with pre-shared key (password-based MAC). | |
747 | ||
748 | =item B<-secret> I<arg> | |
749 | ||
89ed128d | 750 | Provides the source of a secret value to use with MAC-based message protection. |
ef2d3588 | 751 | This takes precedence over the B<-cert> and B<-key> options. |
752 | The secret is used for creating MAC-based protection of outgoing messages |
753 | and for validating incoming messages that have MAC-based protection. | |
754 | The algorithm used by default is Password-Based Message Authentication Code (PBM) | |
755 | as defined in RFC 4210 section 5.1.3.1. | |
8d9a4d83 | 756 | |
79a2bccd | 757 | For more information about the format of I<arg> see |
fee0af08 | 758 | L<openssl-passphrase-options(1)>. |
8d9a4d83 | 759 | |
6bbff162 | 760 | =item B<-cert> I<filename>|I<uri> |
8d9a4d83 | 761 | |
15076c26 | 762 | The client's current CMP signer certificate. |
8d9a4d83 | 763 | Requires the corresponding key to be given with B<-key>. |
764 | |
765 | The subject and the public key contained in this certificate | |
766 | serve as fallback values in the certificate template of IR/CR/KUR messages. | |
767 | ||
768 | The subject of this certificate will be used as sender of outgoing CMP messages, |
769 | while the subject of B<-oldcert> or B<-subject> may provide fallback values. | |
2d658598 | 770 | |
d718521f | 771 | The issuer of this certificate is used as one of the recipient fallback values |
772 | and as fallback issuer entry in the certificate template of IR/CR/KUR messages. |
773 | ||
774 | When performing signature-based message protection, |
775 | this "protection certificate", also called "signer certificate", | |
776 | will be included first in the extraCerts field of outgoing messages |
777 | and the signature is done with the corresponding key. | |
778 | In Initialization Request (IR) messages this can be used for authenticating |
779 | using an external entity certificate as defined in appendix E.7 of RFC 4210. | |
2d658598 | 780 | |
781 | For Key Update Request (KUR) messages this is also used as |
782 | the certificate to be updated if the B<-oldcert> option is not given. | |
2d658598 | 783 | |
784 | If the file includes further certs, they are appended to the untrusted certs |
785 | because they typically constitute the chain of the client certificate, which | |
786 | is included in the extraCerts field in signature-protected request messages. | |
8d9a4d83 | 787 | |
3d46c81a | 788 | =item B<-own_trusted> I<filenames>|I<uris> |
789 | |
790 | If this list of certificates is provided then the chain built for | |
791 | the client-side CMP signer certificate given with the B<-cert> option |
792 | is verified using the given certificates as trust anchors. | |
15076c26 | 793 | |
3d46c81a | 794 | Multiple sources may be given, separated by commas and/or whitespace |
795 | (where in the latter case the whole argument must be enclosed in "..."). |
796 | Each source may contain multiple certificates. | |
797 | ||
798 | The certificate verification options |
799 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
800 | have no effect on the certificate verification enabled via this option. | |
801 | ||
6bbff162 | 802 | =item B<-key> I<filename>|I<uri> |
803 | |
804 | The corresponding private key file for the client's current certificate given in | |
805 | the B<-cert> option. | |
806 | This will be used for signature-based message protection unless the B<-secret> |
807 | option indicating MAC-based protection or B<-unprotected_requests> is given. | |
8d9a4d83 | 808 | |
809 | It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. |
810 | ||
811 | =item B<-keypass> I<arg> |
812 | ||
813 | Pass phrase source for the private key given with the B<-key> option. | |
814 | Also used for B<-cert> and B<-oldcert> in case it is an encrypted PKCS#12 file. | |
815 | If not given here, the password will be prompted for if needed. | |
816 | ||
79a2bccd | 817 | For more information about the format of I<arg> see |
fee0af08 | 818 | L<openssl-passphrase-options(1)>. |
819 | |
820 | =item B<-digest> I<name> | |
821 | ||
822 | Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG | |
89ed128d | 823 | and as the one-way function (OWF) in C<MSG_MAC_ALG>. |
8d9a4d83 | 824 | If applicable, this is used for message protection and |
2d658598 | 825 | proof-of-possession (POPO) signatures. |
79a2bccd | 826 | To see the list of supported digests, use C<openssl list -digest-commands>. |
827 | Defaults to C<sha256>. |
828 | ||
829 | =item B<-mac> I<name> | |
830 | ||
89ed128d | 831 | Specifies the name of the MAC algorithm in C<MSG_MAC_ALG>. |
79a2bccd | 832 | To get the names of supported MAC algorithms use C<openssl list -mac-algorithms> |
833 | and possibly combine such a name with the name of a supported digest algorithm, |
834 | e.g., hmacWithSHA256. | |
835 | Defaults to C<hmac-sha1> as per RFC 4210. (HMAC-SHA1 is still considered adequate as a MAC even though SHA-1 is unsuitable for signatures; a stronger algorithm such as C<hmacWithSHA256> may be chosen when the peer supports it.) | |
836 | ||
6bbff162 | 837 | =item B<-extracerts> I<filenames>|I<uris> |
838 | |
839 | Certificates to append in the extraCerts field when sending messages. | |
a0745e2b | 840 | They can be used as the default CMP signer certificate chain to include. |
8d9a4d83 | 841 | |
3d46c81a | 842 | Multiple sources may be given, separated by commas and/or whitespace |
843 | (where in the latter case the whole argument must be enclosed in "..."). |
844 | Each source may contain multiple certificates. | |
845 | ||
846 | =item B<-unprotected_requests> | |
847 | ||
260878f7 | 848 | Send request messages without CMP-level protection. |
849 | |
850 | =back | |
851 | ||
852 | =head2 Credentials format options |
853 | ||
854 | =over 4 | |
855 | ||
856 | =item B<-certform> I<PEM|DER> | |
857 | ||
858 | File format to use when saving a certificate to a file. | |
859 | Default value is PEM. | |
860 | ||
b3c5aadf | 861 | =item B<-keyform> I<PEM|DER|P12|ENGINE> |
8d9a4d83 | 862 | |
bee3f389 | 863 | The format of the key input; unspecified by default. |
f91d003a | 864 | See L<openssl(1)/Format Options> for details. |
865 | |
866 | =item B<-otherpass> I<arg> | |
867 | ||
868 | Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>, | |
7a7d6b51 | 869 | B<-own_trusted>, B<-srvcert>, B<-out_trusted>, B<-extracerts>, |
870 | B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>, B<-rsp_cert>, |
871 | B<-rsp_extracerts>, B<-rsp_capubs>, | |
872 | B<-rsp_newwithnew>, B<-rsp_newwithold>, B<-rsp_oldwithnew>, | |
7a7d6b51 | 873 | B<-tls_extra>, and B<-tls_trusted> options. |
874 | If not given here, the password will be prompted for if needed. |
875 | ||
79a2bccd | 876 | For more information about the format of I<arg> see |
fee0af08 | 877 | L<openssl-passphrase-options(1)>. |
878 | |
879 | {- $OpenSSL::safe::opt_engine_item -} | |
880 | ||
0f221d9c | 881 | {- output_off() if $disabled{"deprecated-3.0"}; "" -} |
f91d003a | 882 | As an alternative to using this combination: |
8d9a4d83 | 883 | |
f91d003a | 884 | -engine {engineid} -key {keyid} -keyform ENGINE |
8d9a4d83 | 885 | |
886 | ... it's also possible to just give the key ID in URI form to B<-key>, |
887 | like this: | |
8d9a4d83 | 888 | |
f91d003a | 889 | -key org.openssl.engine:{engineid}:{keyid} |
8d9a4d83 | 890 | |
891 | This applies to all options specifying keys: B<-key>, B<-newkey>, and |
892 | B<-tls_key>. | |
0f221d9c | 893 | {- output_on() if $disabled{"deprecated-3.0"}; "" -} |
8d9a4d83 | 894 | |
895 | =back |
896 | ||
897 | =head2 Provider options | |
898 | ||
899 | =over 4 | |
900 | ||
901 | {- $OpenSSL::safe::opt_provider_item -} | |
902 | ||
903 | =back | |
904 | ||
905 | =head2 Random state options |
906 | ||
907 | =over 4 | |
908 | ||
909 | {- $OpenSSL::safe::opt_r_item -} | |
910 | ||
911 | =back | |
912 | ||
d99c8667 | 913 | =head2 TLS connection options |
914 | |
915 | =over 4 | |
916 | ||
917 | =item B<-tls_used> | |
918 | ||
919 | Make the CMP client use TLS (regardless if other TLS-related options are set) |
920 | for message exchange with the server via HTTP. | |
1f757df1 | 921 | This option is not supported with the I<-port> option. |
922 | It is implied if the B<-server> option is given with the scheme C<https>. |
923 | It is ignored if the B<-server> option is not given or B<-use_mock_srv> is given | |
924 | or B<-rspin> is given with enough filename arguments. | |
8d9a4d83 | 925 | |
4a9299ac | 926 | The following TLS-related options are ignored if TLS is not used. |
ad1a1d71 | 927 | |
6bbff162 | 928 | =item B<-tls_cert> I<filename>|I<uri> |
8d9a4d83 | 929 | |
ad1a1d71 | 930 | Client's TLS certificate to use for authenticating to the TLS server. |
3d46c81a | 931 | If the source includes further certs they are used (along with B<-untrusted> |
8b22c283 | 932 | certs) for constructing the client cert chain provided to the TLS server. |
8d9a4d83 | 933 | |
f91d003a | 934 | =item B<-tls_key> I<filename>|I<uri> |
935 | |
936 | Private key for the client's TLS certificate. | |
937 | ||
938 | =item B<-tls_keypass> I<arg> | |
939 | ||
79a2bccd | 940 | Pass phrase source for client's private TLS key B<-tls_key>. |
941 | Also used for B<-tls_cert> in case it is an encrypted PKCS#12 file. |
942 | If not given here, the password will be prompted for if needed. | |
943 | ||
79a2bccd | 944 | For more information about the format of I<arg> see |
fee0af08 | 945 | L<openssl-passphrase-options(1)>. |
8d9a4d83 | 946 | |
3d46c81a | 947 | =item B<-tls_extra> I<filenames>|I<uris> |
8d9a4d83 | 948 | |
ad1a1d71 | 949 | Extra certificates to provide to the TLS server during handshake. |
8d9a4d83 | 950 | |
3d46c81a | 951 | =item B<-tls_trusted> I<filenames>|I<uris> |
8d9a4d83 | 952 | |
025c0f52 | 953 | Trusted certificate(s) to use for validating the TLS server certificate. |
954 | This implies hostname validation. |
955 | ||
3d46c81a | 956 | Multiple sources may be given, separated by commas and/or whitespace |
957 | (where in the latter case the whole argument must be enclosed in "..."). |
958 | Each source may contain multiple certificates. | |
959 | ||
960 | The certificate verification options |
961 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
962 | have no effect on the certificate verification enabled via this option. | |
963 | ||
964 | =item B<-tls_host> I<name> |
965 | ||
57cd10dd | 966 | Address to be checked during hostname validation. |
967 | This may be a DNS name or an IP address. |
968 | If not given it defaults to the B<-server> address. | |
969 | ||
970 | =back | |
971 | ||
2fbe23bb | 972 | =head2 Client-side options for debugging and offline scenarios |
973 | |
974 | =over 4 | |
975 | ||
976 | =item B<-batch> | |
977 | ||
978 | Do not interactively prompt for input, for instance when a password is needed. | |
979 | This can be useful for batch processing and testing. | |
980 | ||
981 | =item B<-repeat> I<number> | |
982 | ||
d830526c | 983 | Invoke the command the given positive number of times with the same parameters. |
984 | Default is one invocation. |
985 | ||
986 | =item B<-reqin> I<filenames> | |
987 | ||
988 | Take the sequence of CMP requests to send to the server from the given file(s) |
989 | rather than from the sequence of requests produced internally. | |
990 | ||
991 | This option is useful for supporting offline scenarios where the certificate |
992 | request (or any other CMP request) is produced beforehand and sent out later. | |
993 | ||
994 | This option is ignored if the B<-rspin> option is given |
995 | because in the latter case no requests are actually sent. | |
b434b2c0 | 996 | |
997 | Note that in any case the client produces internally its sequence |
998 | of CMP request messages. Thus, all options required for doing this | |
999 | (such as B<-cmd> and all options providing the required parameters) | |
1000 | need to be given also when the B<-reqin> option is present. | |
1001 | ||
1002 | If the B<-reqin> option is given for a certificate request |
1003 | and no B<-newkey>, B<-key>, B<-oldcert>, or B<-csr> option is given, | |
1004 | a fallback public key is taken from the request message file | |
1005 | (if it is included in the certificate template). | |
1006 | ||
1007 | Hint: In case the B<-reqin> option is given for a certificate request, there are | |
1008 | situations where the client has access to the public key to be certified but | |
1009 | not to the private key that by default will be needed for proof of possession. |
1010 | In this case the POPO is not actually needed (because the internally produced | |
1011 | certificate request message will not be sent), and its generation | |
1012 | can be disabled using the options B<-popo> I<-1> or B<-popo> I<0>. | |
1013 | ||
1014 | Multiple filenames may be given, separated by commas and/or whitespace |
1015 | (where in the latter case the whole argument must be enclosed in "..."). | |
1016 | |
1017 | The files are read as far as needed to complete the transaction | |
1018 | and filenames have been provided. If more requests are needed, | |
1019 | the remaining ones are taken from the items at the respective position | |
1020 | in the sequence of requests produced internally. | |
1021 | ||
1022 | The client needs to update the recipNonce field in the given requests (except | |
1023 | for the first one) in order to satisfy the checks to be performed by the server. | |
1024 | This causes re-protection (if protecting requests is required). | |
8d9a4d83 | 1025 | |
1026 | =item B<-reqin_new_tid> |
1027 | ||
1028 | Use a fresh transactionID for CMP request messages read using B<-reqin>, | |
4b0c27d4 | 1029 | which causes their reprotection (if protecting requests is required). |
1030 | This may be needed in case the sequence of requests is reused |
1031 | and the CMP server complains that the transaction ID has already been used. | |
1032 | ||
1033 | =item B<-reqout> I<filenames> |
1034 | ||
1f757df1 | 1035 | Save the sequence of CMP requests created by the client to the given file(s). |
77aa0069 | 1036 | These requests are not sent to the server if the B<-reqin> option is used, too. |
b434b2c0 | 1037 | |
8d9a4d83 | 1038 | Multiple filenames may be given, separated by commas and/or whitespace. |
1039 | |
1040 | Files are written as far as needed to save the transaction | |
1041 | and filenames have been provided. | |
1042 | If the transaction contains more requests, the remaining ones are not saved. | |
8d9a4d83 | 1043 | |
1044 | =item B<-reqout_only> I<filename> |
1045 | ||
1046 | Save the first CMP requests created by the client to the given file and exit. | |
1047 | Any options related to CMP servers and their responses are ignored. | |
1048 | ||
1049 | This option is useful for supporting offline scenarios where the certificate | |
1050 | request (or any other CMP request) is produced beforehand and sent out later. | |
1051 | ||
1052 | =item B<-rspin> I<filenames> |
1053 | ||
1054 | Process the sequence of CMP responses provided in the given file(s), |
1055 | not contacting any given server, | |
1056 | as long as enough filenames are provided to complete the transaction. | |
b434b2c0 | 1057 | |
8d9a4d83 | 1058 | Multiple filenames may be given, separated by commas and/or whitespace. |
1059 | |
1060 | Any server specified via the I<-server> or I<-use_mock_srv> options is contacted | |
1061 | only if more responses are needed to complete the transaction. | |
1062 | In this case the transaction will fail | |
1063 | unless the server has been prepared to continue the already started transaction. | |
1064 | |
1065 | =item B<-rspout> I<filenames> | |
1066 | ||
1067 | Save the sequence of actually used CMP responses to the given file(s). |
1068 | These have been received from the server unless B<-rspin> takes effect. | |
b434b2c0 | 1069 | |
8d9a4d83 | 1070 | Multiple filenames may be given, separated by commas and/or whitespace. |
1071 | |
1072 | Files are written as far as needed to save the responses | |
1073 | contained in the transaction and filenames have been provided. | |
1074 | If the transaction contains more responses, the remaining ones are not saved. | |
1075 | |
1076 | =item B<-use_mock_srv> | |
1077 | ||
1078 | Test the client using the internal CMP server mock-up at API level, |
1079 | bypassing socket-based transfer via HTTP. | |
1f757df1 | 1080 | This excludes the B<-server> and B<-port> options. |
1081 | |
1082 | =back | |
1083 | ||
d99c8667 | 1084 | =head2 Mock server options |
1085 | |
1086 | =over 4 | |
1087 | ||
1088 | =item B<-port> I<number> | |
1089 | ||
830b6a13 | 1090 | Act as HTTP-based CMP server mock-up listening on the given local port. |
7a12e7af | 1091 | The client may address the server via, e.g., C<127.0.0.1> or C<[::1]>. |
830b6a13 | 1092 | This option excludes the B<-server> and B<-use_mock_srv> options. |
1093 | The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options |
1094 | so far are not supported in this mode. | |
1095 | |
1096 | =item B<-max_msgs> I<number> | |
1097 | ||
1098 | Maximum number of CMP (request) messages the CMP HTTP server mock-up | |
490c8711 | 1099 | should handle, which must be nonnegative. |
1100 | The default value is 0, which means that no limit is imposed. |
1101 | In any case the server terminates on internal errors, but not when it | |
1102 | detects a CMP-level error that it can successfully answer with an error message. | |
1103 | ||
1104 | =item B<-srv_ref> I<value> | |
1105 | ||
1106 | Reference value to use as senderKID of server in case no B<-srv_cert> is given. | |
1107 | ||
1108 | =item B<-srv_secret> I<arg> | |
1109 | ||
1110 | Password source for server authentication with a pre-shared key (secret). | |
1111 | ||
6bbff162 | 1112 | =item B<-srv_cert> I<filename>|I<uri> |
1113 | |
1114 | Certificate of the server. | |
1115 | ||
6bbff162 | 1116 | =item B<-srv_key> I<filename>|I<uri> |
1117 | |
1118 | Private key used by the server for signing messages. | |
1119 | ||
1120 | =item B<-srv_keypass> I<arg> | |
1121 | ||
1122 | Server private key (and cert) file pass phrase source. | |
1123 | ||
3d46c81a | 1124 | =item B<-srv_trusted> I<filenames>|I<uris> |
1125 | |
1126 | Trusted certificates for client authentication. | |
1127 | ||
1128 | The certificate verification options |
1129 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
1130 | have no effect on the certificate verification enabled via this option. | |
1131 | ||
3d46c81a | 1132 | =item B<-srv_untrusted> I<filenames>|I<uris> |
8d9a4d83 | 1133 | |
025c0f52 | 1134 | Intermediate CA certs that may be useful when validating client certificates. |
8d9a4d83 | 1135 | |
1136 | =item B<-ref_cert> I<filename>|I<uri> |
1137 | ||
1138 | Certificate to be expected for RR messages and any oldCertID in KUR messages. | |
1139 | ||
6bbff162 | 1140 | =item B<-rsp_cert> I<filename>|I<uri> |
1141 | |
1142 | Certificate to be returned as mock enrollment result. | |
1143 | ||
3d46c81a | 1144 | =item B<-rsp_extracerts> I<filenames>|I<uris> |
1145 | |
1146 | Extra certificates to be included in mock certification responses. | |
1147 | ||
3d46c81a | 1148 | =item B<-rsp_capubs> I<filenames>|I<uris> |
1149 | |
1150 | CA certificates to be included in mock Initialization Response (IP) message. | |
1151 | ||
1152 | =item B<-rsp_newwithnew> I<filename>|I<uri> |
1153 | ||
1154 | Certificate to be returned in newWithNew field of genp of type rootCaKeyUpdate. | |
1155 | ||
1156 | =item B<-rsp_newwithold> I<filename>|I<uri> | |
1157 | ||
1158 | Certificate to be returned in newWithOld field of genp of type rootCaKeyUpdate. | |
1159 | ||
1160 | =item B<-rsp_oldwithnew> I<filename>|I<uri> | |
1161 | ||
1162 | Certificate to be returned in oldWithNew field of genp of type rootCaKeyUpdate. | |
1163 | ||
1164 | =item B<-poll_count> I<number> |
1165 | ||
1166 | Number of times the client must poll before receiving a certificate. | |
1167 | ||
1168 | =item B<-check_after> I<number> | |
1169 | ||
1170 | The checkAfter value (number of seconds to wait) to include in poll response. | |
1171 | ||
1172 | =item B<-grant_implicitconf> |
1173 | ||
1174 | Grant implicit confirmation of newly enrolled certificate. | |
1175 | ||
1176 | =item B<-pkistatus> I<number> | |
1177 | ||
1178 | PKIStatus to be included in server response. | |
1179 | Valid range is 0 (accepted) .. 6 (keyUpdateWarning). | |
1180 | ||
1181 | =item B<-failure> I<number> | |
1182 | ||
1183 | A single failure info bit number to be included in server response. | |
1184 | Valid range is 0 (badAlg) .. 26 (duplicateCertReq). | |
1185 | ||
1186 | =item B<-failurebits> I<number> | |
| ||
1187 | Number representing failure bits to be included in server response. | |
1188 | Valid range is 0 .. 2^27 - 1. | |
1189 | ||
1190 | =item B<-statusstring> I<arg> | |
1191 | ||
1192 | Text to be included as status string in server response. | |
1193 | ||
1194 | =item B<-send_error> | |
1195 | ||
1196 | Force server to reply with error message. | |
1197 | ||
1198 | =item B<-send_unprotected> | |
1199 | ||
1200 | Send response messages without CMP-level protection. | |
1201 | ||
1202 | =item B<-send_unprot_err> | |
1203 | ||
1204 | In case of negative responses, server shall send unprotected error messages, | |
1205 | certificate responses (IP/CP/KUP), and revocation responses (RP). | |
1206 | WARNING: This setting leads to behavior violating RFC 4210. | |
1207 | ||
1208 | =item B<-accept_unprotected> | |
1209 | ||
1210 | Accept missing or invalid protection of requests. | |
1211 | ||
1212 | =item B<-accept_unprot_err> | |
1213 | ||
1214 | Accept unprotected error messages from client. | |
260878f7 | 1215 | So far this has no effect because the server does not accept any error messages. |
1216 | |
1217 | =item B<-accept_raverified> | |
1218 | ||
2d658598 | 1219 | Accept RAVERIFED as proof of possession (POPO). |
1220 | |
1221 | =back | |
1222 | ||
1223 | =head2 Certificate verification options, for both CMP and TLS |
1224 | ||
1225 | =over 4 | |
1226 | ||
1227 | {- $OpenSSL::safe::opt_v_item -} |
1228 | ||
1229 | The certificate verification options | |
1230 | B<-verify_hostname>, B<-verify_ip>, and B<-verify_email> | |
1231 | only affect the certificate verification enabled via the B<-out_trusted> option. | |
1232 | |
1233 | =back | |
1234 | |
1235 | =head1 NOTES | |
1236 | ||
01b04851 | 1237 | When a client obtains, from a CMP server, CA certificates that it is going to |
1a9e2860 | 1238 | trust, for instance via the C<caPubs> field of a certificate response |
01b04851 | 1239 | or using general messages with infoType C<caCerts> or C<rootCaCert>, |
1240 | authentication of the CMP server is particularly critical. |
1241 | So special care must be taken setting up server authentication | |
1242 | using B<-trusted> and related options for certificate-based authentication | |
1243 | or B<-secret> for MAC-based protection. | |
1244 | If authentication is certificate-based, the B<-srvcertout> option | |
1245 | should be used to obtain the validated server certificate | |
1246 | and perform an authorization check based on it. | |
1247 | ||
1248 | When setting up CMP configurations and experimenting with enrollment options |
1249 | typically various errors occur until the configuration is correct and complete. | |
1250 | When the CMP server reports an error the client will by default | |
1251 | check the protection of the CMP response message. | |
1252 | Yet some CMP services tend not to protect negative responses. | |
1253 | In this case the client will reject them, and thus their contents are not shown | |
1254 | although they usually contain hints that would be helpful for diagnostics. | |
1255 | For assisting in such cases the CMP client offers a workaround via the | |
1256 | B<-unprotected_errors> option, which allows accepting such negative messages. | |
1257 | ||
35b76bc8 | 1258 | If OpenSSL was built with trace support enabled (e.g., C<./config enable-trace>) |
e8fdb060 | 1259 | and the environment variable B<OPENSSL_TRACE> includes B<HTTP>, |
35b76bc8 | 1260 | the requests and the response headers transferred via HTTP are printed. |
e8fdb060 | 1261 | |
1262 | =head1 EXAMPLES |
1263 | ||
1264 | =head2 Simple examples using the default OpenSSL configuration file | |
1265 | ||
1266 | This CMP client implementation comes with demonstrative CMP sections | |
1267 | in the example configuration file F<openssl/apps/openssl.cnf>, | |
1268 | which can be used to interact conveniently with the Insta Demo CA. | |
1269 | ||
1270 | In order to enroll an initial certificate from that CA it is sufficient | |
1271 | to issue the following shell commands. | |
1272 | ||
6bbff162 | 1273 | export OPENSSL_CONF=/path/to/openssl/apps/openssl.cnf |
6600baa9 | 1274 | |
ebc1e8fc | 1275 | =begin comment |
6600baa9 | 1276 | |
4d2b2889 | 1277 | wget 'http://pki.certificate.fi:8081/install-ca-cert.html/ca-certificate.crt\ |
8d9a4d83 | 1278 | ?ca-id=632&download-certificate=1' -O insta.ca.crt |
6600baa9 | 1279 | |
ebc1e8fc | 1280 | =end comment |
6600baa9 | 1281 | |
1282 | openssl genrsa -out insta.priv.pem |
1283 | openssl cmp -section insta | |
1284 | ||
1285 | This should produce the file F<insta.cert.pem> containing a new certificate | |
1286 | for the private key held in F<insta.priv.pem>. | |
1287 | It can be viewed using, e.g., | |
1288 | ||
1289 | openssl x509 -noout -text -in insta.cert.pem | |
1290 | ||
1291 | In case the network setup requires using an HTTP proxy it may be given as usual | |
79a2bccd | 1292 | via the environment variable B<http_proxy> or via the B<-proxy> option in the |
6bbff162 | 1293 | configuration file or the CMP command-line argument B<-proxy>, for example |
1294 | |
1295 | -proxy http://192.168.1.1:8080 | |
1296 | ||
1297 | In the Insta Demo CA scenario both clients and the server may use the pre-shared | |
8b22c283 | 1298 | secret I<insta> and the reference value I<3078> to authenticate to each other. |
1299 | |
1300 | Alternatively, CMP messages may be protected in signature-based manner, | |
1301 | where the trust anchor in this case is F<insta.ca.crt> | |
1302 | and the client may use any certificate already obtained from that CA, | |
1303 | as specified in the B<[signature]> section of the example configuration. | |
1304 | This can be used in combination with the B<[insta]> section simply by | |
1305 | ||
1306 | openssl cmp -section insta,signature | |
1307 | ||
1308 | By default the CMP IR message type is used, yet CR works equally here. | |
1309 | This may be specified directly at the command line: | |
1310 | ||
1311 | openssl cmp -section insta -cmd cr | |
1312 | ||
1313 | or by referencing in addition the B<[cr]> section of the example configuration: | |
1314 | ||
1315 | openssl cmp -section insta,cr | |
1316 | ||
1317 | In order to update the enrolled certificate one may call | |
1318 | ||
1319 | openssl cmp -section insta,kur | |
1320 | ||
cb03eef1 | 1321 | using MAC-based protection with PBM or |
1322 | |
1323 | openssl cmp -section insta,kur,signature | |
1324 | ||
1325 | using signature-based protection. | |
1326 | ||
1327 | In a similar way any previously enrolled certificate may be revoked by | |
1328 | ||
1329 | openssl cmp -section insta,rr -trusted insta.ca.crt | |
1330 | ||
1331 | or | |
1332 | ||
1333 | openssl cmp -section insta,rr,signature | |
1334 | ||
6bbff162 | 1335 | Many more options can be given in the configuration file |
8d9a4d83 | 1336 | and/or on the command line. |
1337 | For instance, the B<-reqexts> CLI option may refer to a section in the |
1338 | configuration file defining X.509 extensions to use in certificate requests, | |
79a2bccd | 1339 | such as C<v3_req> in F<openssl/apps/openssl.cnf>: |
8d9a4d83 | 1340 | |
ebc1e8fc | 1341 | openssl cmp -section insta,cr -reqexts v3_req |
1342 | |
1343 | =head2 Certificate enrollment | |
1344 | ||
6bbff162 | 1345 | The following examples do not make use of a configuration file at first. |
8d9a4d83 | 1346 | They assume that a CMP server can be contacted on the local TCP port 80 |
8b22c283 | 1347 | and accepts requests under the alias I</pkix/>. |
8d9a4d83 | 1348 | |
6bbff162 | 1349 | For enrolling its very first certificate the client generates a client key |
1350 | and sends an initial request message to the local CMP server |
1351 | using a pre-shared secret key for mutual authentication. | |
1352 | In this example the client does not have the CA certificate yet, | |
1353 | so we specify the name of the CA with the B<-recipient> option | |
1354 | and save any CA certificates that we may receive in the C<capubs.pem> file. | |
1355 | ||
6bbff162 | 1356 | In the command-line usage examples below, the C<\> at line ends is used just
1357 | for formatting; each of the command invocations should be on a single line. |
1358 | ||
1359 | openssl genrsa -out cl_key.pem | |
1360 | openssl cmp -cmd ir -server 127.0.0.1:80/pkix/ -recipient "/CN=CMPserver" \ |
1361 | -ref 1234 -secret pass:1234-5678 \ | |
1362 | -newkey cl_key.pem -subject "/CN=MyName" \ |
1363 | -cacertsout capubs.pem -certout cl_cert.pem | |
1364 | ||
1365 | =head2 Certificate update |
1366 | ||
1367 | Then, when the client certificate and its related key pair need to be updated, | |
1368 | the client can send a key update request taking the certs in C<capubs.pem> | |
1369 | as trusted for authenticating the server and using the previous cert and key | |
1370 | for its own authentication. | |
1371 | Then it can start using the new cert and key. | |
1372 | ||
1373 | openssl genrsa -out cl_key_new.pem | |
d99c8667 | 1374 | openssl cmp -cmd kur -server 127.0.0.1:80/pkix/ \ |
1375 | -trusted capubs.pem \ |
1376 | -cert cl_cert.pem -key cl_key.pem \ | |
1377 | -newkey cl_key_new.pem -certout cl_cert.pem | |
1378 | cp cl_key_new.pem cl_key.pem | |
1379 | ||
89ed128d | 1380 | This command sequence can be repeated as often as needed. |
8d9a4d83 | 1381 | |
1382 | =head2 Requesting information from CMP server |
1383 | ||
1384 | Requesting "all relevant information" with an empty General Message. | |
1385 | This prints information about all received ITAV B<infoType>s to stdout. | |
1386 | ||
1387 | openssl cmp -cmd genm -server 127.0.0.1/pkix/ -recipient "/CN=CMPserver" \ |
1388 | -ref 1234 -secret pass:1234-5678 | |
8d9a4d83 | 1389 | |
1390 | =head2 Using a custom configuration file |
1391 | ||
1392 | For CMP client invocations, in particular for certificate enrollment, | |
1393 | usually many parameters need to be set, which is tedious and error-prone to do | |
1394 | on the command line. | |
8c1cbc72 | 1395 | Therefore, the client offers the possibility to read |
79a2bccd | 1396 | options from sections of the OpenSSL config file, usually called F<openssl.cnf>. |
1397 | The values found there can still be extended and even overridden by any |
1398 | subsequently loaded sections and on the command line. | |
1399 | ||
1400 | After including in the configuration file the following sections: | |
1401 | ||
1402 | [cmp] | |
1403 | server = 127.0.0.1 | |
1404 | path = pkix/ | |
1405 | trusted = capubs.pem | |
1406 | cert = cl_cert.pem | |
1407 | key = cl_key.pem | |
1408 | newkey = cl_key.pem | |
1409 | certout = cl_cert.pem | |
1410 | ||
6bbff162 | 1411 | [init] |
1412 | recipient = "/CN=CMPserver" |
1413 | trusted = | |
1414 | cert = | |
1415 | key = | |
1416 | ref = 1234 | |
1417 | secret = pass:1234-5678-1234-567 | |
1418 | subject = "/CN=MyName" | |
1419 | cacertsout = capubs.pem | |
1420 | ||
6bbff162 | 1421 | the above enrollment transactions reduce to |
8d9a4d83 | 1422 | |
6bbff162 | 1423 | openssl cmp -section cmp,init |
1424 | openssl cmp -cmd kur -newkey cl_key_new.pem |
1425 | ||
6bbff162 | 1426 | and the above transaction using a general message reduces to |
8d9a4d83 | 1427 | |
6bbff162 | 1428 | openssl cmp -section cmp,init -cmd genm |
1429 | |
1430 | =head1 SEE ALSO | |
1431 | ||
1432 | L<openssl-genrsa(1)>, L<openssl-ecparam(1)>, L<openssl-list(1)>, | |
1433 | L<openssl-req(1)>, L<openssl-x509(1)>, L<x509v3_config(5)> | |
1434 | ||
1435 | =head1 HISTORY |
1436 | ||
1437 | The B<cmp> application was added in OpenSSL 3.0. | |
1438 | ||
1439 | The B<-engine> option was deprecated in OpenSSL 3.0. |
1440 | ||
1441 | The B<-profile> option was added in OpenSSL 3.3. | |
f91d003a | 1442 | |
1443 | =head1 COPYRIGHT |
1444 | ||
b6461792 | 1445 | Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. |
8d9a4d83 | 1446 | |
75850738 | 1447 | Licensed under the Apache License 2.0 (the "License"). You may not use |
1448 | this file except in compliance with the License. You can obtain a copy |
1449 | in the file LICENSE in the source distribution or at | |
1450 | L<https://www.openssl.org/source/license.html>. | |
1451 | ||
1452 | =cut |