]>
Commit | Line | Data |
---|---|---|
aba3e65f DSH |
1 | |
2 | =pod | |
3 | ||
4 | =head1 NAME | |
5 | ||
cc5ba6a7 | 6 | req - PKCS#10 certificate request and certificate generating utility. |
aba3e65f DSH |
7 | |
8 | =head1 SYNOPSIS | |
9 | ||
10 | B<openssl> B<req> | |
11 | [B<-inform PEM|DER>] | |
12 | [B<-outform PEM|DER>] | |
13 | [B<-in filename>] | |
a3fe382e | 14 | [B<-passin arg>] |
aba3e65f | 15 | [B<-out filename>] |
a3fe382e | 16 | [B<-passout arg>] |
aba3e65f | 17 | [B<-text>] |
21a85f19 | 18 | [B<-pubkey>] |
aba3e65f DSH |
19 | [B<-noout>] |
20 | [B<-verify>] | |
21 | [B<-modulus>] | |
22 | [B<-new>] | |
fb0b844a | 23 | [B<-rand file(s)>] |
aba3e65f DSH |
24 | [B<-newkey rsa:bits>] |
25 | [B<-newkey dsa:file>] | |
26 | [B<-nodes>] | |
27 | [B<-key filename>] | |
28 | [B<-keyform PEM|DER>] | |
29 | [B<-keyout filename>] | |
30 | [B<-[md5|sha1|md2|mdc2]>] | |
31 | [B<-config filename>] | |
bad40585 | 32 | [B<-subj arg>] |
aba3e65f DSH |
33 | [B<-x509>] |
34 | [B<-days n>] | |
cc5ba6a7 | 35 | [B<-set_serial n>] |
8a208cba DSH |
36 | [B<-asn1-kludge>] |
37 | [B<-newhdr>] | |
aba3e65f DSH |
38 | [B<-extensions section>] |
39 | [B<-reqexts section>] | |
1fc6d41b | 40 | [B<-utf8>] |
bad40585 BM |
41 | [B<-batch>] |
42 | [B<-verbose>] | |
aba3e65f DSH |
43 | |
44 | =head1 DESCRIPTION | |
45 | ||
46 | The B<req> command primarily creates and processes certificate requests | |
47 | in PKCS#10 format. It can additionally create self signed certificates | |
48 | for use as root CAs for example. | |
49 | ||
50 | =head1 COMMAND OPTIONS | |
51 | ||
52 | =over 4 | |
53 | ||
54 | =item B<-inform DER|PEM> | |
55 | ||
56 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded | |
57 | form compatible with the PKCS#10. The B<PEM> form is the default format: it | |
58 | consists of the B<DER> format base64 encoded with additional header and | |
59 | footer lines. | |
60 | ||
61 | =item B<-outform DER|PEM> | |
62 | ||
63 | This specifies the output format, the options have the same meaning as the | |
64 | B<-inform> option. | |
65 | ||
66 | =item B<-in filename> | |
67 | ||
68 | This specifies the input filename to read a request from or standard input | |
69 | if this option is not specified. A request is only read if the creation | |
70 | options (B<-new> and B<-newkey>) are not specified. | |
71 | ||
a3fe382e | 72 | =item B<-passin arg> |
20432eae | 73 | |
a3fe382e DSH |
74 | the input file password source. For more information about the format of B<arg> |
75 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | |
20432eae | 76 | |
aba3e65f DSH |
77 | =item B<-out filename> |
78 | ||
79 | This specifies the output filename to write to or standard output by | |
80 | default. | |
81 | ||
a3fe382e | 82 | =item B<-passout arg> |
20432eae | 83 | |
a3fe382e DSH |
84 | the output file password source. For more information about the format of B<arg> |
85 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | |
20432eae | 86 | |
aba3e65f DSH |
87 | =item B<-text> |
88 | ||
89 | prints out the certificate request in text form. | |
90 | ||
21a85f19 DSH |
91 | =item B<-pubkey> |
92 | ||
93 | outputs the public key. | |
94 | ||
aba3e65f DSH |
95 | =item B<-noout> |
96 | ||
97 | this option prevents output of the encoded version of the request. | |
98 | ||
99 | =item B<-modulus> | |
100 | ||
101 | this option prints out the value of the modulus of the public key | |
102 | contained in the request. | |
103 | ||
104 | =item B<-verify> | |
105 | ||
106 | verifies the signature on the request. | |
107 | ||
108 | =item B<-new> | |
109 | ||
110 | this option generates a new certificate request. It will prompt | |
111 | the user for the relevant field values. The actual fields | |
112 | prompted for and their maximum and minimum sizes are specified | |
113 | in the configuration file and any requested extensions. | |
114 | ||
115 | If the B<-key> option is not used it will generate a new RSA private | |
116 | key using information specified in the configuration file. | |
117 | ||
fb0b844a RL |
118 | =item B<-rand file(s)> |
119 | ||
120 | a file or files containing random data used to seed the random number | |
121 | generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | |
122 | Multiple files can be specified separated by a OS-dependent character. | |
123 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | |
124 | all others. | |
125 | ||
aba3e65f DSH |
126 | =item B<-newkey arg> |
127 | ||
128 | this option creates a new certificate request and a new private | |
129 | key. The argument takes one of two forms. B<rsa:nbits>, where | |
130 | B<nbits> is the number of bits, generates an RSA key B<nbits> | |
131 | in size. B<dsa:filename> generates a DSA key using the parameters | |
132 | in the file B<filename>. | |
133 | ||
134 | =item B<-key filename> | |
135 | ||
136 | This specifies the file to read the private key from. It also | |
137 | accepts PKCS#8 format private keys for PEM format files. | |
138 | ||
139 | =item B<-keyform PEM|DER> | |
140 | ||
141 | the format of the private key file specified in the B<-key> | |
142 | argument. PEM is the default. | |
143 | ||
144 | =item B<-keyout filename> | |
145 | ||
146 | this gives the filename to write the newly created private key to. | |
147 | If this option is not specified then the filename present in the | |
148 | configuration file is used. | |
149 | ||
150 | =item B<-nodes> | |
151 | ||
152 | if this option is specified then if a private key is created it | |
153 | will not be encrypted. | |
154 | ||
155 | =item B<-[md5|sha1|md2|mdc2]> | |
156 | ||
157 | this specifies the message digest to sign the request with. This | |
158 | overrides the digest algorithm specified in the configuration file. | |
b38f9f66 | 159 | This option is ignored for DSA requests: they always use SHA1. |
aba3e65f DSH |
160 | |
161 | =item B<-config filename> | |
162 | ||
163 | this allows an alternative configuration file to be specified, | |
164 | this overrides the compile time filename or any specified in | |
165 | the B<OPENSSL_CONF> environment variable. | |
166 | ||
bad40585 BM |
167 | =item B<-subj arg> |
168 | ||
169 | sets subject name for new request or supersedes the subject name | |
170 | when processing a request. | |
171 | ||
aba3e65f DSH |
172 | =item B<-x509> |
173 | ||
174 | this option outputs a self signed certificate instead of a certificate | |
175 | request. This is typically used to generate a test certificate or | |
176 | a self signed root CA. The extensions added to the certificate | |
cc5ba6a7 DSH |
177 | (if any) are specified in the configuration file. Unless specified |
178 | using the B<set_serial> option B<0> will be used for the serial | |
179 | number. | |
aba3e65f DSH |
180 | |
181 | =item B<-days n> | |
182 | ||
183 | when the B<-x509> option is being used this specifies the number of | |
184 | days to certify the certificate for. The default is 30 days. | |
185 | ||
cc5ba6a7 DSH |
186 | =item B<-set_serial n> |
187 | ||
3b80e3aa | 188 | serial number to use when outputting a self signed certificate. This |
cc5ba6a7 DSH |
189 | may be specified as a decimal value or a hex value if preceded by B<0x>. |
190 | It is possible to use negative serial numbers but this is not recommended. | |
191 | ||
aba3e65f | 192 | =item B<-extensions section> |
fbecbc8c | 193 | |
aba3e65f DSH |
194 | =item B<-reqexts section> |
195 | ||
196 | these options specify alternative sections to include certificate | |
197 | extensions (if the B<-x509> option is present) or certificate | |
198 | request extensions. This allows several different sections to | |
199 | be used in the same configuration file to specify requests for | |
200 | a variety of purposes. | |
201 | ||
1fc6d41b DSH |
202 | =item B<-utf8> |
203 | ||
204 | this option causes field values to be interpreted as UTF8 strings, by | |
205 | default they are interpreted as ASCII. This means that the field | |
206 | values, whether prompted from a terminal or obtained from a | |
207 | configuration file, must be valid UTF8 strings. | |
208 | ||
aba3e65f DSH |
209 | =item B<-asn1-kludge> |
210 | ||
211 | by default the B<req> command outputs certificate requests containing | |
212 | no attributes in the correct PKCS#10 format. However certain CAs will only | |
213 | accept requests containing no attributes in an invalid form: this | |
214 | option produces this invalid format. | |
215 | ||
216 | More precisely the B<Attributes> in a PKCS#10 certificate request | |
217 | are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so | |
218 | if no attributes are present then they should be encoded as an | |
219 | empty B<SET OF>. The invalid form does not include the empty | |
220 | B<SET OF> whereas the correct form does. | |
221 | ||
222 | It should be noted that very few CAs still require the use of this option. | |
223 | ||
8a208cba DSH |
224 | =item B<-newhdr> |
225 | ||
226 | Adds the word B<NEW> to the PEM file header and footer lines on the outputed | |
227 | request. Some software (Netscape certificate server) and some CAs need this. | |
228 | ||
bad40585 BM |
229 | =item B<-batch> |
230 | ||
231 | non-interactive mode. | |
232 | ||
233 | =item B<-verbose> | |
234 | ||
235 | print extra details about the operations being performed. | |
236 | ||
aba3e65f DSH |
237 | =back |
238 | ||
239 | =head1 CONFIGURATION FILE FORMAT | |
240 | ||
19d2bb57 | 241 | The configuration options are specified in the B<req> section of |
aba3e65f DSH |
242 | the configuration file. As with all configuration files if no |
243 | value is specified in the specific section (i.e. B<req>) then | |
244 | the initial unnamed or B<default> section is searched too. | |
245 | ||
246 | The options available are described in detail below. | |
247 | ||
248 | =over 4 | |
249 | ||
b38f9f66 DSH |
250 | =item B<input_password output_password> |
251 | ||
252 | The passwords for the input private key file (if present) and | |
253 | the output private key file (if one will be created). The | |
a3fe382e DSH |
254 | command line options B<passin> and B<passout> override the |
255 | configuration file values. | |
b38f9f66 | 256 | |
aba3e65f DSH |
257 | =item B<default_bits> |
258 | ||
259 | This specifies the default key size in bits. If not specified then | |
260 | 512 is used. It is used if the B<-new> option is used. It can be | |
19d2bb57 | 261 | overridden by using the B<-newkey> option. |
aba3e65f DSH |
262 | |
263 | =item B<default_keyfile> | |
264 | ||
265 | This is the default filename to write a private key to. If not | |
266 | specified the key is written to standard output. This can be | |
19d2bb57 | 267 | overridden by the B<-keyout> option. |
aba3e65f DSH |
268 | |
269 | =item B<oid_file> | |
270 | ||
271 | This specifies a file containing additional B<OBJECT IDENTIFIERS>. | |
272 | Each line of the file should consist of the numerical form of the | |
273 | object identifier followed by white space then the short name followed | |
274 | by white space and finally the long name. | |
275 | ||
276 | =item B<oid_section> | |
277 | ||
278 | This specifies a section in the configuration file containing extra | |
5e76807b DSH |
279 | object identifiers. Each line should consist of the short name of the |
280 | object identifier followed by B<=> and the numerical form. The short | |
aba3e65f DSH |
281 | and long names are the same when this option is used. |
282 | ||
283 | =item B<RANDFILE> | |
284 | ||
285 | This specifies a filename in which random number seed information is | |
a4cfd178 UM |
286 | placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
287 | It is used for private key generation. | |
aba3e65f | 288 | |
b38f9f66 | 289 | =item B<encrypt_key> |
aba3e65f DSH |
290 | |
291 | If this is set to B<no> then if a private key is generated it is | |
292 | B<not> encrypted. This is equivalent to the B<-nodes> command line | |
6e6bc352 | 293 | option. For compatibility B<encrypt_rsa_key> is an equivalent option. |
aba3e65f DSH |
294 | |
295 | =item B<default_md> | |
296 | ||
297 | This option specifies the digest algorithm to use. Possible values | |
298 | include B<md5 sha1 mdc2>. If not present then MD5 is used. This | |
299 | option can be overridden on the command line. | |
300 | ||
b38f9f66 | 301 | =item B<string_mask> |
aba3e65f | 302 | |
b38f9f66 DSH |
303 | This option masks out the use of certain string types in certain |
304 | fields. Most users will not need to change this option. | |
aba3e65f DSH |
305 | |
306 | It can be set to several values B<default> which is also the default | |
307 | option uses PrintableStrings, T61Strings and BMPStrings if the | |
308 | B<pkix> value is used then only PrintableStrings and BMPStrings will | |
309 | be used. This follows the PKIX recommendation in RFC2459. If the | |
310 | B<utf8only> option is used then only UTF8Strings will be used: this | |
b38f9f66 | 311 | is the PKIX recommendation in RFC2459 after 2003. Finally the B<nombstr> |
aba3e65f | 312 | option just uses PrintableStrings and T61Strings: certain software has |
b38f9f66 | 313 | problems with BMPStrings and UTF8Strings: in particular Netscape. |
aba3e65f DSH |
314 | |
315 | =item B<req_extensions> | |
316 | ||
317 | this specifies the configuration file section containing a list of | |
318 | extensions to add to the certificate request. It can be overridden | |
319 | by the B<-reqexts> command line switch. | |
320 | ||
321 | =item B<x509_extensions> | |
322 | ||
323 | this specifies the configuration file section containing a list of | |
324 | extensions to add to certificate generated when the B<-x509> switch | |
325 | is used. It can be overridden by the B<-extensions> command line switch. | |
326 | ||
6e6bc352 DSH |
327 | =item B<prompt> |
328 | ||
329 | if set to the value B<no> this disables prompting of certificate fields | |
330 | and just takes values from the config file directly. It also changes the | |
331 | expected format of the B<distinguished_name> and B<attributes> sections. | |
332 | ||
1fc6d41b DSH |
333 | =item B<utf8> |
334 | ||
335 | if set to the value B<yes> then field values to be interpreted as UTF8 | |
336 | strings, by default they are interpreted as ASCII. This means that | |
337 | the field values, whether prompted from a terminal or obtained from a | |
338 | configuration file, must be valid UTF8 strings. | |
339 | ||
aba3e65f DSH |
340 | =item B<attributes> |
341 | ||
342 | this specifies the section containing any request attributes: its format | |
6e6bc352 DSH |
343 | is the same as B<distinguished_name>. Typically these may contain the |
344 | challengePassword or unstructuredName types. They are currently ignored | |
345 | by OpenSSL's request signing utilities but some CAs might want them. | |
aba3e65f DSH |
346 | |
347 | =item B<distinguished_name> | |
348 | ||
19d2bb57 | 349 | This specifies the section containing the distinguished name fields to |
6e6bc352 DSH |
350 | prompt for when generating a certificate or certificate request. The format |
351 | is described in the next section. | |
352 | ||
353 | =back | |
354 | ||
355 | =head1 DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT | |
356 | ||
357 | There are two separate formats for the distinguished name and attribute | |
358 | sections. If the B<prompt> option is set to B<no> then these sections | |
359 | just consist of field names and values: for example, | |
aba3e65f | 360 | |
6e6bc352 DSH |
361 | CN=My Name |
362 | OU=My Organization | |
657e60fa | 363 | emailAddress=someone@somewhere.org |
6e6bc352 DSH |
364 | |
365 | This allows external programs (e.g. GUI based) to generate a template file | |
366 | with all the field names and values and just pass it to B<req>. An example | |
8a208cba | 367 | of this kind of configuration file is contained in the B<EXAMPLES> section. |
6e6bc352 | 368 | |
8a208cba | 369 | Alternatively if the B<prompt> option is absent or not set to B<no> then the |
6e6bc352 DSH |
370 | file contains field prompting information. It consists of lines of the form: |
371 | ||
372 | fieldName="prompt" | |
373 | fieldName_default="default field value" | |
374 | fieldName_min= 2 | |
375 | fieldName_max= 4 | |
aba3e65f | 376 | |
20432eae | 377 | "fieldName" is the field name being used, for example commonName (or CN). |
19d2bb57 | 378 | The "prompt" string is used to ask the user to enter the relevant |
aba3e65f DSH |
379 | details. If the user enters nothing then the default value is used if no |
380 | default value is present then the field is omitted. A field can | |
381 | still be omitted if a default value is present if the user just | |
382 | enters the '.' character. | |
383 | ||
384 | The number of characters entered must be between the fieldName_min and | |
385 | fieldName_max limits: there may be additional restrictions based | |
386 | on the field being used (for example countryName can only ever be | |
387 | two characters long and must fit in a PrintableString). | |
388 | ||
389 | Some fields (such as organizationName) can be used more than once | |
390 | in a DN. This presents a problem because configuration files will | |
6e6bc352 | 391 | not recognize the same name occurring twice. To avoid this problem |
8a208cba | 392 | if the fieldName contains some characters followed by a full stop |
aba3e65f DSH |
393 | they will be ignored. So for example a second organizationName can |
394 | be input by calling it "1.organizationName". | |
395 | ||
396 | The actual permitted field names are any object identifier short or | |
397 | long names. These are compiled into OpenSSL and include the usual | |
398 | values such as commonName, countryName, localityName, organizationName, | |
399 | organizationUnitName, stateOrPrivinceName. Additionally emailAddress | |
8a208cba | 400 | is include as well as name, surname, givenName initials and dnQualifier. |
aba3e65f DSH |
401 | |
402 | Additional object identifiers can be defined with the B<oid_file> or | |
403 | B<oid_section> options in the configuration file. Any additional fields | |
404 | will be treated as though they were a DirectoryString. | |
405 | ||
af29811e | 406 | |
aba3e65f DSH |
407 | =head1 EXAMPLES |
408 | ||
409 | Examine and verify certificate request: | |
410 | ||
5e76807b | 411 | openssl req -in req.pem -text -verify -noout |
aba3e65f DSH |
412 | |
413 | Create a private key and then generate a certificate request from it: | |
414 | ||
5e76807b DSH |
415 | openssl genrsa -out key.pem 1024 |
416 | openssl req -new -key key.pem -out req.pem | |
aba3e65f DSH |
417 | |
418 | The same but just using req: | |
419 | ||
5e76807b | 420 | openssl req -newkey rsa:1024 -keyout key.pem -out req.pem |
aba3e65f DSH |
421 | |
422 | Generate a self signed root certificate: | |
423 | ||
5e76807b DSH |
424 | openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem |
425 | ||
426 | Example of a file pointed to by the B<oid_file> option: | |
427 | ||
428 | 1.2.3.4 shortName A longer Name | |
429 | 1.2.3.6 otherName Other longer Name | |
430 | ||
431 | Example of a section pointed to by B<oid_section> making use of variable | |
432 | expansion: | |
433 | ||
434 | testoid1=1.2.3.5 | |
435 | testoid2=${testoid1}.6 | |
436 | ||
6e6bc352 | 437 | Sample configuration file prompting for field values: |
5e76807b DSH |
438 | |
439 | [ req ] | |
440 | default_bits = 1024 | |
441 | default_keyfile = privkey.pem | |
442 | distinguished_name = req_distinguished_name | |
443 | attributes = req_attributes | |
444 | x509_extensions = v3_ca | |
445 | ||
446 | dirstring_type = nobmp | |
447 | ||
448 | [ req_distinguished_name ] | |
449 | countryName = Country Name (2 letter code) | |
450 | countryName_default = AU | |
6e6bc352 DSH |
451 | countryName_min = 2 |
452 | countryName_max = 2 | |
5e76807b DSH |
453 | |
454 | localityName = Locality Name (eg, city) | |
455 | ||
456 | organizationalUnitName = Organizational Unit Name (eg, section) | |
457 | ||
458 | commonName = Common Name (eg, YOUR name) | |
459 | commonName_max = 64 | |
460 | ||
461 | emailAddress = Email Address | |
462 | emailAddress_max = 40 | |
463 | ||
464 | [ req_attributes ] | |
465 | challengePassword = A challenge password | |
466 | challengePassword_min = 4 | |
467 | challengePassword_max = 20 | |
468 | ||
469 | [ v3_ca ] | |
470 | ||
471 | subjectKeyIdentifier=hash | |
472 | authorityKeyIdentifier=keyid:always,issuer:always | |
473 | basicConstraints = CA:true | |
aba3e65f | 474 | |
6e6bc352 DSH |
475 | Sample configuration containing all field values: |
476 | ||
477 | ||
478 | RANDFILE = $ENV::HOME/.rnd | |
479 | ||
480 | [ req ] | |
481 | default_bits = 1024 | |
482 | default_keyfile = keyfile.pem | |
483 | distinguished_name = req_distinguished_name | |
484 | attributes = req_attributes | |
485 | prompt = no | |
486 | output_password = mypass | |
487 | ||
488 | [ req_distinguished_name ] | |
489 | C = GB | |
490 | ST = Test State or Province | |
491 | L = Test Locality | |
492 | O = Organization Name | |
493 | OU = Organizational Unit Name | |
494 | CN = Common Name | |
495 | emailAddress = test@email.address | |
496 | ||
497 | [ req_attributes ] | |
498 | challengePassword = A challenge password | |
499 | ||
500 | ||
aba3e65f DSH |
501 | =head1 NOTES |
502 | ||
8a208cba | 503 | The header and footer lines in the B<PEM> format are normally: |
0286d944 DSH |
504 | |
505 | -----BEGIN CERTIFICATE REQUEST---- | |
506 | -----END CERTIFICATE REQUEST---- | |
507 | ||
508 | some software (some versions of Netscape certificate server) instead needs: | |
509 | ||
510 | -----BEGIN NEW CERTIFICATE REQUEST---- | |
511 | -----END NEW CERTIFICATE REQUEST---- | |
512 | ||
8a208cba DSH |
513 | which is produced with the B<-newhdr> option but is otherwise compatible. |
514 | Either form is accepted transparently on input. | |
aba3e65f DSH |
515 | |
516 | The certificate requests generated by B<Xenroll> with MSIE have extensions | |
517 | added. It includes the B<keyUsage> extension which determines the type of | |
518 | key (signature only or general purpose) and any additional OIDs entered | |
519 | by the script in an extendedKeyUsage extension. | |
520 | ||
521 | =head1 DIAGNOSTICS | |
522 | ||
523 | The following messages are frequently asked about: | |
524 | ||
525 | Using configuration from /some/path/openssl.cnf | |
526 | Unable to load config info | |
527 | ||
528 | This is followed some time later by... | |
529 | ||
530 | unable to find 'distinguished_name' in config | |
531 | problems making Certificate Request | |
532 | ||
533 | The first error message is the clue: it can't find the configuration | |
534 | file! Certain operations (like examining a certificate request) don't | |
535 | need a configuration file so its use isn't enforced. Generation of | |
19d2bb57 | 536 | certificates or requests however does need a configuration file. This |
aba3e65f DSH |
537 | could be regarded as a bug. |
538 | ||
539 | Another puzzling message is this: | |
540 | ||
541 | Attributes: | |
542 | a0:00 | |
543 | ||
544 | this is displayed when no attributes are present and the request includes | |
545 | the correct empty B<SET OF> structure (the DER encoding of which is 0xa0 | |
546 | 0x00). If you just see: | |
547 | ||
548 | Attributes: | |
549 | ||
550 | then the B<SET OF> is missing and the encoding is technically invalid (but | |
551 | it is tolerated). See the description of the command line option B<-asn1-kludge> | |
552 | for more information. | |
553 | ||
554 | =head1 ENVIRONMENT VARIABLES | |
555 | ||
556 | The variable B<OPENSSL_CONF> if defined allows an alternative configuration | |
557 | file location to be specified, it will be overridden by the B<-config> command | |
19d2bb57 | 558 | line switch if it is present. For compatibility reasons the B<SSLEAY_CONF> |
aba3e65f DSH |
559 | environment variable serves the same purpose but its use is discouraged. |
560 | ||
561 | =head1 BUGS | |
562 | ||
19d2bb57 UM |
563 | OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively |
564 | treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. | |
aba3e65f DSH |
565 | This can cause problems if you need characters that aren't available in |
566 | PrintableStrings and you don't want to or can't use BMPStrings. | |
567 | ||
568 | As a consequence of the T61String handling the only correct way to represent | |
569 | accented characters in OpenSSL is to use a BMPString: unfortunately Netscape | |
570 | currently chokes on these. If you have to use accented characters with Netscape | |
571 | and MSIE then you currently need to use the invalid T61String form. | |
572 | ||
6e6bc352 DSH |
573 | The current prompting is not very friendly. It doesn't allow you to confirm what |
574 | you've just entered. Other things like extensions in certificate requests are | |
575 | statically defined in the configuration file. Some of these: like an email | |
576 | address in subjectAltName should be input by the user. | |
aba3e65f DSH |
577 | |
578 | =head1 SEE ALSO | |
579 | ||
bb075f88 RL |
580 | L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, |
581 | L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)> | |
aba3e65f DSH |
582 | |
583 | =cut |