From: Dr. Stephen Henson Date: Fri, 12 Nov 1999 01:04:39 +0000 (+0000) Subject: More docs and corrections/updates X-Git-Tag: OpenSSL_0_9_5beta1~447 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5e76807bbdfc566b21ac1686b1cb307112ae4dc2;p=openssl More docs and corrections/updates --- diff --git a/doc/man/ca.pod b/doc/man/ca.pod index 93baab13ab..fbc4cbac9a 100644 --- a/doc/man/ca.pod +++ b/doc/man/ca.pod @@ -202,6 +202,20 @@ any) used. =over 4 +=item B + +This specifies a file containing additional B. +Each line of the file should consist of the numerical form of the +object identifier followed by white space then the short name followed +by white space and finally the long name. + +=item B + +This specifies a section in the configuration file containing extra +object identifiers. Each line should consist of the short name of the +object identifier followed by B<=> and the numerical form. The short +and long names are the same when this option is used. + =item B the same as the B<-outdir> command line option. It specifies diff --git a/doc/man/crl2pkcs7.pod b/doc/man/crl2pkcs7.pod new file mode 100644 index 0000000000..ad749ed0c3 --- /dev/null +++ b/doc/man/crl2pkcs7.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates. + +=head1 SYNOPSIS + +B B +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] +[B<-in filename>] +[B<-out filename>] +[B<-print_certs>] + +=head1 DESCRIPTION + +The B command takes an optional CRL and one or more +certificates and converts them into a PKCS#7 degenerate "certificates +only" structure. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B<-inform DER|PEM> + +This specifies the CRL input format. B format is DER encoded CRL +structure.B (the default) is a base64 encoded version of +the DER form with header and footer lines. + +=item B<-outform DER|PEM> + +This specifies the PKCS#7 structure output format. B format is DER +encoded PKCS#7 structure.B (the default) is a base64 encoded version of +the DER form with header and footer lines. + +=item B<-in filename> + +This specifies the input filename to read a CRL from or standard input if this +option is not specified. + +=item B<-out filename> + +specifies the output filename to write the PKCS#7 structure to or standard +output by default. + +=item B<-certfile filename> + +specifies a filename containing one or more certificates in B format. +All certificates in the file will be added to the PKCS#7 structure. This +option can be used more than once to read certificates form multiple +files. + +=item B<-nocrl> + +normally a CRL is included in the output file. With this option no CRL is +included in the output file and a CRL is not read from the input file. + +=back + +=head1 EXAMPLES + +Create a PKCS#7 structure from a certificate and CRL: + + openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem + +Creates a PKCS#7 structure in DER format with no CRL from several +different certificates: + + openssl crl2pkcs7 -nocrl -certfile newcert.pem + -certfile demoCA/cacert.pem -outform DER -out p7.der + +=head1 NOTES + +The output file is a PKCS#7 signed data structure containing no signers and +just certificates and an optional CRL. + +This utility can be used to send certificates and CAs to Netscape as part of +the certificate enrollment process. This involves sending the DER encoded output +as MIME type application/x-x509-user-cert. + +The B encoded form with the header and footer lines removed can be used to +install user certificates and CAs in MSIE using the Xenroll control. + +=head1 SEE ALSO + +pkcs7(1) + +=cut diff --git a/doc/man/pkcs7.pod b/doc/man/pkcs7.pod new file mode 100644 index 0000000000..bacd05efe1 --- /dev/null +++ b/doc/man/pkcs7.pod @@ -0,0 +1,73 @@ +=pod + +=head1 NAME + +pkcs7 - PKCS#7 utility + +=head1 SYNOPSIS + +B B +[B<-inform PEM|DER>] +[B<-outform PEM|DER>] +[B<-in filename>] +[B<-out filename>] +[B<-print_certs>] + +=head1 DESCRIPTION + +The B command processes PKCS#7 files in DER or PEM format. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B<-inform DER|PEM> + +This specifies the input format. B format is DER encoded PKCS#7 +v1.5 structure.B (the default) is a base64 encoded version of +the DER form with header and footer lines. + +=item B<-outform DER|PEM> + +This specifies the output format, the options have the same meaning as the +B<-inform> option. + +=item B<-in filename> + +This specifies the input filename to read from or standard input if this +option is not specified. + +=item B<-out filename> + +specifies the output filename to write to or standard output by +default. + +=item B<-print_certs> + +prints out any certificates or CRLs contained in the file. They are +preceded by their subject and issuer names in one line format. + +=back + +=head1 EXAMPLES + +Convert a PKCS#7 file from PEM to DER: + + openssl pkcs7 -in file.pem -outform DER -out file.der + +Output all certificates in a file: + + openssl pkcs7 -in file.pem -print_certs -out certs.pem + +=head1 RESTRICTIONS + +There is no option to print out all the fields of a PKCS#7 file. + +This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they +cannot currently parse, for example, the new CMS as described in RFCXXXX. + +=head1 SEE ALSO + +crl2pkcs7(1) + +=cut diff --git a/doc/man/req.pod b/doc/man/req.pod index c9e7111aaf..5840013f06 100644 --- a/doc/man/req.pod +++ b/doc/man/req.pod @@ -203,8 +203,8 @@ by white space and finally the long name. =item B This specifies a section in the configuration file containing extra -object identifiers. Each line should consist of the numerical form -of the object identifier followed by B<=> and its name. The short +object identifiers. Each line should consist of the short name of the +object identifier followed by B<=> and the numerical form. The short and long names are the same when this option is used. =item B @@ -305,20 +305,69 @@ will be treated as though they were a DirectoryString. Examine and verify certificate request: -openssl req -in req.pem -text -verify -noout + openssl req -in req.pem -text -verify -noout Create a private key and then generate a certificate request from it: -openssl genrsa -out key.pem 1024 -openssl req -new -key key.pem -out req.pem + openssl genrsa -out key.pem 1024 + openssl req -new -key key.pem -out req.pem The same but just using req: -openssl req -newkey rsa:1024 -keyout key.pem -out req.pem + openssl req -newkey rsa:1024 -keyout key.pem -out req.pem Generate a self signed root certificate: -openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem + openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem + +Example of a file pointed to by the B option: + + 1.2.3.4 shortName A longer Name + 1.2.3.6 otherName Other longer Name + +Example of a section pointed to by B making use of variable +expansion: + + testoid1=1.2.3.5 + testoid2=${testoid1}.6 + +Sample configuration file: + + [ req ] + default_bits = 1024 + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes + x509_extensions = v3_ca + + dirstring_type = nobmp + + [ req_distinguished_name ] + countryName = Country Name (2 letter code) + countryName_default = AU + countryName_min = 2 + countryName_max = 2 + + localityName = Locality Name (eg, city) + + organizationalUnitName = Organizational Unit Name (eg, section) + + commonName = Common Name (eg, YOUR name) + commonName_max = 64 + + emailAddress = Email Address + emailAddress_max = 40 + + [ req_attributes ] + challengePassword = A challenge password + challengePassword_min = 4 + challengePassword_max = 20 + + [ v3_ca ] + + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer:always + basicConstraints = CA:true =head1 NOTES