=pod =head1 NAME openssl-x509, x509 - Certificate display and signing utility =head1 SYNOPSIS B B [B<-help>] [B<-inform DER|PEM>] [B<-outform DER|PEM>] [B<-keyform DER|PEM>] [B<-CAform DER|PEM>] [B<-CAkeyform DER|PEM>] [B<-in filename>] [B<-out filename>] [B<-serial>] [B<-hash>] [B<-subject_hash>] [B<-issuer_hash>] [B<-ocspid>] [B<-subject>] [B<-issuer>] [B<-nameopt option>] [B<-email>] [B<-ocsp_uri>] [B<-startdate>] [B<-enddate>] [B<-purpose>] [B<-dates>] [B<-checkend num>] [B<-modulus>] [B<-pubkey>] [B<-fingerprint>] [B<-alias>] [B<-noout>] [B<-trustout>] [B<-clrtrust>] [B<-clrreject>] [B<-addtrust arg>] [B<-addreject arg>] [B<-setalias arg>] [B<-days arg>] [B<-set_serial n>] [B<-signkey filename>] [B<-passin arg>] [B<-x509toreq>] [B<-req>] [B<-CA filename>] [B<-CAkey filename>] [B<-CAcreateserial>] [B<-CAserial filename>] [B<-force_pubkey filename>] [B<-text>] [B<-ext extensions>] [B<-certopt option>] [B<-C>] [B<-I>] [B<-clrext>] [B<-extfile filename>] [B<-extensions section>] [B<-rand file...>] [B<-writerand file>] [B<-engine id>] [B<-preserve_dates>] =head1 DESCRIPTION The B command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings. Since there are a large number of options they will split up into various sections. =head1 OPTIONS =head2 Input, Output, and General Purpose Options =over 4 =item B<-help> Print out a usage message. =item B<-inform DER|PEM> This specifies the input format normally the command will expect an X509 certificate but this can change if other options such as B<-req> are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines added. The default format is PEM. =item B<-outform DER|PEM> This specifies the output format, the options have the same meaning and default as the B<-inform> option. =item B<-in filename> This specifies the input filename to read a certificate from or standard input if this option is not specified. =item B<-out filename> This specifies the output filename to write to or standard output by default. =item B<-I> The digest to use. This affects any signing or display option that uses a message digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. Any digest supported by the OpenSSL B command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. =item B<-rand file...> A file or files containing random data used to seed the random number generator. Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. =item [B<-writerand file>] Writes random data to the specified I upon exit. This can be used with a subsequent B<-rand> flag. =item B<-engine id> Specifying an engine (by its unique B string) will cause B to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. =item B<-preserve_dates> When signing a certificate, preserve the "notBefore" and "notAfter" dates instead of adjusting them to current time and duration. Cannot be used with the B<-days> option. =back =head2 Display Options Note: the B<-alias> and B<-purpose> options are also display options but are described in the B section. =over 4 =item B<-text> Prints out the certificate in text form. Full details are output including the public key, signature algorithms, issuer and subject names, serial number any extensions present and any trust settings. =item B<-ext extensions> Prints out the certificate extensions in text form. Extensions are specified with a comma separated string, e.g., "subjectAltName,subjectKeyIdentifier". See the L manual page for the extension names. =item B<-certopt option> Customise the output format used with B<-text>. The B