diff options
-rw-r--r-- | apps/x509.c | 51 | ||||
-rw-r--r-- | doc/man1/openssl-x509.pod.in | 28 |
2 files changed, 45 insertions, 34 deletions
diff --git a/apps/x509.c b/apps/x509.c index 1108ff7ad4..163c1c8a67 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -42,7 +42,7 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, OPT_CAKEYFORM, OPT_VFYOPT, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, - OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY, + OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_KEY, OPT_SIGNKEY, OPT_CA, OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ, OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, @@ -72,8 +72,10 @@ const OPTIONS x509_options[] = { {"inform", OPT_INFORM, 'f', "CSR input file format (DER or PEM) - default PEM"}, {"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"}, + {"key", OPT_KEY, 's', + "Key to be used in certificate or cert request"}, {"signkey", OPT_SIGNKEY, 's', - "Key used to self-sign certificate or cert request"}, + "Same as -key"}, {"keyform", OPT_KEYFORM, 'E', "Key input format (ENGINE, other values ignored)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, @@ -149,7 +151,7 @@ const OPTIONS x509_options[] = { OPT_SECTION("Micro-CA"), {"CA", OPT_CA, '<', - "Use the given CA certificate, conflicts with -signkey"}, + "Use the given CA certificate, conflicts with -key"}, {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"}, {"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"}, {"CAkeyform", OPT_CAKEYFORM, 'E', @@ -244,7 +246,7 @@ int x509_main(int argc, char **argv) CONF *extconf = NULL; int ext_copy = EXT_COPY_UNSET; X509V3_CTX ext_ctx; - EVP_PKEY *signkey = NULL, *CAkey = NULL, *pubkey = NULL; + EVP_PKEY *privkey = NULL, *CAkey = NULL, *pubkey = NULL; EVP_PKEY *pkey; int newcert = 0; char *subj = NULL, *digestname = NULL; @@ -261,7 +263,7 @@ int x509_main(int argc, char **argv) char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; char *ext_names = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; - char *infile = NULL, *outfile = NULL, *signkeyfile = NULL, *CAfile = NULL; + char *infile = NULL, *outfile = NULL, *privkeyfile = NULL, *CAfile = NULL; char *prog; int days = UNSET_DAYS; /* not explicitly set */ int x509toreq = 0, modulus = 0, print_pubkey = 0, pprint = 0; @@ -374,8 +376,9 @@ int x509_main(int argc, char **argv) case OPT_EXTENSIONS: extsect = opt_arg(); break; + case OPT_KEY: case OPT_SIGNKEY: - signkeyfile = opt_arg(); + privkeyfile = opt_arg(); break; case OPT_CA: CAfile = opt_arg(); @@ -605,9 +608,9 @@ int x509_main(int argc, char **argv) "The -req option cannot be used with -new\n"); goto end; } - if (signkeyfile != NULL) { - signkey = load_key(signkeyfile, keyformat, 0, passin, e, "private key"); - if (signkey == NULL) + if (privkeyfile != NULL) { + privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key"); + if (privkey == NULL) goto end; } if (pubkeyfile != NULL) { @@ -622,9 +625,9 @@ int x509_main(int argc, char **argv) "The -new option requires a subject to be set using -subj\n"); goto end; } - if (signkeyfile == NULL && pubkeyfile == NULL) { + if (privkeyfile == NULL && pubkeyfile == NULL) { BIO_printf(bio_err, - "The -new option without -signkey requires using -force_pubkey\n"); + "The -new option without -key requires using -force_pubkey\n"); goto end; } } @@ -635,8 +638,8 @@ int x509_main(int argc, char **argv) if (CAkeyfile == NULL) CAkeyfile = CAfile; if (CAfile != NULL) { - if (signkeyfile != NULL) { - BIO_printf(bio_err, "Cannot use both -signkey and -CA option\n"); + if (privkeyfile != NULL) { + BIO_printf(bio_err, "Cannot use both -key and -CA option\n"); goto end; } } else if (CAkeyfile != NULL) { @@ -697,9 +700,9 @@ int x509_main(int argc, char **argv) BIO_printf(bio_err, "Warning: ignoring -preserve_dates option with -req or -new\n"); preserve_dates = 0; - if (signkeyfile == NULL && CAkeyfile == NULL) { + if (privkeyfile == NULL && CAkeyfile == NULL) { BIO_printf(bio_err, - "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n"); + "We need a private key to sign with, use -key or -CAkey or -CA with private key\n"); goto end; } if ((x = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) @@ -727,9 +730,9 @@ int x509_main(int argc, char **argv) && !X509_set_subject_name(x, fsubj != NULL ? fsubj : X509_REQ_get_subject_name(req))) goto end; - if ((pubkey != NULL || signkey != NULL || req != NULL) + if ((pubkey != NULL || privkey != NULL || req != NULL) && !X509_set_pubkey(x, pubkey != NULL ? pubkey : - signkey != NULL ? signkey : + privkey != NULL ? privkey : X509_REQ_get0_pubkey(req))) goto end; @@ -787,7 +790,7 @@ int x509_main(int argc, char **argv) if (sno != NULL && !X509_set_serialNumber(x, sno)) goto end; - if (reqfile || newcert || signkey != NULL || CAfile != NULL) { + if (reqfile || newcert || privkey != NULL || CAfile != NULL) { if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) goto end; if (!X509_set_issuer_name(x, X509_get_subject_name(issuer_cert))) @@ -813,15 +816,15 @@ int x509_main(int argc, char **argv) } if (x509toreq) { /* also works in conjunction with -req */ - if (signkey == NULL) { - BIO_printf(bio_err, "Must specify request key using -signkey\n"); + if (privkey == NULL) { + BIO_printf(bio_err, "Must specify request key using -key\n"); goto end; } if (clrext && ext_copy != EXT_COPY_NONE) { BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n"); goto end; } - if ((rq = x509_to_req(x, signkey, digest, sigopts, + if ((rq = x509_to_req(x, privkey, digest, sigopts, ext_copy, ext_names)) == NULL) goto end; if (!noout) { @@ -838,8 +841,8 @@ int x509_main(int argc, char **argv) } } noout = 1; - } else if (signkey != NULL) { - if (!do_X509_sign(x, signkey, digest, sigopts, &ext_ctx)) + } else if (privkey != NULL) { + if (!do_X509_sign(x, privkey, digest, sigopts, &ext_ctx)) goto end; } else if (CAfile != NULL) { if (!reqfile && !newcert) { /* certificate should be self-signed */ @@ -1030,7 +1033,7 @@ int x509_main(int argc, char **argv) X509_REQ_free(req); X509_free(x); X509_free(xca); - EVP_PKEY_free(signkey); + EVP_PKEY_free(privkey); EVP_PKEY_free(CAkey); EVP_PKEY_free(pubkey); sk_OPENSSL_STRING_free(sigopts); diff --git a/doc/man1/openssl-x509.pod.in b/doc/man1/openssl-x509.pod.in index 77c5e64ee0..7f42d45cf7 100644 --- a/doc/man1/openssl-x509.pod.in +++ b/doc/man1/openssl-x509.pod.in @@ -17,8 +17,9 @@ B<openssl> B<x509> [B<-copy_extensions> I<arg>] [B<-inform> B<DER>|B<PEM>] [B<-vfyopt> I<nm>:I<v>] -[B<-signkey> I<filename>|I<uri>] +[B<-key> I<filename>|I<uri>] [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>] +[B<-signkey> I<filename>|I<uri>] [B<-out> I<filename>] [B<-outform> B<DER>|B<PEM>] [B<-nocert>] @@ -118,13 +119,13 @@ Generate a certificate from scratch, not using an input certificate or certificate request. So the B<-in> option must not be used in this case. Instead, the B<-subj> option needs to be given. The public key to include can be given with the B<-force_pubkey> option -and defaults to the key given with the B<-signkey> option, +and defaults to the key given with the B<-key> option, which implies self-signature. =item B<-x509toreq> Output a PKCS#10 certificate request (rather than a certificate). -The B<-signkey> option must be used to provide the private key for self-signing; +The B<-key> option must be used to provide the private key for self-signing; the corresponding public key is placed in the subjectPKInfo field. X.509 extensions included in a certificate input are not copied by default. @@ -161,7 +162,7 @@ See L<openssl-format-options(1)> for details. Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific. -=item B<-signkey> I<filename>|I<uri> +=item B<-key> I<filename>|I<uri> This option causes the new certificate or certificate request to be self-signed using the supplied private key. @@ -174,6 +175,10 @@ Unless the B<-preserve_dates> option is supplied, it sets the validity start date to the current time and the end date to a value determined by the B<-days> option. +=item B<-signkey> I<filename>|I<uri> + +This option is an alias of B<-key>. + =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> The key input format; the default is B<PEM>. @@ -348,7 +353,7 @@ Check that the certificate matches the specified IP address. =item B<-set_serial> I<n> Specifies the serial number to use. This option can be used with either -the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> option +the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> option) is not used. The serial number can be decimal or hex (if preceded by C<0x>). @@ -392,7 +397,7 @@ or certificate request. =item B<-force_pubkey> I<filename> When a certificate is created set its public key to the key in I<filename> -instead of the key contained in the input or given with the B<-signkey> option. +instead of the key contained in the input or given with the B<-key> option. This option is useful for creating self-issued certificates that are not self-signed, for instance when the key cannot be used for signing, such as DH. @@ -438,7 +443,7 @@ for testing. The digest to use. This affects any signing or printing option that uses a message -digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. +digest, such as the B<-fingerprint>, B<-key> and B<-CA> options. Any digest supported by the L<openssl-dgst(1)> command can be used. If not specified then SHA1 is used with B<-fingerprint> or the default digest for the signing algorithm is used, typically SHA256. @@ -456,7 +461,7 @@ When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as detailed below. -This option cannot be used in conjunction with the B<-signkey> option. +This option cannot be used in conjunction with the B<-key> option. This option is normally combined with the B<-req> option referencing a CSR. Without the B<-req> option the input must be a self-signed certificate unless the B<-new> option is given, which generates a certificate from scratch. @@ -700,13 +705,13 @@ Convert a certificate from PEM to DER format: Convert a certificate to a certificate request: - openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem + openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem Convert a certificate request into a self-signed certificate using extensions for a CA: openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ - -signkey key.pem -out cacert.pem + -key key.pem -out cacert.pem Sign a certificate request using the CA certificate above and add user certificate extensions: @@ -871,6 +876,9 @@ of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using L<openssl-rehash(1)> or similar. +The B<-signkey> option has been renamed to B<-key> in OpenSSL 3.0, +keeping the old name as an alias. + All B<-keyform> and B<-CAkeyform> values except B<ENGINE> have become obsolete in OpenSSL 3.0.0 and have no effect. |