diff options
Diffstat (limited to 'lib/libssl/src/doc/apps')
| -rw-r--r-- | lib/libssl/src/doc/apps/CA.pl.pod | 179 | ||||
| -rw-r--r-- | lib/libssl/src/doc/apps/tsget.pod | 194 | ||||
| -rw-r--r-- | lib/libssl/src/doc/apps/verify.pod | 3 | ||||
| -rw-r--r-- | lib/libssl/src/doc/apps/x509.pod | 2 |
4 files changed, 2 insertions, 376 deletions
diff --git a/lib/libssl/src/doc/apps/CA.pl.pod b/lib/libssl/src/doc/apps/CA.pl.pod deleted file mode 100644 index d326101cde7..00000000000 --- a/lib/libssl/src/doc/apps/CA.pl.pod +++ /dev/null @@ -1,179 +0,0 @@ - -=pod - -=head1 NAME - -CA.pl - friendlier interface for OpenSSL certificate programs - -=head1 SYNOPSIS - -B<CA.pl> -[B<-?>] -[B<-h>] -[B<-help>] -[B<-newcert>] -[B<-newreq>] -[B<-newreq-nodes>] -[B<-newca>] -[B<-xsign>] -[B<-sign>] -[B<-signreq>] -[B<-signcert>] -[B<-verify>] -[B<files>] - -=head1 DESCRIPTION - -The B<CA.pl> script is a perl script that supplies the relevant command line -arguments to the B<openssl> command for some common certificate operations. -It is intended to simplify the process of certificate creation and management -by the use of some simple options. - -=head1 COMMAND OPTIONS - -=over 4 - -=item B<?>, B<-h>, B<-help> - -prints a usage message. - -=item B<-newcert> - -creates a new self signed certificate. The private key is written to the file -"newkey.pem" and the request written to the file "newreq.pem". - -=item B<-newreq> - -creates a new certificate request. The private key is written to the file -"newkey.pem" and the request written to the file "newreq.pem". - -=item B<-newreq-nodes> - -is like B<-newreq> except that the private key will not be encrypted. - -=item B<-newca> - -creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert> -and B<-xsign> options). The user is prompted to enter the filename of the CA -certificates (which should also contain the private key) or by hitting ENTER -details of the CA will be prompted for. The relevant files and directories -are created in a directory called "demoCA" in the current directory. - -=item B<-pkcs12> - -create a PKCS#12 file containing the user certificate, private key and CA -certificate. It expects the user certificate and private key to be in the -file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem, -it creates a file "newcert.p12". This command can thus be called after the -B<-sign> option. The PKCS#12 file can be imported directly into a browser. -If there is an additional argument on the command line it will be used as the -"friendly name" for the certificate (which is typically displayed in the browser -list box), otherwise the name "My Certificate" is used. - -=item B<-sign>, B<-signreq>, B<-xsign> - -calls the B<ca> program to sign a certificate request. It expects the request -to be in the file "newreq.pem". The new certificate is written to the file -"newcert.pem" except in the case of the B<-xsign> option when it is written -to standard output. - - -=item B<-signCA> - -this option is the same as the B<-signreq> option except it uses the configuration -file section B<v3_ca> and so makes the signed request a valid CA certificate. This -is useful when creating intermediate CA from a root CA. - -=item B<-signcert> - -this option is the same as B<-sign> except it expects a self signed certificate -to be present in the file "newreq.pem". - -=item B<-verify> - -verifies certificates against the CA certificate for "demoCA". If no certificates -are specified on the command line it tries to verify the file "newcert.pem". - -=item B<files> - -one or more optional certificate file names for use with the B<-verify> command. - -=back - -=head1 EXAMPLES - -Create a CA hierarchy: - - CA.pl -newca - -Complete certificate creation example: create a CA, create a request, sign -the request and finally create a PKCS#12 file containing it. - - CA.pl -newca - CA.pl -newreq - CA.pl -signreq - CA.pl -pkcs12 "My Test Certificate" - -=head1 DSA CERTIFICATES - -Although the B<CA.pl> creates RSA CAs and requests it is still possible to -use it with DSA certificates and requests using the L<req(1)|req(1)> command -directly. The following example shows the steps that would typically be taken. - -Create some DSA parameters: - - openssl dsaparam -out dsap.pem 1024 - -Create a DSA CA certificate and private key: - - openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem - -Create the CA directories and files: - - CA.pl -newca - -enter cacert.pem when prompted for the CA file name. - -Create a DSA certificate request and private key (a different set of parameters -can optionally be created first): - - openssl req -out newreq.pem -newkey dsa:dsap.pem - -Sign the request: - - CA.pl -signreq - -=head1 NOTES - -Most of the filenames mentioned can be modified by editing the B<CA.pl> script. - -If the demoCA directory already exists then the B<-newca> command will not -overwrite it and will do nothing. This can happen if a previous call using -the B<-newca> option terminated abnormally. To get the correct behaviour -delete the demoCA directory if it already exists. - -Under some environments it may not be possible to run the B<CA.pl> script -directly (for example Win32) and the default configuration file location may -be wrong. In this case the command: - - perl -S CA.pl - -can be used and the B<OPENSSL_CONF> environment variable changed to point to -the correct path of the configuration file "openssl.cnf". - -The script is intended as a simple front end for the B<openssl> program for use -by a beginner. Its behaviour isn't always what is wanted. For more control over the -behaviour of the certificate commands call the B<openssl> command directly. - -=head1 ENVIRONMENT VARIABLES - -The variable B<OPENSSL_CONF> if defined allows an alternative configuration -file location to be specified, it should contain the full path to the -configuration file, not just its directory. - -=head1 SEE ALSO - -L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>, -L<config(5)|config(5)> - -=cut diff --git a/lib/libssl/src/doc/apps/tsget.pod b/lib/libssl/src/doc/apps/tsget.pod deleted file mode 100644 index 56db985c4bb..00000000000 --- a/lib/libssl/src/doc/apps/tsget.pod +++ /dev/null @@ -1,194 +0,0 @@ -=pod - -=head1 NAME - -tsget - Time Stamping HTTP/HTTPS client - -=head1 SYNOPSIS - -B<tsget> -B<-h> server_url -[B<-e> extension] -[B<-o> output] -[B<-v>] -[B<-d>] -[B<-k> private_key.pem] -[B<-p> key_password] -[B<-c> client_cert.pem] -[B<-C> CA_certs.pem] -[B<-P> CA_path] -[B<-r> file:file...] -[B<-g> EGD_socket] -[request]... - -=head1 DESCRIPTION - -The B<tsget> command can be used for sending a time stamp request, as -specified in B<RFC 3161>, to a time stamp server over HTTP or HTTPS and storing -the time stamp response in a file. This tool cannot be used for creating the -requests and verifying responses, you can use the OpenSSL B<ts(1)> command to -do that. B<tsget> can send several requests to the server without closing -the TCP connection if more than one requests are specified on the command -line. - -The tool sends the following HTTP request for each time stamp request: - - POST url HTTP/1.1 - User-Agent: OpenTSA tsget.pl/<version> - Host: <host>:<port> - Pragma: no-cache - Content-Type: application/timestamp-query - Accept: application/timestamp-reply - Content-Length: length of body - - ...binary request specified by the user... - -B<tsget> expects a response of type application/timestamp-reply, which is -written to a file without any interpretation. - -=head1 OPTIONS - -=over 4 - -=item B<-h> server_url - -The URL of the HTTP/HTTPS server listening for time stamp requests. - -=item B<-e> extension - -If the B<-o> option is not given this argument specifies the extension of the -output files. The base name of the output file will be the same as those of -the input files. Default extension is '.tsr'. (Optional) - -=item B<-o> output - -This option can be specified only when just one request is sent to the -server. The time stamp response will be written to the given output file. '-' -means standard output. In case of multiple time stamp requests or the absence -of this argument the names of the output files will be derived from the names -of the input files and the default or specified extension argument. (Optional) - -=item B<-v> - -The name of the currently processed request is printed on standard -error. (Optional) - -=item B<-d> - -Switches on verbose mode for the underlying B<curl> library. You can see -detailed debug messages for the connection. (Optional) - -=item B<-k> private_key.pem - -(HTTPS) In case of certificate-based client authentication over HTTPS -<private_key.pem> must contain the private key of the user. The private key -file can optionally be protected by a passphrase. The B<-c> option must also -be specified. (Optional) - -=item B<-p> key_password - -(HTTPS) Specifies the passphrase for the private key specified by the B<-k> -argument. If this option is omitted and the key is passphrase protected B<tsget> -will ask for it. (Optional) - -=item B<-c> client_cert.pem - -(HTTPS) In case of certificate-based client authentication over HTTPS -<client_cert.pem> must contain the X.509 certificate of the user. The B<-k> -option must also be specified. If this option is not specified no -certificate-based client authentication will take place. (Optional) - -=item B<-C> CA_certs.pem - -(HTTPS) The trusted CA certificate store. The certificate chain of the peer's -certificate must include one of the CA certificates specified in this file. -Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) - -=item B<-P> CA_path - -(HTTPS) The path containing the trusted CA certificates to verify the peer's -certificate. The directory must be prepared with the B<c_rehash> -OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of -HTTPS. (Optional) - -=item B<-rand> file:file... - -The files containing random data for seeding the random number -generator. Multiple files can be specified, the separator is B<;> for -MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional) - -=item B<-g> EGD_socket - -The name of an EGD socket to get random data from. (Optional) - -=item [request]... - -List of files containing B<RFC 3161> DER-encoded time stamp requests. If no -requests are specified only one request will be sent to the server and it will be -read from the standard input. (Optional) - -=back - -=head1 ENVIRONMENT VARIABLES - -The B<TSGET> environment variable can optionally contain default -arguments. The content of this variable is added to the list of command line -arguments. - -=head1 EXAMPLES - -The examples below presume that B<file1.tsq> and B<file2.tsq> contain valid -time stamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests -and at port 8443 for HTTPS requests, the TSA service is available at the /tsa -absolute path. - -Get a time stamp response for file1.tsq over HTTP, output is written to -file1.tsr: - - tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq - -Get a time stamp response for file1.tsq and file2.tsq over HTTP showing -progress, output is written to file1.reply and file2.reply respectively: - - tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \ - file1.tsq file2.tsq - -Create a time stamp request, write it to file3.tsq, send it to the server and -write the response to file3.tsr: - - openssl ts -query -data file3.txt -cert | tee file3.tsq \ - | tsget -h http://tsa.opentsa.org:8080/tsa \ - -o file3.tsr - -Get a time stamp response for file1.tsq over HTTPS without client -authentication: - - tsget -h https://tsa.opentsa.org:8443/tsa \ - -C cacerts.pem file1.tsq - -Get a time stamp response for file1.tsq over HTTPS with certificate-based -client authentication (it will ask for the passphrase if client_key.pem is -protected): - - tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ - -k client_key.pem -c client_cert.pem file1.tsq - -You can shorten the previous command line if you make use of the B<TSGET> -environment variable. The following commands do the same as the previous -example: - - TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ - -k client_key.pem -c client_cert.pem' - export TSGET - tsget file1.tsq - -=head1 AUTHOR - -Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org) - -=head1 SEE ALSO - -L<openssl(1)|openssl(1)>, L<ts(1)|ts(1)>, L<curl(1)|curl(1)>, -B<RFC 3161> - -=cut diff --git a/lib/libssl/src/doc/apps/verify.pod b/lib/libssl/src/doc/apps/verify.pod index da683004bd2..f1d5384b9a5 100644 --- a/lib/libssl/src/doc/apps/verify.pod +++ b/lib/libssl/src/doc/apps/verify.pod @@ -43,8 +43,7 @@ The B<verify> command verifies certificate chains. A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the B<-hash> option -of the B<x509> utility). Under Unix the B<c_rehash> script will automatically -create symbolic links to a directory of certificates. +of the B<x509> utility). =item B<-CAfile file> diff --git a/lib/libssl/src/doc/apps/x509.pod b/lib/libssl/src/doc/apps/x509.pod index d2d9eb812af..314018f0862 100644 --- a/lib/libssl/src/doc/apps/x509.pod +++ b/lib/libssl/src/doc/apps/x509.pod @@ -856,6 +856,6 @@ The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using -the old form must have their links rebuilt using B<c_rehash> or similar. +the old form must have their links rebuilt. =cut |