mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-31 20:10:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option

Browse Source 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
This commit is contained in:
Dr. David von Oheimb 2021-08-25 12:30:09 +02:00 committed by Dr. David von Oheimb
parent 611ef4f373
commit cc0d1b03a9
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
doc/man1/openssl-x509.pod.in
View File

@ -120,14 +120,14 @@ Generate a certificate from scratch, not using an input certificate
or certificate request. So the B<-in> option must not be used in this case.
Instead, the B<-subj> option needs to be given.
The public key to include can be given with the B<-force_pubkey> option
and defaults to the key given with the B<-key> option,
and defaults to the key given with the B<-key> (or B<-signkey>) option,
which implies self-signature.
=item B<-x509toreq>
Output a PKCS#10 certificate request (rather than a certificate).
The B<-key> option must be used to provide the private key for self-signing;
the corresponding public key is placed in the subjectPKInfo field.
The B<-key> (or B<-signkey>) option must be used to provide the private key for
self-signing; the corresponding public key is placed in the subjectPKInfo field.
X.509 extensions included in a certificate input are not copied by default.
X.509 extensions to be added can be specified using the B<-extfile> option.
@ -360,8 +360,9 @@ Check that the certificate matches the specified IP address.
=item B<-set_serial> I<n>
Specifies the serial number to use. This option can be used with either
the B<-key> or B<-CA> options. If used in conjunction with the B<-CA> option
Specifies the serial number to use.
This option can be used with the B<-key>, B<-signkey>, or B<-CA> options.
If used in conjunction with the B<-CA> option
the serial number file (as specified by the B<-CAserial> option) is not used.
The serial number can be decimal or hex (if preceded by C<0x>).
@ -405,7 +406,8 @@ or certificate request.
=item B<-force_pubkey> I<filename>
When a certificate is created set its public key to the key in I<filename>
instead of the key contained in the input or given with the B<-key> option.
instead of the key contained in the input
or given with the B<-key> (or B<-signkey>) option.
This option is useful for creating self-issued certificates that are not
self-signed, for instance when the key cannot be used for signing, such as DH.
@ -451,7 +453,7 @@ for testing.
The digest to use.
This affects any signing or printing option that uses a message
digest, such as the B<-fingerprint>, B<-key> and B<-CA> options.
digest, such as the B<-fingerprint>, B<-key>, and B<-CA> options.
Any digest supported by the L<openssl-dgst(1)> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.
@ -469,7 +471,7 @@ When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as detailed below.
This option cannot be used in conjunction with the B<-key> option.
This option cannot be used in conjunction with B<-key> (or B<-signkey>).
This option is normally combined with the B<-req> option referencing a CSR.
Without the B<-req> option the input must be an existing certificate
unless the B<-new> option is given, which generates a certificate from scratch.