doc/man1/openssl-cmp.pod.in
Context not available. | |||||
=item B<-newkey> I<filename>|I<uri> | =item B<-newkey> I<filename>|I<uri> | ||||
The source of the private or public key for the certificate requested | The source of the private or public key for the certificate being requested. | ||||
in Initialization Request (IR), Certification Request(CR), or | |||||
Key Update Request (KUR). | |||||
Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, | Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, | ||||
the public key of the reference certificate, or the current client key. | the public key of the reference certificate, or the current client key. | ||||
The public portion of the key is placed in the certification request. | |||||
Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the | |||||
private key will be needed as well to provide the proof of possession (POPO), | |||||
where the B<-key> option may provide a fallback. | |||||
=item B<-newkeypass> I<arg> | =item B<-newkeypass> I<arg> | ||||
Pass phrase source for the key given with the B<-newkey> option. | Pass phrase source for the key given with the B<-newkey> option. | ||||
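Review bot: The rewritten first sentence of the B<-newkey> entry drops the old scope "in Initialization Request (IR), Certification Request (CR), or Key Update Request (KUR)", yet the added sentence "Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the private key will be needed as well" still treats p10cr as a case in which B<-newkey> matters; since the B<-csr> entry says the CSR "is used directly in a legacy P10CR message", either state explicitly that B<-newkey> is ignored for p10cr or restore "for IR, CR, or KUR" in the first sentence.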
Context not available. | |||||
=item B<-popo> I<number> | =item B<-popo> I<number> | ||||
Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where | Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where | ||||
C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. | C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. | ||||
Note that a signature-based POPO can only be produced if a private key | Note that a signature-based POPO can only be produced if a private key | ||||
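Review bot: "C<-1>..<2>" in the values list is missing the C<> markup around the upper bound and renders as a stray "<2>"; it should read C<-1>..C<2>. Also, this hunk changes the spelling to "Proof-of-possession", while other parts of the same change use "proof-of-possession" (B<-digest> entry) and "proof of possession" (B<-csr> and B<-accept_raverified> entries); pick one form for the whole page.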
Context not available. | |||||
PKCS#10 CSR in PEM or DER format containing a certificate request. | PKCS#10 CSR in PEM or DER format containing a certificate request. | ||||
With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. | With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. | ||||
When used with B<-cmd> I<ir>, I<cr>, or I<kur>, | When used with B<-cmd> I<ir>, I<cr>, or I<kur>, | ||||
it is transformed into the respective regular CMP request, | it is transformed into the respective regular CMP request. | ||||
while its public key is ignored if I<-newkey> is given. | In this case, a private key must be provided (with B<-newkey> or B<-key>) | ||||
It may also be used with B<-cmd> I<rr> to specify the certificate to be revoked | for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used) | ||||
and the respective public key is placed in the certification request | |||||
(rather than taking over the public key contained in the PKCS#10 CSR). | |||||
PKCS#10 CSR input may also be used with B<-cmd> I<rr> | |||||
to specify the certificate to be revoked | |||||
via the included subject name and public key. | via the included subject name and public key. | ||||
=item B<-out_trusted> I<filenames>|I<uris> | =item B<-out_trusted> I<filenames>|I<uris> | ||||
Trusted certificate(s) to use for validating the newly enrolled certificate. | Trusted certificate(s) to use for validating the newly enrolled certificate. | ||||
During this verification, any certificate status checking is disabled. | |||||
Multiple sources may be given, separated by commas and/or whitespace | Multiple sources may be given, separated by commas and/or whitespace | ||||
(where in the latter case the whole argument must be enclosed in "..."). | (where in the latter case the whole argument must be enclosed in "..."). | ||||
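Review bot: The new B<-csr> text says that for ir/cr/kur a private key given with B<-newkey> or B<-key> is used for the proof of possession and "the respective public key is placed in the certification request (rather than taking over the public key contained in the PKCS#10 CSR)", but the B<-newkey> entry still says it "Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option"; state the precedence in one place and in the same terms, in particular whether the CSR's public key is taken over only when no proof of possession is required (B<-popo> I<-1> or I<0>). The added B<-out_trusted> sentence "During this verification, any certificate status checking is disabled" would also benefit from a short reason, since readers who configure CRL or OCSP checking elsewhere may otherwise expect it to apply to the newly enrolled certificate.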
Context not available. | |||||
The reference certificate, if any, is also used for | The reference certificate, if any, is also used for | ||||
deriving default subject DN and Subject Alternative Names and the | deriving default subject DN and Subject Alternative Names and the | ||||
default issuer entry in the requested certificate template of an IR/CR/KUR. | default issuer entry in the requested certificate template of an IR/CR/KUR. | ||||
Its public key is used as a fallback in the template of certification requests. | |||||
Its subject is used as sender of outgoing messages if B<-cert> is not given. | Its subject is used as sender of outgoing messages if B<-cert> is not given. | ||||
Its issuer is used as default recipient in CMP message headers | Its issuer is used as default recipient in CMP message headers | ||||
if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. | if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. | ||||
Context not available. | |||||
The DNS hostname or IP address and optionally port | The DNS hostname or IP address and optionally port | ||||
of the CMP server to connect to using HTTP(S). | of the CMP server to connect to using HTTP(S). | ||||
This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>. | This option excludes I<-port> and I<-use_mock_srv>. | ||||
It is ignored if I<-rspin> is given with enough filename arguments. | |||||
The scheme C<https> may be given only if the B<-tls_used> option is used. | The scheme C<https> may be given only if the B<-tls_used> option is used. | ||||
In this case the default port is 443, else 80. | In this case the default port is 443, else 80. | ||||
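Review bot: The new sentences keep I<-port>, I<-use_mock_srv> and I<-rspin> in italic I<> markup, while the rest of this change switches cross-referenced option names to bold B<> (compare the rewritten B<-use_mock_srv> and B<-port> entries: "This excludes the B<-server> and B<-port> options"); use B<> here as well. "given with enough filename arguments" also reads as an unfinished thought; "given with enough files to complete the transaction (see B<-rspin>)" says what "enough" means.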
Context not available. | |||||
=item B<-trusted> I<filenames>|I<uris> | =item B<-trusted> I<filenames>|I<uris> | ||||
When validating signature-based protection of CMP response messages, | The certificate(s), typically of root CAs, the client shall use as trust anchors | ||||
these are the CA certificate(s) to trust while checking certificate chains | when validating signature-based protection of CMP response messages. | ||||
during CMP server authentication. | This option is ignored if the B<-srvcert> option is given as well. | ||||
This option gives more flexibility than the B<-srvcert> option because the | It provides more flexibility than B<-srvcert> because the CMP protection | ||||
server-side CMP signer certificate is not pinned but may be any certificate | certificate of the server is not pinned but may be any certificate | ||||
for which a chain to one of the given trusted certificates can be constructed. | from which a chain to one of the given trust anchors can be constructed. | ||||
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given | If none of B<-trusted>, B<-srvcert>, and B<-secret> is given, message validation | ||||
then protected response messages from the server are not authenticated. | errors will be thrown unless B<-unprotected_errors> permits an exception. | ||||
Multiple sources may be given, separated by commas and/or whitespace | Multiple sources may be given, separated by commas and/or whitespace | ||||
(where in the latter case the whole argument must be enclosed in "..."). | (where in the latter case the whole argument must be enclosed in "..."). | ||||
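Review bot: Replacing "protected response messages from the server are not authenticated" with "message validation errors will be thrown unless B<-unprotected_errors> permits an exception" now describes response validation as failing when no trust source is configured, which is the safer reading, but the sentence should say which messages that exception covers and point to the B<-unprotected_errors> entry instead of leaving the reader to infer it. Minor: "If none of B<-trusted>, B<-srvcert>, and B<-secret> is given" reads better as "If none of B<-trusted>, B<-srvcert>, or B<-secret> is given".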
Context not available. | |||||
Non-trusted intermediate CA certificate(s). | Non-trusted intermediate CA certificate(s). | ||||
Any extra certificates given with the B<-cert> option are appended to it. | Any extra certificates given with the B<-cert> option are appended to it. | ||||
All these certificates may be useful for cert path construction | All these certificates may be useful for cert path construction | ||||
for the CMP client certificate (to include in the extraCerts field of outgoing | for the own CMP signer certificate (to include in the extraCerts field of | ||||
messages) and for the TLS client certificate (if TLS is enabled) | request messages) and for the TLS client certificate (if TLS is enabled) | ||||
as well as for chain building | as well as for chain building | ||||
when validating the CMP server certificate (checking signature-based | when validating server certificates (checking signature-based | ||||
CMP message protection) and when validating newly enrolled certificates. | CMP message protection) and when validating newly enrolled certificates. | ||||
Multiple sources may be given, separated by commas and/or whitespace. | Multiple filenames or URLs may be given, separated by commas and/or whitespace. | ||||
Each file may contain multiple certificates. | Each source may contain multiple certificates. | ||||
=item B<-srvcert> I<filename>|I<uri> | =item B<-srvcert> I<filename>|I<uri> | ||||
The specific CMP server certificate to expect and directly trust (even if it is | The specific CMP server certificate to expect and directly trust (even if it is | ||||
expired) when validating signature-based protection of CMP response messages. | expired) when verifying signature-based protection of CMP response messages. | ||||
May be set alternatively to the B<-trusted> option to pin the accepted server. | This pins the accepted server and results in ignoring the B<-trusted> option. | ||||
If set, the subject of the certificate is also used | If set, the subject of the certificate is also used | ||||
as default value for the recipient of CMP requests | as default value for the recipient of CMP requests | ||||
and as default value for the expected sender of incoming CMP messages. | and as default value for the expected sender of CMP responses. | ||||
=item B<-expect_sender> I<name> | =item B<-expect_sender> I<name> | ||||
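Review bot: In the B<-untrusted> entry, "Multiple filenames or URLs may be given" departs from the wording used for the same syntax in B<-trusted> and B<-out_trusted> ("Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "...")"), and the parenthetical about quoting is missing here; reuse the same sentence. In the B<-srvcert> entry, "directly trust (even if it is expired)" is a deliberate relaxation of path validation and deserves a clause on why an expired pinned certificate is accepted, so that readers do not take it for an oversight.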
Context not available. | |||||
=item B<-ignore_keyusage> | =item B<-ignore_keyusage> | ||||
Ignore key usage restrictions in CMP signer certificates when validating | Ignore key usage restrictions in CMP signer certificates when validating | ||||
signature-based protection of incoming CMP messages, | signature-based protection of incoming CMP messages. | ||||
else C<digitalSignature> must be allowed for signer certificate. | By default, C<digitalSignature> must be allowed by CMP signer certificates. | ||||
=item B<-unprotected_errors> | =item B<-unprotected_errors> | ||||
Context not available. | |||||
The client's current CMP signer certificate. | The client's current CMP signer certificate. | ||||
Requires the corresponding key to be given with B<-key>. | Requires the corresponding key to be given with B<-key>. | ||||
The subject and the public key contained in this certificate | |||||
serve as fallback values in the certificate template of IR/CR/KUR messages. | |||||
The subject of this certificate will be used as sender of outgoing CMP messages, | The subject of this certificate will be used as sender of outgoing CMP messages, | ||||
while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. | while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. | ||||
The issuer of this certificate is used as one of the recipient fallback values | The issuer of this certificate is used as one of the recipient fallback values | ||||
and as fallback issuer entry in the certificate template of IR/CR/KUR. | and as fallback issuer entry in the certificate template of IR/CR/KUR messages. | ||||
When using signature-based message protection, this "protection certificate" | When using signature-based message protection, this "protection certificate" | ||||
will be included first in the extraCerts field of outgoing messages | will be included first in the extraCerts field of outgoing messages | ||||
and the signature is done with the corresponding key. | and the signature is done with the corresponding key. | ||||
In Initialization Request (IR) messages this can be used for authenticating | In Initialization Request (IR) messages this can be used for authenticating | ||||
using an external entity certificate as defined in appendix E.7 of RFC 4210. | using an external entity certificate as defined in appendix E.7 of RFC 4210. | ||||
For Key Update Request (KUR) messages this is also used as | For Key Update Request (KUR) messages this is also used as | ||||
the certificate to be updated if the B<-oldcert> option is not given. | the certificate to be updated if the B<-oldcert> option is not given. | ||||
If the file includes further certs, they are appended to the untrusted certs | If the file includes further certs, they are appended to the untrusted certs | ||||
because they typically constitute the chain of the client certificate, which | because they typically constitute the chain of the client certificate, which | ||||
is included in the extraCerts field in signature-protected request messages. | is included in the extraCerts field in signature-protected request messages. | ||||
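Review bot: The added sentence "The subject and the public key contained in this certificate serve as fallback values in the certificate template of IR/CR/KUR messages" sits directly before "The subject of this certificate will be used as sender of outgoing CMP messages, while the subject of B<-oldcert> or B<-subjectName> may provide fallback values", so the B<-cert> subject is a fallback in one sentence and the primary value with other fallbacks in the next; give the precedence for the template subject and for the message sender as two explicit ordered lists rather than scattering it across the B<-cert>, reference certificate and B<-newkey> entries.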
Context not available. | |||||
This will be used for signature-based message protection unless | This will be used for signature-based message protection unless | ||||
the B<-secret> option indicating PBM or B<-unprotected_requests> is given. | the B<-secret> option indicating PBM or B<-unprotected_requests> is given. | ||||
It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. | |||||
=item B<-keypass> I<arg> | =item B<-keypass> I<arg> | ||||
Pass phrase source for the private key given with the B<-key> option. | Pass phrase source for the private key given with the B<-key> option. | ||||
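Review bot: The added sentence "It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages" means that, when no new key is given, the key that protects the CMP messages is also the key for which the new certificate is requested; that is the expected case for KUR, but for IR/CR it silently reuses the existing key pair instead of enrolling a fresh one, so spell out that consequence here (the B<-newkey> entry only says "the B<-key> option may provide a fallback").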
Context not available. | |||||
Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG | Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG | ||||
and as the one-way function (OWF) in MSG_MAC_ALG. | and as the one-way function (OWF) in MSG_MAC_ALG. | ||||
If applicable, this is used for message protection and | If applicable, this is used for message protection and | ||||
Proof-of-Possession (POPO) signatures. | proof-of-possession (POPO) signatures. | ||||
To see the list of supported digests, use C<openssl list -digest-commands>. | To see the list of supported digests, use C<openssl list -digest-commands>. | ||||
Defaults to C<sha256>. | Defaults to C<sha256>. | ||||
Context not available. | |||||
=item B<-unprotected_requests> | =item B<-unprotected_requests> | ||||
Send messages without CMP-level protection. | Send request messages without CMP-level protection. | ||||
=back | =back | ||||
Context not available. | |||||
=item B<-tls_used> | =item B<-tls_used> | ||||
Enable using TLS (even when other TLS_related options are not set) | Enable using TLS (even when other TLS-related options are not set) | ||||
when connecting to CMP server via HTTP. | for message exchange with CMP server via HTTP. | ||||
This option is not supported with the I<-port> option | This option is not supported with the I<-port> option. | ||||
and is ignored with the I<-use_mock_srv> and I<-rspin> options | It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given | ||||
or if the I<-server> option is not given. | or I<-rspin> is given with enough filename arguments. | ||||
The following TLS-related options are ignored | |||||
if B<-tls_used> is not given or does not take effect. | |||||
=item B<-tls_cert> I<filename>|I<uri> | =item B<-tls_cert> I<filename>|I<uri> | ||||
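Review bot: "It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given or I<-rspin> is given with enough filename arguments" chains a negated and two positive conditions with bare "or" and is easy to misread; list the three cases separately. The same "enough filename arguments" condition now appears in the B<-server> entry as well, so define once in B<-rspin> what "enough" means (enough files to complete the transaction, as the B<-rspin> text puts it) and refer to it from both places.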
Context not available. | |||||
=item B<-reqin> I<filenames> | =item B<-reqin> I<filenames> | ||||
Take sequence of CMP requests from file(s). | Take the sequence of CMP requests to send to the server from the given file(s) | ||||
rather than from the sequence of requests produced internally. | |||||
This option is ignored if the B<-rspin> option is given | |||||
because in the latter case no requests are actually sent. | |||||
Multiple filenames may be given, separated by commas and/or whitespace | Multiple filenames may be given, separated by commas and/or whitespace | ||||
(where in the latter case the whole argument must be enclosed in "..."). | (where in the latter case the whole argument must be enclosed in "..."). | ||||
As many files are read as needed for a complete transaction. | |||||
The files are read as far as needed to complete the transaction | |||||
and filenames have been provided. If more requests are needed, | |||||
the remaining ones are taken from the items at the respective position | |||||
in the sequence of requests produced internally. | |||||
The client needs to update the recipNonce field in the given requests (except | |||||
for the first one) in order to satisfy the checks to be performed by the server. | |||||
This causes re-protection (if protecting requests is required). | |||||
=item B<-reqin_new_tid> | =item B<-reqin_new_tid> | ||||
Use a fresh transactionID for CMP request messages read using B<-reqin>, | Use a fresh transactionID for CMP request messages read using B<-reqin>, | ||||
which requires re-protecting them as far as they were protected before. | which causes their reprotection (if protecting requests is required). | ||||
This may be needed in case the sequence of requests is reused | This may be needed in case the sequence of requests is reused | ||||
and the CMP server complains that the transaction ID has already been used. | and the CMP server complains that the transaction ID has already been used. | ||||
=item B<-reqout> I<filenames> | =item B<-reqout> I<filenames> | ||||
Save sequence of CMP requests to file(s). | Save the sequence of CMP requests created by the client to the given file(s). | ||||
These requests are not sent to the server if the B<-reqin> option is used, too. | |||||
Multiple filenames may be given, separated by commas and/or whitespace. | Multiple filenames may be given, separated by commas and/or whitespace. | ||||
As many files are written as needed to store the complete transaction. | |||||
Files are written as far as needed to save the transaction | |||||
and filenames have been provided. | |||||
If the transaction contains more requests, the remaining ones are not saved. | |||||
=item B<-rspin> I<filenames> | =item B<-rspin> I<filenames> | ||||
Process sequence of CMP responses provided in file(s), skipping server. | Process the sequence of CMP responses provided in the given file(s), | ||||
This excludes I<-server>, I<-port>, and I<-use_mock_srv>. | not contacting any given server, | ||||
as long as enough filenames are provided to complete the transaction. | |||||
Multiple filenames may be given, separated by commas and/or whitespace. | Multiple filenames may be given, separated by commas and/or whitespace. | ||||
As many files are read as needed for the complete transaction. | |||||
Any server specified via the I<-server> or I<-use_mock_srv> options is contacted | |||||
only if more responses are needed to complete the transaction. | |||||
In this case the transaction will fail | |||||
unless the server has been prepared to continue the already started transaction. | |||||
=item B<-rspout> I<filenames> | =item B<-rspout> I<filenames> | ||||
Save sequence of CMP responses to file(s). | Save the sequence of actually used CMP responses to the given file(s). | ||||
These have been received from the server unless B<-rspin> takes effect. | |||||
Multiple filenames may be given, separated by commas and/or whitespace. | Multiple filenames may be given, separated by commas and/or whitespace. | ||||
As many files are written as needed to store the complete transaction. | |||||
Files are written as far as needed to save the responses | |||||
contained in the transaction and filenames have been provided. | |||||
If the transaction contains more responses, the remaining ones are not saved. | |||||
=item B<-use_mock_srv> | =item B<-use_mock_srv> | ||||
Test the client using the internal CMP server mock-up at API level, | Test the client using the internal CMP server mock-up at API level, | ||||
bypassing socket-based transfer via HTTP. | bypassing socket-based transfer via HTTP. | ||||
This excludes I<-server>, I<-port>, and I<-rspin>. | This excludes the B<-server> and B<-port> options. | ||||
=back | =back | ||||
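Review bot: The added B<-reqin> sentence "This option is ignored if the B<-rspin> option is given because in the latter case no requests are actually sent" no longer matches the rewritten B<-rspin> entry, which says the server "is contacted only if more responses are needed to complete the transaction"; in that partial case requests are sent, so either B<-reqin> is not ignored then or the B<-reqin> text needs the same "with enough filename arguments" qualifier used in the B<-server> and B<-tls_used> entries. Also, "The client needs to update the recipNonce field in the given requests (except for the first one) ... This causes re-protection" describes the tool modifying and re-protecting stored requests; say whether this requires the protection credentials (B<-key>/B<-cert> or B<-secret>) to be given, as otherwise readers may expect stored requests to be sent as-is.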
Context not available. | |||||
=item B<-port> I<number> | =item B<-port> I<number> | ||||
Act as HTTP-based CMP server mock-up listening on the given port. | Act as HTTP-based CMP server mock-up listening on the given port. | ||||
This excludes I<-server>, I<-rspin>, and I<-use_mock_srv>. | This excludes the B<-server> and B<-use_mock_srv> options. | ||||
The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options | |||||
so far are not supported in this mode. | |||||
=item B<-max_msgs> I<number> | =item B<-max_msgs> I<number> | ||||
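Review bot: "The B<-rspin>, B<-rspout>, B<-reqin>, and B<-reqout> options so far are not supported in this mode" leaves open whether they are rejected with an error (as "excludes" implies for B<-server> and B<-use_mock_srv> in the preceding sentence) or silently ignored; state which, and prefer "are not yet supported" to "so far are not supported".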
Context not available. | |||||
=item B<-accept_unprot_err> | =item B<-accept_unprot_err> | ||||
Accept unprotected error messages from client. | Accept unprotected error messages from client. | ||||
So far this has no effect because the server does not accept any error messages. | |||||
=item B<-accept_raverified> | =item B<-accept_raverified> | ||||
Accept RAVERIFED as proof-of-possession (POPO). | Accept RAVERIFED as proof of possession (POPO). | ||||
=back | =back | ||||
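Review bot: "RAVERIFED" in the B<-accept_raverified> entry is misspelled; the B<-popo> entry spells the value RAVERIFIED. The B<-accept_unprot_err> entry documents an option that, per the added sentence, "has no effect because the server does not accept any error messages"; either mark it as reserved for a future version in those words or describe only the current behaviour, so that test setups do not rely on it.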
Context not available. |