x509 - Certificate display and signing utility
gmssl x509 [-help] [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid] [-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri] [-startdate] [-enddate] [-purpose] [-dates] [-checkend num] [-modulus] [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename] [-passin arg] [-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename] [-force_pubkey key] [-text] [-certopt option] [-C] [-[digest]] [-clrext] [-extfile filename] [-extensions section] [-engine id]
The x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings.
Since there are a large number of options they will split up into various sections.
x509命令是一个多用途证书实用程序。 它可用于显示证书信息,将证书转换为各种表单,签署诸如“迷你CA”或编辑证书信任设置的证书请求。
由于有大量的选择,它们将分成不同的部分。
Print out a usage message.
打印使用信息。
This specifies the input format normally the command will expect an X509 certificate but this can change if other options such as -req are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines added. The NET option is an obscure Netscape server format that is now obsolete.
这通常指定命令将期望X509证书的输入格式,但如果存在其他选项(如-req),则可以更改该输入格式。 DER格式是证书的DER编码,PEM是添加了页眉和页脚行的DER编码的base64编码。 NET选项是一个晦涩的Netscape服务器格式,现在已经过时了。
This specifies the output format, the options have the same meaning as the -inform option.
这指定输出格式,这些选项与-inform选项具有相同的含义。
This specifies the input filename to read a certificate from or standard input if this option is not specified.
如果未指定此选项,则指定从或从标准输入读取证书的输入文件名。
This specifies the output filename to write to or standard output by default.
默认情况下,它指定要写入的输出文件名或标准输出。
the digest to use. This affects any signing or display option that uses a message digest, such as the -fingerprint, -signkey and -CA options. Any digest supported by the GmSSL dgst command can be used. If not specified then SHA1 is used with -fingerprint or the default digest for the signing algorithm is used, typically SHA256.
消化使用。 这会影响使用消息摘要的任何签名或显示选项,例如-fingerprint,-signkey和-CA选项。 可以使用GmSSL dgst命令支持的任何摘要。 如果没有指定,则SHA1与-fingerprint一起使用,或者使用签名算法的默认摘要,通常为SHA256。
specifying an engine (by its unique id string) will cause x509 to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
指定引擎(通过其唯一的id字符串)将导致x509尝试获取对指定引擎的功能引用,从而在需要时进行初始化。 然后,引擎将被设置为所有可用算法的默认值。
Note: the -alias and -purpose options are also display options but are described in the TRUST SETTINGS section.
注意:-alias和-purpose选项也是显示选项,但在“信任设置”部分中有介绍。
prints out the certificate in text form. Full details are output including the public key, signature algorithms, issuer and subject names, serial number any extensions present and any trust settings.
以文本形式打印证书。 输出全部细节,包括公钥,签名算法,发行人和主题名称,任何扩展名的序列号和任何信任设置。
customise the output format used with -text. The option argument can be a single option or multiple options separated by commas. The -certopt switch may be also be used more than once to set multiple options. See the TEXT OPTIONS section for more information.
定制与-text一起使用的输出格式。 选项参数可以是单个选项或多个选项,以逗号分隔。 可以使用-certopt开关多次设置多个选项。 有关详细信息,请参阅TEXT OPTIONS部分。
this option prevents output of the encoded version of the request.
此选项可防止请求的编码版本的输出。
outputs the certificate's SubjectPublicKeyInfo block in PEM format.
以PEM格式输出证书的SubjectPublicKeyInfo块。
this option prints out the value of the modulus of the public key contained in the certificate.
此选项打印证书中包含的公钥的模数值。
outputs the certificate serial number.
输出证书序列号。
outputs the "hash" of the certificate subject name. This is used in GmSSL to form an index to allow certificates in a directory to be looked up by subject name.
输出证书主题名称的“哈希”。 这在GmSSL中用于形成索引,以允许以主题名称查找目录中的证书。
outputs the "hash" of the certificate issuer name.
输出证书颁发者名称的“哈希”。
outputs the OCSP hash values for the subject name and public key.
输出主题名称和公钥的OCSP哈希值。
synonym for "-subject_hash" for backward compatibility reasons.
“-subject_hash”的同义词由于向后兼容性原因。
outputs the "hash" of the certificate subject name using the older algorithm as used by GmSSL versions before 1.0.0.
使用1.0.0之前的GmSSL版本使用的旧算法输出证书主题名称的“哈希”。
outputs the "hash" of the certificate issuer name using the older algorithm as used by GmSSL versions before 1.0.0.
使用1.0.0之前的GmSSL版本使用的旧算法输出证书颁发者名称的“哈希”。
outputs the subject name.
输出主题名称。
outputs the issuer name.
输出颁发者名称。
option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the -nameopt switch may be used more than once to set multiple options. See the NAME OPTIONS section for more information.
该选项用于确定主题或发行者名称的显示方式。 选项参数可以是单个选项或多个选项,以逗号分隔。 或者,-nameopt开关可以被多次使用以设置多个选项。 有关详细信息,请参阅“NAME OPTIONS”部分。
outputs the email address(es) if any.
输出电子邮件地址(如果有)。
outputs the OCSP responder address(es) if any.
输出OCSP响应者地址(如果有)。
prints out the start date of the certificate, that is the notBefore date.
打印证书的开始日期,即notBefore日期。
prints out the expiry date of the certificate, that is the notAfter date.
打印证书的到期日期,即notAfter日期。
prints out the start and expiry dates of a certificate.
打印证书的开始和到期日期。
checks if the certificate expires within the next arg seconds and exits non-zero if yes it will expire or zero if not.
检查证书是否在下一个arg秒内到期,如果是,则退出非零,否则为零。
prints out the digest of the DER encoded version of the whole certificate (see digest options).
打印整个证书的DER编码版本的摘要(请参阅摘要选项)。
this outputs the certificate in the form of a C source file.
这将以C源文件的形式输出证书。
A trusted certificate is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an "alias".
Normally when a certificate is being verified at least one certificate must be "trusted". By default a trusted certificate must be stored locally and must be a root CA: any certificate chain ending in this CA is then usable for any purpose.
Trust settings currently are only used with a root CA. They allow a finer control over the purposes the root CA can be used for. For example a CA may be trusted for SSL client but not SSL server use.
See the description of the verify utility for more information on the meaning of trust settings.
Future versions of GmSSL will recognize trust settings on any certificate: not just root CAs.
受信任的证书是普通证书,其中附有数个附加的信息,例如证书的许可和禁止使用以及“别名”。
通常当证书被证实时,至少有一个证书必须是“可信任的”。 默认情况下,受信任的证书必须在本地存储,并且必须是根CA:任何以CA为结尾的证书链可用于任何目的。
目前的信任设置仅与根CA一起使用。 它们允许对根CA可以使用的目的进行更精细的控制。 例如,CA可能被信任为SSL客户端,但不能使用SSL服务器。
有关信任设置的含义的更多信息,请参阅验证实用程序的说明。
未来版本的GmSSL将会识别任何证书上的信任设置:不仅仅是根CA。
this causes x509 to output a trusted certificate. An ordinary or trusted certificate can be input but by default an ordinary certificate is output and any trust settings are discarded. With the -trustout option a trusted certificate is output. A trusted certificate is automatically output if any trust settings are modified.
这导致x509输出可信证书。 可以输入普通或可信任的证书,但默认情况下会输出普通证书,并丢弃任何信任设置。 使用-trustout选项,输出可信证书。 如果任何信任设置被修改,将自动输出受信任的证书。
sets the alias of the certificate. This will allow the certificate to be referred to using a nickname for example "Steve's Certificate".
设置证书的别名。 这将允许使用昵称来引用证书,例如“Steve's Certificate”。
outputs the certificate alias, if any.
输出证书别名(如果有)。
clears all the permitted or trusted uses of the certificate.
清除证书的所有允许或受信任的用途。
clears all the prohibited or rejected uses of the certificate.
清除证书的所有禁止或拒绝的使用。
adds a trusted certificate use. Any object name can be used here but currently only clientAuth (SSL client use), serverAuth (SSL server use), emailProtection (S/MIME email) and anyExtendedKeyUsage are used. As of GmSSL 1.1.0, the last of these blocks all purposes when rejected or enables all purposes when trusted. Other GmSSL applications may define additional uses.
添加可信证书使用。 任何对象名称都可以在这里使用,但目前只使用clientAuth(SSL客户端使用),serverAuth(SSL服务器使用),emailProtection(S / MIME电子邮件)和anyExtendedKeyUsage。 从GmSSL 1.1.0开始,最后一个将被拒绝或在受信任时使所有目的成为可能。 其他GmSSL应用程序可能会定义其他用途。
adds a prohibited use. It accepts the same values as the -addtrust option.
增加禁止使用。 它接受与-addtrust选项相同的值。
this option performs tests on the certificate extensions and outputs the results. For a more complete description see the CERTIFICATE EXTENSIONS section.
此选项对证书扩展进行测试并输出结果。 有关更完整的说明,请参阅CERTIFICATE EXTENSIONS部分。
The x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA".
x509实用程序可用于签署证书和请求:它像“迷你CA”
this option causes the input file to be self signed using the supplied private key.
If the input file is a certificate it sets the issuer name to the subject name (i.e. makes it self signed) changes the public key to the supplied value and changes the start and end dates. The start date is set to the current time and the end date is set to a value determined by the -days option. Any certificate extensions are retained unless the -clrext option is supplied; this includes, for example, any existing key identifier extensions.
If the input is a certificate request then a self signed certificate is created using the supplied private key using the subject name in the request.
此选项将使用提供的私钥对输入文件进行自签名。
如果输入文件是证书,则将发行人名称设置为主题名称(即使其自签名)将公钥更改为提供的值,并更改开始和结束日期。 开始日期设置为当前时间,结束日期设置为由-days选项确定的值。 除非提供了-clrext选项,否则将保留任何证书扩展名; 这包括例如任何现有的密钥标识符扩展。
如果输入是证书请求,则使用提供的私钥使用请求中的主题名称创建自签名证书。
the key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in gmssl(1).
密码密码来源。 有关arg格式的更多信息,请参阅gmssl(1)中的PASS PHRASE ARGUMENTS部分。
delete any extensions from a certificate. This option is used when a certificate is being created from another certificate (for example with the -signkey or the -CA options). Normally all extensions are retained.
从证书中删除任何扩展名。 当从另一个证书创建证书时使用此选项(例如使用-signkey或-CA选项)。 通常所有的扩展都保留。
specifies the format (DER or PEM) of the private key file used in the -signkey option.
指定-signkey选项中使用的私钥文件的格式(DER或PEM)。
specifies the number of days to make a certificate valid for. The default is 30 days.
指定使证书有效的天数。 默认为30天。
converts a certificate into a certificate request. The -signkey option is used to pass the required private key.
将证书转换为证书请求。 -signkey选项用于传递所需的私钥。
by default a certificate is expected on input. With this option a certificate request is expected instead.
默认情况下,预期输入证书。 使用此选项,可以使用证书请求。
specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or -CAcreateserial options) is not used.
The serial number can be decimal or hex (if preceded by 0x).
指定要使用的序列号。 此选项可与-signkey或-CA选项一起使用。 如果与-CA选项结合使用,则不使用序列号文件(由-CAserial或-CAcreateserial选项指定)。
序列号可以是十进制或十六进制(如果前面是0x)。
specifies the CA certificate to be used for signing. When this option is present x509 behaves like a "mini CA". The input file is signed by this CA using this option: that is its issuer name is set to the subject name of the CA and it is digitally signed using the CAs private key.
This option is normally combined with the -req option. Without the -req option the input is a certificate which must be self signed.
指定要用于签名的CA证书。 当此选项存在时,x509的行为就像“迷你CA”。 该CA使用此选项对输入文件进行签名:即将其颁发者名称设置为CA的主题名称,并使用CAs私钥进行数字签名。
此选项通常与-req选项组合。 没有-req选项,输入是必须是自签名的证书。
sets the CA private key to sign a certificate with. If this option is not specified then it is assumed that the CA private key is present in the CA certificate file.
设置CA私钥以签署证书。 如果未指定此选项,则假定CA私钥存在于CA证书文件中。
sets the CA serial number file to use.
When the -CA option is used to sign a certificate it uses a serial number specified in a file. This file consist of one line containing an even number of hex digits with the serial number to use. After each use the serial number is incremented and written out to the file again.
The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
设置要使用的CA序列号文件。
当-CA选项用于签署证书时,它使用文件中指定的序列号。 该文件包含一行,其中包含使用序列号的偶数十六进制数字。 每次使用后,序列号将增加并再次写入文件。
默认文件名由附加了“.srl”的CA证书文件基础名称组成。 例如,如果CA证书文件被称为“mycacert.pem”,则它希望找到一个名为“mycacert.srl”的序列号文件。
with this option the CA serial number file is created if it does not exist: it will contain the serial number "02" and the certificate being signed will have the 1 as its serial number. If the -CA option is specified and the serial number file does not exist a random number is generated; this is the recommended practice.
使用此选项,CA序列号文件不存在时将被创建:它将包含序列号“02”,正在签名的证书将具有1作为其序列号。 如果指定了-CA选项,并且序列号文件不存在,则生成随机数; 这是推荐的做法。
file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
包含要使用的证书扩展名的文件。 如果未指定,则不会将任何扩展名添加到证书。
the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config(5) manual page for details of the extension section format.
从中添加证书扩展的部分。 如果未指定此选项,则扩展名应包含在未命名(默认)部分中,默认部分应包含一个名为“extensions”的变量,该变量包含要使用的部分。 有关扩展部分格式的详细信息,请参阅x509v3_config(5)手册页。
when a certificate is created set its public key to key instead of the key in the certificate or certificate request. This option is useful for creating certificates where the algorithm can't normally sign requests, for example DH.
The format or key can be specified using the -keyform option.
当创建证书时,将其公钥设置为key而不是证书或证书请求中的密钥。 此选项对于创建证书,在算法无法正常签署请求时很有用,例如DH。
可以使用-keyform选项指定格式或key。
The nameopt command line switch determines how the subject and issuer names are displayed. If no nameopt switch is present the default "oneline" format is used which is compatible with previous versions of GmSSL. Each option is described in detail below, all options can be preceded by a - to turn the option off. Only the first four will normally be used.
nameopt命令行开关确定主题和发行者名称的显示方式。 如果没有nameopt开关, 则使用与以前版本的GmSSL兼容的默认“oneline”格式。 每个选项在下面详细描述, 所有选项都可以在前面 - 关闭该选项。 通常只会使用前四个。
use the old format.
使用旧的格式。
displays names compatible with RFC2253 equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der, sep_comma_plus, dn_rev and sname.
显示与esc2253,esc_ctrl,esc_msb,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus, dn_rev和sname等效的RFC2253兼容的名称。
a oneline format which is more readable than RFC2253. It is equivalent to specifying the esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and sname options. This is the default of no name options are given explicitly.
一种比RFC2253更可读的在线格式。 相当于指定esc_2253,esc_ctrl,esc_msb,utf8,dump_nostr, dump_der,use_quote,sep_comma_plus_space,space_eq和sname选项。 这是默认的,没有明确给出名称选项。
a multiline format. It is equivalent esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align.
多行格式。 它等效于esc_ctrl,esc_msb,sep_multiline,space_eq,lname和align。
escape the "special" characters required by RFC2253 in a field. That is ,+"<>;. Additionally # is escaped at the beginning of a string and a space character at the beginning or end of a string.
在一个字段中转义RFC2253所需的“特殊”字符。 也就是说,+“<>;另外#在字符串的开始处转义,在字符串的开头或结尾放置一个空格。
escape the "special" characters required by RFC2254 in a field. That is the NUL character as well as and ()*.
在一个字段中转义RFC2254所需的“特殊”字符。 那就是NUL字符以及()*。
escape control characters. That is those with ASCII values less than 0x20 (space) and the delete (0x7f) character. They are escaped using the RFC2253 \XX notation (where XX are two hex digits representing the character value).
转义控制字符。 那是ASCII值小于0x20(空格)和删除(0x7f)字符的那些。 它们使用RFC2253 \ XX符号进行转义(其中XX是表示字符值的两个十六进制数字)。
escape characters with the MSB set, that is with ASCII values larger than 127.
转义字符与MSB集合,即ASCII值大于127。
escapes some characters by surrounding the whole string with " characters, without the option all escaping is done with the \ character.
通过围绕整个字符串以“字符”转义一些字符,而没有选项,所有的转义都是用\字符完成的。
convert all strings to UTF8 format first. This is required by RFC2253. If you are lucky enough to have a UTF8 compatible terminal then the use of this option (and not setting esc_msb) may result in the correct display of multibyte (international) characters. Is this option is not present then multibyte characters larger than 0xff will be represented using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits. Also if this option is off any UTF8Strings will be converted to their character form first.
首先将所有字符串转换为UTF8格式。 这是RFC2253所要求的。 如果您足够有足够的UTF8兼容终端, 则使用此选项(而不是设置esc_msb)可能会导致多字节(国际)字符的正确显示。 此选项不存在, 则大于0xff的多字节字符将使用格式\ UXXXX(16位)和\ WXXXXXXXX(32位)来表示。 此外, 如果此选项关闭,任何UTF8Strings将首先转换为其字符形式。
this option does not attempt to interpret multibyte characters in any way. That is their content octets are merely dumped as though one octet represents each character. This is useful for diagnostic purposes but will result in rather odd looking output.
此选项不会以任何方式尝试解释多字节字符。 这就是他们的内容八位字节只是被转储, 就像一个八位位组代表每个字符一样。 这对于诊断目的是有用的,但会导致相当奇怪的输出。
show the type of the ASN1 character string. The type precedes the field contents. For example "BMPSTRING: Hello World".
显示ASN1字符串的类型。 该类型位于字段内容之前。 例如“BMPSTRING:Hello World”。
when this option is set any fields that need to be hexdumped will be dumped using the DER encoding of the field. Otherwise just the content octets will be displayed. Both options use the RFC2253 #XXXX... format.
当设置此选项时,需要使用hexdumped的任何字段将使用字段的DER编码进行转储。 否则只会显示内容八位字节。 两种选项都使用RFC2253 #XXXX ...格式
dump non character string types (for example OCTET STRING) if this option is not set then non character string types will be displayed as though each content octet represents a single character.
转储非字符串类型(例如OCTET STRING),如果未设置此选项, 则将显示非字符串类型,因为每个内容字节表示单个字符。
dump all fields. This option when used with dump_der allows the DER encoding of the structure to be unambiguously determined.
转储所有字段。 当与dump_der一起使用时,该选项允许明确地确定结构的DER编码。
dump any field whose OID is not recognised by GmSSL.
转储GmSSL不识别其OID的任何字段。
these options determine the field separators. The first character is between RDNs and the second between multiple AVAs (multiple AVAs are very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The sep_multiline uses a linefeed character for the RDN separator and a spaced + for the AVA separator. It also indents the fields by four characters. If no field separator is specified then sep_comma_plus_space is used by default.
这些选项决定了字段分隔符。 第一个字符在RDN之间,而第二个是多个AVA之间(多个AVA非常罕见,并且不鼓励使用它们)。 以“空格”结尾的选项还会在分隔符之后放置一个空格,使其更易于阅读。 sep_multiline对RDN分隔符使用换行字符, 并为AVA分隔符使用间隔的+。 它还将字段缩小四个字符。 如果没有指定字段分隔符,则默认使用sep_comma_plus_space。
reverse the fields of the DN. This is required by RFC2253. As a side effect this also reverses the order of multiple AVAs but this is permissible.
反转DN的字段。 这是RFC2253所要求的。 作为副作用,这也反转了多个AVA的顺序,但这是允许的。
these options alter how the field name is displayed. nofname does not display the field at all. sname uses the "short name" form (CN for commonName for example). lname uses the long form. oid represents the OID in numerical form and is useful for diagnostic purpose.
这些选项会改变字段名称的显示方式。 nofname根本不显示字段。 sname使用“短名称”表单(例如,用于commonName的CN)。 lname使用长格式。 oid以数字形式表示OID,可用于诊断目的。
align field values for a more readable output. Only usable with sep_multiline.
调整字段值以获得更可读的输出。 仅适用于sep_multiline。
places spaces round the = character which follows the field name.
在字段名后面的=字符上放置空格。
As well as customising the name output format, it is also possible to customise the actual fields printed using the certopt options when the text option is present. The default behaviour is to print all fields.
use the old format. This is equivalent to specifying no output options at all.
don't print header information: that is the lines saying "Certificate" and "Data".
don't print out the version number.
don't print out the serial number.
don't print out the signature algorithm used.
don't print the validity, that is the notBefore and notAfter fields.
don't print out the subject name.
don't print out the issuer name.
don't print out the public key.
don't give a hexadecimal dump of the certificate signature.
don't print out certificate trust information.
don't print out any X509V3 extensions.
retain default extension behaviour: attempt to print out unsupported certificate extensions.
print an error message for unsupported certificate extensions.
ASN1 parse unsupported extensions.
hex dump unsupported extensions.
the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, and no_version.
Note: in these examples the '\' means the example should be all on one line.
Display the contents of a certificate:
gmssl x509 -in cert.pem -noout -text
Display the certificate serial number:
gmssl x509 -in cert.pem -noout -serial
Display the certificate subject name:
gmssl x509 -in cert.pem -noout -subject
Display the certificate subject name in RFC2253 form:
gmssl x509 -in cert.pem -noout -subject -nameopt RFC2253
Display the certificate subject name in oneline form on a terminal supporting UTF8:
gmssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb
Display the certificate MD5 fingerprint:
gmssl x509 -in cert.pem -noout -fingerprint
Display the certificate SHA1 fingerprint:
gmssl x509 -sha1 -in cert.pem -noout -fingerprint
Convert a certificate from PEM to DER format:
gmssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Convert a certificate to a certificate request:
gmssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
Convert a certificate request into a self signed certificate using extensions for a CA:
gmssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
Sign a certificate request using the CA certificate above and add user certificate extensions:
gmssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-CA cacert.pem -CAkey key.pem -CAcreateserial
Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA"
gmssl x509 -in cert.pem -addtrust clientAuth \
-setalias "Steve's Class 1 CA" -out trust.pem
The PEM format uses the header and footer lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
it will also handle files containing:
-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----
Trusted certificates have the lines
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape and MSIE do this as do many certificates. So although this is incorrect it is more likely to display the majority of certificates correctly.
The -fingerprint option takes the digest of the DER encoded certificate. This is commonly called a "fingerprint". Because of the nature of message digests the fingerprint of a certificate is unique to that certificate and two certificates with the same fingerprint can be considered to be the same.
The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
The -email option searches the subject name and the subject alternative name extension. Only unique email addresses will be printed out: it will not print the same address more than once.
The -purpose option checks the certificate extensions and determines what the certificate can be used for. The actual checks done are rather complex and include various hacks and workarounds to handle broken certificates and software.
The same code is used when verifying untrusted certificates in chains so this section is useful if a chain is rejected by the verify code.
The basicConstraints extension CA flag is used to determine whether the certificate can be used as a CA. If the CA flag is true then it is a CA, if the CA flag is false then it is not a CA. All CAs should have the CA flag set to true.
If the basicConstraints extension is absent then the certificate is considered to be a "possible CA" other extensions are checked according to the intended use of the certificate. A warning is given in this case because the certificate should really not be regarded as a CA: however it is allowed to be a CA to work around some broken software.
If the certificate is a V1 certificate (and thus has no extensions) and it is self signed it is also assumed to be a CA but a warning is again given: this is to work around the problem of Verisign roots which are V1 self signed certificates.
If the keyUsage extension is present then additional restraints are made on the uses of the certificate. A CA certificate must have the keyCertSign bit set if the keyUsage extension is present.
The extended key usage extension places additional restrictions on the certificate uses. If this extension is present (whether critical or not) the key can only be used for the purposes specified.
A complete description of each test is given below. The comments about basicConstraints and keyUsage and V1 certificates above apply to all CA certificates.
The extended key usage extension must be absent or include the "web client authentication" OID. keyUsage must be absent or it must have the digitalSignature bit set. Netscape certificate type must be absent or it must have the SSL client bit set.
The extended key usage extension must be absent or include the "web client authentication" OID. Netscape certificate type must be absent or it must have the SSL CA bit set: this is used as a work around if the basicConstraints extension is absent.
The extended key usage extension must be absent or include the "web server authentication" and/or one of the SGC OIDs. keyUsage must be absent or it must have the digitalSignature, the keyEncipherment set or both bits set. Netscape certificate type must be absent or have the SSL server bit set.
The extended key usage extension must be absent or include the "web server authentication" and/or one of the SGC OIDs. Netscape certificate type must be absent or the SSL CA bit must be set: this is used as a work around if the basicConstraints extension is absent.
For Netscape SSL clients to connect to an SSL server it must have the keyEncipherment bit set if the keyUsage extension is present. This isn't always valid because some cipher suites use the key for digital signing. Otherwise it is the same as a normal SSL server.
The extended key usage extension must be absent or include the "email protection" OID. Netscape certificate type must be absent or should have the S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type then the SSL client bit is tolerated as an alternative but a warning is shown: this is because some Verisign certificates don't set the S/MIME bit.
In addition to the common S/MIME client tests the digitalSignature bit must be set if the keyUsage extension is present.
In addition to the common S/MIME tests the keyEncipherment bit must be set if the keyUsage extension is present.
The extended key usage extension must be absent or include the "email protection" OID. Netscape certificate type must be absent or must have the S/MIME CA bit set: this is used as a work around if the basicConstraints extension is absent.
The keyUsage extension must be absent or it must have the CRL signing bit set.
The normal CA tests apply. Except in this case the basicConstraints extension must be present.
Extensions in certificates are not transferred to certificate requests and vice versa.
It is possible to produce invalid certificates or requests by specifying the wrong private key or using inconsistent options in some cases: these should be checked.
There should be options to explicitly set such things as start and end dates rather than an offset from the current time.
req(1), ca(1), genrsa(1), gendsa(1), verify(1), x509v3_config(5)
The hash algorithm used in the -subject_hash and -issuer_hash options before GmSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In GmSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using c_rehash or similar.
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the GmSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.