Add 'openssl x509 -new' functionality to the libcrypto CLI utility

The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
author: job <> 2024-01-26 11:58:37 +0000
committer: job <> 2024-01-26 11:58:37 +0000
commit: ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7 (patch)
tree: 22591d8d23256836bf7d611b624a079dc6dafe19 /src/usr.bin/openssl/openssl.1
parent: e71abd74fd0206dc7a48c9c5a889e557b2afbb45 (diff)
download: openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.tar.gz
openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.tar.bz2
openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.zip
1 files changed, 21 insertions, 2 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index b608b1634e..0e2ffbcd00 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.154 2024/01/12 11:24:03 job Exp $
+.\" $OpenBSD: openssl.1,v 1.155 2024/01/26 11:58:37 job Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: January 12 2024 $
+.Dd $Mdocdate: January 26 2024 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -6112,6 +6112,7 @@ version.
 .Op Fl modulus
 .Op Fl multivalue-rdn
 .Op Fl nameopt Ar option
+.Op Fl new
 .Op Fl next_serial
 .Op Fl noout
 .Op Fl ocsp_uri
@@ -6153,10 +6154,14 @@ The following are x509 input, output, and general purpose options:
 .It Fl in Ar file
 The input file to read from,
 or standard input if not specified.
+This option cannot be used with
+.Fl new .
 .It Fl inform Cm der | net | pem
 The input format.
 Normally, the command will expect an X.509 certificate,
 but this can change if other options such as
+.Fl in
+or
 .Fl req
 are present.
 .It Fl md5 | sha1
@@ -6710,8 +6715,22 @@ The format of the key file used in the
 and
 .Fl signkey
 options.
+.It Fl new
+Generate a new certificate using the subject given by
+.Fl set_subject
+and signed by
+.Fl signkey .
+If no public key is provided with
+.Fl force_pubkey ,
+the resulting certificate is self-signed.
+This option cannot be used with
+.Fl in
+or
+.Fl req .
 .It Fl req
 Expect a certificate request on input instead of a certificate.
+This option cannot be used with
+.Fl new .
 .It Fl set_issuer Ar name
 The issuer name to use.
 .Ar name
author	job <>	2024-01-26 11:58:37 +0000
committer	job <>	2024-01-26 11:58:37 +0000
commit	ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7 (patch)
tree	22591d8d23256836bf7d611b624a079dc6dafe19 /src/usr.bin/openssl/openssl.1
parent	e71abd74fd0206dc7a48c9c5a889e557b2afbb45 (diff)
download	openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.tar.gz openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.tar.bz2 openbsd-ebf8195ae2a041b9e833b4a53bdf3b0f0ac2fee7.zip

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 index b608b1634e..0e2ffbcd00 100644 --- a/src/usr.bin/openssl/openssl.1 +++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.154 2024/01/12 11:24:03 job Exp $	1	.\" $OpenBSD: openssl.1,v 1.155 2024/01/26 11:58:37 job Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -110,7 +110,7 @@
110	.\" copied and put under another distribution licence	110	.\" copied and put under another distribution licence
111	.\" [including the GNU Public Licence.]	111	.\" [including the GNU Public Licence.]
112	.\"	112	.\"
113	.Dd $Mdocdate: January 12 2024 $	113	.Dd $Mdocdate: January 26 2024 $
114	.Dt OPENSSL 1	114	.Dt OPENSSL 1
115	.Os	115	.Os
116	.Sh NAME	116	.Sh NAME
@@ -6112,6 +6112,7 @@ version.
6112	.Op Fl modulus	6112	.Op Fl modulus
6113	.Op Fl multivalue-rdn	6113	.Op Fl multivalue-rdn
6114	.Op Fl nameopt Ar option	6114	.Op Fl nameopt Ar option
		6115	.Op Fl new
6115	.Op Fl next_serial	6116	.Op Fl next_serial
6116	.Op Fl noout	6117	.Op Fl noout
6117	.Op Fl ocsp_uri	6118	.Op Fl ocsp_uri
@@ -6153,10 +6154,14 @@ The following are x509 input, output, and general purpose options:
6153	.It Fl in Ar file	6154	.It Fl in Ar file
6154	The input file to read from,	6155	The input file to read from,
6155	or standard input if not specified.	6156	or standard input if not specified.
		6157	This option cannot be used with
		6158	.Fl new .
6156	.It Fl inform Cm der \| net \| pem	6159	.It Fl inform Cm der \| net \| pem
6157	The input format.	6160	The input format.
6158	Normally, the command will expect an X.509 certificate,	6161	Normally, the command will expect an X.509 certificate,
6159	but this can change if other options such as	6162	but this can change if other options such as
		6163	.Fl in
		6164	or
6160	.Fl req	6165	.Fl req
6161	are present.	6166	are present.
6162	.It Fl md5 \| sha1	6167	.It Fl md5 \| sha1
@@ -6710,8 +6715,22 @@ The format of the key file used in the
6710	and	6715	and
6711	.Fl signkey	6716	.Fl signkey
6712	options.	6717	options.
		6718	.It Fl new
		6719	Generate a new certificate using the subject given by
		6720	.Fl set_subject
		6721	and signed by
		6722	.Fl signkey .
		6723	If no public key is provided with
		6724	.Fl force_pubkey ,
		6725	the resulting certificate is self-signed.
		6726	This option cannot be used with
		6727	.Fl in
		6728	or
		6729	.Fl req .
6713	.It Fl req	6730	.It Fl req
6714	Expect a certificate request on input instead of a certificate.	6731	Expect a certificate request on input instead of a certificate.
		6732	This option cannot be used with
		6733	.Fl new .
6715	.It Fl set_issuer Ar name	6734	.It Fl set_issuer Ar name
6716	The issuer name to use.	6735	The issuer name to use.
6717	.Ar name	6736	.Ar name