Linux "req" Command Line Options and Examples
PKCS#10 certificate request and certificate generating utility

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates, for use as root CAs for example.


Usage:

openssl req [-help] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename]
[-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits]
[-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id]
[-[digest]] [-config filename] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-newhdr] [-extensions
section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine
id]

Command Line Options:

-help
Print out a usage message.
req -help ...
-inform
This specifies the input format. The DER option uses an ASN1 DER encoded form compatible with PKCS#10. The PEM form is the default format: it consists of the DER format base64 encoded with additional header and footer lines.
req -inform ...
-outform
This specifies the output format, the options have the same meaning as the -inform option.
req -outform ...
-in
This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey) are not specified.
req -in ...
-passin
the input file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
req -passin ...
-out
This specifies the output filename to write to or standard output by default.
req -out ...
-passout
the output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
req -passout ...
-text
prints out the certificate request in text form.
req -text ...
-subject
prints out the request subject (or certificate subject if -x509 is specified)
req -subject ...
-pubkey
outputs the public key.
req -pubkey ...
-noout
this option prevents output of the encoded version of the request.
req -noout ...
-modulus
this option prints out the value of the modulus of the public key contained in the request.
req -modulus ...
-verify
verifies the signature on the request.
req -verify ...
-new
this option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. If the -key option is not used it will generate a new RSA private key using information specified in the configuration file.
req -new ...
-rand
a file or files containing random data used to seed the random number generator, or an EGD socket (see RAND_egd(3)). Multiple files can be specified separated by an OS-dependent character. The separator is ; for MS-Windows, , for OpenVMS, and : for all others.
req -rand ...
-newkey
this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. If nbits is omitted, i.e. -newkey rsa is specified, the default key size specified in the configuration file is used. All other algorithms support the -newkey alg:file form, where file may be an algorithm parameter file, created by the genpkey -genparam command, or an X.509 certificate for a key with the appropriate algorithm. param:file generates a key using the parameter file or certificate file; the algorithm is determined by the parameters. algname:file uses algorithm algname and parameter file file: the two algorithms must match or an error occurs. algname just uses algorithm algname, and parameters, if necessary, should be specified via the -pkeyopt parameter. dsa:filename generates a DSA key using the parameters in the file filename. ec:filename generates an EC key (usable with both the ECDSA and ECDH algorithms). gost2001:filename generates a GOST R 34.10-2001 key (requires the ccgost engine configured in the configuration file). If just gost2001 is specified a parameter set should be specified by -pkeyopt paramset:X
req -newkey ...
-pkeyopt
set the public key algorithm option opt to value. The precise set of options supported depends on the public key algorithm used and its implementation. See KEY GENERATION OPTIONS in the genpkey manual page for more details.
req -pkeyopt ...
-key
This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for PEM format files.
req -key ...
-keyform
the format of the private key file specified in the -key argument. PEM is the default.
req -keyform ...
-keyout
this gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used.
req -keyout ...
-nodes
if this option is specified then if a private key is created it will not be encrypted.
req -nodes ...
-[digest]
this specifies the message digest to sign the request. Any digest supported by the OpenSSL dgst command can be used. This overrides the digest algorithm specified in the configuration file. Some public key algorithms may override this choice. For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (-md_gost94).
req -[digest] ...
-config
this allows an alternative configuration file to be specified. Optional; for a description of the default value, see "COMMAND SUMMARY" in openssl(1).
req -config ...
-subj
sets the subject name for a new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.
req -subj ...
-multivalue-rdn
this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example: /DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe. If -multivalue-rdn is not used then the UID value is 123456+CN=John Doe.
req -multivalue-rdn ...
-x509
this option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number. If an existing request is specified with the -in option, it is converted to the self signed certificate, otherwise a new request is created.
req -x509 ...
-days
when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.
req -days ...
-set_serial
serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by 0x.
req -set_serial ...
-reqexts
these options specify alternative sections to include certificate extensions (if the -x509 option is present) or certificate request extensions. This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes.
req -reqexts ...
-utf8
this option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.
req -utf8 ...
-nameopt
option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the -nameopt switch may be used more than once to set multiple options. See the x509(1) manual page for details.
req -nameopt ...
-reqopt
customise the output format used with -text. The option argument can be a single option or multiple options separated by commas. See the discussion of the -certopt parameter in the x509(1) command.
req -reqopt ...
-newhdr
Adds the word NEW to the PEM file header and footer lines on the outputted request. Some software (Netscape certificate server) and some CAs need this.
req -newhdr ...
-batch
non-interactive mode.
req -batch ...
-verbose
print extra details about the operations being performed.
req -verbose ...
-engine
specifying an engine (by its unique id string) will cause req to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
req -engine ...
-keygen_engine
specifies an engine (by its unique id string) which would be used for key generation operations.
req -keygen_engine ...


Configuration File Format:

The configuration options are specified in the req section of the configuration file. As with all configuration files, if no value is specified in the specific section (i.e. req) then the initial unnamed or default section is searched too. The options available are described in detail below.

input_password output_password
The passwords for the input private key file (if present) and the output private key file (if one will be created). The command line options passin and passout override the configuration file values.

default_bits
Specifies the default key size in bits. This option is used in conjunction with the -new option to generate a new key. It can be overridden by specifying an explicit key size in the -newkey option. The smallest accepted key size is 512 bits. If no key size is specified then 2048 bits is used.

default_keyfile
This is the default filename to write a private key to. If not specified the key is written to standard output. This can be overridden by the -keyout option.

oid_file
This specifies a file containing additional OBJECT IDENTIFIERS. Each line of the file should consist of the numerical form of the object identifier followed by white space, then the short name, followed by white space and finally the long name.

oid_section
This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by = and the numerical form. The short and long names are the same when this option is used.

RANDFILE
This specifies a filename in which random number seed information is placed and read from, or an EGD socket (see RAND_egd(3)). It is used for private key generation.

encrypt_key
If this is set to no then if a private key is generated it is not encrypted. This is equivalent to the
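The following is an added example, not part of the manual, that ties together the -newkey/-nodes/-batch/-subj options, the -verify check, the -x509/-days/-set_serial conversion and the req section of the configuration file described above. File names, the distinguished name and the serial value are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not part of the manual: drive req non-interactively from a
# small config file (the [ req ] section described above), verify the request,
# then convert the same request into a short-lived self-signed certificate.
# All file names and the example DN are assumptions for this illustration.
set -eu

# prompt = no makes req read the distinguished_name section as literal values.
write_req_config() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
encrypt_key        = no
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

[ req_dn ]
C  = US
O  = Example Org
CN = example.test

[ req_ext ]
subjectAltName = DNS:example.test, DNS:www.example.test
EOF
}

# Key + CSR in one step; -subj supersedes the CN from the config file.
# Returns 0 only if -verify reports the request's self-signature as OK.
make_and_verify_csr() {
  dir=$1
  write_req_config "$dir/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -batch -config "$dir/req.cnf" \
    -subj "/C=US/O=Example Org/CN=csr.example.test" \
    -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null
  openssl req -in "$dir/req.pem" -config "$dir/req.cnf" -verify -noout 2>&1 \
    | grep -q "verify OK"
}

# Self-sign the existing request (-in with -x509) for 7 days with an explicit
# serial; print subject and serial so the caller can check what was issued.
self_sign() {
  dir=$1
  openssl req -in "$dir/req.pem" -key "$dir/key.pem" -x509 -days 7 \
    -set_serial 0x1001 -config "$dir/req.cnf" -out "$dir/cert.pem" 2>/dev/null
  openssl x509 -in "$dir/cert.pem" -noout -subject -serial
}
```

Because the self-signed certificate is built from the request with -in, the subject it carries is the one -subj placed in the request, not the CN in the config file; that is the behaviour to check after using -subj.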