Linux "x509" Command Line Options and Examples
X.509 certificate handling

The x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA", or edit certificate trust settings. Since there are a large number of options, they are split up into various sections.


Usage:

openssl x509 [-help] [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM]
[-CAkeyform DER|PEM] [-in filename] [-out filename] [-serial] [-hash] [-subject_hash] [-issuer_hash] [-ocspid]
[-subject] [-issuer] [-nameopt option] [-email] [-ocsp_uri] [-startdate] [-enddate] [-purpose] [-dates]
[-checkend num] [-modulus] [-pubkey] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust] [-clrreject]
[-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename] [-passin arg]
[-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename]
[-force_pubkey key] [-text] [-certopt option] [-C] [-[digest]] [-clrext] [-extfile filename]
[-extensions section] [-engine id]

Command Line Options:

-help
Print out a usage message.
x509 -help ...
-inform
This specifies the input format. Normally the command will expect an X509 certificate, but this can change if other options such as -req are present. The DER format is the DER encoding of the certificate and PEM is the base64 encoding of the DER encoding with header and footer lines added. The NET option is an obscure Netscape server format that is now obsolete.
x509 -inform ...
-outform
This specifies the output format, the options have the same meaning as the -inform option.
x509 -outform ...
-in
This specifies the input filename to read a certificate from, or standard input if this option is not specified.
x509 -in ...
-out
This specifies the output filename to write to or standard output by default.
x509 -out ...
-[digest]
the digest to use. This affects any signing or display option that uses a message digest, such as the
x509 -[digest] ...
-fingerprint
not specified then SHA1 is used with -fingerprint or the default digest for the signing algorithm is used, typically SHA256.
x509 -fingerprint ...
-engine
specifying an engine (by its unique id string) will cause x509 to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
x509 -engine ...


Display Options:

Note: the -alias and -purpose options are also display options but are described in the Trust Settings section.

-text
prints out the certificate in text form. Full details are output including the public key, signature algorithms, issuer and subject names, serial number, any extensions present and any trust settings.
x509 -text ...
-certopt
customise the output format used with -text. The option argument can be a single option or multiple options separated by commas. The -certopt switch may also be used more than once to set multiple options. See the Text Options section for more information.
x509 -certopt ...
-noout
this option prevents output of the encoded version of the certificate or request.
x509 -noout ...
-pubkey
outputs the certificate's SubjectPublicKeyInfo block in PEM format.
x509 -pubkey ...
-modulus
this option prints out the value of the modulus of the public key contained in the certificate.
x509 -modulus ...
-serial
outputs the certificate serial number.
x509 -serial ...
-subject_hash
outputs the "hash" of the certificate subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name.
x509 -subject_hash ...
-issuer_hash
outputs the "hash" of the certificate issuer name.
x509 -issuer_hash ...
-ocspid
outputs the OCSP hash values for the subject name and public key.
x509 -ocspid ...
-hash
synonym for "-subject_hash" for backward compatibility reasons.
x509 -hash ...
-subject_hash_old
outputs the "hash" of the certificate subject name using the older algorithm as used by OpenSSL versions before 1.0.0.
x509 -subject_hash_old ...
-issuer_hash_old
outputs the "hash" of the certificate issuer name using the older algorithm as used by OpenSSL versions before 1.0.0.
x509 -issuer_hash_old ...
-subject
outputs the subject name.
x509 -subject ...
-issuer
outputs the issuer name.
x509 -issuer ...
-nameopt
option which determines how the subject or issuer names are displayed. The option argument can be a single option or multiple options separated by commas. Alternatively the -nameopt switch may be used more than once to set multiple options. See the Name Options section for more information.
x509 -nameopt ...
-email
outputs the email address(es) if any.
x509 -email ...
-ocsp_uri
outputs the OCSP responder address(es) if any.
x509 -ocsp_uri ...
-startdate
prints out the start date of the certificate, that is the notBefore date.
x509 -startdate ...
-enddate
prints out the expiry date of the certificate, that is the notAfter date.
x509 -enddate ...
-dates
prints out the start and expiry dates of a certificate.
x509 -dates ...
-checkend
checks if the certificate expires within the next arg seconds and exits non-zero if it will expire, or zero if not.
x509 -checkend ...
-C
x509 -C ...


Trust Settings:

A trusted certificate is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an "alias".

Normally when a certificate is being verified at least one certificate must be "trusted". By default a trusted certificate must be stored locally and must be a root CA: any certificate chain ending in this CA is then usable for any purpose.

Trust settings currently are only used with a root CA. They allow a finer control over the purposes the root CA can be used for. For example a CA may be trusted for SSL client but not SSL server use.

See the description of the verify utility for more information on the meaning of trust settings.

Future versions of OpenSSL will recognize trust settings on any certificate: not just root CAs.

-trustout
this causes x509 to output a trusted certificate. An ordinary or trusted certificate can be input but by default an ordinary certificate is output and any trust settings are discarded. With the -trustout option a trusted certificate is output. A trusted certificate is automatically output if any trust settings are modified.
x509 -trustout ...
-setalias
sets the alias of the certificate. This will allow the certificate to be referred to using a nickname, for example "Steve's Certificate".
x509 -setalias ...
-alias
outputs the certificate alias, if any.
x509 -alias ...
-clrtrust
clears all the permitted or trusted uses of the certificate.
x509 -clrtrust ...
-clrreject
clears all the prohibited or rejected uses of the certificate.
x509 -clrreject ...
-addtrust
adds a trusted certificate use. Any object name can be used here but currently only clientAuth (SSL client use), serverAuth (SSL server use), emailProtection (S/MIME email) and anyExtendedKeyUsage are used. As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or enables all purposes when trusted. Other OpenSSL applications may define additional uses.
x509 -addtrust ...
-addreject
adds a prohibited use. It accepts the same values as the -addtrust option.
x509 -addreject ...
-purpose
this option performs tests on the certificate extensions and outputs the results. For a more complete description see the CERTIFICATE EXTENSIONS section.
x509 -purpose ...


Signing Options:

The x509 utility can be used to sign certificates and requests: it can thus behave like a "mini CA".

-signkey
this option causes the input file to be self signed using the supplied private key.

If the input file is a certificate it sets the issuer name to the subject name (i.e. makes it self signed), changes the public key to the supplied value and changes the start and end dates. The start date is set to the current time and the end date is set to a value determined by the -days option. Any certificate extensions are retained unless the -clrext option is supplied; this includes, for example, any existing key identifier extensions.

If the input is a certificate request then a self signed certificate is created using the supplied private key using the subject name in the request.
x509 -signkey ...
-passin
the key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
x509 -passin ...
-clrext
delete any extensions from a certificate. This option is used when a certificate is being created from another certificate (for example with the -signkey or the -CA options). Normally all extensions are retained.
x509 -clrext ...
-keyform
specifies the format (DER or PEM) of the private key file used in the -signkey option.
x509 -keyform ...
-days
specifies the number of days to make a certificate valid for. The default is 30 days.
x509 -days ...
-x509toreq
converts a certificate into a certificate request. The -signkey option is used to pass the required private key.
x509 -x509toreq ...
-req
by default a certificate is expected on input. With this option a certificate request is expected instead.
x509 -req ...
-set_serial
specifies the serial number to use. This option can be used with either the -signkey or -CA options. If used in conjunction with the -CA option the serial number file (as specified by the -CAserial or
x509 -set_serial ...
-CAcreateserial
The serial number can be decimal or hex (if preceded by 0x).
x509 -CAcreateserial ...
-CA
specifies the CA certificate to be used for signing. When this option is present x509 behaves like a "mini CA". The input file is signed by this CA using this option: that is its issuer name is set to the subject name of the CA and it is digitally signed using the CA's private key.

This option is normally combined with the -req option. Without the -req option the input is a certificate which must be self signed.
x509 -CA ...
-CAkey
sets the CA private key to sign a certificate with. If this option is not specified then it is assumed that the CA private key is present in the CA certificate file.
x509 -CAkey ...
-CAserial
sets the CA serial number file to use.

When the -CA option is used to sign a certificate it uses a serial number specified in a file. This file consists of one line containing an even number of hex digits with the serial number to use. After each use the serial number is incremented and written out to the file again.

The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
x509 -CAserial ...
-extfile
file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
x509 -extfile ...
-extensions
the section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called "extensions" which contains the section to use. See the x509v3_config(5) manual page for details of the extension section format.
x509 -extensions ...
-force_pubkey
when a certificate is created set its public key to key instead of the key in the certificate or certificate request. This option is useful for creating certificates where the algorithm can't normally sign requests, for example DH. The format of key can be specified using the -keyform option.
x509 -force_pubkey ...


Name Options:

The nameopt command line switch determines how the subject and issuer names are displayed. If no nameopt switch is present the default "oneline" format is used which is compatible with previous versions of OpenSSL. Each option is described in detail below; all options can be preceded by a - to turn the option off. Only the first four will normally be used.

compat
use the old format.
RFC2253
displays names compatible with RFC2253, equivalent to esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der, sep_comma_plus, dn_rev and sname.
oneline
a oneline format which is more readable than RFC2253. It is equivalent to specifying the esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq and sname options. This is the default if no name options are given explicitly.
multiline
a multiline format. It is equivalent to esc_ctrl, esc_msb, sep_multiline, space_eq, lname and align.
esc_2253
escape the "special" characters required by RFC2253 in a field. That is ,+"<>;. Additionally # is escaped at the beginning of a string and a space character at the beginning or end of a string.
esc_2254
escape the "special" characters required by RFC2254 in a field. That is the NUL character as well as \ and ()*.
esc_ctrl
escape control characters. That is those with ASCII values less than 0x20 (space) and the delete (0x7f) character. They are escaped using the RFC2253 \XX notation (where XX are two hex digits representing the character value).
esc_msb
escape characters with the MSB set, that is with ASCII values larger than 127.
use_quote
escapes some characters by surrounding the whole string with " characters; without the option all escaping is done with the \ character.
utf8
convert all strings to UTF8 format first. This is required by RFC2253. If you are lucky enough to have a UTF8 compatible terminal then the use of this option (and not setting esc_msb) may result in the correct display of multibyte (international) characters. If this option is not present then multibyte characters larger than 0xff will be represented using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits. Also if this option is off any UTF8Strings will be converted to their character form first.
ignore_type
this option does not attempt to interpret multibyte characters in any way. That is their content octets are merely dumped as though one octet represents each character. This is useful for diagnostic purposes but will result in rather odd looking output.
show_type
show the type of the ASN1 character string. The type precedes the field contents. For example "BMPSTRING: Hello World".
dump_der
when this option is set any fields that need to be hexdumped will be dumped using the DER encoding of the field. Otherwise just the content octets will be displayed. Both options use the RFC2253 #XXXX... format.
dump_nostr
dump non character string types (for example OCTET STRING); if this option is not set then non character string types will be displayed as though each content octet represents a single character.
dump_all
dump all fields. This option when used with dump_der allows the DER encoding of the structure to be unambiguously determined.
dump_unknown
dump any field whose OID is not recognised by OpenSSL.
sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline
these options determine the field separators. The first character is between RDNs and the second between multiple AVAs (multiple AVAs are very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The sep_multiline uses a linefeed character for the RDN separator and a spaced + for the AVA separator. It also indents the fields by four characters. If no field separator is specified then sep_comma_plus_space is used by default.
dn_rev
reverse the fields of the DN. This is required by RFC2253. As a side effect this also reverses the order of multiple AVAs but this is permissible.
nofname, sname, lname, oid
these options alter how the field name is displayed. nofname does not display the field at all. sname uses the "short name" form (CN for commonName for example). lname uses the long form. oid represents the OID in numerical form and is useful for diagnostic purposes.
align
align field values for a more readable output. Only usable with sep_multiline.
space_eq
places spaces round the = character which follows the field name.


Text Options:

As well as customising the name output format, it is also possible to customise the actual fields printed using the certopt options when the text option is present. The default behaviour is to print all fields.

compatible
use the old format. This is equivalent to specifying no output options at all.
no_header
don't print header information: that is the lines saying "Certificate" and "Data".
no_version
don't print out the version number.
no_serial
don't print out the serial number.
no_signame
don't print out the signature algorithm used.
no_validity
don't print the validity, that is the notBefore and notAfter fields.
no_subject
don't print out the subject name.
no_issuer
don't print out the issuer name.
no_pubkey
don't print out the public key.
no_sigdump
don't give a hexadecimal dump of the certificate signature.
no_aux
don't print out certificate trust information.
no_extensions
don't print out any X509V3 extensions.
ext_default
retain default extension behaviour: attempt to print out unsupported certificate extensions.
ext_error
print an error message for unsupported certificate extensions.
ext_parse
ASN1 parse unsupported extensions.
ext_dump
hex dump unsupported extensions.
ca_default
the value used by the ca utility, equivalent to no_issuer, no_pubkey, no_header, and no_version.


Examples:

Note: in these examples the '\' means the example should be all on one line.

Display the contents of a certificate:
openssl x509 -in cert.pem -noout -text

Display the certificate serial number:
openssl x509 -in cert.pem -noout -serial

Display the certificate subject name:
openssl x509 -in cert.pem -noout -subject

Display the certificate subject name in RFC2253 form:
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253

Display the certificate subject name in oneline form on a terminal supporting UTF8:
openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

Display the certificate MD5 fingerprint:
openssl x509 -in cert.pem -noout -fingerprint

Display the certificate SHA1 fingerprint:
openssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Convert a certificate to a certificate request:
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

Convert a certificate request into a self signed certificate using extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
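The signing options (-req, -signkey, -CA/-CAkey, -CAserial, -extfile/-extensions, -days), the trust settings (-addtrust, -addreject, -setalias, -trustout) and -checkend described above, exercised end to end in one throwaway "mini CA". This is an added shell example and not from the OpenSSL manual: the CA and leaf names, the config file and the starting serial 0A are constructed for it, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
# Added example, not from the OpenSSL manual. Assumed: openssl 1.1.1+ on PATH,
# a writable temp dir; all names, the config and the serial 0A are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
# Minimal config: an empty DN section so "req -subj" needs no prompts, plus the
# extension sections that -extfile/-extensions pull in.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
REQ="openssl req -config $CFG -new -newkey rsa:2048 -nodes"
# 1. CA: a request turned into a self-signed CA cert with -signkey and the
#    v3_ca extensions (the manual's last example).
$REQ -subj "/CN=Example Mini CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
  -extfile "$CFG" -extensions v3_ca -out "$WORK/ca.pem" 2>/dev/null
# 2. Leaf: signed by the CA; -CAserial names the hex serial file, which is
#    incremented and written back on each use. Only 1 day of validity.
printf '0A\n' >"$WORK/ca.srl"
$REQ -subj "/CN=server.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAserial "$WORK/ca.srl" -days 1 -extfile "$CFG" -extensions v3_leaf \
  -out "$WORK/leaf.pem" 2>/dev/null
# 3. Trust settings: a TRUSTED CERTIFICATE form of the CA, usable as an anchor
#    for serverAuth but explicitly rejected for clientAuth.
openssl x509 -in "$WORK/ca.pem" -addtrust serverAuth -addreject clientAuth \
  -setalias "Mini CA (server only)" -trustout -out "$WORK/ca-trusted.pem"

# Each helper prints one word so the result can be checked.
issuer_of()   { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
serial_of()   { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
serial_file() { tr -d '\n' <"$WORK/ca.srl"; }
# -checkend takes SECONDS and exits non-zero if the cert expires within them.
expires_within_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && echo no || echo yes
}
# verify honours the trust/reject settings carried by a trusted CA cert.
verifies_for() {
  openssl verify -purpose "$1" -CAfile "$2" "$WORK/leaf.pem" >/dev/null 2>&1 && echo ok || echo rejected
}

echo "issuer: $(issuer_of "$WORK/leaf.pem"); serial: $(serial_of "$WORK/leaf.pem"); serial file now: $(serial_file)"
echo "expires within 2 days: $(expires_within_days "$WORK/leaf.pem" 2); within 0: $(expires_within_days "$WORK/leaf.pem" 0)"
echo "sslserver/trusted: $(verifies_for sslserver "$WORK/ca-trusted.pem")"
echo "sslclient/trusted: $(verifies_for sslclient "$WORK/ca-trusted.pem"), sslclient/plain: $(verifies_for sslclient "$WORK/ca.pem")"
```

The same CA file verifies the leaf for sslclient when loaded as a plain certificate but is rejected once its trust settings are attached, which is the finer control the Trust Settings section describes.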