- No more OpenSSL 1.x support - Remove 1DES and 3DES - Remove NETLOGON, NTLM (client and 'digest' service)
.\" Copyright (c) 2022 Kungliga Tekniska Högskolan
|
|
.\" (Royal Institute of Technology, Stockholm, Sweden).
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" 3. Neither the name of the Institute nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id$
|
|
.\"
|
|
.Dd December 23, 2025
|
|
.Dt HXTOOL 1
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm hxtool
|
|
.Nd PKIX command-line utility
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Oo Fl Fl version Oc
|
|
.Oo Fl Fl help Oc
|
|
.Oo Fl Fl openssl-cnf=file Oc
|
|
.Oo Fl Fl openssl-propq=propq Oc
|
|
.Op Ar sub-command
|
|
.Nm
|
|
.Ic list-oids
|
|
.Nm
|
|
.Ic cms-create-sd
|
|
.Op Fl c Ar certificate-store | Fl Fl certificate Ns = Ns Ar certificate-store
|
|
.Op Fl s Ar signer-friendly-name | Fl Fl signer Ns = Ns Ar signer-friendly-name
|
|
.Op Fl Fl anchors Ns = Ns Ar certificate-store
|
|
.Op Fl Fl pool Ns = Ns Ar certificate-pool
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl peer-alg Ns = Ns Ar oid
|
|
.Op Fl Fl content-type Ns = Ns Ar oid
|
|
.Op Fl Fl content-info
|
|
.Op Fl Fl pem
|
|
.Op Fl Fl detached-signature
|
|
.Op Fl Fl signer
|
|
.Op Fl Fl id-by-name
|
|
.Op Fl Fl embedded-certs
|
|
.Op Fl Fl embed-leaf-only
|
|
.Ar in-file out-file
|
|
.Nm
|
|
.Ic cms-verify-sd
|
|
.Op Fl D Ar certificate-store | Fl Fl anchors Ns = Ns Ar certificate-store
|
|
.Op Fl c Ar certificate-store | Fl Fl certificate Ns = Ns Ar certificate-store
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl missing-revoke
|
|
.Op Fl Fl content-info
|
|
.Op Fl Fl pem
|
|
.Op Fl Fl signer-allowed
|
|
.Op Fl Fl allow-wrong-oid
|
|
.Op Fl Fl signed-content Ns = Ns Ar value
|
|
.Op Fl Fl oid-sym
|
|
.Ar in-file Op Ar out-file
|
|
.Nm
|
|
.Ic cms-unenvelope
|
|
.Op Fl c Ar certificate-store | Fl Fl certificate Ns = Ns Ar certificate-store
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl content-info
|
|
.Op Fl Fl allow-weak-crypto
|
|
.Ar in-file out-file
|
|
.Nm
|
|
.Ic cms-envelope
|
|
.Op Fl c Ar certificate-store | Fl Fl certificate Ns = Ns Ar certificate-store
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl encryption-type Ns = Ns Ar enctype
|
|
.Op Fl Fl content-type Ns = Ns Ar oid
|
|
.Op Fl Fl content-info
|
|
.Op Fl Fl allow-weak-crypto
|
|
.Ar in-file out-file
|
|
.Nm
|
|
.Ic verify
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl allow-proxy-certificate
|
|
.Op Fl Fl missing-revoke
|
|
.Op Fl Fl time Ns = Ns Ar value
|
|
.Op Fl v | Fl Fl verbose
|
|
.Op Fl Fl max-depth Ns = Ns Ar value
|
|
.Op Fl Fl hostname Ns = Ns Ar value
|
|
.Ar cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2
|
|
.Nm
|
|
.Ic print
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl content
|
|
.Op Fl Fl raw-json
|
|
.Op Fl Fl never-fail
|
|
.Op Fl Fl info
|
|
.Ar certificate ...
|
|
.Nm
|
|
.Ic validate
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Ar certificate ...
|
|
.Nm
|
|
.Ic certificate-copy
|
|
.Op Fl Fl in-pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl in-pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl in-pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl out-pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl out-pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl out-pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl append
|
|
.Op Fl Fl root-certs
|
|
.Op Fl Fl private-keys
|
|
.Ar in-certificates-1 ... out-certificate
|
|
.Nm
|
|
.Ic ocsp-fetch
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl sign Ns = Ns Ar certificate
|
|
.Op Fl Fl url-path Ns = Ns Ar url
|
|
.Op Fl Fl nonce
|
|
.Op Fl Fl pool Ns = Ns Ar certificate-store
|
|
.Ar outfile certs ...
|
|
.Nm
|
|
.Ic ocsp-verify
|
|
.Op Fl Fl ocsp-file Ns = Ns Ar value
|
|
.Ar certificates ...
|
|
.Nm
|
|
.Ic ocsp-print
|
|
.Op Fl Fl verbose
|
|
.Ar ocsp-response-file ...
|
|
.Nm
|
|
.Ic revoke-print
|
|
.Op Fl Fl verbose
|
|
.Ar ocsp/crl files
|
|
.Nm
|
|
.Ic generate-key
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Op Fl Fl key-bits Ns = Ns Ar value
|
|
.Op Fl Fl verbose
|
|
.Ar output-file
|
|
.Nm
|
|
.Ic request-create
|
|
.Op Fl Fl ca
|
|
.Op Fl Fl ca-path-length Ns = Ns Ar value
|
|
.Op Fl Fl ee
|
|
.Op Fl Fl subject Ns = Ns Ar value
|
|
.Op Fl Fl eku Ns = Ns Ar oid-string
|
|
.Op Fl Fl email Ns = Ns Ar value
|
|
.Op Fl Fl jid Ns = Ns Ar value
|
|
.Op Fl Fl dnsname Ns = Ns Ar value
|
|
.Op Fl Fl kerberos Ns = Ns Ar value
|
|
.Op Fl Fl ms-kerberos Ns = Ns Ar value
|
|
.Op Fl Fl registered Ns = Ns Ar value
|
|
.Op Fl Fl dn Ns = Ns Ar value
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Op Fl Fl key Ns = Ns Ar value
|
|
.Op Fl Fl generate-key Ns = Ns Ar value
|
|
.Op Fl Fl key-bits Ns = Ns Ar value
|
|
.Op Fl Fl verbose
|
|
.Ar output-file
|
|
.Nm
|
|
.Ic request-print
|
|
.Op Fl Fl verbose
|
|
.Ar requests ...
|
|
.Nm
|
|
.Ic query
|
|
.Op Fl Fl exact
|
|
.Op Fl Fl private-key
|
|
.Op Fl Fl friendlyname Ns = Ns Ar name
|
|
.Op Fl Fl eku Ns = Ns Ar oid-string
|
|
.Op Fl Fl expr Ns = Ns Ar expression
|
|
.Op Fl Fl keyEncipherment
|
|
.Op Fl Fl digitalSignature
|
|
.Op Fl Fl print
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Ar certificates ...
|
|
.Nm
|
|
.Ic info
|
|
.Nm
|
|
.Ic random-data
|
|
.Ar bytes
|
|
.Nm
|
|
.Ic crypto-available
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Op Fl Fl oid-syms
|
|
.Nm
|
|
.Ic crypto-select
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Op Fl Fl certificate Ns = Ns Ar value
|
|
.Op Fl Fl peer-cmstype Ns = Ns Ar value
|
|
.Op Fl Fl oid-sym
|
|
.Nm
|
|
.Ic hex
|
|
.Op Fl d | Fl Fl decode
|
|
.Nm
|
|
.Ic certificate-sign
|
|
.Op Fl Fl issue-ca
|
|
.Op Fl Fl issue-proxy
|
|
.Op Fl Fl domain-controller
|
|
.Op Fl Fl subject Ns = Ns Ar value
|
|
.Op Fl Fl ca-certificate Ns = Ns Ar value
|
|
.Op Fl Fl self-signed
|
|
.Op Fl Fl ca-private-key Ns = Ns Ar value
|
|
.Op Fl Fl certificate Ns = Ns Ar value
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Op Fl Fl lifetime Ns = Ns Ar value
|
|
.Op Fl Fl signature-algorithm Ns = Ns Ar value
|
|
.Op Fl Fl serial-number Ns = Ns Ar value
|
|
.Op Fl Fl path-length Ns = Ns Ar value
|
|
.Op Fl Fl eku Ns = Ns Ar oid-string
|
|
.Op Fl Fl ku Ns = Ns Ar value
|
|
.Op Fl Fl hostname Ns = Ns Ar value
|
|
.Op Fl Fl dnssrv Ns = Ns Ar value
|
|
.Op Fl Fl email Ns = Ns Ar value
|
|
.Op Fl Fl pk-init-principal Ns = Ns Ar value
|
|
.Op Fl Fl ms-upn Ns = Ns Ar value
|
|
.Op Fl Fl jid Ns = Ns Ar value
|
|
.Op Fl Fl permanent-id Ns = Ns Ar value
|
|
.Op Fl Fl hardware-module-name Ns = Ns Ar value
|
|
.Op Fl Fl policy Ns = Ns Ar value
|
|
.Op Fl Fl policy-mapping Ns = Ns Ar value
|
|
.Op Fl Fl pkinit-max-life Ns = Ns Ar value
|
|
.Op Fl Fl req Ns = Ns Ar value
|
|
.Op Fl Fl certificate-private-key Ns = Ns Ar value
|
|
.Op Fl Fl generate-key Ns = Ns Ar value
|
|
.Op Fl Fl key-bits Ns = Ns Ar value
|
|
.Op Fl Fl crl-uri Ns = Ns Ar value
|
|
.Op Fl Fl template-certificate Ns = Ns Ar value
|
|
.Op Fl Fl template-fields Ns = Ns Ar value
|
|
.Nm
|
|
.Ic test-crypto
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl verbose
|
|
.Ar certificates...
|
|
.Nm
|
|
.Ic statistic-print
|
|
.Op Fl Fl type Ns = Ns Ar value
|
|
.Nm
|
|
.Ic crl-sign
|
|
.Op Fl Fl signer Ns = Ns Ar value
|
|
.Op Fl Fl pass Ns = Ns Ar PASS:password
|
|
.Op Fl Fl pass Ns = Ns Ar FILE:path
|
|
.Op Fl Fl pass Ns = Ns Ar PROMPT
|
|
.Op Fl Fl crl-file Ns = Ns Ar value
|
|
.Op Fl Fl lifetime Ns = Ns Ar value
|
|
.Ar certificates...
|
|
.Nm
|
|
.Ic acert
|
|
.Op Fl v | Fl Fl verbose
|
|
.Op Fl Fl end-entity
|
|
.Op Fl Fl ca
|
|
.Op Fl Fl cert-num Ns = Ns Ar value
|
|
.Op Fl Fl expr Ns = Ns Ar expression
|
|
.Op Fl M Ar EMAIL | Fl Fl has-email-san Ns = Ns Ar EMAIL
|
|
.Op Fl X Ar jabber-address | Fl Fl has-xmpp-san Ns = Ns Ar jabber-address
|
|
.Op Fl U Ar UPN | Fl Fl has-ms-upn-san Ns = Ns Ar UPN
|
|
.Op Fl D Ar FQDN | Fl Fl has-dnsname-san Ns = Ns Ar FQDN
|
|
.Op Fl P Ar PRINCIPAL | Fl Fl has-pkinit-san Ns = Ns Ar PRINCIPAL
|
|
.Op Fl R Ar OID | Fl Fl has-registeredID-san Ns = Ns Ar OID
|
|
.Op Fl E Ar OID | Fl Fl has-eku Ns = Ns Ar OID
|
|
.Op Fl K Ar key usage element | Fl Fl has-ku Ns = Ns Ar key usage element
|
|
.Op Fl Fl exact
|
|
.Op Fl n | Fl Fl valid-now
|
|
.Op Fl Fl valid-at Ns = Ns Ar datetime
|
|
.Op Fl Fl not-after-eq Ns = Ns Ar datetime
|
|
.Op Fl Fl not-after-lt Ns = Ns Ar datetime
|
|
.Op Fl Fl not-after-gt Ns = Ns Ar datetime
|
|
.Op Fl Fl not-before-eq Ns = Ns Ar datetime
|
|
.Op Fl Fl not-before-lt Ns = Ns Ar datetime
|
|
.Op Fl Fl not-before-gt Ns = Ns Ar datetime
|
|
.Op Fl Fl has-private-key
|
|
.Op Fl Fl lacks-private-key
|
|
.Ar certificate-store
|
|
.Nm
|
|
.Ic jwt-sign
|
|
.Op Fl a Ar algorithm | Fl Fl algorithm Ns = Ns Ar algorithm
|
|
.Op Fl k Ar file | Fl Fl private-key Ns = Ns Ar file
|
|
.Op Fl i Ar issuer | Fl Fl issuer Ns = Ns Ar issuer
|
|
.Op Fl s Ar subject | Fl Fl subject Ns = Ns Ar subject
|
|
.Op Fl A Ar audience | Fl Fl audience Ns = Ns Ar audience
|
|
.Op Fl l Ar seconds | Fl Fl lifetime Ns = Ns Ar seconds
|
|
.Op Fl o Ar file | Fl Fl output Ns = Ns Ar file
|
|
.Nm
|
|
.Ic jwt-verify
|
|
.Op Fl k Ar file | Fl Fl public-key Ns = Ns Ar file
|
|
.Op Fl A Ar audience | Fl Fl audience Ns = Ns Ar audience
|
|
.Op Fl t Ar token | Fl Fl token Ns = Ns Ar token
|
|
.Nm
|
|
.Ic pem-to-jwk
|
|
.Op Fl i Ar file | Fl Fl input Ns = Ns Ar file
|
|
.Op Fl o Ar file | Fl Fl output Ns = Ns Ar file
|
|
.Op Ar pem-file
|
|
.Nm
|
|
.Ic help
|
|
.Op Ar command
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is a command-line utility for making certificate signing requests
|
|
(CSRs), displaying CSRs, displaying certificates, signing
|
|
certificates, validating certificates, managing certificate
|
|
revocation lists (CRLs), etc.
|
|
.Pp
|
|
Every sub-command has its own help message, shown when invoked
|
|
with the
|
|
.Fl Fl help
|
|
or
|
|
.Fl h
|
|
option.
|
|
.Pp
|
|
Many sub-commands' command-line options refer to certificate and
|
|
private key stores, supporting DER, PEM, and PKCS#12 files, as
|
|
well as PKCS#11 hard and soft tokens, and other certificate
|
|
stores.
|
|
See
|
|
.Sx CERTIFICATE STORES
|
|
below for how to refer to certificates and private keys.
|
|
.Pp
|
|
The
|
|
.Fl Fl pass Ns = Ns Ar PASS:password ,
|
|
.Fl Fl pass Ns = Ns Ar FILE:path ,
|
|
and
|
|
.Fl Fl pass Ns = Ns Ar PROMPT
|
|
options are for specifying passwords for PKCS#8 (PEM) and PKCS#12 stores, and
|
|
if one is needed and not given, it will be prompted for.
|
|
Note that it's not secure to pass passwords as command-line
|
|
arguments on multi-tenant systems, where other users can see process
arguments; prefer the FILE:path or PROMPT forms there.
|
|
For PKCS#11 stores, the details of how a PIN is provided vary by
|
|
OpenSSL provider.
|
|
See
|
|
.Sx CERTIFICATE STORES
|
|
for details of how to specify PINs for PKCS#11 tokens.
|
|
.Pp
|
|
The
|
|
.Fl Fl openssl-cnf=file
|
|
option is for specifying an alternative OpenSSL configuration
|
|
file, which can be useful for enabling FIPS or PKCS#11 providers
|
|
for this program but not by default for all programs.
|
|
The
|
|
.Fl Fl openssl-propq=propq
|
|
option is for specifying OpenSSL property queries.
|
|
See
|
|
.Xr property 7 .
|
|
.Pp
|
|
.Sh SUPPORTED COMMANDS
|
|
.Bl -tag -width Ds -offset indent
|
|
.It Ic list-oids
|
|
List known OIDs.
|
|
.It Ic cms-create-sd , Ic cms-sign
|
|
Wrap a file within a SignedData object.
|
|
.It Ic cms-verify-sd
|
|
Verify a file within a SignedData object.
|
|
.It Ic cms-unenvelope
|
|
Unenvelope a file containing an EnvelopedData object.
|
|
.It Ic cms-envelope
|
|
Envelope a file as an EnvelopedData object.
|
|
.It Ic verify
|
|
Verify a certificate and its certification path up to a trust
|
|
anchor, possibly checking CRLs.
|
|
.It Ic print
|
|
Print a human-readable rendering of certificates in a store.
|
|
See
|
|
.Sx CERTIFICATE STORES .
|
|
.It Ic validate
|
|
Validate content of a certificate (but not a full chain).
|
|
.It Ic certificate-copy , Ic cc
|
|
Copy certificates and possibly private keys from one store to
|
|
another.
|
|
See
|
|
.Sx CERTIFICATE STORES .
|
|
.It Ic ocsp-fetch
|
|
Fetch OCSP responses for the given certificates.
|
|
.It Ic ocsp-verify
|
|
Verify that certificates are in the OCSP file and are valid.
|
|
.It Ic ocsp-print
|
|
Print a human-readable rendering of OCSP responses.
|
|
.It Ic revoke-print
|
|
Print a human-readable rendering of a CRL or OCSP response chain.
|
|
.It Ic generate-key
|
|
Generate a private key.
|
|
.It Ic request-create
|
|
Create a CRMF or PKCS#10 request (CSR).
|
|
.It Ic request-print
|
|
Print a human-readable rendering of a CSR.
|
|
.It Ic query
|
|
Query a certificate store for matching certificates.
|
|
.It Ic info
|
|
Print information about supported algorithms.
|
|
.It Ic random-data
|
|
Generate random bytes and print them to standard output.
|
|
.It Ic crypto-available
|
|
Print available CMS crypto types.
|
|
.It Ic crypto-select
|
|
Print selected CMS type based on peer capabilities.
|
|
.It Ic hex
|
|
Hex-encode or decode input.
|
|
.It Ic certificate-sign , Ic cert-sign , Ic issue-certificate , Ic ca
|
|
Issue a certificate, signing it with a Certification Authority
|
|
(CA) certificate, or self-signing it.
|
|
This can issue End Entity (EE), intermediate Certification
|
|
Authority (CA), and root (self-signed) CA certificates.
|
|
.It Ic test-crypto
|
|
Test crypto system related to the certificates.
|
|
.It Ic statistic-print
|
|
Print statistics.
|
|
.It Ic crl-sign
|
|
Create or update a CRL.
|
|
.It Ic acert
|
|
Assert certificate content (for testing).
|
|
.It Ic jwt-sign
|
|
Create a signed JWT.
|
|
This is used mainly for testing \(em this is not intended for
|
|
implementing a security token service (STS).
|
|
Users who wish to implement an STS should use
|
|
.Xr hx509_jws_sign 3 .
|
|
.It Ic jwt-verify
|
|
Verify a JWT and print claims.
|
|
This is used mainly for testing \(em this is not intended for
|
|
implementing Bearer token acceptors.
|
|
Users who wish to implement Bearer token acceptors should use
|
|
.Xr hx509_jws_verify 3 .
|
|
.It Ic pem-to-jwk
|
|
Convert PEM key to JWK format.
|
|
.It Ic help , Ic \&?
|
|
Show help.
|
|
.El
|
|
.Pp
|
|
Other sub-commands reported by the
|
|
.Ic help
|
|
sub-command are not stable or fully supported at this time.
|
|
.Sh COMMAND OPTIONS
|
|
.Ss list-oids
|
|
List known OIDs.
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss cms-create-sd
|
|
Wrap a file within a CMS SignedData object.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl c Ar certificate-store , Fl Fl certificate Ns = Ns Ar certificate-store
|
|
Certificate stores to pull certificates from.
|
|
.It Fl s Ar signer-friendly-name , Fl Fl signer Ns = Ns Ar signer-friendly-name
|
|
Certificate to sign with.
|
|
.It Fl Fl anchors Ns = Ns Ar certificate-store
|
|
Trust anchors.
|
|
.It Fl Fl pool Ns = Ns Ar certificate-pool
|
|
Certificate store to pull certificates from.
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar FILE:path
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
.It Fl Fl peer-alg Ns = Ns Ar oid
|
|
OID that the peer supports.
|
|
.It Fl Fl content-type Ns = Ns Ar oid
|
|
Content type OID.
|
|
.It Fl Fl content-info
|
|
Wrap output data in a ContentInfo.
|
|
.It Fl Fl pem
|
|
Wrap output data in PEM armor.
|
|
.It Fl Fl detached-signature
|
|
Create a detached signature.
|
|
.It Fl Fl signer
|
|
Do not sign.
|
|
.It Fl Fl id-by-name
|
|
Use subject name for CMS Identifier.
|
|
.It Fl Fl embedded-certs
|
|
Don't embed certificates.
|
|
.It Fl Fl embed-leaf-only
|
|
Only embed leaf certificate.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss cms-verify-sd
|
|
Verify a file within a CMS SignedData object.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl D Ar certificate-store , Fl Fl anchors Ns = Ns Ar certificate-store
|
|
Trust anchors.
|
|
.It Fl c Ar certificate-store , Fl Fl certificate Ns = Ns Ar certificate-store
|
|
Certificate store to pull certificates from.
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar FILE:path
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
.It Fl Fl missing-revoke
|
|
Missing CRL/OCSP is ok.
|
|
.It Fl Fl content-info
|
|
Unwrap input data that's in a ContentInfo.
|
|
.It Fl Fl pem
|
|
Unwrap input data from PEM armor.
|
|
.It Fl Fl signer-allowed
|
|
Allow no signer.
|
|
.It Fl Fl allow-wrong-oid
|
|
Allow wrong OID flag.
|
|
.It Fl Fl signed-content Ns = Ns Ar value
|
|
File containing content.
|
|
.It Fl Fl oid-sym
|
|
Show symbolic name for OID.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss cms-unenvelope
|
|
Unenvelope a file containing an EnvelopedData object.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl c Ar certificate-store , Fl Fl certificate Ns = Ns Ar certificate-store
|
|
Certificate used to decrypt the data.
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar FILE:path
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
.It Fl Fl content-info
|
|
Unwrap input data that's in a ContentInfo.
|
|
.It Fl Fl allow-weak-crypto
|
|
Allow weak crypto.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss cms-envelope
|
|
Envelope a file as an EnvelopedData object.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl c Ar certificate-store , Fl Fl certificate Ns = Ns Ar certificate-store
|
|
Certificates used to receive the data.
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar FILE:path
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
.It Fl Fl encryption-type Ns = Ns Ar enctype
|
|
Encryption type.
|
|
.It Fl Fl content-type Ns = Ns Ar oid
|
|
Content type OID.
|
|
.It Fl Fl content-info
|
|
Wrap output data in a ContentInfo.
|
|
.It Fl Fl allow-weak-crypto
|
|
Allow weak crypto.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss verify
|
|
Verify certificate chain.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
Password.
|
|
.It Fl Fl allow-proxy-certificate
|
|
Allow proxy certificates.
|
|
.It Fl Fl missing-revoke
|
|
Missing CRL/OCSP is ok.
|
|
.It Fl Fl time Ns = Ns Ar value
|
|
Time when to validate the chain.
|
|
.It Fl v , Fl Fl verbose
|
|
Verbose logging.
|
|
.It Fl Fl max-depth Ns = Ns Ar value
|
|
Maximum chain depth to search for a certificate trust anchor.
|
|
.It Fl Fl hostname Ns = Ns Ar value
|
|
Match hostname to certificate.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss print
|
|
Print certificates.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl pass Ns = Ns Ar PASS:password
|
|
.It Fl Fl pass Ns = Ns Ar FILE:path
|
|
.It Fl Fl pass Ns = Ns Ar PROMPT
|
|
Password.
|
|
.It Fl Fl content
|
|
Print the content of the certificates.
|
|
.It Fl Fl raw-json
|
|
Print the DER content of the certificates as JSON.
|
|
.It Fl Fl never-fail
|
|
Never fail with an error code.
|
|
.It Fl Fl info
|
|
Print information about the certificate store.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Fl Fl raw-json
|
|
option prints the certificate(s) in the given store as a JSON dump
|
|
of their DER using an experimental (i.e., unstable) schema.
|
|
.Ss validate
|
|
Validate content of certificates.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl pass Ns = Ns Ar password
|
|
Password, prompter, or environment.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss certificate-copy
|
|
Copy certificates and keys from one store to another.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl in-pass Ns = Ns Ar password
|
|
Password, prompter, or environment for input store.
|
|
.It Fl Fl out-pass Ns = Ns Ar password
|
|
Password, prompter, or environment for output store.
|
|
.It Fl Fl append
|
|
Append source to destination.
|
|
.It Fl Fl root-certs
|
|
Do not copy root certificates.
|
|
.It Fl Fl private-keys
|
|
Do not copy private keys.
|
|
.El
|
|
.Pp
|
|
Use the
|
|
.Ic certificate-copy
|
|
command to copy certificates from one store to another.
|
|
This is useful for, e.g., converting DER files to PEM or
|
|
vice-versa, removing private keys, adding certificate chains,
|
|
and removing root certificates from chains.
|
|
.Ss ocsp-fetch
|
|
Fetch OCSP responses for the given certificates.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl pass Ns = Ns Ar password
|
|
Password, prompter, or environment.
|
|
.It Fl Fl sign Ns = Ns Ar certificate
|
|
Certificate used to sign the request.
|
|
.It Fl Fl url-path Ns = Ns Ar url
|
|
Path part of the URL (after the host) to put in the request.
|
|
.It Fl Fl nonce
|
|
Don't include nonce in request.
|
|
.It Fl Fl pool Ns = Ns Ar certificate-store
|
|
Pool in which to find the parent certificate.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss ocsp-verify
|
|
Verify OCSP responses.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl ocsp-file Ns = Ns Ar value
|
|
OCSP file.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss ocsp-print
|
|
Print OCSP responses.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl verbose
|
|
Verbose output.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss revoke-print
|
|
Print OCSP/CRL files.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl verbose
|
|
Verbose output.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss generate-key
|
|
Generate a private key.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl type Ns = Ns Ar value
|
|
Key type.
|
|
.It Fl Fl key-bits Ns = Ns Ar value
|
|
Number of bits in the generated key.
|
|
.It Fl Fl verbose
|
|
Verbose status.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss request-create
|
|
Create a CRMF or PKCS#10 request.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl ca
|
|
Request CA certificate.
|
|
.It Fl Fl ca-path-length Ns = Ns Ar value
|
|
Path length constraint for CA certificate.
|
|
.It Fl Fl ee
|
|
Include BasicConstraints with cA set to false.
|
|
.It Fl Fl subject Ns = Ns Ar value
|
|
Subject DN.
|
|
.It Fl Fl eku Ns = Ns Ar oid-string
|
|
Add Extended Key Usage OID.
|
|
.It Fl Fl email Ns = Ns Ar value
|
|
Email address in SubjectAltName.
|
|
.It Fl Fl jid Ns = Ns Ar value
|
|
XMPP (Jabber) address in SubjectAltName.
|
|
.It Fl Fl dnsname Ns = Ns Ar value
|
|
Hostname or domainname in SubjectAltName.
|
|
.It Fl Fl kerberos Ns = Ns Ar value
|
|
Kerberos principal name as SubjectAltName.
|
|
.It Fl Fl ms-kerberos Ns = Ns Ar value
|
|
Kerberos principal name as SubjectAltName (Microsoft variant).
|
|
.It Fl Fl registered Ns = Ns Ar value
|
|
Registered object ID as SubjectAltName.
|
|
.It Fl Fl dn Ns = Ns Ar value
|
|
Directory name as SubjectAltName.
|
|
.It Fl Fl type Ns = Ns Ar value
|
|
Type of request, CRMF or PKCS10; defaults to PKCS10.
|
|
.It Fl Fl key Ns = Ns Ar value
|
|
Key-pair.
|
|
.It Fl Fl generate-key Ns = Ns Ar value
|
|
Key type.
|
|
.It Fl Fl key-bits Ns = Ns Ar value
|
|
Number of bits in the generated key.
|
|
.It Fl Fl verbose
|
|
Verbose status.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss request-print
|
|
Print requests.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl verbose
|
|
Verbose printing.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss query
|
|
Query certificates for a match.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl exact
|
|
Exact match.
|
|
.It Fl Fl private-key
|
|
Search for private key.
|
|
.It Fl Fl friendlyname Ns = Ns Ar name
|
|
Match on friendly name.
|
|
.It Fl Fl eku Ns = Ns Ar oid-string
|
|
Match on EKU.
|
|
.It Fl Fl expr Ns = Ns Ar expression
|
|
Match on expression.
|
|
.It Fl Fl keyEncipherment
|
|
Match keyEncipherment certificates.
|
|
.It Fl Fl digitalSignature
|
|
Match digitalSignature certificates.
|
|
.It Fl Fl print
|
|
Print matches.
|
|
.It Fl Fl pass Ns = Ns Ar password
|
|
Password, prompter, or environment.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss info
|
|
Print information about supported algorithms.
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss random-data
|
|
Generate random bytes and print them to standard output.
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss crypto-available
|
|
Print available CMS crypto types.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl type Ns = Ns Ar value
|
|
Type of CMS algorithm.
|
|
.It Fl Fl oid-syms
|
|
Show symbolic names for OIDs.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss crypto-select
|
|
Print selected CMS type.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl type Ns = Ns Ar value
|
|
Type of CMS algorithm.
|
|
.It Fl Fl certificate Ns = Ns Ar value
|
|
Source certificate limiting the choices.
|
|
.It Fl Fl peer-cmstype Ns = Ns Ar value
|
|
Peer limiting CMS types.
|
|
.It Fl Fl oid-sym
|
|
Show symbolic name for OID.
|
|
.El
|
|
.\"
|
|
.\" TODO: Add description
|
|
.\"
|
|
.Ss hex
|
|
Encode input to hex.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl d , Fl Fl decode
|
|
Decode instead of encode.
|
|
.El
|
|
.Ss certificate-sign , cert-sign , issue-certificate , ca
|
|
Issue a certificate, signing it with a Certification Authority
|
|
(CA) certificate, or self-signing it.
|
|
This can issue End Entity (EE), intermediate Certification
|
|
Authority (CA), and root (self-signed) CA certificates.
|
|
This command is intended to be used to operate a CA.
|
|
.Bl -tag -width Ds -compact
|
|
.It Fl Fl issue-ca
|
|
Issue a CA certificate.
|
|
If this option is not used then an EE certificate will be issued.
|
|
.It Fl Fl issue-proxy
|
|
Issue a proxy certificate.
|
|
.It Fl Fl ca-certificate Ns = Ns Ar value
|
|
The certificate of the CA that will sign the certificate to be
|
|
issued.
|
|
For example,
|
|
.Fl Fl ca-certificate Ns = Ns Ar PEM-FILE:/path/to/file ,
|
|
.Fl Fl ca-certificate Ns = Ns Ar DER-FILE:/path/to/file ,
|
|
.Fl Fl ca-certificate Ns = Ns Ar PKCS12:/path/to/file .
|
|
.It Fl Fl self-signed
|
|
Issue a self-signed certificate.
|
|
.It Fl Fl ca-private-key Ns = Ns Ar value
|
|
Private key for the signer of the certificate.
|
|
This is a CA's private key when
|
|
.Fl Fl self-signed
|
|
is not used, or a proxy signer if
|
|
.Fl Fl issue-proxy
|
|
is used.
|
|
For example,
|
|
.Fl Fl ca-private-key Ns = Ns Ar PEM-FILE:/path/to/file ,
|
|
.Fl Fl ca-private-key Ns = Ns Ar DER-FILE:/path/to/file ,
|
|
.Fl Fl ca-private-key Ns = Ns Ar PKCS12:/path/to/file ,
|
|
.Fl Fl ca-private-key Ns = Ns Ar PKCS11:<pkcs11 scheme URI> .
|
|
See
|
|
.Sx CERTIFICATE STORES
|
|
for more details.
|
|
.It Fl Fl req Ns = Ns Ar value
|
|
A certificate signing request (CSR).
|
|
For example,
|
|
.Fl Fl req Ns = Ns Ar PKCS10:/path/to/file
|
|
where the file contains a DER-encoded PKCS#10
|
|
.Ar CertificationRequest .
|
|
Note that extensions requested by the CSR are ignored, though you
|
|
can view the CSR's requested extensions with the
|
|
.Nm Ic request-print
|
|
command.
|
|
.It Fl Fl type Ns = Ns Ar value
|
|
Types of certificate to issue (can be used more than once).
|
|
Available types:
|
|
.Bl -tag -width Ds -offset indent
|
|
.It Li https-server
|
|
Issue a certificate suitable for an HTTPS server (because it has
|
|
the
|
|
.Sq id-kp-serverAuth
|
|
Extended Key Usage (EKU) object identifier (OID)).
|
|
.It Li https-client
|
|
Issue a certificate suitable for an HTTPS client (because it has
|
|
the
|
|
.Sq id-kp-clientAuth
|
|
EKU).
|
|
.It Li email-client
|
|
Issue a certificate suitable for SUBMIT, IMAP, and S/MIME
|
|
(because it has the
|
|
.Sq id-kp-emailProtection
|
|
EKU).
|
|
.It Li pkinit-client
|
|
Issue a certificate suitable for a PKINIT client user (because it
|
|
has the
|
|
.Sq id-pkinit-KPClientAuth ,
|
|
.Sq id-kp-clientAuth ,
|
|
and
|
|
.Sq id-pkinit-ms-eku ,
|
|
EKUs).
|
|
.It Li pkinit-kdc
|
|
Issue a certificate suitable for a KDC (for PKINIT) (because it
|
|
has the
|
|
.Sq id-pkinit-keyPurposeKdc
|
|
EKU).
|
|
.El
|
|
.It Fl Fl certificate Ns = Ns Ar value
|
|
Where to write the certificate to be issued.
|
|
See
|
|
.Fl Fl ca-certificate Ns = Ns Ar value .
|
|
.It Fl Fl generate-key Ns = Ns Ar value
|
|
Generate a private key of the given type whose public key will be
|
|
the subject public key (SPK) of the certificate to be issued.
|
|
.It Fl Fl key-bits Ns = Ns Ar value
|
|
Number of bits in the generated key.
|
|
Use this when using
|
|
.Fl Fl generate-key Ns = Ns Ar rsa .
|
|
.It Fl Fl certificate-private-key Ns = Ns Ar value
|
|
Where to store the private key, if
|
|
.Fl Fl generate-key Ns = Ns Ar value
|
|
is given, or where to read the private key from.
|
|
See
|
|
.Fl Fl ca-private-key Ns = Ns Ar value .
|
|
.It Fl Fl template-certificate Ns = Ns Ar value
|
|
Use the given certificate as a template.
|
|
See
|
|
.Fl Fl ca-certificate Ns = Ns Ar value .
|
|
.It Fl Fl template-fields Ns = Ns Ar value
|
|
This option can be given multiple times, each one having one of
|
|
the values listed below, indicating that an item from the template
certificate is to be used as part of the template.
|
|
.It Fl Fl crl-uri Ns = Ns Ar value
|
|
URI to certificate revocation list (CRL).
|
|
This will be included in the certificate to be issued, and will
|
|
be used by relying parties to check the revocation status of the
|
|
issued certificate.
|
|
.It Fl Fl policy Ns = Ns Ar value
|
|
Certificate Policy OID and optional URI and/or notice
|
|
(OID:URI<space>notice_text).
|
|
.It Fl Fl policy-mapping Ns = Ns Ar value
|
|
Certificate Policy mapping (OID:OID).
|
|
.It Fl Fl template-fields Ns = Ns Ar value
|
|
The accepted values, each naming an item from the template
certificate to be used as part of the template, are:
|
|
.Bl -tag -width Ds -offset indent
|
|
.It Li ExtendedKeyUsage
|
|
I.e., include the EKU OIDs from the template certificate in the
|
|
certificate to be issued.
|
|
.It Li KeyUsage
|
|
I.e., include the KUs from the template certificate in the
|
|
certificate to be issued.
|
|
.It Li SPKI
|
|
This is useful for issuing additional certificates for the same
|
|
subject public key of an existing certificate.
|
|
.It Li notBefore
|
|
.It Li notAfter
|
|
These copy the corresponding certificate constraints from the
|
|
template.
(These are not useful. A future version will add a template
field value for certificate lifetime whereby the difference
between notAfter and notBefore will be used to set the new
certificate's notAfter.)
.It Li pkinitMaxLife
Take the PKINIT ticket max life extension value from the template
certificate.
.It Li subject
Take the subject name from the template certificate.
.El
.It Fl Fl lifetime Ns = Ns Ar value
Lifetime of to-be-issued certificate.
.It Fl Fl serial-number Ns = Ns Ar value
Serial number of certificate.
(Do not use.
Allow the CA to choose the serial number randomly instead.)
.It Fl Fl subject Ns = Ns Ar value
Subject name of issued certificate.
The subject name can and should be left empty when subject
alternative names are included in the certificate.
.It Fl Fl eku Ns = Ns Ar oid-string
Add a given Extended Key Usage (EKU) OID.
Note that the
.Fl Fl type Ns = Ns Ar TYPE
option allows for certain EKU OIDs to be added without having to
name them.
OIDs can be referenced by name, such as
.Dq id-pkix-kp-serverAuth
or as a sequence of numeric arcs separated by spaces or periods.
E.g.,
.Fl Fl eku Ns = Ns Ar id-pkix-kp-serverAuth ,
.Fl Fl eku Ns = Ns Ar 1.2.3.4.5.6 .
.It Fl Fl ku Ns = Ns Ar value
Key Usage (digitalSignature, keyEncipherment, dataEncipherment,
keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly).
.It Fl Fl signature-algorithm Ns = Ns Ar value
Signature algorithm to use.
.It Fl Fl path-length Ns = Ns Ar value
Maximum path length (CA and proxy certificates); use -1 for no
limit.
.It Fl Fl hostname Ns = Ns Ar value
Adds a
.Va dNSName
subject alternative name (SAN) to the certificate to be issued.
These are the DNS names this certificate is allowed to serve.
.It Fl Fl dnssrv Ns = Ns Ar value
Adds a DNS SRV SAN to the certificate to be issued.
These are the DNS SRV names this certificate is allowed to serve.
.It Fl Fl email Ns = Ns Ar value
Adds an
.Va rfc822Name
SAN to the certificate to be issued.
These are the email addresses assigned to this certificate, which
can be used for authorization in email-related protocols such as
SUBMIT, IMAP, and S/MIME.
.It Fl Fl pk-init-principal Ns = Ns Ar PRINCIPAL-NAME
Adds a Kerberos principal name SAN to the certificate to be
issued.
For
.Fl Fl type Ns = Ns Ar pkinit-client
certificates these are the client principals the certificate
holder can use to get tickets for using PKINIT.
For
.Fl Fl type Ns = Ns Ar pkinit-kdc
certificates these are the service principals (typically
.Sq krbtgt
principals) the certificate holder can be a Kerberos
Authentication Service (AS) for when using PKINIT.
.It Fl Fl pkinit-max-life Ns = Ns Ar value
Maximum Kerberos ticket lifetime extension for PKINIT.
This is a Heimdal-specific certificate extension with OID
.Ar id-heim-ce-pkinit-princ-max-life
/
.Ar 1.2.752.43.16.4
whose value is a DER-encoded INTEGER count of seconds ranging
from 0 to 4294967295.
Kerberos KDCs that support this extension will bound the lifetime
of any tickets issued to the client to be no more than the
lifetime in this extension (note that the KDC may further
restrict the lifetime).
.It Fl Fl ms-upn Ns = Ns Ar UPN
Adds a Microsoft user principal name (UPN) SAN to the certificate
to be issued.
These are UPNs that the certificate holder can use to get tickets
for using PKINIT.
.It Fl Fl jid Ns = Ns Ar value
Adds an XMPP / Jabber ID SAN to the certificate to be issued.
These are the names that the certificate holder can use when
connected to XMPP / Jabber instant messaging.
.It Fl Fl permanent-id Ns = Ns Ar value
PermanentIdentifier ([oid]:[serial]).
.It Fl Fl hardware-module-name Ns = Ns Ar value
HardwareModuleName (oid:serial).
.It Fl Fl domain-controller
Issue a certificate suitable for authenticating an Active
Directory domain controller.
.El
.\"
.\" TODO: Add description
.\"
.Ss test-crypto
Test crypto system related to the certificates.
.Bl -tag -width Ds -compact
.It Fl Fl pass Ns = Ns Ar password
Password, prompter, or environment.
.It Fl Fl verbose
Verbose printing.
.El
.\"
.\" TODO: Add description
.\"
.Ss statistic-print
Print statistics.
.Bl -tag -width Ds -compact
.It Fl Fl type Ns = Ns Ar value
Type of statistics.
.El
.\"
.\" TODO: Add description
.\"
.Ss crl-sign
Create a CRL.
.Bl -tag -width Ds -compact
.It Fl Fl signer Ns = Ns Ar value
Signer certificate.
.It Fl Fl pass Ns = Ns Ar password
Password, prompter, or environment.
.It Fl Fl crl-file Ns = Ns Ar value
CRL output file.
.It Fl Fl lifetime Ns = Ns Ar value
Time the CRL will be valid.
.El
.\"
.\" TODO: Add description
.\"
.Ss acert
Assert certificate content.
.Bl -tag -width Ds -compact
.It Fl v , Fl Fl verbose
Verbose output.
.It Fl Fl end-entity
Check the first EE certificate in the store.
.It Fl Fl ca
Check the first CA certificate in the store.
.It Fl Fl cert-num Ns = Ns Ar value
Check the nth certificate in the store.
.It Fl Fl expr Ns = Ns Ar expression
Test the first certificate matching expression.
.It Fl M Ar email-address , Fl Fl has-email-san Ns = Ns Ar email-address
Check that cert has email SAN.
.It Fl X Ar jabber address , Fl Fl has-xmpp-san Ns = Ns Ar jabber address
Check that cert has XMPP SAN.
.It Fl U Ar UPN , Fl Fl has-ms-upn-san Ns = Ns Ar UPN
Check that cert has UPN SAN.
.It Fl D Ar domainname , Fl Fl has-dnsname-san Ns = Ns Ar domainname
Check that cert has domainname SAN.
.It Fl P Ar Kerberos principal name , Fl Fl has-pkinit-san Ns = Ns Ar Kerberos principal name
Check that cert has PKINIT SAN.
.It Fl R Ar OID , Fl Fl has-registeredID-san Ns = Ns Ar OID
Check that cert has registeredID SAN.
.It Fl E Ar OID , Fl Fl has-eku Ns = Ns Ar OID
Check that cert has EKU.
.It Fl K Ar key usage element , Fl Fl has-ku Ns = Ns Ar key usage element
Check that cert has key usage.
.It Fl Fl exact
Check that cert has only given SANs/EKUs/KUs.
.It Fl n , Fl Fl valid-now
Check that current time is in certificate's validity period.
.It Fl Fl valid-at Ns = Ns Ar datetime
Check that the certificate is valid at given time.
.It Fl Fl not-after-eq Ns = Ns Ar datetime
Check that the certificate's notAfter is as given.
.It Fl Fl not-after-lt Ns = Ns Ar datetime
Check that the certificate's notAfter is before the given time.
.It Fl Fl not-after-gt Ns = Ns Ar datetime
Check that the certificate's notAfter is after the given time.
.It Fl Fl not-before-eq Ns = Ns Ar datetime
Check that the certificate's notBefore is as given.
.It Fl Fl not-before-lt Ns = Ns Ar datetime
Check that the certificate's notBefore is before the given time.
.It Fl Fl not-before-gt Ns = Ns Ar datetime
Check that the certificate's notBefore is after the given time.
.It Fl Fl has-private-key
Check that the certificate has a private key.
.It Fl Fl lacks-private-key
Check that the certificate does not have a private key.
.El
.\"
.\" TODO: Add description
.\"
.Ss jwt-sign
Create a signed JWT.
.Bl -tag -width Ds -compact
.It Fl a Ar algorithm , Fl Fl algorithm Ns = Ns Ar algorithm
Signature algorithm (RS256, ES256, EdDSA, etc.).
.It Fl k Ar file , Fl Fl private-key Ns = Ns Ar file
Private key file (PEM format).
.It Fl i Ar issuer , Fl Fl issuer Ns = Ns Ar issuer
Issuer claim (iss).
.It Fl s Ar subject , Fl Fl subject Ns = Ns Ar subject
Subject claim (sub).
.It Fl A Ar audience , Fl Fl audience Ns = Ns Ar audience
Audience claim (aud).
.It Fl l Ar seconds , Fl Fl lifetime Ns = Ns Ar seconds
Token lifetime in seconds.
.It Fl o Ar file , Fl Fl output Ns = Ns Ar file
Output file (default: stdout).
.El
.\"
.\" TODO: Add description
.\"
.Ss jwt-verify
Verify a JWT and print claims.
.Bl -tag -width Ds -compact
.It Fl k Ar file , Fl Fl public-key Ns = Ns Ar file
Public key file(s) (PEM format).
.It Fl A Ar audience , Fl Fl audience Ns = Ns Ar audience
Required audience.
.It Fl t Ar token , Fl Fl token Ns = Ns Ar token
JWT token (or read from stdin).
.El
.\"
.\" TODO: Add description
.\"
.Ss pem-to-jwk
Convert PEM key to JWK format.
.Bl -tag -width Ds -compact
.It Fl i Ar file , Fl Fl input Ns = Ns Ar file
PEM key file.
.It Fl o Ar file , Fl Fl output Ns = Ns Ar file
Output file (default: stdout).
.El
.\"
.\" TODO: Add description
.\"
.Ss help
Show help.
.Sh CERTIFICATE STORES
Stores of certificates and/or keys have string names that can be
used with
.Nm Ap s
commands as well as in various configuration parameters and
command-line arguments of Heimdal's Kerberos implementation (for
PKINIT).
.Pp
For example,
.Ql FILE:/path/to/file ,
.Ql PEM-FILE:/path/to/file ,
.Ql DER-FILE:/path/to/file ,
etc.
See below for a full list of store types.
.Pp
A certificate store name starts with a store TYPE followed by a
colon followed by a name of form specific to that store type.
.Pp
Private keys can be stored in the same stores as the certificates
that certify their public keys.
.Pp
Private keys can also be stored in separate files, but still be
referenced in one certificate store name by joining two with a
comma:
.Ql FILE:/path/to/certificate,/path/to/private/key .
.Pp
Heimdal supports a variety of certificate and private key store
types:
.Bl -tag -width Ds -offset indent
.It PEM-FILE:/path
If writing, PEM will be written (private keys may be written in
algorithm-specific formats or in PKCS#8).
If reading, PEM will be expected (private keys may be in
algorithm-specific formats or in PKCS#8).
.It DER-FILE:/path
If writing, DER will be written.
If reading, DER will be expected.
Private keys will be in algorithm-specific formats.
.It FILE:/path
If writing, PEM will be written as if
.Ql PEM-FILE
had been used.
If reading, PEM or DER will be detected and read as if
.Ql PEM-FILE
or
.Ql DER-FILE
had been used.
.It PKCS12:/path
If writing, PKCS#12 will be written.
If reading, PKCS#12 will be expected.
Note that PKCS#12 support is currently very limited.
.It DIR:/path
OpenSSL-style hashed directory of trust anchors.
.It KEYCHAIN:system-anchors
On OS X this refers to the system's trust anchors.
.It KEYCHAIN:FILE:/path
On OS X this refers to an OS X keychain at the given path.
.It PKCS11:<provider-specific>[,config=/path-to-openssl.cnf]
Loads the given PKCS#11 object using the configured OpenSSL
provider.
When using the Latchset OpenSSL PKCS#11 provider,
.Lk https://github.com/latchset/pkcs11-provider ,
for example,
the
.Va <provider-specific>
identifier is a PKCS#11 URI (see RFC 7512).
Examples:
.Bl -tag -width Ds -offset indent
.It Va PKCS11:pkcs11:token=MyToken
.It Va PKCS11:pkcs11:slot-id=0;object=MyCert
.It Va PKCS11:pkcs11:token=SmartCard,config=/etc/op11.cnf
.El
The
.Va config=PATH
option is Heimdal-specific and not part of the PKCS#11 URI.
Use the
.Va config=PATH
option to refer to an OpenSSL configuration other than the
default, such as when you want to configure the PKCS#11 provider
but not enable it by default.
The OpenSSL configuration file path must not contain a comma.
.Pp
Note that
.Nm
will not itself prompt for PINs with which to unlock tokens;
however, OpenSSL providers that use PKCS#11 URIs can take the PIN
from the
.Dq pin-value
attribute or obtain the PIN from the
.Dq pin-source
attribute (which allows one to specify a file or a program to
execute which might then prompt).
A PIN given via pin-value is part of the store name and is therefore exposed wherever that name appears, for example in command-line arguments; pin-source avoids this.
See RFC 7512.
.It NULL:
An empty store.
.It MEMORY:name
An in-memory only, ephemeral store, usually not used in
.Nm Ap s
commands.
The MEMORY store name exists primarily for internal
.Sq hx509
APIs.
.El
.Sh EXAMPLES
Generate an RSA key:
.Bd -literal -offset indent
hxtool generate-key --type=rsa --key-bits=4096 PEM-FILE:key.pem
.Ed
.Pp
Create a CSR (with an empty name) for some key:
.Bd -literal -offset indent
hxtool request-create --subject= --key=FILE:key.pem csr.der
.Ed
.Pp
Generate a key and create a CSR (with an empty name) for it:
.Bd -literal -offset indent
hxtool request-create \\
--subject= \\
--generate-key=rsa \\
--key-bits=4096 \\
--key=FILE:key.pem \\
csr.der
.Ed
.Pp
Generate a key and create a CSR with an empty name but also
requesting a specific dNSName subject alternative name (SAN) for
it:
.Bd -literal -offset indent
hxtool request-create \\
--subject= \\
--generate-key=rsa \\
--dnsname=foo.test.h5l.se \\
--key=FILE:key.pem \\
csr.der
.Ed
.Pp
Print a CSR:
.Bd -literal -offset indent
hxtool request-print csr.der
.Ed
which outputs:
.Bd -literal -offset indent
request print
PKCS#10 CertificationRequest:
name:
san: dNSName: foo.test.h5l.se
.Ed
.Pp
Issue an end-entity certificate for an HTTPS server given a CSR:
.Bd -literal -offset indent
hxtool issue-certificate \\
--type=https-server \\
--subject= \\
--hostname=foo.test.h5l.se \\
--ca-certificate=FILE:cacert.pem \\
--ca-private-key=FILE:cakey.pem \\
--req=PKCS10:csr.der \\
--certificate=PEM-FILE:ee.pem
.Ed
.Pp
Add a chain to a PEM file:
.Bd -literal -offset indent
hxtool certificate-copy \\
--no-private-keys \\
--no-root-certs \\
FILE:ca.pem FILE:ee.pem
.Ed
.Pp
Create a self-signed end-entity certificate for an HTTPS server:
.Bd -literal -offset indent
hxtool issue-certificate \\
--self-signed \\
--type=https-server \\
--subject= \\
--hostname=foo.test.h5l.se \\
--ca-private-key=FILE:key.pem \\
--certificate-private-key=FILE:key.pem \\
--certificate=PEM-FILE:cert.pem
.Ed
.Pp
Create a root certification authority certificate:
.Bd -literal -offset indent
hxtool issue-certificate \\
--issue-ca \\
--self-signed \\
--subject=CN=SomeRootCA \\
--ca-private-key=FILE:rootkey.pem \\
--certificate=PEM-FILE:rootcert.pem
.Ed
.Pp
Create an intermediate certification authority certificate from a
CSR:
.Bd -literal -offset indent
hxtool issue-certificate \\
--type=https-server \\
--subject=CN=SomeIntermediateCA \\
--ca-certificate=FILE:parent-cert.pem \\
--ca-private-key=FILE:parent-key.pem \\
--req=PKCS10:csr.der \\
--certificate=PEM-FILE:intermediate.pem
.Ed
.Sh SEE ALSO
.Xr openssl 1 ,
.Xr property 7