1.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.35)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41. ds C`
42. ds C'
43'br\}
44.\"
45.\" Escape single quotes in literal strings from groff's Unicode transform.
46.ie \n(.g .ds Aq \(aq
47.el .ds Aq '
48.\"
49.\" If the F register is >0, we'll generate index entries on stderr for
50.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51.\" entries marked with X<> in POD. Of course, you'll have to process the
52.\" output yourself in some meaningful fashion.
53.\"
54.\" Avoid warning from groff about undefined register 'F'.
55.de IX
56..
57.if !\nF .nr F 0
58.if \nF>0 \{\
59. de IX
60. tm Index:\\$1\t\\n%\t"\\$2"
61..
62. if !\nF==2 \{\
63. nr % 0
64. nr F 2
65. \}
66.\}
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
77.\}
78.if t \{\
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
84.\}
85. \" simple accents for nroff and troff
86.if n \{\
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
93.\}
94.if t \{\
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
101.\}
102. \" troff and (daisy-wheel) nroff accents
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
112. \" corrections for vroff
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115. \" for low resolution devices (crt and lpr)
116.if \n(.H>23 .if \n(.V>19 \
117\{\
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "SPKAC 1"
132.TH SPKAC 1 "2017-11-02" "1.0.2m" "OpenSSL"
133.\" For nroff, turn off justification. Always turn off hyphenation; it makes
134.\" way too many mistakes in technical documents.
135.if n .ad l
136.nh
137.SH "NAME"
138openssl\-spkac,
139spkac \- SPKAC printing and generating utility
140.SH "SYNOPSIS"
141.IX Header "SYNOPSIS"
142\&\fBopenssl\fR \fBspkac\fR
143[\fB\-in filename\fR]
144[\fB\-out filename\fR]
145[\fB\-key keyfile\fR]
146[\fB\-passin arg\fR]
147[\fB\-challenge string\fR]
148[\fB\-pubkey\fR]
149[\fB\-spkac spkacname\fR]
150[\fB\-spksect section\fR]
151[\fB\-noout\fR]
152[\fB\-verify\fR]
153[\fB\-engine id\fR]
154.SH "DESCRIPTION"
155.IX Header "DESCRIPTION"
156The \fBspkac\fR command processes Netscape signed public key and challenge
157(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
158produce its own SPKACs from a supplied private key.
159.SH "COMMAND OPTIONS"
160.IX Header "COMMAND OPTIONS"
161.IP "\fB\-in filename\fR" 4
162.IX Item "-in filename"
163This specifies the input filename to read from or standard input if this
164option is not specified. Ignored if the \fB\-key\fR option is used.
165.IP "\fB\-out filename\fR" 4
166.IX Item "-out filename"
167specifies the output filename to write to or standard output by
168default.
169.IP "\fB\-key keyfile\fR" 4
170.IX Item "-key keyfile"
171create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
172\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
173present.
174.IP "\fB\-passin password\fR" 4
175.IX Item "-passin password"
176the input file password source. For more information about the format of \fBarg\fR
177see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
178.IP "\fB\-challenge string\fR" 4
179.IX Item "-challenge string"
180specifies the challenge string if an \s-1SPKAC\s0 is being created.
181.IP "\fB\-spkac spkacname\fR" 4
182.IX Item "-spkac spkacname"
183allows an alternative name form the variable containing the
184\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
185generated and input \s-1SPKAC\s0 files.
186.IP "\fB\-spksect section\fR" 4
187.IX Item "-spksect section"
188allows an alternative name form the section containing the
189\&\s-1SPKAC.\s0 The default is the default section.
190.IP "\fB\-noout\fR" 4
191.IX Item "-noout"
192don't output the text version of the \s-1SPKAC \s0(not used if an
193\&\s-1SPKAC\s0 is being created).
194.IP "\fB\-pubkey\fR" 4
195.IX Item "-pubkey"
196output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is
197being created).
198.IP "\fB\-verify\fR" 4
199.IX Item "-verify"
200verifies the digital signature on the supplied \s-1SPKAC.\s0
201.IP "\fB\-engine id\fR" 4
202.IX Item "-engine id"
203specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
204to attempt to obtain a functional reference to the specified engine,
205thus initialising it if needed. The engine will then be set as the default
206for all available algorithms.
207.SH "EXAMPLES"
208.IX Header "EXAMPLES"
209Print out the contents of an \s-1SPKAC:\s0
210.PP
211.Vb 1
212\& openssl spkac \-in spkac.cnf
213.Ve
214.PP
215Verify the signature of an \s-1SPKAC:\s0
216.PP
217.Vb 1
218\& openssl spkac \-in spkac.cnf \-noout \-verify
219.Ve
220.PP
221Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
222.PP
223.Vb 1
224\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
225.Ve
226.PP
227Example of an \s-1SPKAC, \s0(long lines split up for clarity):
228.PP
229.Vb 5
230\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
231\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
232\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
233\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
234\& 4=
235.Ve
236.SH "NOTES"
237.IX Header "NOTES"
238A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
239the \fBca\fR utility.
240.PP
241SPKACs are typically generated by Netscape when a form is submitted
242containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
243process.
244.PP
245The challenge string permits a primitive form of proof of possession
246of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
247string some guarantee is given that the user knows the private key
248corresponding to the public key being certified. This is important in
249some applications. Without this it is possible for a previous \s-1SPKAC\s0
250to be used in a \*(L"replay attack\*(R".
251.SH "SEE ALSO"
252.IX Header "SEE ALSO"
253\&\fIca\fR\|(1)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41. ds C`
42. ds C'
43'br\}
44.\"
45.\" Escape single quotes in literal strings from groff's Unicode transform.
46.ie \n(.g .ds Aq \(aq
47.el .ds Aq '
48.\"
49.\" If the F register is >0, we'll generate index entries on stderr for
50.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51.\" entries marked with X<> in POD. Of course, you'll have to process the
52.\" output yourself in some meaningful fashion.
53.\"
54.\" Avoid warning from groff about undefined register 'F'.
55.de IX
56..
57.if !\nF .nr F 0
58.if \nF>0 \{\
59. de IX
60. tm Index:\\$1\t\\n%\t"\\$2"
61..
62. if !\nF==2 \{\
63. nr % 0
64. nr F 2
65. \}
66.\}
67.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
71.if n \{\
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
77.\}
78.if t \{\
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
84.\}
85. \" simple accents for nroff and troff
86.if n \{\
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
93.\}
94.if t \{\
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
101.\}
102. \" troff and (daisy-wheel) nroff accents
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
112. \" corrections for vroff
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115. \" for low resolution devices (crt and lpr)
116.if \n(.H>23 .if \n(.V>19 \
117\{\
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
127.\}
128.rm #[ #] #H #V #F C
129.\" ========================================================================
130.\"
131.IX Title "SPKAC 1"
132.TH SPKAC 1 "2017-11-02" "1.0.2m" "OpenSSL"
133.\" For nroff, turn off justification. Always turn off hyphenation; it makes
134.\" way too many mistakes in technical documents.
135.if n .ad l
136.nh
137.SH "NAME"
138openssl\-spkac,
139spkac \- SPKAC printing and generating utility
140.SH "SYNOPSIS"
141.IX Header "SYNOPSIS"
142\&\fBopenssl\fR \fBspkac\fR
143[\fB\-in filename\fR]
144[\fB\-out filename\fR]
145[\fB\-key keyfile\fR]
146[\fB\-passin arg\fR]
147[\fB\-challenge string\fR]
148[\fB\-pubkey\fR]
149[\fB\-spkac spkacname\fR]
150[\fB\-spksect section\fR]
151[\fB\-noout\fR]
152[\fB\-verify\fR]
153[\fB\-engine id\fR]
154.SH "DESCRIPTION"
155.IX Header "DESCRIPTION"
156The \fBspkac\fR command processes Netscape signed public key and challenge
157(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
158produce its own SPKACs from a supplied private key.
159.SH "COMMAND OPTIONS"
160.IX Header "COMMAND OPTIONS"
161.IP "\fB\-in filename\fR" 4
162.IX Item "-in filename"
163This specifies the input filename to read from or standard input if this
164option is not specified. Ignored if the \fB\-key\fR option is used.
165.IP "\fB\-out filename\fR" 4
166.IX Item "-out filename"
167specifies the output filename to write to or standard output by
168default.
169.IP "\fB\-key keyfile\fR" 4
170.IX Item "-key keyfile"
171create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
172\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
173present.
174.IP "\fB\-passin password\fR" 4
175.IX Item "-passin password"
176the input file password source. For more information about the format of \fBarg\fR
177see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
178.IP "\fB\-challenge string\fR" 4
179.IX Item "-challenge string"
180specifies the challenge string if an \s-1SPKAC\s0 is being created.
181.IP "\fB\-spkac spkacname\fR" 4
182.IX Item "-spkac spkacname"
183allows an alternative name form the variable containing the
184\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
185generated and input \s-1SPKAC\s0 files.
186.IP "\fB\-spksect section\fR" 4
187.IX Item "-spksect section"
188allows an alternative name form the section containing the
189\&\s-1SPKAC.\s0 The default is the default section.
190.IP "\fB\-noout\fR" 4
191.IX Item "-noout"
192don't output the text version of the \s-1SPKAC \s0(not used if an
193\&\s-1SPKAC\s0 is being created).
194.IP "\fB\-pubkey\fR" 4
195.IX Item "-pubkey"
196output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is
197being created).
198.IP "\fB\-verify\fR" 4
199.IX Item "-verify"
200verifies the digital signature on the supplied \s-1SPKAC.\s0
201.IP "\fB\-engine id\fR" 4
202.IX Item "-engine id"
203specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
204to attempt to obtain a functional reference to the specified engine,
205thus initialising it if needed. The engine will then be set as the default
206for all available algorithms.
207.SH "EXAMPLES"
208.IX Header "EXAMPLES"
209Print out the contents of an \s-1SPKAC:\s0
210.PP
211.Vb 1
212\& openssl spkac \-in spkac.cnf
213.Ve
214.PP
215Verify the signature of an \s-1SPKAC:\s0
216.PP
217.Vb 1
218\& openssl spkac \-in spkac.cnf \-noout \-verify
219.Ve
220.PP
221Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
222.PP
223.Vb 1
224\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
225.Ve
226.PP
227Example of an \s-1SPKAC, \s0(long lines split up for clarity):
228.PP
229.Vb 5
230\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
231\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
232\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
233\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
234\& 4=
235.Ve
236.SH "NOTES"
237.IX Header "NOTES"
238A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
239the \fBca\fR utility.
240.PP
241SPKACs are typically generated by Netscape when a form is submitted
242containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
243process.
244.PP
245The challenge string permits a primitive form of proof of possession
246of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
247string some guarantee is given that the user knows the private key
248corresponding to the public key being certified. This is important in
249some applications. Without this it is possible for a previous \s-1SPKAC\s0
250to be used in a \*(L"replay attack\*(R".
251.SH "SEE ALSO"
252.IX Header "SEE ALSO"
253\&\fIca\fR\|(1)