=pod

=head1 NAME

openssl-spkac,
spkac - SPKAC printing and generating utility

=head1 SYNOPSIS

B<openssl> B<spkac>
[B<-in filename>]
[B<-out filename>]
[B<-key keyfile>]
[B<-passin arg>]
[B<-challenge string>]
[B<-pubkey>]
[B<-spkac spkacname>]
[B<-spksect section>]
[B<-noout>]
[B<-verify>]
[B<-engine id>]

=head1 DESCRIPTION

The B<spkac> command processes Netscape signed public key and challenge
(SPKAC) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.

=head1 COMMAND OPTIONS

=over 4

=item B<-in filename>

This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the B<-key> option is used.

=item B<-out filename>

specifies the output filename to write to or standard output by
default.

=item B<-key keyfile>

create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.

=item B<-passin arg>

the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-challenge string>

specifies the challenge string if an SPKAC is being created.

=item B<-spkac spkacname>

allows an alternative name for the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.

=item B<-spksect section>

allows an alternative name for the section containing the
SPKAC. The default is the default section.

=item B<-noout>

don't output the text version of the SPKAC (not used if an
SPKAC is being created).

=item B<-pubkey>

output the public key of an SPKAC (not used if an SPKAC is
being created).

=item B<-verify>

verifies the digital signature on the supplied SPKAC.

=item B<-engine id>

specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=back

=head1 EXAMPLES

Print out the contents of an SPKAC:

 openssl spkac -in spkac.cnf

Verify the signature of an SPKAC:

 openssl spkac -in spkac.cnf -noout -verify

Create an SPKAC using the challenge string "hello":

 openssl spkac -key key.pem -challenge hello -out spkac.cnf

Example of an SPKAC (long lines split up for clarity):

 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
 PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
 PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
 4=

=head1 NOTES

A created SPKAC with suitable DN components appended can be fed into
the B<ca> utility.

SPKACs are typically generated by Netscape when a form is submitted
containing the B<KEYGEN> tag as part of the certificate enrollment
process.

The challenge string permits a primitive form of proof of possession
of a private key. By checking the SPKAC signature and a random challenge
string some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous SPKAC
to be used in a "replay attack".

=head1 SEE ALSO

L<ca(1)|ca(1)>

=cut