spkac.pod revision 325337
=pod

=head1 NAME

openssl-spkac,
spkac - SPKAC printing and generating utility

=head1 SYNOPSIS

B<openssl> B<spkac>
[B<-in filename>]
[B<-out filename>]
[B<-key keyfile>]
[B<-passin arg>]
[B<-challenge string>]
[B<-pubkey>]
[B<-spkac spkacname>]
[B<-spksect section>]
[B<-noout>]
[B<-verify>]
[B<-engine id>]

=head1 DESCRIPTION

The B<spkac> command processes Netscape signed public key and challenge
(SPKAC) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.

=head1 COMMAND OPTIONS

=over 4

=item B<-in filename>

This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the B<-key> option is used.

=item B<-out filename>

specifies the output filename to write to or standard output by
default.

=item B<-key keyfile>

create an SPKAC file using the private key in B<keyfile>. The
B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
present.

=item B<-passin arg>

the input file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-challenge string>

specifies the challenge string if an SPKAC is being created.

=item B<-spkac spkacname>

allows an alternative name for the variable containing the
SPKAC. The default is "SPKAC". This option affects both
generated and input SPKAC files.

=item B<-spksect section>

allows an alternative name for the section containing the
SPKAC. The default is the default section.

=item B<-noout>

don't output the text version of the SPKAC (not used if an
SPKAC is being created).

=item B<-pubkey>

output the public key of an SPKAC (not used if an SPKAC is
being created).

=item B<-verify>

verifies the digital signature on the supplied SPKAC.

=item B<-engine id>

specifying an engine (by its unique B<id> string) will cause B<spkac>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

=back

=head1 EXAMPLES

Print out the contents of an SPKAC:

 openssl spkac -in spkac.cnf

Verify the signature of an SPKAC:

 openssl spkac -in spkac.cnf -noout -verify

Create an SPKAC using the challenge string "hello":

 openssl spkac -key key.pem -challenge hello -out spkac.cnf

Example of an SPKAC (long lines split up for clarity):

 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
 PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
 PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
 4=

=head1 NOTES

A created SPKAC with suitable DN components appended can be fed into
the B<ca> utility.

SPKACs are typically generated by Netscape when a form is submitted
containing the B<KEYGEN> tag as part of the certificate enrollment
process.

The challenge string permits a primitive form of proof of possession
of the private key. By checking the SPKAC signature and a random challenge
string some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous SPKAC
to be used in a "replay attack".

=head1 SEE ALSO

L<ca(1)|ca(1)>

=cut
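The following is an added example and is not part of the manual page or of OpenSSL's own code. It decodes the SPKAC value from the EXAMPLES section with a minimal DER reader written for this purpose, exposes the same fields that B<openssl spkac> prints (challenge, public key algorithm, RSA modulus and exponent, signature algorithm), wraps the embedded SubjectPublicKeyInfo the way B<-pubkey> does, and performs the PKCS#1 v1.5 / MD5 signature check that B<-verify> performs for md5WithRSAEncryption. The C<check_enrollment> function illustrates the NOTES section: an enrollment server must both verify the signature and compare the challenge with the one it issued, otherwise an old SPKAC can be replayed. All function names are this example's own.

```python
"""Parse and verify a Netscape SPKAC using only the Python standard library.

Added example; not OpenSSL code. The sample value below is copied from the
manual page's EXAMPLES section with the line continuations removed.
"""
import base64
import hashlib

SPKAC_B64 = (
    "MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F"
    "PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u"
    "PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc"
    "2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV"
    "4="
)

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_MD5_WITH_RSA = "1.2.840.113549.1.1.4"
# DER prefix of DigestInfo for MD5 (RFC 8017 section 9.2, note 1).
MD5_DIGEST_INFO_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits hold the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_spkac(b64):
    """SPKAC ::= SEQUENCE { PublicKeyAndChallenge, AlgorithmIdentifier, BIT STRING }."""
    der = base64.b64decode(b64)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKAC is not a single DER SEQUENCE")
    # PublicKeyAndChallenge ::= SEQUENCE { SubjectPublicKeyInfo, IA5String challenge }
    # Its raw encoding (header included) is exactly what the signature covers.
    _, pkac, pos = read_tlv(body, 0)
    signed_der = body[:pos]
    _, spki, p2 = read_tlv(pkac, 0)
    spki_der = pkac[:p2]
    tag_ch, challenge, _ = read_tlv(pkac, p2)
    if tag_ch != 0x16:
        raise ValueError("challenge is not an IA5String")
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING key }
    _, alg, p3 = read_tlv(spki, 0)
    _, key_oid, _ = read_tlv(alg, 0)
    _, key_bits, _ = read_tlv(spki, p3)
    # BIT STRING payload: one unused-bits byte, then RSAPublicKey SEQUENCE { n, e }
    _, rsa, _ = read_tlv(key_bits, 1)
    _, n_bytes, p4 = read_tlv(rsa, 0)
    _, e_bytes, _ = read_tlv(rsa, p4)
    _, sig_alg, p5 = read_tlv(body, pos)
    _, sig_oid, _ = read_tlv(sig_alg, 0)
    _, sig_bits, _ = read_tlv(body, p5)
    return {
        "challenge": challenge.decode("ascii"),
        "key_algorithm": decode_oid(key_oid),
        "modulus": int.from_bytes(n_bytes, "big"),
        "exponent": int.from_bytes(e_bytes, "big"),
        "signature_algorithm": decode_oid(sig_oid),
        "signature": bytes(sig_bits[1:]),   # drop the unused-bits byte
        "spki_der": bytes(spki_der),
        "signed_der": bytes(signed_der),
    }


def verify_signature(info):
    """RSASSA-PKCS1-v1_5 verification with MD5, as -verify does for this OID."""
    if info["signature_algorithm"] != OID_MD5_WITH_RSA:
        raise ValueError("unsupported signature algorithm " + info["signature_algorithm"])
    n, e = info["modulus"], info["exponent"]
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(info["signature"], "big")
    if len(info["signature"]) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = MD5_DIGEST_INFO_PREFIX + hashlib.md5(info["signed_der"]).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return em == expected


def flip_signature_bit(info):
    """Return a copy of info whose signature has one bit flipped (for testing)."""
    sig = bytearray(info["signature"])
    sig[0] ^= 0x01
    return dict(info, signature=bytes(sig))


def public_key_pem(spki_der):
    """Wrap the SubjectPublicKeyInfo as PEM, like `openssl spkac -pubkey`."""
    b64 = base64.b64encode(spki_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def check_enrollment(b64, issued_challenge):
    """What an enrollment server should do with a submitted SPKAC: the signature
    proves possession of the private key, and the challenge must be the one this
    server issued for this session, or an old SPKAC could simply be replayed."""
    info = parse_spkac(b64)
    return {"signature_valid": verify_signature(info),
            "challenge_matches": info["challenge"] == issued_challenge}


if __name__ == "__main__":
    info = parse_spkac(SPKAC_B64)
    print("Challenge:", info["challenge"])
    print("Key:", info["key_algorithm"], info["modulus"].bit_length(), "bit, e =", info["exponent"])
    print("Signature Algorithm:", info["signature_algorithm"])
    print("Signature OK:", verify_signature(info))
    print(public_key_pem(info["spki_der"]))
    print(check_enrollment(SPKAC_B64, "hello"))
```

The DER reader handles only what the SPKAC structure needs (short and long definite lengths); it is not a general ASN.1 library. The challenge comparison in C<check_enrollment> is the part the signature check alone cannot provide: a valid signature over a stale challenge is exactly the replay case the NOTES section describes.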