[openssl-users] Can't get openssl x509 to work as documented

Robert Moskowitz rgm at htt-consult.com
Tue Aug 22 01:02:33 UTC 2017


I had a frustrating day.  I looked at the documentation at:

https://www.openssl.org/docs/man1.0.2/apps/x509.html

My Fedora24 reports that I am at version 1.0.2k

I made the following command:

openssl x509 -req -days 3650 -extensions v3_intermediate_ca -inform $format \
  -in $dir/csr/intermediate.csr.$format -outform $format \
  -out $dir/certs/intermediate.cert.$format \
  -CAkeyform $format -CAkey $cadir/private/ca.key.$format -CAform $format \
  -CA $cadir/certs/ca.cert.$format

Where format=der and got that der is an invalid option.  Plus the 'help' 
reported:

Note that -CAkeyform is invalid and that -CAkey can only be PEM.

Even when I used my pem CA key, I still got errors.  -config is not an 
option, where does this command get the config file from? -extensions 
says it looks to the config file for that label!

SHA256 is not listed as a valid hash.

usage: x509 args
  -inform arg     - input format - default PEM (one of DER, NET or PEM)
  -outform arg    - output format - default PEM (one of DER, NET or PEM)
  -keyform arg    - private key format - default PEM
  -CAform arg     - CA format - default PEM
  -CAkeyform arg  - CA key format - default PEM
  -in arg         - input file - default stdin
  -out arg        - output file - default stdout
  -passin arg     - private key password source
  -serial         - print serial number value
  -subject_hash   - print subject hash value
  -subject_hash_old   - print old-style (MD5) subject hash value
  -issuer_hash    - print issuer hash value
  -issuer_hash_old    - print old-style (MD5) issuer hash value
  -hash           - synonym for -subject_hash
  -subject        - print subject DN
  -issuer         - print issuer DN
  -email          - print email address(es)
  -startdate      - notBefore field
  -enddate        - notAfter field
  -purpose        - print out certificate purposes
  -dates          - both Before and After dates
  -modulus        - print the RSA key modulus
  -pubkey         - output the public key
  -fingerprint    - print the certificate fingerprint
  -alias          - output certificate alias
  -noout          - no certificate output
  -ocspid         - print OCSP hash values for the subject name and public key
  -ocsp_uri       - print OCSP Responder URL(s)
  -trustout       - output a "trusted" certificate
  -clrtrust       - clear all trusted purposes
  -clrreject      - clear all rejected purposes
  -addtrust arg   - trust certificate for a given purpose
  -addreject arg  - reject certificate for a given purpose
  -setalias arg   - set certificate alias
  -days arg       - How long till expiry of a signed certificate - def 30 days
  -checkend arg   - check whether the cert expires in the next arg seconds
                    exit 1 if so, 0 if not
  -signkey arg    - self sign cert with arg
  -x509toreq      - output a certification request object
  -req            - input is a certificate request, sign and output.
  -CA arg         - set the CA certificate, must be PEM format.
  -CAkey arg      - set the CA key, must be PEM format
                    missing, it is assumed to be in the CA file.
  -CAcreateserial - create serial number file if it does not exist
  -CAserial arg   - serial file
  -set_serial     - serial number to use
  -text           - print the certificate in text form
  -C              - print out C code forms
  -<dgst>         - digest to use, see openssl dgst -h output for list
  -extfile        - configuration file with X509V3 extensions to add
  -extensions     - section from config file with X509V3 extensions to add
  -clrext         - delete extensions before signing and input certificate
  -nameopt arg    - various certificate name options
  -engine e       - use engine e, possibly a hardware device.
  -certopt arg    - various certificate text options
  -checkhost host - check certificate matches "host"
  -checkemail email - check certificate matches "email"
  -checkip ipaddr - check certificate matches "ipaddr"


So it looks like for now, I cannot make a guide that easily supports DER 
or PEM.  Making DER really seems to be an issue.

My searching has come up pretty empty.  No instructions out there.
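An added example, not the poster's script and not from the OpenSSL project: it follows only what the usage text above states (-CA and -CAkey accept PEM only, -extensions reads its section from the file named by -extfile, the digest is chosen with -<dgst>), converting DER-stored CA material to PEM before signing and checking the result. It assumes an `openssl` binary (1.0.2 or later) on PATH; every key, certificate and config file is generated inline.

```shell
#!/bin/sh
# Bridge DER CA material to the PEM that `openssl x509 -req -CA/-CAkey` needs,
# then sign an intermediate with -extfile/-extensions and -sha256.
set -e

make_der_ca() {          # constructed fixture: a root CA kept only as DER, like the poster's setup
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
    openssl rsa  -in "$dir/ca.key.pem"  -outform DER -out "$dir/ca.key.der" 2>/dev/null
    openssl x509 -in "$dir/ca.cert.pem" -outform DER -out "$dir/ca.cert.der"
    rm -f "$dir/ca.key.pem" "$dir/ca.cert.pem"
}

sign_intermediate() {    # $1 = directory holding ca.key.der and ca.cert.der
    dir=$1
    # -CAkey and -CA take PEM only (there is no working -CAkeyform DER), so convert first.
    openssl rsa  -inform DER -in "$dir/ca.key.der"  -out "$dir/ca.key.pem" 2>/dev/null
    openssl x509 -inform DER -in "$dir/ca.cert.der" -out "$dir/ca.cert.pem"
    # x509 has no -config; the section named by -extensions comes from -extfile.
    cat > "$dir/ext.cnf" <<'EOF'
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/int.key.pem" -out "$dir/int.csr.pem" 2>/dev/null
    # The digest is the -<dgst> option (-sha256); the signed cert can still be written as DER.
    openssl x509 -req -sha256 -days 3650 -CAcreateserial \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" \
        -extfile "$dir/ext.cnf" -extensions v3_intermediate_ca \
        -in "$dir/int.csr.pem" -outform DER -out "$dir/int.cert.der" 2>/dev/null
}

# Returns 0 when the DER intermediate carries CA:TRUE/pathlen:0 and a SHA-256 signature.
check_intermediate() {
    txt=$(openssl x509 -inform DER -in "$1/int.cert.der" -noout -text)
    printf '%s\n' "$txt" | grep -q "CA:TRUE, pathlen:0" &&
        printf '%s\n' "$txt" | grep -q "sha256WithRSAEncryption"
}
```

Run it as `d=$(mktemp -d); make_der_ca "$d"; sign_intermediate "$d"; check_intermediate "$d" && echo ok`.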

