The 'req' command is used to manipulate and deal with pkcs#10 certificate requests. It's default mode of operation is to load a certificate and then write it out again. By default the 'req' is read from stdin in 'PEM' format. The -inform option can be used to specify 'pem' format or 'der' format. PEM format is the base64 encoding of the DER format. By default 'req' then writes the request back out. -outform can be used to indicate the desired output format, be it 'pem' or 'der'. To specify an input file, use the '-in' option and the '-out' option can be used to specify the output file. If you wish to perform a command and not output the certificate request afterwards, use the '-noout' option. When a certificate is loaded, it can be printed in a human readable ascii format via the '-text' option. To check that the signature on a certificate request is correct, use the '-verify' option to make sure that the private key contained in the certificate request corresponds to the signature. Besides the default mode, there is also the 'generate a certificate request' mode. There are several flags that trigger this mode. -new will generate a new RSA key (if required) and then prompts the user for details for the certificate request. -newkey has an argument that is the number of bits to make the new key. This function also triggers '-new'. The '-new' option can have a key to use specified instead of having to load one, '-key' is used to specify the file containg the key. -keyform can be used to specify the format of the key. Only 'pem' and 'der' formats are supported, later, 'netscape' format may be added. Finally there is the '-x509' options which makes req output a self signed x509 certificate instead of a certificate request. Now as you may have noticed, there are lots of default options that cannot be specified via the command line. They are held in a 'template' or 'configuration file'. The -config option specifies which configuration file to use. See conf.doc for details on the syntax of this file. The req command uses the 'req' section of the config file. --- # The following variables are defined. For this example I will populate # the various values [ req ] default_bits = 512 # default number of bits to use. default_keyfile = testkey.pem # Where to write the generated keyfile # if not specified. distinguished_name= req_dn # The section that contains the # information about which 'object' we # want to put in the DN. attributes = req_attr # The objects we want for the # attributes field. encrypt_rsa_key = no # Should we encrypt newly generated # keys. I strongly recommend 'yes'. # The distinguished name section. For the following entries, the # object names must exist in the SSLeay header file objects.h. If they # do not, they will be silently ignored. The entries have the following # format. #=> string to prompt with # _default => default value for people # _value => Automatically use this value for this field. # _min => minimum number of characters for data (def. 0) # _max => maximum number of characters for data (def. inf.) # All of these entries are optional except for the first one. [ req_dn ] countryName = Country Name (2 letter code) countryName_default = AU stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Queensland localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) organizationName_default = Mincom Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = MTR commonName = Common Name (eg, YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 40 # The next section is the attributes section. This is exactly the # same as for the previous section except that the resulting objects are # put in the attributes field. [ req_attr ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name ---- Also note that the order that attributes appear in this file is the order they will be put into the distinguished name. Once this request has been generated, it can be sent to a CA for certifying. ---- A few quick examples.... To generate a new request and a new key req -new To generate a new request and a 1058 bit key req -newkey 1058 To generate a new request using a pre-existing key req -new -key key.pem To generate a self signed x509 certificate from a certificate request using a supplied key, and we want to see the text form of the output certificate (which we will put in the file selfSign.pem req -x509 -in req.pem -key key.pem -text -out selfSign.pem Verify that the signature is correct on a certificate request. req -verify -in req.pem Verify that the signature was made using a specified public key. req -verify -in req.pem -key key.pem Print the contents of a certificate request req -text -in req.pem