OPENSSL-X509(1ssl) OpenSSL OPENSSL-X509(1ssl) openssl-x509 - openssl x509 [-help] [-in _|_] [-passin ] [-new] [-x509toreq] [-req] [-copy_extensions ] [-inform DER|PEM] [-vfyopt :] [-key _|_] [-keyform DER|PEM|P12|ENGINE] [-signkey _|_] [-out _] [-outform DER|PEM] [-nocert] [-noout] [-dateopt] [-text] [-certopt ] [-fingerprint] [-alias] [-serial] [-startdate] [-enddate] [-dates] [-subject] [-issuer] [-nameopt ] [-email] [-hash] [-subject_hash] [-subject_hash_old] [-issuer_hash] [-issuer_hash_old] [-ext ] [-ocspid] [-ocsp_uri] [-purpose] [-pubkey] [-modulus] [-multi] [-checkend ] [-checkhost ] [-checkemail ] [-checkip __] [-set_serial ] [-next_serial] [-not_before ] [-not_after ] [-days ] [-preserve_dates] [-set_issuer ] [-set_subject ] [-subj ] [-force_pubkey _] [-clrext] [-extfile _] [-extensions ] [-sigopt :] [-badsig] [-] [-CA _|_] [-CAform DER|PEM|P12] [-CAkey _|_] [-CAkeyform DER|PEM|P12|ENGINE] [-CAserial _] [-CAcreateserial] [-trustout] [-setalias ] [-clrtrust] [-addtrust ] [-clrreject] [-addreject ] [-rand ] [-writerand ] [-engine ] [-provider ] [-provider-path ] [-provparam [:]=] [-propquery ] . " ". 3 X.509. x509v3_config(5). . -help . -in _|_ -req. . -new. -passin . openssl-passphrase-options(1). -new . -in -req. -set_subject. -force_pubkey -key ( -signkey) . -x509toreq PKCS#10 ( ). -key ( -signkey) subjectPKInfo. X.509 . X.509 -extfile. -req . PKCS#10 . X.509 . X.509 -extfile. -copy_extensions X.509 -x509toreq -req. none . copy copyall . -ext . -inform DER|PEM PEM . openssl-format-options(1) . -vfyopt : . . -key _|_ . -force_pubkey . -CA. ( ). -preserve_dates -days. -not_before -not_after. -signkey _|_ -key. -keyform DER|PEM|P12|ENGINE . openssl-format-options(1) . -out _ . -outform DER|PEM PEM. openssl-format-options(1) . -nocert ( ). -noout . : -alias -purpose " ". -dateopt . : rfc_822 iso_8601. rfc_822. -text . . -certopt -text. . -certopt . " " . -fingerprint DER ( ). "". . -alias " " () . -serial . -startdate notBefore. -enddate notAfter. -dates . -subject . -issuer . -nameopt . openssl-namedisplay-options(1) . -email ( ) . -hash "-subject_hash" . -subject_hash "" (hash) . OpenSSL . -subject_hash_old "" OpenSSL 1.0.0. -issuer_hash "" . -issuer_hash_old "" OpenSSL 1.0.0. -ext . . "subjectAltName, subjectKeyIdentifier". x509v3_config(5) . -ocspid OCSP . -ocsp_uri ( ) OCSP . -purpose . "Certificate Extensions" openssl-verification-options(1). -pubkey SubjectPublicKeyInfo PEM. -modulus (modulus) . -multi . -checkend -multi . -multi . -checkhost . -checkemail _ . -checkip _ip IP . -set_serial n . -key -signkey -CA. -CA ( -CAserial). ( "0x"). -next_serial . -not_before . YYMMDDHHMMSSZ ( ASN1 UTCTime) YYYYMMDDHHMMSSZ ( ASN1 GeneralizedTime). SS Z . "today". -preserve_dates. -not_after . YYMMDDHHMMSSZ ( ASN1 UTCTime) YYYYMMDDHHMMSSZ ( ASN1 GeneralizedTime). SS Z . "today". -preserve_dates. -days. -days . 30. -preserve_dates. -not_after . -preserve_dates "notBefore" "notAfter" . -days -not_before -not_after. -set_issuer . -set_subject . -set_subject . -set_issuer. "/type0=value0/type1=value1/type2=...". "\" ( ) . . "/" RDNs ( NULL-DN). RDNs "+" "/" (AVAs) . : "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" -new -force_pubkey . -subj -set_subject. -force_pubkey _ -key ( -signkey). . -new -set_subject . DH. -clrext . -clrext . . -extfile _ X.509 . -extensions (extfile) X.509. () "extensions" . x509v3_config(5) . x509v3_config(5). -sigopt : . . . -badsig . - . -fingerprint -key -CA. openssl-dgst(1). SHA1 -fingerprint SHA256. Micro-CA -CA _|uri " " (CA) . "micro CA" : "CA" "CA" . -key ( -signkey). -req (CSR). -req -new . -CAform DER|PEM|P12 . openssl-format-options(1) . -CAkey _|uri . -CA. -CA. -CAkeyform DER|PEM|P12|ENGINE . openssl-format-options(1) . -CAserial _ . -CA . . . .srl. mycacert.pem mycacert.srl. -CA <-CAserial> <-CAcreateserial> . -CAcreateserial -CA . . " " (). "". (root CA): . . . SSL SSL. openssl-verification-options(1) . OpenSSL : . -trustout PEM <> . . -trustout . . -setalias " " . "Steve's Certificate". -clrtrust . -addtrust . clientAuth serverAuth emailProtection anyExtendedKeyUsage . OpenSSL 1.1.0 . OpenSSL . -clrreject . -addreject . -addtrust. -rand -writerand " " openssl(1) . -engine id " " openssl(1). . -provider -provider-path -provparam [:]= -propquery propq " " openssl(1) provider(7) property(7). certopt text. . compatible . . no_header : "Certificate" "Data". no_version . no_serial . no_signame . no_validity notBefore notAfter. no_subject (). no_issuer . no_pubkey . no_sigdump . no_aux . no_extensions X509V3. ext_default : . ext_error . ext_parse ASN1 . ext_dump . ca_default openssl-ca(1) no_issuer no_pubkey no_header no_version. : '\' . : openssl x509 -in cert.pem -noout -text "Subject Alternative Name" : openssl x509 -in cert.pem -noout -ext subjectAltName : openssl x509 -in cert.pem -noout -ext subjectAltName,nsCertType : openssl x509 -in cert.pem -noout -serial : openssl x509 -in cert.pem -noout -subject RFC2253: openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 UTF8: openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb SHA1 : openssl x509 -sha1 -in cert.pem -noout -fingerprint PEM DER: openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER : openssl x509 -x509toreq -in cert.pem -out req.pem -key key.pem (CA): openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ -key key.pem -out cacert.pem (CA) : openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial SSL "Steve's Class 1 CA" openssl x509 -in cert.pem -addtrust clientAuth \ -setalias "Steve's Class 1 CA" -out trust.pem 30 ( ): openssl x509 -in chain.pem -multi -checkend $[3600*24*30] \ && echo 'perform renewal' || echo 'renewal unnecessary' UTF8 T61Strings ISO8859-1. Netscape MSIE . . -email . : . X.509 : . . openssl(1), openssl-req(1), openssl-ca(1), openssl-genrsa(1), openssl-gendsa(1), openssl-verify(1), x509v3_config(5) -subject_hash -issuer_hash 1.0.0 OpenSSL MD5 (DN). 1.0.0 (DN) SHA1. openssl-rehash(1) . -signkey -key 3.0 OpenSSL . -engine OpenSSL 3.0. -C OpenSSL 3.0. 3.2 OpenSSL 3 X.509 (key identifier extensions) . 2000-2025 OpenSSL. . Apache 2.0 ( ""). . LICENSE . 3 . . : . 3.6.2 7 2026 OPENSSL-X509(1ssl)