
18 .\" Set up some character translations and predefined strings.  \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
62 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-CMP 1ossl"
134 .TH OPENSSL-CMP 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application
144 [\fB\-help\fR]
145 [\fB\-config\fR \fIfilename\fR]
146 [\fB\-section\fR \fInames\fR]
147 [\fB\-verbosity\fR \fIlevel\fR]
151 [\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR]
152 [\fB\-infotype\fR \fIname\fR]
153 [\fB\-geninfo\fR \fIOID:int:N\fR]
157 [\fB\-newkey\fR \fIfilename\fR|\fIuri\fR]
158 [\fB\-newkeypass\fR \fIarg\fR]
159 [\fB\-subject\fR \fIname\fR]
160 [\fB\-issuer\fR \fIname\fR]
161 [\fB\-days\fR \fInumber\fR]
162 [\fB\-reqexts\fR \fIname\fR]
163 [\fB\-sans\fR \fIspec\fR]
164 [\fB\-san_nodefault\fR]
165 [\fB\-policies\fR \fIname\fR]
166 [\fB\-policy_oids\fR \fInames\fR]
167 [\fB\-policy_oids_critical\fR]
168 [\fB\-popo\fR \fInumber\fR]
169 [\fB\-csr\fR \fIfilename\fR]
170 [\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR]
171 [\fB\-implicit_confirm\fR]
172 [\fB\-disable_confirm\fR]
173 [\fB\-certout\fR \fIfilename\fR]
174 [\fB\-chainout\fR \fIfilename\fR]
178 [\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR]
179 [\fB\-revreason\fR \fInumber\fR]
183 [\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
184 [\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
185 [\fB\-no_proxy\fR \fIaddresses\fR]
186 [\fB\-recipient\fR \fIname\fR]
187 [\fB\-path\fR \fIremote_path\fR]
188 [\fB\-keep_alive\fR \fIvalue\fR]
189 [\fB\-msg_timeout\fR \fIseconds\fR]
190 [\fB\-total_timeout\fR \fIseconds\fR]
194 [\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR]
195 [\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR]
196 [\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR]
197 [\fB\-expect_sender\fR \fIname\fR]
198 [\fB\-ignore_keyusage\fR]
199 [\fB\-unprotected_errors\fR]
200 [\fB\-extracertsout\fR \fIfilename\fR]
201 [\fB\-cacertsout\fR \fIfilename\fR]
205 [\fB\-ref\fR \fIvalue\fR]
206 [\fB\-secret\fR \fIarg\fR]
207 [\fB\-cert\fR \fIfilename\fR|\fIuri\fR]
208 [\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR]
209 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
210 [\fB\-keypass\fR \fIarg\fR]
211 [\fB\-digest\fR \fIname\fR]
212 [\fB\-mac\fR \fIname\fR]
213 [\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR]
214 [\fB\-unprotected_requests\fR]
218 [\fB\-certform\fR \fIPEM|DER\fR]
219 [\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR]
220 [\fB\-otherpass\fR \fIarg\fR]
221 [\fB\-engine\fR \fIid\fR]
222 [\fB\-provider\fR \fIname\fR]
223 [\fB\-provider\-path\fR \fIpath\fR]
224 [\fB\-propquery\fR \fIpropq\fR]
228 [\fB\-rand\fR \fIfiles\fR]
229 [\fB\-writerand\fR \fIfile\fR]
231 \&\s-1TLS\s0 connection options:
233 [\fB\-tls_used\fR]
234 [\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR]
235 [\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR]
236 [\fB\-tls_keypass\fR \fIarg\fR]
237 [\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR]
238 [\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR]
239 [\fB\-tls_host\fR \fIname\fR]
241 Client-side debugging options:
243 [\fB\-batch\fR]
244 [\fB\-repeat\fR \fInumber\fR]
245 [\fB\-reqin\fR \fIfilenames\fR]
246 [\fB\-reqin_new_tid\fR]
247 [\fB\-reqout\fR \fIfilenames\fR]
248 [\fB\-rspin\fR \fIfilenames\fR]
249 [\fB\-rspout\fR \fIfilenames\fR]
250 [\fB\-use_mock_srv\fR]
254 [\fB\-port\fR \fInumber\fR]
255 [\fB\-max_msgs\fR \fInumber\fR]
256 [\fB\-srv_ref\fR \fIvalue\fR]
257 [\fB\-srv_secret\fR \fIarg\fR]
258 [\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR]
259 [\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR]
260 [\fB\-srv_keypass\fR \fIarg\fR]
261 [\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR]
262 [\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR]
263 [\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR]
264 [\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR]
265 [\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR]
266 [\fB\-poll_count\fR \fInumber\fR]
267 [\fB\-check_after\fR \fInumber\fR]
268 [\fB\-grant_implicitconf\fR]
269 [\fB\-pkistatus\fR \fInumber\fR]
270 [\fB\-failure\fR \fInumber\fR]
271 [\fB\-failurebits\fR \fInumber\fR]
272 [\fB\-statusstring\fR \fIarg\fR]
273 [\fB\-send_error\fR]
274 [\fB\-send_unprotected\fR]
275 [\fB\-send_unprot_err\fR]
276 [\fB\-accept_unprotected\fR]
277 [\fB\-accept_unprot_err\fR]
278 [\fB\-accept_raverified\fR]
280 Certificate verification options, for both \s-1CMP\s0 and \s-1TLS:\s0
282 [\fB\-allow_proxy_certs\fR]
283 [\fB\-attime\fR \fItimestamp\fR]
284 [\fB\-no_check_time\fR]
285 [\fB\-check_ss_sig\fR]
286 [\fB\-crl_check\fR]
287 [\fB\-crl_check_all\fR]
288 [\fB\-explicit_policy\fR]
289 [\fB\-extended_crl\fR]
290 [\fB\-ignore_critical\fR]
291 [\fB\-inhibit_any\fR]
292 [\fB\-inhibit_map\fR]
293 [\fB\-partial_chain\fR]
294 [\fB\-policy\fR \fIarg\fR]
295 [\fB\-policy_check\fR]
296 [\fB\-policy_print\fR]
297 [\fB\-purpose\fR \fIpurpose\fR]
298 [\fB\-suiteB_128\fR]
299 [\fB\-suiteB_128_only\fR]
300 [\fB\-suiteB_192\fR]
301 [\fB\-trusted_first\fR]
302 [\fB\-no_alt_chains\fR]
303 [\fB\-use_deltas\fR]
304 [\fB\-auth_level\fR \fInum\fR]
305 [\fB\-verify_depth\fR \fInum\fR]
306 [\fB\-verify_email\fR \fIemail\fR]
307 [\fB\-verify_hostname\fR \fIhostname\fR]
308 [\fB\-verify_ip\fR \fIip\fR]
309 [\fB\-verify_name\fR \fIname\fR]
310 [\fB\-x509_strict\fR]
311 [\fB\-issuer_checks\fR]
315 Management Protocol (\s-1CMP\s0) as defined in \s-1RFC4210.\s0
316 It can be used to request certificates from a \s-1CA\s0 server,
318 request certificates to be revoked, and perform other types of \s-1CMP\s0 requests.
321 .IP "\fB\-help\fR" 4
322 .IX Item "-help"
323 Display a summary of all options
324 .IP "\fB\-config\fR \fIfilename\fR" 4
325 .IX Item "-config filename"
329 .IP "\fB\-section\fR \fInames\fR" 4
330 .IX Item "-section names"
331 Section(s) to use within config file defining \s-1CMP\s0 options.
337 Contents of sections named later may override contents of sections named before.
339 section (as far as present) can provide per-option fallback values.
340 .IP "\fB\-verbosity\fR \fIlevel\fR" 4
341 .IX Item "-verbosity level"
342 Level of verbosity for logging, error output, etc.
343 0 = \s-1EMERG, 1\s0 = \s-1ALERT, 2\s0 = \s-1CRIT, 3\s0 = \s-1ERR, 4\s0 = \s-1WARN, 5\s0 = \s-1NOTE,
344 6\s0 = \s-1INFO, 7\s0 = \s-1DEBUG, 8\s0 = \s-1TRACE.\s0
345 Defaults to 6 = \s-1INFO.\s0
348 .IP "\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR" 4
349 .IX Item "-cmd ir|cr|kur|p10cr|rr|genm"
350 \&\s-1CMP\s0 command to execute.
352 .RS 4
353 .IP "ir \ \- Initialization Request" 8
354 .IX Item "ir - Initialization Request"
356 .IP "cr \ \- Certificate Request" 8
357 .IX Item "cr - Certificate Request"
358 .IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8
359 .IX Item "p10cr - PKCS#10 Certification Request (for legacy support)"
360 .IP "kur \ \ \- Key Update Request" 8
361 .IX Item "kur - Key Update Request"
362 .IP "rr \ \- Revocation Request" 8
363 .IX Item "rr - Revocation Request"
364 .IP "genm \- General Message" 8
365 .IX Item "genm - General Message"
367 .RS 4
370 \&\fBir\fR requests initialization of an end entity into a \s-1PKI\s0 hierarchy
374 initialized to the \s-1PKI\s0 hierarchy.
377 but using legacy PKCS#10 \s-1CSR\s0 format.
381 \&\fBrr\fR requests revocation of an existing certificate.
384 included \fBInfoTypeAndValue\fRs may be used to state which info is of interest.
385 Upon receipt of the General Response, information about all received
386 \&\s-1ITAV\s0 \fBinfoType\fRs is printed to stdout.
388 .IP "\fB\-infotype\fR \fIname\fR" 4
389 .IX Item "-infotype name"
392 .IP "\fB\-geninfo\fR \fIOID:int:N\fR" 4
393 .IX Item "-geninfo OID:int:N"
394 generalInfo integer values to place in request PKIHeader with given \s-1OID,\s0
398 .IP "\fB\-newkey\fR \fIfilename\fR|\fIuri\fR" 4
399 .IX Item "-newkey filename|uri"
400 The source of the private or public key for the certificate being requested.
401 Defaults to the public key in the PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option,
402 the public key of the reference certificate, or the current client key.
404 The public portion of the key is placed in the certification request.
406 Unless \fB\-cmd\fR \fIp10cr\fR, \fB\-popo\fR \fI\-1\fR, or \fB\-popo\fR \fI0\fR is given, the
407 private key will be needed as well to provide the proof of possession (\s-1POPO\s0),
408 where the \fB\-key\fR option may provide a fallback.
409 .IP "\fB\-newkeypass\fR \fIarg\fR" 4
410 .IX Item "-newkeypass arg"
411 Pass phrase source for the key given with the \fB\-newkey\fR option.
414 For more information about the format of \fIarg\fR see
415 \&\fBopenssl\-passphrase\-options\fR\|(1).
416 .IP "\fB\-subject\fR \fIname\fR" 4
417 .IX Item "-subject name"
418 X509 Distinguished Name (\s-1DN\s0) of subject to use in the requested certificate
420 If the NULL-DN (\f(CW"/"\fR) is given then no subject is placed in the template.
421 Default is the subject \s-1DN\s0 of any PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option.
422 For \s-1KUR,\s0 a further fallback is the subject \s-1DN\s0
423 of the reference certificate (see \fB\-oldcert\fR) if provided.
424 This fallback is used for \s-1IR\s0 and \s-1CR\s0 only if no SANs are set.
426 If provided and neither \fB\-cert\fR nor \fB\-oldcert\fR is given,
427 the subject \s-1DN\s0 is used as fallback sender of outgoing \s-1CMP\s0 messages.
432 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
433 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
434 between the AttributeValueAssertions (AVAs) that specify the members of the set.
438 .IP "\fB\-issuer\fR \fIname\fR" 4
439 .IX Item "-issuer name"
440 X509 issuer Distinguished Name (\s-1DN\s0) of the \s-1CA\s0 server
441 to place in the requested certificate template in \s-1IR/CR/KUR.\s0
442 If the NULL-DN (\f(CW"/"\fR) is given then no issuer is placed in the template.
444 If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
445 the issuer \s-1DN\s0 is used as fallback recipient of outgoing \s-1CMP\s0 messages.
448 For details see the description of the \fB\-subject\fR option.
449 .IP "\fB\-days\fR \fInumber\fR" 4
450 .IX Item "-days number"
451 Number of days the new certificate is requested to be valid for, counting from
452 the current time of the host.
455 .IP "\fB\-reqexts\fR \fIname\fR" 4
456 .IX Item "-reqexts name"
457 Name of section in OpenSSL config file defining certificate request extensions.
458 If the \fB\-csr\fR option is present, these extensions augment the extensions
459 contained in the given PKCS#10 \s-1CSR,\s0 overriding any extensions with the same OIDs.
460 .IP "\fB\-sans\fR \fIspec\fR" 4
461 .IX Item "-sans spec"
462 One or more \s-1IP\s0 addresses, \s-1DNS\s0 names, or URIs separated by commas or whitespace
464 to add as Subject Alternative Name(s) (\s-1SAN\s0) certificate request extension.
466 Cannot be used if any Subject Alternative Name extension is set via \fB\-reqexts\fR.
467 .IP "\fB\-san_nodefault\fR" 4
468 .IX Item "-san_nodefault"
469 When Subject Alternative Names are not given via \fB\-sans\fR
470 nor defined via \fB\-reqexts\fR,
471 they are copied by default from the reference certificate (see \fB\-oldcert\fR).
472 This can be disabled by giving the \fB\-san_nodefault\fR option.
473 .IP "\fB\-policies\fR \fIname\fR" 4
474 .IX Item "-policies name"
475 Name of section in OpenSSL config file defining policies to be set
477 This option cannot be used together with \fB\-policy_oids\fR.
478 .IP "\fB\-policy_oids\fR \fInames\fR" 4
479 .IX Item "-policy_oids names"
480 One or more \s-1OID\s0(s), separated by commas and/or whitespace
483 This option cannot be used together with \fB\-policies\fR.
484 .IP "\fB\-policy_oids_critical\fR" 4
485 .IX Item "-policy_oids_critical"
486 Flag the policies given with \fB\-policy_oids\fR as critical.
487 .IP "\fB\-popo\fR \fInumber\fR" 4
488 .IX Item "-popo number"
489 Proof-of-possession (\s-1POPO\s0) method to use for \s-1IR/CR/KUR\s0; values: \f(CW\*(C`\-1\*(C'\fR…
490 \&\f(CW\*(C`\-1\*(C'\fR = \s-1NONE,\s0 \f(CW0\fR = \s-1RAVERIFIED,\s0 \f(CW1\fR = \s-1SIGNATURE\s0 …
492 Note that a signature-based \s-1POPO\s0 can only be produced if a private key
493 is provided via the \fB\-newkey\fR or \fB\-key\fR options.
494 .IP "\fB\-csr\fR \fIfilename\fR" 4
495 .IX Item "-csr filename"
496 PKCS#10 \s-1CSR\s0 in \s-1PEM\s0 or \s-1DER\s0 format containing a certificate request.
497 With \fB\-cmd\fR \fIp10cr\fR it is used directly in a legacy P10CR message.
499 When used with \fB\-cmd\fR \fIir\fR, \fIcr\fR, or \fIkur\fR,
500 it is transformed into the respective regular \s-1CMP\s0 request.
501 In this case, a private key must be provided (with \fB\-newkey\fR or \fB\-key\fR)
502 for the proof of possession (unless \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR is used)
504 (rather than taking over the public key contained in the PKCS#10 \s-1CSR\s0).
506 PKCS#10 \s-1CSR\s0 input may also be used with \fB\-cmd\fR \fIrr\fR
509 .IP "\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
510 .IX Item "-out_trusted filenames|uris"
519 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
521 .IP "\fB\-implicit_confirm\fR" 4
522 .IX Item "-implicit_confirm"
523 Request implicit confirmation of newly enrolled certificates.
524 .IP "\fB\-disable_confirm\fR" 4
525 .IX Item "-disable_confirm"
529 \&\fB\s-1WARNING:\s0\fR This leads to behavior violating \s-1RFC 4210.\s0
530 .IP "\fB\-certout\fR \fIfilename\fR" 4
531 .IX Item "-certout filename"
533 .IP "\fB\-chainout\fR \fIfilename\fR" 4
534 .IX Item "-chainout filename"
535 The file where the chain of the newly enrolled certificate should be saved.
538 .IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
539 .IX Item "-oldcert filename|uri"
540 The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
541 (\s-1KUR\s0) messages or to be revoked in Revocation Request (\s-1RR\s0) messages.
542 For \s-1KUR\s0 the certificate to be updated defaults to \fB\-cert\fR,
544 For \s-1RR\s0 the certificate to be revoked can also be specified using \fB\-csr\fR.
547 deriving default subject \s-1DN\s0 and Subject Alternative Names and the
548 default issuer entry in the requested certificate template of an \s-1IR/CR/KUR.\s0
549 Its public key is used as a fallback in the template of certification requests.
550 Its subject is used as sender of outgoing messages if \fB\-cert\fR is not given.
551 Its issuer is used as default recipient in \s-1CMP\s0 message headers
552 if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
553 .IP "\fB\-revreason\fR \fInumber\fR" 4
554 .IX Item "-revreason number"
555 Set CRLReason to be included in revocation request (\s-1RR\s0); values: \f(CW0\fR..\f(CW10\fR
556 or \f(CW\*(C`\-1\*(C'\fR for none (which is the default).
558 Reason numbers defined in \s-1RFC 5280\s0 are:
563 \& keyCompromise (1),
566 \& superseded (4),
569 \& \-\- value 7 is not used
577 .IP "\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
578 .IX Item "-server [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
579 The \s-1DNS\s0 hostname or \s-1IP\s0 address and optionally port
580 of the \s-1CMP\s0 server to connect to using \s-1HTTP\s0(S).
581 This option excludes \fI\-port\fR and \fI\-use_mock_srv\fR.
582 It is ignored if \fI\-rspin\fR is given with enough filename arguments.
584 The scheme \f(CW\*(C`https\*(C'\fR may be given only if the \fB\-tls_used\fR option is used.
587 Any given query component is handled as part of the path component.
588 If a path is included it provides the default value for the \fB\-path\fR option.
589 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
590 .IX Item "-proxy [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
591 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1CMP\s0 server unless \fB\-no_proxy\fR
594 …CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that \s-1TLS\s0 may be
595 selected by \fB\-tls_used\fR), as well as any path, userinfo, and query, and fragment
598 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
599 This option is ignored if \fI\-server\fR is not given.
600 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
601 .IX Item "-no_proxy addresses"
602 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
603 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
606 This option is ignored if \fI\-server\fR is not given.
607 .IP "\fB\-recipient\fR \fIname\fR" 4
608 .IX Item "-recipient name"
609 Distinguished Name (\s-1DN\s0) to use in the recipient field of \s-1CMP\s0 request message
610 headers, i.e., the \s-1CMP\s0 server (usually the addressed \s-1CA\s0).
612 The recipient field in the header of a \s-1CMP\s0 message is mandatory.
614 the subject of the \s-1CMP\s0 server certificate given with the \fB\-srvcert\fR option,
615 the \fB\-issuer\fR option,
616 the issuer of the certificate given with the \fB\-oldcert\fR option,
617 the issuer of the \s-1CMP\s0 client certificate (\fB\-cert\fR option),
618 as far as any of those is present, else the NULL-DN as last resort.
621 For details see the description of the \fB\-subject\fR option.
622 .IP "\fB\-path\fR \fIremote_path\fR" 4
623 .IX Item "-path remote_path"
624 \&\s-1HTTP\s0 path at the \s-1CMP\s0 server (aka \s-1CMP\s0 alias) to use for \s-1POST\s0 requests.
625 Defaults to any path given with \fB\-server\fR, else \f(CW"/"\fR.
626 .IP "\fB\-keep_alive\fR \fIvalue\fR" 4
627 .IX Item "-keep_alive value"
628 If the given value is 0 then \s-1HTTP\s0 connections are not kept open
629 after receiving a response, which is the default behavior for \s-1HTTP 1.0.\s0
630 If the value is 1 or 2 then persistent connections are requested.
633 The default value is 1, which means preferring to keep the connection open.
634 .IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
635 .IX Item "-msg_timeout seconds"
636 Number of seconds a \s-1CMP\s0 request-response message round trip
639 Default is to use the \fB\-total_timeout\fR setting.
640 .IP "\fB\-total_timeout\fR \fIseconds\fR" 4
641 .IX Item "-total_timeout seconds"
642 Maximum total number of seconds a transaction may take,
648 .IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4
649 .IX Item "-trusted filenames|uris"
650 The certificate(s), typically of root CAs, the client shall use as trust anchors
651 when validating signature-based protection of \s-1CMP\s0 response messages.
652 This option is ignored if the \fB\-srvcert\fR option is given as well.
653 It provides more flexibility than \fB\-srvcert\fR because the \s-1CMP\s0 protection
654 certificate of the server is not pinned but may be any certificate
655 from which a chain to one of the given trust anchors can be constructed.
657 If none of \fB\-trusted\fR, \fB\-srvcert\fR, and \fB\-secret\fR is given, message validation
658 errors will be thrown unless \fB\-unprotected_errors\fR permits an exception.
665 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
667 .IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
668 .IX Item "-untrusted filenames|uris"
669 Non-trusted intermediate \s-1CA\s0 certificate(s).
670 Any extra certificates given with the \fB\-cert\fR option are appended to it.
672 for the own \s-1CMP\s0 signer certificate (to include in the extraCerts field of
673 request messages) and for the \s-1TLS\s0 client certificate (if \s-1TLS\s0 is enabled)
675 when validating server certificates (checking signature-based
676 \&\s-1CMP\s0 message protection) and when validating newly enrolled certificates.
680 .IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
681 .IX Item "-srvcert filename|uri"
682 The specific \s-1CMP\s0 server certificate to expect and directly trust (even if it is
683 expired) when verifying signature-based protection of \s-1CMP\s0 response messages.
684 This pins the accepted server and results in ignoring the \fB\-trusted\fR option.
686 If set, the subject of the certificate is also used
687 as default value for the recipient of \s-1CMP\s0 requests
688 and as default value for the expected sender of \s-1CMP\s0 responses.
689 .IP "\fB\-expect_sender\fR \fIname\fR" 4
690 .IX Item "-expect_sender name"
691 Distinguished Name (\s-1DN\s0) expected in the sender field of incoming \s-1CMP\s0 messages.
692 Defaults to the subject \s-1DN\s0 of the pinned \fB\-srvcert\fR, if any.
695 \&\s-1CMP\s0 message signer, and attackers are not able to use arbitrary certificates
696 of a trusted \s-1PKI\s0 hierarchy to fraudulently pose as a \s-1CMP\s0 server.
697 Note that this option gives slightly more freedom than setting the \fB\-srvcert\fR,
698 which pins the server to the holder of a particular certificate, while the
699 expected sender name will continue to match after updates of the server cert.
702 For details see the description of the \fB\-subject\fR option.
703 .IP "\fB\-ignore_keyusage\fR" 4
704 .IX Item "-ignore_keyusage"
705 Ignore key usage restrictions in \s-1CMP\s0 signer certificates when validating
706 signature-based protection of incoming \s-1CMP\s0 messages.
707 By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by \s-1CMP\s0 signer certificates.
708 .IP "\fB\-unprotected_errors\fR" 4
709 .IX Item "-unprotected_errors"
710 Accept missing or invalid protection of negative responses from the server.
712 .RS 4
713 .IP "\(bu" 4
715 .IP "\(bu" 4
716 negative certificate responses (\s-1IP/CP/KUP\s0)
717 .IP "\(bu" 4
718 negative revocation responses (\s-1RP\s0)
719 .IP "\(bu" 4
722 .RS 4
724 \&\fB\s-1WARNING:\s0\fR This setting leads to unspecified behavior and it is meant
726 \&\s-1RFC 4210,\s0 e.g.:
727 .IP "\(bu" 4
730 \&\*(L"There \s-1MAY\s0 be cases in which the PKIProtection \s-1BIT STRING\s0 is deliberately not
731 used to protect a message [...] because other protection, external to \s-1PKIX,\s0 will
733 .IP "\(bu" 4
734 section 5.3.21 is clear on ErrMsgContent: \*(L"The \s-1CA MUST\s0 always sign it
736 .IP "\(bu" 4
737 appendix D.4 shows PKIConf message having protection
739 .RS 4
741 .IP "\fB\-extracertsout\fR \fIfilename\fR" 4
742 .IX Item "-extracertsout filename"
745 .IP "\fB\-cacertsout\fR \fIfilename\fR" 4
746 .IX Item "-cacertsout filename"
747 The file where to save any \s-1CA\s0 certificates contained in the caPubs field of
748 the last received certificate response (i.e., \s-1IP, CP,\s0 or \s-1KUP\s0) message.
751 .IP "\fB\-ref\fR \fIvalue\fR" 4
752 .IX Item "-ref value"
754 if no sender name can be determined from the \fB\-cert\fR or \fB\-subject\fR options and
755 is typically used when authenticating with pre-shared key (password-based \s-1MAC\s0).
756 .IP "\fB\-secret\fR \fIarg\fR" 4
757 .IX Item "-secret arg"
758 Provides the source of a secret value to use with MAC-based message protection.
759 This takes precedence over the \fB\-cert\fR and \fB\-key\fR options.
760 The secret is used for creating MAC-based protection of outgoing messages
761 and for validating incoming messages that have MAC-based protection.
762 The algorithm used by default is Password-Based Message Authentication Code (\s-1PBM\s0)
763 as defined in \s-1RFC 4210\s0 section 5.1.3.1.
765 For more information about the format of \fIarg\fR see
766 \&\fBopenssl\-passphrase\-options\fR\|(1).
767 .IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4
768 .IX Item "-cert filename|uri"
769 The client's current \s-1CMP\s0 signer certificate.
770 Requires the corresponding key to be given with \fB\-key\fR.
773 serve as fallback values in the certificate template of \s-1IR/CR/KUR\s0 messages.
775 The subject of this certificate will be used as sender of outgoing \s-1CMP\s0 messages,
776 while the subject of \fB\-oldcert\fR or \fB\-subject\fR may provide fallback values.
778 The issuer of this certificate is used as one of the recipient fallback values
779 and as fallback issuer entry in the certificate template of \s-1IR/CR/KUR\s0 messages.
781 When performing signature-based message protection,
783 will be included first in the extraCerts field of outgoing messages
785 In Initialization Request (\s-1IR\s0) messages this can be used for authenticating
786 using an external entity certificate as defined in appendix E.7 of \s-1RFC 4210.\s0
788 For Key Update Request (\s-1KUR\s0) messages this is also used as
789 the certificate to be updated if the \fB\-oldcert\fR option is not given.
792 because they typically constitute the chain of the client certificate, which
793 is included in the extraCerts field in signature-protected request messages.
794 .IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
795 .IX Item "-own_trusted filenames|uris"
796 If this list of certificates is provided then the chain built for
797 the client-side \s-1CMP\s0 signer certificate given with the \fB\-cert\fR option
805 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
807 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
808 .IX Item "-key filename|uri"
810 the \fB\-cert\fR option.
811 This will be used for signature-based message protection unless the \fB\-secret\fR
812 option indicating MAC-based protection or \fB\-unprotected_requests\fR is given.
814 It is also used as a fallback for the \fB\-newkey\fR option with \s-1IR/CR/KUR\s0 messages.
815 .IP "\fB\-keypass\fR \fIarg\fR" 4
816 .IX Item "-keypass arg"
817 Pass phrase source for the private key given with the \fB\-key\fR option.
818 Also used for \fB\-cert\fR and \fB\-oldcert\fR in case it is an encrypted PKCS#12 file.
821 For more information about the format of \fIarg\fR see
822 \&\fBopenssl\-passphrase\-options\fR\|(1).
823 .IP "\fB\-digest\fR \fIname\fR" 4
824 .IX Item "-digest name"
825 Specifies name of supported digest to use in \s-1RFC 4210\s0's \s-1MSG_SIG_ALG\s0
826 and as the one-way function (\s-1OWF\s0) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
828 proof-of-possession (\s-1POPO\s0) signatures.
829 To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
831 .IP "\fB\-mac\fR \fIname\fR" 4
832 .IX Item "-mac name"
833 Specifies the name of the \s-1MAC\s0 algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
834 To get the names of supported \s-1MAC\s0 algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(…
835 and possibly combine such a name with the name of a supported digest algorithm,
837 Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per \s-1RFC 4210.\s0
838 .IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
839 .IX Item "-extracerts filenames|uris"
841 They can be used as the default \s-1CMP\s0 signer certificate chain to include.
846 .IP "\fB\-unprotected_requests\fR" 4
847 .IX Item "-unprotected_requests"
848 Send request messages without CMP-level protection.
851 .IP "\fB\-certform\fR \fIPEM|DER\fR" 4
852 .IX Item "-certform PEM|DER"
854 Default value is \s-1PEM.\s0
855 .IP "\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR" 4
856 .IX Item "-keyform PEM|DER|P12|ENGINE"
857 The format of the key input; unspecified by default.
858 See \*(L"Format Options\*(R" in \fBopenssl\fR\|(1) for details.
859 .IP "\fB\-otherpass\fR \fIarg\fR" 4
860 .IX Item "-otherpass arg"
861 Pass phrase source for certificate given with the \fB\-trusted\fR, \fB\-untrusted\fR,
862 \&\fB\-own_trusted\fR, \fB\-srvcert\fR, \fB\-out_trusted\fR, \fB\-extracerts\fR,
863 \&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
864 \&\fB\-tls_extra\fR, and \fB\-tls_trusted\fR options.
867 For more information about the format of \fIarg\fR see
868 \&\fBopenssl\-passphrase\-options\fR\|(1).
869 .IP "\fB\-engine\fR \fIid\fR" 4
870 .IX Item "-engine id"
871 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
876 .Vb 1
877 \& \-engine {engineid} \-key {keyid} \-keyform ENGINE
880 \&... it's also possible to just give the key \s-1ID\s0 in \s-1URI\s0 form to \fB\-key\fR,
883 .Vb 1
884 \& \-key org.openssl.engine:{engineid}:{keyid}
887 This applies to all options specifying keys: \fB\-key\fR, \fB\-newkey\fR, and
888 \&\fB\-tls_key\fR.
891 .IP "\fB\-provider\fR \fIname\fR" 4
892 .IX Item "-provider name"
894 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
895 .IX Item "-provider-path path"
896 .IP "\fB\-propquery\fR \fIpropq\fR" 4
897 .IX Item "-propquery propq"
899 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
902 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
903 .IX Item "-rand files, -writerand file"
904 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
905 .SS "\s-1TLS\s0 connection options"
907 .IP "\fB\-tls_used\fR" 4
908 .IX Item "-tls_used"
909 Enable using \s-1TLS\s0 (even when other TLS-related options are not set)
910 for message exchange with \s-1CMP\s0 server via \s-1HTTP.\s0
911 This option is not supported with the \fI\-port\fR option.
912 It is ignored if the \fI\-server\fR option is not given or \fI\-use_mock_srv\fR is given
913 or \fI\-rspin\fR is given with enough filename arguments.
915 The following TLS-related options are ignored
916 if \fB\-tls_used\fR is not given or does not take effect.
917 .IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
918 .IX Item "-tls_cert filename|uri"
919 Client's \s-1TLS\s0 certificate.
920 If the source includes further certs they are used (along with \fB\-untrusted\fR
921 certs) for constructing the client cert chain provided to the \s-1TLS\s0 server.
922 .IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
923 .IX Item "-tls_key filename|uri"
924 Private key for the client's \s-1TLS\s0 certificate.
925 .IP "\fB\-tls_keypass\fR \fIarg\fR" 4
926 .IX Item "-tls_keypass arg"
927 Pass phrase source for the client's private \s-1TLS\s0 key given with \fB\-tls_key\fR.
928 Also used for \fB\-tls_cert\fR in case it is an encrypted PKCS#12 file.
931 For more information about the format of \fIarg\fR see
932 \&\fBopenssl\-passphrase\-options\fR\|(1).
933 .IP "\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR" 4
934 .IX Item "-tls_extra filenames|uris"
935 Extra certificates to provide to \s-1TLS\s0 server during \s-1TLS\s0 handshake
936 .IP "\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
937 .IX Item "-tls_trusted filenames|uris"
938 Trusted certificate(s) to use for validating the \s-1TLS\s0 server certificate.
946 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
948 .IP "\fB\-tls_host\fR \fIname\fR" 4
949 .IX Item "-tls_host name"
951 This may be a \s-1DNS\s0 name or an \s-1IP\s0 address.
952 If not given it defaults to the \fB\-server\fR address.
953 .SS "Client-side debugging options"
954 .IX Subsection "Client-side debugging options"
955 .IP "\fB\-batch\fR" 4
956 .IX Item "-batch"
959 .IP "\fB\-repeat\fR \fInumber\fR" 4
960 .IX Item "-repeat number"
961 Invoke the command the given positive number of times with the same parameters.
963 .IP "\fB\-reqin\fR \fIfilenames\fR" 4
964 .IX Item "-reqin filenames"
965 Take the sequence of \s-1CMP\s0 requests to send to the server from the given file(s)
966 rather than from the sequence of requests produced internally.
968 This option is ignored if the \fB\-rspin\fR option is given
977 in the sequence of requests produced internally.
981 This causes re-protection (if protecting requests is required).
982 .IP "\fB\-reqin_new_tid\fR" 4
983 .IX Item "-reqin_new_tid"
984 Use a fresh transactionID for \s-1CMP\s0 request messages read using \fB\-reqin\fR,
986 This may be needed in case the sequence of requests is reused
987 and the \s-1CMP\s0 server complains that the transaction \s-1ID\s0 has already been used.
988 .IP "\fB\-reqout\fR \fIfilenames\fR" 4
989 .IX Item "-reqout filenames"
990 Save the sequence of \s-1CMP\s0 requests created by the client to the given file(s).
991 These requests are not sent to the server if the \fB\-reqin\fR option is also used.
998 .IP "\fB\-rspin\fR \fIfilenames\fR" 4
999 .IX Item "-rspin filenames"
1000 Process the sequence of \s-1CMP\s0 responses provided in the given file(s),
1006 Any server specified via the \fI\-server\fR or \fI\-use_mock_srv\fR options is contacted
1010 .IP "\fB\-rspout\fR \fIfilenames\fR" 4
1011 .IX Item "-rspout filenames"
1012 Save the sequence of actually used \s-1CMP\s0 responses to the given file(s).
1013 These have been received from the server unless \fB\-rspin\fR takes effect.
1020 .IP "\fB\-use_mock_srv\fR" 4
1021 .IX Item "-use_mock_srv"
1022 Test the client using the internal \s-1CMP\s0 server mock-up at \s-1API\s0 level,
1023 bypassing socket-based transfer via \s-1HTTP.\s0
1024 This excludes the \fB\-server\fR and \fB\-port\fR options.
1027 .IP "\fB\-port\fR \fInumber\fR" 4
1028 .IX Item "-port number"
1029 Act as an HTTP-based \s-1CMP\s0 server mock-up listening on the given port.
1030 This excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
1031 The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
1033 .IP "\fB\-max_msgs\fR \fInumber\fR" 4
1034 .IX Item "-max_msgs number"
1035 Maximum number of \s-1CMP\s0 (request) messages the \s-1CMP HTTP\s0 server mock-up
1039 detects a CMP-level error that it can successfully answer with an error message.
1040 .IP "\fB\-srv_ref\fR \fIvalue\fR" 4
1041 .IX Item "-srv_ref value"
1042 Reference value to use as the senderKID of the server in case no \fB\-srv_cert\fR is given.
1043 .IP "\fB\-srv_secret\fR \fIarg\fR" 4
1044 .IX Item "-srv_secret arg"
1045 Password source for server authentication with a pre-shared key (secret).
1046 .IP "\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR" 4
1047 .IX Item "-srv_cert filename|uri"
1048 Certificate of the server.
1049 .IP "\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR" 4
1050 .IX Item "-srv_key filename|uri"
1052 .IP "\fB\-srv_keypass\fR \fIarg\fR" 4
1053 .IX Item "-srv_keypass arg"
1055 .IP "\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
1056 .IX Item "-srv_trusted filenames|uris"
1060 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1062 .IP "\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
1063 .IX Item "-srv_untrusted filenames|uris"
1064 Intermediate \s-1CA\s0 certs that may be useful when validating client certificates.
1065 .IP "\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR" 4
1066 .IX Item "-rsp_cert filename|uri"
1068 .IP "\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
1069 .IX Item "-rsp_extracerts filenames|uris"
1071 .IP "\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR" 4
1072 .IX Item "-rsp_capubs filenames|uris"
1073 \&\s-1CA\s0 certificates to be included in mock Initialization Response (\s-1IP\s0) message.
1074 .IP "\fB\-poll_count\fR \fInumber\fR" 4
1075 .IX Item "-poll_count number"
1076 Number of times the client must poll before receiving a certificate.
1077 .IP "\fB\-check_after\fR \fInumber\fR" 4
1078 .IX Item "-check_after number"
1079 The checkAfter value (number of seconds to wait) to include in the poll response.
1080 .IP "\fB\-grant_implicitconf\fR" 4
1081 .IX Item "-grant_implicitconf"
1082 Grant implicit confirmation of newly enrolled certificate.
1083 .IP "\fB\-pkistatus\fR \fInumber\fR" 4
1084 .IX Item "-pkistatus number"
1087 .IP "\fB\-failure\fR \fInumber\fR" 4
1088 .IX Item "-failure number"
1091 .IP "\fB\-failurebits\fR \fInumber\fR Number representing failure bits to be included in server res…
1092 .IX Item "-failurebits number Number representing failure bits to be included in server response. V…
1094 .IP "\fB\-statusstring\fR \fIarg\fR" 4
1095 .IX Item "-statusstring arg"
1098 .IP "\fB\-send_error\fR" 4
1099 .IX Item "-send_error"
1101 .IP "\fB\-send_unprotected\fR" 4
1102 .IX Item "-send_unprotected"
1103 Send response messages without CMP-level protection.
1104 .IP "\fB\-send_unprot_err\fR" 4
1105 .IX Item "-send_unprot_err"
1106 In case of negative responses, the server shall send unprotected error messages,
1107 certificate responses (\s-1IP/CP/KUP\s0), and revocation responses (\s-1RP\s0).
1108 \&\s-1WARNING:\s0 This setting leads to behavior violating \s-1RFC 4210.\s0
1109 .IP "\fB\-accept_unprotected\fR" 4
1110 .IX Item "-accept_unprotected"
1111 Accept missing or invalid protection of requests.
1112 .IP "\fB\-accept_unprot_err\fR" 4
1113 .IX Item "-accept_unprot_err"
1116 .IP "\fB\-accept_raverified\fR" 4
1117 .IX Item "-accept_raverified"
1118 Accept \s-1RAVERIFIED\s0 as proof of possession (\s-1POPO\s0).
1119 .SS "Certificate verification options, for both \s-1CMP\s0 and \s-1TLS\s0"
1121-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
1122-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
1123 Set various options of certificate chain verification.
1124 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
1127 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1128 only affect the certificate verification enabled via the \fB\-out_trusted\fR option.
1131 When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to
1132 trust, for instance via the \f(CW\*(C`caPubs\*(C'\fR field of a certificate response,
1133 authentication of the \s-1CMP\s0 server is particularly critical.
1135 using \fB\-trusted\fR and related options for certificate-based authentication
1136 or \fB\-secret\fR for MAC-based protection.
1138 When setting up \s-1CMP\s0 configurations and experimenting with enrollment options
1140 When the \s-1CMP\s0 server reports an error the client will by default
1141 check the protection of the \s-1CMP\s0 response message.
1142 Yet some \s-1CMP\s0 services tend not to protect negative responses.
1145 For assisting in such cases the \s-1CMP\s0 client offers a workaround via the
1146 \&\fB\-unprotected_errors\fR option, which allows accepting such negative messages.
1151 This \s-1CMP\s0 client implementation comes with demonstrative \s-1CMP\s0 sections
1153 which can be used to interact conveniently with the Insta Demo \s-1CA.\s0
1155 In order to enroll an initial certificate from that \s-1CA\s0 it is sufficient
1158 .Vb 1
1163 \& openssl genrsa \-out insta.priv.pem
1164 \& openssl cmp \-section insta
1171 .Vb 1
1172 \& openssl x509 \-noout \-text \-in insta.cert.pem
1175 In case the network setup requires using an \s-1HTTP\s0 proxy it may be given as usual
1176 via the environment variable \fBhttp_proxy\fR or via the \fB\-proxy\fR option in the
1177 configuration file or the \s-1CMP\s0 command-line argument \fB\-proxy\fR, for example
1179 .Vb 1
1180 \& \-proxy http://192.168.1.1:8080
1183 In the Insta Demo \s-1CA\s0 scenario both clients and the server may use the pre-shared
1186 Alternatively, \s-1CMP\s0 messages may be protected in signature-based manner,
1188 and the client may use any certificate already obtained from that \s-1CA,\s0
1189 as specified in the \fB[signature]\fR section of the example configuration.
1192 .Vb 1
1193 \& openssl cmp \-section insta,signature
1196 By default the \s-1CMP IR\s0 message type is used, yet \s-1CR\s0 works equally here.
1199 .Vb 1
1200 \& openssl cmp \-section insta \-cmd cr
1203 or by referencing in addition the \fB[cr]\fR section of the example configuration:
1205 .Vb 1
1206 \& openssl cmp \-section insta,cr
1211 .Vb 1
1212 \& openssl cmp \-section insta,kur
1215 using MAC-based protection with \s-1PBM\s0 or
1217 .Vb 1
1218 \& openssl cmp \-section insta,kur,signature
1221 using signature-based protection.
1225 .Vb 1
1226 \& openssl cmp \-section insta,rr \-trusted insta.ca.crt
1231 .Vb 1
1232 \& openssl cmp \-section insta,rr,signature
1237 For instance, the \fB\-reqexts\fR \s-1CLI\s0 option may refer to a section in the
1241 .Vb 1
1242 \& openssl cmp \-section insta,cr \-reqexts v3_req
1246 The following examples do not make use of a configuration file at first.
1247 They assume that a \s-1CMP\s0 server can be contacted on the local \s-1TCP\s0 port 80
1251 and sends an initial request message to the local \s-1CMP\s0 server
1252 using a pre-shared secret key for mutual authentication.
1253 In this example the client does not have the \s-1CA\s0 certificate yet,
1254 so we specify the name of the \s-1CA\s0 with the \fB\-recipient\fR option
1255 and save any \s-1CA\s0 certificates that we may receive in the \f(CW\*(C`capubs.pem\*(C'\fR file.
1258 for formatting; each of the command invocations should be on a single line.
1261 \& openssl genrsa \-out cl_key.pem
1262 \& openssl cmp \-cmd ir \-server 127.0.0.1:80/pkix/ \-recipient "/CN=CMPserver" \e
1263 \& \-ref 1234 \-secret pass:1234\-5678 \e
1264 \& \-newkey cl_key.pem \-subject "/CN=MyName" \e
1265 \& \-cacertsout capubs.pem \-certout cl_cert.pem
1276 \& openssl genrsa \-out cl_key_new.pem
1277 \& openssl cmp \-cmd kur \-server 127.0.0.1:80/pkix/ \e
1278 \& \-trusted capubs.pem \e
1279 \& \-cert cl_cert.pem \-key cl_key.pem \e
1280 \& \-newkey cl_key_new.pem \-certout cl_cert.pem
1285 .SS "Requesting information from \s-1CMP\s0 server"
1288 This prints information about all received \s-1ITAV\s0 \fBinfoType\fRs to stdout.
1291 \& openssl cmp \-cmd genm \-server 127.0.0.1/pkix/ \-recipient "/CN=CMPserver" \e
1292 \& \-ref 1234 \-secret pass:1234\-5678
1296 For \s-1CMP\s0 client invocations, in particular for certificate enrollment,
1297 usually many parameters need to be set, which is tedious and error-prone to do
1300 options from sections of the OpenSSL config file, usually called \fIopenssl.cnf\fR.
1322 \& secret = pass:1234\-5678\-1234\-567
1330 \& openssl cmp \-section cmp,init
1331 \& openssl cmp \-cmd kur \-newkey cl_key_new.pem
1336 .Vb 1
1337 \& openssl cmp \-section cmp,init \-cmd genm
1341 \&\fBopenssl\-genrsa\fR\|(1), \fBopenssl\-ecparam\fR\|(1), \fBopenssl\-list\fR\|(1),
1342 \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \fBx509v3_config\fR\|(5)
1347 The \fB\-engine option\fR was deprecated in OpenSSL 3.0.
1350 Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
1354 in the file \s-1LICENSE\s0 in the source distribution or at