1 .\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.35)
4 .\" ========================================================================
5 .de Sp \" Vertical space (when we can't use .PP)
9 .de Vb \" Begin verbatim text
14 .de Ve \" End verbatim text
18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20 .\" double quote, and \*(R" will give a right double quote. \*(C+ will
21 .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22 .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23 .\" nothing in troff, for use with C<>.
25 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
45 .\" Escape single quotes in literal strings from groff's Unicode transform.
49 .\" If the F register is >0, we'll generate index entries on stderr for
50 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
52 .\" output yourself in some meaningful fashion.
54 .\" Avoid warning from groff about undefined register 'F'.
60 . tm Index:\\$1\t\\n%\t"\\$2"
68 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69 .\" Fear. Run. Save yourself. No user-serviceable parts.
70 . \" fudge factors for nroff and troff
79 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
85 . \" simple accents for nroff and troff
95 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
102 . \" troff and (daisy-wheel) nroff accents
103 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110 .ds ae a\h'-(\w'a'u*4/10)'e
111 .ds Ae A\h'-(\w'A'u*4/10)'E
112 . \" corrections for vroff
113 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
115 . \" for low resolution devices (crt and lpr)
116 .if \n(.H>23 .if \n(.V>19 \
129 .\" ========================================================================
132 .TH SPKAC 1 "2017-12-07" "1.0.2n" "OpenSSL"
133 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
134 .\" way too many mistakes in technical documents.
139 spkac \- SPKAC printing and generating utility
141 .IX Header "SYNOPSIS"
142 \&\fBopenssl\fR \fBspkac\fR
143 [\fB\-in filename\fR]
144 [\fB\-out filename\fR]
145 [\fB\-key keyfile\fR]
147 [\fB\-challenge string\fR]
149 [\fB\-spkac spkacname\fR]
150 [\fB\-spksect section\fR]
155 .IX Header "DESCRIPTION"
156 The \fBspkac\fR command processes Netscape signed public key and challenge
157 (\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
158 produce its own SPKACs from a supplied private key.
159 .SH "COMMAND OPTIONS"
160 .IX Header "COMMAND OPTIONS"
161 .IP "\fB\-in filename\fR" 4
162 .IX Item "-in filename"
163 This specifies the input filename to read from or standard input if this
164 option is not specified. Ignored if the \fB\-key\fR option is used.
165 .IP "\fB\-out filename\fR" 4
166 .IX Item "-out filename"
167 specifies the output filename to write to or standard output by
169 .IP "\fB\-key keyfile\fR" 4
170 .IX Item "-key keyfile"
171 create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
172 \&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
174 .IP "\fB\-passin password\fR" 4
175 .IX Item "-passin password"
176 the input file password source. For more information about the format of \fBarg\fR
177 see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
178 .IP "\fB\-challenge string\fR" 4
179 .IX Item "-challenge string"
180 specifies the challenge string if an \s-1SPKAC\s0 is being created.
181 .IP "\fB\-spkac spkacname\fR" 4
182 .IX Item "-spkac spkacname"
183 allows an alternative name form the variable containing the
184 \&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
185 generated and input \s-1SPKAC\s0 files.
186 .IP "\fB\-spksect section\fR" 4
187 .IX Item "-spksect section"
188 allows an alternative name form the section containing the
189 \&\s-1SPKAC.\s0 The default is the default section.
190 .IP "\fB\-noout\fR" 4
192 don't output the text version of the \s-1SPKAC \s0(not used if an
193 \&\s-1SPKAC\s0 is being created).
194 .IP "\fB\-pubkey\fR" 4
196 output the public key of an \s-1SPKAC \s0(not used if an \s-1SPKAC\s0 is
198 .IP "\fB\-verify\fR" 4
200 verifies the digital signature on the supplied \s-1SPKAC.\s0
201 .IP "\fB\-engine id\fR" 4
202 .IX Item "-engine id"
203 specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
204 to attempt to obtain a functional reference to the specified engine,
205 thus initialising it if needed. The engine will then be set as the default
206 for all available algorithms.
208 .IX Header "EXAMPLES"
209 Print out the contents of an \s-1SPKAC:\s0
212 \& openssl spkac \-in spkac.cnf
215 Verify the signature of an \s-1SPKAC:\s0
218 \& openssl spkac \-in spkac.cnf \-noout \-verify
221 Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
224 \& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
227 Example of an \s-1SPKAC, \s0(long lines split up for clarity):
230 \& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e
231 \& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e
232 \& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e
233 \& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e
238 A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
239 the \fBca\fR utility.
241 SPKACs are typically generated by Netscape when a form is submitted
242 containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
245 The challenge string permits a primitive form of proof of possession
246 of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
247 string some guarantee is given that the user knows the private key
248 corresponding to the public key being certified. This is important in
249 some applications. Without this it is possible for a previous \s-1SPKAC\s0
250 to be used in a \*(L"replay attack\*(R".
252 .IX Header "SEE ALSO"