-h, --help
Print usage information with a summary of the available options.
-v, --debug level
Set debug level, default: 1.
-+, --options file
Read command line options from file.
-i, --in file
Private key input file. If not given the key is read from STDIN.
-x, --keyid hex
Smartcard or TPM private key object handle in hex format with an optional 0x prefix.
-t, --type type
Type of the input key. Either priv, rsa, ecdsa, ed25519, ed448 or bliss, defaults to priv.
-d, --dn distinguished-name
Subject and issuer distinguished name (DN). Required.
-a, --san subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
-l, --lifetime days
Days the certificate is valid, default: 1095 (three 365-day years, not three calendar years).
Ignored if both an absolute start and end time are given.
-F, --not-before datetime
Absolute time when the validity of the certificate begins. The datetime format is defined by the
--dateform option.
-T, --not-after datetime
Absolute time when the validity of the certificate ends. The datetime format is defined by the
--dateform option.
-D, --dateform form
strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T. Note that
%y in the default format is a two-digit year.
-s, --serial hex
Serial number in hex. It is randomly allocated by default.
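The interaction between --lifetime, --not-before, --not-after and --dateform is easy to get wrong (a 1095-day lifetime is not three calendar years, and %y silently pivots two-digit years). The following is an added example, not code from the pki tool or the strongSwan project: it re-implements the documented rule in Python so the resulting validity window can be checked before a certificate is issued. It assumes that when only one absolute endpoint is given the lifetime is anchored at that endpoint (the option text only says the lifetime is ignored when both are given), and it expands the composite strptime(3) directives (%T, %R, %D, %F) that glibc accepts but Python's strptime does not.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Default of pki's -D/--dateform option, a strptime(3) format.
DEFAULT_DATEFORM = "%d.%m.%y %T"
# Default of -l/--lifetime, in days.
DEFAULT_LIFETIME_DAYS = 1095

# Composite directives that glibc's strptime(3) accepts but Python's
# datetime.strptime rejects; they are expanded before parsing.
_COMPOSITES = {"%T": "%H:%M:%S", "%R": "%H:%M", "%D": "%m/%d/%y", "%F": "%Y-%m-%d"}


def parse_datetime(value: str, dateform: str = DEFAULT_DATEFORM) -> datetime:
    """Parse a --not-before/--not-after value with the given --dateform."""
    fmt = dateform
    for directive, expansion in _COMPOSITES.items():
        fmt = fmt.replace(directive, expansion)
    # %y maps 69-99 to 1969-1999 and 00-68 to 2000-2068, like POSIX strptime.
    return datetime.strptime(value, fmt)


def validity_window(lifetime_days: int = DEFAULT_LIFETIME_DAYS,
                    not_before: Optional[str] = None,
                    not_after: Optional[str] = None,
                    dateform: str = DEFAULT_DATEFORM,
                    now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Resolve (notBefore, notAfter) as the option descriptions state.

    Both absolute times given: use them, --lifetime is ignored.
    Only --not-after given:    notBefore = notAfter - lifetime (assumption: the
                               lifetime is anchored at the endpoint that was given).
    Otherwise:                 notBefore = --not-before or now, notAfter = notBefore + lifetime.
    """
    now = now if now is not None else datetime.now()
    span = timedelta(days=lifetime_days)
    if not_before is not None and not_after is not None:
        nb, na = parse_datetime(not_before, dateform), parse_datetime(not_after, dateform)
    elif not_after is not None:
        na = parse_datetime(not_after, dateform)
        nb = na - span
    else:
        nb = parse_datetime(not_before, dateform) if not_before is not None else now
        na = nb + span
    # Sanity check added by this example (not documented pki behaviour): an
    # empty or inverted window yields a certificate that is never valid.
    if na <= nb:
        raise ValueError(f"notAfter {na} is not after notBefore {nb}")
    return nb, na


if __name__ == "__main__":
    nb, na = validity_window(not_before="01.01.30 00:00:00")
    # 2032 is a leap year, so 1095 days from 2030-01-01 ends on 2032-12-31.
    print(f"{nb:%Y-%m-%d} .. {na:%Y-%m-%d}")
```

Run it with a --dateform of your own (for example "%F %R") to confirm the format parses the values you intend to pass before invoking pki with them.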
-e, --flag flag
Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used
multiple times.
-g, --digest digest
Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. The
default is determined based on the type and size of the signature key. md5 and sha1 are not
collision resistant and should not be used to sign new certificates.
-R, --rsa-padding padding
Padding to use for RSA signatures. Either pkcs1 or pss, defaults to pkcs1.
-f, --outform encoding
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to
der.
-b, --ca
Include CA basicConstraints extension in certificate. Without it the certificate is not a CA
certificate and cannot be used to issue other certificates.
-o, --ocsp uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, --pathlen len
Set path length constraint. Only meaningful together with --ca.
-B, --addrblock block
RFC 3779 address block to include in certificate. block is either a CIDR subnet (such as
10.0.0.0/8) or an arbitrary address range (192.168.1.7-192.168.1.13). Can be repeated to include
multiple blocks. Please note that the supplied blocks are included in the certificate as is, so
for standards compliance, multiple blocks must be supplied in correct order (IPv4 before IPv6,
ascending within each family) and adjacent or overlapping blocks must be combined into one. Refer
to RFC 3779 for details.
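Because --addrblock values are written into the extension exactly as given, the ordering and merging that RFC 3779 requires has to happen before pki is called. The following is an added example, not code from pki or strongSwan: it takes a list of blocks in the two syntaxes the option accepts, sorts them (IPv4 before IPv6, ascending within a family), merges overlapping and adjacent ranges, renders each merged range as a CIDR prefix when it is one and as first-last otherwise, and returns the argument list to pass to pki. The strict rejection of host bits in a CIDR value (10.0.0.1/8) is this example's own check, not something the option text promises.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_block(spec: str) -> List[Network]:
    """Parse one --addrblock value: a CIDR subnet or a 'first-last' address range."""
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version:
            raise ValueError(f"mixed address families in range {spec!r}")
        if hi < lo:
            raise ValueError(f"range {spec!r} ends before it starts")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=True rejects host bits set below the prefix (e.g. 10.0.0.1/8); this
    # example's own typo check, not documented pki behaviour.
    return [ipaddress.ip_network(spec, strict=True)]


def _render(version: int, lo: int, hi: int) -> str:
    """Render a contiguous range as one CIDR prefix if it is one, else as first-last."""
    cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    first, last = cls(lo), cls(hi)
    nets = list(ipaddress.summarize_address_range(first, last))
    return str(nets[0]) if len(nets) == 1 else f"{first}-{last}"


def normalize_blocks(specs: List[str]) -> List[str]:
    """Sort and merge blocks: IPv4 (AFI 1) before IPv6 (AFI 2), ascending, no overlaps or gaps of zero."""
    ranges = sorted((n.version, int(n.network_address), int(n.broadcast_address))
                    for spec in specs for n in parse_block(spec))
    merged: List[Tuple[int, int, int]] = []
    for version, lo, hi in ranges:
        if merged and merged[-1][0] == version and lo <= merged[-1][2] + 1:
            # Overlaps or is directly adjacent to the previous range: extend it.
            merged[-1] = (version, merged[-1][1], max(merged[-1][2], hi))
        else:
            merged.append((version, lo, hi))
    return [_render(*r) for r in merged]


def addrblock_args(specs: List[str]) -> List[str]:
    """The -B/--addrblock arguments to hand to pki, in RFC 3779 order."""
    args: List[str] = []
    for block in normalize_blocks(specs):
        args += ["--addrblock", block]
    return args


if __name__ == "__main__":
    # Constructed input: out of order, overlapping, and with two adjacent ranges.
    wanted = ["192.168.1.7-192.168.1.13", "10.0.0.0/16", "192.168.1.14-192.168.1.15",
              "10.0.0.0/8", "2001:db8::/32"]
    print(" ".join(addrblock_args(wanted)))
```

The merged form is what belongs in the certificate: two adjacent ranges that together form a prefix (192.168.1.8-192.168.1.11 and 192.168.1.12/30) collapse to 192.168.1.8/29, while a range that is not a prefix stays a range.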
-n, --nc-permitted name
Add permitted NameConstraint extension to certificate. For DNS or email constraints, the identity
type is not always detectable from the given name (example.com could be a DNS subtree or a mail
domain). Use the dns: or email: prefix to force a constraint type.
-N, --nc-excluded name
Add excluded NameConstraint extension to certificate. For DNS or email constraints, the identity
type is not always detectable from the given name. Use the dns: or email: prefix to force a
constraint type.
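A constraint of the wrong type restricts nothing: name constraints apply only to subjectAltNames of their own type, so a bare example.com that ends up as a DNS constraint leaves every rfc822Name unrestricted. The following is an added example, not code from pki or strongSwan: it classifies --nc-permitted/--nc-excluded values (honouring the dns: and email: prefixes; the fallback guess for unprefixed names is this example's own rule, not pki's) and then applies the RFC 5280 section 4.2.1.10 matching rules a relying party uses, so you can check which leaf names a CA issued with these options could still certify.

```python
import ipaddress
from typing import List, Tuple

Constraint = Tuple[str, str]   # (type, value) with type in {"dns", "email", "ip"}
Name = Tuple[str, str]         # a subjectAltName to check, same shape


def parse_constraint(spec: str) -> Tuple[Constraint, bool]:
    """Classify one --nc-permitted/--nc-excluded value.

    Returns the (type, value) pair and whether the type had to be guessed. The
    dns: and email: prefixes force the type as the option text describes; the
    fallback for unprefixed values (contains '/' -> IP block, contains '@' ->
    mailbox, otherwise DNS) is this example's assumption, not pki's rule.
    """
    if spec.startswith("dns:"):
        return ("dns", spec[4:].lower()), False
    if spec.startswith("email:"):
        return ("email", spec[6:].lower()), False
    if "/" in spec:
        return ("ip", str(ipaddress.ip_network(spec, strict=False))), False
    if "@" in spec:
        return ("email", spec.lower()), False
    # A bare domain such as example.com is ambiguous: DNS subtree or mail domain?
    return ("dns", spec.lower()), True


def _matches(name: Name, constraint: Constraint) -> bool:
    """RFC 5280 4.2.1.10 matching for dNSName, rfc822Name and iPAddress subtrees."""
    (ntype, value), (ctype, base) = name, constraint
    if ntype != ctype:
        return False
    value = value.lower()
    if ctype == "dns":
        # host.example.com satisfies example.com: zero or more labels added on the left.
        return value == base or value.endswith("." + base)
    if ctype == "email":
        if "@" in base:                       # a particular mailbox
            return value == base
        host = value.rsplit("@", 1)[-1]
        if base.startswith("."):              # any address within a subdomain
            return host.endswith(base)
        return host == base                   # all addresses at exactly one host
    if ctype == "ip":
        return ipaddress.ip_address(value) in ipaddress.ip_network(base)
    return False


def name_allowed(name: Name, permitted: List[str], excluded: List[str]) -> bool:
    """Would a certificate carrying this subjectAltName pass these name constraints?

    Any matching excluded subtree rejects the name. Permitted subtrees only bind
    names of their own type: if no permitted subtree of that type exists, the
    name is unrestricted.
    """
    perm = [parse_constraint(s)[0] for s in permitted]
    excl = [parse_constraint(s)[0] for s in excluded]
    if any(_matches(name, c) for c in excl):
        return False
    same_type = [c for c in perm if c[0] == name[0]]
    return not same_type or any(_matches(name, c) for c in same_type)


if __name__ == "__main__":
    # Constructed constraint set for a sub-CA limited to one organisation.
    permitted = ["dns:example.com", "email:example.com", "10.0.0.0/8"]
    excluded = ["dns:test.example.com"]
    for san in [("dns", "www.example.com"), ("dns", "www.test.example.com"),
                ("email", "alice@mail.example.com"), ("ip", "10.1.2.3")]:
        print(san, "allowed" if name_allowed(san, permitted, excluded) else "rejected")
    # The unprefixed form is the trap: guessed as DNS, it leaves e-mail unconstrained.
    print(parse_constraint("example.com"), name_allowed(("email", "bob@example.org"), ["example.com"], []))
```

Note that an email constraint given as a host name (email:example.com) covers only mailboxes at that exact host, so alice@mail.example.com is rejected; use a leading dot (email:.example.com) if subdomains are intended.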
-X, --critical oid
Add a critical extension with the given OID. A relying party that does not recognise a critical
extension must reject the certificate (RFC 5280), so this is mainly useful for testing verifiers.
-M, --policy-mapping issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
-E, --policy-explicit len
Add requireExplicitPolicy constraint.
-H, --policy-inhibit len
Add inhibitPolicyMapping constraint.
-A, --policy-any len
Add inhibitAnyPolicy constraint.
CertificatePolicy
Multiple certificatePolicy extensions can be added, each with the following information:
-P, --cert-policy oid
OID to include in certificatePolicy extension. Required.
-C, --cps-uri uri
Certification Practice Statement URI for certificatePolicy.
-U, --user-notice text
User notice for certificatePolicy.