=pod

=encoding utf8 

=head1 NAME

x509 - Certificate display and signing utility

=head1 SYNOPSIS

B<gmssl> B<x509>
[B<-help>]
[B<-inform DER|PEM|NET>]
[B<-outform DER|PEM|NET>]
[B<-keyform DER|PEM>]
[B<-CAform DER|PEM>]
[B<-CAkeyform DER|PEM>]
[B<-in filename>]
[B<-out filename>]
[B<-serial>]
[B<-hash>]
[B<-subject_hash>]
[B<-issuer_hash>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
[B<-nameopt option>]
[B<-email>]
[B<-ocsp_uri>]
[B<-startdate>]
[B<-enddate>]
[B<-purpose>]
[B<-dates>]
[B<-checkend num>]
[B<-modulus>]
[B<-pubkey>]
[B<-fingerprint>]
[B<-alias>]
[B<-noout>]
[B<-trustout>]
[B<-clrtrust>]
[B<-clrreject>]
[B<-addtrust arg>]
[B<-addreject arg>]
[B<-setalias arg>]
[B<-days arg>]
[B<-set_serial n>]
[B<-signkey filename>]
[B<-passin arg>]
[B<-x509toreq>]
[B<-req>]
[B<-CA filename>]
[B<-CAkey filename>]
[B<-CAcreateserial>]
[B<-CAserial filename>]
[B<-force_pubkey key>]
[B<-text>]
[B<-certopt option>]
[B<-C>]
[B<-[digest]>]
[B<-clrext>]
[B<-extfile filename>]
[B<-extensions section>]
[B<-engine id>]

=head1 DESCRIPTION

The B<x509> command is a multi purpose certificate utility. It can be
used to display certificate information, convert certificates to
various forms, sign certificate requests like a "mini CA" or edit
certificate trust settings.

Since there are a large number of options they will split up into
various sections.

x509命令是一个多用途证书实用程序。 它可用于显示证书信息，将证书转换为各种表单，签署诸如“迷你CA”或编辑证书信任设置的证书请求。

由于有大量的选择，它们将分成不同的部分。

=head1 OPTIONS

=head2 Input, Output, and General Purpose Options

=over 4

=item B<-help>

Print out a usage message.

打印使用信息。

=item B<-inform DER|PEM|NET>

This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
added. The NET option is an obscure Netscape server format that is now
obsolete.

这通常指定命令将期望X509证书的输入格式，但如果存在其他选项（如-req），则可以更改该输入格式。 DER格式是证书的DER编码，PEM是添加了页眉和页脚行的DER编码的base64编码。 NET选项是一个晦涩的Netscape服务器格式，现在已经过时了。

=item B<-outform DER|PEM|NET>

This specifies the output format, the options have the same meaning as the
B<-inform> option.

这指定输出格式，这些选项与-inform选项具有相同的含义。

=item B<-in filename>

This specifies the input filename to read a certificate from or standard input
if this option is not specified.

如果未指定此选项，则指定从或从标准输入读取证书的输入文件名。

=item B<-out filename>

This specifies the output filename to write to or standard output by
default.

默认情况下，它指定要写入的输出文件名或标准输出。

=item B<-[digest]>

the digest to use.
This affects any signing or display option that uses a message
digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
Any digest supported by the GmSSL B<dgst> command can be used.
If not specified then SHA1 is used with B<-fingerprint> or
the default digest for the signing algorithm is used, typically SHA256.

消化使用。 这会影响使用消息摘要的任何签名或显示选项，例如-fingerprint，-signkey和-CA选项。 可以使用GmSSL dgst命令支持的任何摘要。 如果没有指定，则SHA1与-fingerprint一起使用，或者使用签名算法的默认摘要，通常为SHA256。

=item B<-engine id>

specifying an engine (by its unique B<id> string) will cause B<x509>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.

指定引擎（通过其唯一的id字符串）将导致x509尝试获取对指定引擎的功能引用，从而在需要时进行初始化。 然后，引擎将被设置为所有可用算法的默认值。

=back

=head2 Display Options

Note: the B<-alias> and B<-purpose> options are also display options
but are described in the B<TRUST SETTINGS> section.

注意：-alias和-purpose选项也是显示选项，但在“信任设置”部分中有介绍。

=over 4

=item B<-text>

prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.

以文本形式打印证书。 输出全部细节，包括公钥，签名算法，发行人和主题名称，任何扩展名的序列号和任何信任设置。

=item B<-certopt option>

customise the output format used with B<-text>. The B<option> argument can be
a single option or multiple options separated by commas. The B<-certopt> switch
may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
section for more information.

定制与-text一起使用的输出格式。 选项参数可以是单个选项或多个选项，以逗号分隔。 可以使用-certopt开关多次设置多个选项。 有关详细信息，请参阅TEXT OPTIONS部分。

=item B<-noout>

this option prevents output of the encoded version of the request.

此选项可防止请求的编码版本的输出。

=item B<-pubkey>

outputs the certificate's SubjectPublicKeyInfo block in PEM format.

以PEM格式输出证书的SubjectPublicKeyInfo块。

=item B<-modulus>

this option prints out the value of the modulus of the public key
contained in the certificate.

此选项打印证书中包含的公钥的模数值。

=item B<-serial>

outputs the certificate serial number.

输出证书序列号。

=item B<-subject_hash>

outputs the "hash" of the certificate subject name. This is used in GmSSL to
form an index to allow certificates in a directory to be looked up by subject
name.

输出证书主题名称的“哈希”。 这在GmSSL中用于形成索引，以允许以主题名称查找目录中的证书。

=item B<-issuer_hash>

outputs the "hash" of the certificate issuer name.

输出证书颁发者名称的“哈希”。

=item B<-ocspid>

outputs the OCSP hash values for the subject name and public key.

输出主题名称和公钥的OCSP哈希值。

=item B<-hash>

synonym for "-subject_hash" for backward compatibility reasons.

“-subject_hash”的同义词由于向后兼容性原因。

=item B<-subject_hash_old>

outputs the "hash" of the certificate subject name using the older algorithm
as used by GmSSL versions before 1.0.0.

使用1.0.0之前的GmSSL版本使用的旧算法输出证书主题名称的“哈希”。

=item B<-issuer_hash_old>

outputs the "hash" of the certificate issuer name using the older algorithm
as used by GmSSL versions before 1.0.0.

使用1.0.0之前的GmSSL版本使用的旧算法输出证书颁发者名称的“哈希”。

=item B<-subject>

outputs the subject name.

输出主题名称。

=item B<-issuer>

outputs the issuer name.

输出颁发者名称。

=item B<-nameopt option>

option which determines how the subject or issuer names are displayed. The
B<option> argument can be a single option or multiple options separated by
commas.  Alternatively the B<-nameopt> switch may be used more than once to
set multiple options. See the B<NAME OPTIONS> section for more information.

该选项用于确定主题或发行者名称的显示方式。 选项参数可以是单个选项或多个选项，以逗号分隔。 或者，-nameopt开关可以被多次使用以设置多个选项。 有关详细信息，请参阅“NAME OPTIONS”部分。

=item B<-email>

outputs the email address(es) if any.

输出电子邮件地址（如果有）。

=item B<-ocsp_uri>

outputs the OCSP responder address(es) if any.

输出OCSP响应者地址（如果有）。

=item B<-startdate>

prints out the start date of the certificate, that is the notBefore date.

打印证书的开始日期，即notBefore日期。

=item B<-enddate>

prints out the expiry date of the certificate, that is the notAfter date.

打印证书的到期日期，即notAfter日期。

=item B<-dates>

prints out the start and expiry dates of a certificate.

打印证书的开始和到期日期。

=item B<-checkend arg>

checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.

检查证书是否在下一个arg秒内到期，如果是，则退出非零，否则为零。

=item B<-fingerprint>

prints out the digest of the DER encoded version of the whole certificate
(see digest options).

打印整个证书的DER编码版本的摘要（请参阅摘要选项）。

=item B<-C>

this outputs the certificate in the form of a C source file.

这将以C源文件的形式输出证书。

=back

=head2 Trust Settings

A B<trusted certificate> is an ordinary certificate which has several
additional pieces of information attached to it such as the permitted
and prohibited uses of the certificate and an "alias".

Normally when a certificate is being verified at least one certificate
must be "trusted". By default a trusted certificate must be stored
locally and must be a root CA: any certificate chain ending in this CA
is then usable for any purpose.

Trust settings currently are only used with a root CA. They allow a finer
control over the purposes the root CA can be used for. For example a CA
may be trusted for SSL client but not SSL server use.

See the description of the B<verify> utility for more information on the
meaning of trust settings.

Future versions of GmSSL will recognize trust settings on any
certificate: not just root CAs.

受信任的证书是普通证书，其中附有数个附加的信息，例如证书的许可和禁止使用以及“别名”。

通常当证书被证实时，至少有一个证书必须是“可信任的”。 默认情况下，受信任的证书必须在本地存储，并且必须是根CA：任何以CA为结尾的证书链可用于任何目的。

目前的信任设置仅与根CA一起使用。 它们允许对根CA可以使用的目的进行更精细的控制。 例如，CA可能被信任为SSL客户端，但不能使用SSL服务器。

有关信任设置的含义的更多信息，请参阅验证实用程序的说明。

未来版本的GmSSL将会识别任何证书上的信任设置：不仅仅是根CA。

=over 4

=item B<-trustout>

this causes B<x509> to output a B<trusted> certificate. An ordinary
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
B<-trustout> option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.

这导致x509输出可信证书。 可以输入普通或可信任的证书，但默认情况下会输出普通证书，并丢弃任何信任设置。 使用-trustout选项，输出可信证书。 如果任何信任设置被修改，将自动输出受信任的证书。

=item B<-setalias arg>

sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example "Steve's Certificate".

设置证书的别名。 这将允许使用昵称来引用证书，例如“Steve's Certificate”。

=item B<-alias>

outputs the certificate alias, if any.

输出证书别名（如果有）。

=item B<-clrtrust>

clears all the permitted or trusted uses of the certificate.

清除证书的所有允许或受信任的用途。

=item B<-clrreject>

clears all the prohibited or rejected uses of the certificate.

清除证书的所有禁止或拒绝的使用。

=item B<-addtrust arg>

adds a trusted certificate use.
Any object name can be used here but currently only B<clientAuth> (SSL client
use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
B<anyExtendedKeyUsage> are used.
As of GmSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other GmSSL applications may define additional uses.

添加可信证书使用。 任何对象名称都可以在这里使用，但目前只使用clientAuth（SSL客户端使用），serverAuth（SSL服务器使用），emailProtection（S / MIME电子邮件）和anyExtendedKeyUsage。 从GmSSL 1.1.0开始，最后一个将被拒绝或在受信任时使所有目的成为可能。 其他GmSSL应用程序可能会定义其他用途。

=item B<-addreject arg>

adds a prohibited use. It accepts the same values as the B<-addtrust>
option.

增加禁止使用。 它接受与-addtrust选项相同的值。

=item B<-purpose>

this option performs tests on the certificate extensions and outputs
the results. For a more complete description see the B<CERTIFICATE
EXTENSIONS> section.

此选项对证书扩展进行测试并输出结果。 有关更完整的说明，请参阅CERTIFICATE EXTENSIONS部分。

=back

=head2 Signing Options

The B<x509> utility can be used to sign certificates and requests: it
can thus behave like a "mini CA".

x509实用程序可用于签署证书和请求：它像“迷你CA”

=over 4

=item B<-signkey filename>

this option causes the input file to be self signed using the supplied
private key.

If the input file is a certificate it sets the issuer name to the
subject name (i.e.  makes it self signed) changes the public key to the
supplied value and changes the start and end dates. The start date is
set to the current time and the end date is set to a value determined
by the B<-days> option. Any certificate extensions are retained unless
the B<-clrext> option is supplied; this includes, for example, any existing
key identifier extensions.

If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.

此选项将使用提供的私钥对输入文件进行自签名。

如果输入文件是证书，则将发行人名称设置为主题名称（即使其自签名）将公钥更改为提供的值，并更改开始和结束日期。 开始日期设置为当前时间，结束日期设置为由-days选项确定的值。 除非提供了-clrext选项，否则将保留任何证书扩展名; 这包括例如任何现有的密钥标识符扩展。

如果输入是证书请求，则使用提供的私钥使用请求中的主题名称创建自签名证书。

=item B<-passin arg>

the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<gmssl(1)>.

密码密码来源。 有关arg格式的更多信息，请参阅gmssl（1）中的PASS PHRASE ARGUMENTS部分。

=item B<-clrext>

delete any extensions from a certificate. This option is used when a
certificate is being created from another certificate (for example with
the B<-signkey> or the B<-CA> options). Normally all extensions are
retained.

从证书中删除任何扩展名。 当从另一个证书创建证书时使用此选项（例如使用-signkey或-CA选项）。 通常所有的扩展都保留。

=item B<-keyform PEM|DER>

specifies the format (DER or PEM) of the private key file used in the
B<-signkey> option.

指定-signkey选项中使用的私钥文件的格式（DER或PEM）。

=item B<-days arg>

specifies the number of days to make a certificate valid for. The default
is 30 days.

指定使证书有效的天数。 默认为30天。

=item B<-x509toreq>

converts a certificate into a certificate request. The B<-signkey> option
is used to pass the required private key.

将证书转换为证书请求。 -signkey选项用于传递所需的私钥。

=item B<-req>

by default a certificate is expected on input. With this option a
certificate request is expected instead.

默认情况下，预期输入证书。 使用此选项，可以使用证书请求。

=item B<-set_serial n>

specifies the serial number to use. This option can be used with either
the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
option the serial number file (as specified by the B<-CAserial> or
B<-CAcreateserial> options) is not used.

The serial number can be decimal or hex (if preceded by B<0x>).

指定要使用的序列号。 此选项可与-signkey或-CA选项一起使用。 如果与-CA选项结合使用，则不使用序列号文件（由-CAserial或-CAcreateserial选项指定）。

序列号可以是十进制或十六进制（如果前面是0x）。

=item B<-CA filename>

specifies the CA certificate to be used for signing. When this option is
present B<x509> behaves like a "mini CA". The input file is signed by this
CA using this option: that is its issuer name is set to the subject name
of the CA and it is digitally signed using the CAs private key.

This option is normally combined with the B<-req> option. Without the
B<-req> option the input is a certificate which must be self signed.

指定要用于签名的CA证书。 当此选项存在时，x509的行为就像“迷你CA”。 该CA使用此选项对输入文件进行签名：即将其颁发者名称设置为CA的主题名称，并使用CAs私钥进行数字签名。

此选项通常与-req选项组合。 没有-req选项，输入是必须是自签名的证书。

=item B<-CAkey filename>

sets the CA private key to sign a certificate with. If this option is
not specified then it is assumed that the CA private key is present in
the CA certificate file.

设置CA私钥以签署证书。 如果未指定此选项，则假定CA私钥存在于CA证书文件中。

=item B<-CAserial filename>

sets the CA serial number file to use.

When the B<-CA> option is used to sign a certificate it uses a serial
number specified in a file. This file consist of one line containing
an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.

The default filename consists of the CA certificate file base name with
".srl" appended. For example if the CA certificate file is called
"mycacert.pem" it expects to find a serial number file called "mycacert.srl".

设置要使用的CA序列号文件。

当-CA选项用于签署证书时，它使用文件中指定的序列号。 该文件包含一行，其中包含使用序列号的偶数十六进制数字。 每次使用后，序列号将增加并再次写入文件。

默认文件名由附加了“.srl”的CA证书文件基础名称组成。 例如，如果CA证书文件被称为“mycacert.pem”，则它希望找到一个名为“mycacert.srl”的序列号文件。

=item B<-CAcreateserial>

with this option the CA serial number file is created if it does not exist:
it will contain the serial number "02" and the certificate being signed will
have the 1 as its serial number. If the B<-CA> option is specified
and the serial number file does not exist a random number is generated;
this is the recommended practice.

使用此选项，CA序列号文件不存在时将被创建：它将包含序列号“02”，正在签名的证书将具有1作为其序列号。
如果指定了-CA选项，并且序列号文件不存在，则生成随机数; 这是推荐的做法。

=item B<-extfile filename>

file containing certificate extensions to use. If not specified then
no extensions are added to the certificate.

包含要使用的证书扩展名的文件。 如果未指定，则不会将任何扩展名添加到证书。

=item B<-extensions section>

the section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
"extensions" which contains the section to use. See the
L<x509v3_config(5)> manual page for details of the
extension section format.

从中添加证书扩展的部分。 如果未指定此选项，则扩展名应包含在未命名（默认）部分中，默认部分应包含一个名为“extensions”的变量，该变量包含要使用的部分。 有关扩展部分格式的详细信息，请参阅x509v3_config（5）手册页。

=item B<-force_pubkey key>

when a certificate is created set its public key to B<key> instead of the
key in the certificate or certificate request. This option is useful for
creating certificates where the algorithm can't normally sign requests, for
example DH.

The format or B<key> can be specified using the B<-keyform> option.

当创建证书时，将其公钥设置为key而不是证书或证书请求中的密钥。 此选项对于创建证书，在算法无法正常签署请求时很有用，例如DH。

可以使用-keyform选项指定格式或key。

=back

=head2 Name Options

The B<nameopt> command line switch determines how the subject and issuer
names are displayed. If no B<nameopt> switch is present the default "oneline"
format is used which is compatible with previous versions of GmSSL.
Each option is described in detail below, all options can be preceded by
a B<-> to turn the option off. Only the first four will normally be used.

nameopt命令行开关确定主题和发行者名称的显示方式。 如果没有nameopt开关，
则使用与以前版本的GmSSL兼容的默认“oneline”格式。 每个选项在下面详细描述，
所有选项都可以在前面 - 关闭该选项。 通常只会使用前四个。

=over 4

=item B<compat>

use the old format.

使用旧的格式。

=item B<RFC2253>

displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
B<esc_msb>, B<utf8>, B<dump_nostr>, B<dump_unknown>, B<dump_der>,
B<sep_comma_plus>, B<dn_rev> and B<sname>.

显示与esc2253，esc_ctrl，esc_msb，utf8，dump_nostr，dump_unknown，dump_der，sep_comma_plus，
dn_rev和sname等效的RFC2253兼容的名称。

=item B<oneline>

a oneline format which is more readable than RFC2253. It is equivalent to
specifying the  B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
options.  This is the I<default> of no name options are given explicitly.

一种比RFC2253更可读的在线格式。 相当于指定esc_2253，esc_ctrl，esc_msb，utf8，dump_nostr，
dump_der，use_quote，sep_comma_plus_space，space_eq和sname选项。 这是默认的，没有明确给出名称选项。

=item B<multiline>

a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
B<space_eq>, B<lname> and B<align>.

多行格式。 它等效于esc_ctrl，esc_msb，sep_multiline，space_eq，lname和align。

=item B<esc_2253>

escape the "special" characters required by RFC2253 in a field. That is
B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
and a space character at the beginning or end of a string.

在一个字段中转义RFC2253所需的“特殊”字符。 也就是说，+“<>;另外＃在字符串的开始处转义，在字符串的开头或结尾放置一个空格。

=item B<esc_2254>

escape the "special" characters required by RFC2254 in a field. That is
the B<NUL> character as well as and B<()*>.

在一个字段中转义RFC2254所需的“特殊”字符。 那就是NUL字符以及（）*。

=item B<esc_ctrl>

escape control characters. That is those with ASCII values less than
0x20 (space) and the delete (0x7f) character. They are escaped using the
RFC2253 \XX notation (where XX are two hex digits representing the
character value).

转义控制字符。 那是ASCII值小于0x20（空格）和删除（0x7f）字符的那些。 它们使用RFC2253 \ XX符号进行转义（其中XX是表示字符值的两个十六进制数字）。

=item B<esc_msb>

escape characters with the MSB set, that is with ASCII values larger than
127.

转义字符与MSB集合，即ASCII值大于127。

=item B<use_quote>

escapes some characters by surrounding the whole string with B<"> characters,
without the option all escaping is done with the B<\> character.

通过围绕整个字符串以“字符”转义一些字符，而没有选项，所有的转义都是用\字符完成的。

=item B<utf8>

convert all strings to UTF8 format first. This is required by RFC2253. If
you are lucky enough to have a UTF8 compatible terminal then the use
of this option (and B<not> setting B<esc_msb>) may result in the correct
display of multibyte (international) characters. Is this option is not
present then multibyte characters larger than 0xff will be represented
using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits.
Also if this option is off any UTF8Strings will be converted to their
character form first.

首先将所有字符串转换为UTF8格式。 这是RFC2253所要求的。 如果您足够有足够的UTF8兼容终端，
则使用此选项（而不是设置esc_msb）可能会导致多字节（国际）字符的正确显示。 此选项不存在，
则大于0xff的多字节字符将使用格式\ UXXXX（16位）和\ WXXXXXXXX（32位）来表示。 此外，
如果此选项关闭，任何UTF8Strings将首先转换为其字符形式。

=item B<ignore_type>

this option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.

此选项不会以任何方式尝试解释多字节字符。 这就是他们的内容八位字节只是被转储，
就像一个八位位组代表每个字符一样。 这对于诊断目的是有用的，但会导致相当奇怪的输出。

=item B<show_type>

show the type of the ASN1 character string. The type precedes the
field contents. For example "BMPSTRING: Hello World".

显示ASN1字符串的类型。 该类型位于字段内容之前。 例如“BMPSTRING：Hello World”。

=item B<dump_der>

when this option is set any fields that need to be hexdumped will
be dumped using the DER encoding of the field. Otherwise just the
content octets will be displayed. Both options use the RFC2253
B<#XXXX...> format.

当设置此选项时，需要使用hexdumped的任何字段将使用字段的DER编码进行转储。 
否则只会显示内容八位字节。 两种选项都使用RFC2253 #XXXX ...格式

=item B<dump_nostr>

dump non character string types (for example OCTET STRING) if this
option is not set then non character string types will be displayed
as though each content octet represents a single character.

转储非字符串类型（例如OCTET STRING），如果未设置此选项，
则将显示非字符串类型，因为每个内容字节表示单个字符。

=item B<dump_all>

dump all fields. This option when used with B<dump_der> allows the
DER encoding of the structure to be unambiguously determined.

转储所有字段。 当与dump_der一起使用时，该选项允许明确地确定结构的DER编码。

=item B<dump_unknown>

dump any field whose OID is not recognised by GmSSL.

转储GmSSL不识别其OID的任何字段。

=item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
B<sep_multiline>

these options determine the field separators. The first character is
between RDNs and the second between multiple AVAs (multiple AVAs are
very rare and their use is discouraged). The options ending in
"space" additionally place a space after the separator to make it
more readable. The B<sep_multiline> uses a linefeed character for
the RDN separator and a spaced B<+> for the AVA separator. It also
indents the fields by four characters. If no field separator is specified
then B<sep_comma_plus_space> is used by default.

这些选项决定了字段分隔符。 第一个字符在RDN之间，而第二个是多个AVA之间（多个AVA非常罕见，并且不鼓励使用它们）。
 以“空格”结尾的选项还会在分隔符之后放置一个空格，使其更易于阅读。 sep_multiline对RDN分隔符使用换行字符，
并为AVA分隔符使用间隔的+。 它还将字段缩小四个字符。 如果没有指定字段分隔符，则默认使用sep_comma_plus_space。

=item B<dn_rev>

reverse the fields of the DN. This is required by RFC2253. As a side
effect this also reverses the order of multiple AVAs but this is
permissible.

反转DN的字段。 这是RFC2253所要求的。 作为副作用，这也反转了多个AVA的顺序，但这是允许的。

=item B<nofname>, B<sname>, B<lname>, B<oid>

these options alter how the field name is displayed. B<nofname> does
not display the field at all. B<sname> uses the "short name" form
(CN for commonName for example). B<lname> uses the long form.
B<oid> represents the OID in numerical form and is useful for
diagnostic purpose.

这些选项会改变字段名称的显示方式。 nofname根本不显示字段。
 sname使用“短名称”表单（例如，用于commonName的CN）。 
lname使用长格式。 oid以数字形式表示OID，可用于诊断目的。

=item B<align>

align field values for a more readable output. Only usable with
B<sep_multiline>.

调整字段值以获得更可读的输出。 仅适用于sep_multiline。

=item B<space_eq>

places spaces round the B<=> character which follows the field
name.

在字段名后面的=字符上放置空格。

=back

=head2 Text Options

As well as customising the name output format, it is also possible to
customise the actual fields printed using the B<certopt> options when
the B<text> option is present. The default behaviour is to print all fields.

=over 4

=item B<compatible>

use the old format. This is equivalent to specifying no output options at all.

=item B<no_header>

don't print header information: that is the lines saying "Certificate" and "Data".

=item B<no_version>

don't print out the version number.

=item B<no_serial>

don't print out the serial number.

=item B<no_signame>

don't print out the signature algorithm used.

=item B<no_validity>

don't print the validity, that is the B<notBefore> and B<notAfter> fields.

=item B<no_subject>

don't print out the subject name.

=item B<no_issuer>

don't print out the issuer name.

=item B<no_pubkey>

don't print out the public key.

=item B<no_sigdump>

don't give a hexadecimal dump of the certificate signature.

=item B<no_aux>

don't print out certificate trust information.

=item B<no_extensions>

don't print out any X509V3 extensions.

=item B<ext_default>

retain default extension behaviour: attempt to print out unsupported certificate extensions.

=item B<ext_error>

print an error message for unsupported certificate extensions.

=item B<ext_parse>

ASN1 parse unsupported extensions.

=item B<ext_dump>

hex dump unsupported extensions.

=item B<ca_default>

the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
B<no_header>, and B<no_version>.

=back

=head1 EXAMPLES

Note: in these examples the '\' means the example should be all on one
line.

Display the contents of a certificate:

 gmssl x509 -in cert.pem -noout -text

Display the certificate serial number:

 gmssl x509 -in cert.pem -noout -serial

Display the certificate subject name:

 gmssl x509 -in cert.pem -noout -subject

Display the certificate subject name in RFC2253 form:

 gmssl x509 -in cert.pem -noout -subject -nameopt RFC2253

Display the certificate subject name in oneline form on a terminal
supporting UTF8:

 gmssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

Display the certificate MD5 fingerprint:

 gmssl x509 -in cert.pem -noout -fingerprint

Display the certificate SHA1 fingerprint:

 gmssl x509 -sha1 -in cert.pem -noout -fingerprint

Convert a certificate from PEM to DER format:

 gmssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Convert a certificate to a certificate request:

 gmssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem

Convert a certificate request into a self signed certificate using
extensions for a CA:

 gmssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
        -signkey key.pem -out cacert.pem

Sign a certificate request using the CA certificate above and add user
certificate extensions:

 gmssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
        -CA cacert.pem -CAkey key.pem -CAcreateserial


Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"

 gmssl x509 -in cert.pem -addtrust clientAuth \
        -setalias "Steve's Class 1 CA" -out trust.pem

=head1 NOTES

The PEM format uses the header and footer lines:

 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----

it will also handle files containing:

 -----BEGIN X509 CERTIFICATE-----
 -----END X509 CERTIFICATE-----

Trusted certificates have the lines

 -----BEGIN TRUSTED CERTIFICATE-----
 -----END TRUSTED CERTIFICATE-----

The conversion to UTF8 format used with the name options assumes that
T61Strings use the ISO8859-1 character set. This is wrong but Netscape
and MSIE do this as do many certificates. So although this is incorrect
it is more likely to display the majority of certificates correctly.

The B<-fingerprint> option takes the digest of the DER encoded certificate.
This is commonly called a "fingerprint". Because of the nature of message
digests the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.

The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.

The B<-email> option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.

=head1 CERTIFICATE EXTENSIONS

The B<-purpose> option checks the certificate extensions and determines
what the certificate can be used for. The actual checks done are rather
complex and include various hacks and workarounds to handle broken
certificates and software.

The same code is used when verifying untrusted certificates in chains
so this section is useful if a chain is rejected by the verify code.

The basicConstraints extension CA flag is used to determine whether the
certificate can be used as a CA. If the CA flag is true then it is a CA,
if the CA flag is false then it is not a CA. B<All> CAs should have the
CA flag set to true.

If the basicConstraints extension is absent then the certificate is
considered to be a "possible CA" other extensions are checked according
to the intended use of the certificate. A warning is given in this case
because the certificate should really not be regarded as a CA: however
it is allowed to be a CA to work around some broken software.

If the certificate is a V1 certificate (and thus has no extensions) and
it is self signed it is also assumed to be a CA but a warning is again
given: this is to work around the problem of Verisign roots which are V1
self signed certificates.

If the keyUsage extension is present then additional restraints are
made on the uses of the certificate. A CA certificate B<must> have the
keyCertSign bit set if the keyUsage extension is present.

The extended key usage extension places additional restrictions on the
certificate uses. If this extension is present (whether critical or not)
the key can only be used for the purposes specified.

A complete description of each test is given below. The comments about
basicConstraints and keyUsage and V1 certificates above apply to B<all>
CA certificates.


=over 4

=item B<SSL Client>

The extended key usage extension must be absent or include the "web client
authentication" OID.  keyUsage must be absent or it must have the
digitalSignature bit set. Netscape certificate type must be absent or it must
have the SSL client bit set.

=item B<SSL Client CA>

The extended key usage extension must be absent or include the "web client
authentication" OID. Netscape certificate type must be absent or it must have
the SSL CA bit set: this is used as a work around if the basicConstraints
extension is absent.

=item B<SSL Server>

The extended key usage extension must be absent or include the "web server
authentication" and/or one of the SGC OIDs.  keyUsage must be absent or it
must have the digitalSignature, the keyEncipherment set or both bits set.
Netscape certificate type must be absent or have the SSL server bit set.

=item B<SSL Server CA>

The extended key usage extension must be absent or include the "web server
authentication" and/or one of the SGC OIDs.  Netscape certificate type must
be absent or the SSL CA bit must be set: this is used as a work around if the
basicConstraints extension is absent.

=item B<Netscape SSL Server>

For Netscape SSL clients to connect to an SSL server it must have the
keyEncipherment bit set if the keyUsage extension is present. This isn't
always valid because some cipher suites use the key for digital signing.
Otherwise it is the same as a normal SSL server.

=item B<Common S/MIME Client Tests>

The extended key usage extension must be absent or include the "email
protection" OID. Netscape certificate type must be absent or should have the
S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type
then the SSL client bit is tolerated as an alternative but a warning is shown:
this is because some Verisign certificates don't set the S/MIME bit.

=item B<S/MIME Signing>

In addition to the common S/MIME client tests the digitalSignature bit must
be set if the keyUsage extension is present.

=item B<S/MIME Encryption>

In addition to the common S/MIME tests the keyEncipherment bit must be set
if the keyUsage extension is present.

=item B<S/MIME CA>

The extended key usage extension must be absent or include the "email
protection" OID. Netscape certificate type must be absent or must have the
S/MIME CA bit set: this is used as a work around if the basicConstraints
extension is absent.

=item B<CRL Signing>

The keyUsage extension must be absent or it must have the CRL signing bit
set.

=item B<CRL Signing CA>

The normal CA tests apply. Except in this case the basicConstraints extension
must be present.

=back

=head1 BUGS

Extensions in certificates are not transferred to certificate requests and
vice versa.

It is possible to produce invalid certificates or requests by specifying the
wrong private key or using inconsistent options in some cases: these should
be checked.

There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.

=head1 SEE ALSO

L<req(1)>, L<ca(1)>, L<genrsa(1)>,
L<gendsa(1)>, L<verify(1)>,
L<x509v3_config(5)>

=head1 HISTORY

The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
before GmSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In GmSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
the old form must have their links rebuilt using B<c_rehash> or similar.

=head1 COPYRIGHT

Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the GmSSL license (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut