SPKAC 1 2003-07-24 0.9.9-dev OpenSSL

NAME

spkac - SPKAC printing and generating utility

LIBRARY

libcrypto, -lcrypto

SYNOPSIS

ooppeennssssll ssppkkaacc [--iinn ffiilleennaammee] [--oouutt ffiilleennaammee] [--kkeeyy kkeeyyffiillee] [--ppaassssiinn aarrgg] [--cchhaalllleennggee ssttrriinngg] [--ppuubbkkeeyy] [--ssppkkaacc ssppkkaaccnnaammee] [--ssppkksseecctt sseeccttiioonn] [--nnoooouutt] [--vveerriiffyy] [--eennggiinnee iidd]

DESCRIPTION

The ssppkkaacc command processes Netscape signed public key and challenge (SPKAC) files. It can print out their contents, verify the signature and produce its own SPKACs from a supplied private key.

COMMAND OPTIONS

--iinn ffiilleennaammee This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the --kkeeyy option is used.
--oouutt ffiilleennaammee specifies the output filename to write to or standard output by
default.
--kkeeyy kkeeyyffiillee create an SPKAC file using the private key in kkeeyyffiillee. The
--iinn, --nnoooouutt, --ssppkksseecctt and --vveerriiffyy options are ignored if present.
--ppaassssiinn ppaasssswwoorrdd the input file password source. For more information about the format of aarrgg
see the PPAASSSS PPHHRRAASSEE AARRGGUUMMEENNTTSS section in _o_p_e_n_s_s_l(1).
--cchhaalllleennggee ssttrriinngg specifies the challenge string if an SPKAC is being created.
--ssppkkaacc ssppkkaaccnnaammee allows an alternative name form the variable containing the
SPKAC. The default is "SPKAC". This option affects both generated and input SPKAC files.
--ssppkksseecctt sseeccttiioonn allows an alternative name form the section containing the
SPKAC. The default is the default section.
--nnoooouutt don't output the text version of the SPKAC (not used if an
SPKAC is being created).
--ppuubbkkeeyy output the public key of an SPKAC (not used if an SPKAC is
being created).
--vveerriiffyy verifies the digital signature on the supplied SPKAC.
--eennggiinnee iidd specifying an engine (by it's unique iidd string) will cause rreeqq
to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

EXAMPLES

Print out the contents of an SPKAC:


 openssl spkac -in spkac.cnf

Verify the signature of an SPKAC:


 openssl spkac -in spkac.cnf -noout -verify

Create an SPKAC using the challenge string "hello":


 openssl spkac -key key.pem -challenge hello -out spkac.cnf

Example of an SPKAC, (long lines split up for clarity):


 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
 PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
 PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
 4=

NOTES

A created SPKAC with suitable DN components appended can be fed into the ccaa utility.

SPKACs are typically generated by Netscape when a form is submitted containing the KKEEYYGGEENN tag as part of the certificate enrollment process.

The challenge string permits a primitive form of proof of possession of private key. By checking the SPKAC signature and a random challenge string some guarantee is given that the user knows the private key corresponding to the public key being certified. This is important in some applications. Without this it is possible for a previous SPKAC to be used in a "replay attack".

SEE ALSO

_o_p_e_n_s_s_l___c_a(1)