SPKAC(1)                            OpenSSL                           SPKAC(1)


NNAAMMEE
       openssl-spkac, spkac - SPKAC printing and generating utility

SSYYNNOOPPSSIISS
       ooppeennssssll ssppkkaacc [--iinn ffiilleennaammee] [--oouutt ffiilleennaammee] [--kkeeyy kkeeyyffiillee] [--ppaassssiinn
       aarrgg] [--cchhaalllleennggee ssttrriinngg] [--ppuubbkkeeyy] [--ssppkkaacc ssppkkaaccnnaammee] [--ssppkksseecctt sseecc--
       ttiioonn] [--nnoooouutt] [--vveerriiffyy] [--eennggiinnee iidd]

DDEESSCCRRIIPPTTIIOONN
       The ssppkkaacc command processes Netscape signed public key and challenge
       (SPKAC) files. It can print out their contents, verify the signature
       and produce its own SPKACs from a supplied private key.

CCOOMMMMAANNDD OOPPTTIIOONNSS
       --iinn ffiilleennaammee
           This specifies the input filename to read from or standard input if
           this option is not specified. Ignored if the --kkeeyy option is used.

       --oouutt ffiilleennaammee
           specifies the output filename to write to or standard output by
           default.

       --kkeeyy kkeeyyffiillee
           create an SPKAC file using the private key in kkeeyyffiillee. The --iinn,
           --nnoooouutt, --ssppkksseecctt and --vveerriiffyy options are ignored if present.

       --ppaassssiinn ppaasssswwoorrdd
           the input file password source. For more information about the for-
           mat of aarrgg see the PPAASSSS PPHHRRAASSEE AARRGGUUMMEENNTTSS section in _o_p_e_n_s_s_l(1).

       --cchhaalllleennggee ssttrriinngg
           specifies the challenge string if an SPKAC is being created.

       --ssppkkaacc ssppkkaaccnnaammee
           allows an alternative name form the variable containing the SPKAC.
           The default is "SPKAC". This option affects both generated and
           input SPKAC files.

       --ssppkksseecctt sseeccttiioonn
           allows an alternative name form the section containing the SPKAC.
           The default is the default section.

       --nnoooouutt
           don't output the text version of the SPKAC (not used if an SPKAC is
           being created).

       --ppuubbkkeeyy
           output the public key of an SPKAC (not used if an SPKAC is being
           created).

       --vveerriiffyy
           verifies the digital signature on the supplied SPKAC.

       --eennggiinnee iidd
           specifying an engine (by its unique iidd string) will cause ssppkkaacc to
           attempt to obtain a functional reference to the specified engine,
           thus initialising it if needed. The engine will then be set as the
           default for all available algorithms.

EEXXAAMMPPLLEESS
       Print out the contents of an SPKAC:

        openssl spkac -in spkac.cnf

       Verify the signature of an SPKAC:

        openssl spkac -in spkac.cnf -noout -verify

       Create an SPKAC using the challenge string "hello":

        openssl spkac -key key.pem -challenge hello -out spkac.cnf

       Example of an SPKAC, (long lines split up for clarity):

        SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\
        PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\
        PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\
        2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\
        4=

NNOOTTEESS
       A created SPKAC with suitable DN components appended can be fed into
       the ccaa utility.

       SPKACs are typically generated by Netscape when a form is submitted
       containing the KKEEYYGGEENN tag as part of the certificate enrollment
       process.

       The challenge string permits a primitive form of proof of possession of
       private key. By checking the SPKAC signature and a random challenge
       string some guarantee is given that the user knows the private key cor-
       responding to the public key being certified. This is important in some
       applications. Without this it is possible for a previous SPKAC to be
       used in a "replay attack".

SSEEEE AALLSSOO
       _c_a(1)


1.0.2u                            2019-12-20                          SPKAC(1)