summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--apps/ca.c59
-rw-r--r--apps/crl.c4
-rw-r--r--apps/include/apps.h13
-rw-r--r--apps/lib/apps.c83
-rw-r--r--apps/req.c18
-rw-r--r--apps/s_client.c7
-rw-r--r--apps/s_server.c7
-rw-r--r--apps/x509.c8
-rw-r--r--doc/man1/openssl-ca.pod.in12
-rw-r--r--test/recipes/80-test_ca.t8
10 files changed, 125 insertions, 94 deletions
diff --git a/apps/ca.c b/apps/ca.c
index e2fb43fd7e..a18ff0998e 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -93,7 +93,8 @@ typedef enum {
static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -104,7 +105,8 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
long days, int batch, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -150,7 +152,8 @@ typedef enum OPTION_choice {
OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
- OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
+ OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
+ OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
@@ -168,7 +171,8 @@ const OPTIONS ca_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
{"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
- {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
+ {"in", OPT_IN, '<', "The input cert request(s)"},
+ {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
{"out", OPT_OUT, '>', "Where to put the output file(s)"},
{"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
@@ -190,7 +194,7 @@ const OPTIONS ca_options[] = {
OPT_SECTION("Certificate"),
{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
- {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
+ {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"},
{"create_serial", OPT_CREATE_SERIAL, '-',
"If reading serial fails, create a new random serial"},
{"rand_serial", OPT_RAND_SERIAL, '-',
@@ -215,6 +219,8 @@ const OPTIONS ca_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"cert", OPT_CERT, '<', "The CA cert"},
+ {"certform", OPT_CERTFORM, 'F',
+ "certificate input format (DER or PEM); default PEM"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
@@ -267,6 +273,7 @@ int ca_main(int argc, char **argv)
char *configfile = default_config_file, *section = NULL;
char *md = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
+ int certformat = FORMAT_PEM, informat = FORMAT_PEM;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
@@ -306,6 +313,10 @@ opthelp:
req = 1;
infile = opt_arg();
break;
+ case OPT_INFORM:
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+ goto opthelp;
+ break;
case OPT_OUT:
outfile = opt_arg();
break;
@@ -373,6 +384,10 @@ opthelp:
case OPT_CERT:
certfile = opt_arg();
break;
+ case OPT_CERTFORM:
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat))
+ goto opthelp;
+ break;
case OPT_SELFSIGN:
selfsign = 1;
break;
@@ -571,7 +586,7 @@ end_of_options:
&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;
- x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
+ x509 = load_cert(certfile, certformat, "CA certificate");
if (x509 == NULL)
goto end;
@@ -926,7 +941,7 @@ end_of_options:
}
if (ss_cert_file != NULL) {
total++;
- j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
+ j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst,
sigopts, vfyopts, attribs,
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
@@ -947,8 +962,8 @@ end_of_options:
}
if (infile != NULL) {
total++;
- j = certify(&x, infile, pkey, x509p, dgst, sigopts, vfyopts,
- attribs, db,
+ j = certify(&x, infile, informat, pkey, x509p, dgst,
+ sigopts, vfyopts, attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
certopt, get_nameopt(), default_op, ext_copy, selfsign);
@@ -967,7 +982,8 @@ end_of_options:
}
for (i = 0; i < argc; i++) {
total++;
- j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, vfyopts,
+ j = certify(&x, argv[i], informat, pkey, x509p, dgst,
+ sigopts, vfyopts,
attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
@@ -1247,7 +1263,7 @@ end_of_options:
goto end;
} else {
X509 *revcert;
- revcert = load_cert(infile, FORMAT_PEM, infile);
+ revcert = load_cert(infile, certformat, infile);
if (revcert == NULL)
goto end;
if (dorevoke == 2)
@@ -1300,7 +1316,8 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
return entry;
}
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -1313,20 +1330,12 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
int default_op, int ext_copy, int selfsign)
{
X509_REQ *req = NULL;
- BIO *in = NULL;
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- in = BIO_new_file(infile, "r");
- if (in == NULL) {
- ERR_print_errors(bio_err);
+ req = load_csr(infile, informat, "certificate request");
+ if (req == NULL)
goto end;
- }
- if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
- BIO_printf(bio_err, "Error reading certificate request in %s\n",
- infile);
- goto end;
- }
if (verbose)
X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT);
@@ -1367,11 +1376,11 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
end:
X509_REQ_free(req);
- BIO_free(in);
return ok;
}
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int certformat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -1387,7 +1396,7 @@ static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
+ if ((req = load_cert(infile, certformat, infile)) == NULL)
goto end;
if (verbose)
X509_print(bio_err, req);
diff --git a/apps/crl.c b/apps/crl.c
index 8b5a36322a..8028fef5de 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -205,7 +205,7 @@ int crl_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
- x = load_crl(infile, informat);
+ x = load_crl(infile, informat, "CRL");
if (x == NULL)
goto end;
@@ -250,7 +250,7 @@ int crl_main(int argc, char **argv)
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
- newcrl = load_crl(crldiff, informat);
+ newcrl = load_crl(crldiff, informat, "other CRL");
if (!newcrl)
goto end;
pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
diff --git a/apps/include/apps.h b/apps/include/apps.h
index f9049f060f..e168942e19 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -104,16 +104,17 @@ int set_ext_copy(int *copy_type, const char *arg);
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
int add_oid_section(CONF *conf);
-X509 *load_cert(const char *file, int format, const char *cert_descrip);
-X509_CRL *load_crl(const char *infile, int format);
+X509_REQ *load_csr(const char *file, int format, const char *desc);
+X509 *load_cert(const char *file, int format, const char *desc);
+X509_CRL *load_crl(const char *infile, int format, const char *desc);
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
- const char *pass, ENGINE *e, const char *key_descrip);
+ const char *pass, ENGINE *e, const char *desc);
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
- const char *pass, ENGINE *e, const char *key_descrip);
+ const char *pass, ENGINE *e, const char *desc);
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
- const char *pass, const char *cert_descrip);
+ const char *pass, const char *desc);
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
- const char *pass, const char *cert_descrip);
+ const char *pass, const char *desc);
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
const char *CApath, int noCApath,
const char *CAstore, int noCAstore);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 5395d842eb..d175e687ba 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -421,7 +421,7 @@ static int load_pkcs12(BIO *in, const char *desc,
int len, ret = 0;
PKCS12 *p12;
p12 = d2i_PKCS12_bio(in, NULL);
- if (p12 == NULL) {
+ if (p12 == NULL && desc != NULL) {
BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
goto die;
}
@@ -433,7 +433,8 @@ static int load_pkcs12(BIO *in, const char *desc,
pem_cb = (pem_password_cb *)password_callback;
len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
if (len < 0) {
- BIO_printf(bio_err, "Passphrase callback error for %s\n", desc);
+ BIO_printf(bio_err, "Passphrase callback error for %s\n",
+ desc != NULL ? desc : "PKCS12 input");
goto die;
}
if (len < PEM_BUFSIZE)
@@ -441,7 +442,7 @@ static int load_pkcs12(BIO *in, const char *desc,
if (!PKCS12_verify_mac(p12, tpass, len)) {
BIO_printf(bio_err,
"Mac verify error (wrong password?) in PKCS12 file for %s\n",
- desc);
+ desc != NULL ? desc : "PKCS12 input");
goto die;
}
pass = tpass;
@@ -452,7 +453,7 @@ static int load_pkcs12(BIO *in, const char *desc,
return ret;
}
-X509 *load_cert(const char *file, int format, const char *cert_descrip)
+X509 *load_cert(const char *file, int format, const char *desc)
{
X509 *x = NULL;
BIO *cert;
@@ -479,22 +480,22 @@ X509 *load_cert(const char *file, int format, const char *cert_descrip)
x = PEM_read_bio_X509_AUX(cert, NULL,
(pem_password_cb *)password_callback, NULL);
} else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
+ if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL))
goto end;
} else {
BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip);
goto end;
}
end:
- if (x == NULL) {
- BIO_printf(bio_err, "unable to load certificate\n");
+ if (x == NULL && desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
BIO_free(cert);
return x;
}
-X509_CRL *load_crl(const char *infile, int format)
+X509_CRL *load_crl(const char *infile, int format, const char *desc)
{
X509_CRL *x = NULL;
BIO *in = NULL;
@@ -517,19 +518,44 @@ X509_CRL *load_crl(const char *infile, int format)
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
- if (x == NULL) {
- BIO_printf(bio_err, "unable to load CRL\n");
+
+ end:
+ if (x == NULL && desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s\n", desc);
ERR_print_errors(bio_err);
goto end;
}
+ BIO_free(in);
+ return x;
+}
+
+X509_REQ *load_csr(const char *file, int format, const char *desc)
+{
+ X509_REQ *req = NULL;
+ BIO *in;
+
+ in = bio_open_default(file, 'r', format);
+ if (in == NULL)
+ goto end;
+
+ if (format == FORMAT_ASN1)
+ req = d2i_X509_REQ_bio(in, NULL);
+ else if (format == FORMAT_PEM)
+ req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+ else if (desc)
+ BIO_printf(bio_err, "unsupported format for loading %s\n", desc);
end:
+ if (req == NULL && desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s\n", desc);
+ ERR_print_errors(bio_err);
+ }
BIO_free(in);
- return x;
+ return req;
}
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
- const char *pass, ENGINE *e, const char *key_descrip)
+ const char *pass, ENGINE *e, const char *desc)
{
BIO *key = NULL;
EVP_PKEY *pkey = NULL;
@@ -553,8 +579,8 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
&cb_data);
ENGINE_finish(e);
}
- if (pkey == NULL) {
- BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+ if (pkey == NULL && desc != NULL) {
+ BIO_printf(bio_err, "cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
@@ -576,7 +602,8 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
} else if (format == FORMAT_PEM) {
pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data);
} else if (format == FORMAT_PKCS12) {
- if (!load_pkcs12(key, key_descrip, wrap_password_callback, &cb_data,
+ if (!load_pkcs12(key, desc,
+ (pem_password_cb *)password_callback, &cb_data,
&pkey, NULL, NULL))
goto end;
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
@@ -591,15 +618,15 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
}
end:
BIO_free(key);
- if (pkey == NULL) {
- BIO_printf(bio_err, "unable to load %s\n", key_descrip);
+ if (pkey == NULL && desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s\n", desc);
ERR_print_errors(bio_err);
}
return pkey;
}
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
- const char *pass, ENGINE *e, const char *key_descrip)
+ const char *pass, ENGINE *e, const char *desc)
{
BIO *key = NULL;
EVP_PKEY *pkey = NULL;
@@ -619,8 +646,8 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
#ifndef OPENSSL_NO_ENGINE
pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(),
&cb_data);
- if (pkey == NULL) {
- BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+ if (pkey == NULL && desc != NULL) {
+ BIO_printf(bio_err, "cannot load %s from engine\n", desc);
ERR_print_errors(bio_err);
}
#else
@@ -680,8 +707,10 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
}
end:
BIO_free(key);
- if (pkey == NULL)
- BIO_printf(bio_err, "unable to load %s\n", key_descrip);
+ if (pkey == NULL && desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s\n", desc);
+ ERR_print_errors(bio_err);
+ }
return pkey;
}
@@ -760,9 +789,11 @@ static int load_certs_crls(const char *file, int format,
sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
*pcrls = NULL;
}
- BIO_printf(bio_err, "unable to load %s\n",
- pcerts ? "certificates" : "CRLs");
- ERR_print_errors(bio_err);
+ if (desc != NULL) {
+ BIO_printf(bio_err, "unable to load %s for %s\n",
+ pcerts ? "certificates" : "CRLs", desc);
+ ERR_print_errors(bio_err);
+ }
}
return rv;
}
@@ -1900,7 +1931,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
urlptr = get_dp_url(dp);
if (urlptr)
- return load_crl(urlptr, FORMAT_HTTP);
+ return load_crl(urlptr, FORMAT_HTTP, "CRL via CDP");
}
return NULL;
}
diff --git a/apps/req.c b/apps/req.c
index 9ab120c34f..6740f21c35 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -230,7 +230,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
int req_main(int argc, char **argv)
{
ASN1_INTEGER *serial = NULL;
- BIO *in = NULL, *out = NULL;
+ BIO *out = NULL;
ENGINE *e = NULL, *gen_eng = NULL;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *genctx = NULL;
@@ -469,7 +469,7 @@ int req_main(int argc, char **argv)
BIO_printf(bio_err, "Using configuration from %s\n", template);
if ((req_conf = app_load_config(template)) == NULL)
goto end;
- if (addext_bio) {
+ if (addext_bio != NULL) {
if (verbose)
BIO_printf(bio_err,
"Using additional configuration from command line\n");
@@ -715,18 +715,9 @@ int req_main(int argc, char **argv)
}
if (!newreq) {
- in = bio_open_default(infile, 'r', informat);
- if (in == NULL)
+ req = load_csr(infile, informat, "X509 request");
+ if (req == NULL)
goto end;
-
- if (informat == FORMAT_ASN1)
- req = d2i_X509_REQ_bio(in, NULL);
- else
- req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
- if (req == NULL) {
- BIO_printf(bio_err, "unable to load X509 request\n");
- goto end;
- }
}
if (newreq || x509) {
@@ -992,7 +983,6 @@ int req_main(int argc, char **argv)
NCONF_free(req_conf);
NCONF_free(addext_conf);
BIO_free(addext_bio);
- BIO_free(in);
BIO_free_all(out);
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(genctx);
diff --git a/apps/s_client.c b/apps/s_client.c
index a28b2867a3..1596cb2f1e 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1736,12 +1736,9 @@ int s_client_main(int argc, char **argv)
if (crl_file != NULL) {
X509_CRL *crl;
- crl = load_crl(crl_file, crl_format);
- if (crl == NULL) {
- BIO_puts(bio_err, "Error loading CRL\n");
- ERR_print_errors(bio_err);
+ crl = load_crl(crl_file, crl_format, "CRL");
+ if (crl == NULL)
goto end;
- }
crls = sk_X509_CRL_new_null();
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
BIO_puts(bio_err, "Error adding CRL\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index 14550aebc2..8e2d73e622 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1787,12 +1787,9 @@ int s_server_main(int argc, char *argv[])
if (crl_file != NULL) {
X509_CRL *crl;
- crl = load_crl(crl_file, crl_format);
- if (crl == NULL) {
- BIO_puts(bio_err, "Error loading CRL\n");
- ERR_print_errors(bio_err);
+ crl = load_crl(crl_file, crl_format, "CRL");
+ if (crl == NULL)
goto end;
- }
crls = sk_X509_CRL_new_null();
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
BIO_puts(bio_err, "Error adding CRL\n");
diff --git a/apps/x509.c b/apps/x509.c
index 16c1f95754..d891b42f92 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -572,14 +572,8 @@ int x509_main(int argc, char **argv)
if (reqfile) {
EVP_PKEY *pkey;
- BIO *in;
-
- in = bio_open_default(infile, 'r', informat);
- if (in == NULL)
- goto end;
- req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
- BIO_free(in);
+ req = load_csr(infile, informat, "certificate request input");
if (req == NULL) {
ERR_print_errors(bio_err);
goto end;
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index d561101d80..0202661845 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -36,8 +36,10 @@ B<openssl> B<ca>
[B<-key> I<arg>]
[B<-passin> I<arg>]
[B<-cert> I<file>]
+[B<-certform> B<DER>|<PEM>]
[B<-selfsign>]
[B<-in> I<file>]
+[B<-inform> B<DER>|<PEM>]
[B<-out> I<file>]
[B<-notext>]
[B<-outdir> I<dir>]
@@ -104,6 +106,11 @@ B<default_ca> in the B<ca> section).
An input filename containing a single certificate request to be
signed by the CA.
+=item B<-inform> B<DER>|B<PEM>
+
+The format of the data in CSR input files.
+The default is PEM.
+
=item B<-ss_cert> I<filename>
A single self-signed certificate to be signed by the CA.
@@ -135,6 +142,11 @@ F<.pem> appended.
The CA certificate file.
+=item B<-certform> B<DER>|B<PEM>
+
+The format of the data in certificate input files.
+The default is PEM.
+
=item B<-keyfile> I<filename>
The private key to sign requests with.
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 3b36a2bfd9..3d4dfcd060 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -32,12 +32,12 @@ plan tests => 6;
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
skip "failed creating new certificate request", 3
- if !ok(run(perlapp(["CA.pl","-newreq"])),
+ if !ok(run(perlapp(["CA.pl","-newreq",
+ "-extra-req","-outform DER"])),
'creating certificate request');
-
- $ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"';
+ $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
skip "failed to sign certificate request", 2
- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
+ if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
'signing certificate request');
ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),