[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
+[B<-subj arg>]
[B<-crldays days>]
[B<-crlhours hours>]
[B<-crlexts section>]
[B<-policy arg>]
[B<-keyfile arg>]
[B<-key arg>]
+[B<-passin arg>]
[B<-cert file>]
[B<-in file>]
[B<-out file>]
+[B<-notext>]
[B<-outdir dir>]
[B<-infiles>]
[B<-spkac file>]
[B<-batch>]
[B<-msie_hack>]
[B<-extensions section>]
+[B<-extfile section>]
=head1 DESCRIPTION
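Review bot: the synopsis entry `[B<-extfile section>]` disagrees with the option's own description further down in this patch, which documents it as `B<-extfile file>` taking an additional configuration file, not a section name. Change the synopsis line to `[B<-extfile file>]` so the two agree; the section within that file is what `-extensions` selects.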
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
+=item B<-passin arg>
+
+the key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
=item B<-verbose>
this prints extra details about the operations being performed.
+=item B<-notext>
+
+don't output the text form of a certificate to the output file.
+
=item B<-startdate date>
this allows the start date to be explicitly set. The format of the
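Review bot: the new `-passin arg` item sits directly under the warning that command-line arguments are visible through `ps`, but does not say that the same exposure applies to it. Since `-passin` is the documented way to supply the key password, the item should state that a password given literally on the command line is visible to other users on such systems and that one of the argument forms in openssl(1) that keeps the secret out of argv (an environment variable, a file or a file descriptor) is preferable. The `-notext` item reads fine.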
=item B<-extensions section>
the section of the configuration file containing certificate extensions
-to be added when a certificate is issued. If no extension section is
-present then a V1 certificate is created. If the extension section
-is present (even if it is empty) then a V3 certificate is created.
+to be added when a certificate is issued (defaults to B<x509_extensions>
+unless the B<-extfile> option is used). If no extension section is
+present then, a V1 certificate is created. If the extension section
+is present (even if it is empty), then a V3 certificate is created.
+
+=item B<-extfile file>
+
+an additional configuration file to read certificate extensions from
+(using the default section unless the B<-extensions> option is also
+used).
=back
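Review bot: the rewritten `-extensions` text puts the comma in the wrong place: "If no extension section is present then, a V1 certificate is created" should read "If no extension section is present, then a V1 certificate is created" (the following sentence already has it right). Also, "defaults to B<x509_extensions>" does not say where that key is looked up; stating that it is read from the CA section of the configuration file would remove the ambiguity. The `-extfile` item should likewise make clear that "the default section" refers to the default section of that additional file rather than of the main configuration file.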
a filename containing a certificate to revoke.
+=item B<-subj arg>
+
+supersedes subject name given in the request
+
=item B<-crlexts section>
the section of the configuration file containing CRL extensions to
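Review bot: the `-subj arg` item says only "supersedes subject name given in the request", gives no format for `arg` and does not end the sentence. Document the expected format, or refer to the `-subj` description in req(1), and say whether the B<policy> section is applied to the substituted name or to the one in the request, since the whole point of the policy check is to control what subject ends up in the issued certificate.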
=item B<RANDFILE>
-a file used to read and write random number seed information.
+a file used to read and write random number seed information, or
+an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
=item B<default_days>
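Review bot: with the EGD alternative added, "a file used to read and write random number seed information, or an EGD socket" leaves it unclear whether seed data is also written back to the socket. If only the file form is written at exit, say so, for example "a file used to read and write random number seed information, or an EGD socket from which seed information is read (see ...)".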
the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
for more information.
+=item B<nameopt>, B<certopt>
+
+these options allow the format used to display the certificate details
+when asking the user to confirm signing. All the options supported by
+the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
+here, except the B<no_signame> and B<no_sigdump> are permanently set
+and cannot be disabled (this is because the certificate signature cannot
+be displayed because the certificate has not been signed at this point).
+
+For convenience the values B<default_ca> are accepted by both to produce
+a reasonable output.
+
+If neither option is present the format used in earlier versions of
+OpenSSL is used. Use of the old format is B<strongly> discouraged because
+it only displays fields mentioned in the B<policy> section, mishandles
+multicharacter string types and does not display extensions.
+
=back
=head1 POLICY FORMAT
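Review bot: grammar in the new `nameopt`/`certopt` item: "these options allow the format used to display the certificate details" lacks the verb for what is allowed (read "allow the format ... to be specified"); "except the B<no_signame> and B<no_sigdump> are permanently set" should be "except that"; and "the values B<default_ca> are accepted by both" should be "the value B<default_ca> is accepted by both". The closing paragraph is the important one for an operator, because the old format hides extensions from the person being asked to confirm signing; consider stating that explicitly as the reason to set both options to B<default_ca> in the CA section, which the sample configuration added later in this patch does.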
Sign a certificate request:
-openssl ca -in req.pem -out newcert.pem
+ openssl ca -in req.pem -out newcert.pem
+
+Sign a certificate request, using CA extensions:
+
+ openssl ca -in req.pem -extensions v3_ca -out newcert.pem
Generate a CRL
-openssl ca -gencrl -out crl.pem
+ openssl ca -gencrl -out crl.pem
Sign several requests:
-openssl ca -infiles req1.pem req2.pem req3.pem
+ openssl ca -infiles req1.pem req2.pem req3.pem
Certify a Netscape SPKAC:
-openssl ca -spkac spkac.txt
+ openssl ca -spkac spkac.txt
A sample SPKAC file (the SPKAC line has been truncated for clarity):
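Review bot: indenting the example commands makes them POD verbatim paragraphs, which is the right fix. The new "Sign a certificate request, using CA extensions" example with `-extensions v3_ca` deserves one more sentence: `v3_ca` must be a section present in the configuration file, and a request signed with CA extensions yields a certificate that can itself issue certificates, so it is not an everyday variant of the first example. Saying so keeps a reader from copying it for an ordinary end-entity request.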
policy = policy_any # default policy
+ nameopt = default_ca # Subject name display option
+ certopt = default_ca # Certificate display option
+
[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
The B<ca> command is quirky and at times downright unfriendly.
The B<ca> utility was originally meant as an example of how to do things
-in a CA. It was not supposed be be used as a full blown CA itself:
+in a CA. It was not supposed to be used as a full blown CA itself:
nevertheless some people are using it for this purpose.
The B<ca> command is effectively a single user command: no locking is
B<CA.pl> help a little but not very much.
Any fields in a request that are not present in a policy are silently
-deleted. This does not happen if the B<-preserveDN> option is used but
-the extra fields are not displayed when the user is asked to certify
-a request. The behaviour should be more friendly and configurable.
+deleted. This does not happen if the B<-preserveDN> option is used.
+The behaviour should be more friendly and configurable.
Cancelling some commands by refusing to certify a certificate can
create an empty file.
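Review bot: dropping "but the extra fields are not displayed when the user is asked to certify a request" is only correct when `nameopt`/`certopt` are set, since the new description of those options says the old display format "only displays fields mentioned in the policy section". With neither option set, fields kept by `-preserveDN` still go unseen at the confirmation prompt. Suggest keeping the caveat, qualified: "... if the B<-preserveDN> option is used, but the extra fields are not displayed at the confirmation prompt unless B<nameopt> and B<certopt> are set."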
=head1 SEE ALSO
-req(1), spkac(1), x509(1), CA.pl(1), config(5)
+L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
+L<config(5)|config(5)>
=cut