X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fapps%2FCA.pl.pod;h=d326101cde788a00ff564900fc92e439c39a291b;hp=59bdde9240a1ec723793a6b21be913f3f2b1d8ad;hb=095db6bdb81500857a0016b6284b9733c4cd547e;hpb=aa3353fda210df947dfc68650dfada241b8037fe;ds=sidebyside diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index 59bdde9240..d326101cde 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -13,6 +13,7 @@ B [B<-help>] [B<-newcert>] [B<-newreq>] +[B<-newreq-nodes>] [B<-newca>] [B<-xsign>] [B<-sign>] @@ -38,13 +39,17 @@ prints a usage message. =item B<-newcert> -creates a new self signed certificate. The private key and certificate are -written to the file "newreq.pem". +creates a new self signed certificate. The private key is written to the file +"newkey.pem" and the request written to the file "newreq.pem". =item B<-newreq> -creates a new certificate request. The private key and request are -written to the file "newreq.pem". +creates a new certificate request. The private key is written to the file +"newkey.pem" and the request written to the file "newreq.pem". + +=item B<-newreq-nodes> + +is like B<-newreq> except that the private key will not be encrypted. =item B<-newca> 
@@ -63,15 +68,22 @@ it creates a file "newcert.p12". This command can thus be called after the B<-sign> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the "friendly name" for the certificate (which is typically displayed in the browser -list box), otherwise the name "My Certifictate" is used. +list box), otherwise the name "My Certificate" is used. =item B<-sign>, B<-signreq>, B<-xsign> calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file -"newcert.pem" except in the case of the B<-xcert> option when it is written +"newcert.pem" except in the case of the B<-xsign> option when it is written to standard output. + +=item B<-signCA> + +this option is the same as the B<-signreq> option except it uses the configuration +file section B and so makes the signed request a valid CA certificate. This +is useful when creating intermediate CA from a root CA. + =item B<-signcert> this option is the same as B<-sign> except it expects a self signed certificate 
@@ -102,6 +114,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. + +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and private key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + =head1 NOTES Most of the filenames mentioned can be modified by editing the B script.
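Review bot: In the SYNOPSIS hunk (@@ -13,6 +13,7 @@), only [B<-newreq-nodes>] is added, although a later hunk of this patch documents a new B<-signCA> item. Unless -signCA is already listed in the part of the synopsis outside the visible context, add [B<-signCA>] here so the synopsis and the option list agree.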
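Review bot: In the option descriptions hunk (@@ -38,13 +39,17 @@), the new B<-newcert> text ends with 'the request written to the file "newreq.pem"', but the item describes creating a self signed certificate, not a request. The sentence reads as if copied from B<-newreq>; it should say "certificate" and name the file the certificate is actually written to. The new B<-newreq-nodes> item could also state that the unencrypted key ends up in "newkey.pem", so the reader knows which file has to be protected by file permissions alone.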
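Review bot: In the signing options hunk (@@ -63,15 +68,22 @@), the new B<-signCA> item is missing an article in "This is useful when creating intermediate CA from a root CA"; make it "an intermediate CA". Since the item only says it is "the same as the B<-signreq> option", it would also help to repeat that the request is read from "newreq.pem" and the result written to "newcert.pem". Because the output is a certificate that can itself sign other certificates, a sentence telling the operator to check the request before signing would fit here.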
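Review bot: In the DSA CERTIFICATES hunk (@@ -102,6 +114,35 @@), the CA example uses "-keyout cacert.pem -out cacert.pem", which puts the CA private key and the CA certificate in the same file. That is at odds with the rest of this patch, which separates "newkey.pem" from "newreq.pem", and it invites handing out the key together with the certificate. Either use a separate -keyout file or say explicitly that cacert.pem then contains the private key and must not be distributed. The request example "openssl req -out newreq.pem -newkey dsa:dsap.pem" has no -keyout, so the key does not follow the "newkey.pem" convention described above; add it or say where the key goes. Minor: the opening sentence wants a comma after "requests".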