+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
+ OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
+ OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
+ OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR,
+ OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
+ OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
+ OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
+ OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
+ OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE,
+ OPT_CRL_CA_COMPROMISE
+} OPTION_CHOICE;
+
+OPTIONS ca_options[] = {
+ {"help", OPT_HELP, '-', "Display this summary"},
+ {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
+ {"config", OPT_CONFIG, 's', "A config file"},
+ {"name", OPT_NAME, 's', "The particular CA definition to use"},
+ {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
+ {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
+ {"create_serial", OPT_CREATE_SERIAL, '-'},
+ {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
+ "Enable support for multivalued RDNs"},
+ {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
+ {"enddate", OPT_ENDDATE, 's',
+ "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
+ {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
+ {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
+ {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
+ {"keyfile", OPT_KEYFILE, '<', "Private key file"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
+ {"passin", OPT_PASSIN, 's'},
+ {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
+ {"cert", OPT_CERT, '<', "The CA cert"},
+ {"selfsign", OPT_SELFSIGN, '-',
+ "Sign a cert with the key associated with it"},
+ {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
+ {"out", OPT_OUT, '>', "Where to put the output file(s)"},
+ {"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
+ {"sigopt", OPT_SIGOPT, 's'},
+ {"notext", OPT_NOTEXT, '-'},
+ {"batch", OPT_BATCH, '-', "Don't ask questions"},
+ {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
+ {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
+ {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
+ {"msie_hack", OPT_MSIE_HACK, '-',
+ "msie modifications to handle all those universal strings"},
+ {"crldays", OPT_CRLDAYS, 'p', "Days is when the next CRL is due"},
+ {"crlhours", OPT_CRLHOURS, 'p', "Hours is when the next CRL is due"},
+ {"crlsec", OPT_CRLSEC, 'p'},
+ {"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
+ {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
+ {"spkac", OPT_SPKAC, '<',
+ "File contains DN and signed public key and challenge"},
+ {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
+ {"valid", OPT_VALID, 's'},
+ {"extensions", OPT_EXTENSIONS, 's',
+ "Extension section (override value in config file)"},
+ {"extfile", OPT_EXTFILE, '<',
+ "Configuration file with X509v3 extensions to add"},
+ {"status", OPT_STATUS, 's', "Shows cert status given the serial number"},
+ {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
+ {"crlexts", OPT_CRLEXTS, 's',
+ "CRL extension section (override value in config file)"},
+ {"crl_reason", OPT_CRL_REASON, 's'},
+ {"crl_hold", OPT_CRL_HOLD, 's'},
+ {"crl_compromise", OPT_CRL_COMPROMISE, 's'},
+ {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'},
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+ {NULL}
+};