it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option.
-=item B<serialfile>
+=item B<serial>
a text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
+=item B<crlnumber>
+
+a text file containing the next CRL number to use in hex. The crl number
+will be inserted in the CRLs only if this file exists. If this file is
+present, it must contain a valid CRL number.
+
=item B<x509_extensions>
the same as B<-extensions>.
and cannot be disabled (this is because the certificate signature cannot
be displayed because the certificate has not been signed at this point).
-For convenience the values B<default_ca> are accepted by both to produce
+For convenience the values B<ca_default> are accepted by both to produce
a reasonable output.
If neither option is present the format used in earlier versions of
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
- nameopt = default_ca # Subject name display option
- certopt = default_ca # Certificate display option
+ nameopt = ca_default # Subject name display option
+ certopt = ca_default # Certificate display option
copy_extensions = none # Don't copy extensions from request
[ policy_any ]
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.
-V2 CRL features like delta CRL support and CRL numbers are not currently
-supported.
+V2 CRL features like delta CRLs are not currently supported.
Although several requests can be input and handled at once it is only
possible to include one SPKAC or self signed certificate.
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
-It is not possible to certify two certificates with the same DN: this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same DN for separate signing and encryption
-keys.
-
The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or GUI) can handle things properly. The scripts B<CA.sh> and