=head1 SYNOPSIS
B<openssl> B<ca>
+[B<-help>]
[B<-verbose>]
[B<-config filename>]
[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
+[B<-status serial>]
+[B<-updatedb>]
[B<-crl_reason reason>]
[B<-crl_hold instruction>]
[B<-crl_compromise time>]
[B<-md arg>]
[B<-policy arg>]
[B<-keyfile arg>]
+[B<-keyform PEM|DER>]
[B<-key arg>]
[B<-passin arg>]
[B<-cert file>]
[B<-engine id>]
[B<-subj arg>]
[B<-utf8>]
+[B<-create_serial>]
[B<-multivalue-rdn>]
=head1 DESCRIPTION
=over 4
+=item B<-help>
+
+Print out a usage message.
+
+=item B<-verbose>
+
+this prints extra details about the operations being performed.
+
=item B<-config filename>
specifies the configuration file to use.
a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
-section for information on the required format.
+section for information on the required input and output format.
=item B<-infiles>
the output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
-file.
+file in PEM format (except that B<-spkac> outputs DER format).
=item B<-outdir directory>
the private key to sign requests with.
+=item B<-keyform PEM|DER>
+
+the format of the data in the private key file.
+The default is PEM.
+
=item B<-key password>
the password used to encrypt the private key. Since on some
indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with B<-keyfile>).
-Cerificate requests signed with a different key are ignored. If
+Certificate requests signed with a different key are ignored. If
B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
ignored.
=item B<-passin arg>
the key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
-
-=item B<-verbose>
-
-this prints extra details about the operations being performed.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
=item B<-notext>
=item B<-md alg>
-the message digest to use. Possible values include md5, sha1 and mdc2.
+the message digest to use.
+Any digest supported by the OpenSSL B<dgst> command can be used.
This option also applies to CRLs.
=item B<-policy arg>
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created.
+is present (even if it is empty), then a V3 certificate is created. See the:w
+L<x509v3_config(5)> manual page for details of the
+extension section format.
=item B<-extfile file>
=item B<-engine id>
-specifying an engine (by it's unique B<id> string) will cause B<req>
+specifying an engine (by its unique B<id> string) will cause B<ca>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
+=item B<-create_serial>
+
+if reading serial from the text file as specified in the configuration
+fails, specifying this option creates a new random serial to be used as next
+serial number.
+
=item B<-multivalue-rdn>
-this option causes the -subj argument to be interpretedt with full
+This option causes the -subj argument to be interpreted with full
support for multivalued RDNs. Example:
I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
a filename containing a certificate to revoke.
+=item B<-status serial>
+
+displays the revocation status of the certificate with the specified
+serial number and exits.
+
+=item B<-updatedb>
+
+Updates the database index to purge expired certificates.
+
=item B<-crl_reason reason>
revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.
-In practive B<removeFromCRL> is not particularly useful because it is only used
+In practice B<removeFromCRL> is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
=item B<-crl_hold instruction>
created, if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
CRL extensions and B<not> CRL entry extensions. It should be noted
-that some software (for example Netscape) can't handle V2 CRLs.
+that some software (for example Netscape) can't handle V2 CRLs. See
+L<x509v3_config(5)> manual page for details of the
+extension section format.
=back
=item B<RANDFILE>
a file used to read and write random number seed information, or
-an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+an EGD socket (see L<RAND_egd(3)>).
=item B<default_days>
=item B<default_md>
-the same as the B<-md> option. The message digest to use. Mandatory.
+the same as the B<-md> option. Mandatory.
=item B<database>
If you need to include the same component twice then it can be
preceded by a number and a '.'.
+When processing SPKAC format, the output is DER if the B<-out>
+flag is used, but PEM format if sending to stdout or the B<-outdir>
+flag is used.
+
=head1 EXAMPLES
Note: these examples assume that the B<ca> directory structure is
The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
-(perl script or GUI) can handle things properly. The scripts B<CA.sh> and
-B<CA.pl> help a little but not very much.
+(perl script or GUI) can handle things properly. The script
+B<CA.pl> helps a little but not very much.
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the B<-preserveDN> option is used. To
option can be used. The behaviour should be more friendly and
configurable.
-Cancelling some commands by refusing to certify a certificate can
+Canceling some commands by refusing to certify a certificate can
create an empty file.
=head1 WARNINGS
not taken then it can be a security risk. For example if a certificate
request contains a basicConstraints extension with CA:TRUE and the
B<copy_extensions> value is set to B<copyall> and the user does not spot
-this when the certificate is displayed then this will hand the requestor
+this when the certificate is displayed then this will hand the requester
a valid CA certificate.
This situation can be avoided by setting B<copy_extensions> to B<copy>
=head1 SEE ALSO
-L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
-L<config(5)|config(5)>
+L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
+L<config(5)>, L<x509v3_config(5)>
=cut
projects / openssl.git / blobdiff