1 |
.\" $MidnightBSD$ |
2 |
.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) |
3 |
.\" |
4 |
.\" Standard preamble: |
5 |
.\" ======================================================================== |
6 |
.de Sp \" Vertical space (when we can't use .PP) |
7 |
.if t .sp .5v |
8 |
.if n .sp |
9 |
.. |
10 |
.de Vb \" Begin verbatim text |
11 |
.ft CW |
12 |
.nf |
13 |
.ne \\$1 |
14 |
.. |
15 |
.de Ve \" End verbatim text |
16 |
.ft R |
17 |
.fi |
18 |
.. |
19 |
.\" Set up some character translations and predefined strings. \*(-- will |
20 |
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
21 |
.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
22 |
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
23 |
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
24 |
.\" nothing in troff, for use with C<>. |
25 |
.tr \(*W- |
26 |
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
27 |
.ie n \{\ |
28 |
. ds -- \(*W- |
29 |
. ds PI pi |
30 |
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
31 |
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
32 |
. ds L" "" |
33 |
. ds R" "" |
34 |
. ds C` "" |
35 |
. ds C' "" |
36 |
'br\} |
37 |
.el\{\ |
38 |
. ds -- \|\(em\| |
39 |
. ds PI \(*p |
40 |
. ds L" `` |
41 |
. ds R" '' |
42 |
. ds C` |
43 |
. ds C' |
44 |
'br\} |
45 |
.\" |
46 |
.\" Escape single quotes in literal strings from groff's Unicode transform. |
47 |
.ie \n(.g .ds Aq \(aq |
48 |
.el .ds Aq ' |
49 |
.\" |
50 |
.\" If the F register is >0, we'll generate index entries on stderr for |
51 |
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
52 |
.\" entries marked with X<> in POD. Of course, you'll have to process the |
53 |
.\" output yourself in some meaningful fashion. |
54 |
.\" |
55 |
.\" Avoid warning from groff about undefined register 'F'. |
56 |
.de IX |
57 |
.. |
58 |
.if !\nF .nr F 0 |
59 |
.if \nF>0 \{\ |
60 |
. de IX |
61 |
. tm Index:\\$1\t\\n%\t"\\$2" |
62 |
.. |
63 |
. if !\nF==2 \{\ |
64 |
. nr % 0 |
65 |
. nr F 2 |
66 |
. \} |
67 |
.\} |
68 |
.\" |
69 |
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
70 |
.\" Fear. Run. Save yourself. No user-serviceable parts. |
71 |
. \" fudge factors for nroff and troff |
72 |
.if n \{\ |
73 |
. ds #H 0 |
74 |
. ds #V .8m |
75 |
. ds #F .3m |
76 |
. ds #[ \f1 |
77 |
. ds #] \fP |
78 |
.\} |
79 |
.if t \{\ |
80 |
. ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
81 |
. ds #V .6m |
82 |
. ds #F 0 |
83 |
. ds #[ \& |
84 |
. ds #] \& |
85 |
.\} |
86 |
. \" simple accents for nroff and troff |
87 |
.if n \{\ |
88 |
. ds ' \& |
89 |
. ds ` \& |
90 |
. ds ^ \& |
91 |
. ds , \& |
92 |
. ds ~ ~ |
93 |
. ds / |
94 |
.\} |
95 |
.if t \{\ |
96 |
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
97 |
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
98 |
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
99 |
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
100 |
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
101 |
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
102 |
.\} |
103 |
. \" troff and (daisy-wheel) nroff accents |
104 |
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
105 |
.ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
106 |
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
107 |
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
108 |
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
109 |
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
110 |
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
111 |
.ds ae a\h'-(\w'a'u*4/10)'e |
112 |
.ds Ae A\h'-(\w'A'u*4/10)'E |
113 |
. \" corrections for vroff |
114 |
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
115 |
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
116 |
. \" for low resolution devices (crt and lpr) |
117 |
.if \n(.H>23 .if \n(.V>19 \ |
118 |
\{\ |
119 |
. ds : e |
120 |
. ds 8 ss |
121 |
. ds o a |
122 |
. ds d- d\h'-1'\(ga |
123 |
. ds D- D\h'-1'\(hy |
124 |
. ds th \o'bp' |
125 |
. ds Th \o'LP' |
126 |
. ds ae ae |
127 |
. ds Ae AE |
128 |
.\} |
129 |
.rm #[ #] #H #V #F C |
130 |
.\" ======================================================================== |
131 |
.\" |
132 |
.IX Title "CA 1" |
133 |
.TH CA 1 "2018-11-20" "1.0.2q" "OpenSSL" |
134 |
.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
135 |
.\" way too many mistakes in technical documents. |
136 |
.if n .ad l |
137 |
.nh |
138 |
.SH "NAME" |
139 |
openssl\-ca, |
140 |
ca \- sample minimal CA application |
141 |
.SH "SYNOPSIS" |
142 |
.IX Header "SYNOPSIS" |
143 |
\&\fBopenssl\fR \fBca\fR |
144 |
[\fB\-verbose\fR] |
145 |
[\fB\-config filename\fR] |
146 |
[\fB\-name section\fR] |
147 |
[\fB\-gencrl\fR] |
148 |
[\fB\-revoke file\fR] |
149 |
[\fB\-status serial\fR] |
150 |
[\fB\-updatedb\fR] |
151 |
[\fB\-crl_reason reason\fR] |
152 |
[\fB\-crl_hold instruction\fR] |
153 |
[\fB\-crl_compromise time\fR] |
154 |
[\fB\-crl_CA_compromise time\fR] |
155 |
[\fB\-crldays days\fR] |
156 |
[\fB\-crlhours hours\fR] |
157 |
[\fB\-crlexts section\fR] |
158 |
[\fB\-startdate date\fR] |
159 |
[\fB\-enddate date\fR] |
160 |
[\fB\-days arg\fR] |
161 |
[\fB\-md arg\fR] |
162 |
[\fB\-policy arg\fR] |
163 |
[\fB\-keyfile arg\fR] |
164 |
[\fB\-keyform PEM|DER\fR] |
165 |
[\fB\-key arg\fR] |
166 |
[\fB\-passin arg\fR] |
167 |
[\fB\-cert file\fR] |
168 |
[\fB\-selfsign\fR] |
169 |
[\fB\-in file\fR] |
170 |
[\fB\-out file\fR] |
171 |
[\fB\-notext\fR] |
172 |
[\fB\-outdir dir\fR] |
173 |
[\fB\-infiles\fR] |
174 |
[\fB\-spkac file\fR] |
175 |
[\fB\-ss_cert file\fR] |
176 |
[\fB\-preserveDN\fR] |
177 |
[\fB\-noemailDN\fR] |
178 |
[\fB\-batch\fR] |
179 |
[\fB\-msie_hack\fR] |
180 |
[\fB\-extensions section\fR] |
181 |
[\fB\-extfile section\fR] |
182 |
[\fB\-engine id\fR] |
183 |
[\fB\-subj arg\fR] |
184 |
[\fB\-utf8\fR] |
185 |
[\fB\-multivalue\-rdn\fR] |
186 |
.SH "DESCRIPTION" |
187 |
.IX Header "DESCRIPTION" |
188 |
The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used |
189 |
to sign certificate requests in a variety of forms and generate |
190 |
CRLs it also maintains a text database of issued certificates |
191 |
and their status. |
192 |
.PP |
193 |
The options descriptions will be divided into each purpose. |
194 |
.SH "CA OPTIONS" |
195 |
.IX Header "CA OPTIONS" |
196 |
.IP "\fB\-config filename\fR" 4 |
197 |
.IX Item "-config filename" |
198 |
specifies the configuration file to use. |
199 |
.IP "\fB\-name section\fR" 4 |
200 |
.IX Item "-name section" |
201 |
specifies the configuration file section to use (overrides |
202 |
\&\fBdefault_ca\fR in the \fBca\fR section). |
203 |
.IP "\fB\-in filename\fR" 4 |
204 |
.IX Item "-in filename" |
205 |
an input filename containing a single certificate request to be |
206 |
signed by the \s-1CA.\s0 |
207 |
.IP "\fB\-ss_cert filename\fR" 4 |
208 |
.IX Item "-ss_cert filename" |
209 |
a single self signed certificate to be signed by the \s-1CA.\s0 |
210 |
.IP "\fB\-spkac filename\fR" 4 |
211 |
.IX Item "-spkac filename" |
212 |
a file containing a single Netscape signed public key and challenge |
213 |
and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR |
214 |
section for information on the required input and output format. |
215 |
.IP "\fB\-infiles\fR" 4 |
216 |
.IX Item "-infiles" |
217 |
if present this should be the last option, all subsequent arguments |
218 |
are assumed to be the names of files containing certificate requests. |
219 |
.IP "\fB\-out filename\fR" 4 |
220 |
.IX Item "-out filename" |
221 |
the output file to output certificates to. The default is standard |
222 |
output. The certificate details will also be printed out to this |
223 |
file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format). |
224 |
.IP "\fB\-outdir directory\fR" 4 |
225 |
.IX Item "-outdir directory" |
226 |
the directory to output certificates to. The certificate will be |
227 |
written to a filename consisting of the serial number in hex with |
228 |
\&\*(L".pem\*(R" appended. |
229 |
.IP "\fB\-cert\fR" 4 |
230 |
.IX Item "-cert" |
231 |
the \s-1CA\s0 certificate file. |
232 |
.IP "\fB\-keyfile filename\fR" 4 |
233 |
.IX Item "-keyfile filename" |
234 |
the private key to sign requests with. |
235 |
.IP "\fB\-keyform PEM|DER\fR" 4 |
236 |
.IX Item "-keyform PEM|DER" |
237 |
the format of the data in the private key file. |
238 |
The default is \s-1PEM.\s0 |
239 |
.IP "\fB\-key password\fR" 4 |
240 |
.IX Item "-key password" |
241 |
the password used to encrypt the private key. Since on some |
242 |
systems the command line arguments are visible (e.g. Unix with |
243 |
the 'ps' utility) this option should be used with caution. |
244 |
.IP "\fB\-selfsign\fR" 4 |
245 |
.IX Item "-selfsign" |
246 |
indicates the issued certificates are to be signed with the key |
247 |
the certificate requests were signed with (given with \fB\-keyfile\fR). |
248 |
Cerificate requests signed with a different key are ignored. If |
249 |
\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is |
250 |
ignored. |
251 |
.Sp |
252 |
A consequence of using \fB\-selfsign\fR is that the self-signed |
253 |
certificate appears among the entries in the certificate database |
254 |
(see the configuration option \fBdatabase\fR), and uses the same |
255 |
serial number counter as all other certificates sign with the |
256 |
self-signed certificate. |
257 |
.IP "\fB\-passin arg\fR" 4 |
258 |
.IX Item "-passin arg" |
259 |
the key password source. For more information about the format of \fBarg\fR |
260 |
see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). |
261 |
.IP "\fB\-verbose\fR" 4 |
262 |
.IX Item "-verbose" |
263 |
this prints extra details about the operations being performed. |
264 |
.IP "\fB\-notext\fR" 4 |
265 |
.IX Item "-notext" |
266 |
don't output the text form of a certificate to the output file. |
267 |
.IP "\fB\-startdate date\fR" 4 |
268 |
.IX Item "-startdate date" |
269 |
this allows the start date to be explicitly set. The format of the |
270 |
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). |
271 |
.IP "\fB\-enddate date\fR" 4 |
272 |
.IX Item "-enddate date" |
273 |
this allows the expiry date to be explicitly set. The format of the |
274 |
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). |
275 |
.IP "\fB\-days arg\fR" 4 |
276 |
.IX Item "-days arg" |
277 |
the number of days to certify the certificate for. |
278 |
.IP "\fB\-md alg\fR" 4 |
279 |
.IX Item "-md alg" |
280 |
the message digest to use. Possible values include md5, sha1 and mdc2. |
281 |
This option also applies to CRLs. |
282 |
.IP "\fB\-policy arg\fR" 4 |
283 |
.IX Item "-policy arg" |
284 |
this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in |
285 |
the configuration file which decides which fields should be mandatory |
286 |
or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section |
287 |
for more information. |
288 |
.IP "\fB\-msie_hack\fR" 4 |
289 |
.IX Item "-msie_hack" |
290 |
this is a legacy option to make \fBca\fR work with very old versions of |
291 |
the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings |
292 |
for almost everything. Since the old control has various security bugs |
293 |
its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not |
294 |
need this option. |
295 |
.IP "\fB\-preserveDN\fR" 4 |
296 |
.IX Item "-preserveDN" |
297 |
Normally the \s-1DN\s0 order of a certificate is the same as the order of the |
298 |
fields in the relevant policy section. When this option is set the order |
299 |
is the same as the request. This is largely for compatibility with the |
300 |
older \s-1IE\s0 enrollment control which would only accept certificates if their |
301 |
DNs match the order of the request. This is not needed for Xenroll. |
302 |
.IP "\fB\-noemailDN\fR" 4 |
303 |
.IX Item "-noemailDN" |
304 |
The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the |
305 |
request \s-1DN,\s0 however it is good policy just having the e\-mail set into |
306 |
the altName extension of the certificate. When this option is set the |
307 |
\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in |
308 |
the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be |
309 |
used in the configuration file to enable this behaviour. |
310 |
.IP "\fB\-batch\fR" 4 |
311 |
.IX Item "-batch" |
312 |
this sets the batch mode. In this mode no questions will be asked |
313 |
and all certificates will be certified automatically. |
314 |
.IP "\fB\-extensions section\fR" 4 |
315 |
.IX Item "-extensions section" |
316 |
the section of the configuration file containing certificate extensions |
317 |
to be added when a certificate is issued (defaults to \fBx509_extensions\fR |
318 |
unless the \fB\-extfile\fR option is used). If no extension section is |
319 |
present then, a V1 certificate is created. If the extension section |
320 |
is present (even if it is empty), then a V3 certificate is created. See the:w |
321 |
\&\fIx509v3_config\fR\|(5) manual page for details of the |
322 |
extension section format. |
323 |
.IP "\fB\-extfile file\fR" 4 |
324 |
.IX Item "-extfile file" |
325 |
an additional configuration file to read certificate extensions from |
326 |
(using the default section unless the \fB\-extensions\fR option is also |
327 |
used). |
328 |
.IP "\fB\-engine id\fR" 4 |
329 |
.IX Item "-engine id" |
330 |
specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR |
331 |
to attempt to obtain a functional reference to the specified engine, |
332 |
thus initialising it if needed. The engine will then be set as the default |
333 |
for all available algorithms. |
334 |
.IP "\fB\-subj arg\fR" 4 |
335 |
.IX Item "-subj arg" |
336 |
supersedes subject name given in the request. |
337 |
The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, |
338 |
characters may be escaped by \e (backslash), no spaces are skipped. |
339 |
.IP "\fB\-utf8\fR" 4 |
340 |
.IX Item "-utf8" |
341 |
this option causes field values to be interpreted as \s-1UTF8\s0 strings, by |
342 |
default they are interpreted as \s-1ASCII.\s0 This means that the field |
343 |
values, whether prompted from a terminal or obtained from a |
344 |
configuration file, must be valid \s-1UTF8\s0 strings. |
345 |
.IP "\fB\-multivalue\-rdn\fR" 4 |
346 |
.IX Item "-multivalue-rdn" |
347 |
this option causes the \-subj argument to be interpretedt with full |
348 |
support for multivalued RDNs. Example: |
349 |
.Sp |
350 |
\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR |
351 |
.Sp |
352 |
If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. |
353 |
.SH "CRL OPTIONS" |
354 |
.IX Header "CRL OPTIONS" |
355 |
.IP "\fB\-gencrl\fR" 4 |
356 |
.IX Item "-gencrl" |
357 |
this option generates a \s-1CRL\s0 based on information in the index file. |
358 |
.IP "\fB\-crldays num\fR" 4 |
359 |
.IX Item "-crldays num" |
360 |
the number of days before the next \s-1CRL\s0 is due. That is the days from |
361 |
now to place in the \s-1CRL\s0 nextUpdate field. |
362 |
.IP "\fB\-crlhours num\fR" 4 |
363 |
.IX Item "-crlhours num" |
364 |
the number of hours before the next \s-1CRL\s0 is due. |
365 |
.IP "\fB\-revoke filename\fR" 4 |
366 |
.IX Item "-revoke filename" |
367 |
a filename containing a certificate to revoke. |
368 |
.IP "\fB\-status serial\fR" 4 |
369 |
.IX Item "-status serial" |
370 |
displays the revocation status of the certificate with the specified |
371 |
serial number and exits. |
372 |
.IP "\fB\-updatedb\fR" 4 |
373 |
.IX Item "-updatedb" |
374 |
Updates the database index to purge expired certificates. |
375 |
.IP "\fB\-crl_reason reason\fR" 4 |
376 |
.IX Item "-crl_reason reason" |
377 |
revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, |
378 |
\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR, |
379 |
\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case |
380 |
insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2. |
381 |
.Sp |
382 |
In practive \fBremoveFromCRL\fR is not particularly useful because it is only used |
383 |
in delta CRLs which are not currently implemented. |
384 |
.IP "\fB\-crl_hold instruction\fR" 4 |
385 |
.IX Item "-crl_hold instruction" |
386 |
This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold |
387 |
instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be |
388 |
used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0) |
389 |
\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used. |
390 |
.IP "\fB\-crl_compromise time\fR" 4 |
391 |
.IX Item "-crl_compromise time" |
392 |
This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to |
393 |
\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR. |
394 |
.IP "\fB\-crl_CA_compromise time\fR" 4 |
395 |
.IX Item "-crl_CA_compromise time" |
396 |
This is the same as \fBcrl_compromise\fR except the revocation reason is set to |
397 |
\&\fBCACompromise\fR. |
398 |
.IP "\fB\-crlexts section\fR" 4 |
399 |
.IX Item "-crlexts section" |
400 |
the section of the configuration file containing \s-1CRL\s0 extensions to |
401 |
include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is |
402 |
created, if the \s-1CRL\s0 extension section is present (even if it is |
403 |
empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are |
404 |
\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted |
405 |
that some software (for example Netscape) can't handle V2 CRLs. See |
406 |
\&\fIx509v3_config\fR\|(5) manual page for details of the |
407 |
extension section format. |
408 |
.SH "CONFIGURATION FILE OPTIONS" |
409 |
.IX Header "CONFIGURATION FILE OPTIONS" |
410 |
The section of the configuration file containing options for \fBca\fR |
411 |
is found as follows: If the \fB\-name\fR command line option is used, |
412 |
then it names the section to be used. Otherwise the section to |
413 |
be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section |
414 |
of the configuration file (or in the default section of the |
415 |
configuration file). Besides \fBdefault_ca\fR, the following options are |
416 |
read directly from the \fBca\fR section: |
417 |
\s-1RANDFILE\s0 |
418 |
preserve |
419 |
msie_hack |
420 |
With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may |
421 |
change in future releases. |
422 |
.PP |
423 |
Many of the configuration file options are identical to command line |
424 |
options. Where the option is present in the configuration file |
425 |
and the command line the command line value is used. Where an |
426 |
option is described as mandatory then it must be present in |
427 |
the configuration file or the command line equivalent (if |
428 |
any) used. |
429 |
.IP "\fBoid_file\fR" 4 |
430 |
.IX Item "oid_file" |
431 |
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR. |
432 |
Each line of the file should consist of the numerical form of the |
433 |
object identifier followed by white space then the short name followed |
434 |
by white space and finally the long name. |
435 |
.IP "\fBoid_section\fR" 4 |
436 |
.IX Item "oid_section" |
437 |
This specifies a section in the configuration file containing extra |
438 |
object identifiers. Each line should consist of the short name of the |
439 |
object identifier followed by \fB=\fR and the numerical form. The short |
440 |
and long names are the same when this option is used. |
441 |
.IP "\fBnew_certs_dir\fR" 4 |
442 |
.IX Item "new_certs_dir" |
443 |
the same as the \fB\-outdir\fR command line option. It specifies |
444 |
the directory where new certificates will be placed. Mandatory. |
445 |
.IP "\fBcertificate\fR" 4 |
446 |
.IX Item "certificate" |
447 |
the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 |
448 |
certificate. Mandatory. |
449 |
.IP "\fBprivate_key\fR" 4 |
450 |
.IX Item "private_key" |
451 |
same as the \fB\-keyfile\fR option. The file containing the |
452 |
\&\s-1CA\s0 private key. Mandatory. |
453 |
.IP "\fB\s-1RANDFILE\s0\fR" 4 |
454 |
.IX Item "RANDFILE" |
455 |
a file used to read and write random number seed information, or |
456 |
an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). |
457 |
.IP "\fBdefault_days\fR" 4 |
458 |
.IX Item "default_days" |
459 |
the same as the \fB\-days\fR option. The number of days to certify |
460 |
a certificate for. |
461 |
.IP "\fBdefault_startdate\fR" 4 |
462 |
.IX Item "default_startdate" |
463 |
the same as the \fB\-startdate\fR option. The start date to certify |
464 |
a certificate for. If not set the current time is used. |
465 |
.IP "\fBdefault_enddate\fR" 4 |
466 |
.IX Item "default_enddate" |
467 |
the same as the \fB\-enddate\fR option. Either this option or |
468 |
\&\fBdefault_days\fR (or the command line equivalents) must be |
469 |
present. |
470 |
.IP "\fBdefault_crl_hours default_crl_days\fR" 4 |
471 |
.IX Item "default_crl_hours default_crl_days" |
472 |
the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These |
473 |
will only be used if neither command line option is present. At |
474 |
least one of these must be present to generate a \s-1CRL.\s0 |
475 |
.IP "\fBdefault_md\fR" 4 |
476 |
.IX Item "default_md" |
477 |
the same as the \fB\-md\fR option. The message digest to use. Mandatory. |
478 |
.IP "\fBdatabase\fR" 4 |
479 |
.IX Item "database" |
480 |
the text database file to use. Mandatory. This file must be present |
481 |
though initially it will be empty. |
482 |
.IP "\fBunique_subject\fR" 4 |
483 |
.IX Item "unique_subject" |
484 |
if the value \fByes\fR is given, the valid certificate entries in the |
485 |
database must have unique subjects. if the value \fBno\fR is given, |
486 |
several valid certificate entries may have the exact same subject. |
487 |
The default value is \fByes\fR, to be compatible with older (pre 0.9.8) |
488 |
versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier, |
489 |
it's recommended to use the value \fBno\fR, especially if combined with |
490 |
the \fB\-selfsign\fR command line option. |
491 |
.Sp |
492 |
Note that it is valid in some circumstances for certificates to be created |
493 |
without any subject. In the case where there are multiple certificates without |
494 |
subjects this does not count as a duplicate. |
495 |
.IP "\fBserial\fR" 4 |
496 |
.IX Item "serial" |
497 |
a text file containing the next serial number to use in hex. Mandatory. |
498 |
This file must be present and contain a valid serial number. |
499 |
.IP "\fBcrlnumber\fR" 4 |
500 |
.IX Item "crlnumber" |
501 |
a text file containing the next \s-1CRL\s0 number to use in hex. The crl number |
502 |
will be inserted in the CRLs only if this file exists. If this file is |
503 |
present, it must contain a valid \s-1CRL\s0 number. |
504 |
.IP "\fBx509_extensions\fR" 4 |
505 |
.IX Item "x509_extensions" |
506 |
the same as \fB\-extensions\fR. |
507 |
.IP "\fBcrl_extensions\fR" 4 |
508 |
.IX Item "crl_extensions" |
509 |
the same as \fB\-crlexts\fR. |
510 |
.IP "\fBpreserve\fR" 4 |
511 |
.IX Item "preserve" |
512 |
the same as \fB\-preserveDN\fR |
513 |
.IP "\fBemail_in_dn\fR" 4 |
514 |
.IX Item "email_in_dn" |
515 |
the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed |
516 |
from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present |
517 |
the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0 |
518 |
.IP "\fBmsie_hack\fR" 4 |
519 |
.IX Item "msie_hack" |
520 |
the same as \fB\-msie_hack\fR |
521 |
.IP "\fBpolicy\fR" 4 |
522 |
.IX Item "policy" |
523 |
the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section |
524 |
for more information. |
525 |
.IP "\fBname_opt\fR, \fBcert_opt\fR" 4 |
526 |
.IX Item "name_opt, cert_opt" |
527 |
these options allow the format used to display the certificate details |
528 |
when asking the user to confirm signing. All the options supported by |
529 |
the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used |
530 |
here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set |
531 |
and cannot be disabled (this is because the certificate signature cannot |
532 |
be displayed because the certificate has not been signed at this point). |
533 |
.Sp |
534 |
For convenience the values \fBca_default\fR are accepted by both to produce |
535 |
a reasonable output. |
536 |
.Sp |
537 |
If neither option is present the format used in earlier versions of |
538 |
OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because |
539 |
it only displays fields mentioned in the \fBpolicy\fR section, mishandles |
540 |
multicharacter string types and does not display extensions. |
541 |
.IP "\fBcopy_extensions\fR" 4 |
542 |
.IX Item "copy_extensions" |
543 |
determines how extensions in certificate requests should be handled. |
544 |
If set to \fBnone\fR or this option is not present then extensions are |
545 |
ignored and not copied to the certificate. If set to \fBcopy\fR then any |
546 |
extensions present in the request that are not already present are copied |
547 |
to the certificate. If set to \fBcopyall\fR then all extensions in the |
548 |
request are copied to the certificate: if the extension is already present |
549 |
in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before |
550 |
using this option. |
551 |
.Sp |
552 |
The main use of this option is to allow a certificate request to supply |
553 |
values for certain extensions such as subjectAltName. |
554 |
.SH "POLICY FORMAT" |
555 |
.IX Header "POLICY FORMAT" |
556 |
The policy section consists of a set of variables corresponding to |
557 |
certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value |
558 |
must match the same field in the \s-1CA\s0 certificate. If the value is |
559 |
\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then |
560 |
it may be present. Any fields not mentioned in the policy section |
561 |
are silently deleted, unless the \fB\-preserveDN\fR option is set but |
562 |
this can be regarded more of a quirk than intended behaviour. |
563 |
.SH "SPKAC FORMAT" |
564 |
.IX Header "SPKAC FORMAT" |
565 |
The input to the \fB\-spkac\fR command line option is a Netscape |
566 |
signed public key and challenge. This will usually come from |
567 |
the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. |
568 |
It is however possible to create SPKACs using the \fBspkac\fR utility. |
569 |
.PP |
570 |
The file should contain the variable \s-1SPKAC\s0 set to the value of |
571 |
the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs. |
572 |
If you need to include the same component twice then it can be |
573 |
preceded by a number and a '.'. |
574 |
.PP |
575 |
When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR |
576 |
flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR |
577 |
flag is used. |
578 |
.SH "EXAMPLES" |
579 |
.IX Header "EXAMPLES" |
580 |
Note: these examples assume that the \fBca\fR directory structure is |
581 |
already set up and the relevant files already exist. This usually |
582 |
involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a |
583 |
serial number file and an empty index file and placing them in |
584 |
the relevant directories. |
585 |
.PP |
586 |
To use the sample configuration file below the directories demoCA, |
587 |
demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0 |
588 |
certificate would be copied to demoCA/cacert.pem and its private |
589 |
key to demoCA/private/cakey.pem. A file demoCA/serial would be |
590 |
created containing for example \*(L"01\*(R" and the empty index file |
591 |
demoCA/index.txt. |
592 |
.PP |
593 |
Sign a certificate request: |
594 |
.PP |
595 |
.Vb 1 |
596 |
\& openssl ca \-in req.pem \-out newcert.pem |
597 |
.Ve |
598 |
.PP |
599 |
Sign a certificate request, using \s-1CA\s0 extensions: |
600 |
.PP |
601 |
.Vb 1 |
602 |
\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem |
603 |
.Ve |
604 |
.PP |
605 |
Generate a \s-1CRL\s0 |
606 |
.PP |
607 |
.Vb 1 |
608 |
\& openssl ca \-gencrl \-out crl.pem |
609 |
.Ve |
610 |
.PP |
611 |
Sign several requests: |
612 |
.PP |
613 |
.Vb 1 |
614 |
\& openssl ca \-infiles req1.pem req2.pem req3.pem |
615 |
.Ve |
616 |
.PP |
617 |
Certify a Netscape \s-1SPKAC:\s0 |
618 |
.PP |
619 |
.Vb 1 |
620 |
\& openssl ca \-spkac spkac.txt |
621 |
.Ve |
622 |
.PP |
623 |
A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): |
624 |
.PP |
625 |
.Vb 5 |
626 |
\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 |
627 |
\& CN=Steve Test |
628 |
\& emailAddress=steve@openssl.org |
629 |
\& 0.OU=OpenSSL Group |
630 |
\& 1.OU=Another Group |
631 |
.Ve |
632 |
.PP |
633 |
A sample configuration file with the relevant sections for \fBca\fR: |
634 |
.PP |
635 |
.Vb 2 |
636 |
\& [ ca ] |
637 |
\& default_ca = CA_default # The default ca section |
638 |
\& |
639 |
\& [ CA_default ] |
640 |
\& |
641 |
\& dir = ./demoCA # top dir |
642 |
\& database = $dir/index.txt # index file. |
643 |
\& new_certs_dir = $dir/newcerts # new certs dir |
644 |
\& |
645 |
\& certificate = $dir/cacert.pem # The CA cert |
646 |
\& serial = $dir/serial # serial no file |
647 |
\& private_key = $dir/private/cakey.pem# CA private key |
648 |
\& RANDFILE = $dir/private/.rand # random number file |
649 |
\& |
650 |
\& default_days = 365 # how long to certify for |
651 |
\& default_crl_days= 30 # how long before next CRL |
652 |
\& default_md = md5 # md to use |
653 |
\& |
654 |
\& policy = policy_any # default policy |
655 |
\& email_in_dn = no # Don\*(Aqt add the email into cert DN |
656 |
\& |
657 |
\& name_opt = ca_default # Subject name display option |
658 |
\& cert_opt = ca_default # Certificate display option |
659 |
\& copy_extensions = none # Don\*(Aqt copy extensions from request |
660 |
\& |
661 |
\& [ policy_any ] |
662 |
\& countryName = supplied |
663 |
\& stateOrProvinceName = optional |
664 |
\& organizationName = optional |
665 |
\& organizationalUnitName = optional |
666 |
\& commonName = supplied |
667 |
\& emailAddress = optional |
668 |
.Ve |
669 |
.SH "FILES" |
670 |
.IX Header "FILES" |
671 |
Note: the location of all files can change either by compile time options, |
672 |
configuration file entries, environment variables or command line options. |
673 |
The values below reflect the default values. |
674 |
.PP |
675 |
.Vb 10 |
676 |
\& /usr/local/ssl/lib/openssl.cnf \- master configuration file |
677 |
\& ./demoCA \- main CA directory |
678 |
\& ./demoCA/cacert.pem \- CA certificate |
679 |
\& ./demoCA/private/cakey.pem \- CA private key |
680 |
\& ./demoCA/serial \- CA serial number file |
681 |
\& ./demoCA/serial.old \- CA serial number backup file |
682 |
\& ./demoCA/index.txt \- CA text database file |
683 |
\& ./demoCA/index.txt.old \- CA text database backup file |
684 |
\& ./demoCA/certs \- certificate output file |
685 |
\& ./demoCA/.rnd \- CA random seed information |
686 |
.Ve |
687 |
.SH "ENVIRONMENT VARIABLES" |
688 |
.IX Header "ENVIRONMENT VARIABLES" |
689 |
\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can |
690 |
be overridden by the \fB\-config\fR command line option. |
691 |
.SH "RESTRICTIONS" |
692 |
.IX Header "RESTRICTIONS" |
693 |
The text database index file is a critical part of the process and |
694 |
if corrupted it can be difficult to fix. It is theoretically possible |
695 |
to rebuild the index file from all the issued certificates and a current |
696 |
\&\s-1CRL:\s0 however there is no option to do this. |
697 |
.PP |
698 |
V2 \s-1CRL\s0 features like delta CRLs are not currently supported. |
699 |
.PP |
700 |
Although several requests can be input and handled at once it is only |
701 |
possible to include one \s-1SPKAC\s0 or self signed certificate. |
702 |
.SH "BUGS" |
703 |
.IX Header "BUGS" |
704 |
The use of an in memory text database can cause problems when large |
705 |
numbers of certificates are present because, as the name implies |
706 |
the database has to be kept in memory. |
707 |
.PP |
708 |
The \fBca\fR command really needs rewriting or the required functionality |
709 |
exposed at either a command or interface level so a more friendly utility |
710 |
(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and |
711 |
\&\fB\s-1CA\s0.pl\fR help a little but not very much. |
712 |
.PP |
713 |
Any fields in a request that are not present in a policy are silently |
714 |
deleted. This does not happen if the \fB\-preserveDN\fR option is used. To |
715 |
enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by |
716 |
RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR |
717 |
option can be used. The behaviour should be more friendly and |
718 |
configurable. |
719 |
.PP |
720 |
Cancelling some commands by refusing to certify a certificate can |
721 |
create an empty file. |
722 |
.SH "WARNINGS" |
723 |
.IX Header "WARNINGS" |
724 |
The \fBca\fR command is quirky and at times downright unfriendly. |
725 |
.PP |
726 |
The \fBca\fR utility was originally meant as an example of how to do things |
727 |
in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself: |
728 |
nevertheless some people are using it for this purpose. |
729 |
.PP |
730 |
The \fBca\fR command is effectively a single user command: no locking is |
731 |
done on the various files and attempts to run more than one \fBca\fR command |
732 |
on the same database can have unpredictable results. |
733 |
.PP |
734 |
The \fBcopy_extensions\fR option should be used with caution. If care is |
735 |
not taken then it can be a security risk. For example if a certificate |
736 |
request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the |
737 |
\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot |
738 |
this when the certificate is displayed then this will hand the requestor |
739 |
a valid \s-1CA\s0 certificate. |
740 |
.PP |
741 |
This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR |
742 |
and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file. |
743 |
Then if the request contains a basicConstraints extension it will be |
744 |
ignored. |
745 |
.PP |
746 |
It is advisable to also include values for other extensions such |
747 |
as \fBkeyUsage\fR to prevent a request supplying its own values. |
748 |
.PP |
749 |
Additional restrictions can be placed on the \s-1CA\s0 certificate itself. |
750 |
For example if the \s-1CA\s0 certificate has: |
751 |
.PP |
752 |
.Vb 1 |
753 |
\& basicConstraints = CA:TRUE, pathlen:0 |
754 |
.Ve |
755 |
.PP |
756 |
then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid. |
757 |
.SH "SEE ALSO" |
758 |
.IX Header "SEE ALSO" |
759 |
\&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1), |
760 |
\&\fIconfig\fR\|(5), \fIx509v3_config\fR\|(5) |