man-pages/man1/CA.pl.1ssl.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of CA.PL</TITLE>
</HEAD><BODY>
<H1>CA.PL</H1>
Section: OpenSSL (1SSL)<BR>Updated: 2021-03-22<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>






<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

CA.pl - friendlier interface for OpenSSL certificate programs
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>



<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B>
<B>-?</B> |
<B>-h</B> |
<B>-help</B>
<P>

<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B>
<B>-newcert</B> |
<B>-newreq</B> |
<B>-newreq-nodes</B> |
<B>-xsign</B> |
<B>-sign</B> |
<B>-signCA</B> |
<B>-signcert</B> |
<B>-crl</B> |
<B>-newca</B>
[<B>-extra-cmd</B> extra-params]
<P>

<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-pkcs12</B> [<B>-extra-pkcs12</B> extra-params] [<B>certname</B>]
<P>

<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-verify</B> [<B>-extra-verify</B> extra-params] <B>certfile</B>...
<P>

<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-revoke</B> [<B>-extra-ca</B> extra-params] <B>certfile</B> [<B>reason</B>]
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>



The <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script is a perl script that supplies the relevant command line
arguments to the <B>openssl</B> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
<A NAME="lbAE">&nbsp;</A>
<H2>OPTIONS</H2>



<DL COMPACT>
<DT id="1"><B>?</B>, <B>-h</B>, <B>-help</B><DD>


Prints a usage message.
<DT id="2"><B>-newcert</B><DD>


Creates a new self signed certificate. The private key is written to the file
``newkey.pem'' and the request written to the file ``newreq.pem''.
This argument invokes <B>openssl req</B> command.
<DT id="3"><B>-newreq</B><DD>


Creates a new certificate request. The private key is written to the file
``newkey.pem'' and the request written to the file ``newreq.pem''.
Executes <B>openssl req</B> command below the hood.
<DT id="4"><B>-newreq-nodes</B><DD>


Is like <B>-newreq</B> except that the private key will not be encrypted.
Uses <B>openssl req</B> command.
<DT id="5"><B>-newca</B><DD>


Creates a new <FONT SIZE="-1">CA</FONT> hierarchy for use with the <B>ca</B> program (or the <B>-signcert</B>
and <B>-xsign</B> options). The user is prompted to enter the filename of the <FONT SIZE="-1">CA</FONT>
certificates (which should also contain the private key) or by hitting <FONT SIZE="-1">ENTER</FONT>
details of the <FONT SIZE="-1">CA</FONT> will be prompted for. The relevant files and directories
are created in a directory called ``demoCA'' in the current directory.
<B>openssl req</B> and <B>openssl ca</B> commands are get invoked.
<DT id="6"><B>-pkcs12</B><DD>


Create a PKCS#12 file containing the user certificate, private key and <FONT SIZE="-1">CA</FONT>
certificate. It expects the user certificate and private key to be in the
file ``newcert.pem'' and the <FONT SIZE="-1">CA</FONT> certificate to be in the file demoCA/cacert.pem,
it creates a file ``newcert.p12''. This command can thus be called after the
<B>-sign</B> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
``friendly name'' for the certificate (which is typically displayed in the browser
list box), otherwise the name ``My Certificate'' is used.
Delegates work to <B>openssl pkcs12</B> command.
<DT id="7"><B>-sign</B>, <B>-signcert</B>, <B>-xsign</B><DD>


Calls the <B>ca</B> program to sign a certificate request. It expects the request
to be in the file ``newreq.pem''. The new certificate is written to the file
``newcert.pem'' except in the case of the <B>-xsign</B> option when it is written
to standard output. Leverages <B>openssl ca</B> command.
<DT id="8"><B>-signCA</B><DD>


This option is the same as the <B>-signreq</B> option except it uses the
configuration file section <B>v3_ca</B> and so makes the signed request a
valid <FONT SIZE="-1">CA</FONT> certificate. This is useful when creating intermediate <FONT SIZE="-1">CA</FONT> from
a root <FONT SIZE="-1">CA.</FONT>  Extra params are passed on to <B>openssl ca</B> command.
<DT id="9"><B>-signcert</B><DD>


This option is the same as <B>-sign</B> except it expects a self signed certificate
to be present in the file ``newreq.pem''.
Extra params are passed on to <B>openssl x509</B> and <B>openssl ca</B> commands.
<DT id="10"><B>-crl</B><DD>


Generate a <FONT SIZE="-1">CRL.</FONT> Executes <B>openssl ca</B> command.
<DT id="11"><B>-revoke certfile [reason]</B><DD>


Revoke the certificate contained in the specified <B>certfile</B>. An optional
reason may be specified, and must be one of: <B>unspecified</B>,
<B>keyCompromise</B>, <B>CACompromise</B>, <B>affiliationChanged</B>, <B>superseded</B>,
<B>cessationOfOperation</B>, <B>certificateHold</B>, or <B>removeFromCRL</B>.
Leverages <B>openssl ca</B> command.
<DT id="12"><B>-verify</B><DD>


Verifies certificates against the <FONT SIZE="-1">CA</FONT> certificate for ``demoCA''. If no
certificates are specified on the command line it tries to verify the file
``newcert.pem''.  Invokes <B>openssl verify</B> command.
<DT id="13"><B>-extra-req</B> | <B>-extra-ca</B> | <B>-extra-pkcs12</B> | <B>-extra-x509</B> | <B>-extra-verify</B> &lt;extra-params&gt;<DD>


The purpose of these parameters is to allow optional parameters to be supplied
to <B>openssl</B> that this command executes. The <B>-extra-cmd</B> are specific to the
option being used and the <B>openssl</B> command getting invoked. For example
when this command invokes <B>openssl req</B> extra parameters can be passed on
with the <B>-extra-req</B> parameter. The
<B>openssl</B> commands being invoked per option are documented below.
Users should consult <B>openssl</B> command documentation for more information.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>EXAMPLES</H2>



Create a <FONT SIZE="-1">CA</FONT> hierarchy:
<P>



<PRE>
 CA.pl -newca

</PRE>


<P>

Complete certificate creation example: create a <FONT SIZE="-1">CA,</FONT> create a request, sign
the request and finally create a PKCS#12 file containing it.
<P>



<PRE>
 CA.pl -newca
 CA.pl -newreq
 CA.pl -signreq
 CA.pl -pkcs12 &quot;My Test Certificate&quot;

</PRE>


<A NAME="lbAG">&nbsp;</A>
<H2>DSA CERTIFICATES</H2>



Although the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> creates <FONT SIZE="-1">RSA</FONT> CAs and requests it is still possible to
use it with <FONT SIZE="-1">DSA</FONT> certificates and requests using the <B><A HREF="/cgi-bin/man/man2html?1+req">req</A></B>(1) command
directly. The following example shows the steps that would typically be taken.
<P>

Create some <FONT SIZE="-1">DSA</FONT> parameters:
<P>



<PRE>
 openssl dsaparam -out dsap.pem 1024

</PRE>


<P>

Create a <FONT SIZE="-1">DSA CA</FONT> certificate and private key:
<P>



<PRE>
 openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem

</PRE>


<P>

Create the <FONT SIZE="-1">CA</FONT> directories and files:
<P>



<PRE>
 CA.pl -newca

</PRE>


<P>

enter cacert.pem when prompted for the <FONT SIZE="-1">CA</FONT> file name.
<P>

Create a <FONT SIZE="-1">DSA</FONT> certificate request and private key (a different set of parameters
can optionally be created first):
<P>



<PRE>
 openssl req -out newreq.pem -newkey dsa:dsap.pem

</PRE>


<P>

Sign the request:
<P>



<PRE>
 CA.pl -signreq

</PRE>


<A NAME="lbAH">&nbsp;</A>
<H2>NOTES</H2>



Most of the filenames mentioned can be modified by editing the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script.
<P>

If the demoCA directory already exists then the <B>-newca</B> command will not
overwrite it and will do nothing. This can happen if a previous call using
the <B>-newca</B> option terminated abnormally. To get the correct behaviour
delete the demoCA directory if it already exists.
<P>

Under some environments it may not be possible to run the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:
<P>



<PRE>
 perl -S CA.pl

</PRE>


<P>

can be used and the <B></B><FONT SIZE="-1"><B>OPENSSL_CONF</B></FONT><B></B> environment variable changed to point to
the correct path of the configuration file.
<P>

The script is intended as a simple front end for the <B>openssl</B> program for use
by a beginner. Its behaviour isn't always what is wanted. For more control over the
behaviour of the certificate commands call the <B>openssl</B> command directly.
<A NAME="lbAI">&nbsp;</A>
<H2>SEE ALSO</H2>



<B><A HREF="/cgi-bin/man/man2html?1+x509">x509</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+ca">ca</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+req">req</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+pkcs12">pkcs12</A></B>(1),
<B><A HREF="/cgi-bin/man/man2html?5+config">config</A></B>(5)
<A NAME="lbAJ">&nbsp;</A>
<H2>COPYRIGHT</H2>



Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
<P>

Licensed under the OpenSSL license (the ``License'').  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file <FONT SIZE="-1">LICENSE</FONT> in the source distribution or at
&lt;<A HREF="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</A>&gt;.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="14"><A HREF="#lbAB">NAME</A><DD>
<DT id="15"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="16"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="17"><A HREF="#lbAE">OPTIONS</A><DD>
<DT id="18"><A HREF="#lbAF">EXAMPLES</A><DD>
<DT id="19"><A HREF="#lbAG">DSA CERTIFICATES</A><DD>
<DT id="20"><A HREF="#lbAH">NOTES</A><DD>
<DT id="21"><A HREF="#lbAI">SEE ALSO</A><DD>
<DT id="22"><A HREF="#lbAJ">COPYRIGHT</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:08 GMT, March 31, 2021
</BODY>
</HTML>