342 lines
9.9 KiB
HTML
342 lines
9.9 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of CA.PL</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>CA.PL</H1>
|
|
Section: OpenSSL (1SSL)<BR>Updated: 2021-03-22<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
CA.pl - friendlier interface for OpenSSL certificate programs
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
|
|
|
|
<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B>
|
|
<B>-?</B> |
|
|
<B>-h</B> |
|
|
<B>-help</B>
|
|
<P>
|
|
|
|
<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B>
|
|
<B>-newcert</B> |
|
|
<B>-newreq</B> |
|
|
<B>-newreq-nodes</B> |
|
|
<B>-xsign</B> |
|
|
<B>-sign</B> |
|
|
<B>-signCA</B> |
|
|
<B>-signcert</B> |
|
|
<B>-crl</B> |
|
|
<B>-newca</B>
|
|
[<B>-extra-cmd</B> extra-params]
|
|
<P>
|
|
|
|
<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-pkcs12</B> [<B>-extra-pkcs12</B> extra-params] [<B>certname</B>]
|
|
<P>
|
|
|
|
<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-verify</B> [<B>-extra-verify</B> extra-params] <B>certfile</B>...
|
|
<P>
|
|
|
|
<B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> <B>-revoke</B> [<B>-extra-ca</B> extra-params] <B>certfile</B> [<B>reason</B>]
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
|
|
|
|
The <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script is a perl script that supplies the relevant command line
|
|
arguments to the <B>openssl</B> command for some common certificate operations.
|
|
It is intended to simplify the process of certificate creation and management
|
|
by the use of some simple options.
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
|
|
|
|
<DL COMPACT>
|
|
<DT id="1"><B>?</B>, <B>-h</B>, <B>-help</B><DD>
|
|
|
|
|
|
Prints a usage message.
|
|
<DT id="2"><B>-newcert</B><DD>
|
|
|
|
|
|
Creates a new self signed certificate. The private key is written to the file
|
|
``newkey.pem'' and the request written to the file ``newreq.pem''.
|
|
This argument invokes <B>openssl req</B> command.
|
|
<DT id="3"><B>-newreq</B><DD>
|
|
|
|
|
|
Creates a new certificate request. The private key is written to the file
|
|
``newkey.pem'' and the request written to the file ``newreq.pem''.
|
|
Executes <B>openssl req</B> command below the hood.
|
|
<DT id="4"><B>-newreq-nodes</B><DD>
|
|
|
|
|
|
Is like <B>-newreq</B> except that the private key will not be encrypted.
|
|
Uses <B>openssl req</B> command.
|
|
<DT id="5"><B>-newca</B><DD>
|
|
|
|
|
|
Creates a new <FONT SIZE="-1">CA</FONT> hierarchy for use with the <B>ca</B> program (or the <B>-signcert</B>
|
|
and <B>-xsign</B> options). The user is prompted to enter the filename of the <FONT SIZE="-1">CA</FONT>
|
|
certificates (which should also contain the private key) or by hitting <FONT SIZE="-1">ENTER</FONT>
|
|
details of the <FONT SIZE="-1">CA</FONT> will be prompted for. The relevant files and directories
|
|
are created in a directory called ``demoCA'' in the current directory.
|
|
<B>openssl req</B> and <B>openssl ca</B> commands are get invoked.
|
|
<DT id="6"><B>-pkcs12</B><DD>
|
|
|
|
|
|
Create a PKCS#12 file containing the user certificate, private key and <FONT SIZE="-1">CA</FONT>
|
|
certificate. It expects the user certificate and private key to be in the
|
|
file ``newcert.pem'' and the <FONT SIZE="-1">CA</FONT> certificate to be in the file demoCA/cacert.pem,
|
|
it creates a file ``newcert.p12''. This command can thus be called after the
|
|
<B>-sign</B> option. The PKCS#12 file can be imported directly into a browser.
|
|
If there is an additional argument on the command line it will be used as the
|
|
``friendly name'' for the certificate (which is typically displayed in the browser
|
|
list box), otherwise the name ``My Certificate'' is used.
|
|
Delegates work to <B>openssl pkcs12</B> command.
|
|
<DT id="7"><B>-sign</B>, <B>-signcert</B>, <B>-xsign</B><DD>
|
|
|
|
|
|
Calls the <B>ca</B> program to sign a certificate request. It expects the request
|
|
to be in the file ``newreq.pem''. The new certificate is written to the file
|
|
``newcert.pem'' except in the case of the <B>-xsign</B> option when it is written
|
|
to standard output. Leverages <B>openssl ca</B> command.
|
|
<DT id="8"><B>-signCA</B><DD>
|
|
|
|
|
|
This option is the same as the <B>-signreq</B> option except it uses the
|
|
configuration file section <B>v3_ca</B> and so makes the signed request a
|
|
valid <FONT SIZE="-1">CA</FONT> certificate. This is useful when creating intermediate <FONT SIZE="-1">CA</FONT> from
|
|
a root <FONT SIZE="-1">CA.</FONT> Extra params are passed on to <B>openssl ca</B> command.
|
|
<DT id="9"><B>-signcert</B><DD>
|
|
|
|
|
|
This option is the same as <B>-sign</B> except it expects a self signed certificate
|
|
to be present in the file ``newreq.pem''.
|
|
Extra params are passed on to <B>openssl x509</B> and <B>openssl ca</B> commands.
|
|
<DT id="10"><B>-crl</B><DD>
|
|
|
|
|
|
Generate a <FONT SIZE="-1">CRL.</FONT> Executes <B>openssl ca</B> command.
|
|
<DT id="11"><B>-revoke certfile [reason]</B><DD>
|
|
|
|
|
|
Revoke the certificate contained in the specified <B>certfile</B>. An optional
|
|
reason may be specified, and must be one of: <B>unspecified</B>,
|
|
<B>keyCompromise</B>, <B>CACompromise</B>, <B>affiliationChanged</B>, <B>superseded</B>,
|
|
<B>cessationOfOperation</B>, <B>certificateHold</B>, or <B>removeFromCRL</B>.
|
|
Leverages <B>openssl ca</B> command.
|
|
<DT id="12"><B>-verify</B><DD>
|
|
|
|
|
|
Verifies certificates against the <FONT SIZE="-1">CA</FONT> certificate for ``demoCA''. If no
|
|
certificates are specified on the command line it tries to verify the file
|
|
``newcert.pem''. Invokes <B>openssl verify</B> command.
|
|
<DT id="13"><B>-extra-req</B> | <B>-extra-ca</B> | <B>-extra-pkcs12</B> | <B>-extra-x509</B> | <B>-extra-verify</B> <extra-params><DD>
|
|
|
|
|
|
The purpose of these parameters is to allow optional parameters to be supplied
|
|
to <B>openssl</B> that this command executes. The <B>-extra-cmd</B> are specific to the
|
|
option being used and the <B>openssl</B> command getting invoked. For example
|
|
when this command invokes <B>openssl req</B> extra parameters can be passed on
|
|
with the <B>-extra-req</B> parameter. The
|
|
<B>openssl</B> commands being invoked per option are documented below.
|
|
Users should consult <B>openssl</B> command documentation for more information.
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>EXAMPLES</H2>
|
|
|
|
|
|
|
|
Create a <FONT SIZE="-1">CA</FONT> hierarchy:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
CA.pl -newca
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
Complete certificate creation example: create a <FONT SIZE="-1">CA,</FONT> create a request, sign
|
|
the request and finally create a PKCS#12 file containing it.
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
CA.pl -newca
|
|
CA.pl -newreq
|
|
CA.pl -signreq
|
|
CA.pl -pkcs12 "My Test Certificate"
|
|
|
|
</PRE>
|
|
|
|
|
|
<A NAME="lbAG"> </A>
|
|
<H2>DSA CERTIFICATES</H2>
|
|
|
|
|
|
|
|
Although the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> creates <FONT SIZE="-1">RSA</FONT> CAs and requests it is still possible to
|
|
use it with <FONT SIZE="-1">DSA</FONT> certificates and requests using the <B><A HREF="/cgi-bin/man/man2html?1+req">req</A></B>(1) command
|
|
directly. The following example shows the steps that would typically be taken.
|
|
<P>
|
|
|
|
Create some <FONT SIZE="-1">DSA</FONT> parameters:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
openssl dsaparam -out dsap.pem 1024
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
Create a <FONT SIZE="-1">DSA CA</FONT> certificate and private key:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
Create the <FONT SIZE="-1">CA</FONT> directories and files:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
CA.pl -newca
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
enter cacert.pem when prompted for the <FONT SIZE="-1">CA</FONT> file name.
|
|
<P>
|
|
|
|
Create a <FONT SIZE="-1">DSA</FONT> certificate request and private key (a different set of parameters
|
|
can optionally be created first):
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
openssl req -out newreq.pem -newkey dsa:dsap.pem
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
Sign the request:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
CA.pl -signreq
|
|
|
|
</PRE>
|
|
|
|
|
|
<A NAME="lbAH"> </A>
|
|
<H2>NOTES</H2>
|
|
|
|
|
|
|
|
Most of the filenames mentioned can be modified by editing the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script.
|
|
<P>
|
|
|
|
If the demoCA directory already exists then the <B>-newca</B> command will not
|
|
overwrite it and will do nothing. This can happen if a previous call using
|
|
the <B>-newca</B> option terminated abnormally. To get the correct behaviour
|
|
delete the demoCA directory if it already exists.
|
|
<P>
|
|
|
|
Under some environments it may not be possible to run the <B></B><FONT SIZE="-1"><B>CA</B></FONT><B>.pl</B> script
|
|
directly (for example Win32) and the default configuration file location may
|
|
be wrong. In this case the command:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
perl -S CA.pl
|
|
|
|
</PRE>
|
|
|
|
|
|
<P>
|
|
|
|
can be used and the <B></B><FONT SIZE="-1"><B>OPENSSL_CONF</B></FONT><B></B> environment variable changed to point to
|
|
the correct path of the configuration file.
|
|
<P>
|
|
|
|
The script is intended as a simple front end for the <B>openssl</B> program for use
|
|
by a beginner. Its behaviour isn't always what is wanted. For more control over the
|
|
behaviour of the certificate commands call the <B>openssl</B> command directly.
|
|
<A NAME="lbAI"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?1+x509">x509</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+ca">ca</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+req">req</A></B>(1), <B><A HREF="/cgi-bin/man/man2html?1+pkcs12">pkcs12</A></B>(1),
|
|
<B><A HREF="/cgi-bin/man/man2html?5+config">config</A></B>(5)
|
|
<A NAME="lbAJ"> </A>
|
|
<H2>COPYRIGHT</H2>
|
|
|
|
|
|
|
|
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
<P>
|
|
|
|
Licensed under the OpenSSL license (the ``License''). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file <FONT SIZE="-1">LICENSE</FONT> in the source distribution or at
|
|
<<A HREF="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</A>>.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="14"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="15"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="16"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="17"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="18"><A HREF="#lbAF">EXAMPLES</A><DD>
|
|
<DT id="19"><A HREF="#lbAG">DSA CERTIFICATES</A><DD>
|
|
<DT id="20"><A HREF="#lbAH">NOTES</A><DD>
|
|
<DT id="21"><A HREF="#lbAI">SEE ALSO</A><DD>
|
|
<DT id="22"><A HREF="#lbAJ">COPYRIGHT</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:05:08 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|