=pod
{- OpenSSL::safe::output_do_not_edit_headers(); -}

=head1 NAME

openssl-ca - sample minimal CA application

=head1 SYNOPSIS

B<openssl> B<ca>
[B<-help>]
[B<-verbose>]
[B<-config> I<filename>]
[B<-name> I<section>]
[B<-section> I<section>]
[B<-gencrl>]
[B<-revoke> I<file>]
[B<-valid> I<file>]
[B<-status> I<serial>]
[B<-updatedb>]
[B<-crl_reason> I<reason>]
[B<-crl_hold> I<instruction>]
[B<-crl_compromise> I<time>]
[B<-crl_CA_compromise> I<time>]
[B<-crl_lastupdate> I<date>]
[B<-crl_nextupdate> I<date>]
[B<-crldays> I<days>]
[B<-crlhours> I<hours>]
[B<-crlsec> I<seconds>]
[B<-crlexts> I<section>]
[B<-startdate> I<date>]
[B<-enddate> I<date>]
[B<-days> I<arg>]
[B<-md> I<arg>]
[B<-policy> I<arg>]
[B<-keyfile> I<filename>|I<uri>]
[B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
[B<-key> I<arg>]
[B<-passin> I<arg>]
[B<-cert> I<file>]
[B<-certform> B<DER>|B<PEM>|B<P12>]
[B<-selfsign>]
[B<-in> I<file>]
[B<-inform> B<DER>|B<PEM>]
[B<-out> I<file>]
[B<-notext>]
[B<-dateopt>]
[B<-outdir> I<dir>]
[B<-infiles>]
[B<-spkac> I<file>]
[B<-ss_cert> I<file>]
[B<-preserveDN>]
[B<-noemailDN>]
[B<-batch>]
[B<-msie_hack>]
[B<-extensions> I<section>]
[B<-extfile> I<file>]
[B<-subj> I<arg>]
[B<-utf8>]
[B<-sigopt> I<nm>:I<v>]
[B<-vfyopt> I<nm>:I<v>]
[B<-create_serial>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
[I<certreq>...]

=head1 DESCRIPTION

This command emulates a CA application.
See the B<WARNINGS> especially when considering using it in production.
It can be used to sign certificate requests (CSRs) in a variety of forms
and generate certificate revocation lists (CRLs).
It also maintains a text database of issued certificates and their status.
When signing certificates, a single request can be specified
with the B<-in> option, or multiple requests can be processed by
specifying a set of B<certreq> files after all options.

Note that there are also very lean ways of generating certificates:
the B<req> and B<x509> commands can be used for directly creating certificates.
See L<openssl-req(1)> and L<openssl-x509(1)> for details.

The descriptions of the B<ca> command options are grouped by purpose.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-verbose>

This prints extra details about the operations being performed.

=item B<-config> I<filename>

Specifies the configuration file to use.
Optional; for a description of the default value,
see L<openssl(1)/COMMAND SUMMARY>.

=item B<-name> I<section>, B<-section> I<section>

Specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).

=item B<-in> I<filename>

An input filename containing a single certificate request (CSR) to be
signed by the CA.

=item B<-inform> B<DER>|B<PEM>

The format of the data in certificate request input files;
unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-ss_cert> I<filename>

A single self-signed certificate to be signed by the CA.

=item B<-spkac> I<filename>

A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required input and output format.

=item B<-infiles>

If present this should be the last option; all subsequent arguments
are taken as the names of files containing certificate requests.

=item B<-out> I<filename>

The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in PEM format (except that B<-spkac> outputs DER format).

=item B<-outdir> I<directory>

The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
F<.pem> appended.

=item B<-cert> I<filename>

The CA certificate, which must match with B<-keyfile>.

=item B<-certform> B<DER>|B<PEM>|B<P12>

The format of the data in certificate input files; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-keyfile> I<filename>|I<uri>

The CA private key to sign certificate requests with.
This must match with B<-cert>.

=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>

The format of the private key input file; unspecified by default.
See L<openssl-format-options(1)> for details.

=item B<-sigopt> I<nm>:I<v>

Pass options to the signature algorithm during sign operations.
Names and values of these options are algorithm-specific.

=item B<-vfyopt> I<nm>:I<v>

Pass options to the signature algorithm during verify operations.
Names and values of these options are algorithm-specific.

This often needs to be given while signing too, because the self-signature of
a certificate signing request (CSR) is verified against the included public key,
and that verification may need its own set of options.

=item B<-key> I<password>

=for openssl foreign manual ps(1)

The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g., when using
L<ps(1)> on Unix),
this option should be used with caution.
Prefer B<-passin> instead.

=item B<-passin> I<arg>

The key password source for key files and certificate PKCS#12 files.
For more information about the format of I<arg>
see L<openssl-passphrase-options(1)>.

=item B<-selfsign>

Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with B<-keyfile>).
Certificate requests signed with a different key are ignored.
If B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is ignored.

A consequence of using B<-selfsign> is that the self-signed
certificate appears among the entries in the certificate database
(see the configuration option B<database>), and uses the same
serial number counter as all other certificates signed with the
self-signed certificate.

=item B<-notext>

Don't output the text form of a certificate to the output file.

=item B<-dateopt>

Specify the date output format. Values are: rfc_822 and iso_8601.
Defaults to rfc_822.

=item B<-startdate> I<date>

This allows the start date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.

=item B<-enddate> I<date>

This allows the expiry date to be explicitly set. The format of the
date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or
YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In
both formats, seconds SS and timezone Z must be present.

=item B<-days> I<arg>

The number of days to certify the certificate for.

=item B<-md> I<alg>

The message digest to use.
Any digest supported by the L<openssl-dgst(1)> command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.

=item B<-policy> I<arg>

This option defines the CA "policy" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the CA certificate. See the B<POLICY FORMAT> section
for more information.

=item B<-msie_hack>

This is a deprecated option to make this command work with very old versions
of the IE certificate enrollment control "certenr3". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged.

=item B<-preserveDN>

Normally the DN order of a certificate is the same as the order of the
fields in the relevant policy section. When this option is set the order
is the same as the request.
This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.

=item B<-noemailDN>

The DN of a certificate can contain the EMAIL field if present in the
request DN; however, it is good policy to have the e-mail set only in
the altName extension of the certificate. When this option is set the
EMAIL field is removed from the certificate's subject and set only in
the extensions, if any are present. The B<email_in_dn> keyword can be
used in the configuration file to enable this behaviour.

=item B<-batch>

This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.

=item B<-extensions> I<section>

The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used).
If no X.509 extensions are specified then a V1 certificate is created,
else a V3 certificate is created.
See the L<x509v3_config(5)> manual page for details of the
extension section format.

=item B<-extfile> I<file>

An additional configuration file to read certificate extensions from
(using the default section unless the B<-extensions> option is also
used).

=item B<-subj> I<arg>

Supersedes the subject name given in the request.

The arg must be formatted as C</type0=value0/type1=value1/type2=...>.
Special characters may be escaped by C<\> (backslash), whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
Giving a single C</> will lead to an empty sequence of RDNs (a NULL-DN).
Multi-valued RDNs can be formed by placing a C<+> character instead of a C</>
between the AttributeValueAssertions (AVAs) that specify the members of the set.
Example:

C</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>

=item B<-utf8>

This option causes field values to be interpreted as UTF8 strings; by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.

=item B<-create_serial>

If reading the serial number from the text file named in the configuration
fails, specifying this option creates a new random serial to be used as the
next serial number.
To get random serial numbers, use the B<-rand_serial> flag instead; this
option should only be used for simple error recovery.

=item B<-rand_serial>

Generate a large random number to use as the serial number.
This overrides any option or configuration to use a serial number file.

=item B<-multivalue-rdn>

This option has been deprecated and has no effect.

{- $OpenSSL::safe::opt_r_item -}

{- $OpenSSL::safe::opt_engine_item -}

{- $OpenSSL::safe::opt_provider_item -}

=back

=head1 CRL OPTIONS

=over 4

=item B<-gencrl>

This option generates a CRL based on information in the index file.

=item B<-crl_lastupdate> I<time>

Allows the value of the CRL's lastUpdate field to be explicitly set; if
this option is not present, the current time is used. Accepts times in
YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).

=item B<-crl_nextupdate> I<time>

Allows the value of the CRL's nextUpdate field to be explicitly set; if
this option is present, any values given for B<-crldays>, B<-crlhours>
and B<-crlsec> are ignored. Accepts times in the same formats as
B<-crl_lastupdate>.

=item B<-crldays> I<num>

The number of days before the next CRL is due. That is the days from
now to place in the CRL nextUpdate field.

=item B<-crlhours> I<num>

The number of hours before the next CRL is due.

=item B<-crlsec> I<num>

The number of seconds before the next CRL is due.

=item B<-revoke> I<filename>

A filename containing a certificate to revoke.

=item B<-valid> I<filename>

A filename containing a certificate for which a Valid entry is to be
added to the database.

=item B<-status> I<serial>

Displays the revocation status of the certificate with the specified
serial number and exits.

=item B<-updatedb>

Updates the database index to purge expired certificates.

=item B<-crl_reason> I<reason>

Revocation reason, where I<reason> is one of: B<unspecified>, B<keyCompromise>,
B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
B<certificateHold> or B<removeFromCRL>. The matching of I<reason> is case
insensitive. Setting any revocation reason will make the CRL v2.

In practice B<removeFromCRL> is not particularly useful because it is only used
in delta CRLs which are not currently implemented.

=item B<-crl_hold> I<instruction>

This sets the CRL revocation reason code to B<certificateHold> and the hold
instruction to I<instruction> which must be an OID. Although any OID can be
used, only B<holdInstructionNone> (the use of which is discouraged by RFC2459),
B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.

=item B<-crl_compromise> I<time>

This sets the revocation reason to B<keyCompromise> and the compromise time to
I<time>. I<time> should be in GeneralizedTime format, that is I<YYYYMMDDHHMMSSZ>.

=item B<-crl_CA_compromise> I<time>

This is the same as B<-crl_compromise> except the revocation reason is set to
B<CACompromise>.

=item B<-crlexts> I<section>

The section of the configuration file containing CRL extensions to
include. If no CRL extension section is present then a V1 CRL is
created; if the CRL extension section is present (even if it is
empty) then a V2 CRL is created. The CRL extensions specified are
CRL extensions and B<not> CRL entry extensions. It should be noted
that some software (for example Netscape) can't handle V2 CRLs. See the
L<x509v3_config(5)> manual page for details of the
extension section format.

=back

=head1 CONFIGURATION FILE OPTIONS

The section of the configuration file containing options for this command
is found as follows: If the B<-name> command line option is used,
then it names the section to be used.
Otherwise the section to
be used must be named in the B<default_ca> option of the B<ca> section
of the configuration file (or in the default section of the
configuration file). Besides B<default_ca>, the following options are
read directly from the B<ca> section:

 RANDFILE
 preserve
 msie_hack

With the exception of B<RANDFILE>, this is probably a bug and may
change in future releases.

Many of the configuration file options are identical to command line
options. Where the option is present in the configuration file
and the command line, the command line value is used. Where an
option is described as mandatory then it must be present in
the configuration file or the command line equivalent (if
any) used.

=over 4

=item B<oid_file>

This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by whitespace then the short name followed
by whitespace and finally the long name.

=item B<oid_section>

This specifies a section in the configuration file containing extra
object identifiers.
Each line should consist of the short name of the
object identifier followed by B<=> and the numerical form. The short
and long names are the same when this option is used.

=item B<new_certs_dir>

The same as the B<-outdir> command line option. It specifies
the directory where new certificates will be placed. Mandatory.

=item B<certificate>

The same as B<-cert>. It gives the file containing the CA
certificate. Mandatory.

=item B<private_key>

Same as the B<-keyfile> option. The file containing the
CA private key. Mandatory.

=item B<RANDFILE>

At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
not necessary anymore; see the L</HISTORY> section.)

=item B<default_days>

The same as the B<-days> option. The number of days to certify
a certificate for.

=item B<default_startdate>

The same as the B<-startdate> option. The start date to certify
a certificate for. If not set the current time is used.

=item B<default_enddate>

The same as the B<-enddate> option. Either this option or
B<default_days> (or the command line equivalents) must be
present.

=item B<default_crl_hours>, B<default_crl_days>

The same as the B<-crlhours> and the B<-crldays> options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a CRL.

=item B<default_md>

The same as the B<-md> option. Mandatory except where the signing algorithm does
not require a digest (i.e. Ed25519 and Ed448).

=item B<database>

The text database file to use. Mandatory. This file must be present
though initially it will be empty.

=item B<unique_subject>

If the value B<yes> is given, the valid certificate entries in the
database must have unique subjects. If the value B<no> is given,
several valid certificate entries may have the exact same subject.
The default value is B<yes>, to be compatible with older (pre 0.9.8)
versions of OpenSSL.
However, to make CA certificate roll-over easier,
it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option.

Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.

=item B<serial>

A text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
Sequential serial numbers reveal how many certificates the CA has issued;
the B<-rand_serial> command line option, or B<rand_serial> = B<yes> in this
section, uses a large random serial number instead.

=item B<crlnumber>

A text file containing the next CRL number to use in hex. The CRL number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid CRL number.

=item B<x509_extensions>

A fallback to the B<-extensions> option.

=item B<crl_extensions>

A fallback to the B<-crlexts> option.

=item B<preserve>

The same as B<-preserveDN>.

=item B<email_in_dn>

The same as B<-noemailDN>.
If you want the EMAIL field to be removed
from the DN of the certificate simply set this to B<no>. If not present
the default is to allow for the EMAIL field in the certificate's DN.

=item B<msie_hack>

The same as B<-msie_hack>.

=item B<policy>

The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
for more information.

=item B<name_opt>, B<cert_opt>

These options control the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the B<x509> utility's B<-nameopt> and B<-certopt> switches can be used
here, except that B<no_signame> and B<no_sigdump> are permanently set
and cannot be disabled (the certificate signature cannot be displayed
because the certificate has not been signed at this point).

For convenience the value B<ca_default> is accepted by both to produce
a reasonable output.

If neither option is present the format used in earlier versions of
OpenSSL is used. Use of the old format is B<strongly> discouraged because
it only displays fields mentioned in the B<policy> section, mishandles
multicharacter string types and does not display extensions, so an
operator confirming interactively would not see, for example, a
basicConstraints extension copied from the request.

=item B<copy_extensions>

Determines how extensions in certificate requests should be handled.
If set to B<none> or this option is not present then extensions are
ignored and not copied to the certificate. If set to B<copy> then any
extensions present in the request that are not already present are copied
to the certificate. If set to B<copyall> then all extensions in the
request are copied to the certificate: if the extension is already present
in the certificate it is deleted first. See the B<WARNINGS> section before
using this option.

The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.

=back

=head1 POLICY FORMAT

The policy section consists of a set of variables corresponding to
certificate DN fields. If the value is "match" then the field value
must match the same field in the CA certificate. If the value is
"supplied" then it must be present. If the value is "optional" then
it may be present. Any fields not mentioned in the policy section
are silently deleted unless the B<-preserveDN> option is set, but
this can be regarded as more of a quirk than intended behaviour.
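The configuration options, the policy section and the B<copy_extensions>
behaviour described above, together with the CA:TRUE hazard spelled out in
the B<WARNINGS> section, as one added shell walk-through. This is example
code written for this page, not OpenSSL's own code or documentation. It
builds the demoCA-style layout in a temporary directory, so nothing on the
system is touched; the DNs, file names and the section names
C<policy_match>, C<v3_ca> and C<usr_cert> are arbitrary choices for the demo.
It assumes an C<openssl> binary of version 1.1.1 or later on the PATH (for
B<req -addext> and B<-pkeyopt>), and it signs the same hostile request twice,
once with C<copy_extensions = copy> and once with C<copyall>, so the two
outcomes can be compared directly.

```shell
#!/bin/sh
# Added walk-through, not OpenSSL's own code: builds the demoCA layout from the
# EXAMPLES section in a temporary directory, signs requests under a policy
# section, signs one CSR that asks for CA:TRUE under copy_extensions=copy and
# again under copyall, then revokes a certificate and issues a CRL. The DNs,
# file names and section names are arbitrary choices for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
CA_ROOT=$(mktemp -d)                      # stands in for ./demoCA
trap 'rm -rf "$CA_ROOT"' EXIT

write_ca_config() {  # $1 = file, $2 = copy_extensions value (none|copy|copyall)
    cat >"$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_ROOT
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256         # never md5 or sha1 for signatures
policy           = policy_match
email_in_dn      = no
unique_subject   = no             # lets the same subject be issued twice below
x509_extensions  = usr_cert
copy_extensions  = $2
# OU is deliberately absent from the policy: it is dropped from issued DNs
[ policy_match ]
countryName      = match
organizationName = optional
commonName       = supplied
emailAddress     = optional
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# always set here, so copy_extensions=copy cannot let a request override it
[ usr_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
authorityKeyIdentifier = keyid
EOF
}
setup_ca() {
    mkdir -p "$CA_ROOT/private" "$CA_ROOT/newcerts"
    : >"$CA_ROOT/index.txt"                   # empty text database
    echo 01 >"$CA_ROOT/serial"                # next serial number, hex
    echo 01 >"$CA_ROOT/crlnumber"             # next CRL number, hex
    write_ca_config "$CA_ROOT/ca.cnf" copy
    write_ca_config "$CA_ROOT/ca-copyall.cnf" copyall
    # Self-signed CA; pathlen:0 means a mis-issued CA:TRUE leaf cannot sign a valid chain.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$CA_ROOT/ca.cnf" -extensions v3_ca -days 365 \
        -subj "/C=XX/O=Example Test/CN=Example Test CA" \
        -keyout "$CA_ROOT/private/cakey.pem" -out "$CA_ROOT/cacert.pem" 2>/dev/null
}
make_csr() {  # $1 = name, $2 = subject, remaining args = extra openssl req options
    name=$1; subj=$2; shift 2
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$CA_ROOT/ca.cnf" -subj "$subj" "$@" \
        -keyout "$CA_ROOT/$name.key" -out "$CA_ROOT/$name.csr" 2>/dev/null
}
sign_csr() {  # $1 = config, $2 = csr, $3 = output certificate
    openssl ca -batch -notext -config "$1" -extensions usr_cert -in "$2" -out "$3" 2>/dev/null
}
cert_subject()     { openssl x509 -in "$1" -noout -subject; }
cert_is_ca()       { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
db_status()        { awk -F '\t' -v s="$1" '$4 == s { print $1 }' "$CA_ROOT/index.txt"; }
crl_lists_serial() { openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"; }

ca_demo() {
    setup_ca
    # Serial 01: C must match the CA, the OU is silently dropped.
    make_csr client "/C=XX/OU=Dropped by policy/CN=client.example.test"
    sign_csr "$CA_ROOT/ca.cnf" "$CA_ROOT/client.csr" "$CA_ROOT/client.pem"
    # Serials 02 and 03: the same hostile CSR under each copy_extensions value.
    make_csr rogue "/C=XX/CN=rogue.example.test" -addext "basicConstraints=critical,CA:TRUE"
    sign_csr "$CA_ROOT/ca.cnf"         "$CA_ROOT/rogue.csr" "$CA_ROOT/rogue-copy.pem"
    sign_csr "$CA_ROOT/ca-copyall.cnf" "$CA_ROOT/rogue.csr" "$CA_ROOT/rogue-copyall.pem"
    # Revoke serial 01 (its index.txt row flips from V to R) and publish a CRL.
    openssl ca -config "$CA_ROOT/ca.cnf" -revoke "$CA_ROOT/client.pem" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$CA_ROOT/ca.cnf" -gencrl -out "$CA_ROOT/crl.pem" 2>/dev/null
    echo "issued subject : $(cert_subject "$CA_ROOT/client.pem")"
    echo "copy    is CA? : $(cert_is_ca "$CA_ROOT/rogue-copy.pem" && echo yes || echo no)"
    echo "copyall is CA? : $(cert_is_ca "$CA_ROOT/rogue-copyall.pem" && echo yes || echo no)"
    echo "serial 01 state: $(db_status 01)"
}
ca_demo
```

Running it prints the issued subject without the OU, C<no> for the
certificate signed under C<copy> (the configured CA:FALSE wins), C<yes> for
the one signed under C<copyall> (the request's CA:TRUE replaced it), and
C<R> for serial 01 after revocation. The only difference between the two
configuration files is the B<copy_extensions> value, which is the point of
the WARNINGS section: B<-batch> skips the confirmation display entirely, so
the configuration, not the operator, has to be what rejects hostile
extensions.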

=head1 SPKAC FORMAT

The input to the B<-spkac> command line option is a Netscape
signed public key and challenge. This historically came from
the B<KEYGEN> tag in an HTML form used to create a new private key;
that element has since been removed from current browsers.
It is however possible to create SPKACs using L<openssl-spkac(1)>.

The file should contain the variable SPKAC set to the value of
the SPKAC and also the required DN components as name value pairs.
If you need to include the same component twice then it can be
preceded by a number and a '.'.

When processing SPKAC format, the output is DER if the B<-out>
flag is used, but PEM format if sending to stdout or the B<-outdir>
flag is used.

=head1 EXAMPLES

Note: these examples assume that the directory structure this command
assumes is already set up and the relevant files already exist. This
usually involves creating a CA certificate and private key with
L<openssl-req(1)>, a serial number file and an empty index file and
placing them in the relevant directories.

To use the sample configuration file below the directories F<demoCA>,
F<demoCA/private> and F<demoCA/newcerts> would be created.
The CA
certificate would be copied to F<demoCA/cacert.pem> and its private
key to F<demoCA/private/cakey.pem>. A file F<demoCA/serial> would be
created containing for example "01" and the empty index file
F<demoCA/index.txt>.

Sign a certificate request:

 openssl ca -in req.pem -out newcert.pem

Sign an SM2 certificate request:

 openssl ca -in sm2.csr -out sm2.crt -md sm3 \
    -sigopt "distid:1234567812345678" \
    -vfyopt "distid:1234567812345678"

Sign a certificate request, using CA extensions:

 openssl ca -in req.pem -extensions v3_ca -out newcert.pem

Generate a CRL:

 openssl ca -gencrl -out crl.pem

Sign several requests:

 openssl ca -infiles req1.pem req2.pem req3.pem

Certify a Netscape SPKAC:

 openssl ca -spkac spkac.txt

A sample SPKAC file (the SPKAC line has been truncated for clarity):

 SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
 CN=Steve Test
 emailAddress=steve@openssl.org
 0.OU=OpenSSL Group
 1.OU=Another Group

A sample configuration file with the relevant sections for this command:

 [ ca ]
 default_ca      = CA_default            # The default ca section

 [ CA_default ]

 dir             = ./demoCA              # top dir
 database        = $dir/index.txt        # index file.
 new_certs_dir   = $dir/newcerts         # new certs dir

 certificate     = $dir/cacert.pem       # The CA cert
 serial          = $dir/serial           # serial no file
 #rand_serial    = yes                   # for random serial#'s
 private_key     = $dir/private/cakey.pem # CA private key

 default_days    = 365                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
 default_md      = sha256                # md to use; never md5 or sha1

 policy          = policy_any            # default policy
 email_in_dn     = no                    # Don't add the email into cert DN

 name_opt        = ca_default            # Subject name display option
 cert_opt        = ca_default            # Certificate display option
 copy_extensions = none                  # Don't copy extensions from request

 [ policy_any ]
 countryName            = supplied
 stateOrProvinceName    = optional
 organizationName       = optional
 organizationalUnitName = optional
 commonName             = supplied
 emailAddress           = optional

=head1 FILES

Note: the location of all files can change either by compile time options,
configuration file entries, environment variables or command line options.
The values below reflect the default values.

 /usr/local/ssl/lib/openssl.cnf - master configuration file
 ./demoCA                       - main CA directory
 ./demoCA/cacert.pem            - CA certificate
 ./demoCA/private/cakey.pem     - CA private key
 ./demoCA/serial                - CA serial number file
 ./demoCA/serial.old            - CA serial number backup file
 ./demoCA/index.txt             - CA text database file
 ./demoCA/index.txt.old         - CA text database backup file
 ./demoCA/certs                 - certificate output file

=head1 RESTRICTIONS

The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.

V2 CRL features like delta CRLs are not currently supported.

Although several requests can be input and handled at once it is only
possible to include one SPKAC or self-signed certificate.

=head1 BUGS

This command is quirky and at times downright unfriendly.

The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies,
the database has to be kept in memory.

This command really needs rewriting or the required functionality
exposed at either a command or interface level so that a more user-friendly
replacement could handle things properly. The script
B<CA.pl> helps a little but not very much.

Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the B<-preserveDN> option is used. To
enforce the absence of the EMAIL field within the DN, as suggested by
RFCs, regardless of the contents of the request's subject, the B<-noemailDN>
option can be used. The behaviour should be more friendly and
configurable.

Canceling some commands by refusing to certify a certificate can
create an empty file.

=head1 WARNINGS

This command was originally meant as an example of how to do things in a CA.
Its code does not have production quality.
It was not supposed to be used as a full blown CA itself,
nevertheless some people are using it for this purpose at least internally.
When doing so, specific care should be taken to
properly secure the private key(s) used for signing certificates.
It is advisable to keep them in secure hardware storage such as a smart card or HSM
and access them via a suitable engine or crypto provider.

This command is effectively a single user command: no locking
is done on the various files and attempts to run more than one B<openssl ca>
command on the same database can have unpredictable results.

The B<copy_extensions> option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
request contains a basicConstraints extension with CA:TRUE and the
B<copy_extensions> value is set to B<copyall> and the user does not spot
this when the certificate is displayed then this will hand the requester
a valid CA certificate. With B<-batch> nothing is displayed and nobody is
asked, so the configuration alone decides what is issued.
This situation can be avoided by setting B<copy_extensions> to B<copy>
and including basicConstraints with CA:FALSE in the configuration file.
Then if the request contains a basicConstraints extension it will be
ignored.

It is advisable to also include values for other extensions such
as B<keyUsage> to prevent a request supplying its own values.

Additional restrictions can be placed on the CA certificate itself.
For example if the CA certificate has:

 basicConstraints = CA:TRUE, pathlen:0

then even if a certificate is issued with CA:TRUE, no certificate it signs
will pass path validation. The mis-issued certificate should still be
revoked.

=head1 HISTORY

Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
certificate validity period (specified by any of B<-startdate>,
B<-enddate> and B<-days>) and CRL last/next update time (specified by
any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
and B<-crlsec>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.

OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
seeding mechanism. The new seeding mechanism makes it unnecessary to
define a RANDFILE for saving and restoring randomness. This option is
retained mainly for compatibility reasons.

The B<-section> option was added in OpenSSL 3.0.0.

The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and
has no effect.

The B<-engine> option was deprecated in OpenSSL 3.0.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-req(1)>,
L<openssl-spkac(1)>,
L<openssl-x509(1)>,
L<CA.pl(1)>,
L<config(5)>,
L<x509v3_config(5)>

=head1 COPYRIGHT

Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut