ca.1 (206048) | ca.1 (215698) |
---|---|
1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.37 | 1.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) |
2.\" 3.\" Standard preamble: 4.\" ======================================================================== | 2.\" 3.\" Standard preamble: 4.\" ======================================================================== |
5.de Sh \" Subsection heading 6.br 7.if t .Sp 8.ne 5 9.PP 10\fB\\$1\fR 11.PP 12.. | |
13.de Sp \" Vertical space (when we can't use .PP) 14.if t .sp .5v 15.if n .sp 16.. 17.de Vb \" Begin verbatim text 18.ft CW 19.nf 20.ne \\$1 21.. 22.de Ve \" End verbatim text 23.ft R 24.fi 25.. 26.\" Set up some character translations and predefined strings. \*(-- will 27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left | 5.de Sp \" Vertical space (when we can't use .PP) 6.if t .sp .5v 7.if n .sp 8.. 9.de Vb \" Begin verbatim text 10.ft CW 11.nf 12.ne \\$1 13.. 14.de Ve \" End verbatim text 15.ft R 16.fi 17.. 18.\" Set up some character translations and predefined strings. \*(-- will 19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
28.\" double quote, and \*(R" will give a right double quote. | will give a 29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to 30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' 31.\" expand to `' in nroff, nothing in troff, for use with C<>. 32.tr \(*W-|\(bv\*(Tr | 20.\" double quote, and \*(R" will give a right double quote. \*(C+ will 21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and 22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, 23.\" nothing in troff, for use with C<>. 24.tr \(*W- |
33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' 34.ie n \{\ 35. ds -- \(*W- 36. ds PI pi 37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch 38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch 39. ds L" "" 40. ds R" "" 41. ds C` "" 42. ds C' "" 43'br\} 44.el\{\ 45. ds -- \|\(em\| 46. ds PI \(*p 47. ds L" `` 48. ds R" '' 49'br\} 50.\" | 25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' 26.ie n \{\ 27. ds -- \(*W- 28. ds PI pi 29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch 30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch 31. ds L" "" 32. ds R" "" 33. ds C` "" 34. ds C' "" 35'br\} 36.el\{\ 37. ds -- \|\(em\| 38. ds PI \(*p 39. ds L" `` 40. ds R" '' 41'br\} 42.\" |
43.\" Escape single quotes in literal strings from groff's Unicode transform. 44.ie \n(.g .ds Aq \(aq 45.el .ds Aq ' 46.\" |
|
51.\" If the F register is turned on, we'll generate index entries on stderr for | 47.\" If the F register is turned on, we'll generate index entries on stderr for |
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index | 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
53.\" entries marked with X<> in POD. Of course, you'll have to process the 54.\" output yourself in some meaningful fashion. | 49.\" entries marked with X<> in POD. Of course, you'll have to process the 50.\" output yourself in some meaningful fashion. |
55.if \nF \{\ | 51.ie \nF \{\ |
56. de IX 57. tm Index:\\$1\t\\n%\t"\\$2" 58.. 59. nr % 0 60. rr F 61.\} | 52. de IX 53. tm Index:\\$1\t\\n%\t"\\$2" 54.. 55. nr % 0 56. rr F 57.\} |
58.el \{\ 59. de IX 60.. 61.\} |
|
62.\" | 62.\" |
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes 64.\" way too many mistakes in technical documents. 65.hy 0 66.if n .na 67.\" | |
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 69.\" Fear. Run. Save yourself. No user-serviceable parts. 70. \" fudge factors for nroff and troff 71.if n \{\ 72. ds #H 0 73. ds #V .8m 74. ds #F .3m 75. ds #[ \f1 --- 48 unchanged lines hidden (view full) --- 124. ds Th \o'LP' 125. ds ae ae 126. ds Ae AE 127.\} 128.rm #[ #] #H #V #F C 129.\" ======================================================================== 130.\" 131.IX Title "CA 1" | 63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 64.\" Fear. Run. Save yourself. No user-serviceable parts. 65. \" fudge factors for nroff and troff 66.if n \{\ 67. ds #H 0 68. ds #V .8m 69. ds #F .3m 70. ds #[ \f1 --- 48 unchanged lines hidden (view full) --- 119. ds Th \o'LP' 120. ds ae ae 121. ds Ae AE 122.\} 123.rm #[ #] #H #V #F C 124.\" ======================================================================== 125.\" 126.IX Title "CA 1" |
132.TH CA 1 "2010-03-24" "0.9.8n" "OpenSSL" | 127.TH CA 1 "2010-11-16" "0.9.8p" "OpenSSL" 128.\" For nroff, turn off justification. Always turn off hyphenation; it makes 129.\" way too many mistakes in technical documents. 130.if n .ad l 131.nh |
133.SH "NAME" 134ca \- sample minimal CA application 135.SH "SYNOPSIS" 136.IX Header "SYNOPSIS" 137\&\fBopenssl\fR \fBca\fR 138[\fB\-verbose\fR] 139[\fB\-config filename\fR] 140[\fB\-name section\fR] --- 60 unchanged lines hidden (view full) --- 201.IP "\fB\-spkac filename\fR" 4 202.IX Item "-spkac filename" 203a file containing a single Netscape signed public key and challenge 204and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR 205section for information on the required format. 206.IP "\fB\-infiles\fR" 4 207.IX Item "-infiles" 208if present this should be the last option, all subsequent arguments | 132.SH "NAME" 133ca \- sample minimal CA application 134.SH "SYNOPSIS" 135.IX Header "SYNOPSIS" 136\&\fBopenssl\fR \fBca\fR 137[\fB\-verbose\fR] 138[\fB\-config filename\fR] 139[\fB\-name section\fR] --- 60 unchanged lines hidden (view full) --- 200.IP "\fB\-spkac filename\fR" 4 201.IX Item "-spkac filename" 202a file containing a single Netscape signed public key and challenge 203and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR 204section for information on the required format. 205.IP "\fB\-infiles\fR" 4 206.IX Item "-infiles" 207if present this should be the last option, all subsequent arguments |
209are assumed to the the names of files containing certificate requests. | 208are assumed to the the names of files containing certificate requests. |
210.IP "\fB\-out filename\fR" 4 211.IX Item "-out filename" 212the output file to output certificates to. The default is standard 213output. The certificate details will also be printed out to this 214file. 215.IP "\fB\-outdir directory\fR" 4 216.IX Item "-outdir directory" 217the directory to output certificates to. The certificate will be --- 157 unchanged lines hidden (view full) --- 375\&\fBCACompromise\fR. 376.IP "\fB\-crlexts section\fR" 4 377.IX Item "-crlexts section" 378the section of the configuration file containing \s-1CRL\s0 extensions to 379include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is 380created, if the \s-1CRL\s0 extension section is present (even if it is 381empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are 382\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted | 209.IP "\fB\-out filename\fR" 4 210.IX Item "-out filename" 211the output file to output certificates to. The default is standard 212output. The certificate details will also be printed out to this 213file. 214.IP "\fB\-outdir directory\fR" 4 215.IX Item "-outdir directory" 216the directory to output certificates to. The certificate will be --- 157 unchanged lines hidden (view full) --- 374\&\fBCACompromise\fR. 375.IP "\fB\-crlexts section\fR" 4 376.IX Item "-crlexts section" 377the section of the configuration file containing \s-1CRL\s0 extensions to 378include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is 379created, if the \s-1CRL\s0 extension section is present (even if it is 380empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are 381\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted |
383that some software (for example Netscape) can't handle V2 CRLs. | 382that some software (for example Netscape) can't handle V2 CRLs. |
384.SH "CONFIGURATION FILE OPTIONS" 385.IX Header "CONFIGURATION FILE OPTIONS" 386The section of the configuration file containing options for \fBca\fR 387is found as follows: If the \fB\-name\fR command line option is used, 388then it names the section to be used. Otherwise the section to 389be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section 390of the configuration file (or in the default section of the 391configuration file). Besides \fBdefault_ca\fR, the following options are --- 10 unchanged lines hidden (view full) --- 402option is described as mandatory then it must be present in 403the configuration file or the command line equivalent (if 404any) used. 405.IP "\fBoid_file\fR" 4 406.IX Item "oid_file" 407This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. 408Each line of the file should consist of the numerical form of the 409object identifier followed by white space then the short name followed | 383.SH "CONFIGURATION FILE OPTIONS" 384.IX Header "CONFIGURATION FILE OPTIONS" 385The section of the configuration file containing options for \fBca\fR 386is found as follows: If the \fB\-name\fR command line option is used, 387then it names the section to be used. Otherwise the section to 388be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section 389of the configuration file (or in the default section of the 390configuration file). Besides \fBdefault_ca\fR, the following options are --- 10 unchanged lines hidden (view full) --- 401option is described as mandatory then it must be present in 402the configuration file or the command line equivalent (if 403any) used. 404.IP "\fBoid_file\fR" 4 405.IX Item "oid_file" 406This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR. 407Each line of the file should consist of the numerical form of the 408object identifier followed by white space then the short name followed |
410by white space and finally the long name. | 409by white space and finally the long name. |
411.IP "\fBoid_section\fR" 4 412.IX Item "oid_section" 413This specifies a section in the configuration file containing extra 414object identifiers. Each line should consist of the short name of the 415object identifier followed by \fB=\fR and the numerical form. The short 416and long names are the same when this option is used. 417.IP "\fBnew_certs_dir\fR" 4 418.IX Item "new_certs_dir" --- 9 unchanged lines hidden (view full) --- 428\&\s-1CA\s0 private key. Mandatory. 429.IP "\fB\s-1RANDFILE\s0\fR" 4 430.IX Item "RANDFILE" 431a file used to read and write random number seed information, or 432an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). 433.IP "\fBdefault_days\fR" 4 434.IX Item "default_days" 435the same as the \fB\-days\fR option. The number of days to certify | 410.IP "\fBoid_section\fR" 4 411.IX Item "oid_section" 412This specifies a section in the configuration file containing extra 413object identifiers. Each line should consist of the short name of the 414object identifier followed by \fB=\fR and the numerical form. The short 415and long names are the same when this option is used. 416.IP "\fBnew_certs_dir\fR" 4 417.IX Item "new_certs_dir" --- 9 unchanged lines hidden (view full) --- 427\&\s-1CA\s0 private key. Mandatory. 428.IP "\fB\s-1RANDFILE\s0\fR" 4 429.IX Item "RANDFILE" 430a file used to read and write random number seed information, or 431an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). 432.IP "\fBdefault_days\fR" 4 433.IX Item "default_days" 434the same as the \fB\-days\fR option. The number of days to certify |
436a certificate for. | 435a certificate for. |
437.IP "\fBdefault_startdate\fR" 4 438.IX Item "default_startdate" 439the same as the \fB\-startdate\fR option. The start date to certify 440a certificate for. If not set the current time is used. 441.IP "\fBdefault_enddate\fR" 4 442.IX Item "default_enddate" 443the same as the \fB\-enddate\fR option. Either this option or 444\&\fBdefault_days\fR (or the command line equivalents) must be --- 111 unchanged lines hidden (view full) --- 556certificate would be copied to demoCA/cacert.pem and its private 557key to demoCA/private/cakey.pem. A file demoCA/serial would be 558created containing for example \*(L"01\*(R" and the empty index file 559demoCA/index.txt. 560.PP 561Sign a certificate request: 562.PP 563.Vb 1 | 436.IP "\fBdefault_startdate\fR" 4 437.IX Item "default_startdate" 438the same as the \fB\-startdate\fR option. The start date to certify 439a certificate for. If not set the current time is used. 440.IP "\fBdefault_enddate\fR" 4 441.IX Item "default_enddate" 442the same as the \fB\-enddate\fR option. Either this option or 443\&\fBdefault_days\fR (or the command line equivalents) must be --- 111 unchanged lines hidden (view full) --- 555certificate would be copied to demoCA/cacert.pem and its private 556key to demoCA/private/cakey.pem. A file demoCA/serial would be 557created containing for example \*(L"01\*(R" and the empty index file 558demoCA/index.txt. 559.PP 560Sign a certificate request: 561.PP 562.Vb 1 |
564\& openssl ca -in req.pem -out newcert.pem | 563\& openssl ca \-in req.pem \-out newcert.pem |
565.Ve 566.PP 567Sign a certificate request, using \s-1CA\s0 extensions: 568.PP 569.Vb 1 | 564.Ve 565.PP 566Sign a certificate request, using \s-1CA\s0 extensions: 567.PP 568.Vb 1 |
570\& openssl ca -in req.pem -extensions v3_ca -out newcert.pem | 569\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem |
571.Ve 572.PP 573Generate a \s-1CRL\s0 574.PP 575.Vb 1 | 570.Ve 571.PP 572Generate a \s-1CRL\s0 573.PP 574.Vb 1 |
576\& openssl ca -gencrl -out crl.pem | 575\& openssl ca \-gencrl \-out crl.pem |
577.Ve 578.PP 579Sign several requests: 580.PP 581.Vb 1 | 576.Ve 577.PP 578Sign several requests: 579.PP 580.Vb 1 |
582\& openssl ca -infiles req1.pem req2.pem req3.pem | 581\& openssl ca \-infiles req1.pem req2.pem req3.pem |
583.Ve 584.PP 585Certify a Netscape \s-1SPKAC:\s0 586.PP 587.Vb 1 | 582.Ve 583.PP 584Certify a Netscape \s-1SPKAC:\s0 585.PP 586.Vb 1 |
588\& openssl ca -spkac spkac.txt | 587\& openssl ca \-spkac spkac.txt |
589.Ve 590.PP 591A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): 592.PP 593.Vb 5 594\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 595\& CN=Steve Test 596\& emailAddress=steve@openssl.org 597\& 0.OU=OpenSSL Group 598\& 1.OU=Another Group 599.Ve 600.PP 601A sample configuration file with the relevant sections for \fBca\fR: 602.PP 603.Vb 2 604\& [ ca ] 605\& default_ca = CA_default # The default ca section | 588.Ve 589.PP 590A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity): 591.PP 592.Vb 5 593\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 594\& CN=Steve Test 595\& emailAddress=steve@openssl.org 596\& 0.OU=OpenSSL Group 597\& 1.OU=Another Group 598.Ve 599.PP 600A sample configuration file with the relevant sections for \fBca\fR: 601.PP 602.Vb 2 603\& [ ca ] 604\& default_ca = CA_default # The default ca section |
606.Ve 607.PP 608.Vb 1 | 605\& |
609\& [ CA_default ] | 606\& [ CA_default ] |
610.Ve 611.PP 612.Vb 3 | 607\& |
613\& dir = ./demoCA # top dir 614\& database = $dir/index.txt # index file. 615\& new_certs_dir = $dir/newcerts # new certs dir | 608\& dir = ./demoCA # top dir 609\& database = $dir/index.txt # index file. 610\& new_certs_dir = $dir/newcerts # new certs dir |
616.Ve 617.PP 618.Vb 4 | 611\& |
619\& certificate = $dir/cacert.pem # The CA cert 620\& serial = $dir/serial # serial no file 621\& private_key = $dir/private/cakey.pem# CA private key 622\& RANDFILE = $dir/private/.rand # random number file | 612\& certificate = $dir/cacert.pem # The CA cert 613\& serial = $dir/serial # serial no file 614\& private_key = $dir/private/cakey.pem# CA private key 615\& RANDFILE = $dir/private/.rand # random number file |
623.Ve 624.PP 625.Vb 3 | 616\& |
626\& default_days = 365 # how long to certify for 627\& default_crl_days= 30 # how long before next CRL 628\& default_md = md5 # md to use | 617\& default_days = 365 # how long to certify for 618\& default_crl_days= 30 # how long before next CRL 619\& default_md = md5 # md to use |
629.Ve 630.PP 631.Vb 2 | 620\& |
632\& policy = policy_any # default policy | 621\& policy = policy_any # default policy |
633\& email_in_dn = no # Don't add the email into cert DN 634.Ve 635.PP 636.Vb 3 | 622\& email_in_dn = no # Don\*(Aqt add the email into cert DN 623\& |
637\& name_opt = ca_default # Subject name display option 638\& cert_opt = ca_default # Certificate display option | 624\& name_opt = ca_default # Subject name display option 625\& cert_opt = ca_default # Certificate display option |
639\& copy_extensions = none # Don't copy extensions from request 640.Ve 641.PP 642.Vb 7 | 626\& copy_extensions = none # Don\*(Aqt copy extensions from request 627\& |
643\& [ policy_any ] 644\& countryName = supplied 645\& stateOrProvinceName = optional 646\& organizationName = optional 647\& organizationalUnitName = optional 648\& commonName = supplied 649\& emailAddress = optional 650.Ve 651.SH "FILES" 652.IX Header "FILES" 653Note: the location of all files can change either by compile time options, 654configuration file entries, environment variables or command line options. 655The values below reflect the default values. 656.PP 657.Vb 10 | 628\& [ policy_any ] 629\& countryName = supplied 630\& stateOrProvinceName = optional 631\& organizationName = optional 632\& organizationalUnitName = optional 633\& commonName = supplied 634\& emailAddress = optional 635.Ve 636.SH "FILES" 637.IX Header "FILES" 638Note: the location of all files can change either by compile time options, 639configuration file entries, environment variables or command line options. 640The values below reflect the default values. 641.PP 642.Vb 10 |
658\& /usr/local/ssl/lib/openssl.cnf - master configuration file 659\& ./demoCA - main CA directory 660\& ./demoCA/cacert.pem - CA certificate 661\& ./demoCA/private/cakey.pem - CA private key 662\& ./demoCA/serial - CA serial number file 663\& ./demoCA/serial.old - CA serial number backup file 664\& ./demoCA/index.txt - CA text database file 665\& ./demoCA/index.txt.old - CA text database backup file 666\& ./demoCA/certs - certificate output file 667\& ./demoCA/.rnd - CA random seed information | 643\& /usr/local/ssl/lib/openssl.cnf \- master configuration file 644\& ./demoCA \- main CA directory 645\& ./demoCA/cacert.pem \- CA certificate 646\& ./demoCA/private/cakey.pem \- CA private key 647\& ./demoCA/serial \- CA serial number file 648\& ./demoCA/serial.old \- CA serial number backup file 649\& ./demoCA/index.txt \- CA text database file 650\& ./demoCA/index.txt.old \- CA text database backup file 651\& ./demoCA/certs \- certificate output file 652\& ./demoCA/.rnd \- CA random seed information |
668.Ve 669.SH "ENVIRONMENT VARIABLES" 670.IX Header "ENVIRONMENT VARIABLES" 671\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can 672be overridden by the \fB\-config\fR command line option. 673.SH "RESTRICTIONS" 674.IX Header "RESTRICTIONS" 675The text database index file is a critical part of the process and --- 67 unchanged lines hidden --- | 653.Ve 654.SH "ENVIRONMENT VARIABLES" 655.IX Header "ENVIRONMENT VARIABLES" 656\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can 657be overridden by the \fB\-config\fR command line option. 658.SH "RESTRICTIONS" 659.IX Header "RESTRICTIONS" 660The text database index file is a critical part of the process and --- 67 unchanged lines hidden --- |