=pod

=head1 NAME

CA.pl - friendlier interface for OpenSSL certificate programs

=head1 SYNOPSIS

B<CA.pl>
[B<-?>]
[B<-h>]
[B<-help>]
[B<-newcert>]
[B<-newreq>]
[B<-newreq-nodes>]
[B<-newca>]
[B<-xsign>]
[B<-sign>]
[B<-signreq>]
[B<-signcert>]
[B<-verify>]
[B<files>]

=head1 DESCRIPTION

The B<CA.pl> script is a perl script that supplies the relevant command line
arguments to the B<openssl> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.

=head1 COMMAND OPTIONS

=over 4

=item B<?>, B<-h>, B<-help>

prints a usage message.

=item B<-newcert>

creates a new self signed certificate. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".

=item B<-newreq>

creates a new certificate request. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".

=item B<-newreq-nodes>

is like B<-newreq> except that the private key will not be encrypted.

=item B<-newca>

creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificate (which should also contain the private key); if ENTER is pressed
instead, the details of the CA will be prompted for. The relevant files and
directories are created in a directory called "demoCA" in the current
directory.

=item B<-pkcs12>

creates a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
file "newcert.pem" and the CA certificate to be in the file "demoCA/cacert.pem";
it creates the file "newcert.p12". This command can thus be called after the
B<-sign> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.

=item B<-sign>, B<-signreq>, B<-xsign>

calls the B<ca> program to sign a certificate request. It expects the request
to be in the file "newreq.pem". The new certificate is written to the file
"newcert.pem" except in the case of the B<-xsign> option, when it is written
to standard output.

=item B<-signCA>

this option is the same as the B<-signreq> option except it uses the configuration
file section B<v3_ca> and so makes the signed request a valid CA certificate. This
is useful when creating an intermediate CA from a root CA.

=item B<-signcert>

this option is the same as B<-sign> except it expects a self signed certificate
to be present in the file "newreq.pem".

=item B<-verify>

verifies certificates against the CA certificate for "demoCA". If no certificates
are specified on the command line it tries to verify the file "newcert.pem".

=item B<files>

one or more optional certificate file names for use with the B<-verify> command.

=back

=head1 EXAMPLES

Create a CA hierarchy:

 CA.pl -newca

Complete certificate creation example: create a CA, create a request, sign
the request and finally create a PKCS#12 file containing it.

 CA.pl -newca
 CA.pl -newreq
 CA.pl -signreq
 CA.pl -pkcs12 "My Test Certificate"

=head1 DSA CERTIFICATES

Although B<CA.pl> creates RSA CAs and requests it is still possible to
use it with DSA certificates and requests using the L<req(1)|req(1)> command
directly. The following example shows the steps that would typically be taken.

Create some DSA parameters:

 openssl dsaparam -out dsap.pem 1024

Create a DSA CA certificate and private key:

 openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem

Create the CA directories and files:

 CA.pl -newca

enter cacert.pem when prompted for the CA file name.

Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):

 openssl req -out newreq.pem -newkey dsa:dsap.pem

Sign the request:

 CA.pl -signreq

=head1 NOTES

Most of the filenames mentioned can be modified by editing the B<CA.pl> script.

If the demoCA directory already exists then the B<-newca> command will not
overwrite it and will do nothing. This can happen if a previous call using
the B<-newca> option terminated abnormally. To get the correct behaviour
delete the demoCA directory if it already exists.

Under some environments it may not be possible to run the B<CA.pl> script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:

 perl -S CA.pl

can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file "openssl.cnf".

The script is intended as a simple front end for the B<openssl> program for use
by a beginner. Its behaviour isn't always what is wanted. For more control over the
behaviour of the certificate commands call the B<openssl> command directly.

=head1 ENVIRONMENT VARIABLES

The variable B<OPENSSL_CONF>, if defined, allows an alternative configuration
file location to be specified; it should contain the full path to the
configuration file, not just its directory.
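
The EXAMPLES flow carried out with B<openssl> called directly, as the NOTES suggest, given here as an added example that is not part of B<CA.pl> or OpenSSL: it creates the "demoCA" layout (refusing an existing one, as NOTES describes for B<-newca>), points B<OPENSSL_CONF> at its own minimal configuration, then builds the root CA, the request, the signed certificate, the verification and the PKCS#12 file. The work directory, the subject names and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example (not CA.pl's or OpenSSL's own code): -newca/-newreq/-signreq/
# -verify/-pkcs12 done with openssl directly. Names and paths are assumptions.
set -eu
# Create the ./demoCA layout ca(1) expects; refuse if it is already there
# (e.g. left behind by an aborted -newca) instead of silently doing nothing.
ca_init() {
    [ ! -e "$1" ] || { echo "ca_init: $1 exists, delete it first" >&2; return 1; }
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"          # only the CA operator may read the key
    : > "$1/index.txt"; echo 01 > "$1/serial"   # ca(1) database and next serial
}
# Minimal configuration for req(1) and ca(1), written to the file named by $1.
write_conf() {
    cat > "$1" <<'EOF'
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Root CA, user key+request, signing, verification and PKCS#12 export in $1.
# Keys are unencrypted (as with -newreq-nodes) so this runs unattended.
ca_demo() (
    mkdir -p "$1" && cd "$1" && ca_init demoCA && write_conf openssl.cnf
    export OPENSSL_CONF=$PWD/openssl.cnf   # full path to the file, not its directory
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-Root-CA \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-user \
        -keyout newkey.pem -out newreq.pem
    openssl ca -batch -name CA_default -in newreq.pem -out newcert.pem
    openssl verify -CAfile demoCA/cacert.pem newcert.pem
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem \
        -name "My Test Certificate" -out newcert.p12 -passout pass:changeit
)
```

Run it as C<ca_demo /tmp/catest> to get the same files B<CA.pl> would leave behind (newkey.pem, newreq.pem, newcert.pem, newcert.p12 and the demoCA tree); a second C<ca_init demoCA> in that directory fails rather than reusing the hierarchy.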

=head1 SEE ALSO

L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
L<config(5)|config(5)>

=cut