Lines Matching +full:1 +full:- +full:of +full:- +full:4

18 .\" Set up some character translations and predefined strings.  \*(-- will
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
37 . ds -- \|\(em\|
51 .\" entries marked with X<> in POD. Of course, you'll have to process the
62 . tm Index:\\$1\t\\n%\t"\\$2"
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-CA 1ossl"
134 .TH OPENSSL-CA 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-ca \- sample minimal CA application
144 [\fB\-help\fR]
145 [\fB\-verbose\fR]
146 [\fB\-config\fR \fIfilename\fR]
147 [\fB\-name\fR \fIsection\fR]
148 [\fB\-section\fR \fIsection\fR]
149 [\fB\-gencrl\fR]
150 [\fB\-revoke\fR \fIfile\fR]
151 [\fB\-valid\fR \fIfile\fR]
152 [\fB\-status\fR \fIserial\fR]
153 [\fB\-updatedb\fR]
154 [\fB\-crl_reason\fR \fIreason\fR]
155 [\fB\-crl_hold\fR \fIinstruction\fR]
156 [\fB\-crl_compromise\fR \fItime\fR]
157 [\fB\-crl_CA_compromise\fR \fItime\fR]
158 [\fB\-crl_lastupdate\fR \fIdate\fR]
159 [\fB\-crl_nextupdate\fR \fIdate\fR]
160 [\fB\-crldays\fR \fIdays\fR]
161 [\fB\-crlhours\fR \fIhours\fR]
162 [\fB\-crlsec\fR \fIseconds\fR]
163 [\fB\-crlexts\fR \fIsection\fR]
164 [\fB\-startdate\fR \fIdate\fR]
165 [\fB\-enddate\fR \fIdate\fR]
166 [\fB\-days\fR \fIarg\fR]
167 [\fB\-md\fR \fIarg\fR]
168 [\fB\-policy\fR \fIarg\fR]
169 [\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR]
170 [\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR]
171 [\fB\-key\fR \fIarg\fR]
172 [\fB\-passin\fR \fIarg\fR]
173 [\fB\-cert\fR \fIfile\fR]
174 [\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR]
175 [\fB\-selfsign\fR]
176 [\fB\-in\fR \fIfile\fR]
177 [\fB\-inform\fR \fB\s-1DER\s0\fR|<\s-1PEM\s0>]
178 [\fB\-out\fR \fIfile\fR]
179 [\fB\-notext\fR]
180 [\fB\-dateopt\fR]
181 [\fB\-outdir\fR \fIdir\fR]
182 [\fB\-infiles\fR]
183 [\fB\-spkac\fR \fIfile\fR]
184 [\fB\-ss_cert\fR \fIfile\fR]
185 [\fB\-preserveDN\fR]
186 [\fB\-noemailDN\fR]
187 [\fB\-batch\fR]
188 [\fB\-msie_hack\fR]
189 [\fB\-extensions\fR \fIsection\fR]
190 [\fB\-extfile\fR \fIsection\fR]
191 [\fB\-subj\fR \fIarg\fR]
192 [\fB\-utf8\fR]
193 [\fB\-sigopt\fR \fInm\fR:\fIv\fR]
194 [\fB\-vfyopt\fR \fInm\fR:\fIv\fR]
195 [\fB\-create_serial\fR]
196 [\fB\-rand_serial\fR]
197 [\fB\-multivalue\-rdn\fR]
198 [\fB\-rand\fR \fIfiles\fR]
199 [\fB\-writerand\fR \fIfile\fR]
200 [\fB\-engine\fR \fIid\fR]
201 [\fB\-provider\fR \fIname\fR]
202 [\fB\-provider\-path\fR \fIpath\fR]
203 [\fB\-propquery\fR \fIpropq\fR]
207 This command emulates a \s-1CA\s0 application.
208 See the \fB\s-1WARNINGS\s0\fR especially when considering using it in production.
209 It can be used to sign certificate requests (CSRs) in a variety of forms
211 It also maintains a text database of issued certificates and their status.
213 with the \fB\-in\fR option, or multiple requests can be processed by
214 specifying a set of \fBcertreq\fR files after all options.
216 Note that there are also very lean ways of generating certificates:
218 See \fBopenssl\-req\fR\|(1) and \fBopenssl\-x509\fR\|(1) for details.
220 The descriptions of the \fBca\fR command options are divided into each purpose.
223 .IP "\fB\-help\fR" 4
224 .IX Item "-help"
226 .IP "\fB\-verbose\fR" 4
227 .IX Item "-verbose"
229 .IP "\fB\-config\fR \fIfilename\fR" 4
230 .IX Item "-config filename"
232 Optional; for a description of the default value,
233 see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
234 .IP "\fB\-name\fR \fIsection\fR, \fB\-section\fR \fIsection\fR" 4
235 .IX Item "-name section, -section section"
238 .IP "\fB\-in\fR \fIfilename\fR" 4
239 .IX Item "-in filename"
240 An input filename containing a single certificate request (\s-1CSR\s0) to be
241 signed by the \s-1CA.\s0
242 .IP "\fB\-inform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR" 4
243 .IX Item "-inform DER|PEM"
244 The format of the data in certificate request input files;
246 See \fBopenssl\-format\-options\fR\|(1) for details.
247 .IP "\fB\-ss_cert\fR \fIfilename\fR" 4
248 .IX Item "-ss_cert filename"
249 A single self-signed certificate to be signed by the \s-1CA.\s0
250 .IP "\fB\-spkac\fR \fIfilename\fR" 4
251 .IX Item "-spkac filename"
253 and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
255 .IP "\fB\-infiles\fR" 4
256 .IX Item "-infiles"
258 are taken as the names of files containing certificate requests.
259 .IP "\fB\-out\fR \fIfilename\fR" 4
260 .IX Item "-out filename"
263 file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
264 .IP "\fB\-outdir\fR \fIdirectory\fR" 4
265 .IX Item "-outdir directory"
267 written to a filename consisting of the serial number in hex with
269 .IP "\fB\-cert\fR \fIfilename\fR" 4
270 .IX Item "-cert filename"
271 The \s-1CA\s0 certificate, which must match with \fB\-keyfile\fR.
272 .IP "\fB\-certform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR" 4
273 .IX Item "-certform DER|PEM|P12"
274 The format of the data in certificate input files; unspecified by default.
275 See \fBopenssl\-format\-options\fR\|(1) for details.
276 .IP "\fB\-keyfile\fR \fIfilename\fR|\fIuri\fR" 4
277 .IX Item "-keyfile filename|uri"
278 The \s-1CA\s0 private key to sign certificate requests with.
279 This must match with \fB\-cert\fR.
280 .IP "\fB\-keyform\fR \fB\s-1DER\s0\fR|\fB\s-1PEM\s0\fR|\fBP12\fR|\fB\s-1ENGINE\s0\fR" 4
281 .IX Item "-keyform DER|PEM|P12|ENGINE"
282 The format of the private key input file; unspecified by default.
283 See \fBopenssl\-format\-options\fR\|(1) for details.
284 .IP "\fB\-sigopt\fR \fInm\fR:\fIv\fR" 4
285 .IX Item "-sigopt nm:v"
287 Names and values of these options are algorithm-specific.
288 .IP "\fB\-vfyopt\fR \fInm\fR:\fIv\fR" 4
289 .IX Item "-vfyopt nm:v"
291 Names and values of these options are algorithm-specific.
293 This often needs to be given while signing too, because the self-signature of
294 a certificate signing request (\s-1CSR\s0) is verified against the included public key,
295 and that verification may need its own set of options.
296 .IP "\fB\-key\fR \fIpassword\fR" 4
297 .IX Item "-key password"
300 \&\fBps\fR\|(1) on Unix),
302 Better use \fB\-passin\fR.
303 .IP "\fB\-passin\fR \fIarg\fR" 4
304 .IX Item "-passin arg"
306 For more information about the format of \fBarg\fR
307 see \fBopenssl\-passphrase\-options\fR\|(1).
308 .IP "\fB\-selfsign\fR" 4
309 .IX Item "-selfsign"
311 the certificate requests were signed with (given with \fB\-keyfile\fR).
313 If \fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored.
315 A consequence of using \fB\-selfsign\fR is that the self-signed
319 self-signed certificate.
320 .IP "\fB\-notext\fR" 4
321 .IX Item "-notext"
322 Don't output the text form of a certificate to the output file.
323 .IP "\fB\-dateopt\fR" 4
324 .IX Item "-dateopt"
327 .IP "\fB\-startdate\fR \fIdate\fR" 4
328 .IX Item "-startdate date"
329 This allows the start date to be explicitly set. The format of the
330 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
331 \&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
332 both formats, seconds \s-1SS\s0 and timezone Z must be present.
333 .IP "\fB\-enddate\fR \fIdate\fR" 4
334 .IX Item "-enddate date"
335 This allows the expiry date to be explicitly set. The format of the
336 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
337 \&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
338 both formats, seconds \s-1SS\s0 and timezone Z must be present.
339 .IP "\fB\-days\fR \fIarg\fR" 4
340 .IX Item "-days arg"
341 The number of days to certify the certificate for.
342 .IP "\fB\-md\fR \fIalg\fR" 4
343 .IX Item "-md alg"
345 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used. For signing
348 .IP "\fB\-policy\fR \fIarg\fR" 4
349 .IX Item "-policy arg"
350 This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
352 or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
354 .IP "\fB\-msie_hack\fR" 4
355 .IX Item "-msie_hack"
357 of the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
360 .IP "\fB\-preserveDN\fR" 4
361 .IX Item "-preserveDN"
362 Normally the \s-1DN\s0 order of a certificate is the same as the order of the
365 older \s-1IE\s0 enrollment control which would only accept certificates if their
366 DNs match the order of the request. This is not needed for Xenroll.
367 .IP "\fB\-noemailDN\fR" 4
368 .IX Item "-noemailDN"
369 The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
370 request \s-1DN;\s0 however, it is good policy to have the e\-mail set only in
371 the altName extension of the certificate. When this option is set the
372 \&\s-1EMAIL\s0 field is removed from the certificate's subject and set only in
375 .IP "\fB\-batch\fR" 4
376 .IX Item "-batch"
379 .IP "\fB\-extensions\fR \fIsection\fR" 4
380 .IX Item "-extensions section"
381 The section of the configuration file containing certificate extensions
383 unless the \fB\-extfile\fR option is used).
386 See the \fBx509v3_config\fR\|(5) manual page for details of the
388 .IP "\fB\-extfile\fR \fIfile\fR" 4
389 .IX Item "-extfile file"
391 (using the default section unless the \fB\-extensions\fR option is also
393 .IP "\fB\-subj\fR \fIarg\fR" 4
394 .IX Item "-subj arg"
401 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
402 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
403 between the AttributeValueAssertions (AVAs) that specify the members of the set.
407 .IP "\fB\-utf8\fR" 4
408 .IX Item "-utf8"
409 This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
410 default they are interpreted as \s-1ASCII.\s0 This means that the field
412 configuration file, must be valid \s-1UTF8\s0 strings.
413 .IP "\fB\-create_serial\fR" 4
414 .IX Item "-create_serial"
418 To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this
419 should only be used for simple error-recovery.
420 .IP "\fB\-rand_serial\fR" 4
421 .IX Item "-rand_serial"
424 .IP "\fB\-multivalue\-rdn\fR" 4
425 .IX Item "-multivalue-rdn"
427 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
428 .IX Item "-rand files, -writerand file"
429 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
430 .IP "\fB\-engine\fR \fIid\fR" 4
431 .IX Item "-engine id"
432 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
434 .IP "\fB\-provider\fR \fIname\fR" 4
435 .IX Item "-provider name"
437 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
438 .IX Item "-provider-path path"
439 .IP "\fB\-propquery\fR \fIpropq\fR" 4
440 .IX Item "-propquery propq"
442 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
445 .IP "\fB\-gencrl\fR" 4
446 .IX Item "-gencrl"
447 This option generates a \s-1CRL\s0 based on information in the index file.
448 .IP "\fB\-crl_lastupdate\fR \fItime\fR" 4
449 .IX Item "-crl_lastupdate time"
450 Allows the value of the \s-1CRL\s0's lastUpdate field to be explicitly set; if
452 \&\s-1YYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 UTCTime structure) or
453 \&\s-1YYYYMMDDHHMMSSZ\s0 format (the same as an \s-1ASN1\s0 GeneralizedTime structure).
454 .IP "\fB\-crl_nextupdate\fR \fItime\fR" 4
455 .IX Item "-crl_nextupdate time"
456 Allows the value of the \s-1CRL\s0's nextUpdate field to be explicitly set; if
457 this option is present, any values given for \fB\-crldays\fR, \fB\-crlhours\fR
458 and \fB\-crlsec\fR are ignored. Accepts times in the same formats as
459 \&\fB\-crl_lastupdate\fR.
460 .IP "\fB\-crldays\fR \fInum\fR" 4
461 .IX Item "-crldays num"
462 The number of days before the next \s-1CRL\s0 is due. That is the days from
463 now to place in the \s-1CRL\s0 nextUpdate field.
464 .IP "\fB\-crlhours\fR \fInum\fR" 4
465 .IX Item "-crlhours num"
466 The number of hours before the next \s-1CRL\s0 is due.
467 .IP "\fB\-crlsec\fR \fInum\fR" 4
468 .IX Item "-crlsec num"
469 The number of seconds before the next \s-1CRL\s0 is due.
470 .IP "\fB\-revoke\fR \fIfilename\fR" 4
471 .IX Item "-revoke filename"
473 .IP "\fB\-valid\fR \fIfilename\fR" 4
474 .IX Item "-valid filename"
476 .IP "\fB\-status\fR \fIserial\fR" 4
477 .IX Item "-status serial"
478 Displays the revocation status of the certificate with the specified
480 .IP "\fB\-updatedb\fR" 4
481 .IX Item "-updatedb"
483 .IP "\fB\-crl_reason\fR \fIreason\fR" 4
484 .IX Item "-crl_reason reason"
485 Revocation reason, where \fIreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
487 \&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fIreason\fR is case
488 insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
492 .IP "\fB\-crl_hold\fR \fIinstruction\fR" 4
493 .IX Item "-crl_hold instruction"
494 This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
495 instruction to \fIinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
496 used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
498 .IP "\fB\-crl_compromise\fR \fItime\fR" 4
499 .IX Item "-crl_compromise time"
501 \&\fItime\fR. \fItime\fR should be in GeneralizedTime format that is \fI\s-1YYYYMMDDHHMMSSZ\s0\fR.
502 .IP "\fB\-crl_CA_compromise\fR \fItime\fR" 4
503 .IX Item "-crl_CA_compromise time"
506 .IP "\fB\-crlexts\fR \fIsection\fR" 4
507 .IX Item "-crlexts section"
508 The section of the configuration file containing \s-1CRL\s0 extensions to
509 include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
510 created, if the \s-1CRL\s0 extension section is present (even if it is
511 empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
512 \&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
514 \&\fBx509v3_config\fR\|(5) manual page for details of the
518 The section of the configuration file containing options for this command
519 is found as follows: If the \fB\-name\fR command line option is used,
521 be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
522 of the configuration file (or in the default section of the
525 \s-1RANDFILE\s0
528 With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
531 Many of the configuration file options are identical to command line
537 .IP "\fBoid_file\fR" 4
539 This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
540 Each line of the file should consist of the numerical form of the
543 .IP "\fBoid_section\fR" 4
546 object identifiers. Each line should consist of the short name of the
549 .IP "\fBnew_certs_dir\fR" 4
551 The same as the \fB\-outdir\fR command line option. It specifies
553 .IP "\fBcertificate\fR" 4
555 The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
557 .IP "\fBprivate_key\fR" 4
559 Same as the \fB\-keyfile\fR option. The file containing the
560 \&\s-1CA\s0 private key. Mandatory.
561 .IP "\fB\s-1RANDFILE\s0\fR" 4
564 and at exit 256 bytes will be written to it. (Note: Using a \s-1RANDFILE\s0 is
565 not necessary anymore, see the \*(L"\s-1HISTORY\*(R"\s0 section.)
566 .IP "\fBdefault_days\fR" 4
568 The same as the \fB\-days\fR option. The number of days to certify
570 .IP "\fBdefault_startdate\fR" 4
572 The same as the \fB\-startdate\fR option. The start date to certify
574 .IP "\fBdefault_enddate\fR" 4
576 The same as the \fB\-enddate\fR option. Either this option or
579 .IP "\fBdefault_crl_hours default_crl_days\fR" 4
581 The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
583 least one of these must be present to generate a \s-1CRL.\s0
584 .IP "\fBdefault_md\fR" 4
586 The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does
588 .IP "\fBdatabase\fR" 4
592 .IP "\fBunique_subject\fR" 4
598 versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
600 the \fB\-selfsign\fR command line option.
605 .IP "\fBserial\fR" 4
609 .IP "\fBcrlnumber\fR" 4
611 A text file containing the next \s-1CRL\s0 number to use in hex. The crl number
613 present, it must contain a valid \s-1CRL\s0 number.
614 .IP "\fBx509_extensions\fR" 4
616 A fallback to the \fB\-extensions\fR option.
617 .IP "\fBcrl_extensions\fR" 4
619 A fallback to the \fB\-crlexts\fR option.
620 .IP "\fBpreserve\fR" 4
622 The same as \fB\-preserveDN\fR
623 .IP "\fBemail_in_dn\fR" 4
625 The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
626 from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
627 the default is to allow for the \s-1EMAIL\s0 field in the certificate's \s-1DN.\s0
628 .IP "\fBmsie_hack\fR" 4
630 The same as \fB\-msie_hack\fR
631 .IP "\fBpolicy\fR" 4
633 The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section
635 .IP "\fBname_opt\fR, \fBcert_opt\fR" 4
639 the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
647 If neither option is present the format used in earlier versions of
648 OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
651 .IP "\fBcopy_extensions\fR" 4
659 in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
662 The main use of this option is to allow a certificate request to supply
666 The policy section consists of a set of variables corresponding to
667 certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
668 must match the same field in the \s-1CA\s0 certificate. If the value is
671 are silently deleted, unless the \fB\-preserveDN\fR option is set but
672 this can be regarded more as a quirk than intended behaviour.
675 The input to the \fB\-spkac\fR command line option is a Netscape
677 the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
678 It is however possible to create SPKACs using \fBopenssl\-spkac\fR\|(1).
680 The file should contain the variable \s-1SPKAC\s0 set to the value of
681 the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
685 When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR
686 flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
692 usually involves creating a \s-1CA\s0 certificate and private key with
693 \&\fBopenssl\-req\fR\|(1), a serial number file and an empty index file and
697 \&\fIdemoCA/private\fR and \fIdemoCA/newcerts\fR would be created. The \s-1CA\s0
705 .Vb 1
706 \& openssl ca \-in req.pem \-out newcert.pem
709 Sign an \s-1SM2\s0 certificate request:
712 \& openssl ca \-in sm2.csr \-out sm2.crt \-md sm3 \e
713 \& \-sigopt "distid:1234567812345678" \e
714 \& \-vfyopt "distid:1234567812345678"
717 Sign a certificate request, using \s-1CA\s0 extensions:
719 .Vb 1
720 \& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem
723 Generate a \s-1CRL\s0
725 .Vb 1
726 \& openssl ca \-gencrl \-out crl.pem
731 .Vb 1
732 \& openssl ca \-infiles req1.pem req2.pem req3.pem
735 Certify a Netscape \s-1SPKAC:\s0
737 .Vb 1
738 \& openssl ca \-spkac spkac.txt
741 A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
748 \& 1.OU=Another Group
789 Note: the location of all files can change either by compile time options,
794 \& /etc/ssl/openssl.cnf \- master configuration file
795 \& ./demoCA \- main CA directory
796 \& ./demoCA/cacert.pem \- CA certificate
797 \& ./demoCA/private/cakey.pem \- CA private key
798 \& ./demoCA/serial \- CA serial number file
799 \& ./demoCA/serial.old \- CA serial number backup file
800 \& ./demoCA/index.txt \- CA text database file
801 \& ./demoCA/index.txt.old \- CA text database backup file
802 \& ./demoCA/certs \- certificate output file
806 The text database index file is a critical part of the process and
809 \&\s-1CRL:\s0 however there is no option to do this.
811 V2 \s-1CRL\s0 features like delta CRLs are not currently supported.
814 possible to include one \s-1SPKAC\s0 or self-signed certificate.
819 The use of an in-memory text database can cause problems when large
820 numbers of certificates are present because, as the name implies
824 exposed at either a command or interface level so that a more user-friendly
826 \&\fB\s-1CA\s0.pl\fR helps a little but not very much.
829 deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
830 enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by
831 RFCs, regardless of the contents of the request's subject, the \fB\-noemailDN\fR
839 This command was originally meant as an example of how to do things in a \s-1CA.\s0
841 It was not supposed to be used as a full blown \s-1CA\s0 itself,
845 It is advisable to keep them in a secure \s-1HW\s0 storage such as a smart card or \s-1HSM\s0
854 request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
857 a valid \s-1CA\s0 certificate.
859 and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
866 Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
867 For example if the \s-1CA\s0 certificate has:
869 .Vb 1
873 then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
876 Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically,
877 certificate validity period (specified by any of \fB\-startdate\fR,
878 \&\fB\-enddate\fR and \fB\-days\fR) and \s-1CRL\s0 last/next update time (specified by
879 any of \fB\-crl_lastupdate\fR, \fB\-crl_nextupdate\fR, \fB\-crldays\fR, \fB\-crlhours\fR
880 and \fB\-crlsec\fR) will be encoded as UTCTime if the dates are
884 OpenSSL 1.1.1 introduced a new random generator (\s-1CSPRNG\s0) with an improved
886 define a \s-1RANDFILE\s0 for saving and restoring randomness. This option is
889 The \fB\-section\fR option was added in OpenSSL 3.0.0.
891 The \fB\-multivalue\-rdn\fR option has become obsolete in OpenSSL 3.0.0 and
894 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
897 \&\fBopenssl\fR\|(1),
898 \&\fBopenssl\-req\fR\|(1),
899 \&\fBopenssl\-spkac\fR\|(1),
900 \&\fBopenssl\-x509\fR\|(1),
901 \&\s-1\fBCA\s0.pl\fR\|(1),
906 Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
910 in the file \s-1LICENSE\s0 in the source distribution or at