Upgrade to OpenSSL 0.9.8h.
[dragonfly.git] / secure / usr.bin / openssl / man / CA.pl.1
aac4ff6f 1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
8b0cefbb
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
aac4ff6f
PA
28.\" double quote, and \*(R" will give a right double quote. | will give a
29.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
30.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
31.\" expand to `' in nroff, nothing in troff, for use with C<>.
32.tr \(*W-|\(bv\*(Tr
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
8b0cefbb
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
8b0cefbb
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb
JR
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
8b0cefbb
JR
59. nr % 0
60. rr F
984263bc 61.\}
8b0cefbb 62.\"
aac4ff6f
PA
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes
64.\" way too many mistakes in technical documents.
65.hy 0
66.if n .na
67.\"
8b0cefbb
JR
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff
984263bc 71.if n \{\
8b0cefbb
JR
72. ds #H 0
73. ds #V .8m
74. ds #F .3m
75. ds #[ \f1
76. ds #] \fP
984263bc
MD
77.\}
78.if t \{\
8b0cefbb
JR
79. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
80. ds #V .6m
81. ds #F 0
82. ds #[ \&
83. ds #] \&
984263bc 84.\}
8b0cefbb 85. \" simple accents for nroff and troff
984263bc 86.if n \{\
8b0cefbb
JR
87. ds ' \&
88. ds ` \&
89. ds ^ \&
90. ds , \&
91. ds ~ ~
92. ds /
984263bc
MD
93.\}
94.if t \{\
8b0cefbb
JR
95. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
96. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
97. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
98. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
99. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
100. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 101.\}
8b0cefbb 102. \" troff and (daisy-wheel) nroff accents
984263bc
MD
103.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
104.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
105.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
106.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
107.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
108.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
109.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
110.ds ae a\h'-(\w'a'u*4/10)'e
111.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 112. \" corrections for vroff
984263bc
MD
113.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
114.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 115. \" for low resolution devices (crt and lpr)
984263bc
MD
116.if \n(.H>23 .if \n(.V>19 \
117\{\
8b0cefbb
JR
118. ds : e
119. ds 8 ss
120. ds o a
121. ds d- d\h'-1'\(ga
122. ds D- D\h'-1'\(hy
123. ds th \o'bp'
124. ds Th \o'LP'
125. ds ae ae
126. ds Ae AE
984263bc
MD
127.\}
128.rm #[ #] #H #V #F C
8b0cefbb
JR
129.\" ========================================================================
130.\"
131.IX Title "CA.PL 1"
aac4ff6f 132.TH CA.PL 1 "2008-09-06" "0.9.8h" "OpenSSL"
984263bc 133.SH "NAME"
e3cdf75b 134CA.pl \- friendlier interface for OpenSSL certificate programs
984263bc 135.SH "SYNOPSIS"
8b0cefbb
JR
136.IX Header "SYNOPSIS"
137\&\fB\s-1CA\s0.pl\fR
984263bc
MD
138[\fB\-?\fR]
139[\fB\-h\fR]
140[\fB\-help\fR]
141[\fB\-newcert\fR]
142[\fB\-newreq\fR]
8b0cefbb 143[\fB\-newreq\-nodes\fR]
984263bc
MD
144[\fB\-newca\fR]
145[\fB\-xsign\fR]
146[\fB\-sign\fR]
147[\fB\-signreq\fR]
148[\fB\-signcert\fR]
149[\fB\-verify\fR]
150[\fBfiles\fR]
151.SH "DESCRIPTION"
8b0cefbb
JR
152.IX Header "DESCRIPTION"
153The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
984263bc
MD
154arguments to the \fBopenssl\fR command for some common certificate operations.
155It is intended to simplify the process of certificate creation and management
156by the use of some simple options.
157.SH "COMMAND OPTIONS"
8b0cefbb
JR
158.IX Header "COMMAND OPTIONS"
159.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
160.IX Item "?, -h, -help"
984263bc 161prints a usage message.
8b0cefbb
JR
162.IP "\fB\-newcert\fR" 4
163.IX Item "-newcert"
984263bc
MD
164creates a new self signed certificate. The private key and certificate are
165written to the file \*(L"newreq.pem\*(R".
8b0cefbb
JR
166.IP "\fB\-newreq\fR" 4
167.IX Item "-newreq"
984263bc
MD
168creates a new certificate request. The private key and request are
169written to the file \*(L"newreq.pem\*(R".
a561f9ff
SS
170.IP "\fB\-newreq\-nodes\fR" 4
171.IX Item "-newreq-nodes"
984263bc 172is like \fB\-newreq\fR except that the private key will not be encrypted. The key written to \*(L"newreq.pem\*(R" is then protected only by the permissions on that file.
8b0cefbb
JR
173.IP "\fB\-newca\fR" 4
174.IX Item "-newca"
984263bc
MD
175creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
176and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
177certificates (which should also contain the private key); if the user instead hits \s-1ENTER\s0,
178the details of the \s-1CA\s0 are prompted for. The relevant files and directories
179are created in a directory called \*(L"demoCA\*(R" in the current directory.
8b0cefbb
JR
180.IP "\fB\-pkcs12\fR" 4
181.IX Item "-pkcs12"
182create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
984263bc
MD
183certificate. It expects the user certificate and private key to be in the
184file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
185and it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
8b0cefbb 186\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
984263bc 187If there is an additional argument on the command line it will be used as the
8b0cefbb 188\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
984263bc 189list box), otherwise the name \*(L"My Certificate\*(R" is used.
8b0cefbb
JR
190.IP "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
191.IX Item "-sign, -signreq, -xsign"
984263bc
MD
192calls the \fBca\fR program to sign a certificate request. It expects the request
193to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
8b0cefbb 194\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
984263bc 195to standard output.
8b0cefbb
JR
196.IP "\fB\-signCA\fR" 4
197.IX Item "-signCA"
984263bc
MD
198this option is the same as the \fB\-signreq\fR option except it uses the configuration
199file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
200is useful when creating an intermediate \s-1CA\s0 from a root \s-1CA\s0.
8b0cefbb
JR
201.IP "\fB\-signcert\fR" 4
202.IX Item "-signcert"
984263bc
MD
203this option is the same as \fB\-sign\fR except it expects a self signed certificate
204to be present in the file \*(L"newreq.pem\*(R".
8b0cefbb
JR
205.IP "\fB\-verify\fR" 4
206.IX Item "-verify"
984263bc 207verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates
aac4ff6f 208are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R".
8b0cefbb
JR
209.IP "\fBfiles\fR" 4
210.IX Item "files"
984263bc
MD
211one or more optional certificate file names for use with the \fB\-verify\fR command.
212.SH "EXAMPLES"
8b0cefbb
JR
213.IX Header "EXAMPLES"
214Create a \s-1CA\s0 hierarchy:
984263bc
MD
215.PP
216.Vb 1
aac4ff6f 217\& CA.pl -newca
984263bc 218.Ve
8b0cefbb
JR
219.PP
220Complete certificate creation example: create a \s-1CA\s0, create a request, sign
984263bc
MD
221the request and finally create a PKCS#12 file containing it.
222.PP
223.Vb 4
aac4ff6f
PA
224\& CA.pl -newca
225\& CA.pl -newreq
226\& CA.pl -signreq
227\& CA.pl -pkcs12 "My Test Certificate"
984263bc
MD
228.Ve
229.SH "DSA CERTIFICATES"
8b0cefbb
JR
230.IX Header "DSA CERTIFICATES"
231Although \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests, it is still possible to
232use it with \s-1DSA\s0 certificates and requests using the \fIreq\fR\|(1) command
984263bc
MD
233directly. The following example shows the steps that would typically be taken.
234.PP
8b0cefbb 235Create some \s-1DSA\s0 parameters (the 1024 bit size is the one used in this example; larger sizes are generally recommended today):
984263bc
MD
236.PP
237.Vb 1
aac4ff6f 238\& openssl dsaparam -out dsap.pem 1024
984263bc 239.Ve
8b0cefbb
JR
240.PP
241Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key:
984263bc
MD
242.PP
243.Vb 1
aac4ff6f 244\& openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
984263bc 245.Ve
8b0cefbb
JR
246.PP
247Create the \s-1CA\s0 directories and files:
984263bc
MD
248.PP
249.Vb 1
aac4ff6f 250\& CA.pl -newca
984263bc 251.Ve
984263bc 252.PP
8b0cefbb
JR
253enter cacert.pem when prompted for the \s-1CA\s0 file name.
254.PP
255Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
984263bc
MD
256can optionally be created first):
257.PP
258.Vb 1
aac4ff6f 259\& openssl req -out newreq.pem -newkey dsa:dsap.pem
984263bc 260.Ve
8b0cefbb 261.PP
984263bc
MD
262Sign the request:
263.PP
264.Vb 1
aac4ff6f 265\& CA.pl -signreq
984263bc
MD
266.Ve
267.SH "NOTES"
8b0cefbb
JR
268.IX Header "NOTES"
269Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
984263bc
MD
270.PP
271If the demoCA directory already exists then the \fB\-newca\fR command will not
272overwrite it and will do nothing. This can happen if a previous call using
273the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
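274delete the demoCA directory if it already exists. Do this only for a directory left behind by an aborted run, since deleting the demoCA directory of a working \s-1CA\s0 discards that \s-1CA\s0's files.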
275.PP
8b0cefbb 276Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
984263bc
MD
277directly (for example Win32) and the default configuration file location may
278be wrong. In this case the command:
279.PP
280.Vb 1
aac4ff6f 281\& perl -S CA.pl
984263bc 282.Ve
8b0cefbb
JR
283.PP
284can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to
984263bc
MD
285the correct path of the configuration file \*(L"openssl.cnf\*(R".
286.PP
287The script is intended as a simple front end for the \fBopenssl\fR program for use
288by a beginner. Its behaviour isn't always what is wanted. For more control over the
289behaviour of the certificate commands call the \fBopenssl\fR command directly.
290.SH "ENVIRONMENT VARIABLES"
8b0cefbb
JR
291.IX Header "ENVIRONMENT VARIABLES"
292The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
984263bc
MD
293file location to be specified; it should contain the full path to the
294configuration file, not just its directory.
295.SH "SEE ALSO"
e3cdf75b 296.IX Header "SEE ALSO"
8b0cefbb
JR
297\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIreq\fR\|(1), \fIpkcs12\fR\|(1),
298\&\fIconfig\fR\|(5)