Update per latest manual pages after running 'man-update'.
[dragonfly.git] / secure / usr.bin / openssl / man / ca.1
CommitLineData
984263bc
MD
1.\" Automatically generated by Pod::Man version 1.15
2.\" Wed Feb 19 16:49:31 2003
3.\"
4.\" Standard preamble:
5.\" ======================================================================
6.de Sh \" Subsection heading
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
14.de Sp \" Vertical space (when we can't use .PP)
15.if t .sp .5v
16.if n .sp
17..
18.de Ip \" List item
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
24.de Vb \" Begin verbatim text
25.ft CW
26.nf
27.ne \\$1
28..
29.de Ve \" End verbatim text
30.ft R
31
32.fi
33..
34.\" Set up some character translations and predefined strings. \*(-- will
35.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
36.\" double quote, and \*(R" will give a right double quote. | will give a
37.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
38.\" to do unbreakable dashes and therefore won't be available. \*(C` and
39.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
40.tr \(*W-|\(bv\*(Tr
41.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
42.ie n \{\
43. ds -- \(*W-
44. ds PI pi
45. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
46. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47. ds L" ""
48. ds R" ""
49. ds C` ""
50. ds C' ""
51'br\}
52.el\{\
53. ds -- \|\(em\|
54. ds PI \(*p
55. ds L" ``
56. ds R" ''
57'br\}
58.\"
59.\" If the F register is turned on, we'll generate index entries on stderr
60.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
61.\" index entries marked with X<> in POD. Of course, you'll have to process
62.\" the output yourself in some meaningful fashion.
63.if \nF \{\
64. de IX
65. tm Index:\\$1\t\\n%\t"\\$2"
66..
67. nr % 0
68. rr F
69.\}
70.\"
71.\" For nroff, turn off justification. Always turn off hyphenation; it
72.\" makes way too many mistakes in technical documents.
73.hy 0
74.if n .na
75.\"
76.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
77.\" Fear. Run. Save yourself. No user-serviceable parts.
78.bd B 3
79. \" fudge factors for nroff and troff
80.if n \{\
81. ds #H 0
82. ds #V .8m
83. ds #F .3m
84. ds #[ \f1
85. ds #] \fP
86.\}
87.if t \{\
88. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
89. ds #V .6m
90. ds #F 0
91. ds #[ \&
92. ds #] \&
93.\}
94. \" simple accents for nroff and troff
95.if n \{\
96. ds ' \&
97. ds ` \&
98. ds ^ \&
99. ds , \&
100. ds ~ ~
101. ds /
102.\}
103.if t \{\
104. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
105. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
106. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
107. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
108. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
109. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
110.\}
111. \" troff and (daisy-wheel) nroff accents
112.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
113.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
114.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
115.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
116.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
117.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
118.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
119.ds ae a\h'-(\w'a'u*4/10)'e
120.ds Ae A\h'-(\w'A'u*4/10)'E
121. \" corrections for vroff
122.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
123.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
124. \" for low resolution devices (crt and lpr)
125.if \n(.H>23 .if \n(.V>19 \
126\{\
127. ds : e
128. ds 8 ss
129. ds o a
130. ds d- d\h'-1'\(ga
131. ds D- D\h'-1'\(hy
132. ds th \o'bp'
133. ds Th \o'LP'
134. ds ae ae
135. ds Ae AE
136.\}
137.rm #[ #] #H #V #F C
138.\" ======================================================================
139.\"
140.IX Title "CA 1"
141.TH CA 1 "0.9.7a" "2003-02-19" "OpenSSL"
142.UC
143.SH "NAME"
144ca \- sample minimal \s-1CA\s0 application
145.SH "SYNOPSIS"
146.IX Header "SYNOPSIS"
147\&\fBopenssl\fR \fBca\fR
148[\fB\-verbose\fR]
149[\fB\-config filename\fR]
150[\fB\-name section\fR]
151[\fB\-gencrl\fR]
152[\fB\-revoke file\fR]
153[\fB\-crl_reason reason\fR]
154[\fB\-crl_hold instruction\fR]
155[\fB\-crl_compromise time\fR]
156[\fB\-crl_CA_compromise time\fR]
157[\fB\-subj arg\fR]
158[\fB\-crldays days\fR]
159[\fB\-crlhours hours\fR]
160[\fB\-crlexts section\fR]
161[\fB\-startdate date\fR]
162[\fB\-enddate date\fR]
163[\fB\-days arg\fR]
164[\fB\-md arg\fR]
165[\fB\-policy arg\fR]
166[\fB\-keyfile arg\fR]
167[\fB\-key arg\fR]
168[\fB\-passin arg\fR]
169[\fB\-cert file\fR]
170[\fB\-in file\fR]
171[\fB\-out file\fR]
172[\fB\-notext\fR]
173[\fB\-outdir dir\fR]
174[\fB\-infiles\fR]
175[\fB\-spkac file\fR]
176[\fB\-ss_cert file\fR]
177[\fB\-preserveDN\fR]
178[\fB\-noemailDN\fR]
179[\fB\-batch\fR]
180[\fB\-msie_hack\fR]
181[\fB\-extensions section\fR]
182[\fB\-extfile section\fR]
183[\fB\-engine id\fR]
184.SH "DESCRIPTION"
185.IX Header "DESCRIPTION"
186The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
187to sign certificate requests in a variety of forms and generate
188CRLs it also maintains a text database of issued certificates
189and their status.
190.PP
191The options descriptions will be divided into each purpose.
192.SH "CA OPTIONS"
193.IX Header "CA OPTIONS"
194.Ip "\fB\-config filename\fR" 4
195.IX Item "-config filename"
196specifies the configuration file to use.
197.Ip "\fB\-name section\fR" 4
198.IX Item "-name section"
199specifies the configuration file section to use (overrides
200\&\fBdefault_ca\fR in the \fBca\fR section).
201.Ip "\fB\-in filename\fR" 4
202.IX Item "-in filename"
203an input filename containing a single certificate request to be
204signed by the \s-1CA\s0.
205.Ip "\fB\-ss_cert filename\fR" 4
206.IX Item "-ss_cert filename"
207a single self signed certificate to be signed by the \s-1CA\s0.
208.Ip "\fB\-spkac filename\fR" 4
209.IX Item "-spkac filename"
210a file containing a single Netscape signed public key and challenge
211and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR
212section for information on the required format.
213.Ip "\fB\-infiles\fR" 4
214.IX Item "-infiles"
215if present this should be the last option, all subsequent arguments
216are assumed to the the names of files containing certificate requests.
217.Ip "\fB\-out filename\fR" 4
218.IX Item "-out filename"
219the output file to output certificates to. The default is standard
220output. The certificate details will also be printed out to this
221file.
222.Ip "\fB\-outdir directory\fR" 4
223.IX Item "-outdir directory"
224the directory to output certificates to. The certificate will be
225written to a filename consisting of the serial number in hex with
226\&\*(L".pem\*(R" appended.
227.Ip "\fB\-cert\fR" 4
228.IX Item "-cert"
229the \s-1CA\s0 certificate file.
230.Ip "\fB\-keyfile filename\fR" 4
231.IX Item "-keyfile filename"
232the private key to sign requests with.
233.Ip "\fB\-key password\fR" 4
234.IX Item "-key password"
235the password used to encrypt the private key. Since on some
236systems the command line arguments are visible (e.g. Unix with
237the 'ps' utility) this option should be used with caution.
238.Ip "\fB\-passin arg\fR" 4
239.IX Item "-passin arg"
240the key password source. For more information about the format of \fBarg\fR
241see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
242.Ip "\fB\-verbose\fR" 4
243.IX Item "-verbose"
244this prints extra details about the operations being performed.
245.Ip "\fB\-notext\fR" 4
246.IX Item "-notext"
247don't output the text form of a certificate to the output file.
248.Ip "\fB\-startdate date\fR" 4
249.IX Item "-startdate date"
250this allows the start date to be explicitly set. The format of the
251date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
252.Ip "\fB\-enddate date\fR" 4
253.IX Item "-enddate date"
254this allows the expiry date to be explicitly set. The format of the
255date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
256.Ip "\fB\-days arg\fR" 4
257.IX Item "-days arg"
258the number of days to certify the certificate for.
259.Ip "\fB\-md alg\fR" 4
260.IX Item "-md alg"
261the message digest to use. Possible values include md5, sha1 and mdc2.
262This option also applies to CRLs.
263.Ip "\fB\-policy arg\fR" 4
264.IX Item "-policy arg"
265this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
266the configuration file which decides which fields should be mandatory
267or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
268for more information.
269.Ip "\fB\-msie_hack\fR" 4
270.IX Item "-msie_hack"
271this is a legacy option to make \fBca\fR work with very old versions of
272the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
273for almost everything. Since the old control has various security bugs
274its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not
275need this option.
276.Ip "\fB\-preserveDN\fR" 4
277.IX Item "-preserveDN"
278Normally the \s-1DN\s0 order of a certificate is the same as the order of the
279fields in the relevant policy section. When this option is set the order
280is the same as the request. This is largely for compatibility with the
281older \s-1IE\s0 enrollment control which would only accept certificates if their
282DNs match the order of the request. This is not needed for Xenroll.
283.Ip "\fB\-noemailDN\fR" 4
284.IX Item "-noemailDN"
285The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
286request \s-1DN\s0, however it is good policy just having the e-mail set into
287the altName extension of the certificate. When this option is set the
288\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
289the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
290used in the configuration file to enable this behaviour.
291.Ip "\fB\-batch\fR" 4
292.IX Item "-batch"
293this sets the batch mode. In this mode no questions will be asked
294and all certificates will be certified automatically.
295.Ip "\fB\-extensions section\fR" 4
296.IX Item "-extensions section"
297the section of the configuration file containing certificate extensions
298to be added when a certificate is issued (defaults to \fBx509_extensions\fR
299unless the \fB\-extfile\fR option is used). If no extension section is
300present then, a V1 certificate is created. If the extension section
301is present (even if it is empty), then a V3 certificate is created.
302.Ip "\fB\-extfile file\fR" 4
303.IX Item "-extfile file"
304an additional configuration file to read certificate extensions from
305(using the default section unless the \fB\-extensions\fR option is also
306used).
307.Ip "\fB\-engine id\fR" 4
308.IX Item "-engine id"
309specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
310to attempt to obtain a functional reference to the specified engine,
311thus initialising it if needed. The engine will then be set as the default
312for all available algorithms.
313.SH "CRL OPTIONS"
314.IX Header "CRL OPTIONS"
315.Ip "\fB\-gencrl\fR" 4
316.IX Item "-gencrl"
317this option generates a \s-1CRL\s0 based on information in the index file.
318.Ip "\fB\-crldays num\fR" 4
319.IX Item "-crldays num"
320the number of days before the next \s-1CRL\s0 is due. That is the days from
321now to place in the \s-1CRL\s0 nextUpdate field.
322.Ip "\fB\-crlhours num\fR" 4
323.IX Item "-crlhours num"
324the number of hours before the next \s-1CRL\s0 is due.
325.Ip "\fB\-revoke filename\fR" 4
326.IX Item "-revoke filename"
327a filename containing a certificate to revoke.
328.Ip "\fB\-crl_reason reason\fR" 4
329.IX Item "-crl_reason reason"
330revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
331\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
332\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case
333insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
334.Sp
335In practive \fBremoveFromCRL\fR is not particularly useful because it is only used
336in delta CRLs which are not currently implemented.
337.Ip "\fB\-crl_hold instruction\fR" 4
338.IX Item "-crl_hold instruction"
339This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
340instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be
341used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
342\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
343.Ip "\fB\-crl_compromise time\fR" 4
344.IX Item "-crl_compromise time"
345This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
346\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
347.Ip "\fB\-crl_CA_compromise time\fR" 4
348.IX Item "-crl_CA_compromise time"
349This is the same as \fBcrl_compromise\fR except the revocation reason is set to
350\&\fBCACompromise\fR.
351.Ip "\fB\-subj arg\fR" 4
352.IX Item "-subj arg"
353supersedes subject name given in the request.
354The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
355characters may be escaped by \e (backslash), no spaces are skipped.
356.Ip "\fB\-crlexts section\fR" 4
357.IX Item "-crlexts section"
358the section of the configuration file containing \s-1CRL\s0 extensions to
359include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
360created, if the \s-1CRL\s0 extension section is present (even if it is
361empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
362\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
363that some software (for example Netscape) can't handle V2 CRLs.
364.SH "CONFIGURATION FILE OPTIONS"
365.IX Header "CONFIGURATION FILE OPTIONS"
366The section of the configuration file containing options for \fBca\fR
367is found as follows: If the \fB\-name\fR command line option is used,
368then it names the section to be used. Otherwise the section to
369be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
370of the configuration file (or in the default section of the
371configuration file). Besides \fBdefault_ca\fR, the following options are
372read directly from the \fBca\fR section:
373 \s-1RANDFILE\s0
374 preserve
375 msie_hack
376With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
377change in future releases.
378.PP
379Many of the configuration file options are identical to command line
380options. Where the option is present in the configuration file
381and the command line the command line value is used. Where an
382option is described as mandatory then it must be present in
383the configuration file or the command line equivalent (if
384any) used.
385.Ip "\fBoid_file\fR" 4
386.IX Item "oid_file"
387This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
388Each line of the file should consist of the numerical form of the
389object identifier followed by white space then the short name followed
390by white space and finally the long name.
391.Ip "\fBoid_section\fR" 4
392.IX Item "oid_section"
393This specifies a section in the configuration file containing extra
394object identifiers. Each line should consist of the short name of the
395object identifier followed by \fB=\fR and the numerical form. The short
396and long names are the same when this option is used.
397.Ip "\fBnew_certs_dir\fR" 4
398.IX Item "new_certs_dir"
399the same as the \fB\-outdir\fR command line option. It specifies
400the directory where new certificates will be placed. Mandatory.
401.Ip "\fBcertificate\fR" 4
402.IX Item "certificate"
403the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
404certificate. Mandatory.
405.Ip "\fBprivate_key\fR" 4
406.IX Item "private_key"
407same as the \fB\-keyfile\fR option. The file containing the
408\&\s-1CA\s0 private key. Mandatory.
409.Ip "\fB\s-1RANDFILE\s0\fR" 4
410.IX Item "RANDFILE"
411a file used to read and write random number seed information, or
412an \s-1EGD\s0 socket (see RAND_egd(3)).
413.Ip "\fBdefault_days\fR" 4
414.IX Item "default_days"
415the same as the \fB\-days\fR option. The number of days to certify
416a certificate for.
417.Ip "\fBdefault_startdate\fR" 4
418.IX Item "default_startdate"
419the same as the \fB\-startdate\fR option. The start date to certify
420a certificate for. If not set the current time is used.
421.Ip "\fBdefault_enddate\fR" 4
422.IX Item "default_enddate"
423the same as the \fB\-enddate\fR option. Either this option or
424\&\fBdefault_days\fR (or the command line equivalents) must be
425present.
426.Ip "\fBdefault_crl_hours default_crl_days\fR" 4
427.IX Item "default_crl_hours default_crl_days"
428the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
429will only be used if neither command line option is present. At
430least one of these must be present to generate a \s-1CRL\s0.
431.Ip "\fBdefault_md\fR" 4
432.IX Item "default_md"
433the same as the \fB\-md\fR option. The message digest to use. Mandatory.
434.Ip "\fBdatabase\fR" 4
435.IX Item "database"
436the text database file to use. Mandatory. This file must be present
437though initially it will be empty.
438.Ip "\fBserialfile\fR" 4
439.IX Item "serialfile"
440a text file containing the next serial number to use in hex. Mandatory.
441This file must be present and contain a valid serial number.
442.Ip "\fBx509_extensions\fR" 4
443.IX Item "x509_extensions"
444the same as \fB\-extensions\fR.
445.Ip "\fBcrl_extensions\fR" 4
446.IX Item "crl_extensions"
447the same as \fB\-crlexts\fR.
448.Ip "\fBpreserve\fR" 4
449.IX Item "preserve"
450the same as \fB\-preserveDN\fR
451.Ip "\fBemail_in_dn\fR" 4
452.IX Item "email_in_dn"
453the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
454from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
455the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0.
456.Ip "\fBmsie_hack\fR" 4
457.IX Item "msie_hack"
458the same as \fB\-msie_hack\fR
459.Ip "\fBpolicy\fR" 4
460.IX Item "policy"
461the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
462for more information.
463.Ip "\fBnameopt\fR, \fBcertopt\fR" 4
464.IX Item "nameopt, certopt"
465these options allow the format used to display the certificate details
466when asking the user to confirm signing. All the options supported by
467the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
468here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
469and cannot be disabled (this is because the certificate signature cannot
470be displayed because the certificate has not been signed at this point).
471.Sp
472For convenience the values \fBdefault_ca\fR are accepted by both to produce
473a reasonable output.
474.Sp
475If neither option is present the format used in earlier versions of
476OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
477it only displays fields mentioned in the \fBpolicy\fR section, mishandles
478multicharacter string types and does not display extensions.
479.Ip "\fBcopy_extensions\fR" 4
480.IX Item "copy_extensions"
481determines how extensions in certificate requests should be handled.
482If set to \fBnone\fR or this option is not present then extensions are
483ignored and not copied to the certificate. If set to \fBcopy\fR then any
484extensions present in the request that are not already present are copied
485to the certificate. If set to \fBcopyall\fR then all extensions in the
486request are copied to the certificate: if the extension is already present
487in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
488using this option.
489.Sp
490The main use of this option is to allow a certificate request to supply
491values for certain extensions such as subjectAltName.
492.SH "POLICY FORMAT"
493.IX Header "POLICY FORMAT"
494The policy section consists of a set of variables corresponding to
495certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
496must match the same field in the \s-1CA\s0 certificate. If the value is
497\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then
498it may be present. Any fields not mentioned in the policy section
499are silently deleted, unless the \fB\-preserveDN\fR option is set but
500this can be regarded more of a quirk than intended behaviour.
501.SH "SPKAC FORMAT"
502.IX Header "SPKAC FORMAT"
503The input to the \fB\-spkac\fR command line option is a Netscape
504signed public key and challenge. This will usually come from
505the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
506It is however possible to create SPKACs using the \fBspkac\fR utility.
507.PP
508The file should contain the variable \s-1SPKAC\s0 set to the value of
509the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
510If you need to include the same component twice then it can be
511preceded by a number and a '.'.
512.SH "EXAMPLES"
513.IX Header "EXAMPLES"
514Note: these examples assume that the \fBca\fR directory structure is
515already set up and the relevant files already exist. This usually
516involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a
517serial number file and an empty index file and placing them in
518the relevant directories.
519.PP
520To use the sample configuration file below the directories demoCA,
521demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0
522certificate would be copied to demoCA/cacert.pem and its private
523key to demoCA/private/cakey.pem. A file demoCA/serial would be
524created containing for example \*(L"01\*(R" and the empty index file
525demoCA/index.txt.
526.PP
527Sign a certificate request:
528.PP
529.Vb 1
530\& openssl ca -in req.pem -out newcert.pem
531.Ve
532Sign a certificate request, using \s-1CA\s0 extensions:
533.PP
534.Vb 1
535\& openssl ca -in req.pem -extensions v3_ca -out newcert.pem
536.Ve
537Generate a \s-1CRL\s0
538.PP
539.Vb 1
540\& openssl ca -gencrl -out crl.pem
541.Ve
542Sign several requests:
543.PP
544.Vb 1
545\& openssl ca -infiles req1.pem req2.pem req3.pem
546.Ve
547Certify a Netscape \s-1SPKAC:\s0
548.PP
549.Vb 1
550\& openssl ca -spkac spkac.txt
551.Ve
552A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
553.PP
554.Vb 5
555\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
556\& CN=Steve Test
557\& emailAddress=steve@openssl.org
558\& 0.OU=OpenSSL Group
559\& 1.OU=Another Group
560.Ve
561A sample configuration file with the relevant sections for \fBca\fR:
562.PP
563.Vb 2
564\& [ ca ]
565\& default_ca = CA_default # The default ca section
566.Ve
567.Vb 1
568\& [ CA_default ]
569.Ve
570.Vb 3
571\& dir = ./demoCA # top dir
572\& database = $dir/index.txt # index file.
573\& new_certs_dir = $dir/newcerts # new certs dir
574.Ve
575.Vb 4
576\& certificate = $dir/cacert.pem # The CA cert
577\& serial = $dir/serial # serial no file
578\& private_key = $dir/private/cakey.pem# CA private key
579\& RANDFILE = $dir/private/.rand # random number file
580.Ve
581.Vb 3
582\& default_days = 365 # how long to certify for
583\& default_crl_days= 30 # how long before next CRL
584\& default_md = md5 # md to use
585.Ve
586.Vb 2
587\& policy = policy_any # default policy
588\& email_in_dn = no # Don't add the email into cert DN
589.Ve
590.Vb 3
591\& nameopt = default_ca # Subject name display option
592\& certopt = default_ca # Certificate display option
593\& copy_extensions = none # Don't copy extensions from request
594.Ve
595.Vb 7
596\& [ policy_any ]
597\& countryName = supplied
598\& stateOrProvinceName = optional
599\& organizationName = optional
600\& organizationalUnitName = optional
601\& commonName = supplied
602\& emailAddress = optional
603.Ve
604.SH "FILES"
605.IX Header "FILES"
606Note: the location of all files can change either by compile time options,
607configuration file entries, environment variables or command line options.
608The values below reflect the default values.
609.PP
610.Vb 10
611\& /usr/local/ssl/lib/openssl.cnf - master configuration file
612\& ./demoCA - main CA directory
613\& ./demoCA/cacert.pem - CA certificate
614\& ./demoCA/private/cakey.pem - CA private key
615\& ./demoCA/serial - CA serial number file
616\& ./demoCA/serial.old - CA serial number backup file
617\& ./demoCA/index.txt - CA text database file
618\& ./demoCA/index.txt.old - CA text database backup file
619\& ./demoCA/certs - certificate output file
620\& ./demoCA/.rnd - CA random seed information
621.Ve
622.SH "ENVIRONMENT VARIABLES"
623.IX Header "ENVIRONMENT VARIABLES"
624\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can
625be overridden by the \fB\-config\fR command line option.
626.SH "RESTRICTIONS"
627.IX Header "RESTRICTIONS"
628The text database index file is a critical part of the process and
629if corrupted it can be difficult to fix. It is theoretically possible
630to rebuild the index file from all the issued certificates and a current
631\&\s-1CRL:\s0 however there is no option to do this.
632.PP
633V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently
634supported.
635.PP
636Although several requests can be input and handled at once it is only
637possible to include one \s-1SPKAC\s0 or self signed certificate.
638.SH "BUGS"
639.IX Header "BUGS"
640The use of an in memory text database can cause problems when large
641numbers of certificates are present because, as the name implies
642the database has to be kept in memory.
643.PP
644It is not possible to certify two certificates with the same \s-1DN:\s0 this
645is a side effect of how the text database is indexed and it cannot easily
646be fixed without introducing other problems. Some S/MIME clients can use
647two certificates with the same \s-1DN\s0 for separate signing and encryption
648keys.
649.PP
650The \fBca\fR command really needs rewriting or the required functionality
651exposed at either a command or interface level so a more friendly utility
652(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and
653\&\fB\s-1CA\s0.pl\fR help a little but not very much.
654.PP
655Any fields in a request that are not present in a policy are silently
656deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
657enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN\s0, as suggested by
658RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
659option can be used. The behaviour should be more friendly and
660configurable.
661.PP
662Cancelling some commands by refusing to certify a certificate can
663create an empty file.
664.SH "WARNINGS"
665.IX Header "WARNINGS"
666The \fBca\fR command is quirky and at times downright unfriendly.
667.PP
668The \fBca\fR utility was originally meant as an example of how to do things
669in a \s-1CA\s0. It was not supposed to be used as a full blown \s-1CA\s0 itself:
670nevertheless some people are using it for this purpose.
671.PP
672The \fBca\fR command is effectively a single user command: no locking is
673done on the various files and attempts to run more than one \fBca\fR command
674on the same database can have unpredictable results.
675.PP
676The \fBcopy_extensions\fR option should be used with caution. If care is
677not taken then it can be a security risk. For example if a certificate
678request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
679\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
680this when the certificate is displayed then this will hand the requestor
681a valid \s-1CA\s0 certificate.
682.PP
683This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
684and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
685Then if the request contains a basicConstraints extension it will be
686ignored.
687.PP
688It is advisable to also include values for other extensions such
689as \fBkeyUsage\fR to prevent a request supplying its own values.
690.PP
691Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
692For example if the \s-1CA\s0 certificate has:
693.PP
694.Vb 1
695\& basicConstraints = CA:TRUE, pathlen:0
696.Ve
697then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
698.SH "SEE ALSO"
699.IX Header "SEE ALSO"
700req(1), spkac(1), x509(1), CA.pl(1),
701config(5)