258 lines
11 KiB
HTML
258 lines
11 KiB
HTML
|
<?xml version="1.0" ?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
||
|
<head>
|
||
|
<title>CA.pl</title>
|
||
|
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
|
||
|
<link rev="made" href="mailto:root@localhost" />
|
||
|
</head>
|
||
|
|
||
|
<body style="background-color: white">
|
||
|
|
||
|
|
||
|
<!-- INDEX BEGIN -->
|
||
|
<div name="index">
|
||
|
<p><a name="__index__"></a></p>
|
||
|
|
||
|
<ul>
|
||
|
|
||
|
<li><a href="#name">NAME</a></li>
|
||
|
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||
|
<li><a href="#description">DESCRIPTION</a></li>
|
||
|
<li><a href="#options">OPTIONS</a></li>
|
||
|
<li><a href="#examples">EXAMPLES</a></li>
|
||
|
<li><a href="#dsa_certificates">DSA CERTIFICATES</a></li>
|
||
|
<li><a href="#notes">NOTES</a></li>
|
||
|
<li><a href="#see_also">SEE ALSO</a></li>
|
||
|
<li><a href="#copyright">COPYRIGHT</a></li>
|
||
|
</ul>
|
||
|
|
||
|
<hr name="index" />
|
||
|
</div>
|
||
|
<!-- INDEX END -->
|
||
|
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="name">NAME</a></h1>
|
||
|
<p>CA.pl - friendlier interface for OpenSSL certificate programs</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||
|
<p><strong>CA.pl</strong>
|
||
|
<strong>-?</strong> |
|
||
|
<strong>-h</strong> |
|
||
|
<strong>-help</strong></p>
|
||
|
<p><strong>CA.pl</strong>
|
||
|
<strong>-newcert</strong> |
|
||
|
<strong>-newreq</strong> |
|
||
|
<strong>-newreq-nodes</strong> |
|
||
|
<strong>-xsign</strong> |
|
||
|
<strong>-sign</strong> |
|
||
|
<strong>-signCA</strong> |
|
||
|
<strong>-signcert</strong> |
|
||
|
<strong>-crl</strong> |
|
||
|
<strong>-newca</strong>
|
||
|
[<strong>-extra-cmd</strong> <em>extra-params</em>]</p>
|
||
|
<p><strong>CA.pl</strong> <strong>-pkcs12</strong> [<strong>-extra-pkcs12</strong> <em>extra-params</em>] [<em>certname</em>]</p>
|
||
|
<p><strong>CA.pl</strong> <strong>-verify</strong> [<strong>-extra-verify</strong> <em>extra-params</em>] <em>certfile</em> ...</p>
|
||
|
<p><strong>CA.pl</strong> <strong>-revoke</strong> [<strong>-extra-ca</strong> <em>extra-params</em>] <em>certfile</em> [<em>reason</em>]</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="description">DESCRIPTION</a></h1>
|
||
|
<p>The <strong>CA.pl</strong> script is a perl script that supplies the relevant command line
|
||
|
arguments to the <em>openssl(1)</em> command for some common certificate operations.
|
||
|
It is intended to simplify the process of certificate creation and management
|
||
|
by the use of some simple options.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="options">OPTIONS</a></h1>
|
||
|
<dl>
|
||
|
<dt><strong><a name="h_help" class="item"><strong>?</strong>, <strong>-h</strong>, <strong>-help</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Prints a usage message.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="newcert" class="item"><strong>-newcert</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Creates a new self signed certificate. The private key is written to the file
|
||
|
<em class="file">newkey.pem</em> and the request written to the file <em class="file">newreq.pem</em>.
|
||
|
Invokes <em>openssl-req(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="newreq" class="item"><strong>-newreq</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Creates a new certificate request. The private key is written to the file
|
||
|
<em class="file">newkey.pem</em> and the request written to the file <em class="file">newreq.pem</em>.
|
||
|
Executes <em>openssl-req(1)</em> under the hood.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="newreq_nodes" class="item"><strong>-newreq-nodes</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Is like <strong>-newreq</strong> except that the private key will not be encrypted.
|
||
|
Uses <em>openssl-req(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="newca" class="item"><strong>-newca</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Creates a new CA hierarchy for use with the <strong>ca</strong> program (or the <strong>-signcert</strong>
|
||
|
and <strong>-xsign</strong> options). The user is prompted to enter the filename of the CA
|
||
|
certificates (which should also contain the private key) or by hitting ENTER
|
||
|
details of the CA will be prompted for. The relevant files and directories
|
||
|
are created in a directory called <em class="file">demoCA</em> in the current directory.
|
||
|
Uses <em>openssl-req(1)</em> and <em>openssl-ca(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="pkcs12" class="item"><strong>-pkcs12</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Create a PKCS#12 file containing the user certificate, private key and CA
|
||
|
certificate. It expects the user certificate and private key to be in the
|
||
|
file <em class="file">newcert.pem</em> and the CA certificate to be in the file <em class="file">demoCA/cacert.pem</em>,
|
||
|
it creates a file <em class="file">newcert.p12</em>. This command can thus be called after the
|
||
|
<strong>-sign</strong> option. The PKCS#12 file can be imported directly into a browser.
|
||
|
If there is an additional argument on the command line it will be used as the
|
||
|
"friendly name" for the certificate (which is typically displayed in the browser
|
||
|
list box), otherwise the name "My Certificate" is used.
|
||
|
Delegates work to <a href="#pkcs12">openssl-pkcs12(1)</a>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="sign_signcert_xsign" class="item"><strong>-sign</strong>, <strong>-signcert</strong>, <strong>-xsign</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Calls the <em>openssl-ca(1)</em> command to sign a certificate request. It expects the
|
||
|
request to be in the file <em class="file">newreq.pem</em>. The new certificate is written to the
|
||
|
file <em class="file">newcert.pem</em> except in the case of the <strong>-xsign</strong> option when it is
|
||
|
written to standard output.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="signca" class="item"><strong>-signCA</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This option is the same as the <strong>-signreq</strong> option except it uses the
|
||
|
configuration file section <strong>v3_ca</strong> and so makes the signed request a
|
||
|
valid CA certificate. This is useful when creating intermediate CA from
|
||
|
a root CA. Extra params are passed to <em>openssl-ca(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="signcert" class="item"><strong>-signcert</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>This option is the same as <strong>-sign</strong> except it expects a self signed certificate
|
||
|
to be present in the file <em class="file">newreq.pem</em>.
|
||
|
Extra params are passed to <em>openssl-x509(1)</em> and <em>openssl-ca(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="crl" class="item"><strong>-crl</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Generate a CRL. Executes <em>openssl-ca(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="revoke_certfile_reason" class="item"><strong>-revoke</strong> <em>certfile</em> [<em>reason</em>]</a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Revoke the certificate contained in the specified <strong>certfile</strong>. An optional
|
||
|
reason may be specified, and must be one of: <strong>unspecified</strong>,
|
||
|
<strong>keyCompromise</strong>, <strong>CACompromise</strong>, <strong>affiliationChanged</strong>, <strong>superseded</strong>,
|
||
|
<strong>cessationOfOperation</strong>, <strong>certificateHold</strong>, or <strong>removeFromCRL</strong>.
|
||
|
Leverages <em>openssl-ca(1)</em>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="verify" class="item"><strong>-verify</strong></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>Verifies certificates against the CA certificate for <em class="file">demoCA</em>. If no
|
||
|
certificates are specified on the command line it tries to verify the file
|
||
|
<em class="file">newcert.pem</em>. Invokes <a href="#verify">openssl-verify(1)</a>.</p>
|
||
|
</dd>
|
||
|
<dt><strong><a name="extra_req_extra_ca_extra_pkcs12_extra_x509_extra_verify_extra_params" class="item"><strong>-extra-req</strong> | <strong>-extra-ca</strong> | <strong>-extra-pkcs12</strong> | <strong>-extra-x509</strong> | <strong>-extra-verify</strong> <em>extra-params</em></a></strong></dt>
|
||
|
|
||
|
<dd>
|
||
|
<p>For each option <strong>extra-<em>cmd</em></strong>, pass <em>extra-params</em> to the <em>openssl(1)</em>
|
||
|
sub-command with the same name as <em>cmd</em>, if that sub-command is invoked.
|
||
|
For example, if <em>openssl-req(1)</em> is invoked, the <em>extra-params</em> given with
|
||
|
<strong>-extra-req</strong> will be passed to it.
|
||
|
Users should consult <em>openssl(1)</em> command documentation for more information.</p>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="examples">EXAMPLES</a></h1>
|
||
|
<p>Create a CA hierarchy:</p>
|
||
|
<pre>
|
||
|
CA.pl -newca</pre>
|
||
|
<p>Complete certificate creation example: create a CA, create a request, sign
|
||
|
the request and finally create a PKCS#12 file containing it.</p>
|
||
|
<pre>
|
||
|
CA.pl -newca
|
||
|
CA.pl -newreq
|
||
|
CA.pl -signreq
|
||
|
CA.pl -pkcs12 "My Test Certificate"</pre>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="dsa_certificates">DSA CERTIFICATES</a></h1>
|
||
|
<p>Although the <strong>CA.pl</strong> creates RSA CAs and requests it is still possible to
|
||
|
use it with DSA certificates and requests using the <em>openssl-req(1)</em> command
|
||
|
directly. The following example shows the steps that would typically be taken.</p>
|
||
|
<p>Create some DSA parameters:</p>
|
||
|
<pre>
|
||
|
openssl dsaparam -out dsap.pem 1024</pre>
|
||
|
<p>Create a DSA CA certificate and private key:</p>
|
||
|
<pre>
|
||
|
openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem</pre>
|
||
|
<p>Create the CA directories and files:</p>
|
||
|
<pre>
|
||
|
CA.pl -newca</pre>
|
||
|
<p>enter a filename (for example, <em class="file">cacert.pem</em>) when prompted for the CA file
|
||
|
name.</p>
|
||
|
<p>Create a DSA certificate request and private key (a different set of parameters
|
||
|
can optionally be created first):</p>
|
||
|
<pre>
|
||
|
openssl req -out newreq.pem -newkey dsa:dsap.pem</pre>
|
||
|
<p>Sign the request:</p>
|
||
|
<pre>
|
||
|
CA.pl -signreq</pre>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="notes">NOTES</a></h1>
|
||
|
<p>Most of the filenames mentioned can be modified by editing the <strong>CA.pl</strong> script.</p>
|
||
|
<p>If the demoCA directory already exists then the <strong>-newca</strong> command will not
|
||
|
overwrite it and will do nothing. This can happen if a previous call using
|
||
|
the <strong>-newca</strong> option terminated abnormally. To get the correct behaviour
|
||
|
delete the demoCA directory if it already exists.</p>
|
||
|
<p>Under some environments it may not be possible to run the <strong>CA.pl</strong> script
|
||
|
directly (for example Win32) and the default configuration file location may
|
||
|
be wrong. In this case the command:</p>
|
||
|
<pre>
|
||
|
perl -S CA.pl</pre>
|
||
|
<p>can be used and the <strong>OPENSSL_CONF</strong> environment variable changed to point to
|
||
|
the correct path of the configuration file.</p>
|
||
|
<p>The script is intended as a simple front end for the <em>openssl(1)</em> program for
|
||
|
use by a beginner. Its behaviour isn't always what is wanted. For more control
|
||
|
over the behaviour of the certificate commands call the <em>openssl(1)</em> command
|
||
|
directly.</p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="see_also">SEE ALSO</a></h1>
|
||
|
<p><em>openssl(1)</em>,
|
||
|
<em>openssl-x509(1)</em>,
|
||
|
<em>openssl-ca(1)</em>,
|
||
|
<em>openssl-req(1)</em>,
|
||
|
<a href="#pkcs12">openssl-pkcs12(1)</a>,
|
||
|
<em>config(5)</em></p>
|
||
|
<p>
|
||
|
</p>
|
||
|
<hr />
|
||
|
<h1><a name="copyright">COPYRIGHT</a></h1>
|
||
|
<p>Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.</p>
|
||
|
<p>Licensed under the Apache License 2.0 (the "License"). You may not use
|
||
|
this file except in compliance with the License. You can obtain a copy
|
||
|
in the file LICENSE in the source distribution or at
|
||
|
<a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
|
||
|
|
||
|
</body>
|
||
|
|
||
|
</html>
|