1 .\" $NetBSD: openssl_CA.pl.1,v 1.14 2015/06/12 17:01:14 christos Exp $
3 .\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
6 .\" ========================================================================
7 .de Sp \" Vertical space (when we can't use .PP)
11 .de Vb \" Begin verbatim text
16 .de Ve \" End verbatim text
20 .\" Set up some character translations and predefined strings. \*(-- will
21 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
22 .\" double quote, and \*(R" will give a right double quote. \*(C+ will
23 .\" give a nicer C++. Capital omega is used to do unbreakable dashes and
24 .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
25 .\" nothing in troff, for use with C<>.
27 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
31 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
32 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
47 .\" Escape single quotes in literal strings from groff's Unicode transform.
51 .\" If the F register is turned on, we'll generate index entries on stderr for
52 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
53 .\" entries marked with X<> in POD. Of course, you'll have to process the
54 .\" output yourself in some meaningful fashion.
56 .\" Avoid warning from groff about undefined register 'F'.
60 .if \n(.g .if rF .nr rF 1
61 .if (\n(rF:(\n(.g==0)) \{
64 . tm Index:\\$1\t\\n%\t"\\$2"
74 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
75 .\" Fear. Run. Save yourself. No user-serviceable parts.
76 . \" fudge factors for nroff and troff
85 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
91 . \" simple accents for nroff and troff
101 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
102 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
103 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
104 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
105 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
106 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
108 . \" troff and (daisy-wheel) nroff accents
109 .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
110 .ds 8 \h'\*(#H'\(*b\h'-\*(#H'
111 .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
112 .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
113 .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
114 .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
115 .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
116 .ds ae a\h'-(\w'a'u*4/10)'e
117 .ds Ae A\h'-(\w'A'u*4/10)'E
118 . \" corrections for vroff
119 .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
120 .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
121 . \" for low resolution devices (crt and lpr)
122 .if \n(.H>23 .if \n(.V>19 \
135 .\" ========================================================================
138 .TH CA.PL 1 "2013-02-05" "1.0.1n" "OpenSSL"
139 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
140 .\" way too many mistakes in technical documents.
144 CA.pl \- friendlier interface for OpenSSL certificate programs
148 .IX Header "SYNOPSIS"
155 [\fB\-newreq\-nodes\fR]
164 .IX Header "DESCRIPTION"
165 The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
166 arguments to the \fBopenssl\fR command for some common certificate operations.
167 It is intended to simplify the process of certificate creation and management
168 by the use of some simple options.
169 .SH "COMMAND OPTIONS"
170 .IX Header "COMMAND OPTIONS"
171 .IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
172 .IX Item "?, -h, -help"
173 prints a usage message.
174 .IP "\fB\-newcert\fR" 4
176 creates a new self signed certificate. The private key is written to the file
177 \&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
178 .IP "\fB\-newreq\fR" 4
180 creates a new certificate request. The private key is written to the file
181 \&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
182 .IP "\fB\-newreq\-nodes\fR" 4
183 .IX Item "-newreq-nodes"
184 is like \fB\-newreq\fR except that the private key will not be encrypted.
185 .IP "\fB\-newca\fR" 4
187 creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
188 and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
189 certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
190 details of the \s-1CA\s0 will be prompted for. The relevant files and directories
191 are created in a directory called \*(L"demoCA\*(R" in the current directory.
192 .IP "\fB\-pkcs12\fR" 4
194 create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
195 certificate. It expects the user certificate and private key to be in the
196 file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
197 it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
198 \&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
199 If there is an additional argument on the command line it will be used as the
200 \&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
201 list box), otherwise the name \*(L"My Certificate\*(R" is used.
202 .IP "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
203 .IX Item "-sign, -signreq, -xsign"
204 calls the \fBca\fR program to sign a certificate request. It expects the request
205 to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
206 \&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
208 .IP "\fB\-signCA\fR" 4
210 this option is the same as the \fB\-signreq\fR option except it uses the configuration
211 file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
212 is useful when creating intermediate \s-1CA\s0 from a root \s-1CA.\s0
213 .IP "\fB\-signcert\fR" 4
215 this option is the same as \fB\-sign\fR except it expects a self signed certificate
216 to be present in the file \*(L"newreq.pem\*(R".
217 .IP "\fB\-verify\fR" 4
219 verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates
220 are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R".
223 one or more optional certificate file names for use with the \fB\-verify\fR command.
225 .IX Header "EXAMPLES"
226 Create a \s-1CA\s0 hierarchy:
232 Complete certificate creation example: create a \s-1CA,\s0 create a request, sign
233 the request and finally create a PKCS#12 file containing it.
239 \& CA.pl \-pkcs12 "My Test Certificate"
241 .SH "DSA CERTIFICATES"
242 .IX Header "DSA CERTIFICATES"
243 Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
244 use it with \s-1DSA\s0 certificates and requests using the \fIopenssl_req\fR\|(1) command
245 directly. The following example shows the steps that would typically be taken.
247 Create some \s-1DSA\s0 parameters:
250 \& openssl dsaparam \-out dsap.pem 1024
253 Create a \s-1DSA CA\s0 certificate and private key:
256 \& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem
259 Create the \s-1CA\s0 directories and files:
265 enter cacert.pem when prompted for the \s-1CA\s0 file name.
267 Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
268 can optionally be created first):
271 \& openssl req \-out newreq.pem \-newkey dsa:dsap.pem
281 Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
283 If the demoCA directory already exists then the \fB\-newca\fR command will not
284 overwrite it and will do nothing. This can happen if a previous call using
285 the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
286 delete the demoCA directory if it already exists.
288 Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
289 directly (for example Win32) and the default configuration file location may
290 be wrong. In this case the command:
296 can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to
297 the correct path of the configuration file \*(L"openssl.cnf\*(R".
299 The script is intended as a simple front end for the \fBopenssl\fR program for use
300 by a beginner. Its behaviour isn't always what is wanted. For more control over the
301 behaviour of the certificate commands call the \fBopenssl\fR command directly.
302 .SH "ENVIRONMENT VARIABLES"
303 .IX Header "ENVIRONMENT VARIABLES"
304 The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration
305 file location to be specified, it should contain the full path to the
306 configuration file, not just its directory.
308 .IX Header "SEE ALSO"
309 \&\fIopenssl_x509\fR\|(1), \fIopenssl_ca\fR\|(1), \fIopenssl_req\fR\|(1), \fIopenssl_pkcs12\fR\|(1),
310 \&\fIopenssl.cnf\fR\|(5)