mirror of
https://github.com/openssl/openssl.git
synced 2024-12-03 05:41:46 +08:00
a8055c70fa
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11189)
226 lines
6.9 KiB
Plaintext
226 lines
6.9 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
CA.pl - friendlier interface for OpenSSL certificate programs
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<CA.pl>
|
|
B<-?> |
|
|
B<-h> |
|
|
B<-help>
|
|
|
|
B<CA.pl>
|
|
B<-newcert> |
|
|
B<-newreq> |
|
|
B<-newreq-nodes> |
|
|
B<-xsign> |
|
|
B<-sign> |
|
|
B<-signCA> |
|
|
B<-signcert> |
|
|
B<-crl> |
|
|
B<-newca>
|
|
[B<-extra-cmd> I<extra-params>]
|
|
|
|
B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<extra-params>] [I<certname>]
|
|
|
|
B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile> ...
|
|
|
|
B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
The B<CA.pl> script is a perl script that supplies the relevant command line
|
|
arguments to the L<openssl(1)> command for some common certificate operations.
|
|
It is intended to simplify the process of certificate creation and management
|
|
by the use of some simple options.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item B<?>, B<-h>, B<-help>
|
|
|
|
Prints a usage message.
|
|
|
|
=item B<-newcert>
|
|
|
|
Creates a new self signed certificate. The private key is written to the file
|
|
F<newkey.pem> and the request written to the file F<newreq.pem>.
|
|
Invokes L<openssl-req(1)>.
|
|
|
|
=item B<-newreq>
|
|
|
|
Creates a new certificate request. The private key is written to the file
|
|
F<newkey.pem> and the request written to the file F<newreq.pem>.
|
|
Executes L<openssl-req(1)> under the hood.
|
|
|
|
=item B<-newreq-nodes>
|
|
|
|
Is like B<-newreq> except that the private key will not be encrypted.
|
|
Uses L<openssl-req(1)>.
|
|
|
|
=item B<-newca>
|
|
|
|
Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
|
|
and B<-xsign> options). The user is prompted to enter the filename of the CA
|
|
certificates (which should also contain the private key) or by hitting ENTER
|
|
details of the CA will be prompted for. The relevant files and directories
|
|
are created in a directory called F<demoCA> in the current directory.
|
|
Uses L<openssl-req(1)> and L<openssl-ca(1)>.
|
|
|
|
=item B<-pkcs12>
|
|
|
|
Create a PKCS#12 file containing the user certificate, private key and CA
|
|
certificate. It expects the user certificate and private key to be in the
|
|
file F<newcert.pem> and the CA certificate to be in the file F<demoCA/cacert.pem>,
|
|
it creates a file F<newcert.p12>. This command can thus be called after the
|
|
B<-sign> option. The PKCS#12 file can be imported directly into a browser.
|
|
If there is an additional argument on the command line it will be used as the
|
|
"friendly name" for the certificate (which is typically displayed in the browser
|
|
list box), otherwise the name "My Certificate" is used.
|
|
Delegates work to L<openssl-pkcs12(1)>.
|
|
|
|
=item B<-sign>, B<-signcert>, B<-xsign>
|
|
|
|
Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
|
|
request to be in the file F<newreq.pem>. The new certificate is written to the
|
|
file F<newcert.pem> except in the case of the B<-xsign> option when it is
|
|
written to standard output.
|
|
|
|
=item B<-signCA>
|
|
|
|
This option is the same as the B<-signreq> option except it uses the
|
|
configuration file section B<v3_ca> and so makes the signed request a
|
|
valid CA certificate. This is useful when creating intermediate CA from
|
|
a root CA. Extra params are passed to L<openssl-ca(1)>.
|
|
|
|
=item B<-signcert>
|
|
|
|
This option is the same as B<-sign> except it expects a self signed certificate
|
|
to be present in the file F<newreq.pem>.
|
|
Extra params are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.
|
|
|
|
=item B<-crl>
|
|
|
|
Generate a CRL. Executes L<openssl-ca(1)>.
|
|
|
|
=item B<-revoke> I<certfile> [I<reason>]
|
|
|
|
Revoke the certificate contained in the specified B<certfile>. An optional
|
|
reason may be specified, and must be one of: B<unspecified>,
|
|
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
|
|
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
|
|
Leverages L<openssl-ca(1)>.
|
|
|
|
=item B<-verify>
|
|
|
|
Verifies certificates against the CA certificate for F<demoCA>. If no
|
|
certificates are specified on the command line it tries to verify the file
|
|
F<newcert.pem>. Invokes L<openssl-verify(1)>.
|
|
|
|
=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>
|
|
|
|
For each option B<extra-I<cmd>>, pass I<extra-params> to the L<openssl(1)>
|
|
sub-command with the same name as I<cmd>, if that sub-command is invoked.
|
|
For example, if L<openssl-req(1)> is invoked, the I<extra-params> given with
|
|
B<-extra-req> will be passed to it.
|
|
Users should consult L<openssl(1)> command documentation for more information.
|
|
|
|
=back
|
|
|
|
=head1 EXAMPLES
|
|
|
|
Create a CA hierarchy:
|
|
|
|
CA.pl -newca
|
|
|
|
Complete certificate creation example: create a CA, create a request, sign
|
|
the request and finally create a PKCS#12 file containing it.
|
|
|
|
CA.pl -newca
|
|
CA.pl -newreq
|
|
CA.pl -signreq
|
|
CA.pl -pkcs12 "My Test Certificate"
|
|
|
|
=head1 DSA CERTIFICATES
|
|
|
|
Although the B<CA.pl> creates RSA CAs and requests it is still possible to
|
|
use it with DSA certificates and requests using the L<openssl-req(1)> command
|
|
directly. The following example shows the steps that would typically be taken.
|
|
|
|
Create some DSA parameters:
|
|
|
|
openssl dsaparam -out dsap.pem 1024
|
|
|
|
Create a DSA CA certificate and private key:
|
|
|
|
openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
|
|
|
|
Create the CA directories and files:
|
|
|
|
CA.pl -newca
|
|
|
|
enter a filename (for example, F<cacert.pem>) when prompted for the CA file
|
|
name.
|
|
|
|
Create a DSA certificate request and private key (a different set of parameters
|
|
can optionally be created first):
|
|
|
|
openssl req -out newreq.pem -newkey dsa:dsap.pem
|
|
|
|
Sign the request:
|
|
|
|
CA.pl -signreq
|
|
|
|
=head1 ENVIRONMENT
|
|
|
|
The environment variable B<OPENSSL_CONFIG> may be used to specify a
|
|
configuration option and value to the B<req> and B<ca> commands invoked by
|
|
this script. It's value should be the option and pathname, as in
|
|
C<-config /path/to/conf-file>.
|
|
|
|
=head1 NOTES
|
|
|
|
Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
|
|
|
|
If the F<demoCA> directory already exists then the B<-newca> command will not
|
|
overwrite it and will do nothing. This can happen if a previous call using
|
|
the B<-newca> option terminated abnormally. To get the correct behaviour
|
|
delete the demoCA directory if it already exists.
|
|
|
|
Under some environments it may not be possible to run the B<CA.pl> script
|
|
directly (for example Win32) and the default configuration file location may
|
|
be wrong. In this case the command:
|
|
|
|
perl -S CA.pl
|
|
|
|
can be used and the B<OPENSSL_CONF> environment variable changed to point to
|
|
the correct path of the configuration file.
|
|
|
|
The script is intended as a simple front end for the L<openssl(1)> program for
|
|
use by a beginner. Its behaviour isn't always what is wanted. For more control
|
|
over the behaviour of the certificate commands call the L<openssl(1)> command
|
|
directly.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<openssl(1)>,
|
|
L<openssl-x509(1)>,
|
|
L<openssl-ca(1)>,
|
|
L<openssl-req(1)>,
|
|
L<openssl-pkcs12(1)>,
|
|
L<config(5)>
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|