Lines Matching +full:- +full:b
5 openssl-ca,
6 ca - sample minimal CA application
10 B<openssl> B<ca>
11 [B<-help>]
12 [B<-verbose>]
13 [B<-config filename>]
14 [B<-name section>]
15 [B<-gencrl>]
16 [B<-revoke file>]
17 [B<-valid file>]
18 [B<-status serial>]
19 [B<-updatedb>]
20 [B<-crl_reason reason>]
21 [B<-crl_hold instruction>]
22 [B<-crl_compromise time>]
23 [B<-crl_CA_compromise time>]
24 [B<-crldays days>]
25 [B<-crlhours hours>]
26 [B<-crlexts section>]
27 [B<-startdate date>]
28 [B<-enddate date>]
29 [B<-days arg>]
30 [B<-md arg>]
31 [B<-policy arg>]
32 [B<-keyfile arg>]
33 [B<-keyform PEM|DER>]
34 [B<-key arg>]
35 [B<-passin arg>]
36 [B<-cert file>]
37 [B<-selfsign>]
38 [B<-in file>]
39 [B<-out file>]
40 [B<-notext>]
41 [B<-outdir dir>]
42 [B<-infiles>]
43 [B<-spkac file>]
44 [B<-ss_cert file>]
45 [B<-preserveDN>]
46 [B<-noemailDN>]
47 [B<-batch>]
48 [B<-msie_hack>]
49 [B<-extensions section>]
50 [B<-extfile section>]
51 [B<-engine id>]
52 [B<-subj arg>]
53 [B<-utf8>]
54 [B<-sigopt nm:v>]
55 [B<-create_serial>]
56 [B<-rand_serial>]
57 [B<-multivalue-rdn>]
58 [B<-rand file...>]
59 [B<-writerand file>]
63 The B<ca> command is a minimal CA application. It can be used
74 =item B<-help>
78 =item B<-verbose>
82 =item B<-config filename>
88 =item B<-name section>
91 B<default_ca> in the B<ca> section).
93 =item B<-in filename>
98 =item B<-ss_cert filename>
100 A single self-signed certificate to be signed by the CA.
102 =item B<-spkac filename>
105 and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
108 =item B<-infiles>
113 =item B<-out filename>
117 file in PEM format (except that B<-spkac> outputs DER format).
119 =item B<-outdir directory>
125 =item B<-cert>
129 =item B<-keyfile filename>
133 =item B<-keyform PEM|DER>
138 =item B<-sigopt nm:v>
141 Names and values of these options are algorithm-specific.
143 =item B<-key password>
149 =item B<-selfsign>
152 the certificate requests were signed with (given with B<-keyfile>).
154 B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
157 A consequence of using B<-selfsign> is that the self-signed
159 (see the configuration option B<database>), and uses the same
161 self-signed certificate.
163 =item B<-passin arg>
165 The key password source. For more information about the format of B<arg>
168 =item B<-notext>
172 =item B<-startdate date>
179 =item B<-enddate date>
186 =item B<-days arg>
190 =item B<-md alg>
193 Any digest supported by the OpenSSL B<dgst> command can be used. For signing
197 =item B<-policy arg>
201 or match the CA certificate. Check out the B<POLICY FORMAT> section
204 =item B<-msie_hack>
206 This is a deprecated option to make B<ca> work with very old versions of
211 =item B<-preserveDN>
219 =item B<-noemailDN>
222 request DN, however, it is good policy just having the e-mail set into
225 the, eventually present, extensions. The B<email_in_dn> keyword can be
228 =item B<-batch>
233 =item B<-extensions section>
236 to be added when a certificate is issued (defaults to B<x509_extensions>
237 unless the B<-extfile> option is used). If no extension section is
243 =item B<-extfile file>
246 (using the default section unless the B<-extensions> option is also
249 =item B<-engine id>
251 Specifying an engine (by its unique B<id> string) will cause B<ca>
256 =item B<-subj arg>
264 =item B<-utf8>
271 =item B<-create_serial>
276 To get random serial numbers, use the B<-rand_serial> flag instead; this
277 should only be used for simple error-recovery.
279 =item B<-rand_serial>
284 =item B<-multivalue-rdn>
286 This option causes the -subj argument to be interpreted with full
291 If -multivalue-rdn is not used then the UID value is I<123456+CN=John Doe>.
293 =item B<-rand file...>
297 Multiple files can be specified separated by an OS-dependent character.
298 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
301 =item B<-writerand file>
304 This can be used with a subsequent B<-rand> flag.
312 =item B<-gencrl>
316 =item B<-crldays num>
321 =item B<-crlhours num>
325 =item B<-revoke filename>
329 =item B<-valid filename>
333 =item B<-status serial>
338 =item B<-updatedb>
342 =item B<-crl_reason reason>
344 Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
345 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
346 B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
349 In practice B<removeFromCRL> is not particularly useful because it is only used
352 =item B<-crl_hold instruction>
354 This sets the CRL revocation reason code to B<certificateHold> and the hold
355 instruction to B<instruction> which must be an OID. Although any OID can be
356 used only B<holdInstructionNone> (the use of which is discouraged by RFC2459)
357 B<holdInstructionCallIssuer> or B<holdInstructionReject> will normally be used.
359 =item B<-crl_compromise time>
361 This sets the revocation reason to B<keyCompromise> and the compromise time to
362 B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
364 =item B<-crl_CA_compromise time>
366 This is the same as B<crl_compromise> except the revocation reason is set to
367 B<CACompromise>.
369 =item B<-crlexts section>
375 CRL extensions and B<not> CRL entry extensions. It should be noted
384 The section of the configuration file containing options for B<ca>
385 is found as follows: If the B<-name> command line option is used,
387 be used must be named in the B<default_ca> option of the B<ca> section
389 configuration file). Besides B<default_ca>, the following options are
390 read directly from the B<ca> section:
394 With the exception of B<RANDFILE>, this is probably a bug and may
406 =item B<oid_file>
408 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
413 =item B<oid_section>
417 object identifier followed by B<=> and the numerical form. The short
420 =item B<new_certs_dir>
422 The same as the B<-outdir> command line option. It specifies
425 =item B<certificate>
427 The same as B<-cert>. It gives the file containing the CA
430 =item B<private_key>
432 Same as the B<-keyfile> option. The file containing the
435 =item B<RANDFILE>
440 =item B<default_days>
442 The same as the B<-days> option. The number of days to certify
445 =item B<default_startdate>
447 The same as the B<-startdate> option. The start date to certify
450 =item B<default_enddate>
452 The same as the B<-enddate> option. Either this option or
453 B<default_days> (or the command line equivalents) must be
456 =item B<default_crl_hours default_crl_days>
458 The same as the B<-crlhours> and the B<-crldays> options. These
462 =item B<default_md>
464 The same as the B<-md> option. Mandatory except where the signing algorithm does
467 =item B<database>
472 =item B<unique_subject>
474 If the value B<yes> is given, the valid certificate entries in the
475 database must have unique subjects. if the value B<no> is given,
477 The default value is B<yes>, to be compatible with older (pre 0.9.8)
478 versions of OpenSSL. However, to make CA certificate roll-over easier,
479 it's recommended to use the value B<no>, especially if combined with
480 the B<-selfsign> command line option.
486 =item B<serial>
491 =item B<crlnumber>
497 =item B<x509_extensions>
499 The same as B<-extensions>.
501 =item B<crl_extensions>
503 The same as B<-crlexts>.
505 =item B<preserve>
507 The same as B<-preserveDN>
509 =item B<email_in_dn>
511 The same as B<-noemailDN>. If you want the EMAIL field to be removed
515 =item B<msie_hack>
517 The same as B<-msie_hack>
519 =item B<policy>
521 The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
524 =item B<name_opt>, B<cert_opt>
528 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
529 here, except the B<no_signame> and B<no_sigdump> are permanently set
533 For convenience the values B<ca_default> are accepted by both to produce
537 OpenSSL is used. Use of the old format is B<strongly> discouraged because
538 it only displays fields mentioned in the B<policy> section, mishandles
541 =item B<copy_extensions>
544 If set to B<none> or this option is not present then extensions are
545 ignored and not copied to the certificate. If set to B<copy> then any
547 to the certificate. If set to B<copyall> then all extensions in the
549 in the certificate it is deleted first. See the B<WARNINGS> section before
564 are silently deleted, unless the B<-preserveDN> option is set but
569 The input to the B<-spkac> command line option is a Netscape
571 the B<KEYGEN> tag in an HTML form to create a new private key.
572 It is however possible to create SPKACs using the B<spkac> utility.
579 When processing SPKAC format, the output is DER if the B<-out>
580 flag is used, but PEM format if sending to stdout or the B<-outdir>
585 Note: these examples assume that the B<ca> directory structure is
587 involves creating a CA certificate and private key with B<req>, a
601 openssl ca -in req.pem -out newcert.pem
605 openssl ca -in req.pem -extensions v3_ca -out newcert.pem
609 openssl ca -gencrl -out crl.pem
613 openssl ca -infiles req1.pem req2.pem req3.pem
617 openssl ca -spkac spkac.txt
627 A sample configuration file with the relevant sections for B<ca>:
669 /usr/local/ssl/lib/openssl.cnf - master configuration file
670 ./demoCA - main CA directory
671 ./demoCA/cacert.pem - CA certificate
672 ./demoCA/private/cakey.pem - CA private key
673 ./demoCA/serial - CA serial number file
674 ./demoCA/serial.old - CA serial number backup file
675 ./demoCA/index.txt - CA text database file
676 ./demoCA/index.txt.old - CA text database backup file
677 ./demoCA/certs - certificate output file
678 ./demoCA/.rnd - CA random seed information
690 possible to include one SPKAC or self-signed certificate.
694 The use of an in-memory text database can cause problems when large
698 The B<ca> command really needs rewriting or the required functionality
701 B<CA.pl> helps a little but not very much.
704 deleted. This does not happen if the B<-preserveDN> option is used. To
706 RFCs, regardless of the contents of the request's subject the B<-noemailDN>
715 The B<ca> command is quirky and at times downright unfriendly.
717 The B<ca> utility was originally meant as an example of how to do things
721 The B<ca> command is effectively a single user command: no locking is
722 done on the various files and attempts to run more than one B<ca> command
725 The B<copy_extensions> option should be used with caution. If care is
728 B<copy_extensions> value is set to B<copyall> and the user does not spot
732 This situation can be avoided by setting B<copy_extensions> to B<copy>
738 as B<keyUsage> to prevent a request supplying its own values.
750 certificate validity period (specified by any of B<-startdate>,
751 B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
762 Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.