XCA(1)                      General Commands Manual                     XCA(1)

NAME

       xca - X Certificate and key management

       A GUI for handling X509 certificates, RSA/DSA/EC keys, PKCS#10 Requests
       and CRLs in Software and on Smartcards.

SYNOPSIS

       xca [OPTIONS]

DESCRIPTION

       This application is intended as a CA, certificate and key store. It
       uses a SQL database to store the items. By default this is SQLite3, but
       MySQL and PostgreSQL are also tested and supported. Known types are
       certificate signing requests (PKCS#10), certificates (X509v3), RSA, DSA
       and EC keys, and certificate revocation lists. The signing of requests
       and the creation of self-signed certificates are supported. Both can
       use templates for simplicity. The PKI structures can be imported and
       exported in several formats such as PKCS#12, PEM, DER, PKCS#8 and
       PKCS#7.
       XCA enables users to manage smartcards via the PKCS#11 interface.

OPTIONS

       --crlgen=<ca-identifier> *
              Generate a CRL for <ca-identifier>. Use the 'name' option to set
              the internal name of the new CRL.

       --database=<database>
              File name (*.xdb) of the SQLite database or a remote database
              descriptor: [user@host/TYPE:dbname#prefix].

       --exit Exit after importing items.

       --help Print this help and exit.

       --hierarchy=<directory> *
              Save the OpenSSL index hierarchy in <directory>.

       --index=<file> *
              Save the OpenSSL index in <file>.

       --import *
              Import all provided items into the database.

       --import-names *
              A semicolon-separated list of names applied to the imported
              items in the order found in the PEM file and on the commandline.

       --issuers *
              Print all known issuer certificates that have an associated
              private key and the CA basic constraints set to 'true'.

       --keygen=<type> *
              Generate a new key and import it into the database. Use the
              'name' option to set the internal name of the new key. The
              <type> parameter has the format: '[RSA|DSA|EC]:[<size>|<curve>]'.

       --list-curves
              Print all known elliptic curves.

       --list-items *
              List all items in the database.

       --name=<internal-name> *
              Provides the name of newly generated items. An automatic name
              will be generated if omitted.

       --no-gui
              Do not start the GUI. Alternatively set the environment variable
              XCA_NO_GUI=1 or call xca via an 'xca-console' symlink.

       --password=<password>
              Database password for unlocking the database.

       --pem  Print the PEM representation of the provided files. Prints only
              the public part of private keys.

       --print
              Print a synopsis of the provided files.

       --select=<id-list> *
              Selects all items in the comma-separated id-list to be shown
              with 'print', 'text' or 'pem'.

       --sqlpass=<password>
              Password to access the remote SQL server.

       --text Print the content of the provided files as OpenSSL does.

       --verbose
              Print the debug log on stderr. Same as setting XCA_DEBUG=all.
              See XCA_DEBUG.

       --version
              Print version information and exit.

       Options marked with an asterisk need a database, either from the
       commandline or as the default database.

PASS PHRASE ARGUMENTS

       The password options accept the same syntax as openssl does:

       env:var
              Obtain the password from the environment variable var. Since the
              environment of other processes is visible on certain platforms
              (e.g. ps under certain Unix OSes) this option should be used
              with caution.

       fd:number
              Read the password from the file descriptor number. This can be
              used to send the data via a pipe, for example.

       file:pathname
              The first line of pathname is the password. If the same pathname
              argument is supplied to both the --password and --sqlpass
              options, the first line will be used for both passwords.
              pathname need not refer to a regular file: it could for example
              refer to a device or named pipe.

       pass:password
              The actual password is password. Since the password is visible
              to utilities (like 'ps' under Unix) this form should only be
              used where security is not important.

       stdin  Read the password from standard input.
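
       One way to check an xca invocation against the cautions above before
       it goes into a script. This is an added example, not part of xca or of
       this manual page; the function names, the verdict words, the rule that
       a file: path must grant nothing to group or others, and the name ca.xdb
       are assumptions of the example.

```shell
# Added example, not part of xca. Verdict words are this example's own labels.

# Classify one pass phrase argument (the text after --password= or --sqlpass=).
classify_passarg() {
    case "$1" in
        pass:*) echo exposed ;;   # literal secret in argv, visible to ps
        env:*)  echo caution ;;   # environment is readable on some platforms
        stdin)  echo ok ;;
        fd:*)
            case "${1#fd:}" in
                ''|*[!0-9]*) echo invalid ;;   # fd: needs a descriptor number
                *)           echo ok ;;
            esac ;;
        file:*)
            path=${1#file:}
            # Assumption of this example: the file must grant nothing to
            # group or others (mode string such as -rw-------).
            if [ ! -e "$path" ]; then
                echo invalid
            elif [ "$(ls -ldL "$path" | cut -c5-10)" = "------" ]; then
                echo ok
            else
                echo caution
            fi ;;
        *) echo unknown ;;        # not one of the five forms listed above
    esac
}

# Audit a full xca argument vector; never prints the argument value itself.
# Returns 1 if any password option is not rated "ok".
audit_xca_args() {
    rc=0
    for arg in "$@"; do
        case "$arg" in
            --password=*) opt=password; val=${arg#--password=} ;;
            --sqlpass=*)  opt=sqlpass;  val=${arg#--sqlpass=} ;;
            *) continue ;;
        esac
        verdict=$(classify_passarg "$val")
        printf '%s: %s\n' "$opt" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample invocation (ca.xdb and the secret are placeholders).
audit_xca_args --no-gui --database=ca.xdb --password=pass:example \
    --sqlpass=fd:3 --list-items || true
```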

ENVIRONMENT VARIABLES

       Some more or less useful environment variables are evaluated by xca:

       XCA_NO_GUI=1
              Force xca not to start the graphical user interface. Same as the
              --no-gui argument. If neither is given, XCA tries to be smart
              and looks at the other arguments to judge whether to start the
              GUI or not.

       XCA_DEBUG=<pattern>
              The environment variable XCA_DEBUG controls the dynamic
              debugging. The format is a comma-separated list of patterns.
              Each pattern is:
              all|[-]<function>|[-]<filename>:<firstline>[-<lastline>]
              A leading dash skips the match. The firstline and lastline may
              be empty and will be replaced by the first and last line of the
              file. If -<lastline> is omitted then only the exact line number
              firstline is matched.
              Example: XCA_DEBUG=all,-timerEvent
              Log everything but skip the annoying timerEvent messages.
              Example: XCA_DEBUG=pki_base.cpp:100-,-pki_base.cpp:340
              Log pki_base messages from line 100 up to the last line, except
              line 340.

       XCA_ABORT_ON_WARNING=1
              Developer option to crash into the debugger in case of a
              warning-level log message. Documented for completeness. Not
              useful for non-developers.

       XCA_PORTABLE=1
              Force the Windows portable mode. Documented for completeness.
              Not useful for non-developers.

       XCA_ARGUMENTS=<man|rst|completion>
              Outputs the commandline arguments in man-page nroff, sphinx rst
              or as a one-line list for command completion, to automatically
              update the documentation if new arguments are added.

       QPSQL_OPTIONS QMYSQL_OPTIONS QODBC_OPTIONS
              Additional connection options for the SQL database drivers as
              described in
              https://doc.qt.io/qt-5/qsqldatabase.html#setConnectOptions
              like QPSQL_OPTIONS=requiressl=1

SEE ALSO

       A more detailed HTML documentation can be found in the doc directory,
       in the "Help" menu of the application or on
       https://hohnstaedt.de/documentation

AUTHOR

       This manual page was written by Christian Hohnstaedt
       <christian@hohnstaedt.de>