XCA(1) General Commands Manual XCA(1)

xca - X Certificate and key management

A GUI for handling X509 certificates, RSA/DSA/EC keys, PKCS#10 requests
and CRLs in software and on smartcards.

xca [OPTIONS]

This application is intended as a CA, certificate and key store. It
uses an SQL database to store the items. By default this is SQLite3, but
MySQL and PostgreSQL are also tested and supported. Known types are
certificate signing requests (PKCS#10), certificates (X509v3), RSA, DSA
and EC keys, and certificate revocation lists. The signing of requests
and the creation of self-signed certificates are supported. Both can use
templates for simplicity. The PKI structures can be imported and
exported in several formats, such as PKCS#12, PEM, DER, PKCS#8 and PKCS#7.
XCA enables users to manage smartcards via the PKCS#11 interface.

--crlgen=<ca-identifier> *
    Generate a CRL for <ca-identifier>. Use the --name option to set
    the internal name of the new CRL.

--database=<database>
    File name (*.xdb) of the SQLite database or a remote database
    descriptor: [user@host/TYPE:dbname#prefix].

--exit
    Exit after importing items.

--help
    Print this help and exit.

--hierarchy=<directory> *
    Save the OpenSSL index hierarchy in <directory>.

--index=<file> *
    Save the OpenSSL index in <file>.

--import *
    Import all provided items into the database.

--issuers *
    Print all known issuer certificates that have an associated
    private key and the CA basic constraints set to 'true'.

--keygen=<type> *
    Generate a new key and import it into the database. Use the
    --name option to set the internal name of the new key. The
    <type> parameter has the format: '[RSA|DSA|EC]:[<size>|<curve>]'.

--list-curves
    Print all known elliptic curves.

--name=<internal-name> *
    Provides the name of newly generated items. An automatic name
    will be generated if omitted.

--no-gui
    Do not start the GUI. Alternatively, set the environment variable
    XCA_NO_GUI=1 or call xca through a symlink named 'xca-console'.

--password=<password>
    Database password for unlocking the database.

--pem
    Print the PEM representation of the provided files. Prints only
    the public part of private keys.

--print
    Print a synopsis of the provided files.

--sqlpass=<password>
    Password to access the remote SQL server.

--text
    Print the content of the provided files as OpenSSL does.

--verbose
    Print the debug log on stderr. Alternatively, set the environment
    variable XCA_DEBUG=1.

--version
    Print version information and exit.

Options marked with an asterisk need a database, given either on the
command line or as the default database.

The password options accept the same syntax as openssl does:

env:var
    Obtain the password from the environment variable var. Since the
    environment of other processes is visible on certain platforms
    (e.g. ps under certain Unix OSes) this option should be used
    with caution.

fd:number
    Read the password from the file descriptor number. This can be
    used to send the data via a pipe for example.

file:pathname
    The first line of pathname is the password. If the same pathname
    argument is supplied to password and sqlpassword arguments then
    the first line will be used for both passwords. pathname need
    not refer to a regular file: it could for example refer to a
    device or named pipe.

pass:password
    The actual password is password. Since the password is visible
    to utilities (like 'ps' under Unix) this form should only be
    used where security is not important.

stdin
    Read the password from standard input.
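
Example (added here, not part of the xca manual): a POSIX shell wrapper that passes the database password to xca on a file descriptor with the fd: form, plus a small check that flags the pass: and env: forms in existing command lines. It assumes the options listed above can be combined in one non-GUI invocation; XCA_BIN, the function names and the names in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the xca manual.
# Assumption: XCA_BIN names the xca binary; database, CA and CRL names
# are supplied by the caller.
XCA_BIN=${XCA_BIN:-xca}

# pw_source_risk ARG
# Classify one --password=... or --sqlpass=... argument by where the
# secret ends up, following the caveats in the list above.
pw_source_risk() {
    case ${1#*=} in
        pass:*)            echo "argv-visible" ;;  # readable via ps
        env:*)             echo "env-visible" ;;   # environment may be readable
        fd:*|file:*|stdin) echo "ok" ;;
        *)                 echo "unknown" ;;
    esac
}

# xca_crlgen DATABASE CA_IDENTIFIER CRL_NAME
# Generate a CRL without the GUI. The database password is read from this
# function's stdin and handed to xca on descriptor 3 (fd:3), so it is
# never placed in argv or the environment. xca's own stdin is /dev/null.
xca_crlgen() {
    "$XCA_BIN" --no-gui --database="$1" --password=fd:3 \
        --crlgen="$2" --name="$3" 3<&0 </dev/null
}

# Typical call (constructed names; some-secret-store is a placeholder for
# whatever prints the password on stdout):
#   some-secret-store get xca-db | xca_crlgen ca.xdb "Example CA" crl-latest
```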

More detailed HTML documentation can be found in the doc directory,
in the "Help" menu of the application, or at
https://hohnstaedt.de/documentation

This manual page was written by Christian Hohnstaedt
<christian@hohnstaedt.de>