CA.PL(1ossl)                        OpenSSL                       CA.PL(1ossl)

NAME
CA.pl - friendlier interface for OpenSSL certificate programs

SYNOPSIS
    CA.pl -? | -h | -help

    CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA |
    -signcert | -crl | -newca [-extra-cmd parameter]

    CA.pl -pkcs12 [certname]

    CA.pl -verify certfile ...

    CA.pl -revoke certfile [reason]

DESCRIPTION
The CA.pl script is a Perl script that supplies the relevant command
line arguments to the openssl(1) command for some common certificate
operations. It is intended to simplify the process of certificate
creation and management by the use of some simple options.

The script is intended as a simple front end for the openssl(1) program
for use by a beginner. Its behaviour isn't always what is wanted. For
more control over the behaviour of the certificate commands, call the
openssl(1) command directly.

Most of the filenames mentioned below can be modified by editing the
CA.pl script.

Under some environments it may not be possible to run the CA.pl script
directly (for example Win32), and the default configuration file
location may be wrong. In this case the command:

    perl -S CA.pl

can be used, and the OPENSSL_CONF environment variable can be set to
point to the correct path of the configuration file.

OPTIONS
-?, -h, -help
    Prints a usage message.

-newcert
    Creates a new self-signed certificate. The private key is written
    to the file newkey.pem and the request is written to the file
    newreq.pem. Invokes openssl-req(1).

-newreq
    Creates a new certificate request. The private key is written to
    the file newkey.pem and the request is written to the file
    newreq.pem. Executes openssl-req(1) under the hood.

-newreq-nodes
    Is like -newreq except that the private key will not be encrypted.
    Uses openssl-req(1).

-newca
    Creates a new CA hierarchy for use with the ca program (or the
    -signcert and -xsign options). The user is prompted to enter the
    filename of the CA certificate (which should also contain the
    private key); if ENTER is hit instead, the details of the CA are
    prompted for. The relevant files and directories are created in a
    directory called demoCA in the current directory. Uses
    openssl-req(1) and openssl-ca(1).

    If the demoCA directory already exists then the -newca command will
    not overwrite it and will do nothing. This can happen if a previous
    call using the -newca option terminated abnormally. To get the
    correct behaviour, delete the directory if it already exists.

-pkcs12
    Creates a PKCS#12 file containing the user certificate, private key
    and CA certificate. It expects the user certificate and private key
    to be in the file newcert.pem and the CA certificate to be in the
    file demoCA/cacert.pem; it creates the file newcert.p12. This
    command can thus be called after the -sign option. The PKCS#12 file
    can be imported directly into a browser. If there is an additional
    argument on the command line it will be used as the "friendly name"
    for the certificate (which is typically displayed in the browser
    list box), otherwise the name "My Certificate" is used. Delegates
    work to openssl-pkcs12(1).

-sign, -signcert, -xsign
    Calls the openssl-ca(1) command to sign a certificate request. It
    expects the request to be in the file newreq.pem. The new
    certificate is written to the file newcert.pem, except in the case
    of the -xsign option, when it is written to standard output.

-signCA
    This option is the same as the -sign option except that it uses the
    configuration file section v3_ca and so makes the signed request a
    valid CA certificate. This is useful when creating an intermediate
    CA from a root CA. Extra parameters are passed to openssl-ca(1).

-signcert
    This option is the same as -sign except that it expects a
    self-signed certificate to be present in the file newreq.pem. Extra
    parameters are passed to openssl-x509(1) and openssl-ca(1).

-crl
    Generates a CRL. Executes openssl-ca(1).

-revoke certfile [reason]
    Revokes the certificate contained in the specified certfile. An
    optional reason may be specified, and must be one of: unspecified,
    keyCompromise, CACompromise, affiliationChanged, superseded,
    cessationOfOperation, certificateHold, or removeFromCRL. Leverages
    openssl-ca(1).

-verify
    Verifies certificates against the CA certificate for demoCA. If no
    certificates are specified on the command line it tries to verify
    the file newcert.pem. Invokes openssl-verify(1).

-extra-cmd parameter
    For each option -extra-cmd, passes parameter to the openssl(1)
    subcommand with the same name as cmd, if that subcommand is
    invoked. For example, if openssl-req(1) is invoked, the parameter
    given with -extra-req will be passed to it. For multi-word
    parameters, either repeat the option or quote the parameters so
    they look like one word to your shell. See the individual command
    documentation for more information.

EXAMPLES
Create a CA hierarchy:

    CA.pl -newca

Complete certificate creation example: create a CA, create a request,
sign the request and finally create a PKCS#12 file containing it.

    CA.pl -newca
    CA.pl -newreq
    CA.pl -sign
    CA.pl -pkcs12 "My Test Certificate"

ENVIRONMENT
The environment variable OPENSSL may be used to specify the name of the
OpenSSL program. It can be a full pathname, or a relative one.

The environment variable OPENSSL_CONFIG may be used to specify a
configuration option and value to the req and ca commands invoked by
this script. Its value should be the option and pathname, as in
"-config /path/to/conf-file".

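The following dry-run planner is an added example, not CA.pl's own code: it shows how the -extra-cmd parameters from OPTIONS and the OPENSSL / OPENSSL_CONFIG variables above combine into the openssl(1) command lines the script would run, and it rejects the two mistakes the page warns about (an existing demoCA with -newca, an invalid -revoke reason). The option-to-subcommand map and the reason list come from this page; the way positional arguments are turned into openssl flags (-revoke/-crl_reason, -name, -CAfile) and the shell-word re-splitting of -extra parameters are assumptions.

```python
"""Dry-run planner for the openssl(1) command lines a CA.pl option implies.
Constructed example, not CA.pl's own code; comments mark what is assumed."""
import os
import shlex

# CA.pl option -> openssl subcommand(s) the man page says it invokes.
SUBCOMMANDS = {
    "-newcert": ["req"], "-newreq": ["req"], "-newreq-nodes": ["req"],
    "-newca": ["req", "ca"], "-pkcs12": ["pkcs12"], "-sign": ["ca"],
    "-xsign": ["ca"], "-signCA": ["ca"], "-signcert": ["x509", "ca"],
    "-crl": ["ca"], "-revoke": ["ca"], "-verify": ["verify"],
}
REVOKE_REASONS = {"unspecified", "keyCompromise", "CACompromise",
                  "affiliationChanged", "superseded", "cessationOfOperation",
                  "certificateHold", "removeFromCRL"}

def plan(argv, env=None, democa_exists=False):
    """Return openssl argv lists for CA.pl args; raise ValueError on misuse."""
    env = os.environ if env is None else env
    action, args, extras = None, [], {}
    tokens = iter(argv)
    for tok in tokens:
        if tok.startswith("-extra-"):
            # One shell word per option, re-split for the subcommand (assumed),
            # so a quoted "-days 30" reaches openssl as two arguments.
            extras.setdefault(tok[len("-extra-"):], []).extend(shlex.split(next(tokens, "")))
        elif tok in SUBCOMMANDS:
            action = tok
        else:
            args.append(tok)  # certfile, revocation reason, friendly name, ...
    if action is None:
        raise ValueError("no CA.pl action given")
    if action == "-newca" and democa_exists:
        raise ValueError("demoCA exists: -newca would do nothing, delete it first")
    if action == "-revoke" and (not args or len(args) > 1 and args[1] not in REVOKE_REASONS):
        raise ValueError("-revoke needs a certfile and, optionally, a valid reason")
    openssl = env.get("OPENSSL", "openssl")
    config = shlex.split(env.get("OPENSSL_CONFIG", ""))  # "-config /path/to/conf-file"
    cmds = []
    for sub in SUBCOMMANDS[action]:
        cmd = [openssl, sub] + (config if sub in ("req", "ca") else [])  # req and ca only
        if action == "-revoke":  # positional-to-flag mappings below are assumptions
            cmd += ["-revoke", args[0]] + (["-crl_reason", args[1]] if len(args) > 1 else [])
        elif action == "-pkcs12":
            cmd += ["-name", args[0] if args else "My Certificate"]
        elif action == "-verify":
            cmd += ["-CAfile", "demoCA/cacert.pem"] + (args or ["newcert.pem"])
        cmds.append(cmd + extras.get(sub, []))
    return cmds
```

Note that OPENSSL_CONFIG is attached only to the req and ca invocations, so a -signcert run passes it to openssl-ca(1) but not to openssl-x509(1).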
SEE ALSO
openssl(1), openssl-x509(1), openssl-ca(1), openssl-req(1),
openssl-pkcs12(1), config(5)

COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.

3.1.1                               2023-08-31                    CA.PL(1ossl)