| version 1.34, 2016/07/17 16:33:17 |
version 1.35, 2016/07/19 20:02:47 |
|
|
| .Qq drill down |
.Qq drill down |
| into a nested structure. |
into a nested structure. |
| .El |
.El |
| .\" |
|
| .\" CA |
|
| .\" |
|
| .Sh CA |
.Sh CA |
| .nr nS 1 |
.nr nS 1 |
| .Nm "openssl ca" |
.Nm "openssl ca" |
| .Bk -words |
|
| .Op Fl batch |
.Op Fl batch |
| .Op Fl cert Ar file |
.Op Fl cert Ar file |
| .Op Fl config Ar file |
.Op Fl config Ar file |
|
|
| .Op Fl subj Ar arg |
.Op Fl subj Ar arg |
| .Op Fl updatedb |
.Op Fl updatedb |
| .Op Fl verbose |
.Op Fl verbose |
| .Ek |
|
| .nr nS 0 |
.nr nS 0 |
| .Pp |
.Pp |
| The |
The |
| .Nm ca |
.Nm ca |
| command is a minimal CA application. |
command is a minimal certificate authority (CA) application. |
| It can be used to sign certificate requests in a variety of forms |
It can be used to sign certificate requests in a variety of forms |
| and generate CRLs. |
and generate certificate revocation lists (CRLs). |
| It also maintains a text database of issued certificates and their status. |
It also maintains a text database of issued certificates and their status. |
| .Pp |
.Pp |
| The options descriptions will be divided into each purpose. |
The options relevant to CAs are as follows: |
| .Sh CA OPTIONS |
|
| .Bl -tag -width "XXXX" |
.Bl -tag -width "XXXX" |
| .It Fl batch |
.It Fl batch |
| This sets the batch mode. |
This sets the batch mode. |
|
|
| .It Fl extensions Ar section |
.It Fl extensions Ar section |
| The section of the configuration file containing certificate extensions |
The section of the configuration file containing certificate extensions |
| to be added when a certificate is issued (defaults to |
to be added when a certificate is issued (defaults to |
| .Em x509_extensions |
.Cm x509_extensions |
| unless the |
unless the |
| .Fl extfile |
.Fl extfile |
| option is used). |
option is used). |
|
|
| are assumed to be the names of files containing certificate requests. |
are assumed to be the names of files containing certificate requests. |
| .It Fl key Ar keyfile |
.It Fl key Ar keyfile |
| The password used to encrypt the private key. |
The password used to encrypt the private key. |
| Since on some systems the command line arguments are visible |
Since on some systems the command line arguments are visible, |
| (e.g.\& |
this option should be used with caution. |
| .Ux |
|
| with the |
|
| .Xr ps 1 |
|
| utility) this option should be used with caution. |
|
| .It Fl keyfile Ar file |
.It Fl keyfile Ar file |
| The private key to sign requests with. |
The private key to sign requests with. |
| .It Fl keyform Ar PEM |
.It Fl keyform Ar PEM |
|
|
| The DN of a certificate can contain the EMAIL field if present in the |
The DN of a certificate can contain the EMAIL field if present in the |
| request DN, however it is good policy just having the email set into |
request DN, however it is good policy just having the email set into |
| the |
the |
| .Em altName |
.Cm altName |
| extension of the certificate. |
extension of the certificate. |
| When this option is set, the EMAIL field is removed from the certificate's |
When this option is set, the EMAIL field is removed from the certificate's |
| subject and set only in the, eventually present, extensions. |
subject and set only in the, eventually present, extensions. |
|
|
| This option defines the CA |
This option defines the CA |
| .Qq policy |
.Qq policy |
| to use. |
to use. |
| This is a section in the configuration file which decides which fields |
The policy section in the configuration file |
| should be mandatory or match the CA certificate. |
consists of a set of variables corresponding to certificate DN fields. |
| Check out the |
The values may be one of |
| .Sx CA POLICY FORMAT |
.Qq match |
| section for more information. |
(the value must match the same field in the CA certificate), |
| |
.Qq supplied |
| |
(the value must be present), or |
| |
.Qq optional |
| |
(the value may be present). |
| |
Any fields not mentioned in the policy section |
| |
are silently deleted, unless the |
| |
.Fl preserveDN |
| |
option is set, |
| |
but this can be regarded more of a quirk than intended behaviour. |
| .It Fl preserveDN |
.It Fl preserveDN |
| Normally, the DN order of a certificate is the same as the order of the |
Normally, the DN order of a certificate is the same as the order of the |
| fields in the relevant policy section. |
fields in the relevant policy section. |
|
|
| .It Fl spkac Ar file |
.It Fl spkac Ar file |
| A file containing a single Netscape signed public key and challenge, |
A file containing a single Netscape signed public key and challenge, |
| and additional field values to be signed by the CA. |
and additional field values to be signed by the CA. |
| See the |
This will usually come from the |
| .Sx SPKAC FORMAT |
KEYGEN tag in an HTML form to create a new private key. |
| section for information on the required format. |
It is, however, possible to create SPKACs using the |
| |
.Nm spkac |
| |
utility. |
| |
.Pp |
| |
The file should contain the variable SPKAC set to the value of |
| |
the SPKAC and also the required DN components as name value pairs. |
| |
If it's necessary to include the same component twice, |
| |
then it can be preceded by a number and a |
| |
.Sq \&. . |
| .It Fl ss_cert Ar file |
.It Fl ss_cert Ar file |
| A single self-signed certificate to be signed by the CA. |
A single self-signed certificate to be signed by the CA. |
| .It Fl startdate Ar date |
.It Fl startdate Ar date |
|
|
| The format of the date is YYMMDDHHMMSSZ |
The format of the date is YYMMDDHHMMSSZ |
| .Pq the same as an ASN1 UTCTime structure . |
.Pq the same as an ASN1 UTCTime structure . |
| .It Fl status Ar serial |
.It Fl status Ar serial |
| Show status of certificate with serial number |
Show the status of the certificate with serial number |
| .Ar serial . |
.Ar serial . |
| .It Fl updatedb |
.It Fl updatedb |
| Update database for expired certificates. |
Update database for expired certificates. |
| .It Fl verbose |
.It Fl verbose |
| This prints extra details about the operations being performed. |
This prints extra details about the operations being performed. |
| .El |
.El |
| .Sh CRL OPTIONS |
.Pp |
| |
The options relevant to CRLs are as follows: |
| .Bl -tag -width "XXXX" |
.Bl -tag -width "XXXX" |
| .It Fl crl_CA_compromise Ar time |
.It Fl crl_CA_compromise Ar time |
| This is the same as |
This is the same as |
|
|
| .It Fl crldays Ar num |
.It Fl crldays Ar num |
| The number of days before the next CRL is due. |
The number of days before the next CRL is due. |
| This is the days from now to place in the CRL |
This is the days from now to place in the CRL |
| .Em nextUpdate |
.Cm nextUpdate |
| field. |
field. |
| .It Fl crlexts Ar section |
.It Fl crlexts Ar section |
| The |
The |
|
|
| .Pq backslash , |
.Pq backslash , |
| no spaces are skipped. |
no spaces are skipped. |
| .El |
.El |
| .Sh CA CONFIGURATION FILE OPTIONS |
|
| The section of the configuration file containing options for |
|
| .Nm ca |
|
| is found as follows: |
|
| If the |
|
| .Fl name |
|
| command line option is used, then it names the section to be used. |
|
| Otherwise the section to be used must be named in the |
|
| .Em default_ca |
|
| option of the |
|
| .Em ca |
|
| section of the configuration file (or in the default section of the |
|
| configuration file). |
|
| Besides |
|
| .Em default_ca , |
|
| the following options are read directly from the |
|
| .Em ca |
|
| section: |
|
| .Pp |
.Pp |
| .Bl -tag -width Ds -offset indent -compact |
Many of the options can be set in the |
| .It preserve |
.Cm ca |
| .It msie_hack |
section of the configuration file |
| .El |
(or in the default section of the configuration file), |
| |
specified using |
| |
.Cm default_ca |
| |
or |
| |
.Fl name . |
| |
The options |
| |
.Cm preserve |
| |
and |
| |
.Cm msie_hack |
| |
are read directly from the |
| |
.Cm ca |
| |
section. |
| .Pp |
.Pp |
| This is probably a bug and may change in future releases. |
|
| .Pp |
|
| Many of the configuration file options are identical to command line |
Many of the configuration file options are identical to command line |
| options. |
options. |
| Where the option is present in the configuration file and the command line, |
Where the option is present in the configuration file and the command line, |
|
|
| .Pq if any |
.Pq if any |
| used. |
used. |
| .Bl -tag -width "XXXX" |
.Bl -tag -width "XXXX" |
| .It Ar certificate |
.It Cm certificate |
| The same as |
The same as |
| .Fl cert . |
.Fl cert . |
| It gives the file containing the CA certificate. |
It gives the file containing the CA certificate. |
| Mandatory. |
Mandatory. |
| .It Ar copy_extensions |
.It Cm copy_extensions |
| Determines how extensions in certificate requests should be handled. |
Determines how extensions in certificate requests should be handled. |
| If set to |
If set to |
| .Ar none |
.Cm none |
| or this option is not present, then extensions are |
or this option is not present, then extensions are |
| ignored and not copied to the certificate. |
ignored and not copied to the certificate. |
| If set to |
If set to |
| .Ar copy , |
.Cm copy , |
| then any extensions present in the request that are not already present |
then any extensions present in the request that are not already present |
| are copied to the certificate. |
are copied to the certificate. |
| If set to |
If set to |
| .Ar copyall , |
.Cm copyall , |
| then all extensions in the request are copied to the certificate: |
then all extensions in the request are copied to the certificate: |
| if the extension is already present in the certificate it is deleted first. |
if the extension is already present in the certificate it is deleted first. |
| See the |
|
| .Sx CA WARNINGS |
|
| section before using this option. |
|
| .Pp |
.Pp |
| |
The |
| |
.Cm copy_extensions |
| |
option should be used with caution. |
| |
If care is not taken, it can be a security risk. |
| |
For example, if a certificate request contains a |
| |
.Cm basicConstraints |
| |
extension with CA:TRUE and the |
| |
.Cm copy_extensions |
| |
value is set to |
| |
.Cm copyall |
| |
and the user does not spot |
| |
this when the certificate is displayed, then this will hand the requestor |
| |
a valid CA certificate. |
| |
.Pp |
| |
This situation can be avoided by setting |
| |
.Cm copy_extensions |
| |
to |
| |
.Cm copy |
| |
and including |
| |
.Cm basicConstraints |
| |
with CA:FALSE in the configuration file. |
| |
Then if the request contains a |
| |
.Cm basicConstraints |
| |
extension, it will be ignored. |
| |
.Pp |
| The main use of this option is to allow a certificate request to supply |
The main use of this option is to allow a certificate request to supply |
| values for certain extensions such as |
values for certain extensions such as |
| .Em subjectAltName . |
.Cm subjectAltName . |
| .It Ar crl_extensions |
.It Cm crl_extensions |
| The same as |
The same as |
| .Fl crlexts . |
.Fl crlexts . |
| .It Ar crlnumber |
.It Cm crlnumber |
| A text file containing the next CRL number to use in hex. |
A text file containing the next CRL number to use in hex. |
| The CRL number will be inserted in the CRLs only if this file exists. |
The CRL number will be inserted in the CRLs only if this file exists. |
| If this file is present, it must contain a valid CRL number. |
If this file is present, it must contain a valid CRL number. |
| .It Ar database |
.It Cm database |
| The text database file to use. |
The text database file to use. |
| Mandatory. |
Mandatory. |
| This file must be present, though initially it will be empty. |
This file must be present, though initially it will be empty. |
| .It Ar default_crl_hours , default_crl_days |
.It Cm default_crl_hours , default_crl_days |
| The same as the |
The same as the |
| .Fl crlhours |
.Fl crlhours |
| and |
and |
|
|
| options. |
options. |
| These will only be used if neither command line option is present. |
These will only be used if neither command line option is present. |
| At least one of these must be present to generate a CRL. |
At least one of these must be present to generate a CRL. |
| .It Ar default_days |
.It Cm default_days |
| The same as the |
The same as the |
| .Fl days |
.Fl days |
| option. |
option. |
| The number of days to certify a certificate for. |
The number of days to certify a certificate for. |
| .It Ar default_enddate |
.It Cm default_enddate |
| The same as the |
The same as the |
| .Fl enddate |
.Fl enddate |
| option. |
option. |
| Either this option or |
Either this option or |
| .Ar default_days |
.Cm default_days |
| .Pq or the command line equivalents |
.Pq or the command line equivalents |
| must be present. |
must be present. |
| .It Ar default_md |
.It Cm default_md |
| The same as the |
The same as the |
| .Fl md |
.Fl md |
| option. |
option. |
| The message digest to use. |
The message digest to use. |
| Mandatory. |
Mandatory. |
| .It Ar default_startdate |
.It Cm default_startdate |
| The same as the |
The same as the |
| .Fl startdate |
.Fl startdate |
| option. |
option. |
| The start date to certify a certificate for. |
The start date to certify a certificate for. |
| If not set, the current time is used. |
If not set, the current time is used. |
| .It Ar email_in_dn |
.It Cm email_in_dn |
| The same as |
The same as |
| .Fl noemailDN . |
.Fl noemailDN . |
| If the EMAIL field is to be removed from the DN of the certificate, |
If the EMAIL field is to be removed from the DN of the certificate, |
|
|
| .Qq no . |
.Qq no . |
| If not present, the default is to allow for the EMAIL field in the |
If not present, the default is to allow for the EMAIL field in the |
| certificate's DN. |
certificate's DN. |
| .It Ar msie_hack |
.It Cm msie_hack |
| The same as |
The same as |
| .Fl msie_hack . |
.Fl msie_hack . |
| .It Ar name_opt , cert_opt |
.It Cm name_opt , cert_opt |
| These options allow the format used to display the certificate details |
These options allow the format used to display the certificate details |
| when asking the user to confirm signing. |
when asking the user to confirm signing. |
| All the options supported by the |
All the options supported by the |
|
|
| and |
and |
| .Fl certopt |
.Fl certopt |
| switches can be used here, except that |
switches can be used here, except that |
| .Ar no_signame |
.Cm no_signame |
| and |
and |
| .Ar no_sigdump |
.Cm no_sigdump |
| are permanently set and cannot be disabled |
are permanently set and cannot be disabled |
| (this is because the certificate signature cannot be displayed because |
(this is because the certificate signature cannot be displayed because |
| the certificate has not been signed at this point). |
the certificate has not been signed at this point). |
| .Pp |
.Pp |
| For convenience, the value |
For convenience, the value |
| .Em ca_default |
.Cm ca_default |
| is accepted by both to produce a reasonable output. |
is accepted by both to produce a reasonable output. |
| .Pp |
.Pp |
| If neither option is present, the format used in earlier versions of |
If neither option is present, the format used in earlier versions of |
| .Nm OpenSSL |
.Nm openssl |
| is used. |
is used. |
| Use of the old format is |
Use of the old format is |
| .Em strongly |
.Em strongly |
| discouraged because it only displays fields mentioned in the |
discouraged because it only displays fields mentioned in the |
| .Ar policy |
.Cm policy |
| section, |
section, |
| mishandles multicharacter string types and does not display extensions. |
mishandles multicharacter string types and does not display extensions. |
| .It Ar new_certs_dir |
.It Cm new_certs_dir |
| The same as the |
The same as the |
| .Fl outdir |
.Fl outdir |
| command line option. |
command line option. |
| It specifies the directory where new certificates will be placed. |
It specifies the directory where new certificates will be placed. |
| Mandatory. |
Mandatory. |
| .It Ar oid_file |
.It Cm oid_file |
| This specifies a file containing additional object identifiers. |
This specifies a file containing additional object identifiers. |
| Each line of the file should consist of the numerical form of the |
Each line of the file should consist of the numerical form of the |
| object identifier followed by whitespace, then the short name followed |
object identifier followed by whitespace, then the short name followed |
| by whitespace and finally the long name. |
by whitespace and finally the long name. |
| .It Ar oid_section |
.It Cm oid_section |
| This specifies a section in the configuration file containing extra |
This specifies a section in the configuration file containing extra |
| object identifiers. |
object identifiers. |
| Each line should consist of the short name of the object identifier |
Each line should consist of the short name of the object identifier |
|
|
| .Sq = |
.Sq = |
| and the numerical form. |
and the numerical form. |
| The short and long names are the same when this option is used. |
The short and long names are the same when this option is used. |
| .It Ar policy |
.It Cm policy |
| The same as |
The same as |
| .Fl policy . |
.Fl policy . |
| Mandatory. |
Mandatory. |
| See the |
.It Cm preserve |
| .Sx CA POLICY FORMAT |
|
| section for more information. |
|
| .It Ar preserve |
|
| The same as |
The same as |
| .Fl preserveDN . |
.Fl preserveDN . |
| .It Ar private_key |
.It Cm private_key |
| Same as the |
Same as the |
| .Fl keyfile |
.Fl keyfile |
| option. |
option. |
| The file containing the CA private key. |
The file containing the CA private key. |
| Mandatory. |
Mandatory. |
| .It Ar serial |
.It Cm serial |
| A text file containing the next serial number to use in hex. |
A text file containing the next serial number to use in hex. |
| Mandatory. |
Mandatory. |
| This file must be present and contain a valid serial number. |
This file must be present and contain a valid serial number. |
| .It Ar unique_subject |
.It Cm unique_subject |
| If the value |
If the value |
| .Ar yes |
.Cm yes |
| is given, the valid certificate entries in the |
is given, the valid certificate entries in the |
| database must have unique subjects. |
database must have unique subjects. |
| If the value |
If the value |
| .Ar no |
.Cm no |
| is given, |
is given, |
| several valid certificate entries may have the exact same subject. |
several valid certificate entries may have the exact same subject. |
| The default value is |
The default value is |
| .Ar yes . |
.Cm yes . |
| .It Ar x509_extensions |
.It Cm x509_extensions |
| The same as |
The same as |
| .Fl extensions . |
.Fl extensions . |
| .El |
.El |
| .Sh CA POLICY FORMAT |
|
| The policy section consists of a set of variables corresponding to |
|
| certificate DN fields. |
|
| If the value is |
|
| .Qq match , |
|
| then the field value must match the same field in the CA certificate. |
|
| If the value is |
|
| .Qq supplied , |
|
| then it must be present. |
|
| If the value is |
|
| .Qq optional , |
|
| then it may be present. |
|
| Any fields not mentioned in the policy section |
|
| are silently deleted, unless the |
|
| .Fl preserveDN |
|
| option is set, |
|
| but this can be regarded more of a quirk than intended behaviour. |
|
| .Sh SPKAC FORMAT |
|
| The input to the |
|
| .Fl spkac |
|
| command line option is a Netscape signed public key and challenge. |
|
| This will usually come from the |
|
| .Em KEYGEN |
|
| tag in an HTML form to create a new private key. |
|
| It is, however, possible to create SPKACs using the |
|
| .Nm spkac |
|
| utility. |
|
| .Pp |
|
| The file should contain the variable SPKAC set to the value of |
|
| the SPKAC and also the required DN components as name value pairs. |
|
| If it's necessary to include the same component twice, |
|
| then it can be preceded by a number and a |
|
| .Sq \&. . |
|
| .Sh CA EXAMPLES |
|
| .Sy Note : |
|
| these examples assume that the |
|
| .Nm ca |
|
| directory structure is already set up and the relevant files already exist. |
|
| This usually involves creating a CA certificate and private key with |
|
| .Cm req , |
|
| a serial number file and an empty index file and placing them in |
|
| the relevant directories. |
|
| .Pp |
|
| To use the sample configuration file below, the directories |
|
| .Pa demoCA , |
|
| .Pa demoCA/private |
|
| and |
|
| .Pa demoCA/newcerts |
|
| would be created. |
|
| The CA certificate would be copied to |
|
| .Pa demoCA/cacert.pem |
|
| and its private key to |
|
| .Pa demoCA/private/cakey.pem . |
|
| A file |
|
| .Pa demoCA/serial |
|
| would be created containing, for example, |
|
| .Qq 01 |
|
| and the empty index file |
|
| .Pa demoCA/index.txt . |
|
| .Pp |
|
| Sign a certificate request: |
|
| .Pp |
|
| .Dl $ openssl ca -in req.pem -out newcert.pem |
|
| .Pp |
|
| Sign a certificate request, using CA extensions: |
|
| .Pp |
|
| .Dl $ openssl ca -in req.pem -extensions v3_ca -out newcert.pem |
|
| .Pp |
|
| Generate a CRL: |
|
| .Pp |
|
| .Dl $ openssl ca -gencrl -out crl.pem |
|
| .Pp |
|
| Sign several requests: |
|
| .Pp |
|
| .Dl $ openssl ca -infiles req1.pem req2.pem req3.pem |
|
| .Pp |
|
| Certify a Netscape SPKAC: |
|
| .Pp |
|
| .Dl $ openssl ca -spkac spkac.txt |
|
| .Pp |
|
| A sample SPKAC file |
|
| .Pq the SPKAC line has been truncated for clarity : |
|
| .Bd -literal -offset indent |
|
| SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK |
|
| CN=Steve Test |
|
| emailAddress=steve@openssl.org |
|
| 0.OU=OpenSSL Group |
|
| 1.OU=Another Group |
|
| .Ed |
|
| .Pp |
|
| A sample configuration file with the relevant sections for |
|
| .Nm ca : |
|
| .Bd -literal |
|
| \& [ ca ] |
|
| \& default_ca = CA_default # The default ca section |
|
| |
|
| \& [ CA_default ] |
|
| |
|
| \& dir = ./demoCA # top dir |
|
| \& database = $dir/index.txt # index file |
|
| \& new_certs_dir = $dir/newcerts # new certs dir |
|
| |
|
| \& certificate = $dir/cacert.pem # The CA cert |
|
| \& serial = $dir/serial # serial no file |
|
| \& private_key = $dir/private/cakey.pem# CA private key |
|
| |
|
| \& default_days = 365 # how long to certify for |
|
| \& default_crl_days= 30 # how long before next CRL |
|
| \& default_md = md5 # md to use |
|
| |
|
| \& policy = policy_any # default policy |
|
| \& email_in_dn = no # Don't add the email into cert DN |
|
| |
|
| \& name_opt = ca_default # Subject name display option |
|
| \& cert_opt = ca_default # Certificate display option |
|
| \& copy_extensions = none #Don't copy extensions from request |
|
| |
|
| \& [ policy_any ] |
|
| \& countryName = supplied |
|
| \& stateOrProvinceName = optional |
|
| \& organizationName = optional |
|
| \& organizationalUnitName = optional |
|
| \& commonName = supplied |
|
| \& emailAddress = optional |
|
| .Ed |
|
| .Sh CA FILES |
|
| .Sy Note : |
|
| the location of all files can change either by compile time options, |
|
| configuration file entries, environment variables, or command line options. |
|
| The values below reflect the default values. |
|
| .Bd -literal -offset indent |
|
| /etc/ssl/openssl.cnf - master configuration file |
|
| \&./demoCA - main CA directory |
|
| \&./demoCA/cacert.pem - CA certificate |
|
| \&./demoCA/private/cakey.pem - CA private key |
|
| \&./demoCA/serial - CA serial number file |
|
| \&./demoCA/serial.old - CA serial number backup file |
|
| \&./demoCA/index.txt - CA text database file |
|
| \&./demoCA/index.txt.old - CA text database backup file |
|
| \&./demoCA/certs - certificate output file |
|
| .Ed |
|
| .Sh CA ENVIRONMENT VARIABLES |
|
| .Ev OPENSSL_CONF |
|
| reflects the location of the master configuration file; |
|
| it can be overridden by the |
|
| .Fl config |
|
| command line option. |
|
| .Sh CA RESTRICTIONS |
|
| The text database index file is a critical part of the process, |
|
| and if corrupted it can be difficult to fix. |
|
| It is theoretically possible to rebuild the index file from all the |
|
| issued certificates and a current CRL; however there is no option to do this. |
|
| .Pp |
|
| V2 CRL features like delta CRLs are not currently supported. |
|
| .Pp |
|
| Although several requests can be input and handled at once, it is only |
|
| possible to include one SPKAC or self-signed certificate. |
|
| .Sh CA BUGS |
|
| The use of an in-memory text database can cause problems when large |
|
| numbers of certificates are present because, as the name implies, |
|
| the database has to be kept in memory. |
|
| .Pp |
|
| It is not possible to certify two certificates with the same DN; this |
|
| is a side effect of how the text database is indexed and it cannot easily |
|
| be fixed without introducing other problems. |
|
| Some S/MIME clients can use two certificates with the same DN for separate |
|
| signing and encryption keys. |
|
| .Pp |
|
| The |
|
| .Nm ca |
|
| command really needs rewriting or the required functionality |
|
| exposed at either a command or interface level so a more friendly utility |
|
| .Pq perl script or GUI |
|
| can handle things properly. |
|
| .Pp |
|
| Any fields in a request that are not present in a policy are silently |
|
| deleted. |
|
| This does not happen if the |
|
| .Fl preserveDN |
|
| option is used. |
|
| To enforce the absence of the EMAIL field within the DN, as suggested |
|
| by RFCs, regardless of the contents of the request's subject the |
|
| .Fl noemailDN |
|
| option can be used. |
|
| The behaviour should be more friendly and configurable. |
|
| .Pp |
|
| Cancelling some commands by refusing to certify a certificate can |
|
| create an empty file. |
|
| .Sh CA WARNINGS |
|
| The |
|
| .Nm ca |
|
| command is quirky and at times downright unfriendly. |
|
| .Pp |
|
| The |
|
| .Nm ca |
|
| utility was originally meant as an example of how to do things in a CA. |
|
| It was not supposed to be used as a full blown CA itself: |
|
| nevertheless some people are using it for this purpose. |
|
| .Pp |
|
| The |
|
| .Nm ca |
|
| command is effectively a single user command: no locking is done on the |
|
| various files, and attempts to run more than one |
|
| .Nm ca |
|
| command on the same database can have unpredictable results. |
|
| .Pp |
|
| The |
|
| .Ar copy_extensions |
|
| option should be used with caution. |
|
| If care is not taken, it can be a security risk. |
|
| For example, if a certificate request contains a |
|
| .Em basicConstraints |
|
| extension with CA:TRUE and the |
|
| .Ar copy_extensions |
|
| value is set to |
|
| .Ar copyall |
|
| and the user does not spot |
|
| this when the certificate is displayed, then this will hand the requestor |
|
| a valid CA certificate. |
|
| .Pp |
|
| This situation can be avoided by setting |
|
| .Ar copy_extensions |
|
| to |
|
| .Ar copy |
|
| and including |
|
| .Em basicConstraints |
|
| with CA:FALSE in the configuration file. |
|
| Then if the request contains a |
|
| .Em basicConstraints |
|
| extension, it will be ignored. |
|
| .Pp |
|
| It is advisable to also include values for other extensions such |
|
| as |
|
| .Ar keyUsage |
|
| to prevent a request supplying its own values. |
|
| .Pp |
|
| Additional restrictions can be placed on the CA certificate itself. |
|
| For example if the CA certificate has: |
|
| .Pp |
|
| .D1 basicConstraints = CA:TRUE, pathlen:0 |
|
| .Pp |
|
| then even if a certificate is issued with CA:TRUE it will not be valid. |
|
| .\" |
.\" |
| .\" CIPHERS |
.\" CIPHERS |
| .\" |
.\" |
|
|
| This can be used to send the data via a pipe for example. |
This can be used to send the data via a pipe for example. |
| .It Ar stdin |
.It Ar stdin |
| Read the password from standard input. |
Read the password from standard input. |
| |
.El |
| |
.Sh ENVIRONMENT |
| |
The following environment variables affect the execution of |
| |
.Nm openssl : |
| |
.Bl -tag -width "OPENSSL_CONFXXX" |
| |
.It Ev OPENSSL_CONF |
| |
The location of the master configuration file. |
| .El |
.El |
| .\" |
.\" |
| .\" FILES |
.\" FILES |
![[BACK]](/icons/back.gif){kind=icon}
Return to openssl.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl