OpenSSL CA(1openssl)

NAME
ca - sample minimal CA application

SYNOPSIS
openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section] [-extfile section] [-engine id] [-subj arg] [-utf8] [-multivalue-rdn]
DESCRIPTION
The ca command is a minimal CA application. It can be used to sign certificate requests in a variety of forms and generate CRLs. It also maintains a text database of issued certificates and their status.

The options descriptions will be divided into each purpose.

CA OPTIONS
-config filename
    specifies the configuration file to use.

-name section
    specifies the configuration file section to use (overrides default_ca in the ca section).

-in filename
    an input filename containing a single certificate request to be signed by the CA.

-ss_cert filename
    a single self signed certificate to be signed by the CA.

-spkac filename
    a file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the SPKAC FORMAT section for information on the required format.

-infiles
    if present this should be the last option, all subsequent arguments are assumed to be the names of files containing certificate requests.

-out filename
    the output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file.

15/Jul/2005 Last change: 0.9.8o 1 OpenSSL CA(1openssl)

-outdir directory
    the directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with ".pem" appended.

-cert
    the CA certificate file.
-keyfile filename
    the private key to sign requests with.

-key password
    the password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the 'ps' utility) this option should be used with caution.

-selfsign
    indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with -keyfile). Certificate requests signed with a different key are ignored. If -spkac, -ss_cert or -gencrl are given, -selfsign is ignored.

    A consequence of using -selfsign is that the self-signed certificate appears among the entries in the certificate database (see the configuration option database), and uses the same serial number counter as all other certificates signed with the self-signed certificate.

-passin arg
    the key password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).

-verbose
    this prints extra details about the operations being performed.

-notext
    don't output the text form of a certificate to the output file.

-startdate date
    this allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).

-enddate date
    this allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).

-days arg
    the number of days to certify the certificate for.
-md alg
    the message digest to use. Possible values include md5, sha1 and mdc2. This option also applies to CRLs.

-policy arg
    this option defines the CA "policy" to use. This is a section in the configuration file which decides which fields should be mandatory or match the CA certificate. Check out the POLICY FORMAT section for more information.

-msie_hack
    this is a legacy option to make ca work with very old versions of the IE certificate enrollment control "certenr3". It used UniversalStrings for almost everything. Since the old control has various security bugs its use is strongly discouraged. The newer control "Xenroll" does not need this option.

-preserveDN
    Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.

-noemailDN
    The DN of a certificate can contain the EMAIL field if present in the request DN, however it is good policy just having the e-mail set into the altName extension of the certificate. When this option is set the EMAIL field is removed from the certificate's subject and set only in the, eventually present, extensions. The email_in_dn keyword can be used in the configuration file to enable this behaviour.

-batch
    this sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically.
-extensions section
    the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no extension section is present then a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created.

-extfile file
    an additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used).

-engine id
    specifying an engine (by its unique id string) will cause ca to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.

-subj arg
    supersedes the subject name given in the request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.

-utf8
    this option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.

-multivalue-rdn
    this option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example:

    /DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe

    If -multivalue-rdn is not used then the UID value is 123456+CN=John Doe.

CRL OPTIONS
-gencrl
    this option generates a CRL based on information in the index file.

-crldays num
    the number of days before the next CRL is due. That is the days from now to place in the CRL nextUpdate field.

-crlhours num
    the number of hours before the next CRL is due.

-revoke filename
    a filename containing a certificate to revoke.
-crl_reason reason
    revocation reason, where reason is one of: unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold or removeFromCRL. The matching of reason is case insensitive. Setting any revocation reason will make the CRL v2. In practice removeFromCRL is not particularly useful because it is only used in delta CRLs which are not currently implemented.

-crl_hold instruction
    This sets the CRL revocation reason code to certificateHold and the hold instruction to instruction which must be an OID. Although any OID can be used only holdInstructionNone (the use of which is discouraged by RFC2459) holdInstructionCallIssuer or holdInstructionReject will normally be used.

-crl_compromise time
    This sets the revocation reason to keyCompromise and the compromise time to time. time should be in GeneralizedTime format that is YYYYMMDDHHMMSSZ.

-crl_CA_compromise time
    This is the same as crl_compromise except the revocation reason is set to CACompromise.

-crlexts section
    the section of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and not CRL entry extensions. It should be noted that some software (for example Netscape) can't handle V2 CRLs.

CONFIGURATION FILE OPTIONS
The section of the configuration file containing options for ca is found as follows: If the -name command line option is used, then it names the section to be used. Otherwise the section to be used must be named in the default_ca option of the ca section of the configuration file (or in the default section of the configuration file). Besides default_ca, the following options are read directly from the ca section:

    RANDFILE
    preserve
    msie_hack

With the exception of RANDFILE, this is probably a bug and may change in future releases.

Many of the configuration file options are identical to command line options. Where the option is present in the configuration file and the command line the command line value is used. Where an option is described as mandatory then it must be present in the configuration file or the command line equivalent (if any) used.

oid_file
    This specifies a file containing additional OBJECT IDENTIFIERS. Each line of the file should consist of the numerical form of the object identifier followed by white space then the short name followed by white space and finally the long name.

oid_section
    This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by = and the numerical form. The short and long names are the same when this option is used.

new_certs_dir
    the same as the -outdir command line option. It specifies the directory where new certificates will be placed. Mandatory.

certificate
    the same as -cert. It gives the file containing the CA certificate. Mandatory.
private_key
    same as the -keyfile option. The file containing the CA private key. Mandatory.

RANDFILE
    a file used to read and write random number seed information, or an EGD socket (see RAND_egd(3)).

default_days
    the same as the -days option. The number of days to certify a certificate for.
default_startdate
    the same as the -startdate option. The start date to certify a certificate for. If not set the current time is used.

default_enddate
    the same as the -enddate option. Either this option or default_days (or the command line equivalents) must be present.

default_crl_hours default_crl_days
    the same as the -crlhours and the -crldays options. These will only be used if neither command line option is present. At least one of these must be present to generate a CRL.

default_md
    the same as the -md option. The message digest to use. Mandatory.

database
    the text database file to use. Mandatory. This file must be present though initially it will be empty.

unique_subject
    if the value yes is given, the valid certificate entries in the database must have unique subjects. If the value no is given, several valid certificate entries may have the exact same subject. The default value is yes, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value no, especially if combined with the -selfsign command line option.

serial
    a text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number.

crlnumber
    a text file containing the next CRL number to use in hex. The crl number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid CRL number.

x509_extensions
    the same as -extensions.

crl_extensions
    the same as -crlexts.
preserve
    the same as -preserveDN

email_in_dn
    the same as -noemailDN. If you want the EMAIL field to be removed from the DN of the certificate simply set this to 'no'. If not present the default is to allow for the EMAIL field in the certificate's DN.
msie_hack
    the same as -msie_hack
policy
    the same as -policy. Mandatory. See the POLICY FORMAT section for more information.

name_opt, cert_opt
    these options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the x509 utilities -nameopt and -certopt switches can be used here, except the no_signame and no_sigdump are permanently set and cannot be disabled (this is because the certificate signature cannot be displayed because the certificate has not been signed at this point).

    For convenience the values ca_default are accepted by both to produce a reasonable output.

    If neither option is present the format used in earlier versions of OpenSSL is used. Use of the old format is strongly discouraged because it only displays fields mentioned in the policy section, mishandles multicharacter string types and does not display extensions.

copy_extensions
    determines how extensions in certificate requests should be handled. If set to none or this option is not present then extensions are ignored and not copied to the certificate. If set to copy then any extensions present in the request that are not already present are copied to the certificate. If set to copyall then all extensions in the request are copied to the certificate: if the extension is already present in the certificate it is deleted first. See the WARNINGS section before using this option.

    The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.

POLICY FORMAT
The policy section consists of a set of variables corresponding to certificate DN fields. If the value is "match" then the field value must match the same field in the CA certificate. If the value is "supplied" then it must be present. If the value is "optional" then it may be present. Any fields not mentioned in the policy section are silently deleted, unless the -preserveDN option is set but this can be regarded more of a quirk than intended behaviour.

SPKAC FORMAT
The input to the -spkac command line option is a Netscape signed public key and challenge. This will usually come from the KEYGEN tag in an HTML form to create a new private key. It is however possible to create SPKACs using the spkac utility.

The file should contain the variable SPKAC set to the value of the SPKAC and also the required DN components as name value pairs. If you need to include the same component twice then it can be preceded by a number and a '.'.
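As an added example (not OpenSSL's own code), the following Python reproduces the two pieces of DN handling described above: how a -subj string is split into RDNs, with and without -multivalue-rdn and with backslash escaping, and how a policy section with match/supplied/optional values is applied against the CA certificate's subject. The CA subject and policy values are constructed for the example, and the short/long attribute name mapping OpenSSL itself performs is left out.

```python
from typing import Dict, List, Tuple

Attr = Tuple[str, str]      # one type=value attribute
RDN = List[Attr]            # one RDN: a single attribute, or several joined by '+'
DN = List[RDN]


def parse_subj(arg: str, multivalue_rdn: bool = False) -> DN:
    """Parse a -subj string of the form /type0=value0/type1=value1/...
    '/' separates RDNs, a backslash escapes the next character and spaces are
    kept. With multivalue_rdn=True (-multivalue-rdn) a '+' joins attributes
    into one RDN; without it '+' is ordinary value text, as the man page says."""
    if not arg.startswith("/"):
        raise ValueError("subject must start with '/'")
    dn: DN = []
    rdn: RDN = []
    buf: List[str] = []          # characters of the attribute being read

    def end_attr() -> None:
        text = "".join(buf)
        if "=" not in text:
            raise ValueError("attribute without '=': %r" % text)
        typ, val = text.split("=", 1)
        rdn.append((typ, val))
        buf.clear()

    i, n = 1, len(arg)
    while i < n:
        c = arg[i]
        if c == "\\" and i + 1 < n:        # escaped character, taken literally
            buf.append(arg[i + 1])
            i += 2
            continue
        if c == "/":                       # end of the current RDN
            end_attr()
            dn.append(rdn)
            rdn = []
        elif c == "+" and multivalue_rdn:  # next attribute of the same RDN
            end_attr()
        else:
            buf.append(c)
        i += 1
    end_attr()
    dn.append(rdn)
    return dn


def apply_policy(req_dn: DN, ca_dn: DN, policy: Dict[str, str]) -> DN:
    """Apply a [policy] section as POLICY FORMAT describes: 'match' must equal
    the CA certificate's value, 'supplied' must be present, 'optional' may be,
    and fields the policy does not mention are silently dropped. The issued DN
    follows the policy's field order (the behaviour without -preserveDN).
    Names are compared literally; OpenSSL's C / countryName aliasing is omitted."""
    req: List[Attr] = [a for rdn in req_dn for a in rdn]
    ca: Dict[str, str] = {t: v for rdn in ca_dn for t, v in rdn}
    issued: DN = []
    for field, rule in policy.items():
        values = [v for t, v in req if t == field]
        if rule == "match":
            if not values or any(v != ca.get(field) for v in values):
                raise ValueError("%s must match the CA certificate" % field)
        elif rule == "supplied":
            if not values:
                raise ValueError("%s must be supplied" % field)
        elif rule != "optional":
            raise ValueError("unknown policy value %r for %s" % (rule, field))
        issued.extend([(field, v)] for v in values)
    return issued


# Constructed CA subject and policy (short names rather than the long names the
# man page's policy_any section uses, so they line up with -subj style input).
CA_DN = parse_subj("/C=GB/O=OpenSSL Group/CN=Test CA")
POLICY = {"C": "match", "ST": "optional", "O": "match", "OU": "optional",
          "CN": "supplied", "emailAddress": "optional"}

if __name__ == "__main__":
    print(parse_subj("/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe", True))
    print(parse_subj("/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe"))
    print(apply_policy(parse_subj("/C=GB/O=OpenSSL Group/OU=Dev/CN=Steve Test/UID=42"),
                       CA_DN, POLICY))
```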
EXAMPLES
Note: these examples assume that the ca directory structure is already set up and the relevant files already exist. This usually involves creating a CA certificate and private key with req, a serial number file and an empty index file and placing them in the relevant directories.

To use the sample configuration file below the directories demoCA, demoCA/private and demoCA/newcerts would be created. The CA certificate would be copied to demoCA/cacert.pem and its private key to demoCA/private/cakey.pem. A file demoCA/serial would be created containing for example "01" and the empty index file demoCA/index.txt.

Sign a certificate request:

    openssl ca -in req.pem -out newcert.pem

Sign a certificate request, using CA extensions:

    openssl ca -in req.pem -extensions v3_ca -out newcert.pem

Generate a CRL

    openssl ca -gencrl -out crl.pem

Sign several requests:

    openssl ca -infiles req1.pem req2.pem req3.pem

Certify a Netscape SPKAC:

    openssl ca -spkac spkac.txt
A sample SPKAC file (the SPKAC line has been truncated for clarity):

    SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
    CN=Steve Test
    emailAddress=steve@openssl.org
    0.OU=OpenSSL Group
    1.OU=Another Group

A sample configuration file with the relevant sections for ca:
    [ ca ]
    default_ca = CA_default # The default ca section

    [ CA_default ]
    dir = ./demoCA # top dir
    database = $dir/index.txt # index file.
    new_certs_dir = $dir/newcerts # new certs dir
    certificate = $dir/cacert.pem # The CA cert
    serial = $dir/serial # serial no file
    private_key = $dir/private/cakey.pem # CA private key
    RANDFILE = $dir/private/.rand # random number file
    default_days = 365 # how long to certify for
    default_crl_days= 30 # how long before next CRL
    default_md = md5 # md to use
    policy = policy_any # default policy
    email_in_dn = no # Don't add the email into cert DN
    name_opt = ca_default # Subject name display option
    cert_opt = ca_default # Certificate display option
    copy_extensions = none # Don't copy extensions from request
    [ policy_any ]
    countryName = supplied
    stateOrProvinceName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

FILES
Note: the location of all files can change either by compile time options, configuration file entries, environment variables or command line options. The values below reflect the default values.

    /usr/local/ssl/lib/openssl.cnf - master configuration file
    ./demoCA - main CA directory
    ./demoCA/cacert.pem - CA certificate
    ./demoCA/private/cakey.pem - CA private key
    ./demoCA/serial - CA serial number file
    ./demoCA/serial.old - CA serial number backup file
    ./demoCA/index.txt - CA text database file
    ./demoCA/index.txt.old - CA text database backup file
    ./demoCA/certs - certificate output file
    ./demoCA/.rnd - CA random seed information
ENVIRONMENT VARIABLES
OPENSSL_CONF reflects the location of the master configuration file; it can be overridden by the -config command line option.

RESTRICTIONS
The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current CRL: however there is no option to do this.

V2 CRL features like delta CRLs are not currently supported.

Although several requests can be input and handled at once it is only possible to include one SPKAC or self signed certificate.
BUGS
The use of an in memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory.

The ca command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility (perl script or GUI) can handle things properly. The scripts CA.sh and CA.pl help a little but not very much.

Any fields in a request that are not present in a policy are silently deleted. This does not happen if the -preserveDN option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless the contents of the request's subject the -noemailDN option can be used. The behaviour should be more friendly and configurable.

Cancelling some commands by refusing to certify a certificate can create an empty file.
WARNINGS
The ca command is quirky and at times downright unfriendly.

The ca utility was originally meant as an example of how to do things in a CA. It was not supposed to be used as a full blown CA itself: nevertheless some people are using it for this purpose.

The ca command is effectively a single user command: no locking is done on the various files and attempts to run more than one ca command on the same database can have unpredictable results.

The copy_extensions option should be used with caution. If care is not taken then it can be a security risk. For example if a certificate request contains a basicConstraints extension with CA:TRUE and the copy_extensions value is set to copyall and the user does not spot this when the certificate is displayed then this will hand the requestor a valid CA certificate.
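The risk described above, worked through in Python as an added example (not OpenSSL's own code): merge_extensions follows the copy_extensions semantics given in the CONFIGURATION FILE OPTIONS section, and the request and configuration values are constructed to show a request carrying CA:TRUE against a section that copies everything and against a section that pins basicConstraints and keyUsage in the configuration file.

```python
from typing import Dict, List

Extensions = Dict[str, str]   # extension name -> value string, as in a config section


def merge_extensions(configured: Extensions, requested: Extensions,
                     copy_extensions: str) -> Extensions:
    """Combine the configured extension section with the request's extensions
    according to the copy_extensions value the man page describes."""
    issued = dict(configured)
    if copy_extensions == "none":        # request extensions are ignored
        return issued
    if copy_extensions == "copy":        # only extensions not already configured
        for name, value in requested.items():
            issued.setdefault(name, value)
        return issued
    if copy_extensions == "copyall":     # everything, replacing configured ones
        issued.update(requested)
        return issued
    raise ValueError("unknown copy_extensions value: %r" % copy_extensions)


def grants_ca(exts: Extensions) -> bool:
    """True if the basicConstraints value marks the certificate as a CA."""
    parts = [p.strip().upper() for p in exts.get("basicConstraints", "").split(",")]
    return "CA:TRUE" in parts


def audit(configured: Extensions, copy_extensions: str) -> List[str]:
    """Findings a reviewer would raise about a CA extension section, following
    the advice in the WARNINGS section."""
    findings: List[str] = []
    if copy_extensions == "copyall":
        findings.append("copyall lets a request replace every configured extension")
    if copy_extensions != "none":
        for name in ("basicConstraints", "keyUsage"):
            if name not in configured:
                findings.append("%s not pinned in config; the request may supply it" % name)
    return findings


# Constructed request extensions: a request that carries CA:TRUE.
REQUEST_EXTS: Extensions = {"basicConstraints": "CA:TRUE",
                            "keyUsage": "keyCertSign, cRLSign",
                            "subjectAltName": "DNS:www.example.test"}
# Weak section: nothing pinned, everything copied from the request.
WEAK_EXTS: Extensions = {}
WEAK_MODE = "copyall"
# Hardened section: CA:FALSE and keyUsage pinned, only missing extensions copied.
HARDENED_EXTS: Extensions = {"basicConstraints": "CA:FALSE",
                             "keyUsage": "digitalSignature, keyEncipherment"}
HARDENED_MODE = "copy"

if __name__ == "__main__":
    print(grants_ca(merge_extensions(WEAK_EXTS, REQUEST_EXTS, WEAK_MODE)))          # True
    print(grants_ca(merge_extensions(HARDENED_EXTS, REQUEST_EXTS, HARDENED_MODE)))  # False
    print(audit(WEAK_EXTS, WEAK_MODE))
```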
This situation can be avoided by setting copy_extensions to copy and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored. It is advisable to also include values for other extensions such as keyUsage to prevent a request supplying its own values.

Additional restrictions can be placed on the CA certificate itself. For example if the CA certificate has:

    basicConstraints = CA:TRUE, pathlen:0

then even if a certificate is issued with CA:TRUE it will not be valid.

SEE ALSO
req(1), spkac(1), x509(1), CA.pl(1), config(5)