CA.pl.pod 6.7 KB

=pod

=head1 NAME

CA.pl - friendlier interface for OpenSSL certificate programs

=head1 SYNOPSIS

B<CA.pl>
B<-?> |
B<-h> |
B<-help>

B<CA.pl>
B<-newcert> |
B<-newreq> |
B<-newreq-nodes> |
B<-xsign> |
B<-sign> |
B<-signCA> |
B<-signcert> |
B<-crl> |
B<-newca>
[B<-extra-cmd> I<extra-params>]

B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> I<extra-params>] [I<certname>]

B<CA.pl> B<-verify> [B<-extra-verify> I<extra-params>] I<certfile> ...

B<CA.pl> B<-revoke> [B<-extra-ca> I<extra-params>] I<certfile> [I<reason>]

=head1 DESCRIPTION

The B<CA.pl> script is a Perl script that supplies the relevant command line
arguments to the L<openssl(1)> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.

=head1 OPTIONS

=over 4

=item B<-?>, B<-h>, B<-help>

Prints a usage message.

=item B<-newcert>

Creates a new self-signed certificate. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
Invokes L<openssl-req(1)>.

=item B<-newreq>

Creates a new certificate request. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
Executes L<openssl-req(1)> under the hood.

=item B<-newreq-nodes>

Like B<-newreq>, except that the private key will not be encrypted.
Uses L<openssl-req(1)>.

=item B<-newca>

Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificates (which should also contain the private key); if ENTER is pressed
instead, the details of the CA are prompted for. The relevant files and
directories are created in a directory called F<demoCA> in the current
directory.
Uses L<openssl-req(1)> and L<openssl-ca(1)>.

=item B<-pkcs12>

Creates a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
file F<newcert.pem> and the CA certificate to be in the file
F<demoCA/cacert.pem>; it creates the file F<newcert.p12>. This command can
thus be called after the B<-sign> option. The PKCS#12 file can be imported
directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
Delegates work to L<openssl-pkcs12(1)>.

=item B<-sign>, B<-signcert>, B<-xsign>

Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
request to be in the file F<newreq.pem>. The new certificate is written to the
file F<newcert.pem>, except in the case of the B<-xsign> option, when it is
written to standard output.

=item B<-signCA>

This option is the same as the B<-signreq> option except that it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating an intermediate CA from
a root CA. Extra params are passed to L<openssl-ca(1)>.

=item B<-signcert>

This option is the same as B<-sign> except that it expects a self-signed
certificate to be present in the file F<newreq.pem>.
Extra params are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.

=item B<-crl>

Generates a CRL. Executes L<openssl-ca(1)>.

=item B<-revoke> I<certfile> [I<reason>]

Revokes the certificate contained in the specified B<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
Leverages L<openssl-ca(1)>.

=item B<-verify>

Verifies certificates against the CA certificate for F<demoCA>. If no
certificates are specified on the command line it tries to verify the file
F<newcert.pem>. Invokes L<openssl-verify(1)>.

=item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> I<extra-params>

For each option B<extra-I<cmd>>, pass I<extra-params> to the L<openssl(1)>
sub-command with the same name as I<cmd>, if that sub-command is invoked.
For example, if L<openssl-req(1)> is invoked, the I<extra-params> given with
B<-extra-req> will be passed to it.

Users should consult the L<openssl(1)> command documentation for more
information.

=back

=head1 EXAMPLES

Create a CA hierarchy:

 CA.pl -newca

Complete certificate creation example: create a CA, create a request, sign
the request and finally create a PKCS#12 file containing it.

 CA.pl -newca
 CA.pl -newreq
 CA.pl -signreq
 CA.pl -pkcs12 "My Test Certificate"
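The same lifecycle as the example above, carried on through B<-revoke> and B<-crl>, but driven with openssl(1) directly in the way the NOTES recommend when more control is wanted; it shows that a revoked certificate verifies before revocation and is rejected once the CRL is checked. This is an added example, not part of this manual page or of the CA.pl script; it assumes an openssl binary on the path, writes its own minimal configuration file (a constructed stand-in for the real openssl.cnf), and uses constructed subject names.

```shell
#!/bin/sh
# Added example, not code from this page or the OpenSSL project: the CA.pl
# workflow driven with openssl(1) directly, same demoCA layout and file names.
# Minimal config assumed sufficient for req and ca; subject names constructed.
set -eu

# Create the layout CA.pl -newca expects, plus the config, under directory $1.
setup_demo_ca() {
  mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts"
  : >"$1/demoCA/index.txt"
  echo 01 >"$1/demoCA/serial"
  echo 01 >"$1/demoCA/crlnumber"
  printf '%s\n' '[ca]' 'default_ca=CA_default' '[CA_default]' 'dir=./demoCA' \
    'database=$dir/index.txt' 'new_certs_dir=$dir/newcerts' \
    'certificate=$dir/cacert.pem' 'private_key=$dir/private/cakey.pem' \
    'serial=$dir/serial' 'crlnumber=$dir/crlnumber' 'default_md=sha256' \
    'default_days=365' 'default_crl_days=30' 'policy=policy_anything' \
    '[policy_anything]' 'commonName=supplied' '[req]' \
    'distinguished_name=req_dn' '[req_dn]' 'commonName=CN' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' >"$1/ca.cnf"
}

# -newca, -newreq-nodes, -sign, -verify, then -revoke and -crl, inside $1.
# Returns 0 only if the cert verifies before revocation and is rejected after.
run_ca_lifecycle() (
  cd "$1" || exit 1
  # -newca: self-signed CA certificate carrying the v3_ca extensions
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj '/CN=Example Test CA' -keyout demoCA/private/cakey.pem \
    -out demoCA/cacert.pem -days 365 2>/dev/null || exit 1
  # -newreq-nodes: request plus unencrypted key
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=test user' \
    -keyout newkey.pem -out newreq.pem 2>/dev/null || exit 1
  # -sign: openssl ca signs newreq.pem into newcert.pem
  openssl ca -batch -config ca.cnf -in newreq.pem -out newcert.pem 2>/dev/null || exit 1
  # -verify: must succeed while the certificate is unrevoked
  openssl verify -CAfile demoCA/cacert.pem newcert.pem >/dev/null || exit 1
  # -revoke with reason keyCompromise, then -crl
  openssl ca -config ca.cnf -revoke newcert.pem -crl_reason keyCompromise \
    2>/dev/null || exit 1
  openssl ca -config ca.cnf -gencrl -out demoCA/crl.pem 2>/dev/null || exit 1
  # With CRL checking the revoked certificate must now fail verification
  ! openssl verify -CAfile demoCA/cacert.pem -crl_check -CRLfile demoCA/crl.pem \
      newcert.pem >/dev/null 2>&1
)

if [ "${1:-}" ]; then   # usage: sh ca_lifecycle.sh /path/to/empty/dir
  setup_demo_ca "$1"; run_ca_lifecycle "$1"; echo "revoked cert rejected"
fi
```

Run it against an empty scratch directory; afterwards F<demoCA/index.txt> carries the revoked entry and F<demoCA/crl.pem> the CRL that makes verification fail.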
=head1 DSA CERTIFICATES

Although B<CA.pl> creates RSA CAs and requests, it is still possible to
use it with DSA certificates and requests using the L<openssl-req(1)> command
directly. The following example shows the steps that would typically be taken.

Create some DSA parameters:

 openssl dsaparam -out dsap.pem 1024

Create a DSA CA certificate and private key:

 openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem

Create the CA directories and files:

 CA.pl -newca

Enter a filename (for example, F<cacert.pem>) when prompted for the CA file
name.

Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):

 openssl req -out newreq.pem -newkey dsa:dsap.pem

Sign the request:

 CA.pl -signreq

=head1 NOTES

Most of the filenames mentioned can be modified by editing the B<CA.pl> script.

If the F<demoCA> directory already exists then the B<-newca> command will not
overwrite it and will do nothing. This can happen if a previous call using
the B<-newca> option terminated abnormally. To get the correct behaviour,
delete the F<demoCA> directory if it already exists.

Under some environments it may not be possible to run the B<CA.pl> script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:

 perl -S CA.pl

can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file.

The script is intended as a simple front end for the L<openssl(1)> program for
use by a beginner. Its behaviour isn't always what is wanted. For more control
over the behaviour of the certificate commands, call the L<openssl(1)> command
directly.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-x509(1)>,
L<openssl-ca(1)>,
L<openssl-req(1)>,
L<openssl-pkcs12(1)>,
L<config(5)>

=head1 COPYRIGHT

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut