123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 |
- =pod
- =head1 NAME
- CA.pl - friendlier interface for OpenSSL certificate programs
- =head1 SYNOPSIS
- B<CA.pl>
- [B<-?>]
- [B<-h>]
- [B<-help>]
- [B<-newcert>]
- [B<-newreq>]
- [B<-newreq-nodes>]
- [B<-newca>]
- [B<-xsign>]
- [B<-sign>]
- [B<-signreq>]
- [B<-signcert>]
- [B<-verify>]
- [B<files>]
- =head1 DESCRIPTION
- The B<CA.pl> script is a perl script that supplies the relevant command line
- arguments to the B<openssl> command for some common certificate operations.
- It is intended to simplify the process of certificate creation and management
- by the use of some simple options.
- =head1 COMMAND OPTIONS
- =over 4
- =item B<?>, B<-h>, B<-help>
- prints a usage message.
- =item B<-newcert>
- creates a new self signed certificate. The private key is written to the file
- "newkey.pem" and the request written to the file "newreq.pem".
- =item B<-newreq>
- creates a new certificate request. The private key is written to the file
- "newkey.pem" and the request written to the file "newreq.pem".
- =item B<-newreq-nodes>
- is like B<-newreq> except that the private key will not be encrypted.
- =item B<-newca>
- creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
- and B<-xsign> options). The user is prompted to enter the filename of the CA
- certificates (which should also contain the private key) or by hitting ENTER
- details of the CA will be prompted for. The relevant files and directories
- are created in a directory called "demoCA" in the current directory.
- =item B<-pkcs12>
- create a PKCS#12 file containing the user certificate, private key and CA
- certificate. It expects the user certificate and private key to be in the
- file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
- it creates a file "newcert.p12". This command can thus be called after the
- B<-sign> option. The PKCS#12 file can be imported directly into a browser.
- If there is an additional argument on the command line it will be used as the
- "friendly name" for the certificate (which is typically displayed in the browser
- list box), otherwise the name "My Certificate" is used.
- =item B<-sign>, B<-signreq>, B<-xsign>
- calls the B<ca> program to sign a certificate request. It expects the request
- to be in the file "newreq.pem". The new certificate is written to the file
- "newcert.pem" except in the case of the B<-xsign> option when it is written
- to standard output.
- =item B<-signCA>
- this option is the same as the B<-signreq> option except it uses the configuration
- file section B<v3_ca> and so makes the signed request a valid CA certificate. This
- is useful when creating intermediate CA from a root CA.
- =item B<-signcert>
- this option is the same as B<-sign> except it expects a self signed certificate
- to be present in the file "newreq.pem".
- =item B<-verify>
- verifies certificates against the CA certificate for "demoCA". If no certificates
- are specified on the command line it tries to verify the file "newcert.pem".
- =item B<files>
- one or more optional certificate file names for use with the B<-verify> command.
- =back
- =head1 EXAMPLES
- Create a CA hierarchy:
- CA.pl -newca
- Complete certificate creation example: create a CA, create a request, sign
- the request and finally create a PKCS#12 file containing it.
- CA.pl -newca
- CA.pl -newreq
- CA.pl -signreq
- CA.pl -pkcs12 "My Test Certificate"
- =head1 DSA CERTIFICATES
- Although the B<CA.pl> creates RSA CAs and requests it is still possible to
- use it with DSA certificates and requests using the L<req(1)|req(1)> command
- directly. The following example shows the steps that would typically be taken.
- Create some DSA parameters:
- openssl dsaparam -out dsap.pem 1024
- Create a DSA CA certificate and private key:
- openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
- Create the CA directories and files:
- CA.pl -newca
- enter cacert.pem when prompted for the CA file name.
- Create a DSA certificate request and private key (a different set of parameters
- can optionally be created first):
- openssl req -out newreq.pem -newkey dsa:dsap.pem
- Sign the request:
- CA.pl -signreq
- =head1 NOTES
- Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
- If the demoCA directory already exists then the B<-newca> command will not
- overwrite it and will do nothing. This can happen if a previous call using
- the B<-newca> option terminated abnormally. To get the correct behaviour
- delete the demoCA directory if it already exists.
- Under some environments it may not be possible to run the B<CA.pl> script
- directly (for example Win32) and the default configuration file location may
- be wrong. In this case the command:
- perl -S CA.pl
- can be used and the B<OPENSSL_CONF> environment variable changed to point to
- the correct path of the configuration file "openssl.cnf".
- The script is intended as a simple front end for the B<openssl> program for use
- by a beginner. Its behaviour isn't always what is wanted. For more control over the
- behaviour of the certificate commands call the B<openssl> command directly.
- =head1 ENVIRONMENT VARIABLES
- The variable B<OPENSSL_CONF> if defined allows an alternative configuration
- file location to be specified, it should contain the full path to the
- configuration file, not just its directory.
- =head1 SEE ALSO
- L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
- L<config(5)|config(5)>
- =cut
|