CA.pl.pod 6.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214
  1. =pod
  2. =head1 NAME
  3. CA.pl - friendlier interface for OpenSSL certificate programs
  4. =head1 SYNOPSIS
  5. B<CA.pl>
  6. B<-?> |
  7. B<-h> |
  8. B<-help>
  9. B<CA.pl>
  10. B<-newcert> |
  11. B<-newreq> |
  12. B<-newreq-nodes> |
  13. B<-xsign> |
  14. B<-sign> |
  15. B<-signCA> |
  16. B<-signcert> |
  17. B<-crl> |
  18. B<-newca>
  19. [B<-extra-cmd> extra-params]
  20. B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
  21. B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
  22. B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
  23. =head1 DESCRIPTION
  24. The B<CA.pl> script is a perl script that supplies the relevant command line
  25. arguments to the B<openssl> command for some common certificate operations.
  26. It is intended to simplify the process of certificate creation and management
  27. by the use of some simple options.
  28. =head1 OPTIONS
  29. =over 4
  30. =item B<?>, B<-h>, B<-help>
  31. Prints a usage message.
  32. =item B<-newcert>
  33. Creates a new self signed certificate. The private key is written to the file
  34. "newkey.pem" and the request written to the file "newreq.pem".
  35. This argument invokes B<openssl req> command.
  36. =item B<-newreq>
  37. Creates a new certificate request. The private key is written to the file
  38. "newkey.pem" and the request written to the file "newreq.pem".
  39. Executes B<openssl req> command below the hood.
  40. =item B<-newreq-nodes>
  41. Is like B<-newreq> except that the private key will not be encrypted.
  42. Uses B<openssl req> command.
  43. =item B<-newca>
  44. Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
  45. and B<-xsign> options). The user is prompted to enter the filename of the CA
  46. certificates (which should also contain the private key) or by hitting ENTER
  47. details of the CA will be prompted for. The relevant files and directories
  48. are created in a directory called "demoCA" in the current directory.
  49. B<openssl req> and B<openssl ca> commands are get invoked.
  50. =item B<-pkcs12>
  51. Create a PKCS#12 file containing the user certificate, private key and CA
  52. certificate. It expects the user certificate and private key to be in the
  53. file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
  54. it creates a file "newcert.p12". This command can thus be called after the
  55. B<-sign> option. The PKCS#12 file can be imported directly into a browser.
  56. If there is an additional argument on the command line it will be used as the
  57. "friendly name" for the certificate (which is typically displayed in the browser
  58. list box), otherwise the name "My Certificate" is used.
  59. Delegates work to B<openssl pkcs12> command.
  60. =item B<-sign>, B<-signcert>, B<-xsign>
  61. Calls the B<ca> program to sign a certificate request. It expects the request
  62. to be in the file "newreq.pem". The new certificate is written to the file
  63. "newcert.pem" except in the case of the B<-xsign> option when it is written
  64. to standard output. Leverages B<openssl ca> command.
  65. =item B<-signCA>
  66. This option is the same as the B<-signreq> option except it uses the
  67. configuration file section B<v3_ca> and so makes the signed request a
  68. valid CA certificate. This is useful when creating intermediate CA from
  69. a root CA. Extra params are passed on to B<openssl ca> command.
  70. =item B<-signcert>
  71. This option is the same as B<-sign> except it expects a self signed certificate
  72. to be present in the file "newreq.pem".
  73. Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
  74. =item B<-crl>
  75. Generate a CRL. Executes B<openssl ca> command.
  76. =item B<-revoke certfile [reason]>
  77. Revoke the certificate contained in the specified B<certfile>. An optional
  78. reason may be specified, and must be one of: B<unspecified>,
  79. B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
  80. B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
  81. Leverages B<openssl ca> command.
  82. =item B<-verify>
  83. Verifies certificates against the CA certificate for "demoCA". If no
  84. certificates are specified on the command line it tries to verify the file
  85. "newcert.pem". Invokes B<openssl verify> command.
  86. =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
  87. The purpose of these parameters is to allow optional parameters to be supplied
  88. to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
  89. option being used and the B<openssl> command getting invoked. For example
  90. when this command invokes B<openssl req> extra parameters can be passed on
  91. with the B<-extra-req> parameter. The
  92. B<openssl> commands being invoked per option are documented below.
  93. Users should consult B<openssl> command documentation for more information.
  94. =back
  95. =head1 EXAMPLES
  96. Create a CA hierarchy:
  97. CA.pl -newca
  98. Complete certificate creation example: create a CA, create a request, sign
  99. the request and finally create a PKCS#12 file containing it.
  100. CA.pl -newca
  101. CA.pl -newreq
  102. CA.pl -signreq
  103. CA.pl -pkcs12 "My Test Certificate"
  104. =head1 DSA CERTIFICATES
  105. Although the B<CA.pl> creates RSA CAs and requests it is still possible to
  106. use it with DSA certificates and requests using the L<req(1)> command
  107. directly. The following example shows the steps that would typically be taken.
  108. Create some DSA parameters:
  109. openssl dsaparam -out dsap.pem 1024
  110. Create a DSA CA certificate and private key:
  111. openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
  112. Create the CA directories and files:
  113. CA.pl -newca
  114. enter cacert.pem when prompted for the CA file name.
  115. Create a DSA certificate request and private key (a different set of parameters
  116. can optionally be created first):
  117. openssl req -out newreq.pem -newkey dsa:dsap.pem
  118. Sign the request:
  119. CA.pl -signreq
  120. =head1 NOTES
  121. Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
  122. If the demoCA directory already exists then the B<-newca> command will not
  123. overwrite it and will do nothing. This can happen if a previous call using
  124. the B<-newca> option terminated abnormally. To get the correct behaviour
  125. delete the demoCA directory if it already exists.
  126. Under some environments it may not be possible to run the B<CA.pl> script
  127. directly (for example Win32) and the default configuration file location may
  128. be wrong. In this case the command:
  129. perl -S CA.pl
  130. can be used and the B<OPENSSL_CONF> environment variable changed to point to
  131. the correct path of the configuration file.
  132. The script is intended as a simple front end for the B<openssl> program for use
  133. by a beginner. Its behaviour isn't always what is wanted. For more control over the
  134. behaviour of the certificate commands call the B<openssl> command directly.
  135. =head1 SEE ALSO
  136. L<x509(1)>, L<ca(1)>, L<req(1)>, L<pkcs12(1)>,
  137. L<config(5)>
  138. =head1 COPYRIGHT
  139. Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
  140. Licensed under the OpenSSL license (the "License"). You may not use
  141. this file except in compliance with the License. You can obtain a copy
  142. in the file LICENSE in the source distribution or at
  143. L<https://www.openssl.org/source/license.html>.
  144. =cut