Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
CA.PL(1)			    OpenSSL			      CA.PL(1)

NAME - friendlier interface for	OpenSSL	certificate programs

SYNOPSIS -?	| -h | -help -newcert |	-newreq	| -newreq-nodes	| -xsign | -sign | -signCA |
       -signcert | -crl	| -newca [-extra-cmd extra-params] -pkcs12 [-extra-pkcs12 extra-params] [certname] -verify [-extra-verify extra-params] certfile... -revoke [-extra-ca	extra-params] certfile [reason]

       The script	is a perl script that supplies the relevant command
       line arguments to the openssl command for some common certificate
       operations.  It is intended to simplify the process of certificate
       creation	and management by the use of some simple options.

       ?, -h, -help
	   Prints a usage message.

	   Creates a new self signed certificate. The private key is written
	   to the file "newkey.pem" and	the request written to the file
	   "newreq.pem".  This argument	invokes	openssl	req command.

	   Creates a new certificate request. The private key is written to
	   the file "newkey.pem" and the request written to the	file
	   "newreq.pem".  Executes openssl req command below the hood.

	   Is like -newreq except that the private key will not	be encrypted.
	   Uses	openssl	req command.

	   Creates a new CA hierarchy for use with the ca program (or the
	   -signcert and -xsign	options). The user is prompted to enter	the
	   filename of the CA certificates (which should also contain the
	   private key)	or by hitting ENTER details of the CA will be prompted
	   for.	The relevant files and directories are created in a directory
	   called "demoCA" in the current directory.  openssl req and openssl
	   ca commands are get invoked.

	   Create a PKCS#12 file containing the	user certificate, private key
	   and CA certificate. It expects the user certificate and private key
	   to be in the	file "newcert.pem" and the CA certificate to be	in the
	   file	demoCA/cacert.pem, it creates a	file "newcert.p12". This
	   command can thus be called after the	-sign option. The PKCS#12 file
	   can be imported directly into a browser.  If	there is an additional
	   argument on the command line	it will	be used	as the "friendly name"
	   for the certificate (which is typically displayed in	the browser
	   list	box), otherwise	the name "My Certificate" is used.  Delegates
	   work	to openssl pkcs12 command.

       -sign, -signcert, -xsign
	   Calls the ca	program	to sign	a certificate request. It expects the
	   request to be in the	file "newreq.pem". The new certificate is
	   written to the file "newcert.pem" except in the case	of the -xsign
	   option when it is written to	standard output. Leverages openssl ca

	   This	option is the same as the -sign	option except it uses the
	   configuration file section v3_ca and	so makes the signed request a
	   valid CA certificate. This is useful	when creating intermediate CA
	   from	a root CA.  Extra params are passed on to openssl ca command.

	   This	option is the same as -sign except it expects a	self signed
	   certificate to be present in	the file "newreq.pem".	Extra params
	   are passed on to openssl x509 and openssl ca	commands.

	   Generate a CRL. Executes openssl ca command.

       -revoke certfile	[reason]
	   Revoke the certificate contained in the specified certfile. An
	   optional reason may be specified, and must be one of: unspecified,
	   keyCompromise, CACompromise,	affiliationChanged, superseded,
	   cessationOfOperation, certificateHold, or removeFromCRL.  Leverages
	   openssl ca command.

	   Verifies certificates against the CA	certificate for	"demoCA". If
	   no certificates are specified on the	command	line it	tries to
	   verify the file "newcert.pem".  Invokes openssl verify command.

       -extra-req | -extra-ca |	-extra-pkcs12 |	-extra-x509 | -extra-verify
	   The purpose of these	parameters is to allow optional	parameters to
	   be supplied to openssl that this command executes. The -extra-cmd
	   are specific	to the option being used and the openssl command
	   getting invoked. For	example	when this command invokes openssl req
	   extra parameters can	be passed on with the -extra-req parameter.
	   The openssl commands	being invoked per option are documented	below.
	   Users should	consult	openssl	command	documentation for more

       Create a	CA hierarchy: -newca

       Complete	certificate creation example: create a CA, create a request,
       sign the	request	and finally create a PKCS#12 file containing it. -newca -newreq -sign -pkcs12 "My Test Certificate"

       Although	the creates RSA CAs and requests it is still possible to
       use it with DSA certificates and	requests using the req(1) command
       directly. The following example shows the steps that would typically be

       Create some DSA parameters:

	openssl	dsaparam -out dsap.pem 1024

       Create a	DSA CA certificate and private key:

	openssl	req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem

       Create the CA directories and files: -newca

       enter cacert.pem	when prompted for the CA filename.

       Create a	DSA certificate	request	and private key	(a different set of
       parameters can optionally be created first):

	openssl	req -out newreq.pem -newkey dsa:dsap.pem

       Sign the	request: -sign

       Most of the filenames mentioned can be modified by editing the

       If the demoCA directory already exists then the -newca command will not
       overwrite it and	will do	nothing. This can happen if a previous call
       using the -newca	option terminated abnormally. To get the correct
       behaviour delete	the demoCA directory if	it already exists.

       Under some environments it may not be possible to run the script
       directly	(for example Win32) and	the default configuration file
       location	may be wrong. In this case the command:

	perl -S

       can be used and the OPENSSL_CONF	environment variable changed to	point
       to the correct path of the configuration	file.

       The script is intended as a simple front	end for	the openssl program
       for use by a beginner. Its behaviour isn't always what is wanted. For
       more control over the behaviour of the certificate commands call	the
       openssl command directly.

       x509(1),	ca(1), req(1), pkcs12(1), config(5)

       Copyright 2000-2020 The OpenSSL Project Authors.	All Rights Reserved.

       Licensed	under the OpenSSL license (the "License").  You	may not	use
       this file except	in compliance with the License.	 You can obtain	a copy
       in the file LICENSE in the source distribution or at

1.1.1k				  2021-03-25			      CA.PL(1)


Want to link to this manual page? Use this URL:

home | help