[B<-help>]
[B<-newcert>]
[B<-newreq>]
+[B<-newreq-nodes>]
[B<-newca>]
[B<-xsign>]
[B<-sign>]
creates a new certificate request. The private key and request are
written to the file "newreq.pem".
+=item B<-newreq-nodes>
+
+is like B<-newreq> except that the private key will not be encrypted.
+
=item B<-newca>
creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
B<-sign> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
-list box), otherwise the name "My Certifictate" is used.
+list box), otherwise the name "My Certificate" is used.
=item B<-sign>, B<-signreq>, B<-xsign>
calls the B<ca> program to sign a certificate request. It expects the request
to be in the file "newreq.pem". The new certificate is written to the file
-"newcert.pem" except in the case of the B<-xcert> option when it is written
+"newcert.pem" except in the case of the B<-xsign> option when it is written
to standard output.
+
+=item B<-signCA>
+
+this option is the same as the B<-signreq> option except it uses the configuration
+file section B<v3_ca> and so makes the signed request a valid CA certificate. This
+is useful when creating intermediate CA from a root CA.
+
=item B<-signcert>
this option is the same as B<-sign> except it expects a self signed certificate
CA.pl -signreq
CA.pl -pkcs12 "My Test Certificate"
+=head1 DSA CERTIFICATES
+
+Although the B<CA.pl> creates RSA CAs and requests it is still possible to
+use it with DSA certificates and requests using the L<req(1)|req(1)> command
+directly. The following example shows the steps that would typically be taken.
+
+Create some DSA parameters:
+
+ openssl dsaparam -out dsap.pem 1024
+
+Create a DSA CA certificate and private key:
+
+ openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
+
+Create the CA directories and files:
+
+ CA.pl -newca
+
+enter cacert.pem when prompted for the CA file name.
+
+Create a DSA certificate request and private key (a different set of parameters
+can optionally be created first):
+
+ openssl req -out newreq.pem -newkey dsa:dsap.pem
+
+Sign the request:
+
+ CA.pl -signreq
+
=head1 NOTES
Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
=head1 SEE ALSO
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>, L<config(1)|config(1)>
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
+L<config(5)|config(5)>
=cut