-
=pod
=head1 NAME
[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
+[B<-valid file>]
[B<-status serial>]
[B<-updatedb>]
[B<-crl_reason reason>]
The options descriptions will be divided into each purpose.
-=head1 CA OPTIONS
+=head1 COMMAND OPTIONS
=over 4
=item B<-ss_cert filename>
-a single self signed certificate to be signed by the CA.
+a single self-signed certificate to be signed by the CA.
=item B<-spkac filename>
=item B<-infiles>
if present this should be the last option, all subsequent arguments
-are assumed to the the names of files containing certificate requests.
+are taken as the names of files containing certificate requests.
=item B<-out filename>
=item B<-preserveDN>
Normally the DN order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order
+fields in the relevant policy section. When this option is set the order
is the same as the request. This is largely for compatibility with the
older IE enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
=item B<-utf8>
-this option causes field values to be interpreted as UTF8 strings, by
+this option causes field values to be interpreted as UTF8 strings, by
default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.
a filename containing a certificate to revoke.
+=item B<-valid filename>
+
+a filename containing a certificate to add a Valid certificate entry.
+
=item B<-status serial>
displays the revocation status of the certificate with the specified
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
-by white space and finally the long name.
+by white space and finally the long name.
=item B<oid_section>
=item B<default_days>
the same as the B<-days> option. The number of days to certify
-a certificate for.
+a certificate for.
=item B<default_startdate>
The input to the B<-spkac> command line option is a Netscape
signed public key and challenge. This will usually come from
-the B<KEYGEN> tag in an HTML form to create a new private key.
+the B<KEYGEN> tag in an HTML form to create a new private key.
It is however possible to create SPKACs using the B<spkac> utility.
The file should contain the variable SPKAC set to the value of
[ ca ]
default_ca = CA_default # The default ca section
-
+
[ CA_default ]
dir = ./demoCA # top dir
database = $dir/index.txt # index file.
- new_certs_dir = $dir/newcerts # new certs dir
-
+ new_certs_dir = $dir/newcerts # new certs dir
+
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
-
+
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
policy = policy_any # default policy
email_in_dn = no # Don't add the email into cert DN
- name_opt = ca_default # Subject name display option
- cert_opt = ca_default # Certificate display option
- copy_extensions = none # Don't copy extensions from request
+ name_opt = ca_default # Subject name display option
+ cert_opt = ca_default # Certificate display option
+ copy_extensions = none # Don't copy extensions from request
[ policy_any ]
countryName = supplied
=head1 RESTRICTIONS
-The text database index file is a critical part of the process and
+The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
CRL: however there is no option to do this.
V2 CRL features like delta CRLs are not currently supported.
Although several requests can be input and handled at once it is only
-possible to include one SPKAC or self signed certificate.
+possible to include one SPKAC or self-signed certificate.
=head1 BUGS
-The use of an in memory text database can cause problems when large
+The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
=head1 SEE ALSO
L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
-L<config(5)>, L<x509v3_config(5)>
+L<config(5)>, L<x509v3_config(5)>
+
+=head1 COPYRIGHT
+
+Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
=cut