X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fapps%2FCA.pl.pod;h=63cd1320cc764265b0846770f6572ae460533d7d;hb=da542e1bf762507bc6630847e4c3dd18de81359d;hp=59bdde9240a1ec723793a6b21be913f3f2b1d8ad;hpb=aa3353fda210df947dfc68650dfada241b8037fe;p=oweals%2Fopenssl.git diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index 59bdde9240..63cd1320cc 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -63,15 +63,22 @@ it creates a file "newcert.p12". This command can thus be called after the B<-sign> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the "friendly name" for the certificate (which is typically displayed in the browser -list box), otherwise the name "My Certifictate" is used. +list box), otherwise the name "My Certificate" is used. =item B<-sign>, B<-signreq>, B<-xsign> calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file -"newcert.pem" except in the case of the B<-xcert> option when it is written +"newcert.pem" except in the case of the B<-xsign> option when it is written to standard output. + +=item B<-signCA> + +this option is the same as the B<-signreq> option except it uses the configuration +file section B and so makes the signed request a valid CA certificate. This +is useful when creating intermediate CA from a root CA. + =item B<-signcert> this option is the same as B<-sign> except it expects a self signed certificate 
@@ -102,6 +109,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. + +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and private key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + =head1 NOTES Most of the filenames mentioned can be modified by editing the B script.
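Review bot: In the first hunk (@@ -63,15 +63,22 @@), the new B<-signCA> item reads "it uses the configuration file section B and so makes the signed request a valid CA certificate" without naming the section as it appears here, so a reader cannot tell which part of the configuration file decides that the result is a CA certificate. Spell the section name out, and state explicitly that the request is still read from "newreq.pem" and the certificate written to "newcert.pem" as for B<-signreq>. The last sentence also needs an article: "when creating an intermediate CA from a root CA".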
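Review bot: In the second hunk (@@ -102,6 +109,35 @@), the "Create a DSA CA certificate and private key" step passes "-keyout cacert.pem -out cacert.pem", so the CA private key and the certificate end up in the same file, and that file is then given to "CA.pl -newca" as the CA file name. The text should say so and tell the reader to treat cacert.pem as a private key file rather than something to distribute. The request step ("openssl req -out newreq.pem -newkey dsa:dsap.pem") has no -keyout, so the section never says where the request's private key is written; add the option or name the file. Consider also a note that the 1024 in "openssl dsaparam -out dsap.pem 1024" is only an example size and a larger one may be chosen.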