X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=doc%2Fapps%2FCA.pl.pod;h=ed69952f3799e4de2665a913371bb5444e3875a4;hb=0e0c6821fab18a7d180d3c8dfe18e34fdd2afc54;hp=dd41fd8115322230ff3685e9b52c3a3b80b2365b;hpb=2af9fd006d6984ff0720094414215f35b133a575;p=oweals%2Fopenssl.git diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index dd41fd8115..ed69952f37 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -13,6 +13,7 @@ B [B<-help>] [B<-newcert>] [B<-newreq>] +[B<-newreq-nodes>] [B<-newca>] [B<-xsign>] [B<-sign>] @@ -46,6 +47,10 @@ written to the file "newreq.pem". creates a new certificate request. The private key and request are written to the file "newreq.pem". +=item B<-newreq-nodes> + +is like B<-newreq> except that the private key will not be encrypted. + =item B<-newca> creates a new CA hierarchy for use with the B program (or the B<-signcert> 
@@ -63,15 +68,22 @@ it creates a file "newcert.p12". This command can thus be called after the B<-sign> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the "friendly name" for the certificate (which is typically displayed in the browser -list box), otherwise the name "My Certifictate" is used. +list box), otherwise the name "My Certificate" is used. =item B<-sign>, B<-signreq>, B<-xsign> calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file -"newcert.pem" except in the case of the B<-xcert> option when it is written +"newcert.pem" except in the case of the B<-xsign> option when it is written to standard output. + +=item B<-signCA> + +this option is the same as the B<-signreq> option except it uses the configuration +file section B and so makes the signed request a valid CA certificate. This +is useful when creating intermediate CA from a root CA. + =item B<-signcert> this option is the same as B<-sign> except it expects a self signed certificate 
@@ -102,6 +114,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. + +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and private key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + =head1 NOTES Most of the filenames mentioned can be modified by editing the B script. @@ -132,6 +173,7 @@ configuration file, not just its directory. =head1 SEE ALSO -L, L, L, L, L +L, L, L, L, +L =cut
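Review bot: In the synopsis hunk (@@ -13,6 +13,7 @@) only [B<-newreq-nodes>] is added, although the same patch documents a new B<-signCA> item further down. If B<-signCA> is not already listed in the part of the synopsis outside this hunk, add it here so the synopsis and the option list stay in step.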
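Review bot: The new B<-newreq-nodes> item (@@ -46,6 +47,10 @@) says the private key "will not be encrypted" but does not say where that key ends up or how to handle it. Because it is described as being like B<-newreq>, which writes key and request to "newreq.pem", the text should state that the cleartext key is in that same file. It should also say that the file needs restrictive permissions and that the key must be split out before the request is sent to anyone for signing.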
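Review bot: In the B<-signCA> item (@@ -63,15 +68,22 @@), the last sentence reads "creating intermediate CA from a root CA" and needs an article: "creating an intermediate CA". The hunk also adds two blank lines before "=item B<-signCA>" where the other items in this file use one. Since this option turns a request into a certificate that can itself issue certificates, a short sentence saying it should only be used on requests that are meant to become CAs would help readers who pick it up by analogy with B<-signreq>.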
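Review bot: In the DSA CERTIFICATES section (@@ -102,6 +114,35 @@), the request step "openssl req -out newreq.pem -newkey dsa:dsap.pem" has no -keyout, so the private key is not written to "newreq.pem" even though the text says the step creates "a DSA certificate request and private key" and the rest of this page assumes the key is in that file. Either add "-keyout newreq.pem" or say where the key goes. The CA step does the opposite, writing key and certificate to one file with "-keyout cacert.pem -out cacert.pem"; the text should say that cacert.pem therefore holds the CA private key. Two smaller points: a comma is missing after "requests" in the opening sentence, and the 1024-bit size in the dsaparam example is below what current guidance accepts for new DSA keys, so a larger size would be a safer value to show.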