From d6df2b281f4eb0524606e3313afe8caf45d7e342 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Apr 2003 14:39:44 +0000 Subject: [PATCH] Add documentation on the added functionality in 'openssl ca'. --- apps/ca.c | 1 + doc/apps/ca.pod | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/apps/ca.c b/apps/ca.c index ea84facac9..34b1507aee 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -169,6 +169,7 @@ static char *ca_usage[]={ " -keyform arg - private key file format (PEM or ENGINE)\n", " -key arg - key to decode the private key if it is encrypted\n", " -cert file - The CA certificate\n", +" -selfsign - sign a certificate with the key associated with it\n", " -in file - The input PEM encoded certificate request(s)\n", " -out file - Where to put the output file(s)\n", " -outdir dir - Where to put output certificates\n", diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index de66c534b5..6d010216e7 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -30,6 +30,7 @@ B B [B<-key arg>] [B<-passin arg>] [B<-cert file>] +[B<-selfsign>] [B<-in file>] [B<-out file>] [B<-notext>] @@ -113,6 +114,20 @@ the password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the 'ps' utility) this option should be used with caution. +=item B<-selfsign> + +indicates the issued certificates are to be signed with the key +the certificate requests were signed with (given with B<-keyfile>). +Cerificate requests signed with a different key are ignored. If +B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is +ignored. + +A consequence of using B<-selfsign> is that the self-signed +certificate appears among the entries in the certificate database +(see the configuration option B), and uses the same +serial number counter as all other certificates sign with the +self-signed certificate. + =item B<-passin arg> the key password source. For more information about the format of B @@ -359,6 +374,16 @@ the same as the B<-md> option. The message digest to use. Mandatory. the text database file to use. Mandatory. This file must be present though initially it will be empty. +=item B + +if the value B is given, the valid certificate entries in the +database must have unique subjects. if the value B is given, +several valid certificate entries may have the exact same subject. +The default value is B, to be compatible with older (pre 0.9.8) +versions of OpenSSL. However, to make CA certificate roll-over easier, +it's recommended to use the value B, especially if combined with +the B<-selfsign> command line option. + =item B a text file containing the next serial number to use in hex. Mandatory. -- 2.25.1