summaryrefslogtreecommitdiffstats
path: root/secure/usr.bin/openssl/man/ca.1
diff options
context:
space:
mode:
Diffstat (limited to 'secure/usr.bin/openssl/man/ca.1')
-rw-r--r--secure/usr.bin/openssl/man/ca.177
1 files changed, 57 insertions, 20 deletions
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index ab85a0c..528f1d7 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "CA 1"
-.TH CA 1 "2005-02-25" "0.9.7d" "OpenSSL"
+.TH CA 1 "2006-07-29" "0.9.8b" "OpenSSL"
.SH "NAME"
ca \- sample minimal CA application
.SH "SYNOPSIS"
@@ -144,7 +144,6 @@ ca \- sample minimal CA application
[\fB\-crl_hold instruction\fR]
[\fB\-crl_compromise time\fR]
[\fB\-crl_CA_compromise time\fR]
-[\fB\-subj arg\fR]
[\fB\-crldays days\fR]
[\fB\-crlhours hours\fR]
[\fB\-crlexts section\fR]
@@ -157,6 +156,7 @@ ca \- sample minimal CA application
[\fB\-key arg\fR]
[\fB\-passin arg\fR]
[\fB\-cert file\fR]
+[\fB\-selfsign\fR]
[\fB\-in file\fR]
[\fB\-out file\fR]
[\fB\-notext\fR]
@@ -171,6 +171,9 @@ ca \- sample minimal CA application
[\fB\-extensions section\fR]
[\fB\-extfile section\fR]
[\fB\-engine id\fR]
+[\fB\-subj arg\fR]
+[\fB\-utf8\fR]
+[\fB\-multivalue\-rdn\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
@@ -225,6 +228,19 @@ the private key to sign requests with.
the password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
+.IP "\fB\-selfsign\fR" 4
+.IX Item "-selfsign"
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with \fB\-keyfile\fR).
+Cerificate requests signed with a different key are ignored. If
+\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is
+ignored.
+.Sp
+A consequence of using \fB\-selfsign\fR is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option \fBdatabase\fR), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
the key password source. For more information about the format of \fBarg\fR
@@ -300,6 +316,25 @@ specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
+.IP "\fB\-subj arg\fR" 4
+.IX Item "-subj arg"
+supersedes subject name given in the request.
+The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
+characters may be escaped by \e (backslash), no spaces are skipped.
+.IP "\fB\-utf8\fR" 4
+.IX Item "-utf8"
+this option causes field values to be interpreted as \s-1UTF8\s0 strings, by
+default they are interpreted as \s-1ASCII\s0. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid \s-1UTF8\s0 strings.
+.IP "\fB\-multivalue\-rdn\fR" 4
+.IX Item "-multivalue-rdn"
+this option causes the \-subj argument to be interpretedt with full
+support for multivalued RDNs. Example:
+.Sp
+\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR
+.Sp
+If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR.
.SH "CRL OPTIONS"
.IX Header "CRL OPTIONS"
.IP "\fB\-gencrl\fR" 4
@@ -338,11 +373,6 @@ This sets the revocation reason to \fBkeyCompromise\fR and the compromise time t
.IX Item "-crl_CA_compromise time"
This is the same as \fBcrl_compromise\fR except the revocation reason is set to
\&\fBCACompromise\fR.
-.IP "\fB\-subj arg\fR" 4
-.IX Item "-subj arg"
-supersedes subject name given in the request.
-The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
-characters may be escaped by \e (backslash), no spaces are skipped.
.IP "\fB\-crlexts section\fR" 4
.IX Item "-crlexts section"
the section of the configuration file containing \s-1CRL\s0 extensions to
@@ -425,10 +455,24 @@ the same as the \fB\-md\fR option. The message digest to use. Mandatory.
.IX Item "database"
the text database file to use. Mandatory. This file must be present
though initially it will be empty.
+.IP "\fBunique_subject\fR" 4
+.IX Item "unique_subject"
+if the value \fByes\fR is given, the valid certificate entries in the
+database must have unique subjects. if the value \fBno\fR is given,
+several valid certificate entries may have the exact same subject.
+The default value is \fByes\fR, to be compatible with older (pre 0.9.8)
+versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
+it's recommended to use the value \fBno\fR, especially if combined with
+the \fB\-selfsign\fR command line option.
.IP "\fBserial\fR" 4
.IX Item "serial"
a text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
+.IP "\fBcrlnumber\fR" 4
+.IX Item "crlnumber"
+a text file containing the next \s-1CRL\s0 number to use in hex. The crl number
+will be inserted in the CRLs only if this file exists. If this file is
+present, it must contain a valid \s-1CRL\s0 number.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
the same as \fB\-extensions\fR.
@@ -450,8 +494,8 @@ the same as \fB\-msie_hack\fR
.IX Item "policy"
the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
for more information.
-.IP "\fBnameopt\fR, \fBcertopt\fR" 4
-.IX Item "nameopt, certopt"
+.IP "\fBname_opt\fR, \fBcert_opt\fR" 4
+.IX Item "name_opt, cert_opt"
these options allow the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
@@ -590,8 +634,8 @@ A sample configuration file with the relevant sections for \fBca\fR:
.Ve
.PP
.Vb 3
-\& nameopt = ca_default # Subject name display option
-\& certopt = ca_default # Certificate display option
+\& name_opt = ca_default # Subject name display option
+\& cert_opt = ca_default # Certificate display option
\& copy_extensions = none # Don't copy extensions from request
.Ve
.PP
@@ -633,8 +677,7 @@ if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
\&\s-1CRL:\s0 however there is no option to do this.
.PP
-V2 \s-1CRL\s0 features like delta \s-1CRL\s0 support and \s-1CRL\s0 numbers are not currently
-supported.
+V2 \s-1CRL\s0 features like delta CRLs are not currently supported.
.PP
Although several requests can be input and handled at once it is only
possible to include one \s-1SPKAC\s0 or self signed certificate.
@@ -644,12 +687,6 @@ The use of an in memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
.PP
-It is not possible to certify two certificates with the same \s-1DN:\s0 this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same \s-1DN\s0 for separate signing and encryption
-keys.
-.PP
The \fBca\fR command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and
OpenPOWER on IntegriCloud