| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | CA.pl - friendlier interface for OpenSSL certificate programs
|
|---|
| 6 |
|
|---|
| 7 | =head1 SYNOPSIS
|
|---|
| 8 |
|
|---|
| 9 | B<CA.pl>
|
|---|
| 10 | B<-?> |
|
|---|
| 11 | B<-h> |
|
|---|
| 12 | B<-help>
|
|---|
| 13 |
|
|---|
| 14 | B<CA.pl>
|
|---|
| 15 | B<-newcert> |
|
|---|
| 16 | B<-newreq> |
|
|---|
| 17 | B<-newreq-nodes> |
|
|---|
| 18 | B<-xsign> |
|
|---|
| 19 | B<-sign> |
|
|---|
| 20 | B<-signCA> |
|
|---|
| 21 | B<-signcert> |
|
|---|
| 22 | B<-crl> |
|
|---|
| 23 | B<-newca>
|
|---|
| 24 | [B<-extra-cmd> extra-params]
|
|---|
| 25 |
|
|---|
| 26 | B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
|
|---|
| 27 |
|
|---|
| 28 | B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
|
|---|
| 29 |
|
|---|
| 30 | B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
|
|---|
| 31 |
|
|---|
| 32 | =head1 DESCRIPTION
|
|---|
| 33 |
|
|---|
| 34 | The B<CA.pl> script is a perl script that supplies the relevant command line
|
|---|
| 35 | arguments to the B<openssl> command for some common certificate operations.
|
|---|
| 36 | It is intended to simplify the process of certificate creation and management
|
|---|
| 37 | by the use of some simple options.
|
|---|
| 38 |
|
|---|
| 39 | =head1 OPTIONS
|
|---|
| 40 |
|
|---|
| 41 | =over 4
|
|---|
| 42 |
|
|---|
| 43 | =item B<?>, B<-h>, B<-help>
|
|---|
| 44 |
|
|---|
| 45 | Prints a usage message.
|
|---|
| 46 |
|
|---|
| 47 | =item B<-newcert>
|
|---|
| 48 |
|
|---|
| 49 | Creates a new self signed certificate. The private key is written to the file
|
|---|
| 50 | "newkey.pem" and the request written to the file "newreq.pem".
|
|---|
| 51 | This argument invokes B<openssl req> command.
|
|---|
| 52 |
|
|---|
| 53 | =item B<-newreq>
|
|---|
| 54 |
|
|---|
| 55 | Creates a new certificate request. The private key is written to the file
|
|---|
| 56 | "newkey.pem" and the request written to the file "newreq.pem".
|
|---|
| 57 | Executes B<openssl req> command below the hood.
|
|---|
| 58 |
|
|---|
| 59 | =item B<-newreq-nodes>
|
|---|
| 60 |
|
|---|
| 61 | Is like B<-newreq> except that the private key will not be encrypted.
|
|---|
| 62 | Uses B<openssl req> command.
|
|---|
| 63 |
|
|---|
| 64 | =item B<-newca>
|
|---|
| 65 |
|
|---|
| 66 | Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
|
|---|
| 67 | and B<-xsign> options). The user is prompted to enter the filename of the CA
|
|---|
| 68 | certificates (which should also contain the private key) or by hitting ENTER
|
|---|
| 69 | details of the CA will be prompted for. The relevant files and directories
|
|---|
| 70 | are created in a directory called "demoCA" in the current directory.
|
|---|
| 71 | B<openssl req> and B<openssl ca> commands are get invoked.
|
|---|
| 72 |
|
|---|
| 73 | =item B<-pkcs12>
|
|---|
| 74 |
|
|---|
| 75 | Create a PKCS#12 file containing the user certificate, private key and CA
|
|---|
| 76 | certificate. It expects the user certificate and private key to be in the
|
|---|
| 77 | file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
|
|---|
| 78 | it creates a file "newcert.p12". This command can thus be called after the
|
|---|
| 79 | B<-sign> option. The PKCS#12 file can be imported directly into a browser.
|
|---|
| 80 | If there is an additional argument on the command line it will be used as the
|
|---|
| 81 | "friendly name" for the certificate (which is typically displayed in the browser
|
|---|
| 82 | list box), otherwise the name "My Certificate" is used.
|
|---|
| 83 | Delegates work to B<openssl pkcs12> command.
|
|---|
| 84 |
|
|---|
| 85 | =item B<-sign>, B<-signcert>, B<-xsign>
|
|---|
| 86 |
|
|---|
| 87 | Calls the B<ca> program to sign a certificate request. It expects the request
|
|---|
| 88 | to be in the file "newreq.pem". The new certificate is written to the file
|
|---|
| 89 | "newcert.pem" except in the case of the B<-xsign> option when it is written
|
|---|
| 90 | to standard output. Leverages B<openssl ca> command.
|
|---|
| 91 |
|
|---|
| 92 | =item B<-signCA>
|
|---|
| 93 |
|
|---|
| 94 | This option is the same as the B<-sign> option except it uses the
|
|---|
| 95 | configuration file section B<v3_ca> and so makes the signed request a
|
|---|
| 96 | valid CA certificate. This is useful when creating intermediate CA from
|
|---|
| 97 | a root CA. Extra params are passed on to B<openssl ca> command.
|
|---|
| 98 |
|
|---|
| 99 | =item B<-signcert>
|
|---|
| 100 |
|
|---|
| 101 | This option is the same as B<-sign> except it expects a self signed certificate
|
|---|
| 102 | to be present in the file "newreq.pem".
|
|---|
| 103 | Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
|
|---|
| 104 |
|
|---|
| 105 | =item B<-crl>
|
|---|
| 106 |
|
|---|
| 107 | Generate a CRL. Executes B<openssl ca> command.
|
|---|
| 108 |
|
|---|
| 109 | =item B<-revoke certfile [reason]>
|
|---|
| 110 |
|
|---|
| 111 | Revoke the certificate contained in the specified B<certfile>. An optional
|
|---|
| 112 | reason may be specified, and must be one of: B<unspecified>,
|
|---|
| 113 | B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
|
|---|
| 114 | B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
|
|---|
| 115 | Leverages B<openssl ca> command.
|
|---|
| 116 |
|
|---|
| 117 | =item B<-verify>
|
|---|
| 118 |
|
|---|
| 119 | Verifies certificates against the CA certificate for "demoCA". If no
|
|---|
| 120 | certificates are specified on the command line it tries to verify the file
|
|---|
| 121 | "newcert.pem". Invokes B<openssl verify> command.
|
|---|
| 122 |
|
|---|
| 123 | =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
|
|---|
| 124 |
|
|---|
| 125 | The purpose of these parameters is to allow optional parameters to be supplied
|
|---|
| 126 | to B<openssl> that this command executes. The B<-extra-cmd> are specific to the
|
|---|
| 127 | option being used and the B<openssl> command getting invoked. For example
|
|---|
| 128 | when this command invokes B<openssl req> extra parameters can be passed on
|
|---|
| 129 | with the B<-extra-req> parameter. The
|
|---|
| 130 | B<openssl> commands being invoked per option are documented below.
|
|---|
| 131 | Users should consult B<openssl> command documentation for more information.
|
|---|
| 132 |
|
|---|
| 133 | =back
|
|---|
| 134 |
|
|---|
| 135 | =head1 EXAMPLES
|
|---|
| 136 |
|
|---|
| 137 | Create a CA hierarchy:
|
|---|
| 138 |
|
|---|
| 139 | CA.pl -newca
|
|---|
| 140 |
|
|---|
| 141 | Complete certificate creation example: create a CA, create a request, sign
|
|---|
| 142 | the request and finally create a PKCS#12 file containing it.
|
|---|
| 143 |
|
|---|
| 144 | CA.pl -newca
|
|---|
| 145 | CA.pl -newreq
|
|---|
| 146 | CA.pl -sign
|
|---|
| 147 | CA.pl -pkcs12 "My Test Certificate"
|
|---|
| 148 |
|
|---|
| 149 | =head1 DSA CERTIFICATES
|
|---|
| 150 |
|
|---|
| 151 | Although the B<CA.pl> creates RSA CAs and requests it is still possible to
|
|---|
| 152 | use it with DSA certificates and requests using the L<req(1)> command
|
|---|
| 153 | directly. The following example shows the steps that would typically be taken.
|
|---|
| 154 |
|
|---|
| 155 | Create some DSA parameters:
|
|---|
| 156 |
|
|---|
| 157 | openssl dsaparam -out dsap.pem 1024
|
|---|
| 158 |
|
|---|
| 159 | Create a DSA CA certificate and private key:
|
|---|
| 160 |
|
|---|
| 161 | openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
|
|---|
| 162 |
|
|---|
| 163 | Create the CA directories and files:
|
|---|
| 164 |
|
|---|
| 165 | CA.pl -newca
|
|---|
| 166 |
|
|---|
| 167 | enter cacert.pem when prompted for the CA filename.
|
|---|
| 168 |
|
|---|
| 169 | Create a DSA certificate request and private key (a different set of parameters
|
|---|
| 170 | can optionally be created first):
|
|---|
| 171 |
|
|---|
| 172 | openssl req -out newreq.pem -newkey dsa:dsap.pem
|
|---|
| 173 |
|
|---|
| 174 | Sign the request:
|
|---|
| 175 |
|
|---|
| 176 | CA.pl -sign
|
|---|
| 177 |
|
|---|
| 178 | =head1 NOTES
|
|---|
| 179 |
|
|---|
| 180 | Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
|
|---|
| 181 |
|
|---|
| 182 | If the demoCA directory already exists then the B<-newca> command will not
|
|---|
| 183 | overwrite it and will do nothing. This can happen if a previous call using
|
|---|
| 184 | the B<-newca> option terminated abnormally. To get the correct behaviour
|
|---|
| 185 | delete the demoCA directory if it already exists.
|
|---|
| 186 |
|
|---|
| 187 | Under some environments it may not be possible to run the B<CA.pl> script
|
|---|
| 188 | directly (for example Win32) and the default configuration file location may
|
|---|
| 189 | be wrong. In this case the command:
|
|---|
| 190 |
|
|---|
| 191 | perl -S CA.pl
|
|---|
| 192 |
|
|---|
| 193 | can be used and the B<OPENSSL_CONF> environment variable changed to point to
|
|---|
| 194 | the correct path of the configuration file.
|
|---|
| 195 |
|
|---|
| 196 | The script is intended as a simple front end for the B<openssl> program for use
|
|---|
| 197 | by a beginner. Its behaviour isn't always what is wanted. For more control over the
|
|---|
| 198 | behaviour of the certificate commands call the B<openssl> command directly.
|
|---|
| 199 |
|
|---|
| 200 | =head1 SEE ALSO
|
|---|
| 201 |
|
|---|
| 202 | L<x509(1)>, L<ca(1)>, L<req(1)>, L<pkcs12(1)>,
|
|---|
| 203 | L<config(5)>
|
|---|
| 204 |
|
|---|
| 205 | =head1 COPYRIGHT
|
|---|
| 206 |
|
|---|
| 207 | Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 208 |
|
|---|
| 209 | Licensed under the OpenSSL license (the "License"). You may not use
|
|---|
| 210 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 211 | in the file LICENSE in the source distribution or at
|
|---|
| 212 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 213 |
|
|---|
| 214 | =cut
|
|---|
