Name

ca

Synopsis

The ca command is a basic certification authority that can be used to issue X.509 certificates and certificate revocation lists.

Options

-config filename

Specify the name of a file to be used as a configuration file. If omitted, the system-wide default configuration file is used. Use of this option overrides the OPENSSL_CONF environment variable.

-verbose

Cause more information to be displayed than normal.

-name section

Specify the name of a section in the configuration file being used that contains the default settings for the CA. The default is to use the section specified by the default_ca key in the ca section of the configuration file.

-in filename

Specify the name of a file containing a certificate request to be signed by the CA, causing a certificate to be created.

-ss_cert filename

Specify the name of a file containing a self-signed certificate to be signed by the CA.

-spkac filename

Specify the name of a file containing a Netscape Signed Public Key and Challenge.

-infiles

If this option is present, it must be the last option on the command line. Each argument after it is assumed to be a file containing a certificate request to be signed by the CA, and certificates will be created for each one.

-out filename

Specify the name of a file to write the certificate or certificates created by the CA to. The default is to write certificates to stdout. If the gencrl option is used, this option specifies the name of the file to which the generated certificate revocation list will be written.

-outdir directory

Specify the directory where certificates will be written. Each certificate that is issued will be written with a filename composed of the certificate's serial number in hexadecimal and an extension of “.pem”. This option overrides the configuration file’s new_certs_dir key.

-cert filename

Specify the name of the file containing the CA’s certificate. This option overrides the configuration file’s certificate key.

-keyfile filename

Specify the name of the file containing the CA’s private key. This option overrides the configuration file’s private_key key.

-key password

Specify the password that is required to decrypt the CA’s private key. This option does not conform to the guidelines outlined in Chapter 2 for passwords and passphrases. Use of this option is not recommended. The passin option should be used instead.

-passin password

Specify the password or passphrase that is required to decrypt the CA’s private key. The password or passphrase specified with this option follows the guidelines outlined in Chapter 2.

-notext

Cause the text form of a certificate to be excluded from the output file.

-startdate date

Specify the start date on which the issued certificate or certificates will be valid. If this option is omitted, the default is to use the current system time. This option overrides the configuration file’s default_startdate key.

-enddate date

Specify the end date on which the issued certificate or certificates will be valid. If this option is omitted, the default is to use the start date plus the number of days specified with the days option. Use of this option will override the days option if both are used. This option overrides the configuration file’s default_enddate key.

-days number

Specify the number of days for which issued certificates will be valid. This option overrides the configuration file’s default_days key.

-md digest

Specify the message digest algorithm to use. The default is to use MD5, but valid options include MD5, SHA1, and MDC2. This option overrides the configuration file’s default_md key.

-policy section

Specify the name of a section in the configuration file being used that contains a policy definition to be used. This option overrides the configuration file’s policy key.

-msie_hack

Specify this option if you need to issue certificates that will work with very old versions of the Internet Explorer certificate enrollment control “certenr3”. Avoid using this option unless you know that you absolutely need it.

-preserveDN

Cause the order and components of the distinguished name from a certificate request to be preserved in the issued certificate. Ordinarily, the certificate will be created using only the components from the policy that is in use by the CA.

-batch

Cause verification prompts to be suppressed, allowing the command to do its work without any human intervention.

-extensions section

Specify the name of a section in the configuration file being used that contains the extensions to be added to certificates that are issued. If no extension section is used, an X.509v1 format certificate will be issued; otherwise, an X.509v3 certificate will be issued. This option overrides the configuration file’s x509_extensions key.

-gencrl

Cause a certificate revocation list to be generated.

-crldays number

Specify the number of days before the next certificate revocation list will be generated. This option is used to compute the date that is used to fill in the nextUpdate field. This option overrides the configuration file’s default_crl_days key.

-crlhours number

Specify the number of hours before the next certificate revocation list will be generated. This option is used to compute the date that is used to fill in the nextUpdate field. This option may be used in combination with the crldays option. This option overrides the configuration file’s default_crl_hours key.

-revoke filename

Specify the name of a file containing a certificate that will be revoked.

-crlexts section

Specify the name of a section in the configuration file being used that contains the extensions to be added to the certificate revocation list that is issued. If no extension section is used, a v1 CRL is created; otherwise, a v2 CRL is created. This option overrides the configuration file’s crl_extensions key.

Configuration Options

oid_file

Specify the name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID’s short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID’s long name, which may be composed of multiple words and characters other than letters.

oid_section

Specify the name of a section that contains object identifier definitions. Key names in the section should be the OID’s short name, and the corresponding value should be the OID’s numerical representation. Long names are the same as short names for OIDs that are defined in this manner.

new_certs_dir

Specify the directory where issued certificates will be stored. This is the same as the outdir command-line option.

certificate

Specify the name of a file containing the CA’s certificate. This is the same as the cert command-line option.

private_key

Specify the name of a file containing the CA’s private key. This is the same as the keyfile command-line option.

RANDFILE

Specify the name of a file that will be used to seed the PRNG. On Unix systems, the filename may be the name of an EGD socket.

default_days

Specify the number of days for which issued certificates will be valid. This is the same as the days command-line option.

default_startdate

Specify the default starting date for which issued certificates will be valid. This is the same as the startdate command-line option.

default_enddate

Specify the default ending date for which issued certificates will be valid. This is the same as the enddate command-line option.

default_crl_days

Specify the default number of days until a new certificate revocation list is generated. This is the same as the crldays command-line option.

default_crl_hours

Specify the default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option.

default_md

Specify the default message digest to be used for signing certificates and certificate revocation lists. This is the same as the md command-line option.

database

Specify the name of a file that will be used to keep track of certificates that are issued by the CA. This setting is mandatory and has no corresponding command-line option.

serialfile

Specify the name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option.

x509_extensions

Specify the name of a section in the configuration file that contains the set of extensions to be included in certificates that are issued by the CA. This is the same as the extensions command-line option.

crl_extensions

Specify the name of a section in the configuration file that contains the set of extensions to be included in certificate revocation lists that are issued by the CA. This is the same as the crlexts command-line option.

preserve

If this is set to yes, the order and components of the distinguished name contained in a certificate request will be preserved in the issued certificate. This is the same as the preserveDN command-line option.

msie_hack

If this is set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control “certenr3”. Avoid using this option unless you know that you absolutely need it.

policy

Specify the name of a section in the configuration file that defines the policy for this CA. This option is the same as the policy command-line option.

Notes

For the options that require a date as a parameter or configuration file keys that require a date as a value, the date should be specified in the same format as an ASN.1 UTC Time structure, which is YYMMDDHHMMSSZ, in which Z is the actual capital letter Z.

The use of a configuration file is strongly encouraged. In fact, unless the settings in the system-wide default configuration file are acceptable, a configuration file is required because there are mandatory configuration options that have no equivalent command-line options.

Each key in a policy definition section should be named for the short name of each object identifier present in a distinguished name. The value for each key should be match, supplied, or optional. OIDs that are marked as match must be present in the certificate request and must match the same OID in the CA’s distinguished name. OIDs that are marked as supplied must be present in the certificate request, and OIDs that are marked as optional may or may not be present in the certificate request.
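The configuration file below is an added, constructed example (not from the original text or from the OpenSSL distribution) that ties the configuration options and the policy rules above together: a default CA section with the mandatory database and serial-number keys, a policy section using match, supplied, and optional, and the extension sections referenced by x509_extensions and crl_extensions. The directory layout, file names, and the sha256 digest are assumptions; note that the serial-number file key is spelled serial in the openssl.cnf that ships with OpenSSL, and the commented default_startdate shows the YYMMDDHHMMSSZ date format.

```ini
# ca.cnf - constructed example for "openssl ca"; paths are assumptions.
# Issue:  openssl ca -config ca.cnf -in req.pem -out cert.pem
# Revoke: openssl ca -config ca.cnf -revoke cert.pem
# CRL:    openssl ca -config ca.cnf -gencrl -out crl.pem

[ ca ]
default_ca = example_ca            # section used unless -name overrides it

[ example_ca ]
dir              = ./demoCA                   # assumed CA directory
new_certs_dir    = $dir/newcerts              # same as -outdir
certificate      = $dir/cacert.pem            # same as -cert
private_key      = $dir/private/cakey.pem     # same as -keyfile
database         = $dir/index.txt             # mandatory, no command-line option
serial           = $dir/serial                # mandatory, no command-line option
RANDFILE         = $dir/private/.rand         # PRNG seed file
default_days     = 365                        # same as -days
default_crl_days = 30                         # same as -crldays
default_md       = sha256                     # assumes an OpenSSL that supports it
policy           = policy_match               # same as -policy
x509_extensions  = usr_cert                   # same as -extensions (v3 certificates)
crl_extensions   = crl_ext                    # same as -crlexts (v2 CRLs)
preserve         = no                         # DN built from the policy, not the request
# default_startdate = 240101000000Z           # ASN.1 UTC Time: YYMMDDHHMMSSZ

# Keys are OID short names; values are match, supplied, or optional.
[ policy_match ]
countryName            = match       # must be present and equal the CA's value
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional    # may be absent from the request
commonName             = supplied    # must be present, any value
emailAddress           = optional

# Extensions added to issued end-entity certificates.
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

# Extensions added to generated CRLs.
[ crl_ext ]
authorityKeyIdentifier = keyid:always
```

With this file, a request whose organizationName differs from the CA's is rejected by the policy, and one without a commonName is rejected as well.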

The ca command is intended to be an example certification authority. It has several limitations that make it unsuitable for use in a production environment. This command is discussed in detail in Chapter 3.