X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=userapps%2Fopensource%2Fopenssl%2Fdoc%2Fapps%2FCA.pl.pod;fp=userapps%2Fopensource%2Fopenssl%2Fdoc%2Fapps%2FCA.pl.pod;h=58e0f5200100c248d271a7ffefe523ed4a5aa65e;hb=59e02c1be2c9b373846b0789fbd5b7ef46f0927f;hp=0000000000000000000000000000000000000000;hpb=3f05a9da74f56df22d185b66ee663a6fd8053cb3;p=bcm963xx.git diff --git a/userapps/opensource/openssl/doc/apps/CA.pl.pod b/userapps/opensource/openssl/doc/apps/CA.pl.pod new file mode 100755 index 00000000..58e0f520 --- /dev/null +++ b/userapps/opensource/openssl/doc/apps/CA.pl.pod @@ -0,0 +1,179 @@ + +=pod + +=head1 NAME + +CA.pl - friendlier interface for OpenSSL certificate programs + +=head1 SYNOPSIS + +B +[B<-?>] +[B<-h>] +[B<-help>] +[B<-newcert>] +[B<-newreq>] +[B<-newreq-nodes>] +[B<-newca>] +[B<-xsign>] +[B<-sign>] +[B<-signreq>] +[B<-signcert>] +[B<-verify>] +[B] + +=head1 DESCRIPTION + +The B script is a perl script that supplies the relevant command line +arguments to the B command for some common certificate operations. +It is intended to simplify the process of certificate creation and management +by the use of some simple options. + +=head1 COMMAND OPTIONS + +=over 4 + +=item B, B<-h>, B<-help> + +prints a usage message. + +=item B<-newcert> + +creates a new self signed certificate. The private key and certificate are +written to the file "newreq.pem". + +=item B<-newreq> + +creates a new certificate request. The private key and request are +written to the file "newreq.pem". + +=item B<-newreq-nowdes> + +is like B<-newreq> except that the private key will not be encrypted. + +=item B<-newca> + +creates a new CA hierarchy for use with the B program (or the B<-signcert> +and B<-xsign> options). The user is prompted to enter the filename of the CA +certificates (which should also contain the private key) or by hitting ENTER +details of the CA will be prompted for. The relevant files and directories +are created in a directory called "demoCA" in the current directory. + +=item B<-pkcs12> + +create a PKCS#12 file containing the user certificate, private key and CA +certificate. It expects the user certificate and private key to be in the +file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem, +it creates a file "newcert.p12". This command can thus be called after the +B<-sign> option. The PKCS#12 file can be imported directly into a browser. +If there is an additional argument on the command line it will be used as the +"friendly name" for the certificate (which is typically displayed in the browser +list box), otherwise the name "My Certificate" is used. + +=item B<-sign>, B<-signreq>, B<-xsign> + +calls the B program to sign a certificate request. It expects the request +to be in the file "newreq.pem". The new certificate is written to the file +"newcert.pem" except in the case of the B<-xsign> option when it is written +to standard output. + + +=item B<-signCA> + +this option is the same as the B<-signreq> option except it uses the configuration +file section B and so makes the signed request a valid CA certificate. This +is useful when creating intermediate CA from a root CA. + +=item B<-signcert> + +this option is the same as B<-sign> except it expects a self signed certificate +to be present in the file "newreq.pem". + +=item B<-verify> + +verifies certificates against the CA certificate for "demoCA". If no certificates +are specified on the command line it tries to verify the file "newcert.pem". + +=item B + +one or more optional certificate file names for use with the B<-verify> command. + +=back + +=head1 EXAMPLES + +Create a CA hierarchy: + + CA.pl -newca + +Complete certificate creation example: create a CA, create a request, sign +the request and finally create a PKCS#12 file containing it. + + CA.pl -newca + CA.pl -newreq + CA.pl -signreq + CA.pl -pkcs12 "My Test Certificate" + +=head1 DSA CERTIFICATES + +Although the B creates RSA CAs and requests it is still possible to +use it with DSA certificates and requests using the L command +directly. The following example shows the steps that would typically be taken. + +Create some DSA parameters: + + openssl dsaparam -out dsap.pem 1024 + +Create a DSA CA certificate and private key: + + openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem + +Create the CA directories and files: + + CA.pl -newca + +enter cacert.pem when prompted for the CA file name. + +Create a DSA certificate request and private key (a different set of parameters +can optionally be created first): + + openssl req -out newreq.pem -newkey dsa:dsap.pem + +Sign the request: + + CA.pl -signreq + +=head1 NOTES + +Most of the filenames mentioned can be modified by editing the B script. + +If the demoCA directory already exists then the B<-newca> command will not +overwrite it and will do nothing. This can happen if a previous call using +the B<-newca> option terminated abnormally. To get the correct behaviour +delete the demoCA directory if it already exists. + +Under some environments it may not be possible to run the B script +directly (for example Win32) and the default configuration file location may +be wrong. In this case the command: + + perl -S CA.pl + +can be used and the B environment variable changed to point to +the correct path of the configuration file "openssl.cnf". + +The script is intended as a simple front end for the B program for use +by a beginner. Its behaviour isn't always what is wanted. For more control over the +behaviour of the certificate commands call the B command directly. + +=head1 ENVIRONMENT VARIABLES + +The variable B if defined allows an alternative configuration +file location to be specified, it should contain the full path to the +configuration file, not just its directory. + +=head1 SEE ALSO + +L, L, L, L, +L + +=cut