=pod

=head1 NAME

CA.pl - friendlier interface for OpenSSL certificate programs

=head1 SYNOPSIS

=for openssl duplicate options

B<CA.pl>
B<-?> |
B<-h> |
B<-help>

B<CA.pl>
B<-newcert> |
B<-newreq> |
B<-newreq-nodes> |
B<-xsign> |
B<-sign> |
B<-signCA> |
B<-signcert> |
B<-crl> |
B<-newca>
[B<-extra-I<cmd>> I<parameter>]

B<CA.pl> B<-pkcs12> [I<certname>]

B<CA.pl> B<-verify> I<certfile> ...

B<CA.pl> B<-revoke> I<certfile> [I<reason>]

=head1 DESCRIPTION

The B<CA.pl> script is a Perl script that supplies the relevant command line
arguments to the L<openssl(1)> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.

The script is intended as a simple front end for the L<openssl(1)> program for
use by a beginner. Its behaviour isn't always what is wanted. For more control
over the behaviour of the certificate commands, call the L<openssl(1)> command
directly.

Most of the filenames mentioned below can be modified by editing the
B<CA.pl> script.

Under some environments it may not be possible to run the B<CA.pl> script
directly (for example Win32), and the default configuration file location may
be wrong. In this case the command:

 perl -S CA.pl

can be used, and the B<OPENSSL_CONF> environment variable can be set to point to
the correct path of the configuration file.

=head1 OPTIONS

=over 4

=item B<-?>, B<-h>, B<-help>

Prints a usage message.

=item B<-newcert>

Creates a new self-signed certificate. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
Invokes L<openssl-req(1)>.

=item B<-newreq>

Creates a new certificate request. The private key is written to the file
F<newkey.pem> and the request written to the file F<newreq.pem>.
Executes L<openssl-req(1)> under the hood.

=item B<-newreq-nodes>

Is like B<-newreq> except that the private key will not be encrypted.
Uses L<openssl-req(1)>.

=item B<-newca>

Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
and B<-xsign> options). The user is prompted to enter the filename of the CA
certificate (which should also contain the private key); if ENTER is hit
instead, the details of the CA are prompted for. The relevant files and
directories are created in a directory called F<demoCA> in the current
directory. Uses L<openssl-req(1)> and L<openssl-ca(1)>.

If the F<demoCA> directory already exists then the B<-newca> command will not
overwrite it and will do nothing. This can happen if a previous call using
the B<-newca> option terminated abnormally. To get the correct behaviour,
delete the directory if it already exists.

=item B<-pkcs12>

Creates a PKCS#12 file containing the user certificate, private key and CA
certificate. It expects the user certificate and private key to be in the
file F<newcert.pem> and the CA certificate to be in the file F<demoCA/cacert.pem>;
it creates the file F<newcert.p12>. This command can thus be called after the
B<-sign> option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
"friendly name" for the certificate (which is typically displayed in the browser
list box), otherwise the name "My Certificate" is used.
Delegates work to L<openssl-pkcs12(1)>.

=item B<-sign>, B<-signcert>, B<-xsign>

Calls the L<openssl-ca(1)> command to sign a certificate request. It expects the
request to be in the file F<newreq.pem>. The new certificate is written to the
file F<newcert.pem>, except in the case of the B<-xsign> option, when it is
written to standard output.

=item B<-signCA>

This option is the same as the B<-sign> option except that it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating an intermediate CA from
a root CA. Extra parameters are passed to L<openssl-ca(1)>.

=item B<-signcert>

This option is the same as B<-sign> except that it expects a self-signed
certificate to be present in the file F<newreq.pem>.
Extra parameters are passed to L<openssl-x509(1)> and L<openssl-ca(1)>.

=item B<-crl>

Generates a CRL. Executes L<openssl-ca(1)>.

=item B<-revoke> I<certfile> [I<reason>]

Revokes the certificate contained in the specified I<certfile>. An optional
reason may be specified, and must be one of: B<unspecified>,
B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
Leverages L<openssl-ca(1)>.

=item B<-verify>

Verifies certificates against the CA certificate for F<demoCA>. If no
certificates are specified on the command line it tries to verify the file
F<newcert.pem>. Invokes L<openssl-verify(1)>.

=item B<-extra-I<cmd>> I<parameter>

For each option B<-extra-I<cmd>>, passes I<parameter> to the L<openssl(1)>
sub-command with the same name as I<cmd>, if that sub-command is invoked.
For example, if L<openssl-req(1)> is invoked, the I<parameter> given with
B<-extra-req> will be passed to it.
For multi-word parameters, either repeat the option or quote the I<parameters>
so they look like one word to your shell.
See the individual command documentation for more information.

=back

=head1 EXAMPLES

Create a CA hierarchy:

 CA.pl -newca

Complete certificate creation example: create a CA, create a request, sign
the request and finally create a PKCS#12 file containing it.

 CA.pl -newca
 CA.pl -newreq
 CA.pl -sign
 CA.pl -pkcs12 "My Test Certificate"

=head1 ENVIRONMENT

The environment variable B<OPENSSL> may be used to specify the name of
the OpenSSL program. It can be a full pathname, or a relative one.

The environment variable B<OPENSSL_CONFIG> may be used to specify a
configuration option and value to the B<req> and B<ca> commands invoked by
this script. Its value should be the option and pathname, as in
C<-config /path/to/conf-file>.

=head1 SEE ALSO

L<openssl(1)>,
L<openssl-x509(1)>,
L<openssl-ca(1)>,
L<openssl-req(1)>,
L<openssl-pkcs12(1)>,
L<config(5)>

=head1 COPYRIGHT

Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
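
=pod

=head1 NON-INTERACTIVE EXAMPLE

The lifecycle from the EXAMPLES section, extended with verification, revocation and CRL generation and driven without prompts through the B<-extra-I<cmd>> options; this is an added example, not part of the original manual page or of the CA.pl script. It assumes CA.pl and openssl are on PATH and that the default openssl.cnf uses F<./demoCA> as its CA directory; the CAPL and CAPASS variables and the ca_lifecycle function are this example's own.

```sh
#!/bin/sh
# Added example, not part of the OpenSSL manual or of the CA.pl script itself.
# It runs the CA.pl lifecycle documented above without any interactive prompt
# by routing -batch, -subj and -passin/-passout through the -extra-<cmd> options.
# Assumptions: CA.pl and openssl are on PATH (override with CAPL=/path/CA.pl),
# and the default openssl.cnf uses ./demoCA as its CA directory, like CA.pl.
CAPL=${CAPL:-CA.pl}
CAPASS='demo-ca-passphrase'   # constructed throwaway passphrase, demo only

# ca_lifecycle DIR: build a CA in a fresh DIR, then issue, verify, bundle and
# revoke a certificate and publish the CRL. Prints "ok" and returns 0 when the
# revoked serial appears in the CRL; returns 1 at the first failing step.
ca_lifecycle() {
    dir=$1
    # -newca silently does nothing when ./demoCA already exists, so insist on a fresh dir.
    [ -n "$dir" ] && [ ! -e "$dir/demoCA" ] || return 1
    mkdir -p "$dir" && cd "$dir" || return 1
    # 1. The empty line answers the "CA certificate filename" prompt, so a new
    #    CA key and certificate are generated; -extra-req fixes the subject.
    printf '\n' | "$CAPL" -newca \
        -extra-req "-batch -subj /CN=Demo-Root-CA -passout pass:$CAPASS" \
        -extra-ca "-passin pass:$CAPASS" >/dev/null 2>&1 || return 1
    # 2. End-entity request with an unencrypted key (-newreq-nodes).
    "$CAPL" -newreq-nodes -extra-req "-batch -subj /CN=server.example.test" \
        >/dev/null 2>&1 || return 1
    # 3. Sign it; -batch answers the y/n confirmations of openssl ca.
    "$CAPL" -sign -extra-ca "-batch -passin pass:$CAPASS" >/dev/null 2>&1 || return 1
    # 4. Chain check of newcert.pem against demoCA/cacert.pem.
    "$CAPL" -verify newcert.pem >/dev/null 2>&1 || return 1
    # 5. PKCS#12 bundle with a friendly name; the export password goes through -extra-pkcs12.
    "$CAPL" -pkcs12 "Demo Server" -extra-pkcs12 "-passout pass:$CAPASS" \
        >/dev/null 2>&1 || return 1
    # 6. Revoke with one of the documented reasons, then publish the CRL.
    "$CAPL" -revoke newcert.pem keyCompromise -extra-ca "-passin pass:$CAPASS" \
        >/dev/null 2>&1 || return 1
    "$CAPL" -crl -extra-ca "-passin pass:$CAPASS" >/dev/null 2>&1 || return 1
    # demoCA/crl/crl.pem must now list the serial of the revoked certificate.
    serial=$(openssl x509 -in newcert.pem -noout -serial | cut -d= -f2)
    [ -n "$serial" ] || return 1
    openssl crl -in demoCA/crl/crl.pem -noout -text \
        | grep -q "Serial Number: $serial" || return 1
    echo ok
}

# Usage: sh ca_demo.sh run /tmp/ca-demo   (the subshell keeps the cd local)
if [ "${1:-}" = run ]; then (ca_lifecycle "$2"); fi
```

The passphrase and subjects are placeholders; the same -extra- routing works for any other openssl sub-command option, such as C<-extra-req -config> to point at a private configuration file.

=cut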