Add documentation on the added functionality in 'openssl ca'.
parent
6fcf735497
commit
d6df2b281f
@ -169,6 +169,7 @@ static char *ca_usage[]={
|
||||
" -keyform arg - private key file format (PEM or ENGINE)\n",
|
||||
" -key arg - key to decode the private key if it is encrypted\n",
|
||||
" -cert file - The CA certificate\n",
|
||||
" -selfsign - sign a certificate with the key associated with it\n",
|
||||
" -in file - The input PEM encoded certificate request(s)\n",
|
||||
" -out file - Where to put the output file(s)\n",
|
||||
" -outdir dir - Where to put output certificates\n",
|
||||
|
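Review bot: the new -selfsign usage line, "sign a certificate with the key associated with it", does not say which key is meant. The pod text added in this same commit ties it to the key the request was signed with (given with -keyfile) and says requests signed with a different key are ignored. The one-line help should carry the same meaning, for example "-selfsign - sign the certificate with the key the request was signed with".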
@ -30,6 +30,7 @@ B<openssl> B<ca>
|
||||
[B<-key arg>]
|
||||
[B<-passin arg>]
|
||||
[B<-cert file>]
|
||||
[B<-selfsign>]
|
||||
[B<-in file>]
|
||||
[B<-out file>]
|
||||
[B<-notext>]
|
||||
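Review bot: the synopsis puts [B<-selfsign>] after [B<-cert file>], while the =item B<-selfsign> entry added in the options list sits before =item B<-passin arg>. The synopsis order here is -key, -passin, -cert, -selfsign, so the two lists disagree on where the option belongs. Moving either one so the positions match keeps the page easy to scan.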
@ -113,6 +114,20 @@ the password used to encrypt the private key. Since on some
|
||||
systems the command line arguments are visible (e.g. Unix with
|
||||
the 'ps' utility) this option should be used with caution.
|
||||
|
||||
=item B<-selfsign>
|
||||
|
||||
indicates the issued certificates are to be signed with the key
|
||||
the certificate requests were signed with (given with B<-keyfile>).
|
||||
Cerificate requests signed with a different key are ignored. If
|
||||
B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
|
||||
ignored.
|
||||
|
||||
A consequence of using B<-selfsign> is that the self-signed
|
||||
certificate appears among the entries in the certificate database
|
||||
(see the configuration option B<database>), and uses the same
|
||||
serial number counter as all other certificates sign with the
|
||||
self-signed certificate.
|
||||
|
||||
=item B<-passin arg>
|
||||
|
||||
the key password source. For more information about the format of B<arg>
|
||||
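Review bot: two wording errors in the added -selfsign item: "Cerificate requests" should be "Certificate requests", and "all other certificates sign with the self-signed certificate" should read "signed with". The item also says that requests signed with a different key are "ignored", and that -selfsign itself is "ignored" when given with -spkac, -ss_cert or -gencrl. The text does not say whether the command reports either case or skips it silently; one sentence on that would tell an operator what to expect when nothing is issued.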
@ -359,6 +374,16 @@ the same as the B<-md> option. The message digest to use. Mandatory.
|
||||
the text database file to use. Mandatory. This file must be present
|
||||
though initially it will be empty.
|
||||
|
||||
=item B<unique_subject>
|
||||
|
||||
if the value B<yes> is given, the valid certificate entries in the
|
||||
database must have unique subjects. if the value B<no> is given,
|
||||
several valid certificate entries may have the exact same subject.
|
||||
The default value is B<yes>, to be compatible with older (pre 0.9.8)
|
||||
versions of OpenSSL. However, to make CA certificate roll-over easier,
|
||||
it's recommended to use the value B<no>, especially if combined with
|
||||
the B<-selfsign> command line option.
|
||||
|
||||
=item B<serialfile>
|
||||
|
||||
a text file containing the next serial number to use in hex. Mandatory.
|
||||
|
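Review bot: the unique_subject item recommends B<no> but states only the benefit (easier CA certificate roll-over), not what changes for an existing CA. Since with B<no> "several valid certificate entries may have the exact same subject", a sentence noting that a subject no longer identifies a single valid entry in the database would help anyone who looks up certificates by subject. Minor: "if the value B<no> is given" starts a sentence in lower case, and "pre 0.9.8" reads better as "pre-0.9.8".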