I'm toying with the idea of writing a more user-friendly CA management tool. In the process of analysing what's already there, I have had to deal with the cryptic interface between ca and req and the configuration file (variously ssleay.cnf). This file is only ever used by the ca and req programs, and the correspondence between configuration fields and command line arguments is not clear. I've written an HTML document setting out the correspondences as near as I can determine them. Any ideas on what would make a CA management tool usable are welcome.

Colin.

openSSL Configuration file correspondences.
ca - Certifying Authority Maintenance.
The ca program maintains a database of certificates signed by a given Certifying Authority.
There are two basic operations on the database: Signing and Revocation.
- Signing adds a certificate generated from
  - a PEM request,
  - a self-signed certificate, or
  - an SPKAC file.
- Revocation flags certificates as revoked and generates a CRL (certificate revocation list) of certificates which have expired.
These are really two different functions, and should be in separate programs.
I don't know how you revoke a certificate which has not yet expired.
| Argument | Description |
|---|---|
| -spkac file | File contains DN and signed public key and challenge |
| -ss_cert file | File contains a self-signed cert to sign |
| -in file | The input PEM encoded certificate request(s) |
| -infiles ... | The last argument; requests to process |
| Argument | Configuration | Description |
|---|---|---|
| -startdate | $ca::default_startdate | when the certificate starts, YYMMDDHHMMSS (defaults to today) |
| -days | $ca::default_days | number of days to certify the certificate for |
| -md | $ca::default_md | message digest to use, one of md2, md5, sha or sha1 |
| -policy | $ca::policy | The CA 'policy' to support |
| -outdir | $ca::new_certs_dir | Where to put output certificates |
| -preserveDN | $ca::preserve | Don't re-order the DN |
| -msie_hack | ::msie_hack | MSIE modifications to handle all those universal strings |
| | $ca::serial | CA serial number file |
| | $ca::x509_extensions | X509 extensions |
| | ::oid_file | extra OIDs for the DN |
| Argument | Configuration | Description |
|---|---|---|
| -config file | ENV::SSLEAY_CONF | Configuration file to use |
| -name | ca::default_ca | The particular CA definition to use |
| -cert | $ca::certificate | The CA certificate file |
| -keyfile | $ca::private_key | PEM private key file |
| -key | | key used to decrypt the CA's private key if it is encrypted |
| | $ca::database | CA database |
| Argument | Description |
|---|---|
| -gencrl | Generate a new CRL |

| Argument | Configuration | Description |
|---|---|---|
| -crldays | $ca::default_crl_days | number of days until the next CRL is due |
| -crlhours | $ca::default_crl_hours | number of hours until the next CRL is due |
req - Request Maintenance.
req is a program which can
- create a request and a private key associated with that request.
- validate a request's signature
- create a self-signed certificate for use as a CA certificate.
- dump the DN and other content of a request.
| Argument | Description |
|---|---|
| -newkey | make a key and a request. |
| -x509 | output a self-signed X509 structure instead. |
| -verify | check the request signature |
| -modulus | print the RSA modulus. |
| -noout | don't output the encoded request or certificate. |
| -text | print out human readable text. |
| Argument | Configuration | Description |
|---|---|---|
| -in arg | | input file (default stdin) |
| -inform arg | | input format (default PEM; one of DER, TXT or PEM) |
| -out arg | | output file (default stdout) |
| -outform arg | | output format (default PEM) |
| -key file | | make a request using the key in file (or use it for verification). |
| -keyform | | input key file format. |
| -keyout arg | req::default_keyfile | file to output the request's private key to. |
| -config file | ENV::SSLEAY_CONF | Load configuration file. |
| | ::oid_file | file for extra OIDs for the DN |
| | req::RANDFILE | random number file for generating keys |
| Argument | Configuration | Description |
|---|---|---|
| -nodes | req::encrypt_rsa_key, req::encrypt_key | no DES encryption of the private key |
| -asn1-kludge | | output the new certificate request in a format that some CAs require. This format is wrong |
| -days | | number of days an X509 certificate generated by -x509 is valid for. |
| -md5 -sha1 -md2 -mdc2 | req::default_md | Digest to sign with (md5, sha1, md2, mdc2) |
| | req::attributes | extra attributes configuration section for the request |
| | req::distinguished_name | distinguished name configuration section for the request |
| | req::default_bits | key length (must be > 384) |
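As an added example (not part of Colin's document or of OpenSSL itself), the script below writes one openssl.cnf in which each key carries a comment naming the ca or req argument it corresponds to in the tables above, then runs req and ca against that file. The section names local_ca, local_policy, leaf_ext and req_dn, the directory layout and the sha256 digest (rather than the md5/sha1 listed above) are assumptions.

```shell
# Added example: config keys from the correspondence tables, with the matching
# command-line argument in the comment, and the req/ca commands that use them.
write_ca_config() {                          # $1 = CA directory, $2 = config path
  cat > "$2" <<EOF
[ ca ]
default_ca       = local_ca                 # ca -name local_ca

[ local_ca ]
certificate      = $1/cacert.pem            # ca -cert
private_key      = $1/cakey.pem             # ca -keyfile
serial           = $1/serial                # no flag: ca::serial (serial number file)
database         = $1/index.txt             # no flag: ca::database (CA database)
new_certs_dir    = $1/newcerts              # ca -outdir
default_days     = 365                      # ca -days
default_md       = sha256                   # ca -md (table lists md5/sha1; sha256 is current)
default_crl_days = 30                       # ca -crldays
policy           = local_policy             # ca -policy (section naming the required DN fields)
x509_extensions  = leaf_ext                 # no flag: ca::x509_extensions

[ local_policy ]
countryName      = match
commonName       = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE

[ req ]
default_bits     = 2048                     # no flag: req::default_bits (> 384)
default_keyfile  = $1/cakey.pem             # req -keyout
default_md       = sha256                   # req -md5 / -sha1 / ...
encrypt_key      = no                       # req -nodes
distinguished_name = req_dn                 # no flag: req::distinguished_name
prompt           = no                       # take the DN below instead of prompting
[ req_dn ]
C  = XX
CN = Example CA
EOF
}

init_ca_dir() {                              # $1 = CA directory: ca needs these to exist
  mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial"
}

issue_cert() {                               # $1 = CA directory, $2 = config path
  # CA cert + key (key lands in default_keyfile), a leaf request, then ca signs it
  openssl req -config "$2" -new -x509 -out "$1/cacert.pem" >/dev/null 2>&1 &&
  openssl req -config "$2" -new -keyout "$1/leafkey.pem" -out "$1/leaf.csr" \
      -subj "/C=XX/CN=leaf.example" >/dev/null 2>&1 &&
  openssl ca -config "$2" -batch -in "$1/leaf.csr" -out "$1/leaf.pem" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); init_ca_dir "$d"; write_ca_config "$d" "$d/openssl.cnf"; issue_cert "$d" "$d/openssl.cnf"` and the signed leaf appears in the database ($d/index.txt) as well as in $d/leaf.pem.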