man page on DigitalUNIX


NAME - Friendlier interface for OpenSSL certificate programs

SYNOPSIS  [-?] [-h] [-help] [-newcert] [-newreq] [-newca] [-xsign] [-sign]
       [-signreq] [-signcert] [-verify] [files]

       Prints a usage message.

       Creates a new self signed certificate. The private key and certificate are written to the file newreq.pem.

       Creates a new certificate request. The private key and request are written to the file newreq.pem.

       Creates a new CA hierarchy for use with the ca program (or the -signcert and -xsign options). The user is prompted to enter the filename of the CA certificates (which should also contain the private key) or, by hitting ENTER details of the CA will be prompted for. The relevant files and directories are created in a directory called demoCA in the current directory.

       Creates a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file newcert.pem and the CA certificate to be in the file demoCA/cacert.pem, it creates a file newcert.p12. This command can thus be called after the -sign option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the friendly name for the certificate (which is typically displayed in the browser list box), otherwise the name My Certificate is used.

       Calls the ca program to sign a certificate request. It expects the request to be in the file newreq.pem. The new certificate is written to the file newcert.pem except in the case of the -xsign option when it is written to standard output.

       The same as the -signreq option except it uses the configuration file section v3_ca and so makes the signed request a valid CA certificate. This is useful when creating intermediate CA from a root CA.

       The same as -sign option, except it expects a self signed certificate to be present in the file newreq.pem.

       Verifies certificates against the CA certificate for demoCA. If no certificates are specified on the command line it tries to verify the file newcert.pem.

       One or more optional certificate file names for use with the -verify option.

       The script is a perl script that supplies the relevant command
       line arguments to the openssl command for some common certificate
       operations. It is intended to simplify the process of certificate
       creation and management by the use of some simple options.

       Most  of	 the  filenames mentioned can be modified by editing the

       If the demoCA directory already exists then the -newca option will  not
       overwrite  it  and  will do nothing. This can happen if a previous call
       using the -newca option	terminated  abnormally.	 To  get  the  correct
       behavior delete the demoCA directory if it already exists.

       Under some environments it may not be possible to run the script
       directly (for example Win32), and the default configuration file
       location may be wrong. In this case the command perl -S can be used
       and the OPENSSL_CONF environment variable changed to point to the
       correct path of the configuration file openssl.cnf.

       The  script  is	intended as a simple front end for the openssl program
       for use by a beginner. Its behavior isn't always what  is  wanted.  For
       more  control  over  the	 behavior of the certificate commands call the
       openssl command directly.

       Create a CA hierarchy: -newca

       Complete certificate creation example: create a CA, create  a  request,
       sign the request and finally create a PKCS#12 file containing it. -newca -newreq -signreq -pkcs12 "My Test Certificate"
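
The same steps (CA, request, signing, PKCS#12, plus the check that -verify performs) run with the openssl command directly, which is what the note above recommends when more control is needed. This is an added example, not part of the man page or the script. It assumes `openssl x509 -req` in place of the ca program (so no demoCA directory is used), and the file names demo.cnf, cakey.pem and newkey.pem, the subject names, the 2048-bit RSA keys, the 30-day lifetime and the `pass:demo-only` password are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the -newca, -newreq, -signreq, -verify and -pkcs12 steps done
# with openssl directly. Names, key size, lifetimes and the pass:... value are
# constructed for the demo.

make_chain() (              # subshell body: cd and umask do not leak out
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077               # key files readable by the owner only
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # CA certificate and key (-nodes skips key encryption so nothing prompts;
    # omit it for a real CA key)
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -sha256 -days 30 \
        -nodes -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
    # Certificate request and user key
    openssl req -new -config demo.cnf -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=Demo User" -keyout newkey.pem -out newreq.pem 2>/dev/null || exit 1
    # Sign the request with the CA key
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 30 -out newcert.pem 2>/dev/null || exit 1
    # PKCS#12 bundle: user certificate, user key and CA certificate
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
        -certfile cacert.pem -name "My Test Certificate" \
        -passout pass:demo-only -out newcert.p12
)

# Succeeds only if certificate $2 chains to CA certificate $1.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the friendly name stored in PKCS#12 file $1.
p12_name() {
    openssl pkcs12 -in "$1" -passin pass:demo-only -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}
```

Calling `make_chain ./demo` and then `verify_cert ./demo/cacert.pem ./demo/newcert.pem` reproduces the whole sequence. A certificate issued by a different CA fails the check even when the CA subject names are identical, because the signature does not match.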

       Although the creates RSA CAs and requests it is still possible to
       use it with  DSA	 certificates  and  requests  using  the  req  command
       directly. The following example shows the steps that would typically be

       Create some DSA parameters:
	openssl dsaparam -out dsap.pem 1024

       Create a DSA CA certificate and private key:
	openssl req -x509 -newkey dsa:dsap.pem -keyout	cacert.pem  -out  cac‐

       Create the CA directories and files: -newca

       Enter cacert.pem when prompted for the CA file name.

       Create  a  DSA  certificate request and private key (a different set of
       parameters can optionally be created first):
	openssl req -out newreq.pem -newkey dsa:dsap.pem

       Sign the request: -signreq

       The variable OPENSSL_CONF if defined allows an alternative
       configuration file location to be specified. It should contain the
       full path to the configuration file, not just its directory.

       Commands: x509(1ssl), ca(1ssl), req(1ssl), pkcs12(1ssl)

       Others: config(5)


Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net