openssl/doc/ca.1

122 lines
4.6 KiB
Groff
Raw Normal View History

From eay@orb.mincom.oz.au Thu Dec 28 23:56:45 1995
Received: by orb.mincom.oz.au id AA07374
(5.65c/IDA-1.4.4 for eay); Thu, 28 Dec 1995 13:56:45 +1000
Date: Thu, 28 Dec 1995 13:56:45 +1000 (EST)
From: Eric Young <eay@mincom.oz.au>
X-Sender: eay@orb
To: sameer <sameer@c2.org>
Cc: ssleay@mincom.oz.au
Subject: Re: 'ca'
In-Reply-To: <199512230440.UAA23410@infinity.c2.org>
Message-Id: <Pine.SOL.3.91.951228133525.7269A-100000@orb>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
On Fri, 22 Dec 1995, sameer wrote:
> I could use documentation on 'ca'. Thanks.
Very quickly.
The ca program uses the ssleay.conf file for most of its configuration
./ca -help
-verbose - Talk alot while doing things
-config file - A config file. If you don't want to use the
default config file
-name arg - The particular CA definition to use
In the config file, the section to use for parameters. This lets
multiple setups to be contained in the one file. By default, the
default_ca variable is looked up in the [ ca ] section. So in the
shipped ssleay.conf, the CA definition used is CA_default. It could be
any other name.
-gencrl days - Generate a new CRL, days is when the next CRL is due
This will generate a new certificate revocion list.
-days arg - number of days to certify the certificate for
When certifiying certificates, this is the number of days to use.
-md arg - md to use, one of md2, md5, sha or sha1
-policy arg - The CA 'policy' to support
I'll describe this later, but there are 2 policies definied in the
shipped ssleay.conf
-keyfile arg - PEM RSA private key file
-key arg - key to decode the RSA private key if it is encrypted
since we need to keep the CA's RSA key encrypted
-cert - The CA certificate
-in file - The input PEM encoded certificate request(s)
-out file - Where to put the output file(s)
-outdir dir - Where to put output certificates
The -out options concatinates all the output certificied
certificates to one file, -outdir puts them in a directory,
named by serial number.
-infiles .... - The last argument, requests to process
The certificate requests to process, -in is the same.
Just about all the above have default values defined in ssleay.conf.
The key variables in ssleay.conf are (for the pariticular '-name' being
used, in the default, it is CA_default).
dir is where all the CA database stuff is kept.
certs is where all the previously issued certificates are kept.
The database is a simple text database containing the following tab separated
fields.
status: a value of 'R' - revoked, 'E' -expired or 'V' valid.
issued date: When the certificate was certified.
revoked date: When it was revoked, blank if not revoked.
serial number: The certificate serial number.
certificate: Where the certificate is located.
CN: The name of the certificate.
The demo file has quite a few made up values it it. The last 2 were
added by the ca program and are acurate.
The CA program does not update the 'certificate' file correctly right now.
The serial field should be unique as should the CN/status combination.
The ca program checks these at startup. What still needs to be
wrtten is a program to 'regenerate' the data base file from the issued
certificate list (and a CRL list).
Back to the CA_default variables.
Most of the variables are commented.
policy is the default policy.
Ok for policies, they define the order and which fields must be present
in the certificate request and what gets filled in.
So a value of
countryName = match
means that the country name must match the CA certificate.
organizationalUnitName = optional
The org.Unit,Name does not have to be present and
commonName = supplied
commonName must be supplied in the certificate request.
For the 'policy_match' polocy, the order of the attributes in the
generated certiticate would be
countryName
stateOrProvinceName
organizationName
organizationalUnitName
commonName
emailAddress
Have a play, it sort of makes sense. If you think about how the persona
requests operate, it is similar to the 'policy_match' policy and the
'policy_anything' is similar to what versign is doing.
I hope this helps a bit. Some backend scripts are definitly needed to
update the database and to make certificate revocion easy. All
certificates issued should also be kept forever (or until they expire?)
hope this helps
eric (who has to run off an buy some cheap knee pads for the caving in 4
days time :-)
--
Eric Young | Signature removed since it was generating
AARNet: eay@mincom.oz.au | more followups than the message contents :-)