  • OpenSSL ca command

    I. Introduction

    The ca command signs certificate request files and generates certificate revocation lists (CRLs).

    II. Syntax

    openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-subj subj] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-keyform arg] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-batch] [-msie_hack] [-extensions section] [-utf8] [-create_serial] [-multivalue-rdn] [-sigopt] [-noemailDN] [-crlsec] [-extfile file] [-updatedb] [-engine id]

    Options

    -verbose        - Talk alot while doing things
     -config file    - A config file
     -name arg       - The particular CA definition to use
     -gencrl         - Generate a new CRL
     -crldays days   - Days is when the next CRL is due
     -crlhours hours - Hours is when the next CRL is due
     -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
     -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
     -days arg       - number of days to certify the certificate for
     -md arg         - md to use, see openssl dgst -h for list
     -policy arg     - The CA 'policy' to support
     -keyfile arg    - private key file
     -keyform arg    - private key file format (PEM or ENGINE)
     -key arg        - key to decode the private key if it is encrypted
     -cert file      - The CA certificate
     -selfsign       - sign a certificate with the key associated with it
     -in file        - The input PEM encoded certificate request(s)
     -out file       - Where to put the output file(s)
     -outdir dir     - Where to put output certificates
     -infiles ....   - The last argument, requests to process
     -spkac file     - File contains DN and signed public key and challenge
     -ss_cert file   - File contains a self signed cert to sign
     -preserveDN     - Don't re-order the DN
     -noemailDN      - Don't add the EMAIL field into certificate' subject
     -batch          - Don't ask questions
     -msie_hack      - msie modifications to handle all those universal strings
     -revoke file    - Revoke a certificate (given in file)
     -subj arg       - Use arg instead of request's subject
     -utf8           - input characters are UTF8 (default ASCII)
     -multivalue-rdn - enable support for multivalued RDNs
     -extensions ..  - Extension section (override value in config file)
     -extfile file   - Configuration file with X509v3 extentions to add
     -crlexts ..     - CRL extension section (override value in config file)
     -engine e       - use engine e, possibly a hardware device.
     -status serial  - Shows certificate status given the serial number
     -updatedb       - Updates db for expired certificates

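    III. Examples

    1. Sign a certificate request

    openssl ca -in cert_req.pem -extensions v3_ca -out newcert.pem

    openssl ca -config openssl.cnf -name CA_default -days 365 -md sha1 -policy policy_anything -cert demoCA/cacert.pem -in cert_req.pem -out cert1.pem -preserveDN -noemailDN -subj /CN=CN/O=JS/OU=WX/cn=myname -extensions myexts

    Note: in the stock openssl.cnf the v3_ca section sets basicConstraints to CA:true, so the first command issues a certificate that can itself sign certificates; use a section with CA:FALSE for server or client certificates. SHA-1 is no longer accepted for certificate signatures by current clients, so use -md sha256 or stronger for new certificates.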

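    2. Revoke a certificate and generate a CRL

    openssl ca -revoke rsa_server_cert.pem -config openssl_utf8.cnf -keyfile rsa_ca_prikey.pem -passin pass:"123456" -cert rsa_ca_cert.pem
    openssl ca -gencrl -config openssl_utf8.cnf -utf8 -keyfile rsa_ca_prikey.pem -passin pass:"123456" -cert rsa_ca_cert.pem -out crl.pem

    Note: -passin pass:... places the CA key passphrase on the command line, where it is visible in the process list and shell history. The -passin argument also accepts the file:, env:, fd: and stdin forms, which keep it off the command line.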

    Setting the revocation reason and hold instruction

    openssl ca -gencrl -crl_reason keyCompromise -crl_compromise 20010101030303Z  -crl_hold holdInstructionReject -crl_CA_compromise  20020101030303Z -crldays 10 -out crl2.crl
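
The commands above assume an already configured CA directory. The following added example (not from the original article) builds a throwaway CA with the database files `openssl ca` expects, signs a request, revokes the certificate, generates a CRL and confirms that a CRL-checking `openssl verify` rejects the certificate. The file names, subjects and the `leaf_ext` section are constructed for the example; it uses `default_md = sha256` and issues the certificate with `CA:FALSE`.

```shell
# Added example: throwaway CA in a temp directory; every file name, subject
# and section name here (ca.cnf, leaf_ext, "Demo CA", ...) is constructed.
ca_demo() {
    d=$(mktemp -d) || return 1; rc=0
    (
        cd "$d" && umask 077 || exit 1    # key files unreadable to other users
        mkdir newcerts && : > index.txt   # issued-cert store and CA database
        echo 01 > serial; echo 01 > crlnumber   # next cert serial / CRL number (hex)
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 10
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
EOF
        {   # CA key and self-signed CA cert, leaf CSR, then sign / revoke / CRL
            openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" -extensions v3_ca -keyout cakey.pem -out cacert.pem &&
            openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=leaf.example" -keyout leaf.key -out cert_req.pem &&
            openssl ca -config ca.cnf -batch -notext -extensions leaf_ext -in cert_req.pem -out newcert.pem &&
            openssl verify -CAfile cacert.pem newcert.pem &&
            openssl ca -config ca.cnf -revoke newcert.pem -crl_reason keyCompromise &&
            openssl ca -config ca.cnf -gencrl -out crl.pem
        } >/dev/null 2>&1 || exit 1
        state=$(cut -c1 index.txt)        # R = revoked, V = valid, E = expired
        serial=$(openssl crl -in crl.pem -noout -text | awk '/Serial Number:/ {print $3}')
        verdict=accepted                  # a CRL-checking verifier must now refuse the cert
        openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check newcert.pem 2>&1 | grep -q 'certificate revoked' && verdict=rejected
        echo "$state $serial $verdict"
    ) || rc=$?; rm -rf "$d"; return $rc
}
ca_demo   # prints: R 01 rejected
```

Without `-crl_check` (or an equivalent revocation check in the relying application), the revoked certificate still verifies, because revocation only takes effect where the CRL is actually consulted.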
  • Original article: https://www.cnblogs.com/274914765qq/p/5245032.html