{
    "mode": "man",
    "parameter": "openssl-ca",
    "section": "1",
    "url": "https://www.chedong.com/phpMan.php/man/openssl-ca/1/json",
    "generated": "2026-06-15T14:23:48Z",
    "synopsis": "openssl ca [-help] [-verbose] [-config filename] [-name section] [-section section] [-gencrl]\n[-revoke file] [-valid file] [-status serial] [-updatedb] [-crlreason reason] [-crlhold\ninstruction] [-crlcompromise time] [-crlCAcompromise time] [-crllastupdate date]\n[-crlnextupdate date] [-crldays days] [-crlhours hours] [-crlsec seconds] [-crlexts section]\n[-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile filename|uri]\n[-keyform DER|PEM|P12|ENGINE] [-key arg] [-passin arg] [-cert file] [-certform DER|PEM|P12]\n[-selfsign] [-in file] [-inform DER|<PEM>] [-out file] [-notext] [-dateopt] [-outdir dir]\n[-infiles] [-spkac file] [-sscert file] [-preserveDN] [-noemailDN] [-batch] [-msiehack]\n[-extensions section] [-extfile section] [-subj arg] [-utf8] [-sigopt nm:v] [-vfyopt nm:v]\n[-createserial] [-randserial] [-multivalue-rdn] [-rand files] [-writerand file] [-engine\nid] [-provider name] [-provider-path path] [-propquery propq] [certreq...]",
    "sections": {
        "NAME": {
            "content": "openssl-ca - sample minimal CA application\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "openssl ca [-help] [-verbose] [-config filename] [-name section] [-section section] [-gencrl]\n[-revoke file] [-valid file] [-status serial] [-updatedb] [-crlreason reason] [-crlhold\ninstruction] [-crlcompromise time] [-crlCAcompromise time] [-crllastupdate date]\n[-crlnextupdate date] [-crldays days] [-crlhours hours] [-crlsec seconds] [-crlexts section]\n[-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile filename|uri]\n[-keyform DER|PEM|P12|ENGINE] [-key arg] [-passin arg] [-cert file] [-certform DER|PEM|P12]\n[-selfsign] [-in file] [-inform DER|<PEM>] [-out file] [-notext] [-dateopt] [-outdir dir]\n[-infiles] [-spkac file] [-sscert file] [-preserveDN] [-noemailDN] [-batch] [-msiehack]\n[-extensions section] [-extfile section] [-subj arg] [-utf8] [-sigopt nm:v] [-vfyopt nm:v]\n[-createserial] [-randserial] [-multivalue-rdn] [-rand files] [-writerand file] [-engine\nid] [-provider name] [-provider-path path] [-propquery propq] [certreq...]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "This command emulates a CA application.  See the WARNINGS especially when considering using\nit in production.  It can be used to sign certificate requests (CSRs) in a variety of forms\nand generate certificate revocation lists (CRLs).  It also maintains a text database of\nissued certificates and their status.  When signing certificates, a single request can be\nspecified with the -in option, or multiple requests can be processed by specifying a set of\ncertreq files after all options.\n\nNote that there are also very lean ways of generating certificates: the req and x509 commands\ncan be used for directly creating certificates.  See openssl-req(1) and openssl-x509(1) for\ndetails.\n\nThe descriptions of the ca command options are grouped by purpose.\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-help",
                    "content": "Print out a usage message.\n"
                },
                {
                    "name": "-verbose",
                    "content": "This prints extra details about the operations being performed.\n"
                },
                {
                    "name": "-config",
                    "content": "Specifies the configuration file to use.  Optional; for a description of the default\nvalue, see \"COMMAND SUMMARY\" in openssl(1).\n"
                },
                {
                    "name": "-name -section",
                    "content": "Specifies the configuration file section to use (overrides defaultca in the ca section).\n"
                },
                {
                    "name": "-in",
                    "content": "An input filename containing a single certificate request (CSR) to be signed by the CA.\n"
                },
                {
                    "name": "-inform",
                    "content": "The format of the data in certificate request input files; unspecified by default.  See\nopenssl-format-options(1) for details.\n"
                },
                {
                    "name": "-sscert",
                    "content": "A single self-signed certificate to be signed by the CA.\n"
                },
                {
                    "name": "-spkac",
                    "content": "A file containing a single Netscape signed public key and challenge and additional field\nvalues to be signed by the CA. See the SPKAC FORMAT section for information on the\nrequired input and output format.\n"
                },
                {
                    "name": "-infiles",
                    "content": "If present this should be the last option, all subsequent arguments are taken as the\nnames of files containing certificate requests.\n"
                },
                {
                    "name": "-out",
                    "content": "The output file to output certificates to. The default is standard output. The\ncertificate details will also be printed out to this file in PEM format (except that\n-spkac outputs DER format).\n"
                },
                {
                    "name": "-outdir",
                    "content": "The directory to output certificates to. The certificate will be written to a filename\nconsisting of the serial number in hex with .pem appended.\n"
                },
                {
                    "name": "-cert",
                    "content": "The CA certificate, which must match with -keyfile.\n"
                },
                {
                    "name": "-certform",
                    "content": "The format of the data in certificate input files; unspecified by default.  See\nopenssl-format-options(1) for details.\n"
                },
                {
                    "name": "-keyfile",
                    "content": "The CA private key to sign certificate requests with.  This must match with -cert.\n"
                },
                {
                    "name": "-keyform",
                    "content": "The format of the private key input file; unspecified by default.  See\nopenssl-format-options(1) for details.\n"
                },
                {
                    "name": "-sigopt",
                    "content": "Pass options to the signature algorithm during sign operations.  Names and values of\nthese options are algorithm-specific.\n"
                },
                {
                    "name": "-vfyopt",
                    "content": "Pass options to the signature algorithm during verify operations.  Names and values of\nthese options are algorithm-specific.\n\nThis often needs to be given while signing too, because the self-signature of a\ncertificate signing request (CSR) is verified against the included public key, and that\nverification may need its own set of options.\n"
                },
                {
                    "name": "-key",
                    "content": "The password used to encrypt the private key. Since on some systems the command line\narguments are visible (e.g., when using ps(1) on Unix), this option should be used with\ncaution.  Use -passin instead.\n"
                },
                {
                    "name": "-passin",
                    "content": "The key password source for key files and certificate PKCS#12 files.  For more\ninformation about the format of arg see openssl-passphrase-options(1).\n"
                },
                {
                    "name": "-selfsign",
                    "content": "Indicates the issued certificates are to be signed with the key the certificate requests\nwere signed with (given with -keyfile).  Certificate requests signed with a different key\nare ignored.  If -spkac, -sscert or -gencrl are given, -selfsign is ignored.\n\nA consequence of using -selfsign is that the self-signed certificate appears among the\nentries in the certificate database (see the configuration option database), and uses the\nsame serial number counter as all other certificates signed with the self-signed\ncertificate.\n"
                },
                {
                    "name": "-notext",
                    "content": "Don't output the text form of a certificate to the output file.\n"
                },
                {
                    "name": "-dateopt",
                    "content": "Specify the date output format. Values are: rfc822 and iso8601.  Defaults to rfc822.\n"
                },
                {
                    "name": "-startdate",
                    "content": "This allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ\n(the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1\nGeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.\n"
                },
                {
                    "name": "-enddate",
                    "content": "This allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ\n(the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1\nGeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.\n"
                },
                {
                    "name": "-days",
                    "content": "The number of days to certify the certificate for.\n"
                },
                {
                    "name": "-md",
                    "content": "The message digest to use.  Any digest supported by the openssl-dgst(1) command can be\nused. For signing algorithms that do not support a digest (i.e. Ed25519 and Ed448) any\nmessage digest that is set is ignored. This option also applies to CRLs.\n"
                },
                {
                    "name": "-policy",
                    "content": "This option defines the CA \"policy\" to use. This is a section in the configuration file\nwhich decides which fields should be mandatory or match the CA certificate. Check out the\nPOLICY FORMAT section for more information.\n"
                },
                {
                    "name": "-msiehack",
                    "content": "This is a deprecated option to make this command work with very old versions of the IE\ncertificate enrollment control \"certenr3\". It used UniversalStrings for almost\neverything. Since the old control has various security bugs its use is strongly\ndiscouraged.\n"
                },
                {
                    "name": "-preserveDN",
                    "content": "Normally the DN order of a certificate is the same as the order of the fields in the\nrelevant policy section. When this option is set the order is the same as the request.\nThis is largely for compatibility with the older IE enrollment control which would only\naccept certificates if their DNs match the order of the request. This is not needed for\nXenroll.\n"
                },
                {
                    "name": "-noemailDN",
                    "content": "The DN of a certificate can contain the EMAIL field if present in the request DN,\nhowever, it is good policy just having the e-mail set into the altName extension of the\ncertificate. When this option is set the EMAIL field is removed from the certificate's\nsubject and set only in the extensions, if present. The emailindn keyword can\nbe used in the configuration file to enable this behaviour.\n"
                },
                {
                    "name": "-batch",
                    "content": "This sets the batch mode. In this mode no questions will be asked and all certificates\nwill be certified automatically.\n"
                },
                {
                    "name": "-extensions",
                    "content": "The section of the configuration file containing certificate extensions to be added when\na certificate is issued (defaults to x509extensions unless the -extfile option is used).\nIf no X.509 extensions are specified then a V1 certificate is created, else a V3\ncertificate is created.  See the x509v3config(5) manual page for details of the\nextension section format.\n"
                },
                {
                    "name": "-extfile",
                    "content": "An additional configuration file to read certificate extensions from (using the default\nsection unless the -extensions option is also used).\n"
                },
                {
                    "name": "-subj",
                    "content": "Supersedes subject name given in the request.\n\nThe arg must be formatted as \"/type0=value0/type1=value1/type2=...\".  Special characters\nmay be escaped by \"\\\" (backslash), whitespace is retained.  Empty values are permitted,\nbut the corresponding type will not be included in the resulting certificate.  Giving a\nsingle \"/\" will lead to an empty sequence of RDNs (a NULL-DN).  Multi-valued RDNs can be\nformed by placing a \"+\" character instead of a \"/\" between the AttributeValueAssertions\n(AVAs) that specify the members of the set.  Example:\n\n\"/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\"\n"
                },
                {
                    "name": "-utf8",
                    "content": "This option causes field values to be interpreted as UTF8 strings, by default they are\ninterpreted as ASCII. This means that the field values, whether prompted from a terminal\nor obtained from a configuration file, must be valid UTF8 strings.\n"
                },
                {
                    "name": "-createserial",
                    "content": "If reading serial from the text file as specified in the configuration fails, specifying\nthis option creates a new random serial to be used as next serial number.  To get random\nserial numbers, use the -randserial flag instead; this should only be used for simple\nerror-recovery.\n"
                },
                {
                    "name": "-randserial",
                    "content": "Generate a large random number to use as the serial number.  This overrides any option or\nconfiguration to use a serial number file.\n"
                },
                {
                    "name": "-multivalue-rdn",
                    "content": "This option has been deprecated and has no effect.\n"
                },
                {
                    "name": "-rand -writerand",
                    "content": "See \"Random State Options\" in openssl(1) for details.\n"
                },
                {
                    "name": "-engine",
                    "content": "See \"Engine Options\" in openssl(1).  This option is deprecated.\n"
                },
                {
                    "name": "-provider",
                    "content": ""
                },
                {
                    "name": "-provider-path",
                    "content": ""
                },
                {
                    "name": "-propquery",
                    "content": "See \"Provider Options\" in openssl(1), provider(7), and property(7).\n"
                }
            ]
        },
        "CRL OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-gencrl",
                    "content": "This option generates a CRL based on information in the index file.\n"
                },
                {
                    "name": "-crllastupdate",
                    "content": "Allows the value of the CRL's lastUpdate field to be explicitly set; if this option is\nnot present, the current time is used. Accepts times in YYMMDDHHMMSSZ format (the same as\nan ASN1 UTCTime structure) or YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime\nstructure).\n"
                },
                {
                    "name": "-crlnextupdate",
                    "content": "Allows the value of the CRL's nextUpdate field to be explicitly set; if this option is\npresent, any values given for -crldays, -crlhours and -crlsec are ignored. Accepts times\nin the same formats as -crllastupdate.\n"
                },
                {
                    "name": "-crldays",
                    "content": "The number of days before the next CRL is due. That is the days from now to place in the\nCRL nextUpdate field.\n"
                },
                {
                    "name": "-crlhours",
                    "content": "The number of hours before the next CRL is due.\n"
                },
                {
                    "name": "-crlsec",
                    "content": "The number of seconds before the next CRL is due.\n"
                },
                {
                    "name": "-revoke",
                    "content": "A filename containing a certificate to revoke.\n"
                },
                {
                    "name": "-valid",
                    "content": "A filename containing a certificate for which a Valid certificate entry is to be added.\n"
                },
                {
                    "name": "-status",
                    "content": "Displays the revocation status of the certificate with the specified serial number and\nexits.\n"
                },
                {
                    "name": "-updatedb",
                    "content": "Updates the database index to purge expired certificates.\n"
                },
                {
                    "name": "-crlreason",
                    "content": "Revocation reason, where reason is one of: unspecified, keyCompromise, CACompromise,\naffiliationChanged, superseded, cessationOfOperation, certificateHold or removeFromCRL.\nThe matching of reason is case insensitive. Setting any revocation reason will make the\nCRL v2.\n\nIn practice removeFromCRL is not particularly useful because it is only used in delta\nCRLs which are not currently implemented.\n"
                },
                {
                    "name": "-crlhold",
                    "content": "This sets the CRL revocation reason code to certificateHold and the hold instruction to\ninstruction which must be an OID. Although any OID can be used only holdInstructionNone\n(the use of which is discouraged by RFC2459) holdInstructionCallIssuer or\nholdInstructionReject will normally be used.\n"
                },
                {
                    "name": "-crlcompromise",
                    "content": "This sets the revocation reason to keyCompromise and the compromise time to time. time\nshould be in GeneralizedTime format that is YYYYMMDDHHMMSSZ.\n"
                },
                {
                    "name": "-crlCAcompromise",
                    "content": "This is the same as crlcompromise except the revocation reason is set to CACompromise.\n"
                },
                {
                    "name": "-crlexts",
                    "content": "The section of the configuration file containing CRL extensions to include. If no CRL\nextension section is present then a V1 CRL is created, if the CRL extension section is\npresent (even if it is empty) then a V2 CRL is created. The CRL extensions specified are\nCRL extensions and not CRL entry extensions.  It should be noted that some software (for\nexample Netscape) can't handle V2 CRLs. See x509v3config(5) manual page for details of\nthe extension section format.\n"
                }
            ]
        },
        "CONFIGURATION FILE OPTIONS": {
            "content": "The section of the configuration file containing options for this command is found as\nfollows: If the -name command line option is used, then it names the section to be used.\nOtherwise the section to be used must be named in the defaultca option of the ca section of\nthe configuration file (or in the default section of the configuration file). Besides\ndefaultca, the following options are read directly from the ca section:\n\nRANDFILE\npreserve\nmsiehack\n\nWith the exception of RANDFILE, this is probably a bug and may change in future\nreleases.\n\nMany of the configuration file options are identical to command line options. Where the\noption is present in the configuration file and the command line the command line value is\nused. Where an option is described as mandatory then it must be present in the configuration\nfile or the command line equivalent (if any) used.\n\noidfile\nThis specifies a file containing additional OBJECT IDENTIFIERS.  Each line of the file\nshould consist of the numerical form of the object identifier followed by whitespace then\nthe short name followed by whitespace and finally the long name.\n\noidsection\nThis specifies a section in the configuration file containing extra object identifiers.\nEach line should consist of the short name of the object identifier followed by = and the\nnumerical form. The short and long names are the same when this option is used.\n\nnewcertsdir\nThe same as the -outdir command line option. It specifies the directory where new\ncertificates will be placed. Mandatory.\n",
            "subsections": [
                {
                    "name": "certificate",
                    "content": "The same as -cert. It gives the file containing the CA certificate. Mandatory.\n\nprivatekey\nSame as the -keyfile option. The file containing the CA private key. Mandatory.\n\nRANDFILE\nAt startup the specified file is loaded into the random number generator, and at exit 256\nbytes will be written to it. (Note: Using a RANDFILE is not necessary anymore, see the\n\"HISTORY\" section.)\n\ndefaultdays\nThe same as the -days option. The number of days to certify a certificate for.\n\ndefaultstartdate\nThe same as the -startdate option. The start date to certify a certificate for. If not\nset the current time is used.\n\ndefaultenddate\nThe same as the -enddate option. Either this option or defaultdays (or the command line\nequivalents) must be present.\n\ndefaultcrlhours defaultcrldays\nThe same as the -crlhours and the -crldays options. These will only be used if neither\ncommand line option is present. At least one of these must be present to generate a CRL.\n\ndefaultmd\nThe same as the -md option. Mandatory except where the signing algorithm does not require\na digest (i.e. Ed25519 and Ed448).\n"
                },
                {
                    "name": "database",
                    "content": "The text database file to use. Mandatory. This file must be present though initially it\nwill be empty.\n\nuniquesubject\nIf the value yes is given, the valid certificate entries in the database must have unique\nsubjects.  If the value no is given, several valid certificate entries may have the exact\nsame subject.  The default value is yes, to be compatible with older (pre 0.9.8) versions\nof OpenSSL.  However, to make CA certificate roll-over easier, it's recommended to use\nthe value no, especially if combined with the -selfsign command line option.\n\nNote that it is valid in some circumstances for certificates to be created without any\nsubject. In the case where there are multiple certificates without subjects this does not\ncount as a duplicate.\n"
                },
                {
                    "name": "serial",
                    "content": "A text file containing the next serial number to use in hex. Mandatory.  This file must\nbe present and contain a valid serial number.\n"
                },
                {
                    "name": "crlnumber",
                    "content": "A text file containing the next CRL number to use in hex. The crl number will be inserted\nin the CRLs only if this file exists. If this file is present, it must contain a valid\nCRL number.\n\nx509extensions\nA fallback to the -extensions option.\n\ncrlextensions\nA fallback to the -crlexts option.\n"
                },
                {
                    "name": "preserve",
                    "content": "The same as -preserveDN\n\nemailindn\nThe same as -noemailDN. If you want the EMAIL field to be removed from the DN of the\ncertificate simply set this to 'no'. If not present the default is to allow for the EMAIL\nfield in the certificate's DN.\n\nmsiehack\nThe same as -msiehack\n"
                },
                {
                    "name": "policy",
                    "content": "The same as -policy. Mandatory. See the POLICY FORMAT section for more information.\n\nnameopt, certopt\nThese options allow the format used to display the certificate details when asking the\nuser to confirm signing. All the options supported by the x509 utilities -nameopt and\n-certopt switches can be used here, except the nosigname and nosigdump are permanently\nset and cannot be disabled (this is because the certificate signature cannot be displayed\nbecause the certificate has not been signed at this point).\n\nFor convenience the values cadefault are accepted by both to produce a reasonable\noutput.\n\nIf neither option is present the format used in earlier versions of OpenSSL is used. Use\nof the old format is strongly discouraged because it only displays fields mentioned in\nthe policy section, mishandles multicharacter string types and does not display\nextensions.\n\ncopyextensions\nDetermines how extensions in certificate requests should be handled.  If set to none or\nthis option is not present then extensions are ignored and not copied to the certificate.\nIf set to copy then any extensions present in the request that are not already present\nare copied to the certificate. If set to copyall then all extensions in the request are\ncopied to the certificate: if the extension is already present in the certificate it is\ndeleted first. See the WARNINGS section before using this option.\n\nThe main use of this option is to allow a certificate request to supply values for\ncertain extensions such as subjectAltName.\n"
                }
            ]
        },
        "POLICY FORMAT": {
            "content": "The policy section consists of a set of variables corresponding to certificate DN fields. If\nthe value is \"match\" then the field value must match the same field in the CA certificate. If\nthe value is \"supplied\" then it must be present. If the value is \"optional\" then it may be\npresent. Any fields not mentioned in the policy section are silently deleted, unless the",
            "subsections": [
                {
                    "name": "-preserveDN",
                    "content": ""
                }
            ]
        },
        "SPKAC FORMAT": {
            "content": "The input to the -spkac command line option is a Netscape signed public key and challenge.\nThis will usually come from the KEYGEN tag in an HTML form to create a new private key.  It\nis however possible to create SPKACs using openssl-spkac(1).\n\nThe file should contain the variable SPKAC set to the value of the SPKAC and also the\nrequired DN components as name value pairs.  If you need to include the same component twice\nthen it can be preceded by a number and a '.'.\n\nWhen processing SPKAC format, the output is DER if the -out flag is used, but PEM format if\nsending to stdout or the -outdir flag is used.\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "Note: these examples assume that the directory structure this command assumes is already set\nup and the relevant files already exist. This usually involves creating a CA certificate and\nprivate key with openssl-req(1), a serial number file and an empty index file and placing\nthem in the relevant directories.\n\nTo use the sample configuration file below the directories demoCA, demoCA/private and\ndemoCA/newcerts would be created. The CA certificate would be copied to demoCA/cacert.pem and\nits private key to demoCA/private/cakey.pem. A file demoCA/serial would be created containing\nfor example \"01\" and the empty index file demoCA/index.txt.\n\nSign a certificate request:\n\nopenssl ca -in req.pem -out newcert.pem\n\nSign an SM2 certificate request:\n\nopenssl ca -in sm2.csr -out sm2.crt -md sm3 \\\n-sigopt \"distid:1234567812345678\" \\\n-vfyopt \"distid:1234567812345678\"\n\nSign a certificate request, using CA extensions:\n\nopenssl ca -in req.pem -extensions v3ca -out newcert.pem\n\nGenerate a CRL:\n\nopenssl ca -gencrl -out crl.pem\n\nSign several requests:\n\nopenssl ca -infiles req1.pem req2.pem req3.pem\n\nCertify a Netscape SPKAC:\n\nopenssl ca -spkac spkac.txt\n\nA sample SPKAC file (the SPKAC line has been truncated for clarity):\n\nSPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5\nCN=Steve Test\nemailAddress=steve@openssl.org\n0.OU=OpenSSL Group\n1.OU=Another Group\n\nA sample configuration file with the relevant sections for this command:\n\n[ ca ]\ndefaultca      = CAdefault            # The default ca section\n\n[ CAdefault ]\n\ndir            = ./demoCA              # top dir\ndatabase       = $dir/index.txt        # index file.\nnewcertsdir  = $dir/newcerts         # new certs dir\n\ncertificate    = $dir/cacert.pem       # The CA cert\nserial         = $dir/serial           # serial no file\n#randserial    = yes                  # for random serial#'s\nprivatekey    = $dir/private/cakey.pem# CA private key\n\ndefaultdays   = 365                   # how long to certify for\ndefaultcrldays= 30                   # how long before next CRL\ndefaultmd     = md5                   # md to use\n\npolicy         = policyany            # default policy\nemailindn    = no                    # Don't add the email into cert DN\n\nnameopt       = cadefault            # Subject name display option\ncertopt       = cadefault            # Certificate display option\ncopyextensions = none                 # Don't copy extensions from request\n\n[ policyany ]\ncountryName            = supplied\nstateOrProvinceName    = optional\norganizationName       = optional\norganizationalUnitName = optional\ncommonName             = supplied\nemailAddress           = optional\n",
            "subsections": []
        },
        "FILES": {
            "content": "Note: the location of all files can change either by compile time options, configuration file\nentries, environment variables or command line options.  The values below reflect the default\nvalues.\n\n/usr/local/ssl/lib/openssl.cnf - master configuration file\n./demoCA                       - main CA directory\n./demoCA/cacert.pem            - CA certificate\n./demoCA/private/cakey.pem     - CA private key\n./demoCA/serial                - CA serial number file\n./demoCA/serial.old            - CA serial number backup file\n./demoCA/index.txt             - CA text database file\n./demoCA/index.txt.old         - CA text database backup file\n./demoCA/certs                 - certificate output file\n",
            "subsections": []
        },
        "RESTRICTIONS": {
            "content": "The text database index file is a critical part of the process and if corrupted it can be\ndifficult to fix. It is theoretically possible to rebuild the index file from all the issued\ncertificates and a current CRL: however there is no option to do this.\n\nV2 CRL features like delta CRLs are not currently supported.\n\nAlthough several requests can be input and handled at once it is only possible to include one\nSPKAC or self-signed certificate.\n",
            "subsections": []
        },
        "BUGS": {
            "content": "This command is quirky and at times downright unfriendly.\n\nThe use of an in-memory text database can cause problems when large numbers of certificates\nare present because, as the name implies, the database has to be kept in memory.\n\nThis command really needs rewriting or the required functionality exposed at either a command\nor interface level so that a more user-friendly replacement could handle things properly. The\nscript CA.pl helps a little but not very much.\n\nAny fields in a request that are not present in a policy are silently deleted. This does not\nhappen if the -preserveDN option is used. To enforce the absence of the EMAIL field within\nthe DN, as suggested by RFCs, regardless of the contents of the request's subject, the -noemailDN\noption can be used. The behaviour should be more friendly and configurable.\n\nCanceling some commands by refusing to certify a certificate can create an empty file.\n",
            "subsections": []
        },
        "WARNINGS": {
            "content": "This command was originally meant as an example of how to do things in a CA.  Its code does\nnot have production quality.  It was not supposed to be used as a full blown CA itself,\nnevertheless some people are using it for this purpose at least internally.  When doing so,\nspecific care should be taken to properly secure the private key(s) used for signing\ncertificates.  It is advisable to keep them in a secure HW storage such as a smart card or\nHSM and access them via a suitable engine or crypto provider.\n\nThis command is effectively a single user command: no locking is done on the various\nfiles and attempts to run more than one openssl ca command on the same database can have\nunpredictable results.\n\nThe copy_extensions option should be used with caution. If care is not taken then it can be a\nsecurity risk. For example if a certificate request contains a basicConstraints extension\nwith CA:TRUE and the copy_extensions value is set to copyall and the user does not spot this\nwhen the certificate is displayed then this will hand the requester a valid CA certificate.\nThis situation can be avoided by setting copy_extensions to copy and including\nbasicConstraints with CA:FALSE in the configuration file.  Then if the request contains a\nbasicConstraints extension it will be ignored.\n\nIt is advisable to also include values for other extensions such as keyUsage to prevent a\nrequest supplying its own values.\n\nAdditional restrictions can be placed on the CA certificate itself.  For example if the CA\ncertificate has:\n\nbasicConstraints = CA:TRUE, pathlen:0\n\nthen even if a certificate is issued with CA:TRUE it will not be valid.\n",
            "subsections": []
        },
        "HISTORY": {
            "content": "Since OpenSSL 1.1.1, the program follows RFC5280. Specifically, certificate validity period\n(specified by any of -startdate, -enddate and -days) and CRL last/next update time (specified\nby any of -crllastupdate, -crlnextupdate, -crldays, -crlhours and -crlsec) will be encoded\nas UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the\ndates are in year 2050 or later.\n\nOpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved seeding mechanism.\nThe new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring\nrandomness. This option is retained mainly for compatibility reasons.\n\nThe -section option was added in OpenSSL 3.0.0.\n\nThe -multivalue-rdn option has become obsolete in OpenSSL 3.0.0 and has no effect.\n\nThe -engine option was deprecated in OpenSSL 3.0.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "openssl(1), openssl-req(1), openssl-spkac(1), openssl-x509(1), CA.pl(1), config(5),\nx509v3config(5)\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-06-02                             OPENSSL-CA(1SSL)",
            "subsections": []
        }
    },
    "summary": "openssl-ca - sample minimal CA application",
    "flags": [
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Print out a usage message."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This prints extra details about the operations being performed."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specifies the configuration file to use. Optional; for a description of the default value, see \"COMMAND SUMMARY\" in openssl(1)."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specifies the configuration file section to use (overrides default_ca in the ca section)."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "An input filename containing a single certificate request (CSR) to be signed by the CA."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The format of the data in certificate request input files; unspecified by default. See openssl-format-options(1) for details."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "A single self-signed certificate to be signed by the CA."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "A file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the SPKAC FORMAT section for information on the required input and output format."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "If present this should be the last option, all subsequent arguments are taken as the names of files containing certificate requests."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file in PEM format (except that -spkac outputs DER format)."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with .pem appended."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The CA certificate, which must match with -keyfile."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The format of the data in certificate input files; unspecified by default. See openssl-format-options(1) for details."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The CA private key to sign certificate requests with. This must match with -cert."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The format of the private key input file; unspecified by default. See openssl-format-options(1) for details."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Pass options to the signature algorithm during sign operations. Names and values of these options are algorithm-specific."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Pass options to the signature algorithm during verify operations. Names and values of these options are algorithm-specific. This often needs to be given while signing too, because the self-signature of a certificate signing request (CSR) is verified against the included public key, and that verification may need its own set of options."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g., when using ps(1) on Unix), this option should be used with caution. It is better to use -passin."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The key password source for key files and certificate PKCS#12 files. For more information about the format of arg see openssl-passphrase-options(1)."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with -keyfile). Certificate requests signed with a different key are ignored. If -spkac, -sscert or -gencrl are given, -selfsign is ignored. A consequence of using -selfsign is that the self-signed certificate appears among the entries in the certificate database (see the configuration option database), and uses the same serial number counter as all other certificates signed with the self-signed certificate."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Don't output the text form of a certificate to the output file."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specify the date output format. Values are: rfc822 and iso8601. Defaults to rfc822."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The number of days to certify the certificate for."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The message digest to use. Any digest supported by the openssl-dgst(1) command can be used. For signing algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message digest that is set is ignored. This option also applies to CRLs."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This option defines the CA \"policy\" to use. This is a section in the configuration file which decides which fields should be mandatory or match the CA certificate. Check out the POLICY FORMAT section for more information."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This is a deprecated option to make this command work with very old versions of the IE certificate enrollment control \"certenr3\". It used UniversalStrings for almost everything. Since the old control has various security bugs its use is strongly discouraged."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The DN of a certificate can contain the EMAIL field if present in the request DN; however, it is good policy to have the e-mail set only in the altName extension of the certificate. When this option is set the EMAIL field is removed from the certificate's subject and set only in the extensions, if present. The email_in_dn keyword can be used in the configuration file to enable this behaviour."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to x509_extensions unless the -extfile option is used). If no X.509 extensions are specified then a V1 certificate is created, else a V3 certificate is created. See the x509v3config(5) manual page for details of the extension section format."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "An additional configuration file to read certificate extensions from (using the default section unless the -extensions option is also used)."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Supersedes subject name given in the request. The arg must be formatted as \"/type0=value0/type1=value1/type2=...\". Special characters may be escaped by \"\\\" (backslash), whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate. Giving a single \"/\" will lead to an empty sequence of RDNs (a NULL-DN). Multi-valued RDNs can be formed by placing a \"+\" character instead of a \"/\" between the AttributeValueAssertions (AVAs) that specify the members of the set. Example: \"/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\""
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "If reading serial from the text file as specified in the configuration fails, specifying this option creates a new random serial to be used as next serial number. To get random serial numbers, use the -randserial flag instead; this should only be used for simple error-recovery."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Generate a large random number to use as the serial number. This overrides any option or configuration to use a serial number file."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "This option has been deprecated and has no effect."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "See \"Random State Options\" in openssl(1) for details."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "See \"Engine Options\" in openssl(1). This option is deprecated."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": ""
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": ""
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "See \"Provider Options\" in openssl(1), provider(7), and property(7)."
        }
    ],
    "examples": [
        "Note: these examples assume that the directory structure this command assumes is already set",
        "up and the relevant files already exist. This usually involves creating a CA certificate and",
        "private key with openssl-req(1), a serial number file and an empty index file and placing",
        "them in the relevant directories.",
        "To use the sample configuration file below the directories demoCA, demoCA/private and",
        "demoCA/newcerts would be created. The CA certificate would be copied to demoCA/cacert.pem and",
        "its private key to demoCA/private/cakey.pem. A file demoCA/serial would be created containing",
        "for example \"01\" and the empty index file demoCA/index.txt.",
        "Sign a certificate request:",
        "openssl ca -in req.pem -out newcert.pem",
        "Sign an SM2 certificate request:",
        "openssl ca -in sm2.csr -out sm2.crt -md sm3 \\",
        "-sigopt \"distid:1234567812345678\" \\",
        "-vfyopt \"distid:1234567812345678\"",
        "Sign a certificate request, using CA extensions:",
        "openssl ca -in req.pem -extensions v3ca -out newcert.pem",
        "Generate a CRL:",
        "openssl ca -gencrl -out crl.pem",
        "Sign several requests:",
        "openssl ca -infiles req1.pem req2.pem req3.pem",
        "Certify a Netscape SPKAC:",
        "openssl ca -spkac spkac.txt",
        "A sample SPKAC file (the SPKAC line has been truncated for clarity):",
        "SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5",
        "CN=Steve Test",
        "emailAddress=steve@openssl.org",
        "0.OU=OpenSSL Group",
        "1.OU=Another Group",
        "A sample configuration file with the relevant sections for this command:",
        "[ ca ]",
        "default_ca      = CA_default            # The default ca section",
        "[ CA_default ]",
        "dir            = ./demoCA              # top dir",
        "database       = $dir/index.txt        # index file.",
        "new_certs_dir  = $dir/newcerts         # new certs dir",
        "certificate    = $dir/cacert.pem       # The CA cert",
        "serial         = $dir/serial           # serial no file",
        "#rand_serial    = yes                  # for random serial#'s",
        "private_key    = $dir/private/cakey.pem# CA private key",
        "default_days   = 365                   # how long to certify for",
        "default_crl_days= 30                   # how long before next CRL",
        "default_md     = md5                   # md to use",
        "policy         = policy_any            # default policy",
        "email_in_dn    = no                    # Don't add the email into cert DN",
        "name_opt       = ca_default            # Subject name display option",
        "cert_opt       = ca_default            # Certificate display option",
        "copy_extensions = none                 # Don't copy extensions from request",
        "[ policy_any ]",
        "countryName            = supplied",
        "stateOrProvinceName    = optional",
        "organizationName       = optional",
        "organizationalUnitName = optional",
        "commonName             = supplied",
        "emailAddress           = optional"
    ],
    "see_also": [
        {
            "name": "openssl",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl/1/json"
        },
        {
            "name": "openssl-req",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl-req/1/json"
        },
        {
            "name": "openssl-spkac",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl-spkac/1/json"
        },
        {
            "name": "openssl-x509",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl-x509/1/json"
        },
        {
            "name": "CA.pl",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/CA.pl/1/json"
        },
        {
            "name": "config",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/config/5/json"
        },
        {
            "name": "x509v3config",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/x509v3config/5/json"
        }
    ]
}