First, Introduction
The openssl ca command is a minimal certificate authority: it signs certificate requests (issuing certificates), revokes certificates it has issued, and generates CRLs. Its state lives in a text database (index.txt), a serial file and, for CRLs, a crlnumber file, all located through the [ca] section of openssl.cnf.
Second, Syntax
openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-subj arg] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-keyform arg] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-batch] [-msie_hack] [-extensions section] [-utf8] [-create_serial] [-multivalue-rdn] [-sigopt nm:v] [-noemailDN] [-crlsec seconds] [-extfile file] [-updatedb] [-engine id]
Options
-verbose                   talk a lot while doing things
-config file               a config file
-name arg                  the particular CA definition (section) to use
-gencrl                    generate a new CRL
-crldays days              days until the next CRL is due
-crlhours hours            hours until the next CRL is due
-startdate YYMMDDHHMMSSZ   certificate validity notBefore
-enddate YYMMDDHHMMSSZ     certificate validity notAfter (overrides -days)
-days arg                  number of days to certify the certificate for
-md arg                    message digest to use; see "openssl dgst -h" for the list
-policy arg                the CA 'policy' section to apply
-keyfile arg               private key file
-keyform arg               private key file format (PEM or ENGINE)
-key arg                   password used to decrypt the private key if it is encrypted (visible in the process list; -passin is the safer form)
-cert file                 the CA certificate
-selfsign                  sign a certificate with the key associated with it
-in file                   the input PEM encoded certificate request(s)
-out file                  where to put the output file(s)
-outdir dir                where to put output certificates
-infiles ...               the last argument; requests to process
-spkac file                file containing a DN and a signed public key and challenge
-ss_cert file              file containing a self-signed cert to sign
-preserveDN                don't re-order the DN
-noemailDN                 don't add the EMAIL field into the certificate's subject
-batch                     don't ask questions
-msie_hack                 MSIE modifications to handle all those universal strings
-revoke file               revoke a certificate (given in file)
-subj arg                  use arg instead of the request's subject
-utf8                      input characters are UTF8 (default ASCII)
-multivalue-rdn            enable support for multivalued RDNs
-extensions section        extension section (overrides the value in the config file)
-extfile file              configuration file with X509v3 extensions to add
-crlexts section           CRL extension section (overrides the value in the config file)
-engine e                  use engine e, possibly a hardware device
-status serial             show certificate status given the serial number
-updatedb                  update the database for expired certificates
Third, examples
1. Signing a certificate request (issuing a certificate)
openssl ca -in cert_req.pem -extensions v3_ca -out newcert.pem
Note that -extensions v3_ca selects the v3_ca section of openssl.cnf, which in the default configuration sets basicConstraints CA:TRUE, so this issues a subordinate CA certificate. For an ordinary end-entity certificate use the usr_cert section (or your own section with CA:FALSE).
Or, with most of the configured defaults overridden on the command line:
openssl ca -days 365 -md sha1 -policy policy_anything -cert demoCA/cacert.pem -in cert_req.pem -out cert1.pem -preserveDN -noemailDN -subj /CN=cn/O=js/OU=wx/CN=myname -extensions myexts
Here -subj replaces the subject taken from the request (attribute names are the case-sensitive short names CN, O, OU; names OpenSSL does not recognise are skipped), -preserveDN keeps that order instead of re-ordering the DN according to the policy section, and -noemailDN keeps any emailAddress out of the subject. Prefer -md sha256 today; SHA-1 signatures are rejected by current clients.
2. Revoking a certificate
openssl ca -revoke newcert.pem
This only changes the certificate's entry in index.txt from V to R; relying parties see nothing until a new CRL is generated (step 3) and published.
3. Generating a CRL
openssl ca -gencrl -out crl.crl -config /root/workspace/testssl/openssl/apps/openssl.cnf
-config selects which openssl.cnf (and therefore which CA directory and database) is used. The CRL is written in PEM form; its nextUpdate comes from -crldays/-crlhours or default_crl_days in the config, and a CRL past that date is rejected by clients.
Setting a revocation reason or a hold instruction
The reason options (-crl_reason, -crl_hold, -crl_compromise, -crl_CA_compromise) are arguments of -revoke, not of -gencrl: they are stored with the R entry in index.txt when the certificate is revoked, and -gencrl then emits them in the CRL as per-entry extensions (Reason Code, Invalidity Date, Hold Instruction Code). They are alternatives, and only the last one given takes effect, so use one at a time when revoking and generate the CRL afterwards:
openssl ca -revoke newcert.pem -crl_compromise 20010101030303Z
(reason keyCompromise, with the compromise time given as GeneralizedTime YYYYMMDDHHMMSSZ; -crl_CA_compromise time does the same with reason CACompromise), or
openssl ca -revoke newcert.pem -crl_hold holdInstructionReject
(reason certificateHold with a hold instruction), or simply
openssl ca -revoke newcert.pem -crl_reason keyCompromise
followed by
openssl ca -gencrl -out crl2.crl
Reference: http://blog.csdn.net/as3luyuan123/article/details/13346613
Openssl CA Command