Diffstat (limited to 'doc/apps/ca.pod')
-rw-r--r-- | doc/apps/ca.pod | 50 |
1 files changed, 36 insertions, 14 deletions
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 5db7d9441c..9ff0cc3612 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -17,7 +17,6 @@ B<openssl> B<ca> [B<-crl_hold instruction>] [B<-crl_compromise time>] [B<-crl_CA_compromise time>] -[B<-subj arg>] [B<-crldays days>] [B<-crlhours hours>] [B<-crlexts section>] @@ -45,6 +44,9 @@ B<openssl> B<ca> [B<-extensions section>] [B<-extfile section>] [B<-engine id>] +[B<-subj arg>] +[B<-utf8>] +[B<-multivalue-rdn>] =head1 DESCRIPTION @@ -203,7 +205,9 @@ the section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to B<x509_extensions> unless the B<-extfile> option is used). If no extension section is present then, a V1 certificate is created. If the extension section -is present (even if it is empty), then a V3 certificate is created. +is present (even if it is empty), then a V3 certificate is created. See the:w +L<x509v3_config(5)|x509v3_config(5)> manual page for details of the +extension section format. =item B<-extfile file> 
@@ -213,11 +217,33 @@ used). =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by its unique B<id> string) will cause B<ca> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +=item B<-subj arg> + +supersedes subject name given in the request. +The arg must be formatted as I</type0=value0/type1=value1/type2=...>, +characters may be escaped by \ (backslash), no spaces are skipped. + +=item B<-utf8> + +this option causes field values to be interpreted as UTF8 strings, by +default they are interpreted as ASCII. This means that the field +values, whether prompted from a terminal or obtained from a +configuration file, must be valid UTF8 strings. + +=item B<-multivalue-rdn> + +this option causes the -subj argument to be interpretedt with full +support for multivalued RDNs. Example: + +I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe> + +If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>. + =back =head1 CRL OPTIONS @@ -268,12 +294,6 @@ B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>. This is the same as B<crl_compromise> except the revocation reason is set to B<CACompromise>. -=item B<-subj arg> - -supersedes subject name given in the request. -The arg must be formatted as I</type0=value0/type1=value1/type2=...>, -characters may be escaped by \ (backslash), no spaces are skipped. - =item B<-crlexts section> the section of the configuration file containing CRL extensions to 
@@ -281,7 +301,9 @@ include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and B<not> CRL entry extensions. It should be noted -that some software (for example Netscape) can't handle V2 CRLs. +that some software (for example Netscape) can't handle V2 CRLs. See +L<x509v3_config(5)|x509v3_config(5)> manual page for details of the +extension section format. =back @@ -422,7 +444,7 @@ the same as B<-msie_hack> the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section for more information. -=item B<nameopt>, B<certopt> +=item B<name_opt>, B<cert_opt> these options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by @@ -544,8 +566,8 @@ A sample configuration file with the relevant sections for B<ca>: policy = policy_any # default policy email_in_dn = no # Don't add the email into cert DN - nameopt = ca_default # Subject name display option - certopt = ca_default # Certificate display option + name_opt = ca_default # Subject name display option + cert_opt = ca_default # Certificate display option copy_extensions = none # Don't copy extensions from request [ policy_any ] @@ -648,6 +670,6 @@ then even if a certificate is issued with CA:TRUE it will not be valid. =head1 SEE ALSO L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>, -L<config(5)|config(5)> +L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)> =cut |
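Review bot: In the hunk at @@ -203,7 +205,9 @@, the added line ends with "See the:w", which looks like an editor write command typed into the text by accident. It will show up literally in the rendered manual page. The line should end with "See the" so the sentence runs on into L<x509v3_config(5)|x509v3_config(5)> on the next line.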
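Review bot: In the hunk at @@ -213,11 +217,33 @@, the last sentence of the new B<-multivalue-rdn> item calls the option "-multi-rdn" ("If -multi-rdn is not used then the UID value is ..."), which does not match the name in the =item line or in the synopsis. A reader who copies the name from that sentence gets the wrong flag, so it should read B<-multivalue-rdn>. In the same item, "interpretedt" should be "interpreted", and the bare "-subj" could be written B<-subj> to match how options are marked up elsewhere in the file.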
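Review bot: In the hunk at @@ -281,7 +301,9 @@, the added sentence "See L<x509v3_config(5)|x509v3_config(5)> manual page for details of the extension section format." is missing its article. The parallel sentence added under B<-extensions> uses "See the ... manual page", so the same wording should be used here for consistency.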