OPENSSL-CA(1ssl) OpenSSL OPENSSL-CA(1ssl) openssl-ca - (CA) openssl ca [-help] [-verbose] [-quiet] [-config _] [-name ] [-section ] [-gencrl] [-revoke ] [-valid ] [-status _] [-updatedb] [-crl_reason ] [-crl_hold ] [-crl_compromise ] [-crl_CA_compromise ] [-crl_lastupdate ] [-crl_nextupdate ] [-crldays ] [-crlhours ] [-crlsec ] [-crlexts ] [-startdate ] [-not_before ] [-enddate ] [-not_after ] [-days ] [-md ] [-policy ] [-keyfile _|uri] [-keyform DER|PEM|P12|ENGINE] [-key ] [-passin ] [-cert ] [-certform DER|PEM|P12] [-selfsign] [-in ] [-inform DER|] [-out ] [-notext] [-dateopt] [-outdir ] [-infiles] [-spkac ] [-ss_cert ] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions ] [-extfile ] [-subj ] [-utf8] [-sigopt :] [-vfyopt :] [-create_serial] [-rand_serial] [-multivalue-rdn] [-rand ] [-writerand ] [-engine ] [-provider ] [-provider-path ] [-provparam [:]=] [-propquery ] [_...] (CA). . 3 X.509. x509v3_config(5). (CSRs) (CRLs). . -in certreq . : req x509 . openssl-req(1) openssl-x509(1) . ca . -help . -verbose . -quiet . -config _ . " " openssl(1). -name -section ( default_ca ca). -in _ (CSR) (CA). -inform DER|PEM (CSR) PEM . openssl-format-options(1) . -ss_cert _ CA. -spkac _ Netscape CA. SPKAC . -infiles . -out _ . . PEM ( -spkac DER). -outdir . .pem. -cert _ (CA) -keyfile. -certform DER|PEM|P12 . openssl-format-options(1) . -keyfile _|uri CA . -cert. -keyform DER|PEM|P12|ENGINE . openssl-format-options(1) . -sigopt : . " " provider-signature(7). -vfyopt : . . (CSR) . -key _ . ( ps(1) ) . -passin. -passin PKCS#12. arg openssl-passphrase-options(1). -selfsign ( -keyfile). . -spkac -ss_cert -gencrl -selfsign. -selfsign ( database) . -notext . -dateopt . : rfc_822 iso_8601. rfc_822. -startdate -not_before . YYMMDDHHMMSSZ ( ASN1 UTCTime) YYYYMMDDHHMMSSZ ( ASN1 GeneralizedTime). SS Z . "today". -enddate -not_after . YYMMDDHHMMSSZ ( ASN1 UTCTime) YYYYMMDDHHMMSSZ ( ASN1 GeneralizedTime). SS Z . "today". -days. -days . -not_before . -not_after/-startdate . -md alg . openssl-dgst(1). ( Ed25519 Ed448) . (CRLs). -policy "" (CA) . . . -msie_hack IE "certenr3". UniversalStrings . . -preserveDN (DN) . . IE . Xenroll. -noemailDN (DN) (EMAIL) altName . EMAIL . email_in_dn . -batch . . -extensions ( x509_extensions -extfile). x509v3_config(5) . -extfile ( -extensions ). -subj . "/type0=value0/type1=value1/type2=...". "\" ( ) . . "/" (NULL-DN). "+" "/" (AVAs) . : "/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe" -utf8 UTF8 ASCII. UTF8 . -create_serial . -rand_serial . -rand_serial . . -multivalue-rdn . -rand files -writerand file " " openssl(1) . -engine id " " openssl(1). . -provider name -provider-path path -provparam [name:]key=value -propquery propq " " openssl(1) provider(7) property(7). (CRL) -gencrl . -crl_lastupdate lastUpdate . YYMMDDHHMMSSZ ( ASN1 UTCTime) YYYYMMDDHHMMSSZ ( ASN1 GeneralizedTime). -crl_nextupdate nextUpdate -crldays -crlhours -crlsec. -crl_lastupdate. -crldays num . nextUpdate . -crlhours num . -crlsec num . -revoke _ . -valid _ . -status _ . -updatedb . -crl_reason : unspecified ( ) keyCompromise ( ) CACompromise ( ) affiliationChanged ( ) superseded () cessationOfOperation ( ) certificateHold ( ) removeFromCRL ( ). . (v2). removeFromCRL (delta CRLs) . -crl_hold certificateHold (OID). holdInstructionNone ( RFC 5280) holdInstructionCallIssuer holdInstructionReject . -crl_compromise keyCompromise . GeneralizedTime YYYYMMDDHHMMSSZ. -crl_CA_compromise crl_compromise CACompromise. -crlexts CRL . CRL CRL V1 ( ) CRL V2. CRL CRL CRL. ( Netscape) CRL V2. x509v3_config(5) . : -name . default_ca ca ( ). default_ca ca: RANDFILE preserve msie_hack RANDFILE . . . ( ). oid_file . . oid_section . = . . new_certs_dir -outdir. . . certificate -cert. (CA). . private_key -keyfile. (CA). . RANDFILE 256 . (: RANDFILE "HISTORY". default_days -days. . default_startdate -startdate. . . default_enddate -enddate. default_days ( ). default_crl_hours default_crl_days -crlhours -crldays. . CRL. default_md -md. ( Ed25519 Ed448). database . . . unique_subject yes . no . yes OpenSSL ( 0.9.8). no -selfsign. . . serial . . . crlnumber CRL . CRL CRL . CRL . x509_extensions -extensions. crl_extensions -crlexts. preserve -preserveDN email_in_dn -noemailDN. (EMAIL) (DN) 'no'. . msie_hack -msie_hack policy -policy. . POLICY FORMAT . name_opt, cert_opt . x509 -nameopt -certopt no_signame no_sigdump ( ). ca_default . OpenSSL . policy . copy_extensions . none . copy . copyall : . WARNINGS . subjectAltName. (DN) . "match" (CA). "supplied" . "optional" . -preserveDN . SPKAC -spkac Netscape. KEYGEN HTML . SPKACs openssl-spkac(1). SPKAC SPKAC (DN) . '.'. SPKAC DER -out PEM (stdout) -outdir. : . CA openssl-req(1) . demoCA demoCA/private demoCA/newcerts. demoCA/cacert.pem demoCA/private/cakey.pem. demoCA/serial "01" demoCA/index.txt. : openssl ca -in req.pem -out newcert.pem SM2: openssl ca -in sm2.csr -out sm2.crt -md sm3 \ -sigopt "distid:1234567812345678" \ -vfyopt "distid:1234567812345678" CA: openssl ca -in req.pem -extensions v3_ca -out newcert.pem CRL openssl ca -gencrl -out crl.pem : openssl ca -infiles req1.pem req2.pem req3.pem Netscape SPKAC: openssl ca -spkac spkac.txt SPKAC ( SPKAC ): SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 CN=Steve Test emailAddress=steve@openssl.org 0.OU=OpenSSL Group 1.OU=Another Group : [ ca ] default_ca = CA_default # [ CA_default ] dir = ./demoCA # database = $dir/index.txt # . new_certs_dir = $dir/newcerts # certificate = $dir/cacert.pem # serial = $dir/serial # #rand_serial = yes # private_key = $dir/private/cakey.pem# default_days = 365 # default_crl_days= 30 # default_md = sha256 # policy = policy_any # email_in_dn = no # DN name_opt = ca_default # cert_opt = ca_default # copy_extensions = none # [ policy_any ] countryName = supplied stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional : . . /usr/local/ssl/lib/openssl.cnf - ./demoCA - ./demoCA/cacert.pem - ./demoCA/private/cakey.pem - ./demoCA/serial - ./demoCA/serial.old - ./demoCA/index.txt - ./demoCA/index.txt.old - ./demoCA/certs - . . V2 CRL delta CRLs . SPKAC . . . . CA.pl . . -preserveDN. (EMAIL) DN RFC -noemailDN. . . (CA). . . . HSM . : openssl ca . copy_extensions . . basicConstraints CA:TRUE copy_extensions copyall . copy_extensions copy basicConstraints CA:FALSE . basicConstraints . keyUsage . . : basicConstraints = CA:TRUE, pathlen:0 CA:TRUE . OpenSSL 1.1.1 RFC5280. ( -startdate -enddate -days) / ( -crl_lastupdate -crl_nextupdate -crldays -crlhours -crlsec) UTCTime 2049 ( 2049) GeneralizedTime 2050 . OpenSSL 1.1.1 (CSPRNG) . RANDFILE . . -section OpenSSL 3.0.0. -multivalue-rdn OpenSSL 3.0.0 . -engine OpenSSL 3.0. 3.2 OpenSSL 3 X.509 (key identifier extensions) . openssl(1), openssl-req(1), openssl-spkac(1), openssl-x509(1), CA.pl(1), config(5), x509v3_config(5) 2000-2025 OpenSSL. . Apache 2.0 ( ""). . LICENSE . 3 . . : . 3.6.2 7 2026 OPENSSL-CA(1ssl)