openssl-ca
TLDR
Sign certificate request
$ openssl ca -in [request.csr] -out [certificate.crt]
Sign with specific CA
$ openssl ca -config [ca.cnf] -cert [ca.crt] -keyfile [ca.key] -in [request.csr] -out [cert.crt]
Revoke certificate
$ openssl ca -revoke [certificate.crt]
Generate CRL
$ openssl ca -gencrl -out [crl.pem]
Show status of an issued certificate by serial number
$ openssl ca -status [serial_number]
SYNOPSIS
openssl ca [options] [-in csr] [-out cert]
DESCRIPTION
openssl ca is a minimal certificate authority application. It signs certificate requests, maintains a database of issued certificates, and generates Certificate Revocation Lists.
Intended for testing and small-scale PKI deployments.
PARAMETERS
-in file
Input CSR.
-out file
Output certificate.
-config file
Config file.
-cert file
CA certificate.
-keyfile file
CA private key.
-days n
Validity period.
-revoke file
Revoke certificate.
-gencrl
Generate CRL.
CA SETUP
# Initialize CA
$ mkdir -p demoCA/{certs,crl,newcerts,private}
$ touch demoCA/index.txt
$ echo '01' > demoCA/serial
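The setup above carried through one issue, revoke and CRL cycle, as an added example that is not part of the original page. The ca.cnf contents, subject names and file names are constructed for illustration; the status flag is read from the first field of demoCA/index.txt.

```shell
#!/bin/sh
# Added example: throwaway test CA. ca.cnf, subjects and file names are constructed.
ca_lifecycle() (
  set -eu
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  cd "$work"
  umask 077   # CA key, serial file and database readable by the owner only
  mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
  touch demoCA/index.txt
  echo '01' > demoCA/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./demoCA/index.txt
new_certs_dir = ./demoCA/newcerts
serial = ./demoCA/serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  ca() { openssl ca -batch -config ca.cnf -cert demoCA/cacert.pem \
           -keyfile demoCA/private/cakey.pem "$@" >&2; }  # stdout kept for the result
  # Self-signed test root, then a leaf key and CSR
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
    -subj "/CN=Example Test CA" -keyout demoCA/private/cakey.pem \
    -out demoCA/cacert.pem
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=host.example.test" -keyout leaf.key -out leaf.csr
  ca -in leaf.csr -out leaf.crt
  issued=$(cut -f1 demoCA/index.txt)    # first tab-separated field: V = valid
  ca -revoke leaf.crt
  ca -gencrl -out crl.pem
  revoked=$(cut -f1 demoCA/index.txt)   # the same row now starts with R = revoked
  listed=$(openssl crl -in crl.pem -noout -text | grep -c 'Serial Number: 01')
  echo "$issued $revoked $listed"
)
ca_lifecycle
```

On success it prints V R 1: the database row moves from valid to revoked, and the generated CRL lists serial 01.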
CAVEATS
Use proper CA software for production. The database format is proprietary. Configuration is complex for beginners.
HISTORY
The openssl ca command has been part of OpenSSL since early versions, providing basic CA functionality.
SEE ALSO
openssl-req(1), openssl-x509(1), openssl-crl(1)


