openssl-ca
minimal certificate authority application
SYNOPSIS
openssl ca [options] [-in csr] [-out cert] [-infiles csr...]
DESCRIPTION
openssl ca is a minimal certificate authority application. It signs certificate requests (CSRs), maintains a flat-file database (index.txt) of issued certificates, tracks the next serial number (serial), and generates X.509 Certificate Revocation Lists (CRLs).

By default the command reads its configuration from the [ca] section of openssl.cnf, whose default_ca entry names a section describing where to find the CA certificate and key, the database, the serial file, the directory of issued certificates (newcerts/), the policy, and which extensions to apply. Most options can be set there instead of on the command line.
PARAMETERS
-in file
Input CSR (PEM-encoded). Use -infiles instead to sign multiple CSRs in one invocation.
-infiles file...
Sign every CSR listed after this option (must be the last option on the line).
-out file
Output certificate file (default: stdout).
-config file
OpenSSL configuration file (defaults to /etc/ssl/openssl.cnf).
-cert file
CA certificate used for signing.
-keyfile file
CA private key (PEM, ENGINE URI, or PKCS#11 URI).
-days n
Certificate validity in days from today.
-startdate YYMMDDHHMMSSZ, -not_before date
Explicit certificate start date.
-enddate YYMMDDHHMMSSZ, -not_after date
Explicit certificate expiry date.
-md alg
Message digest algorithm (e.g. sha256, sha384).
-policy name
CA policy section in the config file (controls which DN fields must match the CA).
-extensions section
Config section containing certificate extensions to add.
-extfile file
Read extensions from an extra file (combined with -extensions).
-subj dn
Override the subject name from the CSR (e.g. `/CN=example/O=Acme`).
-batch
Non-interactive mode: sign without prompting for confirmation.
-notext
Do not include a human-readable text dump in the output.
-noemailDN
Strip the emailAddress RDN from the certificate Subject.
-create_serial
Create a fresh random serial if the serial file is missing.
-revoke file
Mark the given certificate as revoked in the CA database.
-crl_reason reason
Reason for revocation (unspecified, keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL).
-status serial
Print the revocation status of the certificate with the given serial.
-gencrl
Generate a CRL using the current database.
-crldays n, -crlhours n
Validity period until the next CRL is expected.
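The -status, -revoke and -gencrl options all work from the index.txt database. The following is an added example, not part of this page or of OpenSSL, showing how that file is laid out and how to read it with plain sh and awk; the sample rows are constructed, not real CA output. The column layout (status, expiry, revocation date with optional reason, serial, file name, subject) is the one the ca command writes; it is not formally documented, which is why the CAVEATS section calls the format proprietary.

```shell
# Added example (not OpenSSL code): reading the flat-file CA database
# (index.txt) that openssl ca maintains. Fields are tab-separated:
#   1 status: V valid, R revoked, E expired
#   2 expiry date (YYMMDDHHMMSSZ)
#   3 revocation date, optionally followed by ",reason"; empty unless revoked
#   4 serial number (hex)   5 certificate file name ("unknown")   6 subject DN

# Constructed sample database (not real CA output). printf expands \t so the
# fields are tab-separated exactly as openssl ca writes them.
make_sample_index() {
    printf 'V\t270101000000Z\t\t01\tunknown\t/CN=web.example.test\n'
    printf 'R\t270101000000Z\t250301120000Z,keyCompromise\t02\tunknown\t/CN=old.example.test\n'
    printf 'R\t270101000000Z\t250302090000Z\t03\tunknown\t/CN=retired.example.test\n'
    printf 'E\t240101000000Z\t\t04\tunknown\t/CN=expired.example.test\n'
}

# List revoked serials with their reason code; a revocation recorded without a
# -crl_reason has no ",reason" suffix and is reported as "unspecified".
ca_db_revoked() {
    awk -F'\t' '$1 == "R" {
        n = split($3, rev, ",")
        reason = (n > 1) ? rev[2] : "unspecified"
        print $4, reason
    }' "$1"
}

# Count entries in a given state (V, R or E); prints 0 when there are none.
ca_db_count() {
    awk -F'\t' -v s="$1" '$1 == s { c++ } END { print c + 0 }' "$2"
}

# Subject DN recorded for a serial; prints nothing if the serial is absent.
ca_db_subject() {
    awk -F'\t' -v serial="$1" '$4 == serial { print $6 }' "$2"
}
```

Usage: `make_sample_index > index.txt; ca_db_revoked index.txt` prints `02 keyCompromise` and `03 unspecified`, and `ca_db_count R index.txt` prints `2`. Against a real CA, point the functions at the database path configured in the default_ca section; the same status letters are what `openssl ca -status serial` reports.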
CA SETUP
mkdir -p demoCA/{certs,crl,newcerts,private}
touch demoCA/index.txt
echo '01' > demoCA/serial
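The three setup commands above create only the directory skeleton. The script below is an added example, not OpenSSL project code, that carries the procedure through to a working CA in a scratch directory: it builds the demoCA tree (spelled out without bash brace expansion so it runs under plain sh), writes the minimal configuration the [ca] section needs, self-signs a CA, signs one CSR with -batch, revokes it with a reason code and issues a CRL. The names Demo Root CA and server.example.test are made up, and the config keys shown are the standard default_ca keys rather than anything specific to this page.

```shell
# Added example, not OpenSSL project code: the full openssl ca lifecycle in a
# scratch directory (demoCA tree, minimal config, self-signed CA, one CSR signed
# with -batch, revocation, CRL). "Demo Root CA"/"server.example.test" are made up.
set -e

# Minimal openssl.cnf: [ca] names demo_ca, which locates the database, serial
# file, CA cert/key, the policy and the extensions stamped on leaf certificates.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = Demo Root CA
EOF
}

# Directory layout and seed files (the CA SETUP commands, without brace expansion).
setup_ca_tree() {
    for d in certs crl newcerts private; do mkdir -p "$1/demoCA/$d"; done
    chmod 700 "$1/demoCA/private"      # the CA key lives here; keep it private
    : > "$1/demoCA/index.txt"
    echo 01 > "$1/demoCA/serial"
    echo 01 > "$1/demoCA/crlnumber"
}

# Self-signed CA certificate and key, marked as a CA that may sign certs and CRLs.
make_ca_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/ca.cnf" -subj "/CN=Demo Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem" 2>/dev/null
}

# One leaf: generate a CSR, then sign it non-interactively (-batch, -notext).
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -batch -notext \
        -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}

# Revoke the leaf with a reason code, then publish a CRL that lists it.
revoke_leaf() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/server.crt" \
        -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/demoCA/crl/crl.pem" 2>/dev/null
}

# Status letter stored for serial 01 in index.txt: V (valid) or R (revoked).
db_status() {
    awk -F'\t' '$4 == "01" { print $1 }' "$1/demoCA/index.txt"
}

# Number of CRL entries carrying serial 01 (1 once the leaf has been revoked).
crl_lists_leaf() {
    openssl crl -in "$1/demoCA/crl/crl.pem" -noout -text | grep -c 'Serial Number: 01'
}

# Whole lifecycle; prints "<status before revoke> <status after> <CRL entries>".
run_demo() {
    setup_ca_tree "$1"; write_ca_config "$1"; make_ca_cert "$1"; issue_leaf "$1"
    before=$(db_status "$1")
    revoke_leaf "$1"
    echo "$before $(db_status "$1") $(crl_lists_leaf "$1")"
}

# Runs end to end with RUN_CA_DEMO=1 sh ca-demo.sh; otherwise only defines functions.
if [ "${RUN_CA_DEMO:-0}" = 1 ]; then
    run_demo "$(mktemp -d)"
fi
```

`RUN_CA_DEMO=1 sh ca-demo.sh` prints `V R 1`: the leaf is recorded as valid after signing, as revoked after -revoke, and appears once on the generated CRL. `openssl ca -config ca.cnf -status 01` reports the same state from the database. The stderr redirections hide the "Using configuration from" chatter; drop them while debugging a config.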
CAVEATS
Use proper CA software for production. The database format is proprietary. The configuration is complex for beginners.
HISTORY
The openssl ca command has been part of OpenSSL since early versions, providing basic CA functionality.
SEE ALSO
openssl-req(1), openssl-x509(1), openssl-crl(1)
