Add documentation on the added functionality in 'openssl ca'.

d6df2b28 · Richard Levitte · 6fcf7354 · d6df2b28 · d6df2b28
隐藏空白更改
内联并排

Showing with 26 addition and 0 deletion

apps/ca.c apps/ca.c +1 -0

doc/apps/ca.pod doc/apps/ca.pod +25 -0

未找到文件。
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -169,6 +169,7 @@ static char *ca_usage[]={
 " -keyform arg    - private key file format (PEM or ENGINE)\n",
 " -key arg        - key to decode the private key if it is encrypted\n",
 " -cert file      - The CA certificate\n",
+" -selfsign       - sign a certificate with the key associated with it\n",
 " -in file        - The input PEM encoded certificate request(s)\n",
 " -out file       - Where to put the output file(s)\n",
 " -outdir dir     - Where to put output certificates\n",

--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -30,6 +30,7 @@ B<openssl> B<ca>
 [B<-key arg>]
 [B<-passin arg>]
 [B<-cert file>]
+[B<-selfsign>]
 [B<-in file>]
 [B<-out file>]
 [B<-notext>]
@@ -113,6 +114,20 @@ the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.

+=item B<-selfsign>
+
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with B<-keyfile>).
+Cerificate requests signed with a different key are ignored.  If
+B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
+ignored.
+
+A consequence of using B<-selfsign> is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option B<database>), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
+
 =item B<-passin arg>

 the key password source. For more information about the format of B<arg>
@@ -359,6 +374,16 @@ the same as the B<-md> option. The message digest to use. Mandatory.
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.

+=item B<unique_subject>
+
+if the value B<yes> is given, the valid certificate entries in the
+database must have unique subjects.  if the value B<no> is given,
+several valid certificate entries may have the exact same subject.
+The default value is B<yes>, to be compatible with older (pre 0.9.8)
+versions of OpenSSL.  However, to make CA certificate roll-over easier,
+it's recommended to use the value B<no>, especially if combined with
+the B<-selfsign> command line option.
+
 =item B<serialfile>

 a text file containing the next serial number to use in hex. Mandatory.