Openssl ca命令

一、简介

ca命令能够签发证书请求文件以及生成CRL列表

二、语法

openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file][-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time ] [ -subj subj] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date][-days arg] [-md arg] [-policy arg] [-keyfile arg] [-keyform arg] [-key arg] [-passin arg] [-cert file][-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-batch] [-msie_hack] [-extensions section][-utf8] [-create_serial] [-multivalue-rdn] [-sigopt] [-noemailDN][ -crlsec] [-extfile file] [-updatedb] [ -engine id ]

选项

-verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates

三、实例

1、签发证书请求文件

openssl ca -in cert_req.pem -extensions v3_ca -out newcert.pem

或

openssl ca -config openssl.cnf -name CA_default -days  -md sha1 -policy policy_anything -cert demoCA/cacert.pem -in cert_req.pem -out cert1.pem -preserveDN -noemailDN -subj /CN=CN/O=JS/OU=WX/cn=myname -extensions myexts

2、撤销证书并生成crl

openssl ca -revoke rsa_server_cert.pem -config openssl_utf8.cnf -keyfile rsa_ca_prikey.pem -passin pass:"" -cert rsa_ca_cert.pem
openssl ca -gencrl -config openssl_utf8.cnf -utf8 -keyfile rsa_ca_prikey.pem -passin pass:"" -cert rsa_ca_cert.pem -out crl.pem

设置原因、挂起处理方法

openssl ca -gencrl -crl_reason keyCompromise -crl_compromise 20010101030303Z  -crl_hold holdInstructionReject -crl_CA_compromise  20020101030303Z -crldays  -out crl2.crl

参考：http://blog.csdn.net/as3luyuan123/article/details/13346613