OpenSSL "ca -config" - Using Configuration File

Q

Can I use my own configuration file when running "ca" command?

✍: FYIcenter.com

A

Yes, you can specify your own configuration file using the "-config file" option when running the "ca" command.

The OpenSSL configuration file lets you control the behavior of the "ca" command with the following options:

  • certificate - This option specifies the file name of the default CA certificate. This option is mandatory. It can be overridden by the -cert option at the command line.
  • private_key - This option specifies the file name of the CA private key. It can be overridden by the -keyfile option at the command line.
  • new_certs_dir - This option specifies the directory where new certificates will be placed. This option is mandatory. It can be overridden by the -outdir option at the command line.
  • default_days - This option specifies the number of valid days to give the new certificate. It can be overridden by the -days option at the command line.
  • default_startdate - This option specifies the start date and time of the new certificate. It can be overridden by the -startdate option at the command line.
  • default_md - This option specifies the message digest algorithm to use when generating the digital signature of the certificate. This option is mandatory. It can be overridden by the -md option at the command line.
  • database - This option specifies the file name of the certificate database. This option is mandatory. The certificate database file must be present though initially it will be empty.
  • unique_subject - If the value yes is given, the valid certificate entries in the database must have unique subjects (you cannot sign two certificates with the same subject). If the value no is given, several valid certificate entries may have the exact same subject (you can sign multiple certificates with the same subject).
  • serial - This option specifies a text file containing the next serial number (in hexadecimal) to use when signing a new certificate. This option is mandatory. This serial number file must be present and contain a valid serial number.
  • crlnumber - This option specifies a text file containing the next serial number (in hexadecimal) to use when generating a CRL. This option is mandatory. This serial number file must be present and contain a valid serial number.
  • preserve - If the value yes is given, the order of DN (Distinguished Name) fields in CSR will be preserved. Otherwise, the order of DN fields will be decided by the relevant policy. It can be overridden by the -preserveDN option at the command line.
  • email_in_dn - If the value no is given, the email field will be removed from the DN. Otherwise, the email field will stay in the DN. It can be overridden by the -noemailDN option at the command line.
  • copy_extensions - If the value none is given, X509 v3 extensions in the CSR will be ignored. If the value copyall is given, all X509 v3 extensions in the CSR will be copied to the certificate. If the value copy is given, only X509 v3 extensions that are in the CSR, but not in the certificate, will be copied.
  • x509_extensions - This option specifies a section in the configuration file where X509 v3 extension options are located. It can be overridden by the -extensions option at the command line.
  • crl_extensions - This option specifies a section in the configuration file where CRL extension options are located. It can be overridden by the -crlexts option at the command line.
  • policy - This option specifies a section in the configuration file where policy options are located. It can be overridden by the -policy option at the command line.
  • default_ca - This option specifies a section in the configuration file where all above "ca" options are located. This option is mandatory.
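As an added example (not code from the original page), here is a minimal configuration that wires these options together, plus the shell steps that create the files the mandatory options require and the "ca -config" call itself. The section names my_ca, policy_match and v3_leaf and the file paths under the CA directory are assumptions made for this example.

```shell
# Added example, not from the page: a minimal "ca" config built from the
# options above, plus the directory layout "openssl ca" expects. The section
# name "my_ca" and the paths under $1 are assumptions made for this example.
set -e
write_ca_config() {
  dir=$1
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = my_ca             # mandatory: names the section below

[ my_ca ]
certificate     = $dir/ca.crt       # mandatory; -cert overrides
private_key     = $dir/ca.key       # -keyfile overrides
new_certs_dir   = $dir/newcerts     # mandatory; -outdir overrides
database        = $dir/index.txt    # mandatory; must exist, may be empty
serial          = $dir/serial       # mandatory; hex, must exist
crlnumber       = $dir/crlnumber    # mandatory; hex, must exist
default_md      = sha256            # mandatory; -md overrides
default_days    = 365               # -days overrides
unique_subject  = yes               # refuse a second valid cert per subject
copy_extensions = none              # ignore extensions carried in the CSR
x509_extensions = v3_leaf           # -extensions overrides
policy          = policy_match      # -policy overrides

[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
EOF
}

# Create what the mandatory options require: an empty database, hex serial
# and CRL-number files, and the output directory for new certificates.
init_ca_dir() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  printf '1000\n' > "$dir/serial"
  printf '1000\n' > "$dir/crlnumber"
  write_ca_config "$dir"
}
# Sign a CSR non-interactively with the config file above.
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3"
}
```

Call init_ca_dir on a fresh directory, place the CA certificate and key at the configured paths, then sign_csr that directory, a CSR and an output path; the signed copy also lands in new_certs_dir under its serial number.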


2016-09-09