
Commit 5e90f53

deploy openssl/openssl@09c13b4 to master
1 parent 989c2f4 commit 5e90f53


81 files changed

+983
-983
lines changed



master/man1/CA.pl/index.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,4 +15,4 @@
1515
CA.pl -newreq
1616
CA.pl -sign
1717
CA.pl -pkcs12 "My Test Certificate"
18-
</code></pre></div><h2 id=environment>ENVIRONMENT<a class=headerlink href=#environment title="Permanent link">&para;</a></h2><p>The environment variable <strong>OPENSSL</strong> may be used to specify the name of the OpenSSL program. It can be a full pathname, or a relative one.</p><p>The environment variable <strong>OPENSSL_CONFIG</strong> may be used to specify a configuration option and value to the <strong>req</strong> and <strong>ca</strong> commands invoked by this script. It&#39;s value should be the option and pathname, as in <code>-config /path/to/conf-file</code>.</p><h2 id=see-also>SEE ALSO<a class=headerlink href=#see-also title="Permanent link">&para;</a></h2><p><a href=../openssl/ >openssl(1)</a>, <a href=../openssl-x509/ >openssl-x509(1)</a>, <a href=../openssl-ca/ >openssl-ca(1)</a>, <a href=../openssl-req/ >openssl-req(1)</a>, <a href=../openssl-pkcs12/ >openssl-pkcs12(1)</a>, <a href=../../man5/config/ >config(5)</a></p><h2 id=copyright>COPYRIGHT<a class=headerlink href=#copyright title="Permanent link">&para;</a></h2><p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p><p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. 
You can obtain a copy in the file LICENSE in the source distribution or at <a href=https://www.openssl.org/source/license.html>https://www.openssl.org/source/license.html</a>.</p></article></div><script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script></div></main><footer class=md-footer><div class="md-footer-meta md-typeset"><div class="md-footer-meta__inner md-grid"><div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a></div></div></div></footer></div><div class=md-dialog data-md-component=dialog><div class="md-dialog__inner md-typeset"></div></div><script id=__config type=application/json>{"base": "../..", "features": ["navigation.indexes", "navigation.instant", "navigation.path", "navigation.prune", "navigation.tabs", "navigation.tabs.sticky", "navigation.tracking", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "master", "provider": "mike"}}</script><script src=../../assets/javascripts/bundle.ad660dcc.min.js></script></body></html>
18+
</code></pre></div><h2 id=environment>ENVIRONMENT<a class=headerlink href=#environment title="Permanent link">&para;</a></h2><p>The environment variable <strong>OPENSSL</strong> may be used to specify the name of the OpenSSL program. It can be a full pathname, or a relative one.</p><p>The environment variable <strong>OPENSSL_CONFIG</strong> may be used to specify a configuration option and value to the <strong>req</strong> and <strong>ca</strong> commands invoked by this script. It&#39;s value should be the option and pathname, as in <code>-config /path/to/conf-file</code>.</p><h2 id=see-also>SEE ALSO<a class=headerlink href=#see-also title="Permanent link">&para;</a></h2><p><a href=../openssl/ >openssl(1)</a>, <a href=../openssl-x509/ >openssl-x509(1)</a>, <a href=../openssl-ca/ >openssl-ca(1)</a>, <a href=../openssl-req/ >openssl-req(1)</a>, <a href=../openssl-pkcs12/ >openssl-pkcs12(1)</a>, <a href=../../man5/config/ >config(5)</a></p><h2 id=copyright>COPYRIGHT<a class=headerlink href=#copyright title="Permanent link">&para;</a></h2><p>Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.</p><p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. 
You can obtain a copy in the file LICENSE in the source distribution or at <a href=https://www.openssl.org/source/license.html>https://www.openssl.org/source/license.html</a>.</p></article></div><script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script></div></main><footer class=md-footer><div class="md-footer-meta md-typeset"><div class="md-footer-meta__inner md-grid"><div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a></div></div></div></footer></div><div class=md-dialog data-md-component=dialog><div class="md-dialog__inner md-typeset"></div></div><script id=__config type=application/json>{"base": "../..", "features": ["navigation.indexes", "navigation.instant", "navigation.path", "navigation.prune", "navigation.tabs", "navigation.tabs.sticky", "navigation.tracking", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "master", "provider": "mike"}}</script><script src=../../assets/javascripts/bundle.ad660dcc.min.js></script></body></html>
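Review bot: the removed and added line 18 differ only in the copyright range in the COPYRIGHT section, 2000-2021 versus 2000-2025; the ENVIRONMENT and SEE ALSO text, the footer and the embedded config script are byte-identical, so this hunk is a year bump on a generated page and not a content change. One wording issue is carried over unchanged: the OPENSSL_CONFIG paragraph reads "It&#39;s value should be the option and pathname", which should be "Its value". Because this site is deployed from openssl/openssl, that fix belongs in the upstream CA.pl man page source rather than in this rendered HTML.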

master/man1/openssl-ca/index.html

Lines changed: 1 addition & 1 deletion
@@ -64,4 +64,4 @@
6464
./demoCA/index.txt.old - CA text database backup file
6565
./demoCA/certs - certificate output file
6666
</code></pre></div><h2 id=restrictions>RESTRICTIONS<a class=headerlink href=#restrictions title="Permanent link">&para;</a></h2><p>The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current CRL: however there is no option to do this.</p><p>V2 CRL features like delta CRLs are not currently supported.</p><p>Although several requests can be input and handled at once it is only possible to include one SPKAC or self-signed certificate.</p><h2 id=bugs>BUGS<a class=headerlink href=#bugs title="Permanent link">&para;</a></h2><p>This command is quirky and at times downright unfriendly.</p><p>The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory.</p><p>This command really needs rewriting or the required functionality exposed at either a command or interface level so that a more user-friendly replacement could handle things properly. The script <strong>CA.pl</strong> helps a little but not very much.</p><p>Any fields in a request that are not present in a policy are silently deleted. This does not happen if the <strong>-preserveDN</strong> option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless the contents of the request&#39; subject the <strong>-noemailDN</strong> option can be used. The behaviour should be more friendly and configurable.</p><p>Canceling some commands by refusing to certify a certificate can create an empty file.</p><h2 id=warnings>WARNINGS<a class=headerlink href=#warnings title="Permanent link">&para;</a></h2><p>This command was originally meant as an example of how to do things in a CA. Its code does not have production quality. 
It was not supposed to be used as a full blown CA itself, nevertheless some people are using it for this purpose at least internally. When doing so, specific care should be taken to properly secure the private key(s) used for signing certificates. It is advisable to keep them in a secure HW storage such as a smart card or HSM and access them via a suitable engine or crypto provider.</p><p>This command is effectively a single user command: no locking is done on the various files and attempts to run more than one <strong>openssl ca</strong> command on the same database can have unpredictable results.</p><p>The <strong>copy_extensions</strong> option should be used with caution. If care is not taken then it can be a security risk. For example if a certificate request contains a basicConstraints extension with CA:TRUE and the <strong>copy_extensions</strong> value is set to <strong>copyall</strong> and the user does not spot this when the certificate is displayed then this will hand the requester a valid CA certificate. This situation can be avoided by setting <strong>copy_extensions</strong> to <strong>copy</strong> and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored.</p><p>It is advisable to also include values for other extensions such as <strong>keyUsage</strong> to prevent a request supplying its own values.</p><p>Additional restrictions can be placed on the CA certificate itself. For example if the CA certificate has:</p><div class=highlight><pre><span></span><code>basicConstraints = CA:TRUE, pathlen:0
67-
</code></pre></div><p>then even if a certificate is issued with CA:TRUE it will not be valid.</p><h2 id=history>HISTORY<a class=headerlink href=#history title="Permanent link">&para;</a></h2><p>Since OpenSSL 1.1.1, the program follows RFC5280. Specifically, certificate validity period (specified by any of <strong>-startdate</strong>, <strong>-enddate</strong> and <strong>-days</strong>) and CRL last/next update time (specified by any of <strong>-crl_lastupdate</strong>, <strong>-crl_nextupdate</strong>, <strong>-crldays</strong>, <strong>-crlhours</strong> and <strong>-crlsec</strong>) will be encoded as UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later.</p><p>OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved seeding mechanism. The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons.</p><p>The <strong>-section</strong> option was added in OpenSSL 3.0.0.</p><p>The <strong>-multivalue-rdn</strong> option has become obsolete in OpenSSL 3.0.0 and has no effect.</p><p>The <strong>-engine</strong> option was deprecated in OpenSSL 3.0.</p><p>Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default.</p><h2 id=see-also>SEE ALSO<a class=headerlink href=#see-also title="Permanent link">&para;</a></h2><p><a href=../openssl/ >openssl(1)</a>, <a href=../openssl-req/ >openssl-req(1)</a>, <a href=../openssl-spkac/ >openssl-spkac(1)</a>, <a href=../openssl-x509/ >openssl-x509(1)</a>, <a href=../CA.pl/ >CA.pl(1)</a>, <a href=../../man5/config/ >config(5)</a>, <a href=../../man5/x509v3_config/ >x509v3_config(5)</a></p><h2 id=copyright>COPYRIGHT<a class=headerlink href=#copyright title="Permanent link">&para;</a></h2><p>Copyright 2000-2024 The OpenSSL Project Authors. 
All Rights Reserved.</p><p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href=https://www.openssl.org/source/license.html>https://www.openssl.org/source/license.html</a>.</p></article></div><script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script></div></main><footer class=md-footer><div class="md-footer-meta md-typeset"><div class="md-footer-meta__inner md-grid"><div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a></div></div></div></footer></div><div class=md-dialog data-md-component=dialog><div class="md-dialog__inner md-typeset"></div></div><script id=__config type=application/json>{"base": "../..", "features": ["navigation.indexes", "navigation.instant", "navigation.path", "navigation.prune", "navigation.tabs", "navigation.tabs.sticky", "navigation.tracking", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "master", "provider": "mike"}}</script><script src=../../assets/javascripts/bundle.ad660dcc.min.js></script></body></html>
67+
</code></pre></div><p>then even if a certificate is issued with CA:TRUE it will not be valid.</p><h2 id=history>HISTORY<a class=headerlink href=#history title="Permanent link">&para;</a></h2><p>Since OpenSSL 1.1.1, the program follows RFC5280. Specifically, certificate validity period (specified by any of <strong>-startdate</strong>, <strong>-enddate</strong> and <strong>-days</strong>) and CRL last/next update time (specified by any of <strong>-crl_lastupdate</strong>, <strong>-crl_nextupdate</strong>, <strong>-crldays</strong>, <strong>-crlhours</strong> and <strong>-crlsec</strong>) will be encoded as UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later.</p><p>OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved seeding mechanism. The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons.</p><p>The <strong>-section</strong> option was added in OpenSSL 3.0.0.</p><p>The <strong>-multivalue-rdn</strong> option has become obsolete in OpenSSL 3.0.0 and has no effect.</p><p>The <strong>-engine</strong> option was deprecated in OpenSSL 3.0.</p><p>Since OpenSSL 3.2, generated certificates bear X.509 version 3, and key identifier extensions are included by default.</p><h2 id=see-also>SEE ALSO<a class=headerlink href=#see-also title="Permanent link">&para;</a></h2><p><a href=../openssl/ >openssl(1)</a>, <a href=../openssl-req/ >openssl-req(1)</a>, <a href=../openssl-spkac/ >openssl-spkac(1)</a>, <a href=../openssl-x509/ >openssl-x509(1)</a>, <a href=../CA.pl/ >CA.pl(1)</a>, <a href=../../man5/config/ >config(5)</a>, <a href=../../man5/x509v3_config/ >x509v3_config(5)</a></p><h2 id=copyright>COPYRIGHT<a class=headerlink href=#copyright title="Permanent link">&para;</a></h2><p>Copyright 2000-2025 The OpenSSL Project Authors. 
All Rights Reserved.</p><p>Licensed under the Apache License 2.0 (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href=https://www.openssl.org/source/license.html>https://www.openssl.org/source/license.html</a>.</p></article></div><script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script></div></main><footer class=md-footer><div class="md-footer-meta md-typeset"><div class="md-footer-meta__inner md-grid"><div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a></div></div></div></footer></div><div class=md-dialog data-md-component=dialog><div class="md-dialog__inner md-typeset"></div></div><script id=__config type=application/json>{"base": "../..", "features": ["navigation.indexes", "navigation.instant", "navigation.path", "navigation.prune", "navigation.tabs", "navigation.tabs.sticky", "navigation.tracking", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"default": "master", "provider": "mike"}}</script><script src=../../assets/javascripts/bundle.ad660dcc.min.js></script></body></html>
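Review bot: as with the CA.pl hunk, the only difference between line 67 before and after is the copyright range, 2000-2024 versus 2000-2025; the WARNINGS, HISTORY and SEE ALSO sections and the footer markup are unchanged. Two points in the unchanged text worth fixing upstream rather than here: the BUGS paragraph reads "regardless the contents of the request&#39; subject", which should be "regardless of the contents of the request&#39;s subject", and the WARNINGS paragraph on copy_extensions gives the mitigation as a configuration rule (set copy_extensions to copy and put basicConstraints = CA:FALSE in the config) without pointing the reader at the example config section where that line goes; a cross-reference to x509v3_config(5), already listed under SEE ALSO, would close that gap.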

0 commit comments
