LinuxCommandLibrary

CA.pl.1s

Friendlier interface for the OpenSSL certificate programs; runs a demonstration Certificate Authority

SYNOPSIS

CA.pl -? | -h | -help
CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
CA.pl -pkcs12 [certname]
CA.pl -verify certfile ...
CA.pl -revoke certfile [reason]

PARAMETERS

-?, -h, -help
    Print a usage message and exit

-newca
    Create a new CA hierarchy under ./demoCA. Prompts for the filename of an existing CA certificate; pressing Enter creates a new CA key (demoCA/private/cakey.pem) and self-signed CA certificate (demoCA/cacert.pem, valid 1095 days) and initialises index.txt, serial and crlnumber

-newcert
    Create a self-signed certificate (openssl req -x509): key in newkey.pem, certificate in newcert.pem. Prompts for a key passphrase and the subject DN

-newreq
    Create a private key (newkey.pem) and a certificate signing request (newreq.pem). Prompts for the key passphrase and the subject DN

-newreq-nodes
    Same as -newreq, but the private key is written unencrypted (openssl req -nodes)

-sign, -signreq
    Sign newreq.pem with the CA (openssl ca -policy policy_anything); the certificate goes to newcert.pem. -signreq is an undocumented synonym for -sign

-xsign
    Like -sign, but writes the certificate to standard output instead of newcert.pem

-signCA
    Sign newreq.pem as a CA certificate (openssl ca -extensions v3_ca), for creating an intermediate CA. Output in newcert.pem. Note the capital CA

-signcert
    Convert the self-signed certificate in newcert.pem into a request (openssl x509 -x509toreq) and sign that with the CA; the result replaces newcert.pem

-pkcs12 [certname]
    Create newcert.p12 containing the certificate in newcert.pem, the key in newkey.pem and the CA certificate, with certname as the friendly name. Prompts for an export password

-verify certfile ...
    Verify each certfile against the CA certificate (openssl verify -CAfile demoCA/cacert.pem); with no argument, verifies newcert.pem

-revoke certfile [reason]
    Mark the certificate in certfile as revoked in demoCA/index.txt; reason is an optional CRL reason code such as keyCompromise. Nothing is published until -crl is run

-crl
    Generate a CRL from the revocations recorded in index.txt, written to demoCA/crl/crl.pem

-extra-cmd parameter
    (OpenSSL 1.1.1 and later) Pass parameter to the openssl sub-command cmd whenever that sub-command is run, e.g. -extra-req "-config my.cnf" or -extra-ca "-days 30". This is the supported way to hand extra flags to the underlying openssl commands; CA.pl has no -config, -out or -days option of its own

DESCRIPTION

CA.pl is a Perl script shipped with OpenSSL that wraps the openssl req, ca, x509, pkcs12 and verify commands to run a demonstration Certificate Authority (CA). Each invocation performs one operation chosen by its first argument: create the CA hierarchy, generate a private key and certificate signing request (CSR), sign a request, verify a certificate against the CA, export a certificate and key as PKCS#12, revoke a certificate, or generate a CRL.

It is designed for education and testing. File names are hard-coded (newkey.pem, newreq.pem, newcert.pem and newcert.p12 in the current directory; the CA itself under ./demoCA) so that the tutorial sequence -newca, -newreq, -sign, -verify works with no arguments beyond the operation name. The demoCA layout is the one described by the [ CA_default ] section of the stock openssl.cnf, which is why the script works with the default configuration and needs adjustment for any other.

It has no production features: no access control on the CA key beyond its passphrase, no HSM or engine support, and no audit trail beyond index.txt. The environment variable OPENSSL selects the openssl binary to run, and OPENSSL_CONFIG supplies extra arguments (for example "-config file") appended to every req and ca invocation; the openssl binary itself also honours OPENSSL_CONF. CA.pl is widely used in tutorials because it runs the PKI steps in the right order without hiding them.
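The sequence the description above automates, written out as the openssl commands CA.pl runs for -newca, -newreq-nodes, -sign, -verify, -pkcs12, -revoke and -crl. This is an added example, not code from the page or from OpenSSL's CA.pl. It assumes an openssl binary (1.1.x or 3.x) on PATH; the demo.cnf it embeds is a constructed minimal stand-in for the demoCA sections of the stock openssl.cnf, and the subject names, the friendly name and the export password demo-only are made up for the example. It goes one step beyond CA.pl by checking that the revoked certificate is rejected once the CRL is consulted, which CA.pl -verify does not do.

```sh
#!/bin/sh
# Added example: what CA.pl does underneath, made non-interactive.
# Assumes openssl on PATH; everything else is constructed here.

demo_ca_flow() (
    command -v openssl >/dev/null 2>&1 || { echo skip; exit 0; }
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    log="$work/openssl.log"

    # Constructed minimal equivalent of the demoCA sections of openssl.cnf
    # (section names policy_anything, v3_ca, usr_cert match the stock file).
    cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # -newca: create the tree, then req -new followed by ca -selfsign.
    # CA.pl prompts for the DN and a passphrase; -subj and -nodes avoid that
    # here (an unencrypted CA key is acceptable only for a throwaway demo).
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private || exit 1
    : > demoCA/index.txt
    echo 01 > demoCA/crlnumber
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
        -subj '/CN=Demo CA' -keyout demoCA/private/cakey.pem \
        -out demoCA/careq.pem >>"$log" 2>&1 || exit 1
    openssl ca -config demo.cnf -create_serial -batch -selfsign -days 1095 \
        -keyfile demoCA/private/cakey.pem -extensions v3_ca \
        -out demoCA/cacert.pem -infiles demoCA/careq.pem >>"$log" 2>&1 || exit 1

    # -newreq-nodes: unencrypted key in newkey.pem, request in newreq.pem.
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
        -subj '/CN=server.example' -keyout newkey.pem -out newreq.pem \
        >>"$log" 2>&1 || exit 1

    # -sign: CA.pl asks "Sign the certificate? [y/n]"; -batch answers yes.
    openssl ca -config demo.cnf -batch -policy policy_anything \
        -out newcert.pem -infiles newreq.pem >>"$log" 2>&1 || exit 1

    # -verify: chain newcert.pem to the demo CA.
    openssl verify -CAfile demoCA/cacert.pem newcert.pem >>"$log" 2>&1 || exit 1

    # -pkcs12: bundle cert, key and CA cert; CA.pl prompts for the password.
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
        -certfile demoCA/cacert.pem -name 'demo bundle' \
        -passout pass:demo-only -out newcert.p12 >>"$log" 2>&1 || exit 1

    # -revoke, then -crl: index.txt gets an R line, the CRL is issued.
    openssl ca -config demo.cnf -revoke newcert.pem -crl_reason keyCompromise \
        >>"$log" 2>&1 || exit 1
    openssl ca -config demo.cnf -gencrl -out demoCA/crl/crl.pem >>"$log" 2>&1 || exit 1
    grep -q '^R' demoCA/index.txt || exit 1

    # The check CA.pl lacks: with the CRL consulted, verification must fail.
    if openssl verify -crl_check -CAfile demoCA/cacert.pem \
            -CRLfile demoCA/crl/crl.pem newcert.pem >>"$log" 2>&1; then
        exit 1
    fi
    echo ok
)

demo_ca_flow
```

The function prints ok when every step behaves as CA.pl's documentation says (and the revoked certificate is rejected), skip when no openssl binary is available, and exits non-zero otherwise; all openssl output is kept in openssl.log inside the temporary directory for inspection.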

CAVEATS

Demo script only; not for production. The CA private key sits in demoCA/private/cakey.pem on the same host that signs, protected only by its passphrase; paths and file names are hard-coded; and the stock configuration it relies on uses policy_anything, 365-day end-entity certificates and a 1095-day CA certificate. Requires Perl and the openssl binary. Passphrases, the subject DN and the "Sign the certificate? [y/n]" confirmation are read from the terminal, so it does not run unattended; -newreq-nodes removes the key passphrase prompt at the cost of an unencrypted key. For anything that matters, run openssl ca directly with a reviewed configuration.

DIRECTORY STRUCTURE

Creates ./demoCA (relative to the current directory) with subdirectories certs, crl, newcerts and private, and files private/cakey.pem (CA private key), cacert.pem (CA certificate), careq.pem (the CA's own request), index.txt (certificate database), serial and crlnumber. Each issued certificate is also stored as newcerts/<serial>.pem, and -crl writes crl/crl.pem. Working files newkey.pem, newreq.pem, newcert.pem and newcert.p12 are written to the current directory, not to demoCA.

PROMPTS

There is no menu. Running CA.pl with no operation, or with -?, -h or -help, only prints usage information. The interaction comes from the openssl commands it runs: -newca first asks for the filename of an existing CA certificate (Enter creates one), then openssl req asks for the key passphrase and the subject DN; -sign, -signCA, -signcert and -xsign ask to confirm signing and committing the database; -pkcs12 asks for an export password. Set OPENSSL_CONFIG to "-config file" to use a configuration other than the default openssl.cnf; OPENSSL_CONF is honoured by the openssl binary itself.

HISTORY

CA.pl dates back to SSLeay, where it accompanied the older CA.sh shell script, and has shipped in the OpenSSL apps directory since the first OpenSSL releases; it is still included in OpenSSL 3.x. It was never superseded by openssl ca: it is a thin wrapper around openssl req, ca, x509, pkcs12 and verify, and everything it does can be run with those commands directly.

SEE ALSO

openssl(1), ca(1), req(1), x509(1), pkcs12(1)
