Red Hat DocumentationFuse ESBToggle FramesPrintFeedback

The ca Utility

Purpose of the ca utility

You can use the ca utility to create X.509 certificates by signing existing signing requests. It is imperative that you check the details of a certificate request before signing. Your organization should have a policy with respect to issuing certificates.

The ca utility is used to sign certificate requests thereby creating a valid X.509 certificate which can be returned to the request submitter. It can also be used to generate Certificate Revocation Lists (CRLS). For information on the ca -policy and -name options, refer to The OpenSSL Configuration File .

Creating a new CA

To create a new CA using the openssl ca utility, two files (serial and index.txt) must be created in the location specified by the openssl configuration file that you are using.


The options supported by the openssl ca utility are as follows:


- Talk alot while doing things

-config file

- A config file

-name arg

- The particular CA definition to use


- Generate a new CRL

-crldays days

- Days is when the next CRL is due

-crlhours hours

- Hours is when the next CRL is due

-days arg

- number of days to certify the certificate for

-md arg

- md to use, one of md2, md5, sha or sha1

-policy arg

- The CA ‘policy’ to support

-keyfile arg

- PEM private key file

-key arg

- key to decode the private key if it is encrypted


- The CA certificate

-in file

- The input PEM encoded certificate request(s)

-out file

- Where to put the output file(s)

-outdir dir

- Where to put output certificates


- The last argument, requests to process

-spkac file

- File contains DN and signed public key and challenge


- Do not re-order the DN


- Do not ask questions


- msie modifications to handle all thos universal strings

Most of the above parameters have default values as defined in openssl.cnf.

Using the ca Utility

Converting a private key to PEM format from DER format requires the ca utility. To sign the supplied CSR MyReq.pem to be valid for 365 days and to create a new X.509 certificate in PEM format, use the ca utility as follows:

openssl ca -config ssl_conf_path_name -days 365
           -in MyReq.pem -out MyNewCert.pem
Comments powered by Disqus