[ca] Variables

Choosing the CA section

You can configure the file openssl.cnf to support a number of CAs that have different policies for signing CSRs. The -name parameter to the ca command specifies which CA section to use; for example:

openssl ca -name MyCa ...

This command refers to the CA section [MyCa]. If -name is not supplied to the ca command, the CA section used is the one indicated by the default_ca variable. In the Example openssl.cnf File, this is set to CA_default (which is the name of another section listing the defaults for a number of settings associated with the ca command). Multiple different CAs can be supported in the configuration file, but there can be only one default CA.

Overview of the variables

Possible [ca] variables include the following:

dir: The location for the CA database.
     The database is a simple text database containing the
     following tab-separated fields:

     status: A value of ‘R’ (revoked), ‘E’ (expired) or ‘V’ (valid)
     issued date: When the certificate was certified
     revoked date: When it was revoked, blank if not revoked
     serial number: The certificate serial number
     certificate: Where the certificate is located
     CN: The name of the certificate

certs: Where the issued certificates are kept

The serial number field should be unique, as should the CN/status combination. The ca utility checks these at startup.
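
The uniqueness checks described above, as an added example that is not part of the original page or OpenSSL's own code: a Python script that parses a database with the six fields in the order listed here and reports duplicate serial numbers and duplicate CN/status combinations. The sample rows, paths and function names are constructed for illustration.

```python
from collections import Counter

# Field order as listed on this page.
FIELDS = ("status", "issued_date", "revoked_date", "serial", "certificate", "cn")

# Constructed sample database; rows and paths are illustrative only.
SAMPLE_DB = (
    "V\t250101000000Z\t\t01\tcerts/01.pem\twww.example.test\n"
    "R\t250102000000Z\t250301000000Z\t02\tcerts/02.pem\tmail.example.test\n"
    "V\t250103000000Z\t\t02\tcerts/03.pem\tmail.example.test\n"
    "V\t250104000000Z\t\t04\tcerts/04.pem\twww.example.test\n"
    "X\t250105000000Z\t\t05\tcerts/05.pem\n"
)


def parse_db(text):
    """Split the tab-separated database into records; return (records, errors)."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(cols)}")
            continue
        rec = dict(zip(FIELDS, cols))
        if rec["status"] not in ("R", "E", "V"):
            errors.append(f"line {lineno}: unknown status {rec['status']!r}")
        elif (rec["status"] == "R") != bool(rec["revoked_date"]):
            # The revoked date is blank unless the entry is revoked.
            errors.append(f"line {lineno}: revoked date does not match status")
        else:
            records.append(rec)
    return records, errors


def check_unique(records):
    """Report duplicate serial numbers and duplicate CN/status combinations."""
    serials = Counter(r["serial"] for r in records)
    pairs = Counter((r["cn"], r["status"]) for r in records)
    errors = [f"duplicate serial number: {s}" for s, n in serials.items() if n > 1]
    errors += [f"duplicate CN/status: {cn}/{st}" for (cn, st), n in pairs.items() if n > 1]
    return errors


if __name__ == "__main__":
    records, parse_errors = parse_db(SAMPLE_DB)
    for problem in parse_errors + check_unique(records):
        print(problem)
```

Running a check like this before and after manual edits to the database catches the same inconsistencies the ca utility would reject at startup.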

