You can use the ca utility to create X.509 certificates by signing existing signing requests. It is imperative that you check the details of a certificate request before signing. Your organization should have a policy with respect to issuing certificates.
The ca utility is used to sign certificate requests, thereby
creating a valid X.509 certificate which can be returned to the request
submitter. It can also be used to generate Certificate Revocation Lists (CRLs).
For information on the ca -policy and -name options, refer to
The OpenSSL Configuration File.
To create a new CA using the openssl ca utility, two files
(serial and index.txt) must be created
in the location specified by the openssl configuration file that you are using.
The options supported by the openssl ca utility are as follows:
Most of the above parameters have default values as defined in
openssl.cnf.
Converting a private key to PEM format from DER format requires the
ca utility. To sign the supplied CSR
MyReq.pem to be valid for 365 days and to create a new X.509
certificate in PEM format, use the ca utility as follows:
openssl ca -config ssl_conf_path_name -days 365 \
    -in MyReq.pem -out MyNewCert.pem
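
The steps above carried through on a throwaway CA, as an added example that is not part of the original documentation: it creates serial and index.txt, checks the request's subject before signing, then runs the signing command. The contents of ca.cnf, the newcerts directory, the names Demo CA and req.example.test, and the use of -batch are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example: scratch CA with constructed names (Demo CA, req.example.test).
sign_demo() (
    cd "$1" || exit 1
    # The two files openssl ca needs, plus a directory for issued copies.
    mkdir -p newcerts && echo 01 > serial && : > index.txt || exit 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcerts
certificate = ./cacert.pem
private_key = ./cakey.pem
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Throwaway CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 730 \
        -subj "/CN=Demo CA" -keyout cakey.pem -out cacert.pem 2>/dev/null &&
    # A requester's key and CSR (normally received, not generated by the CA).
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=req.example.test" -keyout req.key -out MyReq.pem 2>/dev/null &&
    # Check the request before signing: stop unless the subject is the expected one.
    openssl req -in MyReq.pem -config ca.cnf -noout -subject |
        grep -q 'CN *= *req\.example\.test$' &&
    # The signing command from the text; -batch skips the interactive confirmation.
    openssl ca -config ca.cnf -batch -days 365 -in MyReq.pem -out MyNewCert.pem &&
    # Confirm the new certificate chains to the CA that issued it.
    openssl verify -CAfile cacert.pem MyNewCert.pem
)

# Run once in a fresh directory and show the CA database entry that was recorded.
DEMO_DIR=$(mktemp -d) && sign_demo "$DEMO_DIR" && cat "$DEMO_DIR/index.txt"
```

After a successful run, index.txt holds one valid (V) entry for the issued certificate and serial has advanced to the next value.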







