1 files changed, 42 insertions, 1 deletions
diff --git a/src/lib/libssl/src/doc/apps/CA.pl.pod b/src/lib/libssl/src/doc/apps/CA.pl.pod
index 83e4c0af81..58e0f52001 100644
--- a/src/lib/libssl/src/doc/apps/CA.pl.pod
+++ b/src/lib/libssl/src/doc/apps/CA.pl.pod
@@ -13,6 +13,7 @@ B<CA.pl>
 [B<-help>]
 [B<-newcert>]
 [B<-newreq>]
+[B<-newreq-nodes>]
 [B<-newca>]
 [B<-xsign>]
 [B<-sign>]
@@ -46,6 +47,10 @@ written to the file "newreq.pem".
 creates a new certificate request. The private key and request are
 written to the file "newreq.pem".
+=item B<-newreq-nowdes>
+is like B<-newreq> except that the private key will not be encrypted.
 =item B<-newca>
 creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
@@ -69,9 +74,16 @@ list box), otherwise the name "My Certificate" is used.
 calls the B<ca> program to sign a certificate request. It expects the request
 to be in the file "newreq.pem". The new certificate is written to the file
-"newcert.pem" except in the case of the B<-xcert> option when it is written
+"newcert.pem" except in the case of the B<-xsign> option when it is written
 to standard output.
+=item B<-signCA>
+this option is the same as the B<-signreq> option except it uses the configuration
+file section B<v3_ca> and so makes the signed request a valid CA certificate. This
+is useful when creating intermediate CA from a root CA.
 =item B<-signcert>
 this option is the same as B<-sign> except it expects a self signed certificate
@@ -102,6 +114,35 @@ the request and finally create a PKCS#12 file containing it.
 CA.pl -signreq
 CA.pl -pkcs12 "My Test Certificate"
+=head1 DSA CERTIFICATES
+Although the B<CA.pl> creates RSA CAs and requests it is still possible to
+use it with DSA certificates and requests using the L<req(1)|req(1)> command
+directly. The following example shows the steps that would typically be taken.
+Create some DSA parameters:
+ openssl dsaparam -out dsap.pem 1024
+Create a DSA CA certificate and private key:
+ openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
+Create the CA directories and files:
+ CA.pl -newca
+enter cacert.pem when prompted for the CA file name.
+Create a DSA certificate request and private key (a different set of parameters
+can optionally be created first):
+ openssl req -out newreq.pem -newkey dsa:dsap.pem 
+Sign the request:
+ CA.pl -signreq
 =head1 NOTES
 Most of the filenames mentioned can be modified by editing the B<CA.pl> script.

diff --git a/src/lib/libssl/src/doc/apps/CA.pl.pod b/src/lib/libssl/src/doc/apps/CA.pl.pod index 83e4c0af81..58e0f52001 100644 --- a/src/lib/libssl/src/doc/apps/CA.pl.pod +++ b/src/lib/libssl/src/doc/apps/CA.pl.pod
@@ -13,6 +13,7 @@ B<CA.pl>
13	[B<-help>]	13	[B<-help>]
14	[B<-newcert>]	14	[B<-newcert>]
15	[B<-newreq>]	15	[B<-newreq>]
		16	[B<-newreq-nodes>]
16	[B<-newca>]	17	[B<-newca>]
17	[B<-xsign>]	18	[B<-xsign>]
18	[B<-sign>]	19	[B<-sign>]
@@ -46,6 +47,10 @@ written to the file "newreq.pem".
46	creates a new certificate request. The private key and request are	47	creates a new certificate request. The private key and request are
47	written to the file "newreq.pem".	48	written to the file "newreq.pem".
48		49
		50	=item B<-newreq-nowdes>
		51
		52	is like B<-newreq> except that the private key will not be encrypted.
		53
49	=item B<-newca>	54	=item B<-newca>
50		55
51	creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>	56	creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
@@ -69,9 +74,16 @@ list box), otherwise the name "My Certificate" is used.
69		74
70	calls the B<ca> program to sign a certificate request. It expects the request	75	calls the B<ca> program to sign a certificate request. It expects the request
71	to be in the file "newreq.pem". The new certificate is written to the file	76	to be in the file "newreq.pem". The new certificate is written to the file
72	"newcert.pem" except in the case of the B<-xcert> option when it is written	77	"newcert.pem" except in the case of the B<-xsign> option when it is written
73	to standard output.	78	to standard output.
74		79
		80
		81	=item B<-signCA>
		82
		83	this option is the same as the B<-signreq> option except it uses the configuration
		84	file section B<v3_ca> and so makes the signed request a valid CA certificate. This
		85	is useful when creating intermediate CA from a root CA.
		86
75	=item B<-signcert>	87	=item B<-signcert>
76		88
77	this option is the same as B<-sign> except it expects a self signed certificate	89	this option is the same as B<-sign> except it expects a self signed certificate
@@ -102,6 +114,35 @@ the request and finally create a PKCS#12 file containing it.
102	CA.pl -signreq	114	CA.pl -signreq
103	CA.pl -pkcs12 "My Test Certificate"	115	CA.pl -pkcs12 "My Test Certificate"
104		116
		117	=head1 DSA CERTIFICATES
		118
		119	Although the B<CA.pl> creates RSA CAs and requests it is still possible to
		120	use it with DSA certificates and requests using the L<req(1)\|req(1)> command
		121	directly. The following example shows the steps that would typically be taken.
		122
		123	Create some DSA parameters:
		124
		125	openssl dsaparam -out dsap.pem 1024
		126
		127	Create a DSA CA certificate and private key:
		128
		129	openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
		130
		131	Create the CA directories and files:
		132
		133	CA.pl -newca
		134
		135	enter cacert.pem when prompted for the CA file name.
		136
		137	Create a DSA certificate request and private key (a different set of parameters
		138	can optionally be created first):
		139
		140	openssl req -out newreq.pem -newkey dsa:dsap.pem
		141
		142	Sign the request:
		143
		144	CA.pl -signreq
		145
105	=head1 NOTES	146	=head1 NOTES
106		147
107	Most of the filenames mentioned can be modified by editing the B<CA.pl> script.	148	Most of the filenames mentioned can be modified by editing the B<CA.pl> script.