ssl-admin man page on DragonFly


ssl-admin(1)							  ssl-admin(1)

NAME
       ssl-admin - OpenSSL Certificate Manager

SYNOPSIS
       ssl-admin

DESCRIPTION
       ssl-admin is a menu-driven tool designed to simplify the management and
       distribution of SSL certificates.  ssl-admin was originally written to
       manage  SSL  certificates for use with OpenVPN.	This functionality has
       not been removed.

CORE FUNCTIONS
       There are a number of core operations within ssl-admin, often mutually
       exclusive of one another.  For example, you cannot generate a new CA
       certificate and generate a client certificate all at once.

       --new-ca
	      This command will generate a new root certificate and  key  pair
	      and  store  the  new files in work-dir.  If you add the optional
	      --clean argument, you will wipe  out  the	 existing  certificate
	      store.

       --int-ca
	      This command will generate an intermediate CA certificate which
	      can be used for signing sub keys, etc.

       --client-cert, --ccert
	      This will generate a client signing  request,  certificate,  and
	      key.

       --server-cert, --scert
	      This  will  generate  a client signing request, certificate, and
	      key, with server extensions enabled.

       --dh, --diffie-hellman
	      Generates the Diffie-Hellman prime.

       --revoke
	      Used to revoke a certificate in the store.

       --crl-list
	      This outputs a list of revoked certificates.

DIRECTORIES
       There are a number of directories within /usr/local/etc/ssl-admin/
       which contain the working and data files.

       ACTIVE (/usr/local/etc/ssl-admin/active)
	      The  active  directory  contains certificates that have not been
	      revoked. The only keys that  are	REQUIRED  to  be  present  are
	      ca.crt and ca.key.

       CSR (/usr/local/etc/ssl-admin/csr)
	      The csr directory contains certificate signing requests and keys
	      for those keys which have been created using ssl-admin.  If  you
	      need  to sign a certificate signing request generated elsewhere,
	      place the .csr here. The	key  files  are	 not  required	to  be
	      present.

       PACKAGES (/usr/local/etc/ssl-admin/packages)
	      The packages directory contains any zipped packages you've built
	      with ssl-admin.	Packages  are  generally  used	to  distribute
	      signed certificates to end users.

       PROG (/usr/local/etc/ssl-admin/prog)
	      The prog directory contains all the data files used by
	      ssl-admin.  DO NOT EDIT OR MODIFY THE FILES IN THIS DIRECTORY
	      unless you know exactly what you are doing.  If you are running
	      OpenVPN, you may point your OpenVPN crl-verify config option to
	      /usr/local/etc/ssl-admin/prog/crl.pem.

       REVOKED (/usr/local/etc/ssl-admin/revoked)
	      The  revoked  directory contains certificates and keys for those
	      certificates that have been revoked within ssl-admin.

MENU OPTIONS
       UPDATE RUN-TIME OPTIONS
	      Allows the user to update key  duration  in  days,  desired  key
	      size, and whether to enable intermediate CA signing.

       CREATE NEW CERTIFICATE REQUEST
	      Creates  a CSR, or Certificate Signing Request.  Useful when the
	      user needs to send such to a third-party certificate authority.

       SIGN A CERTIFICATE REQUEST
	      Signs a submitted Certificate Signing Request.  The request can
	      either be one created using option 2 or one that has been
	      submitted to the user from an alternate source.

       PERFORM A ONE-STEP REQUEST/SIGN
	      In some scenarios, such as OpenVPN installations, the
	      administrator will provide both the certificate and key.  Both
	      elements are needed to create in-line certificates.

       REVOKE A CERTIFICATE
	      This revokes a previously signed certificate.  This does
	      absolutely zero good unless you are using and distributing the
	      certificate revocation list!!!

       RENEW/RE-SIGN A PAST CERTIFICATE REQUEST

       VIEW CURRENT CRL
	      Allows you to view/inspect the current Certificate Revocation
	      List.

       VIEW INDEX INFORMATION
	      Allows you to inspect the current OpenSSL CA index file.

       GENERATE A USER CONFIG WITH IN-LINE CERTIFICATES AND KEYS
	      Given a standard, non-inline OpenVPN configuration file, this
	      option will replace certificate and key file name arguments with
	      their in-line counterparts.  The end result is a single
	      <cn>.ovpn file which contains all of the cryptographic keys and
	      certificates, embedded within the OpenVPN configuration.

       ZIP/PACKAGE END-USER FILES
	      As an alternative to the in-line config, above, this option will
	      create a zip file for the given common name that includes that
	      CN certificate, key, the CA certificate, and the OpenVPN
	      configuration.  This file is then left in the packages directory
	      for distribution to the end user.

       GENERATE DIFFIE-HELLMAN
	      This generates the Diffie-Hellman parameters used to more
	      securely exchange cryptographic keys.  For more information,
	      please see
	      http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

       CREATE SELF-SIGNED CA

       CREATE SIGNED SERVER CERTIFICATE

       QUIT SSL-ADMIN
	      This option quits the program and returns the user to the shell.
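
The in-line conversion described under GENERATE A USER CONFIG WITH IN-LINE CERTIFICATES AND KEYS, sketched in shell. This is an added example, not ssl-admin's own code; the function names, file names (client.conf, alice.crt, alice.key), host name and PEM bodies are constructed for illustration. Because the resulting file embeds the private key, the demo creates it under umask 077.

```sh
#!/bin/sh
# Added example, not ssl-admin's code: replace the ca/cert/key file arguments
# of an OpenVPN config with in-line <ca>/<cert>/<key> blocks.

# inline_ovpn CONFIG DIR: print the in-line config on stdout. Relative file
# names resolve against DIR. Fails if a referenced file holds no PEM block.
inline_ovpn() {
    awk -v dir="$2" '
        NF == 2 && ($1 == "ca" || $1 == "cert" || $1 == "key") {
            file = ($2 ~ /^\//) ? $2 : dir "/" $2
            print "<" $1 ">"
            n = 0; pem = 0
            while ((getline l < file) > 0) {
                if (l ~ /^-----BEGIN /) pem = 1
                if (pem) { print l; n++ }  # skip text dumps around the PEM
                if (l ~ /^-----END /) pem = 0
            }
            close(file)
            if (n == 0) { failed = 1; exit }
            print "</" $1 ">"
            next
        }
        { print }
        END { exit failed }
    ' "$1"
}

# make_sample DIR: constructed config and placeholder PEM files (real PEM
# armor lines, dummy bodies, no actual key material).
make_sample() {
    printf '%s\n' client 'remote vpn.example.org 1194' 'ca ca.crt' \
        'cert alice.crt' 'key alice.key' > "$1/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDERCA \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' \
        '-----BEGIN CERTIFICATE-----' PLACEHOLDERCERT \
        '-----END CERTIFICATE-----' > "$1/alice.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' PLACEHOLDERKEY \
        '-----END PRIVATE KEY-----' > "$1/alice.key"
}

# Demo: the output embeds the private key, so create it with mode 0600.
tmp=$(mktemp -d)
make_sample "$tmp"
( umask 077; inline_ovpn "$tmp/client.conf" "$tmp" > "$tmp/alice.ovpn" )
cat "$tmp/alice.ovpn"
rm -rf "$tmp"
```

A non-zero exit status means a referenced file was missing or held no PEM block; discard the partial output in that case.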

NOTES
       This man page needs to be completed.

BUGS
       Upon starting ssl-admin, the user is prompted to enter the new CN twice
       to generate a key.

FILES
       /usr/local/etc/ssl-admin/ssl-admin.conf

SEE ALSO
       ssl-admin.conf(5), openssl(1)

AUTHOR
       Eric Crist <ecrist@secure-computing.net>

       v1.2.1 $Id: ssl-admin.1 356 2014-06-25 02:59:57Z ecrist $

								  ssl-admin(1)