ssl-admin(1)		    General Commands Manual		  ssl-admin(1)

NAME
       ssl-admin - OpenSSL Certificate Manager

SYNOPSIS
       ssl-admin

DESCRIPTION
       ssl-admin is a menu-driven tool designed to simplify the management and
       distribution of SSL certificates.  ssl-admin was originally written to
       manage SSL certificates for use with OpenVPN.  This functionality has
       not been removed.

CORE FUNCTIONS
       There are a number of core operations within ssl-admin, often mutually
       exclusive of one another.  For example, you cannot generate a new CA
       certificate and generate a client certificate all at once.

       --new-ca
	      This command will	generate a new root certificate	and  key  pair
	      and  store  the  new files in work-dir.  If you add the optional
	      --clean argument,	you will wipe  out  the	 existing  certificate
	      store.

       --int-ca
	      This command will generate an intermediate CA certificate which
	      can be used for signing sub keys, etc.

       --client-cert, --ccert
	      This will	generate a client signing  request,  certificate,  and
	      key.

       --server-cert, --scert
	      This  will  generate  a client signing request, certificate, and
	      key, with	server extensions enabled.

       --dh, --diffie-hellman
	      Generates	the Diffie-Hellman prime.

       --revoke
	      Used to revoke a certificate in the store.

       --crl-list
	      This outputs a list of revoked certificates.

DIRECTORIES
       There are a  number  of	directories  within  /usr/local/etc/ssl-admin/
       which contain the working and datafiles.

       ACTIVE (/usr/local/etc/ssl-admin/active)
	      The  active  directory  contains certificates that have not been
	      revoked. The only	keys that  are	REQUIRED  to  be  present  are
	      ca.crt and ca.key.

       CSR (/usr/local/etc/ssl-admin/csr)
	      The csr directory	contains certificate signing requests and keys
	      for those	keys which have	been created using ssl-admin.  If  you
	      need  to sign a certificate signing request generated elsewhere,
	      place the	.csr here. The	key  files  are	 not  required	to  be
	      present.

       PACKAGES	(/usr/local/etc/ssl-admin/packages)
	      The packages directory contains any zipped packages you've built
	      with ssl-admin.	Packages  are  generally  used	to  distribute
	      signed certificates to end users.

       PROG (/usr/local/etc/ssl-admin/prog)
	      The prog directory contains all the data files used by
	      ssl-admin.  DO NOT EDIT OR MODIFY THE FILES IN THIS DIRECTORY
	      unless you know exactly what you are doing.  If you are running
	      OpenVPN, you may point your OpenVPN crl-verify config option to
	      /usr/local/etc/ssl-admin/prog/crl.pem.

       REVOKED (/usr/local/etc/ssl-admin/revoked)
	      The  revoked  directory contains certificates and	keys for those
	      certificates that	have been revoked within ssl-admin.

MENU OPTIONS
       UPDATE RUN-TIME OPTIONS
	      Allows the user to update	key  duration  in  days,  desired  key
	      size, and	whether	to enable intermediate CA signing.

       CREATE NEW CERTIFICATE REQUEST
	      Creates  a CSR, or Certificate Signing Request.  Useful when the
	      user needs to send such to a third-party certificate authority.

       SIGN A CERTIFICATE REQUEST
	      Signs a submitted	Certificate Signing Request.  This can	either
	      be  created using	option 2 or one	that has been submitted	to the
	      user from	an alternate source.

       PERFORM A ONE-STEP REQUEST/SIGN
	      In some scenarios, such as OpenVPN installations, the
	      administrator will provide both the certificate and key.  Both
	      elements are needed to create in-line certificates.

       REVOKE A	CERTIFICATE
	      This revokes a previously signed certificate.  This does
	      absolutely zero good unless you are using and distributing the
	      certificate revocation list!!!

       RENEW/RE-SIGN A PAST CERTIFICATE	REQUEST

       VIEW CURRENT CRL
	      Allows you to view/inspect the current Certificate Revocation
	      List.

       VIEW INDEX INFORMATION
	      Allows you to inspect the	current	OpenSSL	CA index file.

       GENERATE	A USER CONFIG WITH IN-LINE CERTIFICATES	AND KEYS
	      Given a standard, non-inline OpenVPN configuration file, this
	      option will replace certificate and key file name arguments with
	      their in-line counterparts.  The end result is a single
	      <cn>.ovpn file which contains all of the cryptographic keys and
	      certificates, embedded within the OpenVPN configuration.

       ZIP/PACKAGE END-USER FILES
	      As an alternative to the in-line config, above, this option will
	      create a zip file for the given common name that includes that
	      CN's certificate, key, the CA certificate, and the OpenVPN
	      configuration.  This file is then left in the packages directory
	      for distribution to the end user.

       GENERATE	DIFFIE-HELLMAN
	      This generates the Diffie-Hellman parameters used to more
	      securely exchange cryptographic keys.  For more information,
	      please see
	      http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

       CREATE SELF-SIGNED CA

       CREATE SIGNED SERVER CERTIFICATE

       QUIT SSL-ADMIN
	      This option quits	the program and	returns	the user to the	shell.
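
       The in-line substitution described under GENERATE A USER CONFIG WITH
       IN-LINE CERTIFICATES AND KEYS, sketched in Python as an added example
       (not ssl-admin's own code).  The function names, file names and
       placeholder PEM bodies are assumptions constructed for illustration;
       <ca>, <cert> and <key> are OpenVPN's inline block tags.

```python
import os
import re

# Matches one PEM object; the back-reference keeps BEGIN/END labels paired.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# A ca/cert/key directive followed by a file name (optionally double-quoted).
DIRECTIVE_RE = re.compile(r'^\s*(ca|cert|key)\s+"?([^"\s]+)"?\s*$')

def pem_only(text):
    """Keep only the PEM objects, dropping any human-readable dump around them."""
    blocks = [m.group(0) for m in PEM_RE.finditer(text)]
    if not blocks:
        raise ValueError("no PEM object found")
    return "\n".join(blocks)

def inline_config(config_text, read_file):
    """Replace ca/cert/key file arguments with <ca>/<cert>/<key> blocks.

    read_file(name) must return the text of the referenced file.
    """
    out = []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m is None:
            out.append(line)  # comments and other options pass through
            continue
        tag, name = m.groups()
        out += ["<%s>" % tag, pem_only(read_file(name)), "</%s>" % tag]
    return "\n".join(out) + "\n"

def write_private(path, text):
    """Create the .ovpn file readable by its owner only; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

# Constructed sample input: placeholder PEM bodies, not real key material.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nQ0EK\n-----END CERTIFICATE-----\n",
    "alice.crt": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                 "-----BEGIN CERTIFICATE-----\nQUxJQ0UK\n-----END CERTIFICATE-----\n",
    "alice.key": "-----BEGIN PRIVATE KEY-----\nS0VZCg==\n-----END PRIVATE KEY-----\n",
}
SAMPLE_CONFIG = ("client\nremote vpn.example.org 1194\n# key material\n"
                 "ca ca.crt\ncert alice.crt\nkey alice.key\n")

if __name__ == "__main__":
    print(inline_config(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__))
```

       The resulting file embeds the client's private key, which is why the
       sketch creates it with mode 0600 and refuses to overwrite an existing
       file.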

NOTES
       This man	page needs to be completed.

BUGS
       Upon starting ssl-admin,	the user is prompted to	enter the new CN twice
       to generate a key.

FILES
       /usr/local/etc/ssl-admin/ssl-admin.conf

SEE ALSO
       ssl-admin.conf(5), openssl(1)

AUTHOR
       Eric Crist <ecrist@secure-computing.net>

       v1.2.1 $Id: ssl-admin.1 356 2014-06-25 02:59:57Z	ecrist $

								  ssl-admin(1)
