ssl-admin - OpenSSL Certificate Manager
is a menu-driven tool designed to simplify the management and
distriibution of SSL certificates. ssl-admin was originally written to manage
SSL certificates for use with OpenVPN. This functionality has not been
There are a number of core operations within ssl-admin
, often times
mutually exlusive of one another. For example, you cannot generate a new CA
certificate and generate a client certificate all at once.
- This command will generate a new root certificate and key pair and store
the new files in work-dir. If you add the optional --clean
argument, you will wipe out the existing certificate store.
- This command will generate an intermediate CA certficate which can be used
for signing sub keys, etc.
- --client-cert, --ccert
- This will generate a client signing request, certificate, and key.
- --server-cert, --scert
- This will generate a client signing request, certificate, and key, with
server extensions enabled.
- --dh, --diffie-hellman
- Generates the Diffie-Hellman prime.
- Used to revoke a certificate in the store.
- This outputs a list of revoked certificates.
There are a number of directories within /usr/local/etc/ssl-admin/ which contain
the working and datafiles.
- ACTIVE (/usr/local/etc/ssl-admin/active)
- The active directory contains certificates that have not been revoked. The
only keys that are REQUIRED to be present are ca.crt and ca.key.
- CSR (/usr/local/etc/ssl-admin/csr)
- The csr directory contains certificate signing requests and keys for those
keys which have been created using ssl-admin. If you need to sign a
certificate signing request generated elsewhere, place the .csr here. The
key files are not required to be present.
- PACKAGES (/usr/local/etc/ssl-admin/packages)
- The packages directory contains any zipped packages you've built with
ssl-admin. Packages are generally used to distribute signed certificates
to end users.
- PROG (/usr/local/etc/ssl-admin/prog)
- The prog directory contains all the data files used by ssl-admin. DO
NOT EDIT OR MODIFY THE FILES IN THIS DIRECTORY unless you know exactly
what you are doing. If you are running OpenVPN, you may point your OpenVPN
crl-verify config option to /usr/local/etc/ssl-admin/prog/crl.pem.
- REVOKED (/usr/local/etc/ssl-admin/revoked)
- The revoked directory contains certificates and keys for those
certificates that have been revoked within ssl-admin.
- UPDATE RUN-TIME OPTIONS
- Allows the user to update key duration in days, desired key size, and
whether to enable intermediate CA signing.
- CREATE NEW CERTIFICATE REQUEST
- Creates a CSR, or Certificate Signing Request. Useful when the user needs
to send such to a third-party certificate authority.
- SIGN A CERTIFICATE REQUEST
- Signs a submitted Certificate Signing Request. This can either be created
using option 2 or one that has been submitted to the user from an
- PERFORM A ONE-STEP REQUEST/SIGN
- In some scenarios, such as OpenVPN installations, the administrator will
provide both the certificate and key. Both elements are needed to create
- REVOKE A CERTIFICATE
- This revokes a previously signed certificate. This does absolutely zero
good unless you are using and distributing the certificate
- RENEW/RE-SIGN A PAST CERTIFICATE REQUEST
- VIEW CURRENT CRL
- Allows you to view/inspect the current Certificate Revokation List
- VIEW INDEX INFORMATION
- Allows you to inspect the current OpenSSL CA index file.
- GENERATE A USER CONFIG WITH IN-LINE CERTIFICATES AND KEYS
- Given a standard, non-inline OpenVPN configuration file, this option will
replace certificate and key file name arguments with their in-line counter
parts. The end result is a single <cn>.ovpn file which contains all
of the cryptographic keys and certificates, embedded within the OpenVPN
- ZIP/PACKAGE END-USER FILES
- As an alternative to the in-line config, above, this option will create a
zip file for the given common name that includes that CN certificate, key,
the CA certificate, and the OpenVPN configuration. This file is then left
in the packages directory for distribution to the end user.
- GENERATE DIFFIE-HELLMAN
- This generated the Diffie-Hellman parameters used to more securely
exchange cryptographic keys. For more information, please see
- CREATE SELF-SIGNED CA
- CREATE SIGNED SERVER CERTIFICATE
- QUIT SSL-ADMIN
- This option quits the program and returns the user to the shell.
This man page needs to be completed.
- Upon starting ssl-admin, the user is prompted to enter the new CN twice to
generate a key.
Eric Crist <email@example.com>
v1.2.1 $Id: ssl-admin.1 356 2014-06-25 02:59:57Z ecrist $