author Chris Novakovic <chris@chrisn.me.uk> 2020-09-03 23:42:56 +0100
committer Dmitry Belyavskiy <beldmit@gmail.com> 2020-09-11 14:32:27 +0300
commit 64713cb10de05c2e3ac63300f4073b11f57287ba
tree b04238b1ae2aa8d38dbce0fb089e36fec0b65a2f /doc
parent 0e60ce6334c86d271df5342029639048a635fefa
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the lastUpdate and nextUpdate fields to be specified using the command line options -crl_lastupdate and -crl_nextupdate respectively.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12784)
Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-ca.pod.in 20
1 files changed, 19 insertions, 1 deletions
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index d196565422..0253b994a0 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -22,6 +22,8 @@ B<openssl> B<ca>
[B<-crl_hold> I<instruction>]
[B<-crl_compromise> I<time>]
[B<-crl_CA_compromise> I<time>]
+[B<-crl_lastupdate> I<date>]
+[B<-crl_nextupdate> I<date>]
[B<-crldays> I<days>]
[B<-crlhours> I<hours>]
[B<-crlsec> I<seconds>]
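Review bot: The two synopsis entries added here name their argument I<date>, but the =item headings for the same options further down use I<time>. Use one placeholder in both places; I<time> would match the neighbouring -crl_compromise and -crl_CA_compromise entries.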
@@ -337,6 +339,20 @@ This option has been deprecated and has no effect.
This option generates a CRL based on information in the index file.
+=item B<-crl_lastupdate> I<time>
+
+Allows the value of the CRL's lastUpdate field to be explicitly set; if
+this option is not present, the current time is used. Accepts times in
+YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
+YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
+
+=item B<-crl_nextupdate> I<time>
+
+Allows the value of the CRL's nextUpdate field to be explicitly set; if
+this option is present, any values given for B<-crldays>, B<-crlhours>
+and B<-crlsec> are ignored. Accepts times in the same formats as
+B<-crl_lastupdate>.
+
=item B<-crldays> I<num>
The number of days before the next CRL is due. That is the days from
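Review bot: The -crl_lastupdate and -crl_nextupdate items do not say how the two values are checked against each other or how -crl_lastupdate interacts with the relative options. Please document whether a nextUpdate earlier than lastUpdate is rejected, and whether -crldays, -crlhours and -crlsec are counted from the supplied lastUpdate or from the current time when only -crl_lastupdate is given. Relying parties use these two fields to decide whether a CRL is current, so an operator needs to know what the tool will refuse. Minor: "ASN1" would read better as "ASN.1" in both format descriptions.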
@@ -781,7 +797,9 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
certificate validity period (specified by any of B<-startdate>,
-B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
+B<-enddate> and B<-days>) and CRL last/next update time (specified by
+any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
+and B<-crlsec>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
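Review bot: The extended sentence says CRL times are encoded according to the year, while the new -crl_lastupdate item accepts both YYMMDDHHMMSSZ and YYYYMMDDHHMMSSZ input, and nothing states that the input format does not select the encoding. Add a sentence making that explicit, for example that a date before 2050 supplied in the 15-character form is still written as UTCTime. The inserted parenthetical also pushes "will be encoded" far from its subject; splitting the certificate and CRL cases into two sentences would read more clearly.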