summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorChris Novakovic <chris@chrisn.me.uk>2020-09-04 00:42:56 +0200
committerDmitry Belyavskiy <beldmit@gmail.com>2020-09-11 13:32:27 +0200
commit64713cb10de05c2e3ac63300f4073b11f57287ba (patch)
treeb04238b1ae2aa8d38dbce0fb089e36fec0b65a2f /doc
parentImprove robustness and performance of building Unix static libraries (diff)
downloadopenssl-64713cb10de05c2e3ac63300f4073b11f57287ba.tar.xz
openssl-64713cb10de05c2e3ac63300f4073b11f57287ba.zip
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the lastUpdate and nextUpdate fields to be specified using the command line options -crl_lastupdate and -crl_nextupdate respectively. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12784)
Diffstat (limited to 'doc')
-rw-r--r--doc/man1/openssl-ca.pod.in20
1 files changed, 19 insertions, 1 deletions
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index d196565422..0253b994a0 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -22,6 +22,8 @@ B<openssl> B<ca>
[B<-crl_hold> I<instruction>]
[B<-crl_compromise> I<time>]
[B<-crl_CA_compromise> I<time>]
+[B<-crl_lastupdate> I<date>]
+[B<-crl_nextupdate> I<date>]
[B<-crldays> I<days>]
[B<-crlhours> I<hours>]
[B<-crlsec> I<seconds>]
@@ -337,6 +339,20 @@ This option has been deprecated and has no effect.
This option generates a CRL based on information in the index file.
+=item B<-crl_lastupdate> I<time>
+
+Allows the value of the CRL's lastUpdate field to be explicitly set; if
+this option is not present, the current time is used. Accepts times in
+YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
+YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
+
+=item B<-crl_nextupdate> I<time>
+
+Allows the value of the CRL's nextUpdate field to be explicitly set; if
+this option is present, any values given for B<-crldays>, B<-crlhours>
+and B<-crlsec> are ignored. Accepts times in the same formats as
+B<-crl_lastupdate>.
+
=item B<-crldays> I<num>
The number of days before the next CRL is due. That is the days from
@@ -781,7 +797,9 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
certificate validity period (specified by any of B<-startdate>,
-B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
+B<-enddate> and B<-days>) and CRL last/next update time (specified by
+any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
+and B<-crlsec>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.