.TH "ca-init" "1" "16 October 2009" "ca-scripts version 0.9" "SSL Certificate Authority utilities"
.SH NAME
ca-init \- initialise an SSL CA and generate certificates
.
.SH SYNOPSIS
.
.SY ca-init
.OP \-csx
.OP \-f config
.OP \-i template
.OP \-o output
.
.SY ca-init
.RB [ \-h " | " \-\-help ]
.YS
.
.SH DESCRIPTION
.
\fBca-init\fR reads the ca-scripts configuration file passed to the
\fB\-f\fR or \fB\-\-config\fR option, or \fI/etc/ca-scripts.conf\fR by
default, and uses the information there to generate an
.BR openssl (1)
configuration file and a certificate and private key suitable for use as an
.BR x509 (1)
certificate authority.
The format of the ca-scripts configuration file is documented in
.BR ca-scripts.conf (5).
.
.SH OPTIONS
.
.TP
\fB\-h\fR, \fB\-\-help\fR
Prints out a short synopsis of the options to
.BR ca-init (1).
.
.TP
\fB\-c\fR, \fB\-\-encrypt\fR
Encrypt the private key generated for the certificate authority with 3DES.
Without this option the key is written unencrypted and is protected only by
its 0400 file permissions (see \fBTHE CA DIRECTORY STRUCTURE\fR).
.
.TP
\fB\-f \fIFILE\fR, \fB\-\-config \fIFILE\fR
Load the ca-scripts configuration from \fIFILE\fR instead of
\fI/etc/ca-scripts.conf\fR.
.
.TP
\fB\-i \fIFILE\fR, \fB\-\-template \fIFILE\fR
Use the index.html template in \fIFILE\fR rather than the standard one
provided with ca-scripts.
See the \fBTEMPLATING\fR section of
.BR ca-scripts.conf (5)
for more details of the templating system.
Hint: it's
.BR sed (1)
based...
.
.TP
\fB\-o \fIFILE\fR, \fB\-\-output \fIFILE\fR
Generate an HTML page in \fIFILE\fR suitable for serving your CA certificate
and revocation lists via HTTP.
The default template is basic but provides MD5 and SHA1 fingerprints of both
files for verification purposes.
.
.TP
\fB\-s\fR, \fB\-\-crt-only\fR
Generate the CA certificate and private key from a previously-created openssl
configuration.
May only be used after having run \fBca-init\fR with the \fB\-\-cnf-only\fR
option, and is mutually exclusive with that option.
.
.TP
\fB\-x\fR, \fB\-\-cnf-only\fR
Create the initial CA directory structure and openssl configuration, but do
not generate the CA certificate and private key.
Using this option in conjunction with \fB\-\-crt-only\fR allows the user to
manually customise the openssl config before generating the certificates.
Mutually exclusive with \fB\-\-crt-only\fR.
.
.SH THE CA DIRECTORY STRUCTURE
.
\fBca-init\fR creates a number of subdirectories under the path specified in
the mandatory configuration variable \fICA_HOME\fR.
This path must exist before \fBca-init\fR will run correctly.
All files and directories under this path are created with a restrictive
umask of 0027, and in particular the CA private key is created with
permissions of 0400.
.PP
It is recommended but not required that a non-privileged system "ssl" user
and group are created for running the ca-scripts suite of utilities, and that
any local services needing access to a certificate are added to the "ssl"
group.
Access to generate certificates can be granted to individuals on a
multi-user system by adding them to the same group and allowing them to run
the ca-scripts utilities via
.BR sudo (8).
.PP
The directories \fBca-init\fR creates are as follows:
.TP
\fIcnf/\fR
Contains a cache of openssl configuration files created by the various
ca-scripts utilities from templates.
.
.TP
\fIcrl/\fR
Contains the certificate revocation list for the CA in both PEM and DER
forms.
.
.TP
\fIcrt/\fR
Contains the signed certificates generated by
.BR ca-create-cert (1).
.
.TP
\fIcsr/\fR
Contains the unsigned certificate signing requests generated by
.BR ca-create-cert (1).
.
.TP
\fIdb/\fR
Contains internal
.BR openssl (1ssl)
database files required for certificate authority management.
.
.TP
\fIidx/\fR
Contains signed certificates indexed by serial number to make certificate
revocation simpler.
.
.TP
\fIkey/\fR
Contains the private keys associated with the certificates in \fIcrt/\fR.
.
.TP
\fIp12/\fR
Contains any generated PKCS#12 certificate archives created by
.BR ca-create-cert (1).
.
.SH BUGS
Probably.
Of particular note is that the default openssl configuration file requires
the C (country) and O (organisation) fields of all generated certificates to
match those in the CA certificate, but
.BR ca-create-cert (1)
allows these fields to be changed.
.
.SH AVAILABILITY
New releases of the ca-scripts utilities can be found at
.UR http://\:www.pl0rt.org/\:code/\:ca-scripts
the developer's website.
.UE .
A
.UR git://\:git.pl0rt.org/\:alex/\:code/\:ca-scripts
git repository
.UE
for development versions also exists.
.
.SH AUTHORS
.
Copyright \(co 2009
.MT a.bramley@gmail.com
Alex Bramley
.ME .
.
.SH SEE ALSO
.
.BR ca-create-cert (1),
.BR ca-scripts.conf (5),
.BR openssl (1ssl),
.BR ca (1ssl),
.BR req (1ssl),
.BR x509 (1ssl),
.BR config (5ssl),
and
.BR x509v3_config (5ssl).
.
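.SH EXAMPLE
The following POSIX shell functions are an added illustration of the layout
and permissions described in \fBTHE CA DIRECTORY STRUCTURE\fR; they are not
part of ca-scripts and do not generate any key material.
The first recreates the \fICA_HOME\fR subdirectories under a umask of 0027
and refuses to run if \fICA_HOME\fR does not already exist, writing an empty
placeholder in place of the CA private key (the file name \fIkey/ca.key\fR is
an assumption) and setting it to 0400.
The second is the check an operator would run after \fBca-init\fR to confirm
that every subdirectory is 0750 and the key is readable only by its owner.

```sh
#!/bin/sh
# Added example (not ca-scripts code): recreate the CA_HOME layout that
# ca-init(1) describes, with umask 0027 and a 0400 private key, and verify it.

# Subdirectories listed in THE CA DIRECTORY STRUCTURE.
CA_SUBDIRS="cnf crl crt csr db idx key p12"

# ca_init_dirs CA_HOME
# Creates the subdirectories under an existing CA_HOME. Like ca-init, it
# refuses to run if CA_HOME does not already exist. The private key is a
# constructed, empty placeholder (no real key material) so the permission
# check can be exercised offline. The file name key/ca.key is assumed.
ca_init_dirs() {
    ca_home=$1
    if [ ! -d "$ca_home" ]; then
        echo "ca_init_dirs: $ca_home does not exist" >&2
        return 1
    fi
    (
        umask 0027                      # directories become 0750, files 0640
        for d in $CA_SUBDIRS; do
            mkdir -p "$ca_home/$d" || exit 1
        done
        key="$ca_home/key/ca.key"       # placeholder; ca-init writes the real key
        : > "$key"
        chmod 0400 "$key"               # owner read-only, as ca-init does
    )
}

# mode_of PATH: prints the ls-style permission string, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# ca_check_perms CA_HOME
# Returns 0 if every subdirectory is 0750 (drwxr-x---) and the key file is
# 0400 (-r--------), 1 otherwise, reporting each deviation on stderr.
ca_check_perms() {
    ca_home=$1
    rc=0
    for d in $CA_SUBDIRS; do
        m=$(mode_of "$ca_home/$d")
        if [ "$m" != "drwxr-x---" ]; then
            echo "$ca_home/$d has mode $m, expected drwxr-x---" >&2
            rc=1
        fi
    done
    m=$(mode_of "$ca_home/key/ca.key")
    if [ "$m" != "-r--------" ]; then
        echo "$ca_home/key/ca.key has mode $m, expected -r--------" >&2
        rc=1
    fi
    return $rc
}

# Usage (CA_HOME must already exist, as for ca-init):
#   ca_init_dirs /var/lib/ssl/ca && ca_check_perms /var/lib/ssl/ca
```

The umask is set inside a subshell so that it does not leak into the
caller's environment; the check deliberately compares the full permission
string rather than testing readability, so that a key accidentally widened
to 0640 (group-readable by the "ssl" group) is reported rather than silently
accepted.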