Provided by: xca_2.9.0-1_amd64 
NAME
xca - X Certificate and key management
A GUI for handling X509 certificates, RSA/DSA/EC keys, PKCS#10 Requests and CRLs in Software and on
Smartcards.
SYNOPSIS
xca [OPTIONS]
DESCRIPTION
This application is intended as CA, certificate- and Key store. It uses a SQL database to store the
items. By default this is SQLite3, but MySQL and PostrgreSQL are also tested and supported. Known types
are Certificate signing requests (PKCS#10), Certificates (X509v3), RSA, DSA and EC keys and Certificate
revocation lists. The signing of requests, and the creation of self-signed certificates is supported.
Both can use templates for simplicity. The PKI structures can be imported and exported in several
formats like PKCS#12, PEM, DER, PKCS#8, PKCS#7.
XCA enables users to manage smartcards via the PKCS#11 interface
OPTIONS
--crlgen=<ca-identifier> *
Generate CRL for <ca>. Use the 'name' option to set the internal name of the new CRL.
--database=<database>
File name (*.xdb) of the SQLite database or a remote database descriptor:
[user@host/TYPE:dbname#prefix].
--exit Exit after importing items.
--help Print this help and exit.
--hierarchy=<directory> *
Save OpenSSL index hierarchy in <dir>.
--index=<file> *
Save OpenSSL index in <file>.
--import *
Import all provided items into the database.
--import-names *
A semicolon separated list of names applied to the imported items in the order found in the PEM
file and on the commandline.
--issuers *
Print all known issuer certificates that have an associated private key and the CA basic
constraints set to 'true'.
--keygen=<type> *
Generate a new key and import it into the database. Use the 'name' option to set the internal name
of the new key. The <type> parameter has the format: '[RSA|DSA|EC]:[<size>|<curve>].
--list-curves
Prints all known Elliptic Curves.
--list-items *
List all items in the database.
--name=<internal-name> *
Provides the name of new generated items. An automatic name will be generated if omitted.
--no-native-dialogs
Disables the native dialogs of the operating system for messages and file operations and uses Qt
specific dialogs instead.
--no-gui
Do not start the GUI. Alternatively set environment variable XCA_NO_GUI=1 or call xca as 'xca-
console' symlink.
--password=<password>
Database password for unlocking the database. See below for password format options.
--pem Print PEM representation of provided files. Prints only the public part of private keys.
--pem-file
Specify a file name for the PEM data. Implies '--pem'.
--print
Print a synopsis of provided files.
--select=<id-list> *
Selects all items in the comma separated id-list to be shown with 'print', 'text' or 'pem'.
--sqlpass=<password>
Password to access the remote SQL server. See below for password format options.
--text Print the content of provided files as OpenSSL does.
--verbose
Print debug log on stderr. Same as setting XCA_DEBUG=all. See XCA_DEBUG
--version
Print version information and exit.
Options marked with an asterisk need a database. Either from the commandline or as default database.
PASS PHRASE ARGUMENTS
The password options accept the same syntax as openssl does:
env:var
Obtain the password from the environment variable var. Since the environment of other processes is
visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with
caution.
fd:number
Read the password from the file descriptor number. This can be used to send the data via a pipe
for example.
file:pathname
The first line of pathname is the password. If the same pathname argument is supplied to password
and sqlpassword arguments then the first line will be used for both passwords. pathname need not
refer to a regular file: it could for example refer to a device or named pipe.
pass:password
The actual password is password. Since the password is visible to utilities (like 'ps' under Unix)
this form should only be used where security is not important.
stdin Read the password from standard input.
ENVIRONMENT VARIABLES
Some more or less useful environment variables are evaluated by xca
XCA_NO_GUI=1
Do not start the graphical user interface forcefully. Same as --no-gui argument. If both were not
given, XCA tries to be smart and looks at the other arguments to judge whether to start the GUI or
not.
XCA_DEBUG=<pattern>
The environment variable XCA_DEBUG controls the dynamic debugging. The format is a comma separate
list of pattern. Each pattern is: all|[-]<function>|[-]<filename>:<firstline>[-<lastline>] A
leading dash skips the match. The firstline and lastline may be empty and will be replaced by the
first and last line of the file. If -<lastline> is omitted then only the exact line number of
lastline is matched.
Example: XCA_DEBUG=all,-timerEvent Log everything but skip the annoying timerEvent messages.
Example: XCA_DEBUG=pki_base.cpp:100-,-pki_base.cpp:340 Log pki_base Messages from line 100 up to
the last line, except line 340.
XCA_ABORT_ON_WARNING=1
Developer option to crash into debugger in case of a warning-level log message. Documented for
completeness. Not useful for non-developers
XCA_PORTABLE=1
Force the windows portable mode. Documented for completeness. Not useful for non-developers
XCA_ARGUMENTS=<man|rst|completion>
Outputs the commandline arguments in man-page nroff, sphinx rst or as oneline list for command-
completion to automatically update the documentation if new arguments are added.
XCA_QPSQL_OPTIONS XCA_QMYSQL_OPTIONS XCA_QODBC_OPTIONS
Additional connection options for the SQL database drivers as described in
https://doc.qt.io/qt-5/qsqldatabase.html#setConnectOptions like QPSQL_OPTIONS=requiressl=1
SEE ALSO
A more detailed HTML documentation can be found in the doc directory, in the "Help" menu of the
application or on https://hohnstaedt.de/documentation
AUTHOR
This manual page was written by Christian Hohnstaedt <christian@hohnstaedt.de>
XCA(1)