XCA can be used without the GUI to analyze PKI items and to generate CRLs and keys. In this case no X-Server connection is required (Linux).



Generate CRL for <ca>. Use the 'name' option to set the internal name of the new CRL. 1


File name (*.xdb) of the SQLite database or a remote database descriptor: [user@host/TYPE:dbname#prefix].


Exit after importing items.


Print this help and exit.


Save OpenSSL index hierarchy in <dir>. 1


Save OpenSSL index in <file>. 1


Import all provided items into the database. 1


Print all known issuer certificates that have an associated private key and the CA basic constraints set to 'true'. 1


Generate a new key and import it into the database. Use the 'name' option to set the internal name of the new key. The <type> parameter has the format: '[RSA|DSA|EC]:[<size>|<curve>]'. 1


Prints all known Elliptic Curves.


Provides the name of newly generated items. An automatic name will be generated if omitted. 1


Do not start the GUI. Alternatively set environment variable XCA_NO_GUI=1 or call xca as 'xca-console' symlink.


Database password for unlocking the database.


Print PEM representation of provided files. Prints only the public part of private keys.


Print a synopsis of provided files.


Password to access the remote SQL server.


Print the content of provided files as OpenSSL does.


Print debug log on stderr. Alternatively set the environment variable XCA_DEBUG=1.


Print version information and exit.


1 Requires a database, either from the command line or as the default database.

Passphrase arguments

The password options accept the same syntax as OpenSSL does:


Obtain the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes), this option should be used with caution.


Read the password from the file descriptor number. This can be used to send the data via a pipe for example.


The first line of pathname is the password. If the same pathname argument is supplied to password and sqlpassword arguments then the first line will be used for both passwords. pathname need not refer to a regular file: it could for example refer to a device or named pipe.


The actual password is password. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important.


Read the password from standard input.
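The difference between passing the password on the command line and passing it through a file descriptor, as an added example that is not part of the XCA documentation. The child process is a hypothetical stand-in for a tool that accepts these arguments, the `pass:` and `fd:` prefixes are assumed from OpenSSL's passphrase-argument syntax, the secret is a constructed value, and a Linux `/proc` filesystem is assumed.

```python
import os
import subprocess
import sys

SECRET = "constructed-demo-passphrase"  # constructed sample value

# Hypothetical stand-in for a tool taking an OpenSSL-style passphrase argument:
# resolves pass:<password> or fd:<number>, prints the length, waits on stdin.
CHILD = r"""
import os, sys
kind, _, value = sys.argv[1].partition(":")
if kind == "pass":
    pw = value
elif kind == "fd":
    with os.fdopen(int(value)) as f:
        pw = f.readline().rstrip("\n")
else:
    sys.exit(2)
print(len(pw), flush=True)
sys.stdin.read()
"""

def run(pass_arg, fds=()):
    """Start the stand-in; return (length it read, argv as ps would see it)."""
    with subprocess.Popen([sys.executable, "-c", CHILD, pass_arg],
                          stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          pass_fds=fds, text=True) as p:
        length = int(p.stdout.readline())
        with open(f"/proc/{p.pid}/cmdline", "rb") as f:
            visible = f.read().decode().split("\0")
    return length, visible

def via_pass():
    return run("pass:" + SECRET)

def via_fd():
    r, w = os.pipe()
    os.write(w, (SECRET + "\n").encode())
    os.close(w)
    try:
        return run(f"fd:{r}", fds=(r,))
    finally:
        os.close(r)

if __name__ == "__main__":
    for label, fn in (("pass:", via_pass), ("fd:", via_fd)):
        length, visible = fn()
        leaked = any(SECRET in a for a in visible)
        print(f"{label:6} read {length} chars, secret visible in argv: {leaked}")
```

In both runs the child receives the full password, but only the file-descriptor form keeps it out of the process listing.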