openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file][-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time ] [ -subj subj] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date][-days arg] [-md arg] [-policy arg] [-keyfile arg] [-keyform arg] [-key arg] [-passin arg] [-cert file][-selfsign] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-batch] [-msie_hack] [-extensions section][-utf8] [-create_serial] [-multivalue-rdn] [-sigopt] [-noemailDN][ -crlsec] [-extfile file] [-updatedb] [ -engine id ]

-verbose        - Talk alot while doing things

 -config file    - A config file

 -name arg       - The particular CA definition to use

 -gencrl         - Generate a new CRL

 -crldays days   - Days is when the next CRL is due

 -crlhours hours - Hours is when the next CRL is due

 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore

 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)

 -days arg       - number of days to certify the certificate for

 -md arg         - md to use, see openssl dgst -h for list

 -policy arg     - The CA 'policy' to support

 -keyfile arg    - private key file

 -keyform arg    - private key file format (PEM or ENGINE)

 -key arg        - key to decode the private key if it is encrypted

 -cert file      - The CA certificate

 -selfsign       - sign a certificate with the key associated with it

 -in file        - The input PEM encoded certificate request(s)

 -out file       - Where to put the output file(s)

 -outdir dir     - Where to put output certificates

 -infiles ....   - The last argument, requests to process

 -spkac file     - File contains DN and signed public key and challenge

 -ss_cert file   - File contains a self signed cert to sign

 -preserveDN     - Don't re-order the DN

 -noemailDN      - Don't add the EMAIL field into certificate' subject

 -batch          - Don't ask questions

 -msie_hack      - msie modifications to handle all those universal strings

 -revoke file    - Revoke a certificate (given in file)

 -subj arg       - Use arg instead of request's subject

 -utf8           - input characters are UTF8 (default ASCII)

 -multivalue-rdn - enable support for multivalued RDNs

 -extensions ..  - Extension section (override value in config file)

 -extfile file   - Configuration file with X509v3 extentions to add

 -crlexts ..     - CRL extension section (override value in config file)

 -engine e       - use engine e, possibly a hardware device.

 -status serial  - Shows certificate status given the serial number

 -updatedb       - Updates db for expired certificates

openssl ca -in cert_req.pem -extensions v3_ca -out newcert.pem

openssl ca -config openssl.cnf -name CA_default -days  -md sha1 -policy policy_anything -cert demoCA/cacert.pem -in cert_req.pem -out cert1.pem -preserveDN -noemailDN -subj /CN=CN/O=JS/OU=WX/cn=myname -extensions myexts

openssl ca -revoke rsa_server_cert.pem -config openssl_utf8.cnf -keyfile rsa_ca_prikey.pem -passin pass:"" -cert rsa_ca_cert.pem

openssl ca -gencrl -config openssl_utf8.cnf -utf8 -keyfile rsa_ca_prikey.pem -passin pass:"" -cert rsa_ca_cert.pem -out crl.pem

openssl ca -gencrl -crl_reason keyCompromise -crl_compromise 20010101030303Z  -crl_hold holdInstructionReject -crl_CA_compromise  20020101030303Z -crldays  -out crl2.crl

参考：http://blog.csdn.net/as3luyuan123/article/details/13346613