Appendix B: CA Database

Index File

The index file consists of zero or more lines, each containing the following fields separated by tab characters:

  1. Certificate status flag (V=valid, R=revoked, E=expired).

  2. Certificate expiration date in YYMMDDHHMMSSZ format.

  3. Certificate revocation date in YYMMDDHHMMSSZ[,reason] format. Empty if not revoked.

  4. Certificate serial number in hex.

  5. Certificate filename or literal string ‘unknown’.

  6. Certificate distinguished name.

The openssl ca command uses this file as certificate database.

Attribute File

The attribute file contains a single line: unique_subject = no. It reflects the setting in the CA section of the configuration file at the time the first record is added to the database.

Serial Number Files

The openssl ca command uses two serial number files:

  1. Certificate serial number file.

  2. CRL number file.

The files contain the next available serial number in hex.


  1. The entire database must fit into memory.

  2. There are no provisions for concurrency handling.