PKI --SELF(1)                      strongSwan                      PKI --SELF(1)

NAME
       pki --self - Create a self-signed certificate

SYNOPSIS
       pki --self [--in file|--keyid hex] [--type t] --dn distinguished-name
                  [--san subjectAltName] [--lifetime days]
                  [--not-before datetime] [--not-after datetime] [--serial hex]
                  [--flag flag] [--digest digest] [--ca] [--ocsp uri]
                  [--pathlen len] [--nc-permitted name] [--nc-excluded name]
                  [--policy-mapping mapping] [--policy-explicit len]
                  [--policy-inhibit len] [--policy-any len]
                  [--cert-policy oid [--cps-uri uri] [--user-notice text]]
                  [--outform encoding] [--debug level]

       pki --self --options file

       pki --self -h | --help

DESCRIPTION
       This sub-command of pki(1) is used to create a self-signed certificate.

OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Private key input file. If not given the key is read from STDIN.

       -x, --keyid hex
              Key ID of a private key on a smartcard.

       -t, --type type
              Type of the input key. Either rsa or ecdsa, defaults to rsa.

       -d, --dn distinguished-name
              Subject and issuer distinguished name (DN). Required.

       -a, --san subjectAltName
              subjectAltName extension to include in the certificate. Can be
              used multiple times.

       -l, --lifetime days
              Days the certificate is valid, default: 1095. Ignored if both an
              absolute start and end time are given.

       -F, --not-before datetime
              Absolute time when the validity of the certificate begins. The
              datetime format is defined by the --dateform option.

       -T, --not-after datetime
              Absolute time when the validity of the certificate ends. The
              datetime format is defined by the --dateform option.

       -D, --dateform form
              strptime(3) format for the --not-before and --not-after options,
              default: %d.%m.%y %T

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth,
              crlSign, or ocspSigning. Can be used multiple times.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224,
              sha256, sha384, or sha512. Defaults to sha1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

       -b, --ca
              Include CA basicConstraint extension in the certificate.

       -o, --ocsp uri
              OCSP AuthorityInfoAccess URI to include in the certificate. Can
              be used multiple times.

       -p, --pathlen len
              Set path length constraint.

       -n, --nc-permitted name
              Add permitted NameConstraint extension to the certificate.

       -N, --nc-excluded name
              Add excluded NameConstraint extension to the certificate.

       -M, --policy-mapping issuer-oid:subject-oid
              Add policyMapping from issuer to subject OID.

       -E, --policy-explicit len
              Add requireExplicitPolicy constraint.

       -H, --policy-inhibit len
              Add inhibitPolicyMapping constraint.

       -A, --policy-any len
              Add inhibitAnyPolicy constraint.

   Certificate Policy
       Multiple certificatePolicy extensions can be added, each with the
       following information:

       -P, --cert-policy oid
              OID to include in the certificatePolicy extension. Required.

       -C, --cps-uri uri
              Certification Practice Statement URI for the certificatePolicy.

       -U, --user-notice text
              User notice for the certificatePolicy.

EXAMPLES
       Generate a self-signed certificate using the given RSA key:

              pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
                  --san moon.strongswan.org > cert.der

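       A fuller walk-through, added here and not part of the strongSwan man
       page: it builds a self-signed CA certificate with pki --self, choosing
       sha256 over the default sha1 and PEM over DER, constrains the CA with
       --ca, --pathlen and --nc-permitted, and reads the certificate back to
       confirm those extensions are present. It assumes pki(1) is installed
       and uses its --gen and --print sub-commands, which this page does not
       describe; the file names and DN are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the strongSwan man page. Builds a self-signed CA
# certificate with pki --self using explicit settings and checks the result.
# Assumes strongSwan's pki(1) is installed; --gen and --print are sibling
# sub-commands of pki(1), not described on this page.
set -eu

KEY=${KEY:-ca_key.pem}      # private key written by gen_key (example name)
CERT=${CERT:-ca_cert.pem}   # certificate written by make_ca (example name)

# Generate the RSA private key the certificate will be built on.
gen_key() {
    pki --gen --type rsa --size 3072 --outform pem > "$KEY"
}

# Create the self-signed CA certificate. Every default that matters for
# security is overridden: sha256 instead of the default sha1, PEM output
# instead of DER, an explicit CA basicConstraints with pathlen 0 (the CA may
# only issue end-entity certificates) and a name constraint limiting the
# namespace it is allowed to certify.
make_ca() {
    pki --self --in "$KEY" --type rsa \
        --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
        --ca --pathlen 0 \
        --nc-permitted strongswan.org \
        --lifetime 3650 \
        --digest sha256 \
        --outform pem > "$CERT"
}

# Verify that the options took effect by reading the certificate back with
# pki --print. Returns 1 if the file is not PEM or the CA flag / path length
# constraint is missing, so a misconfigured CA is noticed before deployment.
check_ca() {
    grep -q 'BEGIN CERTIFICATE' "$CERT" || return 1
    out=$(pki --print --in "$CERT" --type x509)
    printf '%s\n' "$out" | grep -q 'flags:.*CA' || return 1
    printf '%s\n' "$out" | grep -q 'pathlen:.*0' || return 1
}

# Run all three steps; set -e aborts on the first failure.
run_all() {
    gen_key && make_ca && check_ca
}
```

       Source the script and call run_all, or call the three functions in
       turn; a non-zero exit from check_ca means the certificate does not
       carry the expected constraints.
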
SEE ALSO
       pki(1)

5.2.0                              2013-07-31                      PKI --SELF(1)