1PKI --ISSUE(1)                    strongSwan                    PKI --ISSUE(1)
2
3
4

NAME

6       pki --issue - Issue a certificate using a CA certificate and key
7

SYNOPSIS

9       pki --issue [--in file] [--type type] --cakey file|--cakeyid hex
10                   --cacert file [--dn subject-dn] [--san subjectAltName]
11                   [--lifetime days] [--not-before datetime] [--not-
12                   after datetime] [--serial hex] [--flag flag]
13                   [--digest digest] [--rsa-padding padding] [--ca]
14                   [--crl uri [--crlissuer issuer]] [--ocsp uri]
15                   [--pathlen len] [--addrblock block] [--nc-permitted name]
16                   [--nc-excluded name] [--critical oid]
17                   [--policy-mapping mapping] [--policy-explicit len]
18                   [--policy-inhibit len] [--policy-any len]
19                   [--cert-policy oid [--cps-uri uri] [--user-notice text]]
20                   [--outform encoding] [--debug level]
21
22       pki --issue --options file
23
24       pki --issue -h | --help
25

DESCRIPTION

27       This sub-command of pki(1) is used to issue a certificate  using  a  CA
28       certificate and private key.
29

OPTIONS

31       -h, --help
32              Print usage information with a summary of the available options.
33
34       -v, --debug level
35              Set debug level, default: 1.
36
37       -+, --options file
38              Read command line options from file.
39
40       -i, --in file
41              Public  key or PKCS#10 certificate request file to issue. If not
42              given the key/request is read from STDIN.
43
44       -t, --type type
45              Type of the input. One of pub (public key), priv (private  key),
46              rsa  (RSA  private  key),  ecdsa  (ECDSA  private  key), ed25519
47              (Ed25519 private key), ed448 (Ed448 private key),  bliss  (BLISS
48              private  key)  or pkcs10 (PKCS#10 certificate request), defaults
49              to pub.
50
51       -k, --cakey file
52              CA private key file. Either this or --cakeyid is required.
53
54       -x, --cakeyid hex
55              Smartcard or TPM CA private key object handle in hex format with
56              an optional 0x prefix. Either this or --cakey is required.
57
58       -c, --cacert file
59              CA certificate file. Required.
60
61       -d, --dn subject-dn
62              Subject distinguished name (DN) of the issued certificate.
63
64       -a, --san subjectAltName
65              subjectAltName  extension to include in certificate. Can be used
66              multiple times.
67
68       -l, --lifetime days
69              Days the certificate is valid, default: 1095. Ignored if both an
70              absolute start and end time are given.
71
72       -F, --not-before datetime
73              Absolute  time  when the validity of the certificate begins. The
74              datetime format is defined by the --dateform option.
75
76       -T, --not-after datetime
77              Absolute time when the validity of  the  certificate  ends.  The
78              datetime format is defined by the --dateform option.
79
80       -D, --dateform form
81              strptime(3) format for the --not-before and --not-after options,
82              default: %d.%m.%y %T
83
84       -s, --serial hex
85              Serial number in hex. It is randomly allocated by default.
86
87       -e, --flag flag
88              Add extendedKeyUsage flag. One of serverAuth,  clientAuth,  crl‐
89              Sign, or ocspSigning. Can be used multiple times.
90
91       -g, --digest digest
92              Digest  to use for signature creation. One of md5, sha1, sha224,
93              sha256, sha384, or sha512.  The default is determined  based  on
94              the type and size of the signature key.
95
96       -R, --rsa-padding padding
97              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
98              to pkcs1.
99
100       -f, --outform encoding
101              Encoding of the created certificate file. Either der (ASN.1 DER)
102              or pem (Base64 PEM), defaults to der.
103
104       -b, --ca
105              Include CA basicConstraint extension in certificate.
106
107       -u, --crl uri
108              CRL  distribution  point  URI  to include in certificate. Can be
109              used multiple times.
110
111       -I, --crlissuer issuer
112              Optional CRL issuer for the CRL at  the  preceding  distribution
113              point.
114
115       -o, --ocsp uri
116              OCSP  AuthorityInfoAccess  URI to include in certificate. Can be
117              used multiple times.
118
119       -p, --pathlen len
120              Set path length constraint.
121
122       -B, --addrblock block
123              RFC 3779 address block to include in certificate. block  is  ei‐
124              ther  a CIDR subnet (such as 10.0.0.0/8) or an arbitrary address
125              range (192.168.1.7-192.168.1.13). Can  be  repeated  to  include
126              multiple  blocks.   Please note that the supplied blocks are in‐
127              cluded in the certificate as is, so  for  standards  compliance,
128              multiple  blocks  must be supplied in correct order and adjacent
129              blocks must be combined. Refer to RFC 3779 for details.
130
131       -n, --nc-permitted name
132              Add permitted NameConstraint extension to certificate.  For  DNS
133              or email constraints, the identity type is not always detectable
134              by the given name. Use the dns: or email: prefix to force a con‐
135              straint type.
136
137       -N, --nc-excluded name
138              Add excluded NameConstraint extension to certificate. For DNS or
139              email constraints, the identity type is not always detectable by
140              the  given  name.  Use the dns: or email: prefix to force a con‐
141              straint type.
142
143       -X, --critical oid
144              Add a critical extension with the given OID.
145
146       -M, --policy-mapping issuer-oid:subject-oid
147              Add policyMapping from issuer to subject OID.
148
149       -E, --policy-explicit len
150              Add requireExplicitPolicy constraint.
151
152       -H, --policy-inhibit len
153              Add inhibitPolicyMapping constraint.
154
155       -A, --policy-any len
156              Add inhibitAnyPolicy constraint.
157
158   Certificate Policy
159       Multiple certificatePolicy extensions can be added. Each with the  fol‐
160       lowing information:
161
162       -P, --cert-policy oid
163              OID to include in certificatePolicy extension. Required.
164
165       -C, --cps-uri uri
166              Certification Practice statement URI for certificatePolicy.
167
168       -U, --user-notice text
169              User notice for certificatePolicy.
170

EXAMPLES

172       To save repetitive typing, command line options can be stored in files.
173       Lets assume pki.opt contains the following contents:
174
175         --cacert ca_cert.der --cakey ca_key.der --digest sha256
176         --flag serverAuth --lifetime 1460 --type pkcs10
177
178       Then the following command can be used to issue a certificate based  on
179       a given PKCS#10 certificate request and the options above:
180
181         pki --issue --options pki.opt --in req.der > cert.der
182

SEE ALSO

184       pki(1)
185
186
187
1885.9.6                             2019-05-06                    PKI --ISSUE(1)
Impressum