PKI --REQ(1)                      strongSwan                      PKI --REQ(1)

NAME
       pki --req - Create a PKCS#10 certificate request

SYNOPSIS
       pki --req [--in file|--keyid hex] [--type type] --dn distinguished-name
                 [--san subjectAltName] [--profile profile] [--flag flag]
                 [--password password] [--digest digest]
                 [--rsa-padding padding] [--outform encoding] [--debug level]

       pki --req [--in file|--keyid hex] [--type type] --oldreq file
                 [--password password] [--digest digest]
                 [--rsa-padding padding] [--outform encoding] [--debug level]

       pki --req --options file

       pki --req -h | --help

DESCRIPTION
       This sub-command of pki(1) is used to create a PKCS#10 certificate
       request.

OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Private key input file. If not given the key is read from STDIN.

       -x, --keyid hex
              Smartcard or TPM private key object handle in hex format with an
              optional 0x prefix.

       -t, --type type
              Type of the input key. Either priv, rsa, ecdsa or bliss,
              defaults to priv.

       -d, --dn distinguished-name
              Subject distinguished name (DN). Required if the --oldreq option
              is not set.

       -a, --san subjectAltName
              subjectAltName extension to include in request. Can be used
              multiple times.

       -P, --profile profile
              Certificate profile name to be included in the certificate
              request. Can be any UTF8 string. Supported e.g. by openxpki
              (with profiles pc-client, tls-server, etc.) or pki --issue (with
              profiles server, client, dual, or ocsp) that are translated into
              corresponding Extended Key Usage (EKU) flags in the generated
              X.509 certificate.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth,
              ocspSigning or msSmartcardLogon. Can be used multiple times.
              Adds an X.509v3 EKU extension containing these flags to the
              certificate request.

       -p, --password password
              The challengePassword to include in the certificate request.

       -o, --oldreq file
              Old certificate request to be used as a template. Required if
              the --dn option is not set. The public key in the old
              certificate request is replaced and a fresh signature is
              generated using the new private key. Optionally a new
              challengePassword may be set using the --password option.

       -g, --digest digest
              Digest to use for signature creation. One of sha1, sha224,
              sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or
              sha3_512. The default is determined based on the type and size
              of the signature key.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
              to pkcs1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES
       Generate a certificate request for an RSA key, with a subjectAltName
       extension and a TLS-server profile:

         pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
             --san moon@strongswan.org --profile server > req.der

       Generate a certificate request for a renewed key based on an existing
       template:

         pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

       Generate a certificate request for an ECDSA key and a different digest:

         pki --req --in key.der --type ecdsa --digest sha256 \
             --dn "C=CH, O=strongSwan, CN=carol" > req.der

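       A receiving-side check on requests like those above, as an added
       example that is not part of the original man page or of strongSwan: it
       reads the signature algorithm OID from a DER-encoded request (the
       default --outform) and flags SHA-1 based signatures, which --digest
       sha1 would produce. Rejecting SHA-1 is this example's policy
       assumption; the function names and the sample bytes are constructed.

```python
# Added example, not strongSwan code. Assumed policy: SHA-1 signatures are rejected.
WEAK = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSAEncryption, ecdsa-with-SHA1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted-decimal string
    subs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends one base-128 sub-identifier
            subs.append(value)
            value = 0
    if not subs:
        raise ValueError("empty OID")
    first = min(subs[0] // 40, 2)
    return ".".join(str(arc) for arc in [first, subs[0] - 40 * first] + subs[1:])

def signature_oid(der):
    """Return the signatureAlgorithm OID of a DER CertificationRequest."""
    tag, request, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not DER (a PEM request must be decoded first)")
    _, _, pos = read_tlv(request, 0)           # skip certificationRequestInfo
    alg_tag, alg, _ = read_tlv(request, pos)   # signatureAlgorithm SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected PKCS#10 structure")
    return decode_oid(oid)

def check_request(der):
    oid = signature_oid(der)
    return oid, oid in WEAK  # (oid, True when the signature digest is SHA-1)

def sample_request(oid_hex):  # constructed skeleton, not a valid signed request
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00")) + alg + tlv(0x03, b"\x00"))
```

       With --rsa-padding pss the digest is carried in the algorithm
       parameters rather than in the OID, which this check does not inspect.
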
SEE ALSO
       pki(1)

5.9.11                            2022-08-30                      PKI --REQ(1)