1PKI --ISSUE(1)                    strongSwan                    PKI --ISSUE(1)
2
3
4

NAME

6       pki --issue - Issue a certificate using a CA certificate and key
7

SYNOPSIS

9       pki --issue [--in file] [--type type] --cakey file|--cakeyid hex
10                   --cacert file [--dn subject-dn] [--san subjectAltName]
11                   [--lifetime days] [--not-before datetime] [--not-
12                   after datetime] [--serial hex] [--flag flag]
13                   [--digest digest] [--ca] [--crl uri [--crlissuer issuer]]
14                   [--ocsp uri] [--pathlen len] [--nc-permitted name] [--nc-
15                   excluded name] [--policy-mapping mapping]
16                   [--policy-explicit len] [--policy-inhibit len]
17                   [--policy-any len]
18                   [--cert-policy oid [--cps-uri uri] [--user-notice text]]
19                   [--outform encoding] [--debug level]
20
21       pki --issue --options file
22
23       pki --issue -h | --help
24

DESCRIPTION

26       This  sub-command  of  pki(1) is used to issue a certificate using a CA
27       certificate and private key.
28

OPTIONS

30       -h, --help
31              Print usage information with a summary of the available options.
32
33       -v, --debug level
34              Set debug level, default: 1.
35
36       -+, --options file
37              Read command line options from file.
38
39       -i, --in file
40              Public key or PKCS#10 certificate request file to issue. If  not
41              given the key/request is read from STDIN.
42
43       -t, --type type
44              Type  of the input. Either pub for a public key, or pkcs10 for a
45              PKCS#10 certificate request, defaults to pub.
46
47       -k, --cakey file
48              CA private key file. Either this or --cakeyid is required.
49
50       -x, --cakeyid hex
51              Key ID of a CA private  key  on  a  smartcard.  Either  this  or
52              --cakey is required.
53
54       -c, --cacert file
55              CA certificate file. Required.
56
57       -d, --dn subject-dn
58              Subject distinguished name (DN) of the issued certificate.
59
60       -a, --san subjectAltName
61              subjectAltName  extension to include in certificate. Can be used
62              multiple times.
63
64       -l, --lifetime days
65              Days the certificate is valid, default: 1095. Ignored if both an
66              absolute start and end time are given.
67
68       -F, --not-before datetime
69              Absolute  time  when the validity of the certificate begins. The
70              datetime format is defined by the --dateform option.
71
72       -T, --not-after datetime
73              Absolute time when the validity of  the  certificate  ends.  The
74              datetime format is defined by the --dateform option.
75
76       -D, --dateform form
77              strptime(3) format for the --not-before and --not-after options,
78              default: %d.%m.%y %T
79
80       -s, --serial hex
81              Serial number in hex. It is randomly allocated by default.
82
83       -e, --flag flag
84              Add extendedKeyUsage flag. One of serverAuth,  clientAuth,  crl‐
85              Sign, or ocspSigning. Can be used multiple times.
86
87       -g, --digest digest
88              Digest  to use for signature creation. One of md5, sha1, sha224,
89              sha256, sha384, or sha512. Defaults to sha1.
90
91       -f, --outform encoding
92              Encoding of the created certificate file. Either der (ASN.1 DER)
93              or pem (Base64 PEM), defaults to der.
94
95       -b, --ca
96              Include CA basicConstraint extension in certificate.
97
98       -u, --crl uri
99              CRL  distribution  point  URI  to include in certificate. Can be
100              used multiple times.
101
102       -I, --crlissuer issuer
103              Optional CRL issuer for the CRL at  the  preceding  distribution
104              point.
105
106       -o, --ocsp uri
107              OCSP  AuthorityInfoAccess  URI to include in certificate. Can be
108              used multiple times.
109
110       -p, --pathlen len
111              Set path length constraint.
112
113       -n, --nc-permitted name
114              Add permitted NameConstraint extension to certificate.
115
116       -N, --nc-excluded name
117              Add excluded NameConstraint extension to certificate.
118
119       -M, --policy-mapping issuer-oid:subject-oid
120              Add policyMapping from issuer to subject OID.
121
122       -E, --policy-explicit len
123              Add requireExplicitPolicy constraint.
124
125       -H, --policy-inhibit len
126              Add inhibitPolicyMapping constraint.
127
128       -A, --policy-any len
129              Add inhibitAnyPolicy constraint.
130
131   Certificate Policy
132       Multiple certificatePolicy extensions can be added. Each with the  fol‐
133       lowing information:
134
135       -P, --cert-policy oid
136              OID to include in certificatePolicy extension. Required.
137
138       -C, --cps-uri uri
139              Certification Practice statement URI for certificatePolicy.
140
141       -U, --user-notice text
142              User notice for certificatePolicy.
143

EXAMPLES

145       To save repetitive typing, command line options can be stored in files.
146       Lets assume pki.opt contains the following contents:
147
148         --cacert ca_cert.der --cakey ca_key.der --digest sha256
149         --flag serverAuth --lifetime 1460 --type pkcs10
150
151       Then the following command can be used to issue a certificate based  on
152       a given PKCS#10 certificate request and the options above:
153
154         pki --issue --options pki.opt --in req.der > cert.der
155

SEE ALSO

157       pki(1)
158
159
160
1615.2.0                             2013-08-12                    PKI --ISSUE(1)
Impressum