PKI(1)                           strongSwan                           PKI(1)



NAME
       pki - Simple public key infrastructure (PKI) management tool

SYNOPSIS
       pki command [option ...]

       pki -h | --help

DESCRIPTION
       pki is a suite of commands that allow you to manage a simple public key
       infrastructure (PKI).

       Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
       containing subjectAltNames, create X.509 self-signed end-entity and
       root CA certificates, issue end-entity and intermediate CA certificates
       signed by the private key of a CA and containing subjectAltNames, CRL
       distribution points and URIs of OCSP servers. You can also extract raw
       public keys from private keys, certificate requests and certificates
       and compute two kinds of SHA-1-based key IDs: the subjectKeyIdentifier
       (SHA-1 over the raw subjectPublicKey bits) and the SHA-1 over the
       complete subjectPublicKeyInfo structure.

COMMANDS
       -h, --help
              Prints usage information and a short summary of the available
              commands.

       -g, --gen
              Generate a new private key.

       -s, --self
              Create a self-signed certificate.

       -i, --issue
              Issue a certificate using a CA certificate and key.

       -c, --signcrl
              Issue a CRL using a CA certificate and key.

       -z, --acert
              Issue an attribute certificate.

       -r, --req
              Create a PKCS#10 certificate request.

       -7, --pkcs7
              Provides PKCS#7 wrap/unwrap functions.

       -k, --keyid
              Calculate key identifiers of a key or certificate.

       -a, --print
              Print a credential (key, certificate etc.) in human readable
              form.

       -p, --pub
              Extract a public key from a private key or certificate.

       -v, --verify
              Verify a certificate using a CA certificate.

EXAMPLES
   Generating a CA Certificate
       The first step is to generate a private key using the --gen command. By
       default this generates a 2048-bit RSA key. The key is written
       unencrypted, so restrict access to the resulting file; a CA key should
       live on a protected host with restrictive permissions.

              pki --gen > ca_key.der

       This key is used to create the self-signed CA certificate, using the
       --self command. The distinguished name should be adjusted to your
       needs.

              pki --self --ca --in ca_key.der \
                 --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der

   Generating End-Entity Certificates
       With the root CA certificate and key at hand, end-entity certificates
       for clients and servers can be issued. Similarly, intermediate CA
       certificates can be issued, which in turn can issue other certificates.
       To generate a certificate for a server, we start by generating a
       private key.

              pki --gen > server_key.der

       The public key will be included in the certificate, so let's extract it
       from the private key.

              pki --pub --in server_key.der > server_pub.der

       The following command uses the CA certificate and private key to issue
       the certificate for this server. Adjust the distinguished name,
       subjectAltName(s) and flags as needed (see pki --issue(1) for more
       options).

              pki --issue --in server_pub.der --cacert ca_cert.der \
                 --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
                 --san vpn.strongswan.org --flag serverAuth > server_cert.der

       Instead of storing the public key in a separate file, the output of
       --pub may also be piped directly into the above command, since --issue
       reads the public key from standard input when --in is omitted.

   Generating Certificate Revocation Lists (CRL)
       If end-entity certificates have to be revoked, CRLs may be generated
       using the --signcrl command.

              pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
                 --reason superseded --cert server_cert.der > crl.der

       The certificate given with --cacert must be either a CA certificate or
       a certificate with the cRLSign key usage bit set (--flag crlSign).
       URIs to CRLs may be included in issued certificates with the --crl
       option.

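       The three procedures above (CA, server certificate, CRL) chained into
       one script, as an added example rather than text from the strongSwan
       man page. It assumes a strongSwan pki binary on PATH, uses a placeholder
       CRL distribution point URI (http://crl.example.org/strongswan-ca.crl)
       and a scratch directory, and adds --verify, --print and --keyid from
       the COMMANDS list to check the result: the certificate must verify
       against the CA before the CRL exists and must be rejected once the CRL
       listing it is supplied. When pki is not installed the function reports
       "skipped" instead of failing.

```shell
#!/bin/sh
# Added example, not part of the strongSwan man page or project.
# Assumptions: a strongSwan `pki` binary on PATH; CRL_URI is a placeholder
# distribution point, nothing is ever fetched from it.
set -eu

CRL_URI="http://crl.example.org/strongswan-ca.crl"   # placeholder CDP

# demo_pki_chain DIR: run the whole procedure inside DIR.
# Prints "ok" on success, "skipped" if pki is unavailable, returns non-zero
# on any unexpected result (set -e aborts on a failing pki invocation).
demo_pki_chain() {
    d=$1
    command -v pki >/dev/null 2>&1 || { echo skipped; return 0; }

    # 1. CA key (unencrypted DER) and self-signed CA certificate.
    #    --gen defaults to RSA 2048; --size picks a longer modulus and
    #    --lifetime the validity in days.
    pki --gen --type rsa --size 3072 > "$d/ca_key.der"
    pki --self --ca --lifetime 3650 --in "$d/ca_key.der" \
        --dn "C=CH, O=strongSwan, CN=strongSwan CA" > "$d/ca_cert.der"

    # 2. Server key. The public key is piped straight into --issue, which
    #    reads it from stdin when --in is omitted; --crl embeds the CDP URI
    #    so relying parties can locate the CRL signed in step 4.
    pki --gen > "$d/server_key.der"
    pki --pub --in "$d/server_key.der" | pki --issue --lifetime 365 \
        --cacert "$d/ca_cert.der" --cakey "$d/ca_key.der" \
        --dn "C=CH, O=strongSwan, CN=VPN Server" \
        --san vpn.strongswan.org --flag serverAuth --crl "$CRL_URI" \
        > "$d/server_cert.der"

    # 3. Before any revocation the certificate must chain to the CA
    #    (pki --verify exits 0 only for a trusted, time-valid certificate).
    pki --verify --in "$d/server_cert.der" --cacert "$d/ca_cert.der" >/dev/null

    # 4. Revoke it: --signcrl lists the certificate with a reason code.
    pki --signcrl --cacert "$d/ca_cert.der" --cakey "$d/ca_key.der" \
        --reason superseded --cert "$d/server_cert.der" > "$d/crl.der"

    # 5. With the CRL supplied, revocation checking must reject the
    #    certificate, i.e. --verify must exit non-zero.
    if pki --verify --in "$d/server_cert.der" --cacert "$d/ca_cert.der" \
           --crl "$d/crl.der" --online >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2
        return 1
    fi
    echo ok
}

# Stand-alone use: `sh thisfile.sh run` builds everything in a temp dir and
# dumps the issued certificate plus its two SHA-1 key identifiers.
if [ "${1:-}" = run ]; then
    workdir=$(mktemp -d)
    demo_pki_chain "$workdir"
    if command -v pki >/dev/null 2>&1; then
        pki --print --type x509 --in "$workdir/server_cert.der"
        pki --keyid --type x509 --in "$workdir/server_cert.der"
        echo "artifacts left in $workdir"
    fi
fi
```

       Running the second --verify without --crl would still succeed, which is
       the practical reason the --crl option exists on --issue: a relying
       party that never learns where the CRL lives cannot notice the
       revocation.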
SEE ALSO
       pki --gen(1), pki --self(1), pki --issue(1), pki --signcrl(1),
       pki --acert(1), pki --req(1), pki --pkcs7(1), pki --keyid(1),
       pki --print(1), pki --pub(1), pki --verify(1)



5.2.0                            2013-07-31                           PKI(1)