PKI --ISSUE(1)                    strongSwan                    PKI --ISSUE(1)


NAME

       pki --issue - Issue a certificate using a CA certificate and key


SYNOPSIS

       pki --issue [--in file] [--type type] --cakey file|--cakeyid hex
                   --cacert file [--dn subject-dn] [--san subjectAltName]
                   [--lifetime days] [--not-before datetime]
                   [--not-after datetime] [--dateform form] [--serial hex]
                   [--flag flag] [--digest digest] [--rsa-padding padding]
                   [--ca] [--crl uri [--crlissuer issuer]] [--ocsp uri]
                   [--pathlen len] [--nc-permitted name] [--addrblock block]
                   [--nc-excluded name] [--policy-mapping mapping]
                   [--policy-explicit len] [--policy-inhibit len]
                   [--policy-any len]
                   [--cert-policy oid [--cps-uri uri] [--user-notice text]]
                   [--outform encoding] [--debug level]

       pki --issue --options file

       pki --issue -h | --help


DESCRIPTION

       This sub-command of pki(1) issues an X.509 certificate for a public key
       or PKCS#10 certificate request, signing it with a CA certificate and the
       corresponding CA private key.


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Public key or PKCS#10 certificate request file to issue a
              certificate for. If not given, the key/request is read from
              STDIN.

       -t, --type type
              Type of the input. One of pub (public key), priv (private key),
              rsa (RSA private key), ecdsa (ECDSA private key), ed25519
              (Ed25519 private key), bliss (BLISS private key) or pkcs10
              (PKCS#10 certificate request), defaults to pub.

       -k, --cakey file
              CA private key file. Either this or --cakeyid is required.

       -x, --cakeyid hex
              Smartcard or TPM CA private key object handle in hex format with
              an optional 0x prefix. Either this or --cakey is required.

       -c, --cacert file
              CA certificate file. Required.

       -d, --dn subject-dn
              Subject distinguished name (DN) of the issued certificate.

       -a, --san subjectAltName
              subjectAltName extension to include in certificate. Can be used
              multiple times.

       -l, --lifetime days
              Days the certificate is valid, default: 1095. Ignored if both an
              absolute start and end time are given.

       -F, --not-before datetime
              Absolute time when the validity of the certificate begins. The
              datetime format is defined by the --dateform option.

       -T, --not-after datetime
              Absolute time when the validity of the certificate ends. The
              datetime format is defined by the --dateform option.

       -D, --dateform form
              strptime(3) format for the --not-before and --not-after options,
              default: %d.%m.%y %T

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth,
              crlSign, or ocspSigning. Can be used multiple times.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224,
              sha256, sha384, or sha512. The default is determined based on
              the type and size of the signature key. md5 and sha1 are kept
              for compatibility only; neither is collision resistant, and
              neither should be used to sign new certificates.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
              to pkcs1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

       -b, --ca
              Include a basicConstraints extension marking the certificate as
              a CA certificate.

       -u, --crl uri
              CRL distribution point URI to include in certificate. Can be
              used multiple times.

       -I, --crlissuer issuer
              Optional CRL issuer for the CRL at the preceding distribution
              point.

       -o, --ocsp uri
              OCSP AuthorityInfoAccess URI to include in certificate. Can be
              used multiple times.

       -p, --pathlen len
              Set the pathLenConstraint of the basicConstraints extension,
              i.e. the maximum number of intermediate CA certificates that
              may follow this one in a certification path. Only meaningful
              together with --ca.

       -B, --addrblock block
              RFC 3779 address block to include in certificate. block is
              either a CIDR subnet (such as 10.0.0.0/8) or an arbitrary
              address range (192.168.1.7-192.168.1.13). Can be repeated to
              include multiple blocks. Please note that the supplied blocks
              are included in the certificate as is, so for standards
              compliance multiple blocks must be supplied in correct order and
              adjacent blocks must be combined. Refer to RFC 3779 for details.

       -n, --nc-permitted name
              Add a permitted subtree to the nameConstraints extension. For
              DNS or email constraints, the identity type cannot always be
              inferred from the given name; use the dns: or email: prefix to
              force a constraint type.

       -N, --nc-excluded name
              Add an excluded subtree to the nameConstraints extension. For
              DNS or email constraints, the identity type cannot always be
              inferred from the given name; use the dns: or email: prefix to
              force a constraint type.

       -M, --policy-mapping issuer-oid:subject-oid
              Add a policyMappings entry from issuer to subject OID.

       -E, --policy-explicit len
              Add a requireExplicitPolicy constraint.

       -H, --policy-inhibit len
              Add an inhibitPolicyMapping constraint.

       -A, --policy-any len
              Add an inhibitAnyPolicy constraint.

   Certificate Policy
       Multiple policies can be added to the certificatePolicies extension,
       each with the following information:

       -P, --cert-policy oid
              Policy OID to include in the certificatePolicies extension.
              Required.

       -C, --cps-uri uri
              Certification Practice Statement (CPS) URI for the preceding
              policy.

       -U, --user-notice text
              User notice for the preceding policy.


EXAMPLES

       To save repetitive typing, command line options can be stored in files.
       Let's assume pki.opt contains the following contents:

         --cacert ca_cert.der --cakey ca_key.der --digest sha256
         --flag serverAuth --lifetime 1460 --type pkcs10

       Then the following command can be used to issue a certificate based on
       a given PKCS#10 certificate request and the options above:

         pki --issue --options pki.opt --in req.der > cert.der

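       The script below is an added example and is not part of this man page
       or of the strongSwan source tree. It builds a throwaway PKI with the
       other pki(1) sub-commands (--gen, --self, --req, --pub) and then runs
       --issue twice: once for an end-entity VPN server certificate issued
       from a PKCS#10 request using an options file as above, and once for a
       constrained intermediate CA (--ca, --pathlen, --nc-permitted) issued
       from a bare public key. It assumes the strongSwan pki binary is on
       PATH; all DNs, host names (vpn.example.org, example.org), the address
       192.0.2.10, the CRL/OCSP URIs and the file names are placeholders
       chosen for this example.

```shell
#!/bin/sh
# Added example; not taken from the strongSwan man page or source tree.
# Exercises "pki --issue" for an end-entity certificate (from a PKCS#10
# request) and for a constrained intermediate CA (from a public key).
# Assumed: strongSwan's pki(1) is on PATH; every DN, host name, URI and
# file name below is a placeholder for this example.
set -eu

# Distinguish strongSwan's pki from other tools of the same name:
# its --help output starts with "strongSwan <version> PKI tool".
have_strongswan_pki() {
    command -v pki >/dev/null 2>&1 && pki --help 2>&1 | grep -q strongSwan
}

# Root CA: key pair plus self-signed certificate with basicConstraints CA:TRUE.
make_root_ca() {
    dir="$1"
    pki --gen --type rsa --size 2048 --outform pem > "$dir/ca_key.pem"
    pki --self --type rsa --in "$dir/ca_key.pem" \
        --dn "C=CH, O=Example Org, CN=Example Root CA" \
        --ca --lifetime 3650 --outform pem > "$dir/ca_cert.pem"
}

# Requester side: server key and PKCS#10 request. The CSR contents are only
# a proposal; the CA fixes the final identity when issuing (see below).
make_request() {
    dir="$1"
    pki --gen --type rsa --size 2048 --outform pem > "$dir/server_key.pem"
    pki --req --type rsa --in "$dir/server_key.pem" \
        --dn "C=CH, O=Example Org, CN=vpn.example.org" \
        --san vpn.example.org --outform pem > "$dir/server_req.pem"
}

# CA side: shared settings live in an options file (as in EXAMPLES); the
# per-certificate identity is given explicitly with --dn/--san so the CA,
# not the requester, decides what the certificate asserts.
issue_server_cert() {
    dir="$1"
    cat > "$dir/issue.opt" <<EOF
--cacert $dir/ca_cert.pem --cakey $dir/ca_key.pem
--type pkcs10 --digest sha256 --flag serverAuth --lifetime 365
--crl http://crl.example.org/root.crl --ocsp http://ocsp.example.org
--outform pem
EOF
    pki --issue --options "$dir/issue.opt" --in "$dir/server_req.pem" \
        --dn "C=CH, O=Example Org, CN=vpn.example.org" \
        --san vpn.example.org --san 192.0.2.10 > "$dir/server_cert.pem"
}

# Constrained intermediate CA, issued from the subordinate's public key only:
# CA:TRUE with pathLenConstraint 0 (it may not certify further CAs) and a
# permitted name constraint confining it to the example.org DNS subtree.
issue_sub_ca() {
    dir="$1"
    pki --gen --type rsa --size 2048 --outform pem > "$dir/sub_key.pem"
    pki --pub --type rsa --in "$dir/sub_key.pem" --outform pem > "$dir/sub_pub.pem"
    pki --issue --type pub --in "$dir/sub_pub.pem" \
        --cacert "$dir/ca_cert.pem" --cakey "$dir/ca_key.pem" \
        --dn "C=CH, O=Example Org, CN=Example Issuing CA" \
        --ca --pathlen 0 --nc-permitted dns:example.org \
        --lifetime 1825 --digest sha256 --outform pem > "$dir/sub_cert.pem"
}

# Both issued certificates must validate against the root; pki --verify
# exits non-zero if the signature or validity period does not check out.
verify_issued() {
    dir="$1"
    pki --verify --in "$dir/server_cert.pem" --cacert "$dir/ca_cert.pem"
    pki --verify --in "$dir/sub_cert.pem" --cacert "$dir/ca_cert.pem"
}

run_demo() {
    dir="$1"
    make_root_ca "$dir"
    make_request "$dir"
    issue_server_cert "$dir"
    issue_sub_ca "$dir"
    verify_issued "$dir"
    pki --print --in "$dir/server_cert.pem"
    pki --print --in "$dir/sub_cert.pem"
}

if have_strongswan_pki; then
    run_demo "${1:-$(mktemp -d)}"
else
    echo "strongSwan pki(1) not found on PATH; nothing issued" >&2
fi
```

       Run it with an optional working directory as the first argument;
       otherwise a temporary directory is used. Passing --dn and --san on the
       --issue command line rather than relying on what the CSR carries is a
       design choice of this example: the CA should assert only identities it
       has validated itself.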

SEE ALSO

       pki(1)



5.7.2                             2016-12-13                    PKI --ISSUE(1)