1PKI(1) strongSwan PKI(1)
2
3
4
6 pki - Simple public key infrastructure (PKI) management tool
7
9 pki command [option ...]
10
11 pki -h | --help
12
14 pki is a suite of commands that allow you to manage a simple public key
15 infrastructure (PKI).
16
17 Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
18 containing subjectAltNames, create X.509 self-signed end-entity and
19 root CA certificates, issue end-entity and intermediate CA certificates
20 signed by the private key of a CA and containing subjectAltNames, CRL
21 distribution points and URIs of OCSP servers. You can also extract raw
22 public keys from private keys, certificate requests and certificates
23 and compute two kinds of SHA-1-based key IDs.
24
26 -h, --help
27 Prints usage information and a short summary of the available
28 commands.
29
30 -g, --gen
31 Generate a new private key.
32
33 -s, --self
34 Create a self-signed certificate.
35
36 -i, --issue
37 Issue a certificate using a CA certificate and key.
38
39 -c, --signcrl
40 Issue a CRL using a CA certificate and key.
41
42 -z, --acert
43 Issue an attribute certificate.
44
45 -r, --req
46 Create a PKCS#10 certificate request.
47
48 -7, --pkcs7
49 Provides PKCS#7 wrap/unwrap functions.
50
51 -k, --keyid
52 Calculate key identifiers of a key or certificate.
53
54 -a, --print
55 Print a credential (key, certificate etc.) in human readable
56 form.
57
58 -d, --dn
59 Extract the subject DN of an X.509 certificate.
60
61 -p, --pub
62 Extract a public key from a private key or certificate.
63
64 -v, --verify
65 Verify a certificate using a CA certificate.
66
68 Generating a CA Certificate
69 The first step is to generate a private key using the --gen command. By
70 default this generates a 2048-bit RSA key.
71
72 pki --gen > ca_key.der
73
74 This key is used to create the self-signed CA certificate, using the
75 --self command. The distinguished name should be adjusted to your
76 needs.
77
78 pki --self --ca --in ca_key.der \
79 --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
80
81 Generating End-Entity Certificates
82 With the root CA certificate and key at hand end-entity certificates
83 for clients and servers can be issued. Similarly intermediate CA cer‐
84 tificates can be issued, which in turn can issue other certificates.
85 To generate a certificate for a server, we start by generating a pri‐
86 vate key.
87
88 pki --gen > server_key.der
89
90 The public key will be included in the certificate so lets extract that
91 from the private key.
92
93 pki --pub --in server_key.der > server_pub.der
94
95 The following command will use the CA certificate and private key to
96 issue the certificate for this server. Adjust the distinguished name,
97 subjectAltName(s) and flags as needed (check pki --issue(8) for more
98 options).
99
100 pki --issue --in server_pub.der --cacert ca_cert.der \
101 --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
102 --san vpn.strongswan.org --flag serverAuth > server_cert.der
103
104 Instead of storing the public key in a separate file, the output of
105 --pub may also be piped directly into the above command.
106
107 Generating Certificate Revocation Lists (CRL)
108 If end-entity certificates have to be revoked, CRLs may be generated
109 using the --signcrl command.
110
111 pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
112 --reason superseded --cert server_cert.der > crl.der
113
114 The certificate given with --cacert must be either a CA certificate or
115 a certificate with the crlSign extended key usage (--flag crlSign).
116 URIs to CRLs may be included in issued certificates with the --crl
117 option.
118
120 pki --gen(1), pki --self(1), pki --issue(1), pki --signcrl(1),
121 pki --acert(1), pki --req(1), pki --pkcs7(1), pki --keyid(1),
122 pki --print(1), pki --dn(1), pki --pub(1), pki --verify(1)
123
124
125
1265.9.1 2015-08-06 PKI(1)