PKI --REQ(1)                    strongSwan                    PKI --REQ(1)

pki --req - Create a PKCS#10 certificate request

pki --req [--in file|--keyid hex] [--type type] --dn distinguished-name
          [--san subjectAltName] [--profile profile]
          [--password password] [--digest digest]
          [--rsa-padding padding] [--outform encoding] [--debug level]

pki --req [--in file|--keyid hex] [--type type] --oldreq file
          [--password password] [--digest digest]
          [--rsa-padding padding] [--outform encoding] [--debug level]

pki --req --options file

pki --req -h | --help

This sub-command of pki(1) is used to create a PKCS#10 certificate request.

-h, --help
       Print usage information with a summary of the available options.

-v, --debug level
       Set debug level, default: 1.

-+, --options file
       Read command line options from file.

-i, --in file
       Private key input file. If not given the key is read from STDIN.

-x, --keyid hex
       Smartcard or TPM private key object handle in hex format with an
       optional 0x prefix.

-t, --type type
       Type of the input key. Either priv, rsa, ecdsa or bliss, defaults
       to priv.

-d, --dn distinguished-name
       Subject distinguished name (DN). Required if the --oldreq option is
       not set.

-a, --san subjectAltName
       subjectAltName extension to include in request. Can be used
       multiple times.

-P, --profile profile
       Certificate profile name to be included in the certificate
       request. Can be any UTF8 string. Supported e.g. by openxpki (with
       profiles pc-client, tls-server, etc.) or pki --issue (with
       profiles server, client, dual, or ocsp) that are translated into
       corresponding Extended Key Usage (EKU) flags in the generated
       X.509 certificate.

-p, --password password
       The challengePassword to include in the certificate request.

-o, --oldreq file
       Old certificate request to be used as a template. Required if
       the --dn option is not set. The public key in the old certificate
       request is replaced and a fresh signature is generated using
       the new private key. Optionally a new challengePassword may
       be set using the --password option.

-g, --digest digest
       Digest to use for signature creation. One of sha1, sha224,
       sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or
       sha3_512. The default is determined based on the type and size
       of the signature key.

-R, --rsa-padding padding
       Padding to use for RSA signatures. Either pkcs1 or pss, defaults
       to pkcs1.

-f, --outform encoding
       Encoding of the created certificate file. Either der (ASN.1 DER)
       or pem (Base64 PEM), defaults to der.

Generate a certificate request for an RSA key, with a subjectAltName
extension and a TLS-server profile:

    pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
        --san moon@strongswan.org --profile server > req.der

Generate a certificate request for a renewed key based on an existing
template:

    pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

Generate a certificate request for an ECDSA key and a different digest:

    pki --req --in key.der --type ecdsa --digest sha256 \
        --dn "C=CH, O=strongSwan, CN=carol" > req.der
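
The --digest and --rsa-padding options decide which signature algorithm is recorded in the request. The following Python parser is an added example, not part of the strongSwan documentation or code base: it reads that algorithm back out of a DER-encoded request (the default --outform) so that a reviewer can flag SHA-1 signatures before a certificate is issued. The function names are illustrative and the sample bytes are a constructed PKCS#10 skeleton with a dummy signature, not a real request.

```python
SIG_OIDS = {  # added example, not strongSwan code: OID -> (scheme, digest)
    "1.2.840.113549.1.1.5": ("pkcs1", "sha1"),
    "1.2.840.113549.1.1.11": ("pkcs1", "sha256"),
    "1.2.840.113549.1.1.12": ("pkcs1", "sha384"),
    "1.2.840.113549.1.1.13": ("pkcs1", "sha512"),
    "1.2.840.113549.1.1.10": ("pss", None),  # digest is in the parameters, not parsed here
    "1.2.840.10045.4.1": ("ecdsa", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa", "sha512"),
}

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def signature_algorithm(der):  # (scheme, digest) of a DER PKCS#10 request
    tag, request, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE (decode PEM input first)")
    _, _, pos = read_tlv(request, 0)          # skip certificationRequestInfo
    _, algorithm, _ = read_tlv(request, pos)  # signatureAlgorithm SEQUENCE
    tag, oid, _ = read_tlv(algorithm, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, ("unknown", dotted))

def uses_sha1(der):
    return signature_algorithm(der)[1] == "sha1"

# Constructed skeleton: dummy request info, sha1WithRSAEncryption, empty signature.
SAMPLE = bytes.fromhex("30183003020100300d06092a864886f70d010105050003020000")
print(signature_algorithm(SAMPLE), uses_sha1(SAMPLE))
```

For a request signed with --rsa-padding pss the digest is reported as None, because it is carried in the algorithm parameters that this parser does not decode.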

pki(1)

5.9.9                           2022-08-30                    PKI --REQ(1)