PKI(1)                           strongSwan                           PKI(1)



NAME
       pki - Simple public key infrastructure (PKI) management tool

SYNOPSIS
       pki command [option ...]

       pki -h | --help

DESCRIPTION
       pki is a suite of commands that allow you to manage a simple public key
       infrastructure (PKI).

       It can generate RSA and ECDSA key pairs, create PKCS#10 certificate
       requests containing subjectAltNames, create X.509 self-signed
       end-entity and root CA certificates, and issue end-entity and
       intermediate CA certificates signed by the private key of a CA and
       containing subjectAltNames, CRL distribution points and URIs of OCSP
       servers. You can also extract raw public keys from private keys,
       certificate requests and certificates, and compute two kinds of
       SHA-1-based key IDs.

       The pki command now supports certificate enrollment via the Simple
       Certificate Enrollment Protocol (SCEP) as defined by RFC 8894,
       replacing the obsoleted ipsec scepclient tool. The Enrollment over
       Secure Transport (EST) protocol (RFC 7030) is also supported.

COMMANDS
       -h, --help
              Prints usage information and a short summary of the available
              commands.

       -g, --gen
              Generate a new private key.

       -s, --self
              Create a self-signed certificate.

       -i, --issue
              Issue a certificate using a CA certificate and key.

       -c, --signcrl
              Issue a CRL using a CA certificate and key.

       -z, --acert
              Issue an attribute certificate.

       -r, --req
              Create a PKCS#10 certificate request.

       -7, --pkcs7
              Provides PKCS#7 wrap/unwrap functions.

       -k, --keyid
              Calculate key identifiers of a key or certificate.

       -a, --print
              Print a credential (key, certificate etc.) in human readable
              form.

       -d, --dn
              Extract the subject DN of an X.509 certificate.

       -p, --pub
              Extract a public key from a private key or certificate.

       -v, --verify
              Verify a certificate using a CA certificate.

       -S, --scep
              Enroll an X.509 certificate with a SCEP server.

       -C, --scepca
              Get CA [and RA] certificate[s] from a SCEP server.

       -E, --est
              Enroll an X.509 certificate with an EST server.

       -e, --estca
              Get CA certificate[s] from an EST server.

EXAMPLES
   Generating a CA Certificate
       The first step is to generate a private key using the --gen command. By
       default this generates a 2048-bit RSA key.

           pki --gen > ca_key.der

       This key is used to create the self-signed CA certificate, using the
       --self command. The distinguished name should be adjusted to your
       needs.

           pki --self --ca --in ca_key.der \
               --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der

   Generating End-Entity Certificates
       With the root CA certificate and key at hand, end-entity certificates
       for clients and servers can be issued. Similarly, intermediate CA
       certificates can be issued, which in turn can issue other certificates.
       To generate a certificate for a server, we start by generating a
       private key.

           pki --gen > server_key.der

       The public key will be included in the certificate, so let's extract it
       from the private key.

           pki --pub --in server_key.der > server_pub.der

       The following command will use the CA certificate and private key to
       issue the certificate for this server. Adjust the distinguished name,
       subjectAltName(s) and flags as needed (check pki --issue(1) for more
       options).

           pki --issue --in server_pub.der --cacert ca_cert.der \
               --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
               --san vpn.strongswan.org --flag serverAuth > server_cert.der

       Instead of storing the public key in a separate file, the output of
       --pub may also be piped directly into the above command.

   Generating Certificate Revocation Lists (CRL)
       If end-entity certificates have to be revoked, CRLs may be generated
       using the --signcrl command.

           pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
               --reason superseded --cert server_cert.der > crl.der

       The certificate given with --cacert must be either a CA certificate or
       a certificate with the crlSign extended key usage (--flag crlSign).
       URIs to CRLs may be included in issued certificates with the --crl
       option.
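
       The three examples above combined into one script, as an added example
       that is not part of the man page: it builds the CA, server certificate
       and CRL, then checks the result with pki --verify, including a negative
       check against a second, constructed CA ("Other CA") that did not issue
       the certificate. It assumes strongSwan's pki is on PATH and writes into
       the current directory.

```shell
#!/bin/sh
# Added example, not from the man page: run the EXAMPLES steps end to end and
# check the outcome with pki --verify. Assumes pki is on PATH; "Other CA" is a
# constructed second CA used only for the negative check.
set -eu

# Build the CA, the server certificate and a CRL revoking it, exactly as in
# the examples above, plus an unrelated CA for the negative check.
build_pki() {
    pki --gen > ca_key.der
    pki --self --ca --in ca_key.der \
        --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der

    pki --gen > server_key.der
    # Pipe the public key straight into --issue instead of storing it.
    pki --pub --in server_key.der | pki --issue --cacert ca_cert.der \
        --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
        --san vpn.strongswan.org --flag serverAuth > server_cert.der

    pki --gen > other_key.der
    pki --self --ca --in other_key.der \
        --dn "C=CH, O=Other, CN=Other CA" > other_cert.der

    pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
        --reason superseded --cert server_cert.der > crl.der
}

# Exit status 0 when pki accepts the certificate as issued by the given CA
# with a valid lifetime, non-zero otherwise.
verify_chain() {   # verify_chain <cert> <cacert>
    pki --verify --in "$1" --cacert "$2"
}

# Same check with the CRL handed to pki (see pki --verify(1)), so that the
# revocation status of the certificate is reported as well.
verify_with_crl() {   # verify_with_crl <cert> <cacert> <crl>
    pki --verify --in "$1" --cacert "$2" --crl "$3"
}

# Print the CRL: issuer, update times and the revoked serials with reasons.
show_crl() {
    pki --print --type crl --in "$1"
}

if [ "${1:-}" = "run" ]; then
    build_pki
    verify_chain server_cert.der ca_cert.der
    verify_chain server_cert.der other_cert.der || echo "rejected, as expected"
    show_crl crl.der
    verify_with_crl server_cert.der ca_cert.der crl.der || true
fi
```

       Run it as "sh script.sh run" in an empty directory; the files it
       leaves behind match the names used in the examples above.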

SEE ALSO
       pki --gen(1), pki --self(1), pki --issue(1), pki --signcrl(1),
       pki --acert(1), pki --req(1), pki --pkcs7(1), pki --keyid(1),
       pki --print(1), pki --dn(1), pki --pub(1), pki --verify(1),
       pki --scep(1), pki --scepca(1), pki --est(1), pki --estca(1)



5.9.11                           2022-08-22                           PKI(1)