PKI --REQ(1)                      strongSwan                      PKI --REQ(1)

NAME

       pki --req - Create a PKCS#10 certificate request

SYNOPSIS

       pki --req [--in file|--keyid hex] [--type type] --dn distinguished-name
                 [--san subjectAltName] [--profile profile] [--flag flag]
                 [--password password] [--digest digest]
                 [--rsa-padding padding] [--outform encoding] [--debug level]

       pki --req [--in file|--keyid hex] [--type type] --oldreq file
                 [--password password] [--digest digest]
                 [--rsa-padding padding] [--outform encoding] [--debug level]

       pki --req --options file

       pki --req -h | --help

DESCRIPTION

       This sub-command of pki(1) is used to create a PKCS#10 certificate
       request.

OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Private key input file. If not given the key is read from STDIN.

       -x, --keyid hex
              Smartcard or TPM private key object handle in hex format with an
              optional 0x prefix.

       -t, --type type
              Type of the input key. Either priv, rsa, ecdsa or bliss,
              defaults to priv.
       -d, --dn distinguished-name
              Subject distinguished name (DN). Required if the --oldreq option
              is not set.
       -a, --san subjectAltName
              subjectAltName extension to include in request. Can be used
              multiple times.

       -P, --profile profile
              Certificate profile name to be included in the certificate
              request. Can be any UTF8 string. Supported e.g. by openxpki (with
              profiles pc-client, tls-server, etc.) or pki --issue (with
              profiles server, client, dual, or ocsp) that are translated into
              corresponding Extended Key Usage (EKU) flags in the generated
              X.509 certificate.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth,
              ocspSigning or msSmartcardLogon. Can be used multiple times. Adds
              an X.509v3 EKU extension containing these flags to the
              certificate request.

       -p, --password password
              The challengePassword to include in the certificate request.

       -o, --oldreq file
              Old certificate request to be used as a template. Required if
              the --dn option is not set. The public key in the old
              certificate request is replaced and a fresh signature is
              generated using the new private key. Optionally a new
              challengePassword may be set using the --password option.

       -g, --digest digest
              Digest to use for signature creation. One of sha1, sha224,
              sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or
              sha3_512. The default is determined based on the type and size
              of the signature key.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
              to pkcs1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES

       Generate a certificate request for an RSA key, with a subjectAltName
       extension and a TLS-server profile:

         pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
             --san moon@strongswan.org --profile server > req.der

       Generate a certificate request for a renewed key based on an existing
       template:

         pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

       Generate a certificate request for an ECDSA key and a different digest:

         pki --req --in key.der --type ecdsa --digest sha256 \
             --dn "C=CH, O=strongSwan, CN=carol" > req.der

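       Added example, not part of the strongSwan man page: a POSIX shell
       wrapper that builds repeated --san options, writes a PEM request and
       checks its self-signature with openssl req -verify before the request
       is handed to a CA. The function name make_csr, its argument order and
       the availability of openssl are assumptions of this example.

```shell
#!/bin/sh
# make_csr KEY OUT DN [SAN...]   (hypothetical helper, added for illustration)
# Creates a PKCS#10 request for a TLS server key with pki --req and only
# installs it at OUT after its self-signature has been verified.
make_csr() {
    [ "$#" -ge 3 ] || { echo "usage: make_csr KEY OUT DN [SAN...]" >&2; return 2; }
    key=$1 out=$2 dn=$3
    shift 3
    [ -r "$key" ] || { echo "make_csr: cannot read key $key" >&2; return 1; }

    # Rewrite the remaining arguments (the SANs) into "--san value" pairs.
    n=$#
    while [ "$n" -gt 0 ]; do
        san=$1; shift
        set -- "$@" --san "$san"
        n=$((n - 1))
    done

    # Write to a temporary file so a failed run never leaves a truncated or
    # unverified request at OUT.
    tmp="$out.tmp.$$"
    if pki --req --in "$key" --dn "$dn" "$@" \
           --flag serverAuth --digest sha256 --outform pem > "$tmp" \
       && openssl req -in "$tmp" -noout -verify 2>&1 | grep -q 'verify OK'
    then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "make_csr: request creation or verification failed" >&2
        return 1
    fi
}

# Usage (sample values):
#   make_csr key.der req.pem "C=CH, O=strongSwan, CN=moon" moon.strongswan.org
```

       The grep on "verify OK" is used instead of the openssl exit status so
       that the check does not depend on how a given openssl version reports
       a failed verification.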

SEE ALSO

       pki(1)

5.9.11                            2022-08-30                      PKI --REQ(1)