Andreas Steffen, 15.09.2009 23:26
use ipsec prefix
ipsec pki
Synopsis
ipsec pki --gen (-g) generate a new private key
ipsec pki --pub (-p) extract the public key from a private key/certificate
ipsec pki --req (-r) create a PKCS#10 certificate request
ipsec pki --self (-s) create a self signed certificate
ipsec pki --issue (-i) issue a certificate using a CA certificate and key
ipsec pki --keyid (-k) calculate key identifiers of a key/certificate
ipsec pki --verify (-v) verify a certificate using the CA certificate
ipsec pki --help (-h) show usage information
ipsec pki --gen
pki --gen [--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]
--help (-h) show usage information
--type (-t) type of key, default: rsa
--size (-s) keylength in bits, default: rsa 2048, ecdsa 384
--outform (-f) encoding of generated private key
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
Examples
- Generate a 3072 bit RSA private key
pki --gen --size 3072 > myKey.der
- Generate a 256 bit ECDSA private key
pki --gen --type ecdsa --size 256 > myKey.der
ipsec pki --pub
pki --pub [--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]
--help (-h) show usage information
--in (-i) input file, default: stdin
--type (-t) type of credential, default: rsa
--outform (-f) encoding of extracted public key
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --req
pki --req [--in file] [--type rsa|ecdsa] --dn distinguished-name
[--san subjectAltName]+ [--password challengePassword]
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) private key input file, default: stdin
--type (-t) type of input key, default: rsa
--dn (-d) subject distinguished name
--san (-a) subjectAltName to include in cert request
--password (-p) challengePassword to include in cert request
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --self
pki --self [--in file] [--type rsa|ecdsa] --dn distinguished-name
[--san subjectAltName]+ [--lifetime days] [--serial hex]
[--ca] [--ocsp uri]+
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) private key input file, default: stdin
--type (-t) type of input key, default: rsa
--dn (-d) subject and issuer distinguished name
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1080
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --issue
pki --issue [--in file] [--type pub|pkcs10] --cacert file --cakey file --dn subject-dn
[--san subjectAltName]+ [--lifetime days] [--serial hex]
[--ca] [--crl uri]+ [--ocsp uri]+
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) public key/request file to issue, default: stdin
--type (-t) type of input, default: pub
--cacert (-c) CA certificate file
--cakey (-k) CA private key file
--dn (-d) distinguished name to include as subject
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1080
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--crl (-u) CRL distribution point URI to include
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --keyid
pki --keyid [--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]
--help (-h) show usage information
--in (-i) input file, default: stdin
--type (-t) type of key, default: rsa-priv
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --verify
pki --verify [--in file] [--cacert file]
--help (-h) show usage information
--in (-i) X.509 certificate to verify, default: stdin
--cacert (-c) CA certificate, default: verify self signed
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
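The subcommands above as one end-to-end workflow: a self-signed CA, one host certificate issued from an extracted public key, a second one issued from a PKCS#10 request, key identifiers for both sides, and a final verification against the CA. This is an added example, not code from the original page or from the strongSwan distribution. It assumes `ipsec pki` is on PATH (strongSwan built with the pki tool; `--type ecdsa` additionally needs the openssl plugin loaded), that the directory passed to `build_pki` is writable, and that the distinguished names, host names, CRL/OCSP URIs and the challenge password are placeholders constructed for illustration. Every option used is one listed in the sections above; `--digest sha256` is passed explicitly because the page's default is sha1.

```shell
#!/bin/sh
# Added example (not from the strongSwan page): a minimal PKI built only with
# the documented `ipsec pki` subcommands. All names, DNs, URIs and the
# challenge password are constructed placeholders.
set -e

# Build the CA and two host certificates under the directory given as $1.
# Runs in a subshell so the caller's working directory is left unchanged.
build_pki() (
    cd "$1"

    # 1. CA: 3072-bit RSA key, self-signed with the CA basicConstraint set.
    #    Lifetime and serial are fixed so the CA certificate is reproducible.
    ipsec pki --gen --type rsa --size 3072 > caKey.der
    ipsec pki --self --in caKey.der --type rsa \
        --dn "C=CH, O=Example Org, CN=Example Org Root CA" \
        --ca --lifetime 3650 --serial 01 --digest sha256 > caCert.der

    # 2. Host "moon": ECDSA key. --issue wants the public key or a request,
    #    not the private key, so extract the public part first. CRL and OCSP
    #    URIs are placeholders; the CA must really serve them in production.
    ipsec pki --gen --type ecdsa --size 256 > moonKey.der
    ipsec pki --pub --in moonKey.der --type ecdsa > moonPub.der
    ipsec pki --issue --in moonPub.der --type pub \
        --cacert caCert.der --cakey caKey.der \
        --dn "C=CH, O=Example Org, CN=moon.example.org" \
        --san moon.example.org \
        --lifetime 730 --digest sha256 \
        --crl http://crl.example.org/root.crl \
        --ocsp http://ocsp.example.org > moonCert.der

    # 3. Host "sun": RSA key kept on the host; only the PKCS#10 request
    #    (with a challengePassword) travels to the CA, which issues from it.
    ipsec pki --gen --type rsa --size 2048 > sunKey.der
    ipsec pki --req --in sunKey.der --type rsa \
        --dn "C=CH, O=Example Org, CN=sun.example.org" \
        --san sun.example.org --password "change-me" \
        --digest sha256 > sunReq.der
    ipsec pki --issue --in sunReq.der --type pkcs10 \
        --cacert caCert.der --cakey caKey.der \
        --dn "C=CH, O=Example Org, CN=sun.example.org" \
        --lifetime 730 --digest sha256 > sunCert.der

    # 4. Key identifiers of private key and certificate: the
    #    subjectKeyIdentifier lines must match, otherwise the wrong key
    #    was certified.
    ipsec pki --keyid --in moonKey.der --type ecdsa-priv
    ipsec pki --keyid --in moonCert.der --type x509
)

# Verify an end-entity certificate ($1) against the CA certificate ($2);
# the exit status of `ipsec pki --verify` is passed through to the caller.
verify_cert() {
    ipsec pki --verify --in "$1" --cacert "$2"
}

# Usage:
#   build_pki /tmp/pki && verify_cert /tmp/pki/moonCert.der /tmp/pki/caCert.der
```

Two things worth noting when adapting this: the challengePassword given with `--password` is visible to other users in the process list and ends up in shell history, so on a shared host read it via `--options` from a file with restrictive permissions instead; and `--verify` without `--cacert` only checks that a certificate is a valid self-signature, so always pass the CA certificate when validating an issued one.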