Andreas Steffen, 16.09.2009 09:56
Added links to IpsecPKIxxx pages
ipsec pki
Synopsis
ipsec pki --gen (-g) generate a new private key
ipsec pki --pub (-p) extract the public key from a private key/certificate
ipsec pki --req (-r) create a PKCS#10 certificate request
ipsec pki --self (-s) create a self signed certificate
ipsec pki --issue (-i) issue a certificate using a CA certificate and key
ipsec pki --keyid (-k) calculate key identifiers of a key/certificate
ipsec pki --verify (-v) verify a certificate using the CA certificate
ipsec pki --help (-h) show usage information
Description
The ipsec pki command suite allows you to run a simple public key infrastructure. It generates RSA and ECDSA key pairs, creates PKCS#10 certificate requests containing subjectAltNames, creates X.509 self-signed end entity and root CA certificates, and issues end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates, and compute two kinds of SHA1-based key IDs.
- ipsec pki --gen
- ipsec pki --pub
- ipsec pki --req
- ipsec pki --self
- ipsec pki --issue
- ipsec pki --keyid
- ipsec pki --verify
ipsec pki --gen
pki --gen [--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]
--help (-h) show usage information
--type (-t) type of key, default: rsa
--size (-s) key length in bits, default: rsa 2048, ecdsa 384
--outform (-f) encoding of generated private key
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
Examples
- Generate a 3072 bit RSA private key
pki --gen --size 3072 > myKey.der
- Generate a 256 bit ECDSA private key
pki --gen --type ecdsa --size 256 > myKey.der
ipsec pki --pub
pki --pub [--in file] [--type rsa|ecdsa|pkcs10|x509] [--outform der|pem|pgp]
--help (-h) show usage information
--in (-i) input file, default: stdin
--type (-t) type of credential, default: rsa
--outform (-f) encoding of extracted public key
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
Examples
- Extract the public key from an RSA private key
pki --pub --in myKey.der > myPub.der
- Extract the public key from an ECDSA private key
pki --pub --in myKey.der --type ecdsa > myPub.der
- Extract the public key from a PKCS#10 certificate request
pki --pub --in myReq.der --type pkcs10 > myPub.der
- Extract the public key from an X.509 certificate
pki --pub --in myCert.der --type x509 > myPub.der
ipsec pki --req
pki --req [--in file] [--type rsa|ecdsa] --dn distinguished-name
[--san subjectAltName]+ [--password challengePassword]
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) private key input file, default: stdin
--type (-t) type of input key, default: rsa
--dn (-d) subject distinguished name
--san (-a) subjectAltName to include in cert request
--password (-p) challengePassword to include in cert request
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
Examples
- Generate a certificate request for an RSA public key
pki --req --in myKey.der --dn "C=CH, O=strongSwan, CN=moon" > myReq.der
- Generate a certificate request for an ECDSA public key
pki --req --in myKey.der --type ecdsa --dn "C=CH, O=strongSwan, CN=carol" --digest sha256 > myReq.der
- Create an options file supporting ECDSA keys with SHA256 digests (one option per line, read later via --options)
cat > req.opt <<EOF
--type ecdsa
--digest sha256
EOF
- Generate a certificate request for an ECDSA public key including a subjectAltName
pki --req --options req.opt --in myKey.der --dn "C=CH, O=strongSwan, CN=carol" --san carol@strongswan.org > myReq.der
ipsec pki --self
pki --self [--in file] [--type rsa|ecdsa] --dn distinguished-name
[--san subjectAltName]+ [--lifetime days] [--serial hex]
[--ca] [--ocsp uri]+
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) private key input file, default: stdin
--type (-t) type of input key, default: rsa
--dn (-d) subject and issuer distinguished name
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1080
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
Examples
- Generate a self-signed certificate for an RSA public key
pki --self --in myKey.der --dn "C=CH, O=strongSwan, CN=moon" > myCert.der
ipsec pki --issue
pki --issue [--in file] [--type pub|pkcs10] --cacert file --cakey file --dn subject-dn
[--san subjectAltName]+ [--lifetime days] [--serial hex]
[--ca] [--crl uri]+ [--ocsp uri]+
[--digest md5|sha1|sha224|sha256|sha384|sha512]
--help (-h) show usage information
--in (-i) public key/request file to issue, default: stdin
--type (-t) type of input, default: pub
--cacert (-c) CA certificate file
--cakey (-k) CA private key file
--dn (-d) distinguished name to include as subject
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1080
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--crl (-u) CRL distribution point URI to include
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --keyid
pki --keyid [--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]
--help (-h) show usage information
--in (-i) input file, default: stdin
--type (-t) type of key, default: rsa-priv
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
ipsec pki --verify
pki --verify [--in file] [--cacert file]
--help (-h) show usage information
--in (-i) X.509 certificate to verify, default: stdin
--cacert (-c) CA certificate, default: verify self-signed
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
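The --issue section above has no example of its own, so here is an added, complete two-tier workflow (not code from the strongSwan wiki) that chains the subcommands: a self-signed root CA, an end entity request with a subjectAltName, issuance with CRL and OCSP pointers, and a final --verify and --keyid check. It assumes the tool is reachable as "ipsec pki"; the output directory, DNs and the CRL/OCSP URIs are constructed placeholders, and PKI_DRY_RUN=1 only prints the command lines.

```shell
#!/bin/sh
# Added example, not part of the strongSwan wiki page: a two-tier PKI built
# only with the ipsec pki subcommands documented above. The CA key is RSA
# because --issue offers no option to state the CA key type; the host key is
# ECDSA and reaches --issue inside the PKCS#10 request. PKI_DRY_RUN=1 prints
# the commands instead of running them (no ipsec installation needed).
set -eu

PKI="${PKI:-ipsec pki}"        # assumption: the tool is reachable this way
OUT="${PKI_OUT:-./pki-demo}"   # constructed output directory
CRL_URI="http://crl.example.com/strongswan.crl"   # placeholder URIs
OCSP_URI="http://ocsp.example.com"

# run: execute one command line, or only print it in dry-run mode.
run() {
  if [ "${PKI_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else sh -c "$*"; fi
}

pki_demo() {
  run "mkdir -p $OUT"
  # 1. Root CA: RSA key and self-signed certificate with the CA basicConstraint
  run "$PKI --gen --size 3072 > $OUT/caKey.der"
  run "$PKI --self --in $OUT/caKey.der --dn 'C=CH, O=strongSwan, CN=Demo Root CA'" \
      "--ca --lifetime 3650 --digest sha256 > $OUT/caCert.der"
  # 2. End entity: ECDSA key and PKCS#10 request carrying a subjectAltName
  run "$PKI --gen --type ecdsa --size 256 > $OUT/moonKey.der"
  run "$PKI --req --in $OUT/moonKey.der --type ecdsa" \
      "--dn 'C=CH, O=strongSwan, CN=moon.strongswan.org' --san moon.strongswan.org" \
      "--digest sha256 > $OUT/moonReq.der"
  # 3. The CA issues the certificate from the request; subject DN and SAN are
  #    given on the command line as the --issue synopsis requires, together
  #    with the CRL distribution point and OCSP URI relying parties will use.
  run "$PKI --issue --in $OUT/moonReq.der --type pkcs10" \
      "--cacert $OUT/caCert.der --cakey $OUT/caKey.der" \
      "--dn 'C=CH, O=strongSwan, CN=moon.strongswan.org' --san moon.strongswan.org" \
      "--lifetime 365 --crl $CRL_URI --ocsp $OCSP_URI --digest sha256 > $OUT/moonCert.der"
  # 4. Checks: chain the new certificate to the CA and compute its key IDs
  run "$PKI --verify --in $OUT/moonCert.der --cacert $OUT/caCert.der"
  run "$PKI --keyid --in $OUT/moonCert.der --type x509"
}

# Execute only when the tool is present or when merely printing the commands.
if [ "${PKI_DRY_RUN:-0}" = 1 ] || command -v ipsec >/dev/null 2>&1; then
  pki_demo
fi
```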