Andreas Steffen, 12.09.2009 06:37
missing newline


ipsec pki

Synopsis

pki --gen    generate a new private key
pki --pub    extract the public key from a private key/certificate
pki --keyid  calculate key identifiers of a key/certificate
pki --self   create a self signed certificate
pki --issue  issue a certificate using a CA certificate and key
pki --verify verify a certificate using the CA certificate
pki --help   show usage information

ipsec pki --gen

pki --gen [--type rsa|ecdsa] [--size bits] [--outform der|pem|pgp]

           --help     show usage information
           --type     type of key, default: rsa
           --size     keylength in bits, default: rsa 2048, ecdsa 384
           --outform  encoding of generated private key

ipsec pki --pub

pki --pub [--in file] [--type rsa|ecdsa|x509] [--outform der|pem|pgp]

           --help     show usage information
           --in       input file, default: stdin
           --type     type of credential, default: rsa
           --outform  encoding of extracted public key

ipsec pki --keyid

pki --keyid [--in file] [--type rsa-priv|ecdsa-priv|pub|x509]

           --help     show usage information
           --in       input file, default: stdin
           --type     type of key, default: rsa-priv

ipsec pki --self

 pki --self [--in file] [--type rsa|ecdsa] --dn distinguished-name [--san subjectAltName] [--lifetime days] \
            [--serial hex] [--ca] [--ocsp URI] [--digest md5|sha1|sha224|sha256|sha384|sha512] [--options file]

          --help     show usage information
          --in       private key input file, default: stdin
          --type     type of input key, default: rsa
          --dn       subject and issuer distinguished name
          --san      subjectAltName to include in certificate
          --lifetime days the certificate is valid, default: 1080
          --serial   serial number in hex, default: random
          --ca       include CA basicConstraint, default: no
          --ocsp     OCSP AuthorityInfoAccess URI to include
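          --digest   digest for signature creation, default: sha1
                     (md5 and sha1 are no longer collision-resistant; pass
                     --digest sha256 or stronger when creating new certificates)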
          --options  read command line options from file

ipsec pki --issue

pki --issue [--in file] [--type pub|pkcs10] --cacert file --cakey file --dn subject-dn [--san subjectAltName] [--lifetime days] \
            [--serial hex] [--ca] [--crl uri]+ [--ocsp URI] [--digest md5|sha1|sha224|sha256|sha384|sha512] [--options file]

         --help     show usage information
         --in       public key/request file to issue, default: stdin
         --type     type of input, default: pub
         --cacert   CA certificate file
         --cakey    CA private key file
         --dn       distinguished name to include as subject
         --san      subjectAltName to include in certificate
         --lifetime days the certificate is valid, default: 1080
         --serial   serial number in hex, default: random
         --ca       include CA basicConstraint, default: no
         --crl      CRL distribution point URI to include
         --ocsp     OCSP AuthorityInfoAccess URI to include
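         --digest   digest for signature creation, default: sha1
                    (md5 and sha1 are no longer collision-resistant; pass
                    --digest sha256 or stronger when issuing new certificates)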
         --options  read command line options from file

ipsec pki --verify

pki --verify [--in file] [--cacert file]

         --help     show usage information
         --in       x509 certificate to verify, default: stdin
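         --cacert   CA certificate, default: verify self signed
                    (without --cacert only the certificate's own signature is
                    checked, which does not establish trust in an issuer)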