ipsec pki --self
Synopsis
pki --self [--in file | --keyid hex] [--type rsa|ecdsa]
    --dn distinguished-name [--san subjectAltName]+
    [--lifetime days] [--serial hex] [--ca] [--ocsp uri]+
    [--flag serverAuth|clientAuth|crlSign|ocspSigning]+
    [--nc-permitted name] [--nc-excluded name]
    [--cert-policy oid [--cps-uri uri] [--user-notice text] ]+
    [--policy-map issuer-oid:subject-oid]
    [--policy-explicit len] [--policy-inhibit len] [--policy-any len]
    [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]
--help             (-h)  show usage information
--in               (-i)  private key input file, default: stdin
--keyid            (-x)  keyid on smartcard of private key
--type             (-t)  type of input key, default: rsa
--dn               (-d)  subject and issuer distinguished name
--san              (-a)  subjectAltName to include in certificate
--lifetime         (-l)  days the certificate is valid, default: 1095
--serial           (-s)  serial number in hex, default: random
--ca               (-b)  include CA basicConstraint, default: no
--pathlen          (-p)  set path length constraint
--nc-permitted     (-n)  add permitted NameConstraint
--nc-excluded      (-N)  add excluded NameConstraint
--cert-policy      (-P)  certificatePolicy OID to include
--cps-uri          (-C)  Certification Practice statement URI for certificatePolicy
--user-notice      (-U)  user notice for certificatePolicy
--policy-mapping   (-M)  policyMapping from issuer to subject OID
--policy-explicit  (-E)  requireExplicitPolicy constraint
--policy-inhibit   (-H)  inhibitPolicyMapping constraint
--policy-any       (-A)  inhibitAnyPolicy constraint
--flag             (-e)  include extendedKeyUsage flag
--ocsp             (-o)  OCSP AuthorityInfoAccess URI to include
--digest           (-g)  digest for signature creation, default: sha1
--outform          (-f)  encoding of generated cert, default: der
--debug            (-v)  set debug level, default: 1
--options          (-+)  read command line options from file
Description
Generate an X.509 self-signed certificate.
Examples
- Generate a self-signed certificate for an RSA public key:
    pki --self --in myKey.der --dn "C=CH, O=strongSwan, CN=moon" > myCert.der
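The option list gives sha1 as the default --digest and still accepts md5, so a self-signed certificate that will act as a trust anchor should set the digest explicitly. The wrapper below is an added example, not part of the strongSwan documentation: make_self_ca, digest_ok, the PKI variable and the file names are assumptions, and it passes only options listed above.

```shell
#!/bin/sh
# Added example (not from the strongSwan documentation): issue a self-signed
# CA certificate with `pki --self`, overriding the sha1 default digest.
# Only options listed in the reference above are used. PKI, make_self_ca,
# digest_ok and the file names are assumptions of this example.

# Policy of this example: md5 and sha1 are refused; other listed digests pass.
digest_ok() {
    case "$1" in
        sha224|sha256|sha384|sha512) return 0 ;;
        *) return 1 ;;  # md5, sha1, or a value the synopsis does not list
    esac
}

# make_self_ca KEYFILE DN [DAYS] [DIGEST]
# Writes a PEM certificate to stdout; returns non-zero without calling pki
# when an argument fails validation.
make_self_ca() {
    ca_key=$1
    ca_dn=$2
    ca_days=${3:-1095}      # same default lifetime as pki
    ca_digest=${4:-sha256}  # pki itself would default to sha1

    if [ -z "$ca_key" ] || [ -z "$ca_dn" ]; then
        echo "usage: make_self_ca KEYFILE DN [DAYS] [DIGEST]" >&2
        return 2
    fi
    if ! digest_ok "$ca_digest"; then
        echo "refusing signature digest: $ca_digest" >&2
        return 1
    fi
    case "$ca_days" in
        ''|*[!0-9]*|0*) echo "lifetime must be a positive whole number of days" >&2
                        return 1 ;;
    esac

    # PKI may point at the pki binary; it defaults to `pki` on PATH.
    # --type rsa matches the documented default; change it for ECDSA keys.
    "${PKI:-pki}" --self --ca --in "$ca_key" --type rsa --dn "$ca_dn" \
        --lifetime "$ca_days" --digest "$ca_digest" --outform pem
}

# Run directly: sh self_ca.sh myKey.der "C=CH, O=strongSwan, CN=moon" > caCert.pem
if [ "$#" -ge 2 ]; then
    make_self_ca "$@"
fi
```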