Version 9 (Andreas Steffen, 07.02.2011 20:12) → Version 10/21 (Tobias Brunner, 14.08.2013 17:16)

h1. ipsec pki --issue

h2. Synopsis

pki --issue [--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex
            --cacert file [--dn subject-dn] [--san subjectAltName]+
            [--lifetime days] [--serial hex] [--ca] [--pathlen len]
            [--flag serverAuth|clientAuth|crlSign|ocspSigning]+
            [--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]
            [--nc-excluded name] [--policy-map issuer-oid:subject-oid]
            [--policy-explicit len] [--policy-inhibit len] [--policy-any len]
            [--cert-policy oid [--cps-uri uri] [--user-notice text]]+
            [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

--help (-h) show usage information
--in (-i) public key/request file to issue, default: stdin
--type (-t) type of input, default: pub
--cacert (-c) CA certificate file
--cakey (-k) CA private key file
--cakeyid (-x) keyid on smartcard of CA private key
--dn (-d) distinguished name to include as subject
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1095
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--pathlen (-p) set path length constraint
--nc-permitted (-n) add permitted NameConstraint
--nc-excluded (-N) add excluded NameConstraint
--cert-policy (-P) certificatePolicy OID to include
--cps-uri (-C) Certification Practice statement URI for certificatePolicy
--user-notice (-U) user notice for certificatePolicy
--policy-mapping (-M) policyMapping from issuer to subject OID
--policy-explicit (-E) requireExplicitPolicy constraint
--policy-inhibit (-H) inhibitPolicyMapping constraint
--policy-any (-A) inhibitAnyPolicy constraint
--flag (-e) include extendedKeyUsage flag
--crl (-u) CRL distribution point URI to include
--crlissuer (-I) CRL Issuer for CRL at distribution point
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--outform (-f) encoding of generated cert, default: der
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file

h2. Description

Issue an X.509 certificate signed with a CA's private key.

h2. Examples

* Create an options file to save repetitive typing work

cat > pki.opt
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10

* Issue a CA-signed certificate based on a PKCS10 certificate request

pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
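
Because @--digest@ defaults to sha1 and also accepts md5, an options file is worth checking before it is used for issuing. The following is an added example, not part of the original wiki page or of strongSwan: @check_pki_opts@ and its 1460-day limit are hypothetical, and it assumes whitespace-separated options as in pki.opt above.

```shell
#!/bin/sh
# Added example: audit a pki --options file before using it to issue certs.
# Assumption: options are whitespace-separated tokens, as in pki.opt above.
# MAX_DAYS (default 1460) is a hypothetical local policy limit.

# check_pki_opts FILE [MAX_DAYS]
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_pki_opts() {
    file=$1 max_days=${2:-1460} digest='' lifetime='' prev='' rc=0
    set -f                          # no globbing while splitting tokens
    for tok in $(cat "$file"); do
        case $prev in               # value follows its option name
            --digest|-g)   digest=$tok ;;
            --lifetime|-l) lifetime=$tok ;;
        esac
        prev=$tok
    done
    set +f
    case $digest in
        '')       echo "no --digest given: pki falls back to sha1"; rc=1 ;;
        md5|sha1) echo "weak signature digest: $digest"; rc=1 ;;
        sha224|sha256|sha384|sha512) ;;
        *)        echo "unknown digest: $digest"; rc=1 ;;
    esac
    case $lifetime in
        '') ;;                      # documented default of 1095 days applies
        *[!0-9]*) echo "lifetime is not a number: $lifetime"; rc=1 ;;
        *) if [ "$lifetime" -gt "$max_days" ]; then
               echo "lifetime $lifetime exceeds $max_days days"; rc=1
           fi ;;
    esac
    return $rc
}

# Constructed sample input: the page's pki.opt and a copy without --digest.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '--cacert caCert.der --cakey caKey.der --digest sha256' \
    '--flag serverAuth --lifetime 1460' '--type pkcs10' > "$tmp/pki.opt"
printf '%s\n' '--cacert caCert.der --cakey caKey.der' \
    '--type pkcs10' > "$tmp/weak.opt"
check_pki_opts "$tmp/pki.opt"  && echo "pki.opt: ok"
check_pki_opts "$tmp/weak.opt" || echo "weak.opt: rejected"
```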