
Version 13 (Tobias Brunner, 26.03.2015 12:10) → Version 14/21 (Tobias Brunner, 27.08.2015 17:56)

h1. ipsec pki --issue

h2. Synopsis

pki --issue [--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex
--cacert file [--dn subject-dn] [--san subjectAltName]+
[--lifetime days] [--not-before datetime] [--not-after datetime] [--dateform form]
[--serial hex] [--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+
[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]
[--nc-excluded name] [--policy-map issuer-oid:subject-oid]
[--policy-explicit len] [--policy-inhibit len] [--policy-any len]
[--cert-policy oid [--cps-uri uri] [--user-notice text]]+
[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

--help (-h) show usage information
--in (-i) public key/request file to issue, default: stdin
--type (-t) type of input, default: pub
--cacert (-c) CA certificate file
--cakey (-k) CA private key file
--cakeyid (-x) keyid on smartcard of CA private key
--dn (-d) distinguished name to include as subject
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1095
--not-before (-F) absolute time when the validity of the certificate begins
--not-after (-T) absolute time when the validity of the certificate ends
--dateform (-D) strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--pathlen (-p) set path length constraint
--nc-permitted (-n) add permitted NameConstraint
--nc-excluded (-N) add excluded NameConstraint
--cert-policy (-P) certificatePolicy OID to include
--cps-uri (-C) Certification Practice Statement (CPS) URI for certificatePolicy
--user-notice (-U) user notice for certificatePolicy
--policy-map (-M) policyMapping from issuer to subject OID
--policy-explicit (-E) requireExplicitPolicy constraint
--policy-inhibit (-H) inhibitPolicyMapping constraint
--policy-any (-A) inhibitAnyPolicy constraint
--flag (-e) include extendedKeyUsage flag
--crl (-u) CRL distribution point URI to include
--crlissuer (-I) CRL Issuer for CRL at distribution point
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: key-specific
--outform (-f) encoding of generated cert, default: der
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file

h2. Description

Issue an X.509 certificate signed with a CA's private key.

By default the input read from @--in@ is the public key to certify, and @--dn@ is then required. With @--type pkcs10@ the input is a PKCS#10 certificate request: its subject is used unless @--dn@ is given, and its subjectAltNames are included in addition to any given with @--san@. Since version:5.3.3 @--in@ also accepts private keys if @--type@ is set appropriately (@rsa@, @ecdsa@ or @bliss@); the public key is extracted from the private key and certified.

Keep the default random @--serial@ unless serial numbers are tracked elsewhere: a CRL identifies a revoked certificate by issuer and serial number, so two certificates issued by the same CA must never share a serial. @md5@ and @sha1@ are accepted for @--digest@ only for compatibility with old peers; use @sha256@ or stronger for new certificates.

h2. Examples

* Create an options file to save repetitive typing work

cat > pki.opt <<EOF
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10
EOF

* Issue a CA-signed certificate based on a PKCS#10 certificate request

pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
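The following script, added here as a worked example and not part of the strongSwan documentation, runs the whole chain described above: it creates a root CA, issues a server certificate from a PKCS#10 request through an options file, issues a client certificate directly from a private key (the version:5.3.3 input form), and then checks both with @pki --verify@. The DNs, host names and CRL/OCSP URIs (@example.org@) are made up for the demonstration; the script needs the @pki@ tool on the PATH and exits without doing anything otherwise.

```shell
#!/bin/sh
# Added example: end-to-end use of pki --issue (not strongSwan's own code).
# All names, DNs and URIs below are invented for the demonstration.
set -eu

# The script only makes sense where strongSwan's pki tool is installed.
command -v pki >/dev/null 2>&1 || { echo "pki not found; install strongswan-pki" >&2; exit 0; }

DEMO_DIR="$(mktemp -d)"
cd "$DEMO_DIR"

# Verify a certificate against one CA certificate; exit status 0 means trusted.
verify_against() {
    pki --verify --in "$1" --cacert "$2" >/dev/null 2>&1
}

# 1. Root CA: private key plus self-signed certificate with the CA basicConstraint.
pki --gen --type rsa --size 2048 --outform pem > caKey.pem
pki --self --ca --lifetime 3650 --digest sha256 --type rsa --in caKey.pem \
    --dn "C=CH, O=Example Corp, CN=Example Root CA" --outform pem > caCert.pem

# 2. Server key and a PKCS#10 request that already carries subject and SAN.
pki --gen --type rsa --size 2048 --outform pem > moonKey.pem
pki --req --type rsa --in moonKey.pem --digest sha256 \
    --dn "C=CH, O=Example Corp, CN=moon.example.org" \
    --san moon.example.org --outform pem > moonReq.pem

# 3. Options shared by every certificate this CA issues. Note that --serial is
#    left out on purpose so the default random serial is used.
cat > pki.opt <<'EOF'
--cacert caCert.pem --cakey caKey.pem --digest sha256
--flag serverAuth --lifetime 730
--crl http://crl.example.org/ca.crl
--ocsp http://ocsp.example.org
EOF

# 4. Issue the server certificate. With --type pkcs10 the subject and the SAN
#    come from the request; --san here adds a second name to the certificate.
pki --issue --options pki.opt --type pkcs10 --in moonReq.pem \
    --san moon.example.net --outform pem > moonCert.pem

# 5. Since 5.3.3 a private key may be given directly; pki extracts and certifies
#    its public key. Here a client certificate is issued that way.
pki --gen --type rsa --size 2048 --outform pem > carolKey.pem
pki --issue --cacert caCert.pem --cakey caKey.pem --digest sha256 --lifetime 365 \
    --type rsa --in carolKey.pem \
    --dn "C=CH, O=Example Corp, CN=carol@example.org" \
    --san carol@example.org --flag clientAuth --outform pem > carolCert.pem

# 6. Inspect and verify. An unrelated CA must not be able to validate the
#    certificates, which is the check a deployment should also make.
pki --print --in moonCert.pem
pki --print --in carolCert.pem
verify_against moonCert.pem caCert.pem
verify_against carolCert.pem caCert.pem

pki --gen --type rsa --size 2048 --outform pem > otherKey.pem
pki --self --ca --type rsa --in otherKey.pem --dn "CN=Other CA" --outform pem > otherCert.pem
if verify_against moonCert.pem otherCert.pem; then
    echo "ERROR: certificate verified against an unrelated CA" >&2
    exit 1
fi

echo "issued and verified certificates in $DEMO_DIR"
```

The server certificate carries two DNS names because SANs from the request and from the command line are combined; when a peer authenticates with an IKE identity, that identity must match one of them. Revocation checking only works if the CRL and OCSP URIs placed in the certificate are actually served.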