pki --issue » History » Version 18

Tobias Brunner, 15.02.2019 09:09

h1. ipsec pki --issue

h2. Synopsis

<pre>
pki --issue [--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|bliss] --cakey file|--cakeyid hex
            --cacert file [--dn subject-dn] [--san subjectAltName]+
            [--lifetime days] [--not-before datetime] [--not-after datetime] [--dateform form]
            [--serial hex] [--ca] [--pathlen len] [--addrblock addr|subnet|range]+
            [--flag serverAuth|clientAuth|crlSign|ocspSigning]+
            [--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]
            [--nc-excluded name] [--policy-map issuer-oid:subject-oid]
            [--policy-explicit len] [--policy-inhibit len] [--policy-any len]
            [--cert-policy oid [--cps-uri uri] [--user-notice text]]+
            [--digest md5|sha1|sha224|sha256|sha384|sha512] [--rsa-padding pkcs1|pss]
            [--outform der|pem]

           --help            (-h)  show usage information
           --in              (-i)  key/request file to issue, default: stdin
           --type            (-t)  type of input, default: pub
           --cacert          (-c)  CA certificate file
           --cakey           (-k)  CA private key file
           --cakeyid         (-x)  smartcard or TPM CA private key object handle
           --dn              (-d)  distinguished name to include as subject
           --san             (-a)  subjectAltName to include in certificate
           --lifetime        (-l)  days the certificate is valid, default: 1095
           --not-before      (-F)  absolute time when the validity of the certificate begins
           --not-after       (-T)  absolute time when the validity of the certificate ends
           --dateform        (-D)  strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
           --serial          (-s)  serial number in hex, default: random
           --ca              (-b)  include CA basicConstraint, default: no
           --pathlen         (-p)  set path length constraint
           --addrblock       (-B)  RFC 3779 addrBlock to include
           --nc-permitted    (-n)  add permitted NameConstraint
           --nc-excluded     (-N)  add excluded NameConstraint
           --cert-policy     (-P)  certificatePolicy OID to include
           --cps-uri         (-C)  Certification Practice statement URI for certificatePolicy
           --user-notice     (-U)  user notice for certificatePolicy
           --policy-mapping  (-M)  policyMapping from issuer to subject OID
           --policy-explicit (-E)  requireExplicitPolicy constraint
           --policy-inhibit  (-H)  inhibitPolicyMapping constraint
           --policy-any      (-A)  inhibitAnyPolicy constraint
           --flag            (-e)  include extendedKeyUsage flag
           --crl             (-u)  CRL distribution point URI to include
           --crlissuer       (-I)  CRL Issuer for CRL at distribution point
           --ocsp            (-o)  OCSP AuthorityInfoAccess URI to include
           --digest          (-g)  digest for signature creation, default: key-specific
           --rsa-padding     (-R)  padding for RSA signatures, default: pkcs1
           --outform         (-f)  encoding of generated cert, default: der
           --debug           (-v)  set debug level, default: 1
           --options         (-+)  read command line options from file
</pre>

h2. Description

Issue an X.509 certificate signed with a CA's private key.

Since version:5.3.3 @--in@ also accepts private keys if @--type@ is set appropriately. Since version:5.5.1 the generic type @priv@ can be used to load any type of supported private key.

h2. Examples

* Create an options file to save repetitive typing work

<pre>
cat > pki.opt
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10
</pre>

* Issue a CA-signed certificate based on a PKCS10 certificate request

<pre>
pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
</pre>
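The two example steps above, carried through as a small two-tier PKI: this script is added here and is not part of the strongSwan wiki page. It goes beyond the page by also creating the CA with @pki --gen@ and @pki --self@ and the server key with @pki --pub@; all file names, the DN, the hostname, the serial and the CRL URL are assumed values.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): build a root CA and issue one
# server certificate with pki --issue driven by an options file.
# Assumed: file names caKey.der/caCert.der/pki.opt, the example DN, the CRL URL.
set -eu

# Options shared by every end-entity certificate.  Keeping the policy in one
# file makes it easy to review that leaf certificates never get --ca and
# that their lifetime stays short.
write_server_opts() {            # $1 = path of the options file to write
    cat > "$1" <<'EOF'
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 365
--crl http://crl.example.org/ca.crl
--type pub --outform der
EOF
}

# Render the pki --issue command for one host as a string, so it can be
# logged or reviewed before it is executed.
issue_cmd() {                    # $1 = hostname, $2 = serial number (hex)
    printf 'pki --issue --options pki.opt --serial %s --dn "C=CH, O=Example, CN=%s" --san %s --in %s.pub.der' \
        "$2" "$1" "$1" "$1"
}

build_demo_pki() {
    # Root CA: self-signed, --pathlen 0 so it cannot delegate to sub-CAs.
    pki --gen --type ecdsa --size 256 --outform der > caKey.der
    pki --self --type ecdsa --ca --pathlen 0 --lifetime 3650 --in caKey.der \
        --dn "C=CH, O=Example, CN=Example Root CA" --outform der > caCert.der
    # Server key pair; only the public key is handed to the CA for issuing.
    pki --gen --type ecdsa --size 256 --outform der > www.example.org.key.der
    pki --pub --type ecdsa --in www.example.org.key.der --outform der > www.example.org.pub.der
    write_server_opts pki.opt
    eval "$(issue_cmd www.example.org 1001)" > www.example.org.der
    # Inspect the result: expect no CA flag, EKU serverAuth, SAN and CRL URI.
    pki --print --in www.example.org.der
}

# Run the whole pipeline only when asked for explicitly: sh issue-demo.sh run
case "${1:-}" in run) build_demo_pki ;; esac
```

The functions can be sourced and reused; the serial is passed per host because `--serial` must be unique per issuer.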