pki --issue » History » Version 6

Andreas Steffen, 21.01.2010 00:50
support of clientAuth extendedKeyUsage flag

ipsec pki --issue


pki --issue [--in file] [--type pub|pkcs10] --cacert file --cakey file --dn subject-dn
            [--san subjectAltName]+ [--lifetime days] [--serial hex]
            [--ca] [--pathlen len] [--crl uri]+ [--ocsp uri]+
            [--flag serverAuth|clientAuth|ocspSigning]+
            [--digest md5|sha1|sha224|sha256|sha384|sha512]

           --help     (-h)  show usage information
           --in       (-i)  public key/request file to issue, default: stdin
           --type     (-t)  type of input, default: pub
           --cacert   (-c)  CA certificate file
           --cakey    (-k)  CA private key file
           --dn       (-d)  distinguished name to include as subject
           --san      (-a)  subjectAltName to include in certificate
           --lifetime (-l)  days the certificate is valid, default: 1080
           --serial   (-s)  serial number in hex, default: random
           --ca       (-b)  include CA basicConstraint, default: no
           --pathlen  (-p)  set path length constraint
           --flag     (-f)  include extendedKeyUsage flag
           --crl      (-u)  CRL distribution point URI to include
           --ocsp     (-o)  OCSP AuthorityInfoAccess URI to include
           --digest   (-g)  digest for signature creation, default: sha1
           --debug    (-v)  set debug level, default: 1
           --options  (-+)  read command line options from file


Issue an X.509 certificate signed with a CA's private key.


  • Create an options file to save repetitive typing work
    cat > pki.opt
    --cacert caCert.der --cakey caKey.der --digest sha256
    --flag serverAuth --lifetime 1460
    --type pkcs10
  • Issue a CA-signed certificate based on a PKCS10 certificate request
    pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
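To confirm which --flag values an issued certificate actually carries, the following added Python (not strongSwan code and not part of this page) decodes the extendedKeyUsage extension from a certificate's DER Extensions sequence and maps its key-purpose OIDs back to the names listed above. The byte strings are constructed samples; for a real myCert.der you would first pull the Extensions sequence out of the TBSCertificate.

```python
"""Added check: map extendedKeyUsage OIDs in an X.509 Extensions sequence
back to the names pki --issue accepts via --flag."""

EKU_OID = "2.5.29.37"
FLAG_BY_OID = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.9": "ocspSigning",
}


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Turn DER OID contents into dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def eku_flags(extensions_der):
    """Walk a DER SEQUENCE OF Extension; return the --flag names found in
    extendedKeyUsage (unknown OIDs are returned dotted), or None if absent."""
    _, exts, _ = read_tlv(extensions_der, 0)
    pos = 0
    while pos < len(exts):
        _, ext, pos = read_tlv(exts, pos)
        _, oid, p = read_tlv(ext, 0)
        if decode_oid(oid) != EKU_OID:
            continue
        tag, value, p = read_tlv(ext, p)
        if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
            tag, value, p = read_tlv(ext, p)
        _, purposes, _ = read_tlv(value, 0)  # extnValue wraps SEQUENCE OF KeyPurposeId
        flags, q = [], 0
        while q < len(purposes):
            _, poid, q = read_tlv(purposes, q)
            flags.append(FLAG_BY_OID.get(decode_oid(poid), decode_oid(poid)))
        return flags
    return None


# Constructed sample: basicConstraints (not a CA) followed by a non-critical
# extendedKeyUsage carrying serverAuth and clientAuth.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "302A"
    "30090603551D1304023000"
    "301D0603551D2504163014 06082B06010505070301 06082B06010505070302"
)
```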