Version 6 (Andreas Steffen, 21.01.2010 00:50) → Version 7/21 (Andreas Steffen, 02.08.2010 11:22)

h1. ipsec pki --issue

h2. Synopsis

pki --issue [--in file] [--type pub|pkcs10] --cacert file --cakey file --dn subject-dn
[--san subjectAltName]+ [--lifetime days] [--serial hex]
[--ca] [--pathlen len] [--crl uri]+ [--ocsp uri]+
[--flag serverAuth|clientAuth|ocspSigning]+
[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

--help (-h) show usage information
--in (-i) public key/request file to issue, default: stdin
--type (-t) type of input, default: pub
--cacert (-c) CA certificate file
--cakey (-k) CA private key file
--dn (-d) distinguished name to include as subject
--san (-a) subjectAltName to include in certificate
--lifetime (-l) days the certificate is valid, default: 1080
--serial (-s) serial number in hex, default: random
--ca (-b) include CA basicConstraint, default: no
--pathlen (-p) set path length constraint
--flag (-e) include extendedKeyUsage flag
--crl (-u) CRL distribution point URI to include
--ocsp (-o) OCSP AuthorityInfoAccess URI to include
--digest (-g) digest for signature creation, default: sha1
--outform (-f) encoding of generated cert, default: der

--debug (-v) set debug level, default: 1
--options (-+) read command line options from file

h2. Description

Issue an X.509 certificate signed with a CA's private key.

h2. Examples

* Create an options file to save repetitive typing work

cat > pki.opt
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10

* Issue a CA-signed certificate based on a PKCS10 certificate request

pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
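
* Check which digest an options file selects before issuing. This is an added example, not part of the original page or of strongSwan. It relies on the default of sha1 documented above and flags md5 and sha1, which are no longer collision-resistant. The function names @digest_of_opts@ and @check_opts@ are hypothetical, and the options file is assumed to hold whitespace-separated options as in pki.opt above.

```shell
#!/bin/sh
# Added example: lint a pki options file for the signature digest it selects.
# Assumption: options are whitespace-separated tokens, possibly spread over
# several lines, as in the pki.opt example on this page.

# digest_of_opts FILE: print the digest pki --issue would use with FILE.
digest_of_opts() {
    awk '
        BEGIN { digest = "sha1" }            # default documented on this page
        {
            for (i = 1; i <= NF; i++) {
                if (want)                                  { digest = $i; want = 0 }
                else if ($i == "--digest" || $i == "-g")   want = 1
                else if ($i ~ /^--digest=/)                digest = substr($i, 10)
            }
        }
        END { print digest }                 # the last occurrence is reported
    ' "$1"
}

# check_opts FILE: return 0 for a SHA-2 digest, 1 for md5/sha1, 2 otherwise.
check_opts() {
    d=$(digest_of_opts "$1") || return 2
    case $d in
        sha224|sha256|sha384|sha512)
            echo "ok: $1 signs with $d"; return 0 ;;
        md5|sha1)
            echo "weak: $1 signs with $d" >&2; return 1 ;;
        *)
            echo "unknown digest '$d' in $1" >&2; return 2 ;;
    esac
}

# Constructed sample: the pki.opt from this page with --digest left out,
# so the documented sha1 default applies.
sample=$(mktemp)
printf '%s\n' '--cacert caCert.der --cakey caKey.der' \
              '--flag serverAuth --lifetime 1460' \
              '--type pkcs10' > "$sample"
check_opts "$sample" || echo "add --digest sha256 (or stronger) to the options file"
rm -f "$sample"
```

The check covers the options file only; a --digest given directly on the command line is not seen by it.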