pki --issue » History » Version 9

Andreas Steffen, 07.02.2011 20:12
updated ipsec pki --issue options

ipsec pki --issue


pki --issue [--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex
            --cacert file [--dn subject-dn] [--san subjectAltName]+
            [--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+
            [--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+
            [--nc-permitted name] [--nc-excluded name]
            [--cert-policy oid [--cps-uri uri] [--user-notice text] ]+
            [--policy-map issuer-oid:subject-oid]
            [--policy-explicit len] [--policy-inhibit len] [--policy-any len]
            [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

           --help            (-h)  show usage information
           --in              (-i)  public key/request file to issue, default: stdin
           --type            (-t)  type of input, default: pub
           --cacert          (-c)  CA certificate file
           --cakey           (-k)  CA private key file
           --cakeyid         (-x)  keyid on smartcard of CA private key
           --dn              (-d)  distinguished name to include as subject
           --san             (-a)  subjectAltName to include in certificate
           --lifetime        (-l)  days the certificate is valid, default: 1095
           --serial          (-s)  serial number in hex, default: random
           --ca              (-b)  include CA basicConstraint, default: no
           --pathlen         (-p)  set path length constraint
           --nc-permitted    (-n)  add permitted NameConstraint
           --nc-excluded     (-N)  add excluded NameConstraint
           --cert-policy     (-P)  certificatePolicy OID to include
           --cps-uri         (-C)  Certification Practice statement URI for certificatePolicy
           --user-notice     (-U)  user notice for certificatePolicy
           --policy-mapping  (-M)  policyMapping from issuer to subject OID
           --policy-explicit (-E)  requireExplicitPolicy constraint
           --policy-inhibit  (-H)  inhibitPolicyMapping constraint
           --policy-any      (-A)  inhibitAnyPolicy constraint
           --flag            (-e)  include extendedKeyUsage flag
           --crl             (-u)  CRL distribution point URI to include
           --crlissuer       (-I)  CRL Issuer for CRL at distribution point
           --ocsp            (-o)  OCSP AuthorityInfoAccess URI to include
           --digest          (-g)  digest for signature creation, default: sha1
           --outform         (-f)  encoding of generated cert, default: der
           --debug           (-v)  set debug level, default: 1
           --options         (-+)  read command line options from file


Issue an X.509 certificate signed with a CA's private key.


  • Create an options file so that the options shared by every certificate do not have to be retyped (terminate the input with Ctrl-D):
cat > pki.opt
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10
  • Issue a CA-signed certificate based on a PKCS10 certificate request, reading the shared options from the file and giving only the per-certificate values on the command line:
pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
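The two steps above, placed in the complete workflow they belong to, as an added example that is not part of the strongSwan wiki page: a throw-away test CA is created, a PKCS10 request is generated, the certificate is issued through the options file, and the result is checked against the CA before it is handed out. It assumes the strongSwan `pki` tool is on PATH; the DNs, hostnames and file names are invented.

```shell
#!/bin/sh
# Added example, not from the strongSwan wiki: the complete workflow around
# `pki --issue --options`, from a constructed test CA to a verified certificate.
# Assumes the strongSwan `pki` tool is on PATH; DNs and file names are invented.
set -eu

# Create a throw-away CA and a PKCS#10 request to sign (constructed test data).
prepare_ca_and_request() {
    pki --gen --type rsa --size 2048 --outform der > caKey.der
    pki --self --ca --in caKey.der --digest sha256 \
        --dn "C=CH, O=Example, CN=Example Test CA" --outform der > caCert.der
    pki --gen --type rsa --size 2048 --outform der > myKey.der
    pki --req --in myKey.der --digest sha256 \
        --dn "C=CH, O=Example, CN=vpn.example.test" \
        --san vpn.example.test --outform der > myReq.der
}

# Options shared by every certificate this CA issues. pki reads the file as
# whitespace-separated tokens, so they can be spread over several lines.
write_options_file() {
    cat > pki.opt <<'EOF'
--cacert caCert.der --cakey caKey.der --digest sha256
--flag serverAuth --lifetime 1460
--type pkcs10
EOF
}

# Issue with the shared options, passing only per-certificate values on the
# command line, then check the chain and the contents before handing it out.
issue_and_verify() {
    pki --issue --options pki.opt --serial 01 --in myReq.der > myCert.der
    pki --verify --in myCert.der --cacert caCert.der > /dev/null
    pki --print --in myCert.der > myCert.txt
    grep -q 'CN=vpn.example.test' myCert.txt       # subject taken from the request
    grep -q 'serverAuth' myCert.txt                # EKU flag from the options file
}

run_demo() {
    workdir=$(mktemp -d)
    cd "$workdir"
    prepare_ca_and_request
    write_options_file
    issue_and_verify
    echo "issued and verified: $workdir/myCert.der"
}

# Stand-alone run; skipped when pki is not installed so the functions stay usable elsewhere.
if command -v pki > /dev/null 2>&1; then run_demo; else echo "pki not found on PATH" >&2; fi
```

If `pki --verify` fails or either `grep` finds nothing, the script stops with a non-zero status, so it can be dropped into an issuance pipeline as a gate.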