pki --signcrl » History » Version 1

Martin Willi, 23.07.2010 16:47

ipsec pki --signcrl

  pki --signcrl --cacert file --cakey file --lifetime days
                [ [--reason key-compromise|ca-compromise|affiliation-changed|
                   superseded|cessation-of-operation|certificate-hold]
                  [--date timestamp]
                   --cert file | --serial hex ]*
                [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

        --help     (-h)  show usage information
        --cacert   (-c)  CA certificate file
        --cakey    (-k)  CA private key file
        --lifetime (-l)  days the CRL gets a nextUpdate, default: 15
        --lastcrl  (-a)  CRL of lastUpdate to copy revocations from
        --cert     (-z)  certificate file to revoke
        --serial   (-s)  hex encoded certificate serial number to revoke
        --reason   (-r)  reason for certificate revocation
        --date     (-d)  revocation date as unix timestamp, default: now
        --digest   (-g)  digest for signature creation, default: sha1
        --outform  (-f)  encoding of generated crl, default: der
        --debug    (-v)  set debug level, default: 1
        --options  (-+)  read command line options from file


Create a certificate revocation list.


  • Revoke a certificate:
      ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
  • Update an existing CRL with two new revocations, identified by the certificates' serial numbers and given without a reason:
      ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
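After issuing or updating a CRL as above, the natural check is to read the file back and confirm that the expected serials, reasons and the nextUpdate derived from --lifetime actually ended up in it. The following Python script is an added example, not strongSwan's own code: a minimal DER walker that extracts exactly those fields from a CRL file such as crl.der, plus a small encoder that builds a constructed sample CRL (placeholder issuer name and signature bytes, no real signature) so the script runs offline. The function names, the sample serials 0x0123 and 0x0345 and the 15-day lifetime mirror the examples on this page; the reason names follow the --reason spellings listed in the usage text.

```python
"""Added example (not strongSwan's code): inspect a DER-encoded CRL such as the
crl.der written by `pki --signcrl`, listing each revoked serial, its revocation
date and reason, and checking whether the CRL is still within nextUpdate.
Only the CRL fields needed here are parsed; the signature is not verified.
The sample CRL built below is constructed for this example."""
import datetime

# CRLReason codes from RFC 5280, named as pki --signcrl --reason spells them
REASONS = {0: "unspecified", 1: "key-compromise", 2: "ca-compromise",
           3: "affiliation-changed", 4: "superseded",
           5: "cessation-of-operation", 6: "certificate-hold"}
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CRL_REASON = bytes.fromhex("551d15")              # 2.5.29.21 cRLReasons

# --- minimal DER helpers ---
def der(tag, body):
    """Encode one TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    # one extra byte keeps the top bit clear so the INTEGER stays positive
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_time(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime

def tlv(buf, pos):
    """Decode the header at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln

def children(buf, start, end):
    """All TLVs directly inside [start, end)."""
    out, pos = [], start
    while pos < end:
        out.append(tlv(buf, pos))
        pos = out[-1][2]
    return out

def parse_time(buf, tag, vs, ve):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(buf[vs:ve].decode(), fmt)

def entry_reason(buf, exts):
    """Find the cRLReasons extension among a CRL entry's extensions."""
    for _, xs, xe in children(buf, exts[1], exts[2]):
        parts = children(buf, xs, xe)              # OID, [critical BOOLEAN], OCTET STRING
        if buf[parts[0][1]:parts[0][2]] == OID_CRL_REASON:
            _, rs, _ = tlv(buf, parts[-1][1])      # ENUMERATED inside the OCTET STRING
            return REASONS.get(buf[rs], "code(%d)" % buf[rs])
    return None

def parse_crl(crl):
    """Return version, thisUpdate, nextUpdate and the revoked entries of a DER CRL."""
    _, s, e = tlv(crl, 0)                          # CertificateList
    tbs, _sig_alg, _sig = children(crl, s, e)
    f = children(crl, tbs[1], tbs[2])              # TBSCertList fields
    i, version = 0, 1
    if f[0][0] == 0x02:                            # optional version INTEGER (v2 encodes as 1)
        version, i = crl[f[0][2] - 1] + 1, 1
    i += 2                                         # skip signature AlgorithmIdentifier and issuer Name
    this_update = parse_time(crl, *f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update = parse_time(crl, *f[i]); i += 1
    revoked = []
    if i < len(f) and f[i][0] == 0x30:             # revokedCertificates SEQUENCE OF
        for _, es, ee in children(crl, f[i][1], f[i][2]):
            parts = children(crl, es, ee)          # serial, revocationDate, [crlEntryExtensions]
            revoked.append({
                "serial": int.from_bytes(crl[parts[0][1]:parts[0][2]], "big", signed=True),
                "date": parse_time(crl, *parts[1]),
                "reason": entry_reason(crl, parts[2]) if len(parts) > 2 else None})
    return {"version": version, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def is_revoked(info, serial_hex):
    """serial_hex in the form pki --serial takes, e.g. "0123"."""
    return any(r["serial"] == int(serial_hex, 16) for r in info["revoked"])

def is_current(info, at):
    """A relying party must fetch a fresh CRL once nextUpdate has passed."""
    return info["next_update"] is None or at <= info["next_update"]

def build_sample_crl():
    """Constructed sample mirroring the page's examples: serial 0x0123 revoked as
    superseded, 0x0345 revoked without a reason, 15-day lifetime."""
    now = datetime.datetime(2010, 7, 23, 16, 47, 0)
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))  # CN=
                                    + der(0x0c, b"Example CA"))))
    reason_ext = der(0x30, der(0x30, der(0x06, OID_CRL_REASON)
                               + der(0x04, der(0x0a, bytes([4])))))  # superseded
    entries = der(0x30, der(0x30, der_int(0x0123) + der_time(now) + reason_ext)
                  + der(0x30, der_int(0x0345) + der_time(now)))
    tbs = der(0x30, der_int(1) + alg + issuer + der_time(now)
              + der_time(now + datetime.timedelta(days=15)) + entries)
    signature = der(0x03, b"\x00" * 33)            # placeholder BIT STRING, not a real signature
    return der(0x30, tbs + alg + signature)

if __name__ == "__main__":
    info = parse_crl(build_sample_crl())           # replace with open("crl.der", "rb").read()
    print("CRL v%d, nextUpdate %s" % (info["version"], info["next_update"]))
    for r in info["revoked"]:
        print("  serial %x revoked %s reason %s" % (r["serial"], r["date"], r["reason"]))
```

To inspect a real file, pass the bytes of crl.der to parse_crl instead of the constructed sample. The is_current check is the operational point behind --lifetime: a CRL whose nextUpdate has passed is stale for relying parties, so the CA must re-sign it (with --lastcrl to carry the existing revocations forward) before that date.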