pki --signcrl » History » Version 2

Tobias Brunner, 22.10.2012 16:05

h1. ipsec pki --signcrl

h2. Synopsis

<pre>
  pki --signcrl --cacert file --cakey file --lifetime days
              [  [--reason key-compromise|ca-compromise|affiliation-changed|
                           superseded|cessation-of-operation|certificate-hold]
                 [--date timestamp]
                  --cert file | --serial hex ]*
              [--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]

        --help     (-h)  show usage information
        --cacert   (-c)  CA certificate file
        --cakey    (-k)  CA private key file
        --lifetime (-l)  days the CRL gets a nextUpdate, default: 15
        --lastcrl  (-a)  CRL of lastUpdate to copy revocations from
        --cert     (-z)  certificate file to revoke
        --serial   (-s)  hex encoded certificate serial number to revoke
        --reason   (-r)  reason for certificate revocation
        --date     (-d)  revocation date as unix timestamp, default: now
        --digest   (-g)  digest for signature creation, default: sha1
        --outform  (-f)  encoding of generated crl, default: der
        --debug    (-v)  set debug level, default: 1
        --options  (-+)  read command line options from file
</pre>

h2. Description

Create and sign a certificate revocation list (CRL) using the given CA certificate and private key.

h2. Examples

* Revoke a certificate:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
</pre>

* Update an existing CRL with two new revocations, identified by certificate serial number, without a revocation reason:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
</pre>