pki --signcrl » History » Version 3

Tobias Brunner, 14.08.2013 17:27


ipsec pki --signcrl

Synopsis

  pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days]
                [[--reason key-compromise|ca-compromise|affiliation-changed|
                           superseded|cessation-of-operation|certificate-hold]
                 [--date timestamp] --cert file|--serial hex]*
                [--digest md5|sha1|sha224|sha256|sha384|sha512]
                [--outform der|pem]

        --help     (-h)  show usage information
        --cacert   (-c)  CA certificate file
        --cakey    (-k)  CA private key file
        --cakeyid  (-x)  keyid on smartcard of CA private key
        --lifetime (-l)  days the CRL gets a nextUpdate, default: 15
        --lastcrl  (-a)  CRL of lastUpdate to copy revocations from
        --basecrl  (-b)  base CRL to create a delta CRL for
        --crluri   (-u)  freshest delta CRL URI to include
        --cert     (-z)  certificate file to revoke
        --serial   (-s)  hex encoded certificate serial number to revoke
        --reason   (-r)  reason for certificate revocation
        --date     (-d)  revocation date as unix timestamp, default: now
        --digest   (-g)  digest for signature creation, default: sha1
        --outform  (-f)  encoding of generated crl, default: der
        --debug    (-v)  set debug level, default: 1
        --options  (-+)  read command line options from file

Description

Create a certificate revocation list.

Examples

  • Revoke a certificate:

    ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der

  • Update an existing CRL with two new revocations, using the certificates' serial numbers, but no reason:

    ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
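An added example, not part of this wiki page or of strongSwan itself: a small Python helper that builds the `ipsec pki --signcrl` command line from a list of revocations, keeping each `--reason`/`--date` ahead of the `--cert` or `--serial` it belongs to, as the synopsis groups them, and rejecting reason and digest values outside the lists above. The `Revocation` class, `signcrl_argv` and `write_crl` are names chosen for this example.

```python
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Accepted values, copied from the synopsis above.
REASONS = {"key-compromise", "ca-compromise", "affiliation-changed",
           "superseded", "cessation-of-operation", "certificate-hold"}
DIGESTS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

@dataclass
class Revocation:
    """One entry of the repeated [--reason] [--date] --cert|--serial group."""
    cert: Optional[str] = None    # certificate file to revoke (--cert), or ...
    serial: Optional[str] = None  # ... its hex encoded serial number (--serial)
    reason: Optional[str] = None  # one of REASONS; None leaves it unspecified
    date: Optional[int] = None    # revocation time as unix timestamp (--date)

def signcrl_argv(cacert: str, cakey: str, revocations: List[Revocation],
                 lifetime: Optional[int] = None, lastcrl: Optional[str] = None,
                 digest: Optional[str] = None) -> List[str]:
    """Build the argv for 'ipsec pki --signcrl'; raise ValueError on bad input."""
    argv = ["ipsec", "pki", "--signcrl", "--cacert", cacert, "--cakey", cakey]
    if lifetime is not None:         # days until nextUpdate (default 15)
        argv += ["--lifetime", str(lifetime)]
    if lastcrl is not None:          # carry over the previous CRL's entries
        argv += ["--lastcrl", lastcrl]
    for r in revocations:
        if (r.cert is None) == (r.serial is None):
            raise ValueError("give exactly one of cert or serial per entry")
        if r.reason is not None:     # reason and date go before their entry
            if r.reason not in REASONS:
                raise ValueError(f"unknown revocation reason {r.reason!r}")
            argv += ["--reason", r.reason]
        if r.date is not None:
            argv += ["--date", str(r.date)]
        if r.cert is not None:
            argv += ["--cert", r.cert]
        else:
            int(r.serial, 16)        # --serial must be a hex encoded number
            argv += ["--serial", r.serial]
    if digest is not None:
        if digest not in DIGESTS:
            raise ValueError(f"unsupported digest {digest!r}")
        argv += ["--digest", digest]
    return argv

def write_crl(out_path: str, **kwargs) -> None:
    """Run the command; pki writes the CRL to stdout, so redirect it to a file."""
    with open(out_path, "wb") as out:
        subprocess.run(signcrl_argv(**kwargs), stdout=out, check=True)
```

`write_crl("crl2.der", cacert="caCert.der", cakey="caKey.der", lastcrl="crl1.der", revocations=[Revocation(serial="0123"), Revocation(serial="0345")])` reproduces the second example above.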