pki --signcrl » History » Version 3

Tobias Brunner, 14.08.2013 17:27

h1. ipsec pki --signcrl

h2. Synopsis

<pre>
  pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days]
                [[--reason key-compromise|ca-compromise|affiliation-changed|
                           superseded|cessation-of-operation|certificate-hold]
                 [--date timestamp] --cert file|--serial hex]*
                [--digest md5|sha1|sha224|sha256|sha384|sha512]
                [--outform der|pem]

        --help     (-h)  show usage information
        --cacert   (-c)  CA certificate file
        --cakey    (-k)  CA private key file
        --cakeyid  (-x)  keyid on smartcard of CA private key
        --lifetime (-l)  days the CRL gets a nextUpdate, default: 15
        --lastcrl  (-a)  CRL of lastUpdate to copy revocations from
        --basecrl  (-b)  base CRL to create a delta CRL for
        --crluri   (-u)  freshest delta CRL URI to include
        --cert     (-z)  certificate file to revoke
        --serial   (-s)  hex encoded certificate serial number to revoke
        --reason   (-r)  reason for certificate revocation
        --date     (-d)  revocation date as unix timestamp, default: now
        --digest   (-g)  digest for signature creation, default: sha1
        --outform  (-f)  encoding of generated crl, default: der
        --debug    (-v)  set debug level, default: 1
        --options  (-+)  read command line options from file

</pre>

h2. Description

Create a certificate revocation list.

h2. Examples

* Revoke a certificate:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
</pre>

* Update an existing CRL with two new revocations, identifying the certificates by serial number and giving no reason:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
</pre>