pki --signcrl » History » Version 5

Tobias Brunner, 26.03.2015 12:09

h1. ipsec pki --signcrl

h2. Synopsis

<pre>
  pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days]
                [--not-before datetime] [--not-after datetime] [--dateform form]
                [[--reason key-compromise|ca-compromise|affiliation-changed|
                           superseded|cessation-of-operation|certificate-hold]
                 [--date timestamp] --cert file|--serial hex]*
                [--digest md5|sha1|sha224|sha256|sha384|sha512]
                [--outform der|pem]

        --help        (-h)  show usage information
        --cacert      (-c)  CA certificate file
        --cakey       (-k)  CA private key file
        --cakeyid     (-x)  keyid on smartcard of CA private key
        --lifetime    (-l)  days the CRL gets a nextUpdate, default: 15
        --not-before  (-F)  absolute time when the validity of the CRL begins
        --not-after   (-T)  absolute time when the validity of the CRL ends
        --dateform    (-D)  strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
        --lastcrl     (-a)  CRL of lastUpdate to copy revocations from
        --basecrl     (-b)  base CRL to create a delta CRL for
        --crluri      (-u)  freshest delta CRL URI to include
        --cert        (-z)  certificate file to revoke
        --serial      (-s)  hex encoded certificate serial number to revoke
        --reason      (-r)  reason for certificate revocation
        --date        (-d)  revocation date as unix timestamp, default: now
        --digest      (-g)  digest for signature creation, default: key-specific
        --outform     (-f)  encoding of generated crl, default: der
        --debug       (-v)  set debug level, default: 1
        --options     (-+)  read command line options from file
</pre>
h2. Description

Create a certificate revocation list (CRL) signed with the CA key given by --cakey (or --cakeyid for a key on a smartcard) and the CA certificate given by --cacert. Each revocation is specified either by the certificate file (--cert) or by its hex encoded serial number (--serial), optionally preceded by a --reason and a --date. With --lastcrl the revocations of an existing CRL are copied into the new one, so the CRL can be updated; with --basecrl a delta CRL for the given base CRL is created. The nextUpdate of the CRL is thisUpdate plus --lifetime days (default 15) unless the validity is set explicitly with --not-before and --not-after.
h2. Examples

* Revoke a certificate:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
</pre>

* Update an existing CRL with two new revocations, given by the certificates' serial numbers and without a reason:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
</pre>
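The commands above write a DER encoded CRL whose contents a relying party depends on: thisUpdate and nextUpdate (nextUpdate follows from --lifetime, default 15 days), the revoked serial numbers, and the CRLReason entry extension that --reason produces. The following Python script is an added example and is neither part of this page nor of strongSwan: it carries a minimal DER encoder used only to construct a sample CRL that mirrors the second example (serials 0123 and 0345, the first with reason superseded, with a dummy signature and the issuer name "Example CA" as assumed values), and a minimal decoder that extracts those fields and checks whether a CRL is current. Given a path to a real crl.der it prints that file's entries instead; it does not verify the signature (use pki --print or openssl crl for that) and ignores CRL-level extensions such as the delta CRL indicator.

```python
import sys
from datetime import datetime, timedelta, timezone

# CRLReason codes (RFC 5280) and the names pki --signcrl accepts for --reason
REASONS = {1: 'key-compromise', 2: 'ca-compromise', 3: 'affiliation-changed',
           4: 'superseded', 5: 'cessation-of-operation', 6: 'certificate-hold'}
REASON_CODES = {name: code for code, name in REASONS.items()}
OID_CRL_REASON = bytes.fromhex('551d15')              # 2.5.29.21
OID_SHA256_RSA = bytes.fromhex('2a864886f70d01010b')  # 1.2.840.113549.1.1.11
ONE_DAY = timedelta(days=1)

# --- minimal DER encoder, used only to construct the sample CRL ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def seq(*items):
    return tlv(0x30, b''.join(items))

def integer(n):
    # positive INTEGER; a leading 0x00 is added when the high bit is set, as DER requires
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, 'big'))

def utctime(dt):
    return tlv(0x17, dt.strftime('%y%m%d%H%M%SZ').encode())

def build_crl_der(this_update, lifetime_days, entries):
    """Constructed v2 CRL: nextUpdate = thisUpdate + lifetime, one revokedCertificates
    entry per (serial, date, reason-or-None). The signature is a dummy (assumption)."""
    alg = seq(tlv(0x06, OID_SHA256_RSA), b'\x05\x00')
    issuer = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex('550403')), tlv(0x0c, b'Example CA'))))
    revoked = b''
    for serial, date, reason in entries:
        entry = integer(serial) + utctime(date)
        if reason is not None:  # crlEntryExtensions with CRLReason ENUMERATED
            ext = seq(tlv(0x06, OID_CRL_REASON), tlv(0x04, tlv(0x0a, bytes([REASON_CODES[reason]]))))
            entry += seq(ext)
        revoked += seq(entry)
    next_update = this_update + timedelta(days=lifetime_days)
    tbs = seq(integer(1), alg, issuer, utctime(this_update), utctime(next_update), tlv(0x30, revoked))
    return seq(tbs, alg, tlv(0x03, b'\x00' * 33))

# --- minimal DER decoder for CertificateList ---
def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    fmt = '%y%m%d%H%M%SZ' if tag == 0x17 else '%Y%m%d%H%M%SZ'  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return thisUpdate, nextUpdate and the revoked entries of a DER encoded CRL."""
    _, body, _ = _read_tlv(der, 0)
    fields = _children(_children(body)[0][1])  # tbsCertList
    i = 1 if fields[0][0] == 0x02 else 0       # optional version
    i += 2                                     # signature algorithm, issuer
    this_update = _time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(*fields[i])
        i += 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates
        for _, entry in _children(fields[i][1]):
            parts = _children(entry)
            raw = parts[0][1]
            serial = (raw[1:] if len(raw) > 1 and raw[0] == 0 else raw).hex()
            reason = None
            if len(parts) > 2:
                for _, ext in _children(parts[2][1]):
                    ext_parts = _children(ext)
                    if ext_parts[0][1] == OID_CRL_REASON:
                        code = _children(ext_parts[-1][1])[0][1][0]
                        reason = REASONS.get(code, code)
            revoked.append({'serial': serial, 'date': _time(*parts[1]), 'reason': reason})
    return {'thisUpdate': this_update, 'nextUpdate': next_update, 'revoked': revoked}

def crl_is_current(crl, now):
    """A relying party should not trust a CRL outside [thisUpdate, nextUpdate]."""
    return crl['thisUpdate'] <= now and (crl['nextUpdate'] is None or now <= crl['nextUpdate'])

THIS_UPDATE = datetime(2015, 3, 26, 12, 0, 0, tzinfo=timezone.utc)  # constructed
LIFETIME_DAYS = 15  # the --lifetime default

def sample_crl_der():
    """Sample mirroring the second example on the page: serials 0123 and 0345 (constructed)."""
    return build_crl_der(THIS_UPDATE, LIFETIME_DAYS,
                         [(0x0123, THIS_UPDATE, 'superseded'), (0x0345, THIS_UPDATE, None)])

if __name__ == '__main__':
    crl = parse_crl(open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else sample_crl_der())
    state = 'current' if crl_is_current(crl, datetime.now(timezone.utc)) else 'STALE'
    print('thisUpdate', crl['thisUpdate'], 'nextUpdate', crl['nextUpdate'], state)
    for e in crl['revoked']:
        print(' revoked serial', e['serial'], e['date'], e['reason'])
```

Running the script without arguments parses the constructed sample and reports the two revoked serials; with a crl.der produced by the commands above it reports that file's entries and whether it is still within its nextUpdate window, which is the check a monitoring job for CRL distribution points should perform.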