pki --signcrl » History » Version 6
Tobias Brunner, 23.03.2017 18:04
Updated for 5.5.2
h1. ipsec pki --signcrl

h2. Synopsis

<pre>
pki --signcrl --cacert file --cakey file|--cakeyid hex [--lifetime days]
              [--not-before datetime] [--not-after datetime] [--dateform form]
              [--lastcrl crl] [--basecrl crl] [--crluri uri]
              [[--reason key-compromise|ca-compromise|affiliation-changed|
                         superseded|cessation-of-operation|certificate-hold]
               [--date timestamp] --cert file|--serial hex]*
              [--digest md5|sha1|sha224|sha256|sha384|sha512]
              [--outform der|pem]

  --help (-h)        show usage information
  --cacert (-c)      CA certificate file
  --cakey (-k)       CA private key file
  --cakeyid (-x)     smartcard or TPM CA private key object handle
  --lifetime (-l)    days until the CRL's nextUpdate (how long the CRL is valid), default: 15
  --not-before (-F)  absolute time when the validity of the CRL begins
  --not-after (-T)   absolute time when the validity of the CRL ends
  --dateform (-D)    strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
  --lastcrl (-a)     CRL of lastUpdate to copy revocations from
  --basecrl (-b)     base CRL to create a delta CRL for
  --crluri (-u)      freshest delta CRL URI to include
  --cert (-z)        certificate file to revoke
  --serial (-s)      hex encoded certificate serial number to revoke
  --reason (-r)      reason for certificate revocation
  --date (-d)        revocation date as unix timestamp, default: now
  --digest (-g)      digest for signature creation, default: key-specific
  --outform (-f)     encoding of generated crl, default: der
  --debug (-v)       set debug level, default: 1
  --options (-+)     read command line options from file
</pre>

h2. Description

Issue a certificate revocation list (CRL) signed with the CA's private key. Each @--cert@ or @--serial@ argument adds one revoked certificate; a @--reason@ and a @--date@ (unix timestamp, default: now) given before it apply to that entry only. The CRL is valid from now (or @--not-before@) for @--lifetime@ days (or until @--not-after@); with a strict CRL policy a stale CRL makes peer authentication fail, so reissue it before nextUpdate.

Every invocation builds the CRL from its arguments only. When reissuing, pass the previous CRL with @--lastcrl@ so its entries are copied into the new one; otherwise the earlier revocations are dropped and those certificates are accepted again. @--basecrl@ instead produces a delta CRL relative to the given base CRL, and @--crluri@ adds a freshest-CRL URI pointing to such a delta. Peers only learn of a revocation once the new CRL reaches them, for example through the CRL distribution point URI embedded in the issued certificates or by placing the file in @/etc/ipsec.d/crls@.

h2. Examples

* Revoke a certificate with reason superseded, writing a fresh DER-encoded CRL:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
</pre>

* Reissue an existing CRL with two new revocations given by the certificates' hex serial numbers and no reason, copying the entries of the previous CRL:

<pre>
ipsec pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
</pre>
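The two examples above chained into one reissue workflow, as an added example that is not part of this page or of the strongSwan project. The POSIX sh script below assumes strongSwan's @pki@ on PATH for the @--demo@ part, issues a throwaway CA and peer certificate, revokes the peer certificate into a first CRL, then reissues the CRL with @--lastcrl@ plus a batch of further revocations read from a constructed @revocations.txt@ (lines of "serial reason [unix-timestamp]", reason "-" meaning none; the serials are made up). The helper functions validate serials and reason keywords against the synopsis before anything is signed and need only sh:

```shell
#!/bin/sh
# Added example, not strongSwan's own code. Assumes: `pki` is on PATH when
# run with --demo; a revocations file of "serial reason [timestamp]" lines
# (reason "-" or empty = none), constructed below with made-up serials.
set -eu

# Reason keywords accepted by --reason, as listed in the synopsis.
VALID_REASONS="key-compromise ca-compromise affiliation-changed superseded cessation-of-operation certificate-hold"

# is_valid_reason WORD: succeed if WORD is one of the accepted reasons.
is_valid_reason() {
    for r in $VALID_REASONS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# is_hex_serial STRING: succeed if STRING is a non-empty hex string, the
# form --serial expects (no 0x prefix, no colons).
is_hex_serial() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
        *) return 0 ;;
    esac
}

# revocation_args FILE: turn "serial reason [timestamp]" lines into the
# per-entry option groups of --signcrl, printed one token per line:
#   [--reason R] [--date TS] --serial HEX
# Blank lines and '#' comments are skipped; a bad serial or reason aborts
# with status 1, so a typo cannot silently issue a CRL with wrong entries.
revocation_args() {
    while read -r serial reason ts; do
        case "$serial" in ''|'#'*) continue ;; esac
        is_hex_serial "$serial" || { echo "bad serial: $serial" >&2; return 1; }
        if [ -n "$reason" ] && [ "$reason" != "-" ]; then
            is_valid_reason "$reason" || { echo "bad reason: $reason" >&2; return 1; }
            printf '%s\n%s\n' --reason "$reason"
        fi
        [ -z "$ts" ] || printf '%s\n%s\n' --date "$ts"
        printf '%s\n%s\n' --serial "$serial"
    done < "$1"
}

# demo: issue a CA and a peer certificate, revoke the peer certificate,
# then reissue the CRL carrying the old entry forward with --lastcrl.
demo() {
    pki --gen --type rsa --size 2048 --outform der > caKey.der
    pki --self --ca --in caKey.der --dn "C=CH, O=Example, CN=Example CA" \
        --outform der > caCert.der
    pki --gen --type rsa --size 2048 --outform der > peerKey.der
    pki --pub --in peerKey.der --type rsa --outform der > peerPub.der
    pki --issue --cacert caCert.der --cakey caKey.der --in peerPub.der \
        --dn "C=CH, O=Example, CN=peer" --outform der > peerCert.der

    # First CRL: a single revocation, given by certificate file.
    pki --signcrl --cacert caCert.der --cakey caKey.der \
        --reason key-compromise --cert peerCert.der > crl1.der

    # Constructed batch of further revocations (serials are made up).
    printf '%s\n' '# serial reason [timestamp]' \
        '0123 superseded 1490000000' '0345 -' > revocations.txt

    # Second CRL: copy crl1.der's entries and append the batch. Without
    # --lastcrl the peer certificate would silently become valid again.
    set -- --cacert caCert.der --cakey caKey.der --lastcrl crl1.der
    for tok in $(revocation_args revocations.txt); do set -- "$@" "$tok"; done
    pki --signcrl "$@" > crl2.der

    # Inspect the result: both the peer serial and the batch must be listed.
    pki --print --type crl --in crl2.der
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as @sh signcrl_batch.sh --demo@ in a scratch directory; it writes the keys, certificates and both CRLs there. The tokens are passed through @set --@ rather than a string so that the per-entry option order (@--reason@, @--date@, then @--serial@) from the synopsis is preserved exactly for each revocation.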