PKI --GEN(1) strongSwan PKI --GEN(1)NAME
pki --gen - Generate a new RSA or ECDSA private key
SYNOPSIS
pki --gen [--type type] [--size bits] [--safe-primes] [--shares n] [--threshold l] [--outform encoding] [--debug level]
pki --gen --options file
pki --gen -h | --help
DESCRIPTION
This sub-command of pki(1) is used to generate a new RSA or ECDSA private key.
OPTIONS -h, --help
Print usage information with a summary of the available options.
-v, --debug level
Set debug level, default: 1.
-+, --options file
Read command line options from file.
-t, --type type
Type of key to generate. Either rsa or ecdsa, defaults to rsa.
-s, --size bits
Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa. For ecdsa only three values are currently supported: 256, 384 and
521.
-p, --safe-primes
Generate RSA safe primes.
-f, --outform encoding
Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
RSA Threshold Cryptography
-n, --shares <n>
Number of private RSA key shares.
-l, --threshold <l>
Minimum number of participating RSA key shares.
PROBLEMS ON HOSTS WITH LOW ENTROPY
If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random plugin). Therefore, the
command may block if the system's entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random
or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it reads
from /dev/urandom if necessary). It is also possible to configure the devices used by the random plugin in strongswan.conf(5). Setting
libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus
avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality.
EXAMPLES
pki --gen --size 3072 > rsa_key.der
Generates a 3072-bit RSA private key.
pki --gen --type ecdsa --size 256 > ecdsa_key.der
Generates a 256-bit ECDSA private key.
SEE ALSO pki(1)5.1.1 2013-07-31 PKI --GEN(1)
Check Out this Related Man Page
PKI --ISSUE(8) strongSwan PKI --ISSUE(8)NAME
pki --issue - Issue a certificate using a CA certificate and key
SYNOPSIS
pki --issue [--in file] [--type type] --cakey file|--cakeyid hex --cacert file [--dn subject-dn] [--san subjectAltName] [--lifetime days]
[--serial hex] [--flag flag] [--digest digest] [--ca] [--crl uri [--crlissuer issuer]] [--ocsp uri] [--pathlen len] [--nc-
permitted name] [--nc-excluded name] [--policy-mapping mapping] [--policy-explicit len] [--policy-inhibit len]
[--policy-any len] [--cert-policy oid [--cps-uri uri] [--user-notice text]] [--outform encoding] [--debug level]
pki --issue --options file
pki --issue -h | --help
DESCRIPTION
This sub-command of pki(1) is used to issue a certificate using a CA certificate and private key.
OPTIONS -h, --help
Print usage information with a summary of the available options.
-v, --debug level
Set debug level, default: 1.
-+, --options file
Read command line options from file.
-i, --in file
Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from STDIN.
-t, --type type
Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate request, defaults to pub.
-k, --cakey file
CA private key file. Either this or --cakeyid is required.
-x, --cakeyid hex
Key ID of a CA private key on a smartcard. Either this or --cakey is required.
-c, --cacert file
CA certificate file. Required.
-d, --dn subject-dn
Subject distinguished name (DN) of the issued certificate.
-a, --san subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
-l, --lifetime days
Days the certificate is valid, default: 1095.
-s, --serial hex
Serial number in hex. It is randomly allocated by default.
-e, --flag flag
Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
-g, --digest digest
Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
-f, --outform encoding
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
-b, --ca
Include CA basicConstraint extension in certificate.
-u, --crl uri
CRL distribution point URI to include in certificate. Can be used multiple times.
-I, --crlissuer issuer
Optional CRL issuer for the CRL at the preceding distribution point.
-o, --ocsp uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, --pathlen len
Set path length constraint.
-n, --nc-permitted name
Add permitted NameConstraint extension to certificate.
-N, --nc-excluded name
Add excluded NameConstraint extension to certificate.
-M, --policy-mapping issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
-E, --policy-explicit len
Add requireExplicitPolicy constraint.
-H, --policy-inhibit len
Add inhibitPolicyMapping constraint.
-A, --policy-any len
Add inhibitAnyPolicy constraint.
Certificate Policy
Multiple certificatePolicy extensions can be added. Each with the following information:
-P, --cert-policy oid
OID to include in certificatePolicy extension. Required.
-C, --cps-uri uri
Certification Practice statement URI for certificatePolicy.
-U, --user-notice text
User notice for certificatePolicy.
EXAMPLES
To save repetitive typing, command line options can be stored in files. Lets assume pki.opt contains the following contents:
--cacert ca_cert.der --cakey ca_key.der --digest sha256
--flag serverAuth --lifetime 1460 --type pkcs10
Then the following command can be used to issue a certificate based on a given PKCS#10 certificate request and the options above:
pki --issue --options pki.opt --in req.der > cert.der
SEE ALSO pki(1)5.1.1 2013-08-12 PKI --ISSUE(8)