strongimcv_pki---req(1) [centos man page]
PKI --REQ(1) strongSwan PKI --REQ(1) NAME
pki --req - Create a PKCS#10 certificate request SYNOPSIS
pki --req [--in file] [--type type] --dn distinguished-name [--san subjectAltName] [--password password] [--digest digest] [--outform encoding] [--debug level] pki --req --options file pki --req -h | --help DESCRIPTION
This sub-command of pki(1) is used to create a PKCS#10 certificate request. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -i, --in file Private key input file. If not given the key is read from STDIN. -t, --type type Type of the input key. Either rsa or ecdsa, defaults to rsa. -d, --dn distinguished-name Subject distinguished name (DN). Required. -a, --san subjectAltName subjectAltName extension to include in request. Can be used multiple times. -p, --password password The challengePassword to include in the certificate request. -g, --digest digest Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1. -f, --outform encoding Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. EXAMPLES
Generate a certificate request for an RSA key, with a subjectAltName extension: pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" --san moon@strongswan.org > req.der Generate a certificate request for an ECDSA key and a different digest: pki --req --in key.der --type ecdsa --digest sha256 --dn "C=CH, O=strongSwan, CN=carol" > req.der SEE ALSO
pki(1) 5.1.1 2013-07-31 PKI --REQ(1)
Check Out this Related Man Page
PKI --GEN(1) strongSwan PKI --GEN(1) NAME
pki --gen - Generate a new RSA or ECDSA private key SYNOPSIS
pki --gen [--type type] [--size bits] [--safe-primes] [--shares n] [--threshold l] [--outform encoding] [--debug level] pki --gen --options file pki --gen -h | --help DESCRIPTION
This sub-command of pki(1) is used to generate a new RSA or ECDSA private key. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -t, --type type Type of key to generate. Either rsa or ecdsa, defaults to rsa. -s, --size bits Key length in bits. Defaults to 2048 for rsa and 384 for ecdsa. For ecdsa only three values are currently supported: 256, 384 and 521. -p, --safe-primes Generate RSA safe primes. -f, --outform encoding Encoding of the generated private key. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. RSA Threshold Cryptography -n, --shares <n> Number of private RSA key shares. -l, --threshold <l> Minimum number of participating RSA key shares. PROBLEMS ON HOSTS WITH LOW ENTROPY
If the gmp plugin is used to generate RSA private keys the key material is read from /dev/random (via the random plugin). Therefore, the command may block if the system's entropy pool is empty. To avoid this, either use a hardware random number generator to feed /dev/random or use OpenSSL (via the openssl plugin or the command line) which is not as strict in regards to the quality of the key material (it reads from /dev/urandom if necessary). It is also possible to configure the devices used by the random plugin in strongswan.conf(5). Setting libstrongswan.plugins.random.random to /dev/urandom forces the plugin to treat bytes read from /dev/urandom as high grade random data, thus avoiding the blocking. Of course, this doesn't change the fact that the key material generated this way is of lower quality. EXAMPLES
pki --gen --size 3072 > rsa_key.der Generates a 3072-bit RSA private key. pki --gen --type ecdsa --size 256 > ecdsa_key.der Generates a 256-bit ECDSA private key. SEE ALSO
pki(1) 5.1.1 2013-07-31 PKI --GEN(1)