strongimcv_pki---signcrl(1) [centos man page]
PKI --SIGNCRL(1) strongSwan PKI --SIGNCRL(1) NAME
pki --signcrl - Issue a Certificate Revocation List (CRL) using a CA certificate and key SYNOPSIS
pki --signcrl --cakey file|--cakeyid hex --cacert file [--lifetime days] [--lastcrl crl] [--basecrl crl] [--crluri uri] [--digest digest] [[--reason reason] [--date ts] --cert file|--serial hex] [--outform encoding] [--debug level] pki --signcrl --options file pki --signcrl -h | --help DESCRIPTION
This sub-command of pki(1) is used to issue a Certificate Revocation List (CRL) using a CA certificate and private key. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -k, --cakey file CA private key file. Either this or --cakeyid is required. -x, --cakeyid hex Key ID of a CA private key on a smartcard. Either this or --cakey is required. -c, --cacert file CA certificate file. Required. -l, --lifetime days Days until the CRL gets a nextUpdate, default: 15. -a, --lastcrl crl CRL of lastUpdate to copy revocations from. -b, --basecrl crl Base CRL to create a delta CRL for. -u, --crluri uri Freshest delta CRL URI to include in CRL. Can be used multiple times. -g, --digest digest Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1. -f, --outform encoding Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. Revoked Certificates Multiple revoked certificates can be added to the CRL by either providing the certificate file or the respective serial number directly. A reason and a timestamp can be configured for each revocation (they have to be given before each certificate/serial on the command line). -r, --reason reason The reason why the certificate was revoked. One of key-compromise, ca-compromise, affiliation-changed, superseded, cessa- tion-of-operation, or certificate-hold. -d, --date ts Revocation date as Unix timestamp. Defaults to the current time. -z, --cert file Certificate file to revoke. -s, --serial hex Hexadecimal encoded serial number of the certificate to revoke. EXAMPLES
Revoke a certificate: pki --signcrl --cacert ca_cert.der --cakey ca_key.der --reason superseded --cert cert.der > crl.der Update an existing CRL with two new revocations, using the certificate's serial number, but no reason: pki --signcrl --cacert ca_cert.der --cakey ca_key.der --lastcrl old_crl.der --serial 0123 --serial 0345 > crl.der SEE ALSO
pki(1) 5.1.1 2013-08-12 PKI --SIGNCRL(1)
Check Out this Related Man Page
PKI --SELF(1) strongSwan PKI --SELF(1) NAME
pki --self - Create a self-signed certificate SYNOPSIS
pki --self [--in file|--keyid hex] [--type t] --dn distinguished-name [--san subjectAltName] [--lifetime days] [--serial hex] [--flag flag] [--digest digest] [--ca] [--ocsp uri] [--pathlen len] [--nc-permitted name] [--nc-excluded name] [--policy-mapping mapping] [--policy-explicit len] [--policy-inhibit len] [--policy-any len] [--cert-policy oid [--cps-uri uri] [--user-notice text]] [--outform encoding] [--debug level] pki --self --options file pki --self -h | --help DESCRIPTION
This sub-command of pki(1) is used to create a self-signed certificate. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -i, --in file Private key input file. If not given the key is read from STDIN. -x, --keyid hex Key ID of a private key on a smartcard. -t, --type type Type of the input key. Either rsa or ecdsa, defaults to rsa. -d, --dn distinguished-name Subject and issuer distinguished name (DN). Required. -a, --san subjectAltName subjectAltName extension to include in certificate. Can be used multiple times. -l, --lifetime days Days the certificate is valid, default: 1095. -s, --serial hex Serial number in hex. It is randomly allocated by default. -e, --flag flag Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times. -g, --digest digest Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1. -f, --outform encoding Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. -b, --ca Include CA basicConstraint extension in certificate. -o, --ocsp uri OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times. -p, --pathlen len Set path length constraint. -n, --nc-permitted name Add permitted NameConstraint extension to certificate. -N, --nc-excluded name Add excluded NameConstraint extension to certificate. -M, --policy-mapping issuer-oid:subject-oid Add policyMapping from issuer to subject OID. -E, --policy-explicit len Add requireExplicitPolicy constraint. -H, --policy-inhibit len Add inhibitPolicyMapping constraint. -A, --policy-any len Add inhibitAnyPolicy constraint. Certificate Policy Multiple certificatePolicy extensions can be added. Each with the following information: -P, --cert-policy oid OID to include in certificatePolicy extension. Required. -C, --cps-uri uri Certification Practice statement URI for certificatePolicy. -U, --user-notice text User notice for certificatePolicy. EXAMPLES
Generate a self-signed certificate using the given RSA key: pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" --san moon.strongswan.org > cert.der SEE ALSO
pki(1) 5.1.1 2013-07-31 PKI --SELF(1)