strongimcv_pki(1) [centos man page]
PKI(1) strongSwan PKI(1) NAME
pki - Simple public key infrastructure (PKI) management tool SYNOPSIS
pki command [option ...] pki -h | --help DESCRIPTION
pki is a suite of commands that allow you to manage a simple public key infrastructure (PKI). Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end-entity and root CA certificates, issue end-entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certifi- cates and compute two kinds of SHA-1-based key IDs. COMMANDS
-h, --help Prints usage information and a short summary of the available commands. -g, --gen Generate a new private key. -s, --self Create a self-signed certificate. -i, --issue Issue a certificate using a CA certificate and key. -c, --signcrl Issue a CRL using a CA certificate and key. -r, --req Create a PKCS#10 certificate request. -7, --pkcs7 Provides PKCS#7 wrap/unwrap functions. -k, --keyid Calculate key identifiers of a key or certificate. -a, --print Print a credential (key, certificate etc.) in human readable form. -p, --pub Extract a public key from a private key or certificate. -v, --verify Verify a certificate using a CA certificate. EXAMPLES
Generating a CA Certificate The first step is to generate a private key using the --gen command. By default this generates a 2048-bit RSA key. pki --gen > ca_key.der This key is used to create the self-signed CA certificate, using the --self command. The distinguished name should be adjusted to your needs. pki --self --ca --in ca_key.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der Generating End-Entity Certificates With the root CA certificate and key at hand end-entity certificates for clients and servers can be issued. Similarly intermediate CA cer- tificates can be issued, which in turn can issue other certificates. To generate a certificate for a server, we start by generating a pri- vate key. pki --gen > server_key.der The public key will be included in the certificate so lets extract that from the private key. pki --pub --in server_key.der > server_pub.der The following command will use the CA certificate and private key to issue the certificate for this server. Adjust the distinguished name, subjectAltName(s) and flags as needed (check pki --issue(8) for more options). pki --issue --in server_pub.der --cacert ca_cert.der --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" --san vpn.strongswan.org --flag serverAuth > server_cert.der Instead of storing the public key in a separate file, the output of --pub may also be piped directly into the above command. Generating Certificate Revocation Lists (CRL) If end-entity certificates have to be revoked, CRLs may be generated using the --signcrl command. pki --signcrl --cacert ca_cert.der --cakey ca_key.der --reason superseded --cert server_cert.der > crl.der The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (--flag crlSign). URIs to CRLs may be included in issued certificates with the --crl option. SEE ALSO
pki --gen(1), pki --self(1), pki --issue(1), pki --signcrl(1), pki --req(1), pki --pkcs7(1), pki --keyid(1), pki --print(1), pki --pub(1), pki --verify(1) 5.1.1 2013-07-31 PKI(1)
Check Out this Related Man Page
PKI --ISSUE(8) strongSwan PKI --ISSUE(8) NAME
pki --issue - Issue a certificate using a CA certificate and key SYNOPSIS
pki --issue [--in file] [--type type] --cakey file|--cakeyid hex --cacert file [--dn subject-dn] [--san subjectAltName] [--lifetime days] [--serial hex] [--flag flag] [--digest digest] [--ca] [--crl uri [--crlissuer issuer]] [--ocsp uri] [--pathlen len] [--nc- permitted name] [--nc-excluded name] [--policy-mapping mapping] [--policy-explicit len] [--policy-inhibit len] [--policy-any len] [--cert-policy oid [--cps-uri uri] [--user-notice text]] [--outform encoding] [--debug level] pki --issue --options file pki --issue -h | --help DESCRIPTION
This sub-command of pki(1) is used to issue a certificate using a CA certificate and private key. OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -i, --in file Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from STDIN. -t, --type type Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate request, defaults to pub. -k, --cakey file CA private key file. Either this or --cakeyid is required. -x, --cakeyid hex Key ID of a CA private key on a smartcard. Either this or --cakey is required. -c, --cacert file CA certificate file. Required. -d, --dn subject-dn Subject distinguished name (DN) of the issued certificate. -a, --san subjectAltName subjectAltName extension to include in certificate. Can be used multiple times. -l, --lifetime days Days the certificate is valid, default: 1095. -s, --serial hex Serial number in hex. It is randomly allocated by default. -e, --flag flag Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times. -g, --digest digest Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1. -f, --outform encoding Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. -b, --ca Include CA basicConstraint extension in certificate. -u, --crl uri CRL distribution point URI to include in certificate. Can be used multiple times. -I, --crlissuer issuer Optional CRL issuer for the CRL at the preceding distribution point. -o, --ocsp uri OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times. -p, --pathlen len Set path length constraint. -n, --nc-permitted name Add permitted NameConstraint extension to certificate. -N, --nc-excluded name Add excluded NameConstraint extension to certificate. -M, --policy-mapping issuer-oid:subject-oid Add policyMapping from issuer to subject OID. -E, --policy-explicit len Add requireExplicitPolicy constraint. -H, --policy-inhibit len Add inhibitPolicyMapping constraint. -A, --policy-any len Add inhibitAnyPolicy constraint. Certificate Policy Multiple certificatePolicy extensions can be added. Each with the following information: -P, --cert-policy oid OID to include in certificatePolicy extension. Required. -C, --cps-uri uri Certification Practice statement URI for certificatePolicy. -U, --user-notice text User notice for certificatePolicy. EXAMPLES
To save repetitive typing, command line options can be stored in files. Lets assume pki.opt contains the following contents: --cacert ca_cert.der --cakey ca_key.der --digest sha256 --flag serverAuth --lifetime 1460 --type pkcs10 Then the following command can be used to issue a certificate based on a given PKCS#10 certificate request and the options above: pki --issue --options pki.opt --in req.der > cert.der SEE ALSO
pki(1) 5.1.1 2013-08-12 PKI --ISSUE(8)