Provided by: strongswan-starter_5.1.2-0ubuntu2_amd64 bug


       pki --issue - Issue a certificate using a CA certificate and key


       pki --issue [--in file] [--type type] --cakey file|--cakeyid hex --cacert file
                   [--dn subject-dn] [--san subjectAltName] [--lifetime days] [--serial hex]
                   [--flag flag] [--digest digest] [--ca] [--crl uri [--crlissuer issuer]]
                   [--ocsp uri] [--pathlen len] [--nc-permitted name] [--nc-excluded name]
                   [--policy-mapping mapping] [--policy-explicit len] [--policy-inhibit len]
                   [--policy-any len] [--cert-policy oid [--cps-uri uri] [--user-notice text]]
                   [--outform encoding] [--debug level]

       pki --issue --options file

       pki --issue -h | --help


       This  sub-command  of  pki(1)  is  used  to issue a certificate using a CA certificate and
       private key.


       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Public key or  PKCS#10  certificate  request  file  to  issue.  If  not  given  the
              key/request is read from STDIN.

       -t, --type type
              Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate
              request, defaults to pub.

       -k, --cakey file
              CA private key file. Either this or --cakeyid is required.

       -x, --cakeyid hex
              Key ID of a CA private key on a smartcard. Either this or --cakey is required.

       -c, --cacert file
              CA certificate file. Required.

       -d, --dn subject-dn
              Subject distinguished name (DN) of the issued certificate.

       -a, --san subjectAltName
              subjectAltName extension to include in certificate. Can be used multiple times.

       -l, --lifetime days
              Days the certificate is valid, default: 1095.

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or  ocspSigning.
              Can be used multiple times.

       -g, --digest digest
              Digest  to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or
              sha512. Defaults to sha1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1  DER)  or  pem  (Base64
              PEM), defaults to der.

       -b, --ca
              Include CA basicConstraint extension in certificate.

       -u, --crl uri
              CRL distribution point URI to include in certificate. Can be used multiple times.

       -I, --crlissuer issuer
              Optional CRL issuer for the CRL at the preceding distribution point.

       -o, --ocsp uri
              OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.

       -p, --pathlen len
              Set path length constraint.

       -n, --nc-permitted name
              Add permitted NameConstraint extension to certificate.

       -N, --nc-excluded name
              Add excluded NameConstraint extension to certificate.

       -M, --policy-mapping issuer-oid:subject-oid
              Add policyMapping from issuer to subject OID.

       -E, --policy-explicit len
              Add requireExplicitPolicy constraint.

       -H, --policy-inhibit len
              Add inhibitPolicyMapping constraint.

       -A, --policy-any len
              Add inhibitAnyPolicy constraint.

   Certificate Policy
       Multiple certificatePolicy extensions can be added. Each with the following information:

       -P, --cert-policy oid
              OID to include in certificatePolicy extension. Required.

       -C, --cps-uri uri
              Certification Practice statement URI for certificatePolicy.

       -U, --user-notice text
              User notice for certificatePolicy.


       To  save  repetitive  typing,  command  line  options can be stored in files.  Lets assume
       pki.opt contains the following contents:

         --cacert ca_cert.der --cakey ca_key.der --digest sha256
         --flag serverAuth --lifetime 1460 --type pkcs10

       Then the following command can be used to issue a certificate based  on  a  given  PKCS#10
       certificate request and the options above:

         pki --issue --options pki.opt --in req.der > cert.der