Provided by: strongswan-starter_5.1.2-0ubuntu2_amd64


NAME
       pki --self - Create a self-signed certificate


SYNOPSIS
       pki --self [--in file|--keyid hex] [--type t] --dn distinguished-name
                  [--san subjectAltName] [--lifetime days] [--serial hex] [--flag flag]
                  [--digest digest] [--ca] [--ocsp uri] [--pathlen len] [--nc-permitted name]
                  [--nc-excluded name] [--policy-mapping mapping] [--policy-explicit len]
                  [--policy-inhibit len] [--policy-any len]
                  [--cert-policy oid [--cps-uri uri] [--user-notice text]] [--outform encoding]
                  [--debug level]

       pki --self --options file

       pki --self -h | --help


DESCRIPTION
       This sub-command of pki(1) is used to create a self-signed certificate.


OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Private key input file. If not given the key is read from STDIN.

       -x, --keyid hex
              Key ID of a private key on a smartcard.

       -t, --type type
              Type of the input key. Either rsa or ecdsa, defaults to rsa.

       -d, --dn distinguished-name
              Subject and issuer distinguished name (DN). Required.

       -a, --san subjectAltName
              subjectAltName extension to include in certificate. Can be used multiple times.

       -l, --lifetime days
              Days the certificate is valid, default: 1095.

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -e, --flag flag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning.
              Can be used multiple times.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or
              sha512. Defaults to sha1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64
              PEM), defaults to der.

       -b, --ca
              Include CA basicConstraint extension in certificate.

       -o, --ocsp uri
              OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.

       -p, --pathlen len
              Set path length constraint.

       -n, --nc-permitted name
              Add permitted NameConstraint extension to certificate.

       -N, --nc-excluded name
              Add excluded NameConstraint extension to certificate.

       -M, --policy-mapping issuer-oid:subject-oid
              Add policyMapping from issuer to subject OID.

       -E, --policy-explicit len
              Add requireExplicitPolicy constraint.

       -H, --policy-inhibit len
              Add inhibitPolicyMapping constraint.

       -A, --policy-any len
              Add inhibitAnyPolicy constraint.

   Certificate Policy
       Multiple certificatePolicy extensions can be added, each with the following information:

       -P, --cert-policy oid
              OID to include in certificatePolicy extension. Required.

       -C, --cps-uri uri
              Certification Practice statement URI for certificatePolicy.

       -U, --user-notice text
              User notice for certificatePolicy.


EXAMPLES
       Generate a self-signed certificate using the given RSA key:

         pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
             --san moon.strongswan.org > cert.der
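
       The option list above gives sha1 as the default --digest and 1095 days as the
       default --lifetime. The following is an added example, not part of the strongSwan
       manual: a shell check that audits a pki --self argument list for an md5 or sha1
       digest (including the implicit default) and for a lifetime above MAX_DAYS.
       The names audit_pki_self and safe_pki_self and the MAX_DAYS policy value are
       assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a `pki --self` argument list before running it.
# Defaults mirror the option list above; MAX_DAYS is an assumed local policy.
MAX_DAYS=1095

# Prints one finding per line; returns 1 if there is any finding, else 0.
audit_pki_self() {
    a_digest=sha1 a_src="default, no --digest given" a_life=1095 a_rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -g|--digest)
                if [ $# -ge 2 ]; then a_digest=$2; a_src=explicit; shift; fi ;;
            -l|--lifetime)
                if [ $# -ge 2 ]; then a_life=$2; shift; fi ;;
            # Common value-taking options: skip the value so that a DN or
            # SAN is never mistaken for a flag.
            -i|--in|-x|--keyid|-t|--type|-d|--dn|-a|--san|-s|--serial)
                if [ $# -ge 2 ]; then shift; fi ;;
            -e|--flag|-f|--outform|-o|--ocsp|-p|--pathlen)
                if [ $# -ge 2 ]; then shift; fi ;;
        esac
        shift
    done
    case "$a_digest" in
        md5|sha1) echo "weak-digest: $a_digest ($a_src)"; a_rc=1 ;;
        sha224|sha256|sha384|sha512) ;;
        *) echo "unknown-digest: $a_digest"; a_rc=1 ;;
    esac
    case "$a_life" in
        ''|*[!0-9]*) echo "bad-lifetime: $a_life"; a_rc=1 ;;
        *) if [ "$a_life" -gt "$MAX_DAYS" ]; then
               echo "long-lifetime: $a_life days (max $MAX_DAYS)"; a_rc=1
           fi ;;
    esac
    return $a_rc
}

# Hypothetical wrapper: only invoke pki when the audit is clean.
safe_pki_self() {
    audit_pki_self "$@" >&2 || return 1
    pki --self "$@"
}

# Constructed sample: arguments that rely on the documented defaults.
audit_pki_self --in key.der --dn "C=CH, O=strongSwan, CN=moon" || true
```

       Options supplied through --options file are not seen by this check; audit the
       file's contents the same way before use.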