Provided by: strongswan-pki_5.9.6-1ubuntu2_amd64 bug


       pki - Simple public key infrastructure (PKI) management tool


       pki command [option ...]

       pki -h | --help


       pki  is  a  suite  of commands that allow you to manage a simple public key infrastructure

       Generate  RSA  and  ECDSA  key  pairs,  create  PKCS#10  certificate  requests  containing
       subjectAltNames,  create X.509 self-signed end-entity and root CA certificates, issue end-
       entity and intermediate CA certificates signed by the private key of a CA  and  containing
       subjectAltNames,  CRL  distribution  points and URIs of OCSP servers. You can also extract
       raw public keys from private keys, certificate requests and certificates and  compute  two
       kinds of SHA-1-based key IDs.


       -h, --help
              Prints usage information and a short summary of the available commands.

       -g, --gen
              Generate a new private key.

       -s, --self
              Create a self-signed certificate.

       -i, --issue
              Issue a certificate using a CA certificate and key.

       -c, --signcrl
              Issue a CRL using a CA certificate and key.

       -z, --acert
              Issue an attribute certificate.

       -r, --req
              Create a PKCS#10 certificate request.

       -7, --pkcs7
              Provides PKCS#7 wrap/unwrap functions.

       -k, --keyid
              Calculate key identifiers of a key or certificate.

       -a, --print
              Print a credential (key, certificate etc.) in human readable form.

       -d, --dn
              Extract the subject DN of an X.509 certificate.

       -p, --pub
              Extract a public key from a private key or certificate.

       -v, --verify
              Verify a certificate using a CA certificate.


   Generating a CA Certificate
       The  first  step  is  to  generate  a private key using the --gen command. By default this
       generates a 2048-bit RSA key.

         pki --gen > ca_key.der

       This key is used to create the self-signed CA certificate, using the --self  command.  The
       distinguished name should be adjusted to your needs.

         pki --self --ca --in ca_key.der \
             --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der

   Generating End-Entity Certificates
       With  the  root  CA  certificate  and  key at hand end-entity certificates for clients and
       servers can be issued. Similarly intermediate CA certificates can be issued, which in turn
       can  issue  other  certificates.   To  generate  a  certificate  for a server, we start by
       generating a private key.

         pki --gen > server_key.der

       The public key will be included in the certificate so lets extract that from  the  private

         pki --pub --in server_key.der > server_pub.der

       The following command will use the CA certificate and private key to issue the certificate
       for this server. Adjust the distinguished name,  subjectAltName(s)  and  flags  as  needed
       (check pki --issue(8) for more options).

         pki --issue --in server_pub.der --cacert ca_cert.der \
             --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
             --san --flag serverAuth > server_cert.der

       Instead  of  storing  the  public  key in a separate file, the output of --pub may also be
       piped directly into the above command.

   Generating Certificate Revocation Lists (CRL)
       If end-entity certificates have to be revoked, CRLs may be generated using  the  --signcrl

         pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
             --reason superseded --cert server_cert.der > crl.der

       The  certificate given with --cacert must be either a CA certificate or a certificate with
       the crlSign extended key usage (--flag crlSign). URIs to CRLs may be  included  in  issued
       certificates with the --crl option.


       pki --gen(1),    pki --self(1),    pki --issue(1),    pki --signcrl(1),    pki --acert(1),
       pki --req(1), pki --pkcs7(1), pki --keyid(1), pki --print(1),  pki --dn(1),  pki --pub(1),
       pki --verify(1)