Provided by: systemd-repart_257.2-3ubuntu1_amd64

NAME

       systemd-keyutil - Perform various operations on private keys and X.509 certificates

SYNOPSIS

       systemd-keyutil [OPTIONS...] {COMMAND}

DESCRIPTION

       systemd-keyutil can be used to perform various operations on private keys and X.509 certificates.

COMMANDS

       validate
           Checks that the private key and certificate specified with --private-key= and --certificate=
           respectively can be loaded.

           As a side effect, if the private key is loaded from a PIN-protected hardware token, this command can
           be used to cache the PIN in the kernel keyring. The $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC and
           $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE environment variables can be used to control how long and in which
           kernel keyring the PIN is cached.

           Added in version 257.

       public
           This command prints the public key in PEM format, extracted from either the certificate given with
           --certificate= or the private key given with --private-key=.

           Added in version 257.

OPTIONS

       The following options are understood:

       --private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH,
       --certificate-source=TYPE[:NAME]
           Set the private key and certificate to use. The --certificate= option takes a path to a PEM encoded
           X.509 certificate or a URI that's passed to the OpenSSL provider configured with
           --certificate-source=. The --certificate-source= option takes one of "file" or "provider", with the
           latter being followed by a specific provider identifier, separated with a colon, e.g.
           "provider:pkcs11". The --private-key= option can take a path or a URI that will be passed to the
           OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as
           "engine:pkcs11".

           Added in version 257.

       -h, --help
           Print a short help text and exit.

       --version
           Print a short version string and exit.
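
       The following pre-signing check is an added example, not part of the original manual page or of systemd.
       It runs validate, then compares the output of public for the certificate and for the private key to
       detect a mismatched pair. The KEYUTIL variable, the function name and its return codes are hypothetical,
       and it assumes both public invocations emit the same PEM encoding for the same key.

```shell
#!/bin/sh
# Added example (not from the systemd project).
# KEYUTIL is a hypothetical override so the tool path can be swapped, e.g. for testing.
KEYUTIL="${KEYUTIL:-systemd-keyutil}"

# check_signing_pair KEY CERT [KEY_SOURCE]
#   KEY         path or URI for --private-key=
#   CERT        path for --certificate=
#   KEY_SOURCE  optional "type:name" tuple for --private-key-source=, e.g. engine:pkcs11
# Returns 0 if both objects load and their public keys match,
#         1 if loading or extraction fails, 2 if the public keys differ.
check_signing_pair() {
    key=$1 cert=$2 source=${3:-}

    # Build the private-key arguments once; only pass a source if one was given.
    if [ -n "$source" ]; then
        set -- --private-key="$key" --private-key-source="$source"
    else
        set -- --private-key="$key"
    fi

    # Step 1: confirm that key and certificate can be loaded. With a PIN-protected
    # token this is also where the PIN may be cached in the kernel keyring.
    "$KEYUTIL" "$@" --certificate="$cert" validate >/dev/null || return 1

    # Step 2: extract the public key from each side separately.
    from_cert=$("$KEYUTIL" --certificate="$cert" public) || return 1
    from_key=$("$KEYUTIL" "$@" public) || return 1

    # Step 3: a certificate issued for a different key is caught here.
    [ "$from_cert" = "$from_key" ] || return 2
    return 0
}

# Usage: check_signing_pair /path/to/key.pem /path/to/cert.pem
```

       Calling the function before a signing step in a build pipeline turns a wrong certificate into an early,
       distinct failure code instead of a signature that fails verification later.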

SEE ALSO

       systemd-sbsign(1), systemd-measure(1)