Provided by: strongswan-starter_5.1.2-0ubuntu2.11_amd64
NAME
pki --issue - Issue a certificate using a CA certificate and key
SYNOPSIS
pki --issue [--in file] [--type type] --cakey file|--cakeyid hex --cacert file [--dn subject-dn] [--san subjectAltName] [--lifetime days] [--serial hex] [--flag flag] [--digest digest] [--ca] [--crl uri [--crlissuer issuer]] [--ocsp uri] [--pathlen len] [--nc-permitted name] [--nc-excluded name] [--policy-mapping mapping] [--policy-explicit len] [--policy-inhibit len] [--policy-any len] [--cert-policy oid [--cps-uri uri] [--user-notice text]] [--outform encoding] [--debug level] pki --issue --options file pki --issue -h | --help
DESCRIPTION
This sub-command of pki(1) is used to issue a certificate using a CA certificate and private key.
OPTIONS
-h, --help Print usage information with a summary of the available options. -v, --debug level Set debug level, default: 1. -+, --options file Read command line options from file. -i, --in file Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from STDIN. -t, --type type Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate request, defaults to pub. -k, --cakey file CA private key file. Either this or --cakeyid is required. -x, --cakeyid hex Key ID of a CA private key on a smartcard. Either this or --cakey is required. -c, --cacert file CA certificate file. Required. -d, --dn subject-dn Subject distinguished name (DN) of the issued certificate. -a, --san subjectAltName subjectAltName extension to include in certificate. Can be used multiple times. -l, --lifetime days Days the certificate is valid, default: 1095. -s, --serial hex Serial number in hex. It is randomly allocated by default. -e, --flag flag Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times. -g, --digest digest Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1. -f, --outform encoding Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der. -b, --ca Include CA basicConstraint extension in certificate. -u, --crl uri CRL distribution point URI to include in certificate. Can be used multiple times. -I, --crlissuer issuer Optional CRL issuer for the CRL at the preceding distribution point. -o, --ocsp uri OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times. -p, --pathlen len Set path length constraint. -n, --nc-permitted name Add permitted NameConstraint extension to certificate. -N, --nc-excluded name Add excluded NameConstraint extension to certificate. -M, --policy-mapping issuer-oid:subject-oid Add policyMapping from issuer to subject OID. -E, --policy-explicit len Add requireExplicitPolicy constraint. -H, --policy-inhibit len Add inhibitPolicyMapping constraint. -A, --policy-any len Add inhibitAnyPolicy constraint. Certificate Policy Multiple certificatePolicy extensions can be added. Each with the following information: -P, --cert-policy oid OID to include in certificatePolicy extension. Required. -C, --cps-uri uri Certification Practice statement URI for certificatePolicy. -U, --user-notice text User notice for certificatePolicy.
EXAMPLES
To save repetitive typing, command line options can be stored in files. Lets assume pki.opt contains the following contents: --cacert ca_cert.der --cakey ca_key.der --digest sha256 --flag serverAuth --lifetime 1460 --type pkcs10 Then the following command can be used to issue a certificate based on a given PKCS#10 certificate request and the options above: pki --issue --options pki.opt --in req.der > cert.der
SEE ALSO
pki(1)