NAME¶
pki --self - Create a self-signed certificate
SYNOPSIS¶
pki --self |
[--in file|--keyid hex]
[--type t]
--dn distinguished-name
[--san subjectAltName]
[--lifetime days]
[--not-before datetime]
[--not-after datetime]
[--serial hex]
[--flag flag]
[--digest digest]
[--ca] [--ocsp
uri] [--pathlen len]
[--nc-permitted name]
[--nc-excluded name]
[--policy-mapping mapping]
[--policy-explicit len]
[--policy-inhibit len]
[--policy-any len]
[--cert-policy
oid [--cps-uri uri] [--user-notice text]]
[--outform encoding]
[--debug level] |
pki --self |
--options file |
DESCRIPTION¶
This sub-command of pki(1) is used to create a self-signed
certificate.
OPTIONS¶
- -h, --help
- Print usage information with a summary of the available options.
- -v, --debug
level
- Set debug level, default: 1.
- -+, --options file
- Read command line options from file.
- -i, --in
file
- Private key input file. If not given the key is read from
STDIN.
- -x, --keyid
hex
- Key ID of a private key on a smartcard.
- -t, --type
type
- Type of the input key. Either rsa or ecdsa, defaults to
rsa.
- -d, --dn
distinguished-name
- Subject and issuer distinguished name (DN). Required.
- -a, --san
subjectAltName
- subjectAltName extension to include in certificate. Can be used multiple
times.
- -l, --lifetime
days
- Days the certificate is valid, default: 1095. Ignored if both an absolute
start and end time are given.
- -F, --not-before
datetime
- Absolute time when the validity of the certificate begins. The datetime
format is defined by the --dateform option.
- -T, --not-after
datetime
- Absolute time when the validity of the certificate ends. The datetime
format is defined by the --dateform option.
- -D, --dateform
form
- strptime(3) format for the --not-before and --not-after
options, default: %d.%m.%y %T
- -s, --serial
hex
- Serial number in hex. It is randomly allocated by default.
- -e, --flag
flag
- Add extendedKeyUsage flag. One of serverAuth, clientAuth,
crlSign, or ocspSigning. Can be used multiple times.
- -g, --digest
digest
- Digest to use for signature creation. One of md5, sha1,
sha224, sha256, sha384, or sha512. Defaults to
sha1.
- -f, --outform
encoding
- Encoding of the created certificate file. Either der (ASN.1 DER) or
pem (Base64 PEM), defaults to der.
- -b, --ca
- Include CA basicConstraint extension in certificate.
- -o, --ocsp
uri
- OCSP AuthorityInfoAccess URI to include in certificate. Can be used
multiple times.
- -p, --pathlen
len
- Set path length constraint.
- -n, --nc-permitted
name
- Add permitted NameConstraint extension to certificate.
- -N, --nc-excluded
name
- Add excluded NameConstraint extension to certificate.
- -M, --policy-mapping
issuer-oid:subject-oid
- Add policyMapping from issuer to subject OID.
- -E, --policy-explicit
len
- Add requireExplicitPolicy constraint.
- -H, --policy-inhibit
len
- Add inhibitPolicyMapping constraint.
- -A, --policy-any
len
- Add inhibitAnyPolicy constraint.
Certificate Policy¶
Multiple certificatePolicy extensions can be added. Each with the
following information:
- -P, --cert-policy
oid
- OID to include in certificatePolicy extension. Required.
- -C, --cps-uri
uri
- Certification Practice statement URI for certificatePolicy.
- -U, --user-notice
text
- User notice for certificatePolicy.
EXAMPLES¶
Generate a self-signed certificate using the given RSA key:
pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
--san moon.strongswan.org > cert.der