strongimcv_pki—issue (1) Linux Manual Page
pki –issue – Issue a certificate using a CA certificate and key
Synopsis
[ –in file ] [ –type type ] –cakey~file|–cakeyid~hex –cacert~file [ –dn subject-dn ] [ –san subjectAltName ] [ –lifetime days ] [ –not-before datetime ] [ –not-after datetime ] [ –serial hex ] [ –flag flag ] [ –digest digest ] [ –ca ] [ –crl uri –crlissuer issuer] ] [ –ocsp uri ] [ –pathlen len ] [ –nc-permitted name ] [ –nc-excluded name ] [ –policy-mapping mapping ] [ –policy-explicit len ] [ –policy-inhibit len ] [ –policy-any len ] [ –cert-policy oid –cps-uri uri] –user-notice text] ] [ –outform encoding ] [ –debug level ] –options~file -h | –help
Description
This sub-command of pki(1) is used to issue a certificate using a CA certificate and private key.
Options
-h, –help- Print usage information with a summary of the available options.
-v, –debuglevel- Set debug level, default: 1.
-+, –optionsfile- Read command line options from file.
-i, –infile- Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from STDIN.
-t, –typetype- Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate request, defaults to pub.
-k, –cakeyfile- CA private key file. Either this or
–cakeyidis required. -x, –cakeyidhex- Key ID of a CA private key on a smartcard. Either this or
–cakeyis required. -c, –cacertfile- CA certificate file. Required.
-d, –dnsubject-dn- Subject distinguished name (DN) of the issued certificate.
-a, –sansubjectAltName- subjectAltName extension to include in certificate. Can be used multiple times.
-l, –lifetimedays- Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
-F, –not-beforedatetime- Absolute time when the validity of the certificate begins. The datetime format is defined by the
–dateformoption. -T, –not-afterdatetime- Absolute time when the validity of the certificate ends. The datetime format is defined by the
–dateformoption. -D, –dateformform- strptime(3) format for the
–not-beforeand–not-afteroptions, default:%d.%m.%y %T -s, –serialhex- Serial number in hex. It is randomly allocated by default.
-e, –flagflag- Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
-g, –digestdigest- Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
-f, –outformencoding- Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
-b, –ca- Include CA basicConstraint extension in certificate.
-u, –crluri- CRL distribution point URI to include in certificate. Can be used multiple times.
-I, –crlissuerissuer- Optional CRL issuer for the CRL at the preceding distribution point.
-o, –ocspuri- OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, –pathlenlen- Set path length constraint.
-n, –nc-permittedname- Add permitted NameConstraint extension to certificate.
-N, –nc-excludedname- Add excluded NameConstraint extension to certificate.
-M, –policy-mappingissuer-oid:subject-oid- Add policyMapping from issuer to subject OID.
-E, –policy-explicitlen- Add requireExplicitPolicy constraint.
-H, –policy-inhibitlen- Add inhibitPolicyMapping constraint.
-A, –policy-anylen- Add inhibitAnyPolicy constraint.
Certificate Policy
Multiple certificatePolicy extensions can be added. Each with the following information:
-P, –cert-policyoid- OID to include in certificatePolicy extension. Required.
-C, –cps-uriuri- Certification Practice statement URI for certificatePolicy.
-U, –user-noticetext- User notice for certificatePolicy.
Examples
To save repetitive typing, command line options can be stored in files. Lets assume pki.opt contains the following contents:
Then the following command can be used to issue a certificate based on a given PKCS#10 certificate request and the options above:
See Also
pki(1)