strongimcv_pki---self (1) - Linux Manuals

strongimcv_pki---self: Create a self-signed certificate

Command to display strongimcv_pki---self manual in Linux: $ man 1 strongimcv_pki---self

NAME

pki --self - Create a self-signed certificate

SYNOPSIS

[--in file|--keyid hex] [ --type t ] --dn~distinguished-name [ --san subjectAltName ] [ --lifetime days ] [ --not-before datetime ] [ --not-after datetime ] [ --serial hex ] [ --flag flag ] [ --digest digest ] [ --ca ] [ --ocsp uri ] [ --pathlen len ] [ --nc-permitted name ] [ --nc-excluded name ] [ --policy-mapping mapping ] [ --policy-explicit len ] [ --policy-inhibit len ] [ --policy-any len ] [ --cert-policy oid [--cps-uri uri] [--user-notice text] ] [ --outform encoding ] [ --debug level ] --options~file -h | --help

DESCRIPTION

This sub-command of pki(1) is used to create a self-signed certificate.

OPTIONS

-h, --help: Print usage information with a summary of the available options.
-v, --debug level: Set debug level, default: 1.
-+, --options file: Read command line options from file.
-i, --in file: Private key input file. If not given the key is read from STDIN.
-x, --keyid hex: Key ID of a private key on a smartcard.
-t, --type type: Type of the input key. Either rsa or ecdsa, defaults to rsa.
-d, --dn distinguished-name: Subject and issuer distinguished name (DN). Required.
-a, --san subjectAltName: subjectAltName extension to include in certificate. Can be used multiple times.
-l, --lifetime days: Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
-F, --not-before datetime: Absolute time when the validity of the certificate begins. The datetime format is defined by the --dateform option.
-T, --not-after datetime: Absolute time when the validity of the certificate ends. The datetime format is defined by the --dateform option.
-D, --dateform form: strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
-s, --serial hex: Serial number in hex. It is randomly allocated by default.
-e, --flag flag: Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
-g, --digest digest: Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
-f, --outform encoding: Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
-b, --ca: Include CA basicConstraint extension in certificate.
-o, --ocsp uri: OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, --pathlen len: Set path length constraint.
-n, --nc-permitted name: Add permitted NameConstraint extension to certificate.
-N, --nc-excluded name: Add excluded NameConstraint extension to certificate.
-M, --policy-mapping issuer-oid:subject-oid: Add policyMapping from issuer to subject OID.
-E, --policy-explicit len: Add requireExplicitPolicy constraint.
-H, --policy-inhibit len: Add inhibitPolicyMapping constraint.
-A, --policy-any len: Add inhibitAnyPolicy constraint.

Certificate Policy

Multiple certificatePolicy extensions can be added. Each with the following information:

-P, --cert-policy oid: OID to include in certificatePolicy extension. Required.
-C, --cps-uri uri: Certification Practice statement URI for certificatePolicy.
-U, --user-notice text: User notice for certificatePolicy.

EXAMPLES

Generate a self-signed certificate using the given RSA key:

pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
--san moon.strongswan.org > cert.der