·

strongimcv_pki—self (1) Linux Manual Page

ByLinux Manual Posted on

pki –self – Create a self-signed certificate

Synopsis

[–in file|–keyid hex] [ –type t ] –dn~distinguished-name [ –san subjectAltName ] [ –lifetime days ] [ –not-before datetime ] [ –not-after datetime ] [ –serial hex ] [ –flag flag ] [ –digest digest ] [ –ca ] [ –ocsp uri ] [ –pathlen len ] [ –nc-permitted name ] [ –nc-excluded name ] [ –policy-mapping mapping ] [ –policy-explicit len ] [ –policy-inhibit len ] [ –policy-any len ] [ –cert-policy oid [–cps-uri uri[–user-notice text] ] [ –outform encoding ] [ –debug level ] –options~file -h | –help

Description

This sub-command of pki(1) is used to create a self-signed certificate.

Options

-h, –help
Print usage information with a summary of the available options.
-v, –debug level
Set debug level, default: 1.
-+, –options file
Read command line options from file.
-i, –in file
Private key input file. If not given the key is read from STDIN.
-x, –keyid hex
Key ID of a private key on a smartcard.
-t, –type type
Type of the input key. Either rsa or ecdsa, defaults to rsa.
-d, –dn distinguished-name
Subject and issuer distinguished name (DN). Required.
-a, –san subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
-l, –lifetime days
Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
-F, –not-before datetime
Absolute time when the validity of the certificate begins. The datetime format is defined by the –dateform option.
-T, –not-after datetime
Absolute time when the validity of the certificate ends. The datetime format is defined by the –dateform option.
-D, –dateform form
strptime(3) format for the –not-before and –not-after options, default: %d.%m.%y %T
-s, –serial hex
Serial number in hex. It is randomly allocated by default.
-e, –flag flag
Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
-g, –digest digest
Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
-f, –outform encoding
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
-b, –ca
Include CA basicConstraint extension in certificate.
-o, –ocsp uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, –pathlen len
Set path length constraint.
-n, –nc-permitted name
Add permitted NameConstraint extension to certificate.
-N, –nc-excluded name
Add excluded NameConstraint extension to certificate.
-M, –policy-mapping issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
-E, –policy-explicit len
Add requireExplicitPolicy constraint.
-H, –policy-inhibit len
Add inhibitPolicyMapping constraint.
-A, –policy-any len
Add inhibitAnyPolicy constraint.

Certificate Policy

Multiple certificatePolicy extensions can be added. Each with the following information:
-P, –cert-policy oid
OID to include in certificatePolicy extension. Required.
-C, –cps-uri uri
Certification Practice statement URI for certificatePolicy.
-U, –user-notice text
User notice for certificatePolicy.

Examples

Generate a self-signed certificate using the given RSA key:

  pki –self –in key.der –dn "C=CH, O=strongSwan, CN=moon" \
–san moon.strongswan.org cert.der

See Also

pki(1)

Leave a Reply

Your email address will not be published. Required fields are marked *