strongimcv_pki—issue (1) Linux Manual Page
pki –issue – Issue a certificate using a CA certificate and key
Synopsis
[ –in file ] [ –type type ] –cakey~file|–cakeyid~hex –cacert~file [ –dn subject-dn ] [ –san subjectAltName ] [ –lifetime days ] [ –not-before datetime ] [ –not-after datetime ] [ –serial hex ] [ –flag flag ] [ –digest digest ] [ –ca ] [ –crl uriDescription
This sub-command of pki(1) is used to issue a certificate using a CA certificate and private key.Options
- -h, –help
- Print usage information with a summary of the available options.
- -v, –debug level
- Set debug level, default: 1.
- -+, –options file
- Read command line options from file.
- -i, –in file
- Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from STDIN.
- -t, –type type
- Type of the input. Either pub for a public key, or pkcs10 for a PKCS#10 certificate request, defaults to pub.
- -k, –cakey file
- CA private key file. Either this or –cakeyid is required.
- -x, –cakeyid hex
- Key ID of a CA private key on a smartcard. Either this or –cakey is required.
- -c, –cacert file
- CA certificate file. Required.
- -d, –dn subject-dn
- Subject distinguished name (DN) of the issued certificate.
- -a, –san subjectAltName
- subjectAltName extension to include in certificate. Can be used multiple times.
- -l, –lifetime days
- Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are given.
- -F, –not-before datetime
- Absolute time when the validity of the certificate begins. The datetime format is defined by the –dateform option.
- -T, –not-after datetime
- Absolute time when the validity of the certificate ends. The datetime format is defined by the –dateform option.
- -D, –dateform form
- strptime(3) format for the –not-before and –not-after options, default: %d.%m.%y %T
- -s, –serial hex
- Serial number in hex. It is randomly allocated by default.
- -e, –flag flag
- Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
- -g, –digest digest
- Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
- -f, –outform encoding
- Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
- -b, –ca
- Include CA basicConstraint extension in certificate.
- -u, –crl uri
- CRL distribution point URI to include in certificate. Can be used multiple times.
- -I, –crlissuer issuer
- Optional CRL issuer for the CRL at the preceding distribution point.
- -o, –ocsp uri
- OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
- -p, –pathlen len
- Set path length constraint.
- -n, –nc-permitted name
- Add permitted NameConstraint extension to certificate.
- -N, –nc-excluded name
- Add excluded NameConstraint extension to certificate.
- -M, –policy-mapping issuer-oid:subject-oid
- Add policyMapping from issuer to subject OID.
- -E, –policy-explicit len
- Add requireExplicitPolicy constraint.
- -H, –policy-inhibit len
- Add inhibitPolicyMapping constraint.
- -A, –policy-any len
- Add inhibitAnyPolicy constraint.
Certificate Policy
Multiple certificatePolicy extensions can be added. Each with the following information:- -P, –cert-policy oid
- OID to include in certificatePolicy extension. Required.
- -C, –cps-uri uri
- Certification Practice statement URI for certificatePolicy.
- -U, –user-notice text
- User notice for certificatePolicy.
Examples
To save repetitive typing, command line options can be stored in files. Lets assume pki.opt contains the following contents:
Then the following command can be used to issue a certificate based on a given PKCS#10 certificate request and the options above: