Annotation of embedaddon/strongswan/src/pki/man/pki---issue.1.in, revision 1.1
.TH "PKI \-\-ISSUE" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-issue \- Issue a certificate using a CA certificate and key
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-issue
.OP \-\-in file
.OP \-\-type type
.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
.BI \-\-cacert\~ file
.OP \-\-dn subject-dn
.OP \-\-san subjectAltName
.OP \-\-lifetime days
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-serial hex
.OP \-\-flag flag
.OP \-\-digest digest
.OP \-\-rsa\-padding padding
.OP \-\-ca
.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
.OP \-\-ocsp uri
.OP \-\-pathlen len
.OP \-\-addrblock block
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
.OP \-\-critical oid
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.OP \-\-policy\-any len
.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-issue
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-issue"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to issue a certificate using a CA certificate and private key.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Public key or PKCS#10 certificate request file to issue. If not given, the
key/request is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
\fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private key),
\fIbliss\fR (BLISS private key) or \fIpkcs10\fR (PKCS#10 certificate request),
defaults to \fIpub\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
.B \-\-cakeyid
is required.
.TP
.BI "\-x, \-\-cakeyid " hex
Smartcard or TPM CA private key object handle in hex format with an optional
0x prefix. Either this or
.B \-\-cakey
is required.
.TP
.BI "\-c, \-\-cacert " file
CA certificate file. Required.
.TP
.BI "\-d, \-\-dn " subject-dn
Subject distinguished name (DN) of the issued certificate.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
.TP
.BI "\-l, \-\-lifetime " days
Days the certificate is valid, default: 1095. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the certificate begins. The datetime format
is defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the certificate ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
determined based on the type and size of the signature key.
.TP
.BI "\-R, \-\-rsa\-padding " padding
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
to \fIpkcs1\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.TP
.BI "\-b, \-\-ca"
Include CA basicConstraint extension in certificate.
.TP
.BI "\-u, \-\-crl " uri
CRL distribution point URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-I, \-\-crlissuer " issuer
Optional CRL issuer for the CRL at the preceding distribution point.
.TP
.BI "\-o, \-\-ocsp " uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-p, \-\-pathlen " len
Set path length constraint.
.TP
.BI "\-B, \-\-addrblock " block
RFC 3779 address block to include in certificate. \fIblock\fR is either a
CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
Please note that the supplied blocks are included in the certificate as is,
so for standards compliance, multiple blocks must be supplied in correct
order and adjacent blocks must be combined. Refer to RFC 3779 for details.
.TP
.BI "\-n, \-\-nc-permitted " name
Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-X, \-\-critical " oid
Add a critical extension with the given OID.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
.BI "\-E, \-\-policy-explicit " len
Add requireExplicitPolicy constraint.
.TP
.BI "\-H, \-\-policy-inhibit " len
Add inhibitPolicyMapping constraint.
.TP
.BI "\-A, \-\-policy-any " len
Add inhibitAnyPolicy constraint.
.PP
.SS "Certificate Policy"
Multiple certificatePolicy extensions can be added, each with the following
information:
.TP
.BI "\-P, \-\-cert-policy " oid
OID to include in certificatePolicy extension. Required.
.TP
.BI "\-C, \-\-cps-uri " uri
Certification Practice Statement URI for certificatePolicy.
.TP
.BI "\-U, \-\-user-notice " text
User notice for certificatePolicy.
.
.SH "EXAMPLES"
.
To save repetitive typing, command line options can be stored in files.
Let's assume
.I pki.opt
contains the following contents:
.PP
.EX
--cacert ca_cert.der --cakey ca_key.der --digest sha256
--flag serverAuth --lifetime 1460 --type pkcs10
.EE
.PP
Then the following command can be used to issue a certificate based on a
given PKCS#10 certificate request and the options above:
.PP
.EX
pki --issue --options pki.opt --in req.der > cert.der
.EE
.PP
.
! 233: .
! 234: .SH "SEE ALSO"
! 235: .
! 236: .BR pki (1)