Annotation of embedaddon/strongswan/src/pki/man/pki---issue.1.in, revision 1.1.1.1
.TH "PKI \-\-ISSUE" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-issue \- Issue a certificate using a CA certificate and key
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-issue
.OP \-\-in file
.OP \-\-type type
.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
.BI \-\-cacert\~ file
.OP \-\-dn subject-dn
.OP \-\-san subjectAltName
.OP \-\-lifetime days
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-dateform form
.OP \-\-serial hex
.OP \-\-flag flag
.OP \-\-digest digest
.OP \-\-rsa\-padding padding
.OP \-\-ca
.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
.OP \-\-ocsp uri
.OP \-\-pathlen len
.OP \-\-addrblock block
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
.OP \-\-critical oid
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.OP \-\-policy\-any len
.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-issue
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-issue"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to issue a certificate using a CA certificate and private key.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Public key or PKCS#10 certificate request file to issue. If not given, the
key/request is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
\fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private key),
\fIbliss\fR (BLISS private key) or \fIpkcs10\fR (PKCS#10 certificate request),
defaults to \fIpub\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
.B \-\-cakeyid
is required.
.TP
.BI "\-x, \-\-cakeyid " hex
Smartcard or TPM CA private key object handle in hex format with an optional
0x prefix. Either this or
.B \-\-cakey
is required.
.TP
.BI "\-c, \-\-cacert " file
CA certificate file. Required.
.TP
.BI "\-d, \-\-dn " subject-dn
Subject distinguished name (DN) of the issued certificate.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
.TP
.BI "\-l, \-\-lifetime " days
Days the certificate is valid, default: 1095. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the certificate begins. The datetime format
is defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the certificate ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
.BR strptime (3)
format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
determined based on the type and size of the signature key.
.TP
.BI "\-R, \-\-rsa\-padding " padding
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
to \fIpkcs1\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.TP
.BI "\-b, \-\-ca"
Include CA basicConstraint extension in certificate.
.TP
.BI "\-u, \-\-crl " uri
CRL distribution point URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-I, \-\-crlissuer " issuer
Optional CRL issuer for the CRL at the preceding distribution point.
.TP
.BI "\-o, \-\-ocsp " uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-p, \-\-pathlen " len
Set path length constraint.
.TP
.BI "\-B, \-\-addrblock " block
RFC 3779 address block to include in certificate. \fIblock\fR is either a
CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
Please note that the supplied blocks are included in the certificate as is,
so for standards compliance, multiple blocks must be supplied in correct
order and adjacent blocks must be combined. Refer to RFC 3779 for details.
.TP
.BI "\-n, \-\-nc-permitted " name
Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-X, \-\-critical " oid
Add a critical extension with the given OID.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
.BI "\-E, \-\-policy-explicit " len
Add requireExplicitPolicy constraint.
.TP
.BI "\-H, \-\-policy-inhibit " len
Add inhibitPolicyMapping constraint.
.TP
.BI "\-A, \-\-policy-any " len
Add inhibitAnyPolicy constraint.
.PP
.SS "Certificate Policy"
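The ordering and merging requirement above is easy to get wrong by hand. The following added example (not part of strongSwan or of this man page) normalizes a list of \-\-addrblock values into the sorted, merged form RFC 3779 expects and emits the matching command-line arguments; it assumes only the Python standard library and works on constructed sample blocks.

```python
import ipaddress


def parse_block(text):
    """Parse one --addrblock value (CIDR or 'first-last' range) into a
    (first, last) address pair. CIDR is parsed strictly, so a prefix with
    host bits set (e.g. 10.0.0.1/8) is rejected instead of silently widened."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text.strip())
        lo, hi = net[0], net[-1]
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"invalid address block: {text!r}")
    return lo, hi


def canonical_blocks(blocks):
    """Return the blocks in RFC 3779 canonical form: grouped by family
    (IPv4 before IPv6), sorted by first address, with overlapping or
    directly adjacent ranges merged into a single range."""
    ranges = sorted((parse_block(b) for b in blocks),
                    key=lambda r: (r[0].version, int(r[0])))
    merged = []
    for lo, hi in ranges:
        if merged:
            prev_lo, prev_hi = merged[-1]
            # Same family and starting at or before prev_hi + 1: overlap or adjacency.
            if prev_hi.version == lo.version and int(lo) <= int(prev_hi) + 1:
                if int(hi) > int(prev_hi):
                    merged[-1] = (prev_lo, hi)
                continue
        merged.append((lo, hi))
    return merged


def format_block(lo, hi):
    """Render a range as CIDR when it is exactly one prefix, else as 'lo-hi'."""
    nets = list(ipaddress.summarize_address_range(lo, hi))
    return str(nets[0]) if len(nets) == 1 else f"{lo}-{hi}"


def addrblock_args(blocks):
    """Build the --addrblock arguments for pki --issue, in compliant order."""
    args = []
    for lo, hi in canonical_blocks(blocks):
        args += ["--addrblock", format_block(lo, hi)]
    return args


if __name__ == "__main__":
    # Constructed sample: unordered, overlapping and adjacent blocks.
    sample = ["192.168.1.14-192.168.1.20", "10.0.0.0/16",
              "192.168.1.7-192.168.1.13", "10.0.0.0/8", "2001:db8::/32"]
    print("pki --issue ... " + " ".join(addrblock_args(sample)))
```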
Multiple certificatePolicy extensions can be added, each with the following
information:
.TP
.BI "\-P, \-\-cert-policy " oid
OID to include in certificatePolicy extension. Required.
.TP
.BI "\-C, \-\-cps-uri " uri
Certification Practice Statement URI for certificatePolicy.
.TP
.BI "\-U, \-\-user-notice " text
User notice for certificatePolicy.
.
.SH "EXAMPLES"
.
To save repetitive typing, command line options can be stored in files.
Let's assume
.I pki.opt
contains the following contents:
.PP
.EX
--cacert ca_cert.der --cakey ca_key.der --digest sha256
--flag serverAuth --lifetime 1460 --type pkcs10
.EE
.PP
Then the following command can be used to issue a certificate based on a
given PKCS#10 certificate request and the options above:
.PP
.EX
pki --issue --options pki.opt --in req.der > cert.der
.EE
.PP
.
.SH "SEE ALSO"
.
.BR pki (1)