Annotation of embedaddon/strongswan/src/pki/man/pki---self.1.in, revision 1.1.1.1
1.1 misho 1: .TH "PKI \-\-SELF" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
2: .
3: .SH "NAME"
4: .
5: pki \-\-self \- Create a self-signed certificate
6: .
7: .SH "SYNOPSIS"
8: .
9: .SY pki\ \-\-self
10: .RB [ \-\-in
11: .IR file | \fB\-\-keyid\fR
12: .IR hex ]
13: .OP \-\-type t
14: .BI \-\-dn\~ distinguished-name
15: .OP \-\-san subjectAltName
16: .OP \-\-lifetime days
17: .OP \-\-not-before datetime
18: .OP \-\-not-after datetime
19: .OP \-\-serial hex
20: .OP \-\-flag flag
21: .OP \-\-digest digest
22: .OP \-\-rsa\-padding padding
23: .OP \-\-ca
24: .OP \-\-ocsp uri
25: .OP \-\-pathlen len
26: .OP \-\-addrblock block
27: .OP \-\-nc-permitted name
28: .OP \-\-nc-excluded name
29: .OP \-\-critical oid
30: .OP \-\-policy\-mapping mapping
31: .OP \-\-policy\-explicit len
32: .OP \-\-policy\-inhibit len
33: .OP \-\-policy\-any len
34: .OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
35: .OP \-\-outform encoding
36: .OP \-\-debug level
37: .YS
38: .
39: .SY pki\ \-\-self
40: .BI \-\-options\~ file
41: .YS
42: .
43: .SY "pki \-\-self"
44: .B \-h
45: |
46: .B \-\-help
47: .YS
48: .
49: .SH "DESCRIPTION"
50: .
51: This sub-command of
52: .BR pki (1)
53: is used to create a self-signed certificate.
54: .
55: .SH "OPTIONS"
56: .
57: .TP
58: .B "\-h, \-\-help"
59: Print usage information with a summary of the available options.
60: .TP
61: .BI "\-v, \-\-debug " level
62: Set debug level, default: 1.
63: .TP
64: .BI "\-+, \-\-options " file
65: Read command line options from \fIfile\fR.
66: .TP
67: .BI "\-i, \-\-in " file
68: Private key input file. If not given the key is read from \fISTDIN\fR.
69: .TP
70: .BI "\-x, \-\-keyid " hex
71: Smartcard or TPM private key object handle in hex format with an optional
72: 0x prefix.
73: .TP
74: .BI "\-t, \-\-type " type
75: Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
76: \fIed448\fR or \fIbliss\fR, defaults to \fIpriv\fR.
77: .TP
78: .BI "\-d, \-\-dn " distinguished-name
79: Subject and issuer distinguished name (DN). Required.
80: .TP
81: .BI "\-a, \-\-san " subjectAltName
82: subjectAltName extension to include in certificate. Can be used multiple times.
83: .TP
84: .BI "\-l, \-\-lifetime " days
85: Days the certificate is valid, default: 1095. Ignored if both
86: an absolute start and end time are given.
87: .TP
88: .BI "\-F, \-\-not-before " datetime
89: Absolute time when the validity of the certificate begins. The datetime format
90: is defined by the
91: .B \-\-dateform
92: option.
93: .TP
94: .BI "\-T, \-\-not-after " datetime
95: Absolute time when the validity of the certificate ends. The datetime format is
96: defined by the
97: .B \-\-dateform
98: option.
99: .TP
100: .BI "\-D, \-\-dateform " form
101: strptime(3) format for the
102: .B \-\-not\-before
103: and
104: .B \-\-not\-after
105: options, default:
106: .B %d.%m.%y %T
107: .TP
108: .BI "\-s, \-\-serial " hex
109: Serial number in hex. It is randomly allocated by default.
110: .TP
111: .BI "\-e, \-\-flag " flag
112: Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
113: \fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
114: .TP
115: .BI "\-g, \-\-digest " digest
116: Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
117: \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
118: determined based on the type and size of the signature key.
119: .TP
120: .BI "\-R, \-\-rsa\-padding " padding
121: Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
122: to \fIpkcs1\fR.
123: .TP
124: .BI "\-f, \-\-outform " encoding
125: Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
126: \fIpem\fR (Base64 PEM), defaults to \fIder\fR.
127: .TP
128: .BI "\-b, \-\-ca"
129: Include CA basicConstraint extension in certificate.
130: .TP
131: .BI "\-o, \-\-ocsp " uri
132: OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
133: times.
134: .TP
135: .BI "\-p, \-\-pathlen " len
136: Set path length constraint.
137: .TP
138: .BI "\-B, \-\-addrblock " block
139: RFC 3779 address block to include in certificate. \fIblock\fR is either a
140: CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
141: (\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
142: Please note that the supplied blocks are included in the certificate as is,
143: so for standards compliance, multiple blocks must be supplied in correct
144: order and adjacent blocks must be combined. Refer to RFC 3779 for details.
145: .TP
146: .BI "\-n, \-\-nc-permitted " name
147: Add permitted NameConstraint extension to certificate. For DNS or email
148: constraints, the identity type is not always detectable by the given name. Use
149: the
150: .B dns:
151: or
152: .B email:
153: prefix to force a constraint type.
154: .TP
155: .BI "\-N, \-\-nc-excluded " name
156: Add excluded NameConstraint extension to certificate. For DNS or email
157: constraints, the identity type is not always detectable by the given name. Use
158: the
159: .B dns:
160: or
161: .B email:
162: prefix to force a constraint type.
163: .TP
164: .BI "\-X, \-\-critical " oid
165: Add a critical extension with the given OID.
166: .TP
167: .BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
168: Add policyMapping from issuer to subject OID.
169: .TP
170: .BI "\-E, \-\-policy-explicit " len
171: Add requireExplicitPolicy constraint.
172: .TP
173: .BI "\-H, \-\-policy-inhibit " len
174: Add inhibitPolicyMapping constraint.
175: .TP
176: .BI "\-A, \-\-policy-any " len
177: Add inhibitAnyPolicy constraint.
178: .PP
179: .SS "Certificate Policy"
180: Multiple certificatePolicy extensions can be added, each with the following
181: information:
182: .TP
183: .BI "\-P, \-\-cert-policy " oid
184: OID to include in certificatePolicy extension. Required.
185: .TP
186: .BI "\-C, \-\-cps-uri " uri
187: Certification Practice Statement (CPS) URI for certificatePolicy.
188: .TP
189: .BI "\-U, \-\-user-notice " text
190: User notice for certificatePolicy.
191: .
192: .SH "EXAMPLES"
193: .
194: Generate a self-signed certificate using the given RSA key:
195: .PP
196: .EX
197: pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
198: \-\-san moon.strongswan.org > cert.der
199: .EE
200: .
201: .SH "SEE ALSO"
202: .
203: .BR pki (1)
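
The \-\-addrblock text above says the supplied blocks go into the certificate as is, so ordering and merging are the caller's job. The following helper is an added example, not part of the strongSwan sources: it sorts a list of CIDR subnets and address ranges, merges overlapping or adjacent ones, and returns the matching \-\-addrblock arguments. The function names and the sample blocks are assumptions made for illustration.

```python
import ipaddress

def parse_block(block):
    """Return (version, first, last) as integers for a CIDR subnet or an a-b range."""
    if "-" in block:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in block.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {block}")
        return lo.version, int(lo), int(hi)
    # strict=True rejects subnets with host bits set, e.g. 10.0.0.1/8
    net = ipaddress.ip_network(block, strict=True)
    return net.version, int(net.network_address), int(net.broadcast_address)

def format_block(version, first, last):
    """Emit a CIDR prefix when the span is exactly one prefix, else an a-b range."""
    addr = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    nets = list(ipaddress.summarize_address_range(addr(first), addr(last)))
    if len(nets) == 1:
        return str(nets[0])
    return f"{addr(first)}-{addr(last)}"

def normalize_addrblocks(blocks):
    """Sort blocks (IPv4 before IPv6) and merge overlapping or adjacent ones."""
    merged = []
    for version, first, last in sorted(parse_block(b) for b in blocks):
        prev = merged[-1] if merged else None
        if prev and prev[0] == version and first <= prev[2] + 1:
            prev[2] = max(prev[2], last)      # overlap or adjacency: extend
        else:
            merged.append([version, first, last])
    return [format_block(*m) for m in merged]

def pki_addrblock_args(blocks):
    """Build the repeated --addrblock arguments for pki --self."""
    args = []
    for block in normalize_addrblocks(blocks):
        args += ["--addrblock", block]
    return args

if __name__ == "__main__":
    # Constructed sample input: unordered, with overlapping and adjacent blocks.
    sample = ["192.168.1.0/25", "10.0.0.0/8", "192.168.1.128/25",
              "192.168.1.7-192.168.1.13", "172.16.0.5-172.16.0.9",
              "2001:db8::/32"]
    print(" ".join(pki_addrblock_args(sample)))
```
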