Annotation of embedaddon/strongswan/src/pki/man/pki---signcrl.1.in, revision 1.1.1.1

1.1       misho       1: .TH "PKI \-\-SIGNCRL" 1 "2019-05-06" "@PACKAGE_VERSION@" "strongSwan"
                      2: .
                      3: .SH "NAME"
                      4: .
                      5: pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
                      6: .
                      7: .SH "SYNOPSIS"
                      8: .
                      9: .SY pki\ \-\-signcrl
                     10: .BI \-\-cakey\~ file |\-\-cakeyid\~ hex
                     11: .BI \-\-cacert\~ file
                     12: .OP \-\-lifetime days
                     13: .OP \-\-this-update datetime
                     14: .OP \-\-next-update datetime
                     15: .OP \-\-lastcrl crl
                     16: .OP \-\-basecrl crl
                     17: .OP \-\-crluri uri
                     18: .OP \-\-digest digest
                     19: .OP \-\-rsa\-padding padding
                     20: .OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
                     21: .OP \-\-critical oid
                     22: .OP \-\-outform encoding
                     23: .OP \-\-debug level
                     24: .YS
                     25: .
                     26: .SY pki\ \-\-signcrl
                     27: .BI \-\-options\~ file
                     28: .YS
                     29: .
                     30: .SY "pki \-\-signcrl"
                     31: .B \-h
                     32: |
                     33: .B \-\-help
                     34: .YS
                     35: .
                     36: .SH "DESCRIPTION"
                     37: .
                     38: This sub-command of
                     39: .BR pki (1)
                     40: is used to issue a Certificate Revocation List (CRL) using a CA certificate and
                     41: private key.
                     42: .
                     43: .SH "OPTIONS"
                     44: .
                     45: .TP
                     46: .B "\-h, \-\-help"
                     47: Print usage information with a summary of the available options.
                     48: .TP
                     49: .BI "\-v, \-\-debug " level
                     50: Set debug level, default: 1.
                     51: .TP
                     52: .BI "\-+, \-\-options " file
                     53: Read command line options from \fIfile\fR.
                     54: .TP
                     55: .BI "\-k, \-\-cakey " file
                     56: CA private key file. Either this or
                     57: .B \-\-cakeyid
                     58: is required.
                     59: .TP
                     60: .BI "\-x, \-\-cakeyid " hex
                     61: Smartcard or TPM CA private key object handle in hex format with an optional
                     62: 0x prefix. Either this or
                     63: .B \-\-cakey
                     64: is required.
                     65: .TP
                     66: .BI "\-c, \-\-cacert " file
                     67: CA certificate file. Required.
                     68: .TP
                     69: .BI "\-l, \-\-lifetime " days
                     70: Days between thisUpdate and nextUpdate of the CRL, default: 15. Ignored if both
                     71: an absolute start and end time are given.
                     72: .TP
                     73: .BI "\-F, \-\-this-update " datetime
                     74: Absolute time when the validity of the CRL begins. The datetime format is
                     75: defined by the
                     76: .B \-\-dateform
                     77: option.
                     78: .TP
                     79: .BI "\-T, \-\-next-update " datetime
                     80: Absolute time when the validity of the CRL ends. The datetime format is
                     81: defined by the
                     82: .B \-\-dateform
                     83: option.
                     84: .TP
                     85: .BI "\-D, \-\-dateform " form
                     86: strptime(3) format for the
                     87: .B \-\-this\-update
                     88: and
                     89: .B \-\-next\-update
                     90: options, default:
                     91: .B %d.%m.%y %T
                     92: .TP
                     93: .BI "\-a, \-\-lastcrl " crl
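                     94: Previously issued CRL to copy existing revocations from. Without it, only the revocations given on the command line are included in the new CRL.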
                     95: .TP
                     96: .BI "\-b, \-\-basecrl " crl
                     97: Base CRL to create a delta CRL for.
                     98: .TP
                     99: .BI "\-u, \-\-crluri " uri
                    100: Freshest delta CRL URI to include in CRL. Can be used multiple times.
                    101: .TP
                    102: .BI "\-g, \-\-digest " digest
                    103: Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
                    104: \fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
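                    105: determined based on the type and size of the signature key. \fImd5\fR and \fIsha1\fR are no longer collision resistant; prefer \fIsha256\fR or stronger for new CRLs.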
                    106: .TP
                    107: .BI "\-R, \-\-rsa\-padding " padding
                    108: Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
                    109: to \fIpkcs1\fR.
                    110: .TP
                    111: .BI "\-X, \-\-critical " oid
                    112: Add a critical extension with the given OID.
                    113: .TP
                    114: .BI "\-f, \-\-outform " encoding
                    115: Encoding of the created CRL file. Either \fIder\fR (ASN.1 DER) or
                    116: \fIpem\fR (Base64 PEM), defaults to \fIder\fR.
                    117: .PP
                    118: .SS "Revoked Certificates"
                    119: Multiple revoked certificates can be added to the CRL by either providing the
                    120: certificate file or the respective serial number directly.
                    121: A reason and a timestamp can be configured for each revocation (they have to be
                    122: given before each certificate/serial on the command line).
                    123: .TP
                    124: .BI "\-r, \-\-reason " reason
                    125: The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
                    126: \fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
                    127: \fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
                    128: .TP
                    129: .BI "\-d, \-\-date " ts
                    130: Revocation date as Unix timestamp. Defaults to the current time.
                    131: .TP
                    132: .BI "\-z, \-\-cert " file
                    133: Certificate file to revoke.
                    134: .TP
                    135: .BI "\-s, \-\-serial " hex
                    136: Hexadecimal encoded serial number of the certificate to revoke.
                    137: .
                    138: .SH "EXAMPLES"
                    139: .
                    140: Revoke a certificate:
                    141: .PP
                    142: .EX
                    143:   pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
                    144:       \-\-reason superseded \-\-cert cert.der > crl.der
                    145: .EE
                    146: .PP
                    147: Update an existing CRL with two new revocations, using the certificate's serial
                    148: number, but no reason:
                    149: .PP
                    150: .EX
                    151:   pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
                    152:       \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
                    153: .EE
                    154: .PP
                    155: .SH "SEE ALSO"
                    156: .
                    157: .BR pki (1)
