Annotation of embedaddon/strongswan/src/pki/man/pki.1.in, revision 1.1
1.1 ! misho 1: .TH PKI 1 "2015-08-06" "@PACKAGE_VERSION@" "strongSwan"
! 2: .
! 3: .SH "NAME"
! 4: .
! 5: pki \- Simple public key infrastructure (PKI) management tool
! 6: .
! 7: .SH "SYNOPSIS"
! 8: .
! 9: .SY "pki"
! 10: .I command
! 11: .RI [ option\~ .\|.\|.]
! 12: .YS
! 13: .
! 14: .SY "pki"
! 15: .B \-h
! 16: |
! 17: .B \-\-help
! 18: .YS
! 19: .
! 20: .SH "DESCRIPTION"
! 21: .
! 22: .B pki
! 23: is a suite of commands that allow you to manage a simple public key
! 24: infrastructure (PKI).
! 25: .P
! 26: Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
! 27: containing subjectAltNames, create X.509 self-signed end-entity and root CA
! 28: certificates, issue end-entity and intermediate CA certificates signed by the
! 29: private key of a CA and containing subjectAltNames, CRL distribution points
! 30: and URIs of OCSP servers. You can also extract raw public keys from private
! 31: keys, certificate requests and certificates and compute two kinds of SHA-1-based
! 32: key IDs.
! 33: .
! 34: .SH "COMMANDS"
! 35: .
! 36: .TP
! 37: .B "\-h, \-\-help"
! 38: Prints usage information and a short summary of the available commands.
! 39: .TP
! 40: .B "\-g, \-\-gen"
! 41: Generate a new private key.
! 42: .TP
! 43: .B "\-s, \-\-self"
! 44: Create a self-signed certificate.
! 45: .TP
! 46: .B "\-i, \-\-issue"
! 47: Issue a certificate using a CA certificate and key.
! 48: .TP
! 49: .B "\-c, \-\-signcrl"
! 50: Issue a CRL using a CA certificate and key.
! 51: .TP
! 52: .B "\-z, \-\-acert"
! 53: Issue an attribute certificate.
! 54: .TP
! 55: .B "\-r, \-\-req"
! 56: Create a PKCS#10 certificate request.
! 57: .TP
! 58: .B "\-7, \-\-pkcs7"
! 59: Provides PKCS#7 wrap/unwrap functions.
! 60: .TP
! 61: .B "\-k, \-\-keyid"
! 62: Calculate key identifiers of a key or certificate.
! 63: .TP
! 64: .B "\-a, \-\-print"
! 65: Print a credential (key, certificate etc.) in human readable form.
! 66: .TP
! 67: .B "\-d, \-\-dn"
! 68: Extract the subject DN of an X.509 certificate.
! 69: .TP
! 70: .B "\-p, \-\-pub"
! 71: Extract a public key from a private key or certificate.
! 72: .TP
! 73: .B "\-v, \-\-verify"
! 74: Verify a certificate using a CA certificate.
! 75: .
! 76: .SH "EXAMPLES"
! 77: .
! 78: .SS "Generating a CA Certificate"
! 79: .
! 80: The first step is to generate a private key using the
! 81: .B \-\-gen
! 82: command. By default this generates a 2048-bit RSA key.
! 83: .PP
! 84: .EX
! 85: pki \-\-gen > ca_key.der
! 86: .EE
! 87: .PP
! 88: This key is used to create the self-signed CA certificate, using the
! 89: .B \-\-self
! 90: command. The distinguished name should be adjusted to your needs.
! 91: .PP
! 92: .EX
! 93: pki \-\-self \-\-ca \-\-in ca_key.der \\
! 94: \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
! 95: .EE
! 96: .PP
! 97: .
! 98: .SS "Generating End-Entity Certificates"
! 99: .
! 100: With the root CA certificate and key at hand end-entity certificates for clients
! 101: and servers can be issued. Similarly intermediate CA certificates can be issued,
! 102: which in turn can issue other certificates.
! 103: To generate a certificate for a server, we start by generating a private key.
! 104: .PP
! 105: .EX
! 106: pki \-\-gen > server_key.der
! 107: .EE
! 108: .PP
! 109: The public key will be included in the certificate so lets extract that from the
! 110: private key.
! 111: .PP
! 112: .EX
! 113: pki \-\-pub \-\-in server_key.der > server_pub.der
! 114: .EE
! 115: .PP
! 116: The following command will use the CA certificate and private key to issue the
! 117: certificate for this server. Adjust the distinguished name, subjectAltName(s)
! 118: and flags as needed (check
! 119: .BR pki\ \-\-issue (8)
! 120: for more options).
! 121: .PP
! 122: .EX
! 123: pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
! 124: \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
! 125: \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
! 126: .EE
! 127: .PP
! 128: Instead of storing the public key in a separate
! 129: file, the output of
! 130: .B \-\-pub
! 131: may also be piped directly into the above command.
! 132: .
! 133: .SS "Generating Certificate Revocation Lists (CRL)"
! 134: .
! 135: If end-entity certificates have to be revoked, CRLs may be generated using
! 136: the
! 137: .B \-\-signcrl
! 138: command.
! 139: .PP
! 140: .EX
! 141: pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
! 142: \-\-reason superseded \-\-cert server_cert.der > crl.der
! 143: .EE
! 144: .PP
! 145: The certificate given with \-\-cacert must be either a CA certificate or a
! 146: certificate with the
! 147: .I crlSign
! 148: extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
! 149: certificates with the \-\-crl option.
! 150: .
! 151: .SH "SEE ALSO"
! 152: .
! 153: .BR pki\ \-\-gen (1),
! 154: .BR pki\ \-\-self (1),
! 155: .BR pki\ \-\-issue (1),
! 156: .BR pki\ \-\-signcrl (1),
! 157: .BR pki\ \-\-acert (1),
! 158: .BR pki\ \-\-req (1),
! 159: .BR pki\ \-\-pkcs7 (1),
! 160: .BR pki\ \-\-keyid (1),
! 161: .BR pki\ \-\-print (1),
! 162: .BR pki\ \-\-dn (1),
! 163: .BR pki\ \-\-pub (1),
! 164: .BR pki\ \-\-verify (1)
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to pki.1.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pki / man