Diffstat (limited to 'src')
28 files changed, 1201 insertions, 41 deletions
diff --git a/src/charon-cmd/Makefile.am b/src/charon-cmd/Makefile.am index 9ed82be5e..73df45072 100644 --- a/src/charon-cmd/Makefile.am +++ b/src/charon-cmd/Makefile.am @@ -1,7 +1,6 @@ sbin_PROGRAMS = charon-cmd -CLEANFILES = charon-cmd.8 -dist_man8_MANS = charon-cmd.8 -EXTRA_DIST = charon-cmd.8.in +man8_MANS = charon-cmd.8 +CLEANFILES = $(man8_MANS) charon_cmd_SOURCES = \ cmd/cmd_options.h cmd/cmd_options.c \ @@ -24,9 +23,3 @@ charon_cmd_LDADD = \ $(top_builddir)/src/libhydra/libhydra.la \ $(top_builddir)/src/libcharon/libcharon.la \ -lm $(PTHREADLIB) $(DLLIB) - -charon-cmd.8 : charon-cmd.8.in - $(AM_V_GEN) \ - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ diff --git a/src/charon-cmd/charon-cmd.8.in b/src/charon-cmd/charon-cmd.8.in index c9d52c92f..25d706995 100644 --- a/src/charon-cmd/charon-cmd.8.in +++ b/src/charon-cmd/charon-cmd.8.in @@ -1,4 +1,4 @@ -.TH CHARON\-CMD 8 "2013-06-21" "@IPSEC_VERSION@" "strongSwan" +.TH CHARON\-CMD 8 "2013-06-21" "@PACKAGE_VERSION@" "strongSwan" .SH "NAME" charon\-cmd \- Simple IKE client (IPsec VPN client) .SH SYNOPSIS diff --git a/src/ipsec/Android.mk b/src/ipsec/Android.mk index c25be3ebc..3936f7af9 100644 --- a/src/ipsec/Android.mk +++ b/src/ipsec/Android.mk @@ -19,6 +19,7 @@ $(GEN) : PRIVATE_CUSTOM_TOOL = sed \ -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(strongswan_DIR):" \ -e "s:@IPSEC_SCRIPT@:ipsec:" \ + -e "s:@IPSEC_BINDIR@:$(strongswan_DIR):" \ -e "s:@IPSEC_SBINDIR@:$(strongswan_SBINDIR):" \ -e "s:@IPSEC_CONFDIR@:$(strongswan_CONFDIR):" \ -e "s:@IPSEC_PIDDIR@:$(strongswan_PIDDIR):" \ diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am index 73427c0fa..71f2d150b 100644 --- a/src/ipsec/Makefile.am +++ b/src/ipsec/Makefile.am 
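Review bot: With the local sed rule and `EXTRA_DIST = charon-cmd.8.in` dropped, charon-cmd.8 only gets built if configure now generates it from charon-cmd.8.in — the page switches to the autoconf `@PACKAGE_VERSION@` placeholder — which needs a matching `AC_CONFIG_FILES` entry; that change is not in this diff (limited to `src`), so it should be confirmed before merging or `make` will fail on a clean checkout. Listing the page as `man8_MANS` instead of `dist_man8_MANS` is consistent with a configure-generated file, and `CLEANFILES = $(man8_MANS)` removes it on clean.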
@@ -20,6 +20,7 @@ _ipsec : _ipsec.in -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ -e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \ + -e "s:@IPSEC_BINDIR@:$(bindir):" \ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in index 03ddb744d..3c1f99825 100644 --- a/src/ipsec/_ipsec.in +++ b/src/ipsec/_ipsec.in @@ -15,7 +15,7 @@ # for more details. # define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@" +PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@:@IPSEC_BINDIR@" export PATH # set daemon name @@ -28,6 +28,7 @@ IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`" # where the private directory and the config files are IPSEC_DIR="@IPSEC_DIR@" +IPSEC_BINDIR="@IPSEC_BINDIR@" IPSEC_SBINDIR="@IPSEC_SBINDIR@" IPSEC_CONFDIR="@IPSEC_CONFDIR@" IPSEC_PIDDIR="@IPSEC_PIDDIR@" @@ -39,7 +40,7 @@ IPSEC_CHARON_PID="${IPSEC_PIDDIR}/${DAEMON_NAME}.pid" IPSEC_STROKE="${IPSEC_DIR}/stroke" IPSEC_STARTER="${IPSEC_DIR}/starter" -export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID +export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland" @@ -313,6 +314,10 @@ update) exit 7 fi ;; +pki) + shift + exec $IPSEC_BINDIR/pki "$@" + ;; version|--version) printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n" printf "$IPSEC_DISTRO\n" diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index e07938284..efbed9b2b 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -1,4 +1,6 @@ -ipsec_PROGRAMS = pki +SUBDIRS = man + +bin_PROGRAMS = pki pki_SOURCES = pki.c pki.h command.c command.h \ commands/gen.c \ 
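Review bot: The new `pki)` case in _ipsec.in execs `$IPSEC_BINDIR/pki` unquoted, so a bindir containing whitespace (a configure `--prefix` with spaces is legal) is word-split before `exec`; quote it: `exec "$IPSEC_BINDIR/pki" "$@"`. It would also help to fail with a clear message when the binary is absent, since this script is normally run as root and `exec` on a missing path only yields the shell's own error. The `PATH` hunk earlier in the same file appends `@IPSEC_BINDIR@` after the system directories, so system binaries keep precedence, which is the right order. The `case` statement this hunk belongs to starts outside the hunk.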
diff --git a/src/pki/command.c b/src/pki/command.c
index a5e5b8528..984da59b4 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -258,6 +258,6 @@ int command_dispatch(int c, char *v[])
 return cmds[i].call();
 }
 }
- return command_usage("invalid operation");
+ return command_usage(c > 1 ? "invalid operation" : NULL);
 }
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index e3602f0c3..b74be7d98 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -151,7 +151,7 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 gen, 'g', "gen", "generate a new private key",
 {" [--type rsa|ecdsa] [--size bits] [--safe-primes]",
- "[--shares n] [--threshold l] [--outform der|pem|pgp]"},
+ "[--shares n] [--threshold l] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"type", 't', 1, "type of key, default: rsa"},
@@ -159,7 +159,7 @@ static void __attribute__ ((constructor))reg()
 {"safe-primes", 'p', 0, "generate rsa safe primes"},
 {"shares", 'n', 1, "number of private rsa key shares"},
 {"threshold", 'l', 1, "minimum number of participating rsa key shares"},
- {"outform", 'f', 1, "encoding of generated private key"},
+ {"outform", 'f', 1, "encoding of generated private key, default: der"},
 }
 });
 }
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 5f098ba41..9d669dfdd 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -514,14 +514,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { issue, 'i', "issue", "issue a certificate using a CA certificate and key", - {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", + {"[--in file] [--type pub|pkcs10] --cakey file|--cakeyid hex", " --cacert file [--dn subject-dn] [--san subjectAltName]+", - "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", - "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", - "[--nc-permitted name] [--nc-excluded name]", - "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", - "[--policy-map issuer-oid:subject-oid]", + "[--lifetime days] [--serial hex] [--ca] [--pathlen len]", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]", + "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/pki/commands/pkcs7.c b/src/pki/commands/pkcs7.c index 790656c62..6c75693ab 100644 --- a/src/pki/commands/pkcs7.c +++ b/src/pki/commands/pkcs7.c @@ -445,8 +445,8 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { pkcs7, '7', "pkcs7", "PKCS#7 wrap/unwrap functions", - {"--sign | --verify | --encrypt | --decrypt", - "--certificate+ [--key]"}, + {"--sign|--verify|--encrypt|--decrypt|--show", + "[--in file] [--cert file]+ [--key file]"}, { {"help", 'h', 0, "show usage information"}, {"sign", 's', 0, "create PKCS#7 signed-data"}, 
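Review bot: The reflowed usage text keeps `md5` and `sha1` in the `--digest` list with no hint that they are unsuitable for certificate signatures, and the man page added in this commit (pki---issue.1.in) states the default is sha1; MD5 has practical chosen-prefix collisions against X.509 and SHA-1 is deprecated for signing. Since the synopsis has to list what the parser accepts, the place to steer users is the `digest` option description in the table below the hunk, e.g. `{"digest", 'g', 1, "digest for signature creation, default: sha1 (md5/sha1 not recommended)"},` — the current wording of that entry is not visible here. Changing the default itself is outside this hunk. The `reg()` constructor starts outside the hunk.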
@@ -455,8 +455,8 @@ static void __attribute__ ((constructor))reg() {"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"}, {"show", 'p', 0, "show info about PKCS#7, print certificates"}, {"in", 'i', 1, "input file, default: stdin"}, - {"key", 'k', 1, "path to private key for sign/decryp"}, - {"cert", 'c', 1, "path to certificate for sign/verify/encryp"}, + {"key", 'k', 1, "path to private key for sign/decrypt"}, + {"cert", 'c', 1, "path to certificate for sign/verify/encrypt"}, } }); } diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index 9912061f4..5a658afec 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -158,13 +158,13 @@ static void __attribute__ ((constructor))reg() pub, 'p', "pub", "extract the public key from a private key/certificate", {"[--in file|--keyid hex] [--type rsa|ecdsa|pkcs10|x509]", - "[--outform der|pem|pgp|dnskey]"}, + "[--outform der|pem|dnskey]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, {"keyid", 'x', 1, "keyid on smartcard of private key"}, {"type", 't', 1, "type of credential, default: rsa"}, - {"outform", 'f', 1, "encoding of extracted public key"}, + {"outform", 'f', 1, "encoding of extracted public key, default: der"}, } }); } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index d90ddc251..e269f64ea 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -174,9 +174,8 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {"[--in file] [--type rsa|ecdsa]", - " --dn distinguished-name [--san subjectAltName]+", - "[--password challengePassword]", + {" [--in file] [--type rsa|ecdsa] --dn distinguished-name", + "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, 
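Review bot: The corrected `key`/`cert` descriptions now match what the code does, but the man page added in this commit (pki---pkcs7.1.in) documents `-e, --decrypt` while the table here registers `{"decrypt", 'd', 0, "decrypt PKCS#7 enveloped-data"},`, so the page should read `-d, --decrypt` — as written, `-e` is listed twice and a user following the page would trigger encrypt instead of decrypt. The `reg()` constructor starts outside the hunk.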
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 448360821..a1f17c8f9 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -378,14 +378,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {"[--in file | --keyid hex] [--type rsa|ecdsa]", + {" [--in file|--keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", "[--nc-permitted name] [--nc-excluded name]", - "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", "[--policy-map issuer-oid:subject-oid]", "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index f9746cca7..4f9dd291d 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c 
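Review bot: The context line `"[--policy-map issuer-oid:subject-oid]"` is left untouched, while issue.c in the same commit renames the equivalent usage entry to `--policy-mapping` and the new pki---self.1.in documents `-M, --policy-mapping`; the option table that decides which spelling is actually parsed lies outside this hunk, but at least one of the three is now wrong for users. If the table registers `policy-mapping`, change the line to `"[--policy-mapping issuer-oid:subject-oid]"`; otherwise the man page and the issue.c usage text need correcting instead. The `reg()` constructor starts outside the hunk.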
@@ -429,13 +429,13 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", - {"--cacert file --cakey file | --cakeyid hex --lifetime days", - "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", - "[ [--reason key-compromise|ca-compromise|affiliation-changed|", + {"--cacert file --cakey file|--cakeyid hex [--lifetime days]", + " [--lastcrl crl] [--basecrl crl] [--crluri uri]+", + " [[--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", - " [--date timestamp]", - " --cert file | --serial hex ]*", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + " [--date timestamp] --cert file|--serial hex]*", + " [--digest md5|sha1|sha224|sha256|sha384|sha512]", + " [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, diff --git a/src/pki/commands/verify.c b/src/pki/commands/verify.c index 3e983d3ec..11c596d78 100644 --- a/src/pki/commands/verify.c +++ b/src/pki/commands/verify.c @@ -125,7 +125,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { verify, 'v', "verify", "verify a certificate using the CA certificate", - {"[--in file] [--ca file]"}, + {"[--in file] [--cacert file]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "X.509 certificate to verify, default: stdin"}, @@ -133,4 +133,3 @@ static void __attribute__ ((constructor))reg() } }); } - diff --git a/src/pki/man/.gitignore b/src/pki/man/.gitignore new file mode 100644 index 000000000..44b27a64b --- /dev/null +++ b/src/pki/man/.gitignore @@ -0,0 +1 @@ +*.8
\ No newline at end of file diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am new file mode 100644 index 000000000..618bd4093 --- /dev/null +++ b/src/pki/man/Makefile.am @@ -0,0 +1,14 @@ +man1_MANS = \ + pki.1 \ + pki---gen.1 \ + pki---self.1 \ + pki---issue.1 \ + pki---signcrl.1 \ + pki---req.1 \ + pki---pkcs7.1 \ + pki---keyid.1 \ + pki---print.1 \ + pki---pub.1 \ + pki---verify.1 + +CLEANFILES = $(man1_MANS) diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in new file mode 100644 index 000000000..138ab6122 --- /dev/null +++ b/src/pki/man/pki---gen.1.in 
@@ -0,0 +1,112 @@ +.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-gen \- Generate a new RSA or ECDSA private key +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-gen +.OP \-\-type type +.OP \-\-size bits +.OP \-\-safe\-primes +.OP \-\-shares n +.OP \-\-threshold l +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-gen +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-gen" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to generate a new RSA or ECDSA private key. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-t, \-\-type " type +Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +.TP +.BI "\-s, \-\-size " bits +Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR. +For \fIecdsa\fR only three values are currently supported: 256, 384 and 521. +.TP +.BI "\-p, \-\-safe\-primes" +Generate RSA safe primes. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the generated private key. Either \fIder\fR (ASN.1 DER) or \fIpem\fR +(Base64 PEM), defaults +to \fIder\fR. +.PP +.SS "RSA Threshold Cryptography" +.TP +.BI "\-n, \-\-shares " <n> +Number of private RSA key shares. +.TP +.BI "\-l, \-\-threshold " <l> +Minimum number of participating RSA key shares. +. +.SH "PROBLEMS ON HOSTS WITH LOW ENTROPY" +. +If the +.I gmp +plugin is used to generate RSA private keys the key material is read from +.I /dev/random +(via the +.I random +plugin). Therefore, the command may block if the system's entropy pool is empty. 
+To avoid this, either use a hardware random number generator to feed +.I /dev/random +or use OpenSSL (via the +.I openssl +plugin or the command line) which is not as strict in regards to the quality of +the key material (it reads from +.I /dev/urandom +if necessary). It is also possible to configure the devices used by the +.I random +plugin in +.BR strongswan.conf (5). +Setting +.B libstrongswan.plugins.random.random +to +.I /dev/urandom +forces the plugin to treat bytes read from +.I /dev/urandom +as high grade random data, thus avoiding the blocking. Of +course, this doesn't change the fact that the key material generated this way is +of lower quality. +. +.SH "EXAMPLES" +. +.TP +.B pki \-\-gen \-\-size 3072 > rsa_key.der +Generates a 3072-bit RSA private key. +. +.TP +.B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der +Generates a 256-bit ECDSA private key. +. +.SH "SEE ALSO" +. +.BR pki (1) diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in new file mode 100644 index 000000000..9effd9b15 --- /dev/null +++ b/src/pki/man/pki---issue.1.in 
@@ -0,0 +1,179 @@ +.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-issue \- Issue a certificate using a CA certificate and key +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-issue +.OP \-\-in file +.OP \-\-type type +.BI \-\-cakey\~ file |\-\-cakeyid\~ hex +.BI \-\-cacert\~ file +.OP \-\-dn subject-dn +.OP \-\-san subjectAltName +.OP \-\-lifetime days +.OP \-\-serial hex +.OP \-\-flag flag +.OP \-\-digest digest +.OP \-\-ca +.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR] +.OP \-\-ocsp uri +.OP \-\-pathlen len +.OP \-\-nc-permitted name +.OP \-\-nc-excluded name +.OP \-\-policy\-mapping mapping +.OP \-\-policy\-explicit len +.OP \-\-policy\-inhibit len +.OP \-\-policy\-any len +.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR] +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-issue +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-issue" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to issue a certificate using a CA certificate and private key. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Public key or PKCS#10 certificate request file to issue. If not given the +key/request is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-type " type +Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a +PKCS#10 certificate request, defaults to \fIpub\fR. +.TP +.BI "\-k, \-\-cakey " file +CA private key file. Either this or +.B \-\-cakeyid +is required. +.TP +.BI "\-x, \-\-cakeyid " hex +Key ID of a CA private key on a smartcard. Either this or +.B \-\-cakey +is required. +.TP +.BI "\-c, \-\-cacert " file +CA certificate file. Required. 
+.TP +.BI "\-d, \-\-dn " subject-dn +Subject distinguished name (DN) of the issued certificate. +.TP +.BI "\-a, \-\-san " subjectAltName +subjectAltName extension to include in certificate. Can be used multiple times. +.TP +.BI "\-l, \-\-lifetime " days +Days the certificate is valid, default: 1095. +.TP +.BI "\-s, \-\-serial " hex +Serial number in hex. It is randomly allocated by default. +.TP +.BI "\-e, \-\-flag " flag +Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR, +\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to +\fIsha1\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +.TP +.BI "\-b, \-\-ca" +Include CA basicConstraint extension in certificate. +.TP +.BI "\-u, \-\-crl " uri +CRL distribution point URI to include in certificate. Can be used multiple +times. +.TP +.BI "\-I, \-\-crlissuer " issuer +Optional CRL issuer for the CRL at the preceding distribution point. +.TP +.BI "\-o, \-\-ocsp " uri +OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple +times. +.TP +.BI "\-p, \-\-pathlen " len +Set path length constraint. +.TP +.BI "\-n, \-\-nc-permitted " name +Add permitted NameConstraint extension to certificate. +.TP +.BI "\-N, \-\-nc-excluded " name +Add excluded NameConstraint extension to certificate. +.TP +.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid +Add policyMapping from issuer to subject OID. +.TP +.BI "\-E, \-\-policy-explicit " len +Add requireExplicitPolicy constraint. +.TP +.BI "\-H, \-\-policy-inhibit " len +Add inhibitPolicyMapping constraint. +.TP +.BI "\-A, \-\-policy-any " len +Add inhibitAnyPolicy constraint. 
+.PP +.SS "Certificate Policy" +Multiple certificatePolicy extensions can be added. Each with the following +information: +.TP +.BI "\-P, \-\-cert-policy " oid +OID to include in certificatePolicy extension. Required. +.TP +.BI "\-C, \-\-cps-uri " uri +Certification Practice statement URI for certificatePolicy. +.TP +.BI "\-U, \-\-user-notice " text +User notice for certificatePolicy. +. +.SH "EXAMPLES" +. +To save repetitive typing, command line options can be stored in files. +Lets assume +.I pki.opt +contains the following contents: +.PP +.EX + --cacert ca_cert.der --cakey ca_key.der --digest sha256 + --flag serverAuth --lifetime 1460 --type pkcs10 +.EE +.PP +Then the following command can be used to issue a certificate based on a +given PKCS#10 certificate request and the options above: +.PP +.EX + pki --issue --options pki.opt --in req.der > cert.der +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in new file mode 100644 index 000000000..490f7afea --- /dev/null +++ b/src/pki/man/pki---keyid.1.in @@ -0,0 +1,72 @@ +.TH "PKI \-\-KEYID" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-keyid \- Calculate key identifiers of a key or certificate +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-keyid +.OP \-\-in file +.OP \-\-type type +.OP \-\-debug level +.YS +. +.SY pki\ \-\-keyid +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-keyid" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +calculates key identifiers of private keys and certificates. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Input file. If not given the input is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-type " type +Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA +private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate +request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR. +. +.SH "EXAMPLES" +. +Calculate key identifiers of an RSA private key: +.PP +.EX + pki --keyid --in key.der + subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1... + subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1... +.EE +.PP +Calculate key identifiers of an X.509 certificate: +.PP +.EX + pki --keyid --in cert.der --type x509 + subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1... + subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1... +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---pkcs7.1.in b/src/pki/man/pki---pkcs7.1.in new file mode 100644 index 000000000..38186cf70 --- /dev/null +++ b/src/pki/man/pki---pkcs7.1.in @@ -0,0 +1,79 @@ +.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-pkcs7 \- Provides PKCS#7 wrap/unwrap functions +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-pkcs7 +.BR \-\-sign | \-\-verify | \-\-encrypt | \-\-decrypt | \-\-show +.OP \-\-in file +.OP \-\-cert file +.OP \-\-key file +.OP \-\-debug level +.YS +. +.SY pki\ \-\-pkcs7 +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-pkcs7" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +provides functions to wrap/unwrap PKCS#7 containers. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-s, \-\-sign" +Create PKCS#7 signed-data. +.TP +.BI "\-u, \-\-verify" +Verify PKCS#7 signed-data. +.TP +.BI "\-e, \-\-encrypt" +Create PKCS#7 enveloped-data. +.TP +.BI "\-e, \-\-decrypt" +Decrypt PKCS#7 enveloped-data. +.TP +.BI "\-p, \-\-show" +Show information about PKCS#7 container, list certificates. +.TP +.BI "\-i, \-\-in " file +PKCS#7 input file. If not given the input is read from \fISTDIN\fR. +.TP +.BI "\-k, \-\-key " file +Private key used for +.B \-\-sign +and +.BR \-\-decrypt. +.TP +.BI "\-c, \-\-cert " file +Certificate for +.BR \-\-sign , +.B \-\-verify +and +.BR \-\-encrypt. +Can be used multiple times. +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in new file mode 100644 index 000000000..8d3345edc --- /dev/null +++ b/src/pki/man/pki---print.1.in @@ -0,0 +1,53 @@ +.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-print \- Print a credential (key, certificate etc.) in human readable form +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-print +.OP \-\-in file +.OP \-\-type type +.OP \-\-debug level +.YS +. +.SY pki\ \-\-print +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-print" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +prints credentials (keys, certificates etc.) in human readable form. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Input file. If not given the input is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-type " type +Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA +private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR +(Certificate Revocation List, CRL), defaults to \fIx509\fR. +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in new file mode 100644 index 000000000..d588ae732 --- /dev/null +++ b/src/pki/man/pki---pub.1.in @@ -0,0 +1,75 @@ +.TH "PKI \-\-PUB" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-pub \- Extract a public key from a private key or certificate +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-pub +.RB [ \-\-in +.IR file | \fB\-\-keyid\fR +.IR hex ] +.OP \-\-type type +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-pub +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-pub" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +extracts public keys from a private keys and certificates. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Input file. If not given the input is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-type " type +Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA +private key), \fIpkcs10\fR (PKCS#10 certificate request), \fIx509\fR (X.509 +certificate), defaults to \fIrsa\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR +(Base64 PEM), or \fIdnskey\fR (RFC 3110 DNS key), defaults to \fIder\fR. +. +.SH "EXAMPLES" +. +Extract the public key from an RSA private key: +.PP +.EX + pki --pub --in key.der > pub.der +.EE +.PP +Extract the public key from an X.509 certificate: +.PP +.EX + pki --pub --in cert.der --type x509 > pub.der +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in new file mode 100644 index 000000000..ab144ce2a --- /dev/null +++ b/src/pki/man/pki---req.1.in 
@@ -0,0 +1,91 @@ +.TH "PKI \-\-REQ" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-req \- Create a PKCS#10 certificate request +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-req +.OP \-\-in file +.OP \-\-type type +.BI \-\-dn\~ distinguished-name +.OP \-\-san subjectAltName +.OP \-\-password password +.OP \-\-digest digest +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-req +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-req" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to create a PKCS#10 certificate request. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Private key input file. If not given the key is read from \fISTDIN\fR. +.TP +.BI "\-t, \-\-type " type +Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +.TP +.BI "\-d, \-\-dn " distinguished-name +Subject distinguished name (DN). Required. +.TP +.BI "\-a, \-\-san " subjectAltName +subjectAltName extension to include in request. Can be used multiple times. +.TP +.BI "\-p, \-\-password " password +The challengePassword to include in the certificate request. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to +\fIsha1\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +. +.SH "EXAMPLES" +. 
+Generate a certificate request for an RSA key, with a subjectAltName extension: +.PP +.EX + pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\ + \-\-san moon@strongswan.org > req.der +.EE +.PP +Generate a certificate request for an ECDSA key and a different digest: +.PP +.EX + pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\ + \-\-dn "C=CH, O=strongSwan, CN=carol" > req.der +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in new file mode 100644 index 000000000..ee42cf9a0 --- /dev/null +++ b/src/pki/man/pki---self.1.in 
@@ -0,0 +1,148 @@ +.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-self \- Create a self-signed certificate +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-self +.RB [ \-\-in +.IR file | \fB\-\-keyid\fR +.IR hex ] +.OP \-\-type t +.BI \-\-dn\~ distinguished-name +.OP \-\-san subjectAltName +.OP \-\-lifetime days +.OP \-\-serial hex +.OP \-\-flag flag +.OP \-\-digest digest +.OP \-\-ca +.OP \-\-ocsp uri +.OP \-\-pathlen len +.OP \-\-nc-permitted name +.OP \-\-nc-excluded name +.OP \-\-policy\-mapping mapping +.OP \-\-policy\-explicit len +.OP \-\-policy\-inhibit len +.OP \-\-policy\-any len +.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR] +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-self +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-self" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to create a self-signed certificate. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-i, \-\-in " file +Private key input file. If not given the key is read from \fISTDIN\fR. +.TP +.BI "\-x, \-\-keyid " hex +Key ID of a private key on a smartcard. +.TP +.BI "\-t, \-\-type " type +Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +.TP +.BI "\-d, \-\-dn " distinguished-name +Subject and issuer distinguished name (DN). Required. +.TP +.BI "\-a, \-\-san " subjectAltName +subjectAltName extension to include in certificate. Can be used multiple times. +.TP +.BI "\-l, \-\-lifetime " days +Days the certificate is valid, default: 1095. +.TP +.BI "\-s, \-\-serial " hex +Serial number in hex. It is randomly allocated by default. +.TP +.BI "\-e, \-\-flag " flag +Add extendedKeyUsage flag. 
One of \fIserverAuth\fR, \fIclientAuth\fR, +\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to +\fIsha1\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +.TP +.BI "\-b, \-\-ca" +Include CA basicConstraint extension in certificate. +.TP +.BI "\-o, \-\-ocsp " uri +OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple +times. +.TP +.BI "\-p, \-\-pathlen " len +Set path length constraint. +.TP +.BI "\-n, \-\-nc-permitted " name +Add permitted NameConstraint extension to certificate. +.TP +.BI "\-N, \-\-nc-excluded " name +Add excluded NameConstraint extension to certificate. +.TP +.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid +Add policyMapping from issuer to subject OID. +.TP +.BI "\-E, \-\-policy-explicit " len +Add requireExplicitPolicy constraint. +.TP +.BI "\-H, \-\-policy-inhibit " len +Add inhibitPolicyMapping constraint. +.TP +.BI "\-A, \-\-policy-any " len +Add inhibitAnyPolicy constraint. +.PP +.SS "Certificate Policy" +Multiple certificatePolicy extensions can be added. Each with the following +information: +.TP +.BI "\-P, \-\-cert-policy " oid +OID to include in certificatePolicy extension. Required. +.TP +.BI "\-C, \-\-cps-uri " uri +Certification Practice statement URI for certificatePolicy. +.TP +.BI "\-U, \-\-user-notice " text +User notice for certificatePolicy. +. +.SH "EXAMPLES" +. +Generate a self-signed certificate using the given RSA key: +.PP +.EX + pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\ + \-\-san moon.strongswan.org > cert.der +.EE +. +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in new file mode 100644 index 000000000..6ba96f6bc --- /dev/null +++ b/src/pki/man/pki---signcrl.1.in 
@@ -0,0 +1,124 @@
+.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki---verify.1.in b/src/pki/man/pki---verify.1.in
new file mode 100644
index 000000000..de34acad4
--- /dev/null
+++ b/src/pki/man/pki---verify.1.in
@@ -0,0 +1,56 @@
+.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-verify \- Verify a certificate using a CA certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-verify
+.OP \-\-in file
+.OP \-\-cacert file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-verify
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-verify"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+verifies a certificate using an optional CA certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+X.509 certificate to verify. If not given it is read from \fISTDIN\fR.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate to use. If not given the certificate is assumed to be
+self-signed.
+.
+.SH "EXIT STATUS"
+The exit status is 0 if the certificate was verified successfully, and 2 if
+the verification failed.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
new file mode 100644
index 000000000..8dfc53af3
--- /dev/null
+++ b/src/pki/man/pki.1.in
@@ -0,0 +1,156 @@
+.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \- Simple public key infrastructure (PKI) management tool
+.
+.SH "SYNOPSIS"
+.
+.SY "pki"
+.I command
+.RI [ option\~ .\|.\|.]
+.YS
+.
+.SY "pki"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B pki
+is a suite of commands that allow you to manage a simple public key
+infrastructure (PKI).
+.P
+Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
+containing subjectAltNames, create X.509 self-signed end-entity and root CA
+certificates, issue end-entity and intermediate CA certificates signed by the
+private key of a CA and containing subjectAltNames, CRL distribution points
+and URIs of OCSP servers. You can also extract raw public keys from private
+keys, certificate requests and certificates and compute two kinds of SHA-1-based
+key IDs.
+.
+.SH "COMMANDS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.B "\-g, \-\-gen"
+Generate a new private key.
+.TP
+.B "\-s, \-\-self"
+Create a self-signed certificate.
+.TP
+.B "\-i, \-\-issue"
+Issue a certificate using a CA certificate and key.
+.TP
+.B "\-c, \-\-signcrl"
+Issue a CRL using a CA certificate and key.
+.TP
+.B "\-r, \-\-req"
+Create a PKCS#10 certificate request.
+.TP
+.B "\-7, \-\-pkcs7"
+Provides PKCS#7 wrap/unwrap functions.
+.TP
+.B "\-k, \-\-keyid"
+Calculate key identifiers of a key or certificate.
+.TP
+.B "\-a, \-\-print"
+Print a credential (key, certificate etc.) in human readable form.
+.TP
+.B "\-p, \-\-pub"
+Extract a public key from a private key or certificate.
+.TP
+.B "\-v, \-\-verify"
+Verify a certificate using a CA certificate.
+.
+.SH "EXAMPLES"
+.
+.SS "Generating a CA Certificate"
+.
+The first step is to generate a private key using the
+.B \-\-gen
+command. By default this generates a 2048-bit RSA key.
+.PP
+.EX
+ pki \-\-gen > ca_key.der
+.EE
+.PP
+This key is used to create the self-signed CA certificate, using the
+.B \-\-self
+command. The distinguished name should be adjusted to your needs.
+.PP
+.EX
+ pki \-\-self \-\-ca \-\-in ca_key.der \\
+ \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
+.EE
+.PP
+.
+.SS "Generating End-Entity Certificates"
+.
+With the root CA certificate and key at hand end-entity certificates for clients
+and servers can be issued. Similarly intermediate CA certificates can be issued,
+which in turn can issue other certificates.
+To generate a certificate for a server, we start by generating a private key.
+.PP
+.EX
+ pki \-\-gen > server_key.der
+.EE
+.PP
+The public key will be included in the certificate so lets extract that from the
+private key.
+.PP
+.EX
+ pki \-\-pub \-\-in server_key.der > server_pub.der
+.EE
+.PP
+The following command will use the CA certificate and private key to issue the
+certificate for this server. Adjust the distinguished name, subjectAltName(s)
+and flags as needed (check
+.BR pki\ \-\-issue (8)
+for more options).
+.PP
+.EX
+ pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
+ \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
+ \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
+.EE
+.PP
+Instead of storing the public key in a separate
+file, the output of
+.B \-\-pub
+may also be piped directly into the above command.
+.
+.SS "Generating Certificate Revocation Lists (CRL)"
+.
+If end-entity certificates have to be revoked, CRLs may be generated using
+the
+.B \-\-signcrl
+command.
+.PP
+.EX
+ pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert server_cert.der > crl.der
+.EE
+.PP
+The certificate given with \-\-cacert must be either a CA certificate or a
+certificate with the
+.I crlSign
+extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
+certificates with the \-\-crl option.
+.
+.SH "SEE ALSO"
+.
+.BR pki\ \-\-gen (1),
+.BR pki\ \-\-self (1),
+.BR pki\ \-\-issue (1),
+.BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-req (1),
+.BR pki\ \-\-pkcs7 (1),
+.BR pki\ \-\-keyid (1),
+.BR pki\ \-\-print (1),
+.BR pki\ \-\-pub (1),
+.BR pki\ \-\-verify (1) |