1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
.TH "PKI \-\-SELF" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-self \- Create a self-signed certificate
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-self
.RB [ \-\-in
.IR file | \fB\-\-keyid\fR
.IR hex ]
.OP \-\-type t
.BI \-\-dn\~ distinguished-name
.OP \-\-san subjectAltName
.OP \-\-lifetime days
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-serial hex
.OP \-\-flag flag
.OP \-\-digest digest
.OP \-\-ca
.OP \-\-ocsp uri
.OP \-\-pathlen len
.OP \-\-addrblock block
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.OP \-\-policy\-any len
.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-self
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-self"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to create a self-signed certificate.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-x, \-\-keyid " hex
Smartcard or TPM private key object handle in hex format with an optional
0x prefix.
.TP
.BI "\-t, \-\-type " type
Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
or \fIbliss\fR, defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject and issuer distinguished name (DN). Required.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
.TP
.BI "\-l, \-\-lifetime " days
Days the certificate is valid, default: 1095. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the certificate begins. The datetime format
is defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the certificate ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.TP
.BI "\-b, \-\-ca"
Include CA basicConstraint extension in certificate.
.TP
.BI "\-o, \-\-ocsp " uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-p, \-\-pathlen " len
Set path length constraint.
.TP
.BI "\-B, \-\-addrblock " block
RFC 3779 address block to include in certificate. \fIblock\fR is either a
CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
Please note that the supplied blocks are included in the certificate as is,
so for standards compliance, multiple blocks must be supplied in correct
order and adjacent blocks must be combined. Refer to RFC 3779 for details.
.TP
.BI "\-n, \-\-nc-permitted " name
Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
.BI "\-E, \-\-policy-explicit " len
Add requireExplicitPolicy constraint.
.TP
.BI "\-H, \-\-policy-inhibit " len
Add inhibitPolicyMapping constraint.
.TP
.BI "\-A, \-\-policy-any " len
Add inhibitAnyPolicy constraint.
.PP
.SS "Certificate Policy"
Multiple certificatePolicy extensions can be added. Each with the following
information:
.TP
.BI "\-P, \-\-cert-policy " oid
OID to include in certificatePolicy extension. Required.
.TP
.BI "\-C, \-\-cps-uri " uri
Certification Practice statement URI for certificatePolicy.
.TP
.BI "\-U, \-\-user-notice " text
User notice for certificatePolicy.
.
.SH "EXAMPLES"
.
Generate a self-signed certificate using the given RSA key:
.PP
.EX
pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
\-\-san moon.strongswan.org > cert.der
.EE
.
.SH "SEE ALSO"
.
.BR pki (1)
|
