2 files changed, 143 insertions, 0 deletions

diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index 7c0044e1..1b751a90 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -18,3 +18,138 @@ simply referenced by their name.
 Don't be afraid that you need to re-do your configuration. Key transformation is
 handled, as always, by our migration scripts, so this will be a smooth transition
 for you!
+
+Key Generation
+==============
+
+Certificate Authority (CA)
+--------------------------
+
+VyOS now also has the ability to create CAs, keys, Diffie-Hellman and other
+keypairs from an easy to access operational level command.
+
+.. opcmd:: generate pki ca
+
+  Create a new :abbr:`CA (Certificate Authority)` and output the CAs public and
+  private key on the console.
+
+.. opcmd:: generate pki ca install <name>
+
+  Create a new :abbr:`CA (Certificate Authority)` and output the CAs public and
+  private key on the console.
+
+  .. include:: pki_cli_import_help.txt
+
+.. opcmd:: generate pki ca sign <ca-name>
+
+  Create a new subordinate :abbr:`CA (Certificate Authority)` and sign it using
+  the private key referenced by `ca-name`.
+
+.. opcmd:: generate pki ca sign <name> install
+
+  Create a new subordinate :abbr:`CA (Certificate Authority)` and sign it using
+  the private key referenced by `name`.
+
+  .. include:: pki_cli_import_help.txt
+
+Certificates
+------------
+
+.. opcmd:: generate pki certificate
+
+  Create a new public/private keypair and output the certificate on the console.
+
+.. opcmd:: generate pki certificate install <name>
+
+  Create a new public/private keypair and output the certificate on the console.
+
+  .. include:: pki_cli_import_help.txt
+
+.. opcmd:: generate pki certificate self-signed
+
+  Create a new self-signed certificate. The public/private is then shown on the
+  console.
+
+.. opcmd:: generate pki certificate self-signed install <name>
+
+  Create a new self-signed certificate. The public/private is then shown on the
+  console.
+
+  .. include:: pki_cli_import_help.txt
+
+.. opcmd:: generate pki certificate sign <ca-name>
+
+  Create a new public/private keypair which is signed by the CA referenced by
+  `ca-name`. The signed certificate is then output to the console.
+
+.. opcmd:: generate pki certificate sign <ca-name> install <name>
+
+  Create a new public/private keypair which is signed by the CA referenced by
+  `ca-name`. The signed certificate is then output to the console.
+
+  .. include:: pki_cli_import_help.txt
+
+Diffie-Hellman parameters
+-------------------------
+
+.. opcmd:: generate pki dh
+
+  Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size
+  is requested by the CLI and defaults to 2048 bit.
+
+  The generated parameters are then output to the console.
+
+.. opcmd:: generate pki dh install <name>
+
+  Generate a new set of :abbr:`DH (Diffie-Hellman)` parameters. The key size
+  is requested by the CLI and defaults to 2048 bit.
+
+  .. include:: pki_cli_import_help.txt
+
+OpenVPN
+-------
+
+.. opcmd:: generate pki openvpn shared-secret
+
+  Genearate a new OpenVPN shared secret.
+
+
+Configuration
+=============
+
+Operation
+=========
+
+VyOS operational mode commands are not only available for generating keys but
+also to display them.
+
+.. opcmd:: show pki ca
+
+  Show a list of installed :abbr:`CA (Certificate Authority)` certificates.
+
+  .. code-block:: none
+
+    vyos@vyos:~$ show pki ca
+    Certificate Authorities:
+    Name                      Subject                                                                                                  Issuer CN                                Issued               Expiry               Private Key    Parent
+    ------------------------  -------------------------------------------------------------------------------------------------------  ---------------------------------------  -------------------  -------------------  -------------  ------------------------
+    CAcert_Class_3_Root       CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.                                            1.2.840.113549.1.9.1=support@cacert.org  2021-04-19 12:18:30  2031-04-17 12:18:30  No             CAcert_Signing_Authority
+    CAcert_Signing_Authority  1.2.840.113549.1.9.1=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA  1.2.840.113549.1.9.1=support@cacert.org  2003-03-30 12:29:49  2033-03-29 12:29:49  No             N/A
+    peer_172_18_254_202       CN=Easy-RSA CA                                                                                           CN=Easy-RSA CA                           2021-06-14 19:45:27  2031-06-12 19:45:27  No             N/A
+
+.. opcmd:: show pki certificates
+
+  Show a list of installed certificates
+
+  .. code-block:: none
+
+    cpo@LR1.wue3:~$ show pki certificate
+    Certificates:
+    Name                 Type    Subject CN    Issuer CN       Issued               Expiry               Revoked    Private Key    CA Present
+    -------------------  ------  ------------  --------------  -------------------  -------------------  ---------  -------------  -------------------------
+    peer_172_18_254_202  Server  CN=peer1      CN=Easy-RSA CA  2021-06-14 20:04:47  2024-05-29 20:04:47  No         Yes            Yes (peer_172_18_254_202)
+
+
+.. opcmd:: show pki crl
+
+  Show a list of installed :abbr:`CRLs (Certificate Revocation List)`.
diff --git a/docs/configuration/pki/pki_cli_import_help.txt b/docs/configuration/pki/pki_cli_import_help.txt
new file mode 100644
index 00000000..89351903
--- /dev/null
+++ b/docs/configuration/pki/pki_cli_import_help.txt
@@ -0,0 +1,8 @@
+In addition to the command above, the output is in a format which can be used
+to directly import the key into the VyOS CLI by simply copy-pasting the output
+from op-mode into configuration mode.
+
+Name is used for the VyOS CLI command to identify this CA on the running
+configuration.
+
+