Diffstat (limited to 'src/pki/man/pki---issue.1.in')
-rw-r--r-- | src/pki/man/pki---issue.1.in | 179 |
1 files changed, 179 insertions, 0 deletions
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
new file mode 100644
index 000000000..9effd9b15
--- /dev/null
+++ b/src/pki/man/pki---issue.1.in
@@ -0,0 +1,179 @@
+.TH "PKI \-\-ISSUE" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-issue \- Issue a certificate using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-issue
+.OP \-\-in file
+.OP \-\-type type
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-dn subject-dn
+.OP \-\-san subjectAltName
+.OP \-\-lifetime days
+.OP \-\-serial hex
+.OP \-\-flag flag
+.OP \-\-digest digest
+.OP \-\-ca
+.OP \-\-crl uri\ \fR[\fB\-\-crlissuer\ \fIissuer\fR]
+.OP \-\-ocsp uri
+.OP \-\-pathlen len
+.OP \-\-nc-permitted name
+.OP \-\-nc-excluded name
+.OP \-\-policy\-mapping mapping
+.OP \-\-policy\-explicit len
+.OP \-\-policy\-inhibit len
+.OP \-\-policy\-any len
+.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-issue
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-issue"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue a certificate using a CA certificate and private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Public key or PKCS#10 certificate request file to issue. If not given the
+key/request is read from \fISTDIN\fR.
+.TP
+.BI "\-t, \-\-type " type
+Type of the input. Either \fIpub\fR for a public key, or \fIpkcs10\fR for a
+PKCS#10 certificate request, defaults to \fIpub\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-d, \-\-dn " subject-dn
+Subject distinguished name (DN) of the issued certificate.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in certificate. Can be used multiple times.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days the certificate is valid, default: 1095.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-e, \-\-flag " flag
+Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
+\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.TP
+.BI "\-b, \-\-ca"
+Include CA basicConstraint extension in certificate.
+.TP
+.BI "\-u, \-\-crl " uri
+CRL distribution point URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-I, \-\-crlissuer " issuer
+Optional CRL issuer for the CRL at the preceding distribution point.
+.TP
+.BI "\-o, \-\-ocsp " uri
+OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
+times.
+.TP
+.BI "\-p, \-\-pathlen " len
+Set path length constraint.
+.TP
+.BI "\-n, \-\-nc-permitted " name
+Add permitted NameConstraint extension to certificate.
+.TP
+.BI "\-N, \-\-nc-excluded " name
+Add excluded NameConstraint extension to certificate.
+.TP
+.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
+Add policyMapping from issuer to subject OID.
+.TP
+.BI "\-E, \-\-policy-explicit " len
+Add requireExplicitPolicy constraint.
+.TP
+.BI "\-H, \-\-policy-inhibit " len
+Add inhibitPolicyMapping constraint.
+.TP
+.BI "\-A, \-\-policy-any " len
+Add inhibitAnyPolicy constraint.
+.PP
+.SS "Certificate Policy"
+Multiple certificatePolicy extensions can be added. Each with the following
+information:
+.TP
+.BI "\-P, \-\-cert-policy " oid
+OID to include in certificatePolicy extension. Required.
+.TP
+.BI "\-C, \-\-cps-uri " uri
+Certification Practice statement URI for certificatePolicy.
+.TP
+.BI "\-U, \-\-user-notice " text
+User notice for certificatePolicy.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I pki.opt
+contains the following contents:
+.PP
+.EX
+ --cacert ca_cert.der --cakey ca_key.der --digest sha256
+ --flag serverAuth --lifetime 1460 --type pkcs10
+.EE
+.PP
+Then the following command can be used to issue a certificate based on a
+given PKCS#10 certificate request and the options above:
+.PP
+.EX
+ pki --issue --options pki.opt --in req.der > cert.der
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
\ No newline at end of file |