diff options
Diffstat (limited to 'src/pki/man/pki---signcrl.1.in')
| -rw-r--r-- | src/pki/man/pki---signcrl.1.in | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in new file mode 100644 index 000000000..6ba96f6bc --- /dev/null +++ b/src/pki/man/pki---signcrl.1.in @@ -0,0 +1,124 @@ +.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-signcrl +.BI \-\-cakey\~ file |\-\-cakeyid\~ hex +.BI \-\-cacert\~ file +.OP \-\-lifetime days +.OP \-\-lastcrl crl +.OP \-\-basecrl crl +.OP \-\-crluri uri +.OP \-\-digest digest +.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR +.OP \-\-outform encoding +.OP \-\-debug level +.YS +. +.SY pki\ \-\-signcrl +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-signcrl" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +is used to issue a Certificate Revocation List (CRL) using a CA certificate and +private key. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-k, \-\-cakey " file +CA private key file. Either this or +.B \-\-cakeyid +is required. +.TP +.BI "\-x, \-\-cakeyid " hex +Key ID of a CA private key on a smartcard. Either this or +.B \-\-cakey +is required. +.TP +.BI "\-c, \-\-cacert " file +CA certificate file. Required. +.TP +.BI "\-l, \-\-lifetime " days +Days until the CRL gets a nextUpdate, default: 15. +.TP +.BI "\-a, \-\-lastcrl " crl +CRL of lastUpdate to copy revocations from. +.TP +.BI "\-b, \-\-basecrl " crl +Base CRL to create a delta CRL for. +.TP +.BI "\-u, \-\-crluri " uri +Freshest delta CRL URI to include in CRL. Can be used multiple times. +.TP +.BI "\-g, \-\-digest " digest +Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, +\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to +\fIsha1\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +.PP +.SS "Revoked Certificates" +Multiple revoked certificates can be added to the CRL by either providing the +certificate file or the respective serial number directly. +A reason and a timestamp can be configured for each revocation (they have to be +given before each certificate/serial on the command line). +.TP +.BI "\-r, \-\-reason " reason +The reason why the certificate was revoked. One of \fIkey\-compromise\fR, +\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR, +\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR. +.TP +.BI "\-d, \-\-date " ts +Revocation date as Unix timestamp. Defaults to the current time. +.TP +.BI "\-z, \-\-cert " file +Certificate file to revoke. +.TP +.BI "\-s, \-\-serial " hex +Hexadecimal encoded serial number of the certificate to revoke. +. +.SH "EXAMPLES" +. +Revoke a certificate: +.PP +.EX + pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\ + \-\-reason superseded \-\-cert cert.der > crl.der +.EE +.PP +Update an existing CRL with two new revocations, using the certificate's serial +number, but no reason: +.PP +.EX + pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\ + \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der +.EE +.PP +.SH "SEE ALSO" +. +.BR pki (1)
\ No newline at end of file |