1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-signcrl
.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
.BI \-\-cacert\~ file
.OP \-\-lifetime days
.OP \-\-lastcrl crl
.OP \-\-basecrl crl
.OP \-\-crluri uri
.OP \-\-digest digest
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-signcrl
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-signcrl"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to issue a Certificate Revocation List (CRL) using a CA certificate and
private key.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
.B \-\-cakeyid
is required.
.TP
.BI "\-x, \-\-cakeyid " hex
Key ID of a CA private key on a smartcard. Either this or
.B \-\-cakey
is required.
.TP
.BI "\-c, \-\-cacert " file
CA certificate file. Required.
.TP
.BI "\-l, \-\-lifetime " days
Days until the CRL gets a nextUpdate, default: 15.
.TP
.BI "\-a, \-\-lastcrl " crl
CRL of lastUpdate to copy revocations from.
.TP
.BI "\-b, \-\-basecrl " crl
Base CRL to create a delta CRL for.
.TP
.BI "\-u, \-\-crluri " uri
Freshest delta CRL URI to include in CRL. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
\fIsha1\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.PP
.SS "Revoked Certificates"
Multiple revoked certificates can be added to the CRL by either providing the
certificate file or the respective serial number directly.
A reason and a timestamp can be configured for each revocation (they have to be
given before each certificate/serial on the command line).
.TP
.BI "\-r, \-\-reason " reason
The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
.TP
.BI "\-d, \-\-date " ts
Revocation date as Unix timestamp. Defaults to the current time.
.TP
.BI "\-z, \-\-cert " file
Certificate file to revoke.
.TP
.BI "\-s, \-\-serial " hex
Hexadecimal encoded serial number of the certificate to revoke.
.
.SH "EXAMPLES"
.
Revoke a certificate:
.PP
.EX
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
\-\-reason superseded \-\-cert cert.der > crl.der
.EE
.PP
Update an existing CRL with two new revocations, using the certificate's serial
number, but no reason:
.PP
.EX
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
\-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
.EE
.PP
.SH "SEE ALSO"
.
.BR pki (1)
|
