.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-signcrl
.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
.BI \-\-cacert\~ file
.OP \-\-lifetime days
.OP \-\-this-update datetime
.OP \-\-next-update datetime
.OP \-\-lastcrl crl
.OP \-\-basecrl crl
.OP \-\-crluri uri
.OP \-\-digest digest
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-signcrl
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-signcrl"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to issue a Certificate Revocation List (CRL) using a CA certificate and
private key.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
.B \-\-cakeyid
is required.
.TP
.BI "\-x, \-\-cakeyid " hex
Key ID of a CA private key on a smartcard. Either this or
.B \-\-cakey
is required.
.TP
.BI "\-c, \-\-cacert " file
CA certificate file. Required.
.TP
.BI "\-l, \-\-lifetime " days
Number of days from thisUpdate until the nextUpdate time of the CRL,
default: 15. Ignored if both an absolute start and end time are given.
.TP
.BI "\-F, \-\-this-update " datetime
Absolute time when the validity of the CRL begins. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-next-update " datetime
Absolute time when the validity of the CRL ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-this\-update
and
.B \-\-next\-update
options, default:
.B %d.%m.%y %T
.TP
.BI "\-a, \-\-lastcrl " crl
Previously issued CRL whose revocations are copied into the new CRL.
.TP
.BI "\-b, \-\-basecrl " crl
Base CRL to create a delta CRL for.
.TP
.BI "\-u, \-\-crluri " uri
Freshest delta CRL URI to include in CRL. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created CRL file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.PP
.SS "Revoked Certificates"
Multiple revoked certificates can be added to the CRL by either providing the
certificate file or the respective serial number directly.
A reason and a timestamp can be configured for each revocation (they have to be
given on the command line before the certificate/serial they apply to).
.TP
.BI "\-r, \-\-reason " reason
The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
.TP
.BI "\-d, \-\-date " ts
Revocation date as Unix timestamp. Defaults to the current time.
.TP
.BI "\-z, \-\-cert " file
Certificate file to revoke.
.TP
.BI "\-s, \-\-serial " hex
Hexadecimal encoded serial number of the certificate to revoke.
.
.SH "EXAMPLES"
.
Revoke a certificate:
.PP
.EX
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
\-\-reason superseded \-\-cert cert.der > crl.der
.EE
.PP
Update an existing CRL with two new revocations, using the certificate's serial
number, but no reason:
.PP
.EX
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
\-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
.EE
.PP
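.PP
The following shell script is an added example written for this page, not part
of strongSwan or its man page. It assembles a complete pki \-\-signcrl command
line from a constructed revocation list, placing each \-\-reason/\-\-date in
front of the \-\-serial it belongs to, and sets an absolute validity window
with \-\-dateform. The file names, serial numbers, timestamps and the list
format are assumptions.
.PP
```shell
#!/bin/sh
# Added example (not strongSwan's own code): build a pki --signcrl command
# from a constructed revocation list.  Each entry is "<serial> <reason> <ts>";
# a "-" in the reason or date column means "not given" for that entry.
REVOCATIONS='0123 key-compromise 1376265600
0345 - -
0567 superseded 1376352000'

# Emit the option words for one revocation.  --reason and --date must come
# before the --serial they apply to, because pki consumes them per entry.
revocation_args() {
    serial=$1; reason=$2; ts=$3
    if [ "$reason" != "-" ]; then printf '%s %s ' --reason "$reason"; fi
    if [ "$ts" != "-" ]; then printf '%s %s ' --date "$ts"; fi
    printf '%s %s' --serial "$serial"
}

# Compose the full command: carry over the entries of the previous CRL
# (last_crl.der, assumed name), sign with SHA-256, write PEM, and fix the
# validity window to 15 days starting 12.08.13 using the default dateform.
signcrl_cmd() {
    cmd="pki --signcrl --cacert ca_cert.der --cakey ca_key.der"
    cmd="$cmd --lastcrl last_crl.der --digest sha256 --outform pem"
    cmd="$cmd --dateform '%d.%m.%y %T' --this-update '12.08.13 00:00:00'"
    cmd="$cmd --next-update '27.08.13 00:00:00'"
    while read -r serial reason ts; do
        if [ -z "$serial" ]; then continue; fi
        cmd="$cmd $(revocation_args "$serial" "$reason" "$ts")"
    done <<EOF
$REVOCATIONS
EOF
    printf '%s\n' "$cmd"
}

# Print the resulting command; append "> new_crl.pem" and feed it to sh
# on a host where the strongSwan pki tool and the key/CRL files exist.
signcrl_cmd
```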
.SH "SEE ALSO"
.
.BR pki (1)