Scroll to navigation

PKI --REQ(1) strongSwan PKI --REQ(1)

NAME

pki --req - Create a PKCS#10 certificate request

SYNOPSIS

pki --req [--in file|--keyid hex] [--type type] --dn distinguished-name [--san subjectAltName] [--profile profile] [--flag flag] [--password password] [--digest digest] [--rsa-padding padding] [--outform encoding] [--debug level]
pki --req [--in file|--keyid hex] [--type type] --oldreq file [--password password] [--digest digest] [--rsa-padding padding] [--outform encoding] [--debug level]
pki --req --options file
pki --req -h | --help

DESCRIPTION

This sub-command of pki(1) is used to create a PKCS#10 certificate request.

OPTIONS

Print usage information with a summary of the available options.
Set debug level, default: 1.
-+, --options file
Read command line options from file.
Private key input file. If not given the key is read from STDIN.
Smartcard or TPM private key object handle in hex format with an optional 0x prefix.
Type of the input key. Either priv, rsa, ecdsa or bliss, defaults to priv.
Subject distinguished name (DN). Required if the --dn option is not set.
subjectAltName extension to include in request. Can be used multiple times.
Certificate profile name to be included in the certificate request. Can be any UTF8 string. Supported e.g. by openxpki (with profiles pc-client, tls-server, etc.) or pki --issue (with profiles server, client, dual, or ocsp) that are translated into corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate.
Add extendedKeyUsage flag. One of serverAuth, clientAuth, ocspSigning or msSmartcardLogon. Can be used multiple times. Adds an X.509v3 EKU extension containing these flags to the certificate request.
The challengePassword to include in the certificate request.
Old certificate request to be used as a template. Required if the --dn option is not set. The public key in the old certificate request is replaced and a fresh signature is generated using the new private key. Optionally a new challengePassword may be set using the --password option.
Digest to use for signature creation. One of sha1, sha224, sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or sha3_512. The default is determined based on the type and size of the signature key.
Padding to use for RSA signatures. Either pkcs1 or pss, defaults to pkcs1.
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.

EXAMPLES

Generate a certificate request for an RSA key, with a subjectAltName extension and a TLS-server profile:


pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
--san moon@strongswan.org --profile server > req.der

Generate a certificate request for a renewed key based on an existing template


pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

Generate a certificate request for an ECDSA key and a different digest:


pki --req --in key.der --type ecdsa --digest sha256 \
--dn "C=CH, O=strongSwan, CN=carol" > req.der

SEE ALSO

pki(1)

2022-08-30 5.9.13