NAME¶
pki --issue - Issue a certificate using a CA certificate and key
SYNOPSIS¶
[
--in file]
[
--type type]
--cakey file|--cakeyid hex
--cacert file [
--dn
subject-dn] [
--san
subjectAltName] [
--lifetime
days] [
--not-before
datetime] [
--not-after
datetime] [
--serial hex]
[
--flag flag]
[
--digest digest]
[
--ca] [
--crl
uri [ --crlissuer issuer]]
[
--ocsp uri]
[
--pathlen len]
[
--nc-permitted name]
[
--nc-excluded name]
[
--policy-mapping mapping]
[
--policy-explicit len]
[
--policy-inhibit len]
[
--policy-any len]
[
--cert-policy
oid [--cps-uri uri] [
--user-notice text]]
[
--outform encoding]
[
--debug level]
--options file -h |
--help
DESCRIPTION¶
This sub-command of
pki(1) is used to issue a certificate using a CA
certificate and private key.
OPTIONS¶
- -h, --help
- Print usage information with a summary of the available
options.
- -v, --debug level
- Set debug level, default: 1.
- -+, --options file
- Read command line options from file.
- -i, --in file
- Public key or PKCS#10 certificate request file to issue. If
not given the key/request is read from STDIN.
- -t, --type type
- Type of the input. Either pub for a public key, or
pkcs10 for a PKCS#10 certificate request, defaults to
pub.
- -k, --cakey file
- CA private key file. Either this or --cakeyid is
required.
- -x, --cakeyid hex
- Key ID of a CA private key on a smartcard. Either this or
--cakey is required.
- -c, --cacert file
- CA certificate file. Required.
- -d, --dn subject-dn
- Subject distinguished name (DN) of the issued
certificate.
- -a, --san subjectAltName
- subjectAltName extension to include in certificate. Can be
used multiple times.
- -l, --lifetime days
- Days the certificate is valid, default: 1095. Ignored if
both an absolute start and end time are given.
- -F, --not-before datetime
- Absolute time when the validity of the certificate begins.
The datetime format is defined by the --dateform option.
- -T, --not-after datetime
- Absolute time when the validity of the certificate ends.
The datetime format is defined by the --dateform option.
- -D, --dateform form
- strptime(3) format for the --not-before and
--not-after options, default: %d.%m.%y %T
- -s, --serial hex
- Serial number in hex. It is randomly allocated by
default.
- -e, --flag flag
- Add extendedKeyUsage flag. One of serverAuth,
clientAuth, crlSign, or ocspSigning. Can be used
multiple times.
- -g, --digest digest
- Digest to use for signature creation. One of md5,
sha1, sha224, sha256, sha384, or
sha512. Defaults to sha1.
- -f, --outform encoding
- Encoding of the created certificate file. Either der
(ASN.1 DER) or pem (Base64 PEM), defaults to der.
- -b, --ca
- Include CA basicConstraint extension in certificate.
- -u, --crl uri
- CRL distribution point URI to include in certificate. Can
be used multiple times.
- -I, --crlissuer issuer
- Optional CRL issuer for the CRL at the preceding
distribution point.
- -o, --ocsp uri
- OCSP AuthorityInfoAccess URI to include in certificate. Can
be used multiple times.
- -p, --pathlen len
- Set path length constraint.
- -n, --nc-permitted name
- Add permitted NameConstraint extension to certificate.
- -N, --nc-excluded name
- Add excluded NameConstraint extension to certificate.
- -M, --policy-mapping
issuer-oid:subject-oid
- Add policyMapping from issuer to subject OID.
- -E, --policy-explicit len
- Add requireExplicitPolicy constraint.
- -H, --policy-inhibit len
- Add inhibitPolicyMapping constraint.
- -A, --policy-any len
- Add inhibitAnyPolicy constraint.
Certificate Policy¶
Multiple certificatePolicy extensions can be added. Each with the following
information:
- -P, --cert-policy oid
- OID to include in certificatePolicy extension.
Required.
- -C, --cps-uri uri
- Certification Practice statement URI for
certificatePolicy.
- -U, --user-notice text
- User notice for certificatePolicy.
EXAMPLES¶
To save repetitive typing, command line options can be stored in files. Lets
assume
pki.opt contains the following contents:
--cacert ca_cert.der --cakey ca_key.der --digest sha256
--flag serverAuth --lifetime 1460 --type pkcs10
Then the following command can be used to issue a certificate based on a given
PKCS#10 certificate request and the options above:
pki --issue --options pki.opt --in req.der > cert.der
SEE ALSO¶
pki(1)
