pki --issue - Issue a certificate using a CA certificate and
key
pki --issue |
[--in file]
[--type type]
--cakey file|--cakeyid hex
--cacert file [--dn
subject-dn] [--san
subjectAltName] [--lifetime
days] [--not-before
datetime] [--not-after
datetime] [--serial
hex] [--flag flag]
[--digest digest]
[--rsa-padding padding]
[--ca] [--crl
uri [--crlissuer issuer]]
[--ocsp uri]
[--pathlen len]
[--nc-permitted name]
[--addrblock block]
[--nc-excluded name]
[--policy-mapping mapping]
[--policy-explicit len]
[--policy-inhibit len]
[--policy-any len]
[--cert-policy
oid [--cps-uri uri] [--user-notice text]]
[--outform encoding]
[--debug level] |
pki --issue |
--options file |
This sub-command of pki(1) is used to issue a certificate
using a CA certificate and private key.
- -h, --help
- Print usage information with a summary of the available options.
- -v, --debug
level
- Set debug level, default: 1.
- -+, --options file
- Read command line options from file.
- -i, --in
file
- Public key or PKCS#10 certificate request file to issue. If not given the
key/request is read from STDIN.
- -t, --type
type
- Type of the input. One of pub (public key), priv (private
key), rsa (RSA private key), ecdsa (ECDSA private key),
ed25519 (Ed25519 private key) bliss (BLISS private key) or
pkcs10 (PKCS#10 certificate request), defaults to pub.
- -k, --cakey
file
- CA private key file. Either this or --cakeyid is required.
- -x, --cakeyid
hex
- Smartcard or TPM CA private key object handle in hex format with an
optional 0x prefix. Either this or --cakey is required.
- -c, --cacert
file
- CA certificate file. Required.
- -d, --dn
subject-dn
- Subject distinguished name (DN) of the issued certificate.
- -a, --san
subjectAltName
- subjectAltName extension to include in certificate. Can be used multiple
times.
- -l, --lifetime
days
- Days the certificate is valid, default: 1095. Ignored if both an absolute
start and end time are given.
- -F, --not-before
datetime
- Absolute time when the validity of the certificate begins. The datetime
format is defined by the --dateform option.
- -T, --not-after
datetime
- Absolute time when the validity of the certificate ends. The datetime
format is defined by the --dateform option.
- -D, --dateform
form
- strptime(3) format for the --not-before and --not-after
options, default: %d.%m.%y %T
- -s, --serial
hex
- Serial number in hex. It is randomly allocated by default.
- -e, --flag
flag
- Add extendedKeyUsage flag. One of serverAuth, clientAuth,
crlSign, or ocspSigning. Can be used multiple times.
- -g, --digest
digest
- Digest to use for signature creation. One of md5, sha1,
sha224, sha256, sha384, or sha512. The default
is determined based on the type and size of the signature key.
- -R, --rsa-padding
padding
- Padding to use for RSA signatures. Either pkcs1 or pss,
defaults to pkcs1.
- -f, --outform
encoding
- Encoding of the created certificate file. Either der (ASN.1 DER) or
pem (Base64 PEM), defaults to der.
- -b, --ca
- Include CA basicConstraint extension in certificate.
- -u, --crl
uri
- CRL distribution point URI to include in certificate. Can be used multiple
times.
- -I, --crlissuer
issuer
- Optional CRL issuer for the CRL at the preceding distribution point.
- -o, --ocsp
uri
- OCSP AuthorityInfoAccess URI to include in certificate. Can be used
multiple times.
- -p, --pathlen
len
- Set path length constraint.
- -B, --addrblock
block
- RFC 3779 address block to include in certificate. block is either a
CIDR subnet (such as 10.0.0.0/8) or an arbitrary address range
(192.168.1.7-192.168.1.13). Can be repeated to include multiple
blocks. Please note that the supplied blocks are included in the
certificate as is, so for standards compliance, multiple blocks must be
supplied in correct order and adjacent blocks must be combined. Refer to
RFC 3779 for details.
- -n, --nc-permitted
name
- Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name.
Use the dns: or email: prefix to force a constraint
type.
- -N, --nc-excluded
name
- Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name.
Use the dns: or email: prefix to force a constraint
type.
- -M, --policy-mapping
issuer-oid:subject-oid
- Add policyMapping from issuer to subject OID.
- -E, --policy-explicit
len
- Add requireExplicitPolicy constraint.
- -H, --policy-inhibit
len
- Add inhibitPolicyMapping constraint.
- -A, --policy-any
len
- Add inhibitAnyPolicy constraint.
Multiple certificatePolicy extensions can be added. Each with the
following information:
- -P, --cert-policy
oid
- OID to include in certificatePolicy extension. Required.
- -C, --cps-uri
uri
- Certification Practice statement URI for certificatePolicy.
- -U, --user-notice
text
- User notice for certificatePolicy.
To save repetitive typing, command line options can be stored in
files. Lets assume pki.opt contains the following contents:
--cacert ca_cert.der --cakey ca_key.der --digest sha256
--flag serverAuth --lifetime 1460 --type pkcs10
Then the following command can be used to issue a certificate
based on a given PKCS#10 certificate request and the options above:
pki --issue --options pki.opt --in req.der > cert.der