pki Tool


pki --gen     (-g)  generate a new private key
pki --self    (-s)  create a self signed certificate
pki --issue   (-i)  issue a certificate using a CA certificate and key
pki --signcrl (-c)  issue a CRL using a CA certificate and key
pki --acert   (-z)  issue an attribute certificate
pki --req     (-r)  create a PKCS#10 certificate request
pki --pkcs7   (-7)  PKCS#7 wrap/unwrap functions
pki --pkcs12  (-u)  PKCS#12 functions
pki --keyid   (-k)  calculate key identifiers of a key/certificate
pki --print   (-a)  print a credential in a human readable form
pki --dn      (-d)  extract the subject DN of an X.509 certificate
pki --pub     (-p)  extract the public key from a private key/certificate
pki --verify  (-v)  verify a certificate using the CA certificate
pki --help    (-h)  show usage information


The pki command suite allows you to run a simple public key infrastructure. Generate RSA, ECDSA or EdDSA public key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end entity and root CA certificates, issue end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates and compute two kinds of SHA1-based key IDs.


pki --gen

pki --self

pki --print

pki --pkcs7

pki --keyid

pki --issue

pki --acert

pki --pkcs12

pki --pub

pki --signcrl

pki --verify

pki --dn

pki --req

Each subcommand has additional options. Pass --help to a subcommand to get additional information.