pki Tool
Synopsis
- pki --gen (-g): generate a new private key
- pki --self (-s): create a self-signed certificate
- pki --issue (-i): issue a certificate using a CA certificate and key
- pki --signcrl (-c): issue a CRL using a CA certificate and key
- pki --acert (-z): issue an attribute certificate
- pki --req (-r): create a PKCS#10 certificate request
- pki --pkcs7 (-7): PKCS#7 wrap/unwrap functions
- pki --pkcs12 (-u): PKCS#12 functions
- pki --keyid (-k): calculate key identifiers of a key/certificate
- pki --print (-a): print a credential in a human-readable form
- pki --dn (-d): extract the subject DN of an X.509 certificate
- pki --pub (-p): extract the public key from a private key/certificate
- pki --verify (-v): verify a certificate using the CA certificate
- pki --scep (-S): enroll an X.509 certificate with a SCEP server
- pki --scepca (-C): get CA [and RA] certificate[s] from a SCEP server
- pki --est (-E): enroll an X.509 certificate with an EST server
- pki --estca (-e): get CA certificate[s] from an EST server
- pki --help (-h): show usage information
Description
The pki command suite allows you to run a simple public key infrastructure. Generate RSA, ECDSA or EdDSA public key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end entity and root CA certificates, issue end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates and compute two kinds of SHA1-based key IDs.

Additionally, with version 5.9.8 the newer
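The workflow the Synopsis and Description sketch, as an added example that is not part of the strongSwan documentation: a two-level PKI (root CA, one end-entity certificate with a subjectAltName, an empty CRL) built only from the subcommands listed above, followed by chain verification and the two key identifiers. It assumes strongSwan's pki binary is on PATH; the directory name, DNs and host name are constructed for this demo.

```shell
#!/bin/sh
# Added example, not strongSwan's own code. Assumes the strongSwan `pki`
# binary is on PATH. Directory, DNs and host name are constructed values.
set -eu

# Build a demo PKI under the given directory and run the checks.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA: private key, then a self-signed root certificate.
    #    --ca sets basicConstraints CA:TRUE; --lifetime is in days.
    pki --gen --type ecdsa --size 256 --outform pem > "$dir/ca.key"
    pki --self --ca --in "$dir/ca.key" \
        --dn "C=CH, O=Demo, CN=Demo Root CA" \
        --lifetime 3650 --outform pem > "$dir/ca.crt"

    # 2. End entity: key, extracted public key, then a certificate issued
    #    and signed by the CA key, with a SAN and the serverAuth EKU.
    pki --gen --type ecdsa --size 256 --outform pem > "$dir/vpn.key"
    pki --pub --in "$dir/vpn.key" --outform pem > "$dir/vpn.pub"
    pki --issue --cacert "$dir/ca.crt" --cakey "$dir/ca.key" \
        --in "$dir/vpn.pub" --type pub \
        --dn "C=CH, O=Demo, CN=vpn.demo.example" \
        --san vpn.demo.example --flag serverAuth \
        --lifetime 365 --outform pem > "$dir/vpn.crt"

    # 3. An (initially empty) CRL signed by the CA, valid for 30 days, so
    #    relying parties have something to fetch from a distribution point.
    pki --signcrl --cacert "$dir/ca.crt" --cakey "$dir/ca.key" \
        --lifetime 30 --outform pem > "$dir/ca.crl"

    # 4. Checks: validate the chain back to the CA, then print the two
    #    SHA1-based key IDs (subjectKeyIdentifier and SPKI hash) and the
    #    decoded certificate.
    pki --verify --in "$dir/vpn.crt" --cacert "$dir/ca.crt"
    pki --keyid --in "$dir/vpn.crt" --type x509
    pki --print --in "$dir/vpn.crt" --type x509
}

if command -v pki >/dev/null 2>&1; then
    build_demo_pki "${PKI_DEMO_DIR:-./demo-pki}"
else
    echo "strongSwan pki not found on PATH; nothing built" >&2
fi
```

Run it as `PKI_DEMO_DIR=/tmp/demo-pki sh build-demo-pki.sh`; the CA key written to ca.key signs everything, so in a real deployment it stays on a separate, offline machine and only ca.crt is distributed.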
Subcommands
Each subcommand has additional options. Pass --help to a subcommand to get additional information.
Configuration
The following parameters can be configured in the pki section of strongswan.conf:

Key | Default | Description
---|---|---
load | | Plugins to load in
scep.http_bind | | Source IP address to bind for HTTP operations
scep.http_timeout | | Timeout for HTTP operations
scep.renewal_via_pkcs_req | | Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal via
Tutorial
- A quickstart tutorial on the use of the pki tool can be found here.