pki Tool


pki --gen     (-g)  generate a new private key
pki --self    (-s)  create a self signed certificate
pki --issue   (-i)  issue a certificate using a CA certificate and key
pki --signcrl (-c)  issue a CRL using a CA certificate and key
pki --acert   (-z)  issue an attribute certificate
pki --req     (-r)  create a PKCS#10 certificate request
pki --pkcs7   (-7)  PKCS#7 wrap/unwrap functions
pki --pkcs12  (-u)  PKCS#12 functions
pki --keyid   (-k)  calculate key identifiers of a key/certificate
pki --print   (-a)  print a credential in a human readable form
pki --dn      (-d)  extract the subject DN of an X.509 certificate
pki --pub     (-p)  extract the public key from a private key/certificate
pki --verify  (-v)  verify a certificate using the CA certificate
pki --scep    (-S)  Enroll an X.509 certificate with a SCEP server
pki --scepca  (-C)  Get CA [and RA] certificate[s] from a SCEP server
pki --est     (-E)  Enroll an X.509 certificate with an EST server
pki --estca   (-e)  Get CA certificate[s] from an EST server
pki --ocsp    (-o)  OCSP request parser and OCSP responder
pki --help    (-h)  show usage information


The pki command suite allows you to run a simple public key infrastructure. Generate RSA, ECDSA or EdDSA public key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end entity and root CA certificates, issue end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates and compute two kinds of SHA1-based key IDs.

Starting with version 5.9.8, the pki command supports certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP) as defined by RFC 8894, replacing the obsoleted ipsec scepclient tool.

Additionally, with version 5.9.8 the newer https based Enrollment over Secure Transport (EST) protocol (RFC 7030) is being offered, too.

Version 5.9.12 introduces an Online Certificate Status Protocol (OCSP) responder as defined by RFC 6960, interoperating with an OpenXPKI server by directly accessing its internal certificate datebase.



The following parameters can be configured in the pki section of strongswan.conf:

Key Default Description


Plugins to load in pki tool


Source IP address to bind for HTTP operations



Timeout for HTTP operations



Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal via msgType PKCSReq (19) instead of RenewalReq (17)