pki --req
Synopsis
pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --dn distinguished-name [--san subjectAltName]+ [--profile profile] [--password challengePassword] [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+ [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512] [--rsa-padding pkcs1|pss] [--outform der|pem] pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --oldreq file [--password challengePassword] [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+ [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512] [--rsa-padding pkcs1|pss] [--outform der|pem] pki --req --help
Description
This pki
subcommand generates a PKCS#10 certificate request.
Options
|
|
Prints usage information and a short summary of the available options |
|
|
Set debug level, default: |
|
|
Read command line options from file |
|
|
Private key input file. If not given the key is read from |
|
|
Smartcard or TPM private key object handle in hex format with an optional
|
|
|
Type of the input key. Either |
|
|
Subject distinguished name (DN). Required if the |
|
|
subjectAltName extension to include in request. Can be used multiple times |
|
|
Certificate profile name to be included in the certificate request. Can be any
UTF8 string. Supported e.g. by |
|
|
Add Extended Key Usage (EKU) flag. One of |
|
|
The |
|
|
Old certificate request to be used as a template. Required if the |
|
|
Digest to use for signature creation. One of |
|
|
Padding to use for RSA signatures. Either |
|
|
Encoding of the created certificate file. Either |
Examples
-
Generate a certificate request for an RSA public key with a TLS-server profile
pki --req --in myKey.der --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" --profile server > myReq.der
-
Generate a certificate request for a renewed key based on an existing template
pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der
-
Generate a certificate request for an ECDSA public key
pki --req --in myKey.der --type ecdsa --dn "C=CH, O=strongSwan, CN=carol@strongswan.org" --digest sha256 > myReq.der
-
Create an options file supporting ECDSA keys with SHA256 digests
cat > req.opt --type ecdsa --digest sha256
-
Generate a certificate request for an ECDSA public key including a subjectAltName
pki --req --options req.opt --in myKey.der --dn "C=CH, O=strongSwan, CN=carol@strongswan.org" --san carol@strongswan.org > myReq.der