pki --req

Synopsis

pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --dn distinguished-name
          [--san subjectAltName]+ [--password challengePassword]
          [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
          [--rsa-padding pkcs1|pss] [--outform der|pem]

pki --req --help

Description

This pki subcommand generates a PKCS#10 certificate request.

Options

--in          (-i)  private key input file, default: stdin
--keyid       (-x)  smartcard or TPM private key object handle
--type        (-t)  type of input key, default: priv
--dn          (-d)  subject distinguished name
--san         (-a)  subjectAltName to include in cert request
--password    (-p)  challengePassword to include in cert request
--digest      (-g)  digest for signature creation, default: key-specific
--rsa-padding (-R)  padding for RSA signatures, default: pkcs1
--outform     (-f)  encoding of generated request, default: der
--debug       (-v)  set debug level, default: 1
--options     (-+)  read command line options from file----
--help        (-h)  show usage information

Examples

  • Generate a certificate request for an RSA public key

pki --req --in myKey.der --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" > myReq.de
  • Generate a certificate request for an ECDSA public key

pki --req --in myKey.der --type ecdsa --dn "C=CH, O=strongSwan, CN=carol@strongswan.org" --digest sha256 > myReq.der
  • Create an options file supporting ECDSA keys with SHA256 digests

cat > req.opt
--type ecdsa
--digest sha256
  • Generate a certificate request for an ECDSA public key including a subjectAltName

pki --req --options req.opt --in myKey.der --dn "C=CH, O=strongSwan, CN=carol@strongswan.org" --san carol@strongswan.org > myReq.der