pki Tool

Synopsis

pki --gen     (-g)  generate a new private key
pki --self    (-s)  create a self signed certificate
pki --issue   (-i)  issue a certificate using a CA certificate and key
pki --signcrl (-c)  issue a CRL using a CA certificate and key
pki --acert   (-z)  issue an attribute certificate
pki --req     (-r)  create a PKCS#10 certificate request
pki --pkcs7   (-7)  PKCS#7 wrap/unwrap functions
pki --pkcs12  (-u)  PKCS#12 functions
pki --keyid   (-k)  calculate key identifiers of a key/certificate
pki --print   (-a)  print a credential in a human readable form
pki --dn      (-d)  extract the subject DN of an X.509 certificate
pki --pub     (-p)  extract the public key from a private key/certificate
pki --verify  (-v)  verify a certificate using the CA certificate
pki --scep    (-S)  enroll an X.509 certificate with a SCEP server
pki --scepca  (-C)  get CA [and RA] certificate[s] from a SCEP server
pki --est     (-E)  enroll an X.509 certificate with an EST server
pki --estca   (-e)  get CA certificate[s] from an EST server
pki --ocsp    (-o)  OCSP request parser and OCSP responder
pki --help    (-h)  show usage information

Description

The pki command suite lets you run a simple public key infrastructure: generate RSA, ECDSA or EdDSA key pairs; create PKCS#10 certificate requests containing subjectAltNames; create self-signed X.509 end-entity and root CA certificates; and issue end-entity and intermediate CA certificates that are signed by the private key of a CA and carry subjectAltNames, CRL distribution points and the URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates, verify a certificate against its CA certificate, and compute two kinds of SHA-1-based key identifiers (the subjectKeyIdentifier, a hash of the subjectPublicKey bit string, and a hash of the complete subjectPublicKeyInfo).
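The following script is an added example, not part of the strongSwan documentation, and walks the workflow just described through a two-level PKI: key generation, a self-signed root CA, a PKCS#10 request with a subjectAltName, issuance with CRL distribution point and OCSP URI, key-identifier computation, chain verification, and finally revocation via a CRL. It assumes the `pki` binary is on PATH; the DNs, the host name moon.example.org and the http://crl.example.org and http://ocsp.example.org URIs are placeholders.

```shell
#!/bin/sh
# Added example (not from the strongSwan pki documentation): exercise the
# pki subcommands on a throwaway two-level PKI. All names and URIs below
# are placeholders; `pki` must be on PATH.
set -eu

# Build a root CA, one end-entity certificate and a CRL inside $1.
# Returns 0 when the issued certificate verifies against the CA and is
# rejected again once the CRL that revokes it is consulted.
run_pki_demo() {
  dir=$1
  cd "$dir"

  # 1. Key pairs: ECDSA on P-256 (pki --gen also supports rsa, ed25519, ed448).
  pki --gen --type ecdsa --size 256 --outform pem > caKey.pem
  pki --gen --type ecdsa --size 256 --outform pem > moonKey.pem

  # 2. Self-signed root CA, valid 10 years, pathlen 0: it may issue
  #    end-entity certificates but no further CAs.
  pki --self --ca --pathlen 0 --type ecdsa --in caKey.pem \
      --dn "C=CH, O=Example, CN=Example Root CA" \
      --lifetime 3652 --outform pem > caCert.pem

  # 3. PKCS#10 request from the end entity, carrying its subjectAltName.
  pki --req --type ecdsa --in moonKey.pem \
      --dn "C=CH, O=Example, CN=moon.example.org" \
      --san moon.example.org --outform pem > moonReq.pem

  # 4. Issue from the request: subject DN and SAN are taken from the
  #    PKCS#10; the CA adds a CRL distribution point and an OCSP URI.
  pki --issue --type pkcs10 --in moonReq.pem \
      --cacert caCert.pem --cakey caKey.pem \
      --flag serverAuth --lifetime 730 \
      --crl http://crl.example.org/example.crl \
      --ocsp http://ocsp.example.org \
      --outform pem > moonCert.pem

  # 5. The two SHA-1 key identifiers of the new certificate
  #    (subjectKeyIdentifier and the subjectPublicKeyInfo hash).
  pki --keyid --type x509 --in moonCert.pem

  # 6. Chain verification: must succeed.
  pki --verify --in moonCert.pem --cacert caCert.pem

  # 7. Revoke the certificate in a CRL and verify again: must now fail.
  pki --signcrl --cacert caCert.pem --cakey caKey.pem --lifetime 30 \
      --reason key-compromise --cert moonCert.pem --outform pem > example.crl
  if pki --verify --in moonCert.pem --cacert caCert.pem --crl example.crl; then
    echo "error: revoked certificate still verifies" >&2
    return 1
  fi
  return 0
}

# Usage: run_pki_demo /path/to/empty/dir (defaults to a fresh temp dir).
if command -v pki >/dev/null 2>&1; then
  run_pki_demo "${1:-$(mktemp -d)}"
else
  echo "pki not found on PATH; nothing to do" >&2
fi
```

The request-based issuance in step 4 is the usual split of duties: the end entity never hands its private key to the CA, and the CA, not the requester, decides on lifetime, key-usage flags and the revocation-checking URIs embedded in the certificate.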

Starting with version 5.9.8, the pki command supports certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP) as defined by RFC 8894, replacing the obsoleted ipsec scepclient tool.

Additionally, since version 5.9.8, the newer HTTPS/TLS-based Enrollment over Secure Transport (EST) protocol (RFC 7030) is offered as well.

Version 5.9.12 introduced an Online Certificate Status Protocol (OCSP) responder as defined in RFC 6960 that interoperates with an OpenXPKI server by directly accessing its internal certificate database.

Subcommands

Configuration

The following parameters can be configured in the pki section of strongswan.conf:

Key                        Default  Description
load                                Plugins to load in the pki tool
scep.http_bind                      Source IP address to bind for HTTP operations
scep.http_timeout          30s      Timeout for HTTP operations
scep.renewal_via_pkcs_req  no       Set to yes for SCEP servers (e.g. OpenXPKI) that incorrectly
                                    perform certificate renewal via msgType PKCSReq (19)
                                    instead of RenewalReq (17)
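As an added illustration that is not part of the strongSwan documentation, the dotted keys above written out in the nested-section syntax of strongswan.conf; the bind address and timeout are placeholder values, and renewal_via_pkcs_req is only switched on because the example targets a server with the OpenXPKI behaviour described in the table:

```conf
# strongswan.conf excerpt (added example, placeholder values)
pki {
    # a dotted key such as scep.http_timeout becomes http_timeout
    # inside the scep { } section
    scep {
        # assumed source address for outgoing HTTP requests
        http_bind = 192.0.2.10
        # default is 30s
        http_timeout = 60s
        # default no; only enable for servers that expect msgType
        # PKCSReq (19) on renewal instead of RenewalReq (17), e.g. OpenXPKI
        renewal_via_pkcs_req = yes
    }
}
```

Leave renewal_via_pkcs_req at its default of no for servers that follow RFC 8894; enabling it makes pki present a renewal as an initial enrollment, which a conforming server may handle differently (for example by requiring the challenge password again).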

Tutorial