pki --req

SYNOPSIS

pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --dn distinguished-name
          [--san subjectAltName]+ [--profile profile] [--password challengePassword]
          [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+
          [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
          [--rsa-padding pkcs1|pss] [--outform der|pem]

pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --oldreq file
          [--password challengePassword]
          [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+
          [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
          [--rsa-padding pss|pkcs1] [--outform der|pem]

pki --req --help

DESCRIPTION

This pki subcommand generates a PKCS#10 certificate request.

OPTIONS

-h, --help
        Prints usage information and a short summary of the available options.

-v, --debug level
        Set debug level, default: 1.

-+, --options file
        Read command line options from file.

-i, --in file
        Private key input file. If not given the key is read from STDIN.

-x, --keyid hex
        Smartcard or TPM private key object handle in hex format with an optional 0x prefix.

-t, --type type
        Type of the input key. Either priv, rsa, ecdsa or bliss. Defaults to priv.

-d, --dn distinguished-name
        Subject distinguished name (DN). Required if the --oldreq option is not set.

-a, --san subjectAltName
        subjectAltName extension to include in the request. Can be used multiple times.

-P, --profile profile
        Certificate profile name to be included in the certificate request. Can be any UTF8 string. Supported e.g. by openxpki (with profiles pc-client, tls-server, etc.) or pki --issue (with profiles server, client, dual, or ocsp), which translate the profile name into the corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate.

-e, --flag flag
        Add an Extended Key Usage (EKU) flag. One of serverAuth, clientAuth, ocspSigning or msSmartcardLogon. Can be used multiple times. Adds an X.509v3 extendedKeyUsage extension containing these flags to the certificate request.

-p, --password password
        The challengePassword to include in the certificate request.

-o, --oldreq file
        Old certificate request to be used as a template. Required if the --dn option is not set. The public key in the old certificate request is replaced and a fresh signature is generated using the new private key. Optionally a new challengePassword may be set using the --password option.

-g, --digest digest
        Digest to use for signature creation. One of sha1, sha224, sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or sha3_512. The default is determined based on the type and size of the signature key.

-R, --rsa-padding padding
        Padding to use for RSA signatures. Either pss (the default) or pkcs1.

-f, --outform encoding
        Encoding of the created certificate request file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.


EXAMPLES

  • Generate a certificate request for an RSA public key with a TLS-server profile

pki --req --in myKey.der --dn "C=CH, O=strongSwan," \
          --profile server > myReq.der

  • Generate a certificate request for a renewed key based on an existing template

pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

  • Generate a certificate request for an ECDSA public key

pki --req --in myKey.der --type ecdsa --dn "C=CH, O=strongSwan," \
          --digest sha256 > myReq.der

  • Create an options file supporting ECDSA keys with SHA256 digests

cat > req.opt
--type ecdsa
--digest sha256

  • Generate a certificate request for an ECDSA public key including a subjectAltName

pki --req --options req.opt --in myKey.der --dn "C=CH, O=strongSwan," \
          --san > myReq.der
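A request written by the commands above carries everything the requester asked for: the subject DN, every --san value, the EKU flags from --flag and the challengePassword. A CA that copies those requested values into the certificate unchecked issues whatever the requester wanted, so the signing side should read the request back and compare it with its own policy before running pki --issue. The following is an added example, not strongSwan code: a standard-library-only Python inspector that decodes a DER PKCS#10 request (the myReq.der written with --outform der), lists what it asks for, and reports SANs and EKUs that fall outside a local policy. The sample request it builds is constructed here (the DN with CN=moon.example.org, the two SANs, the allowed domain example.org, and the zero-filled public key and signature are all assumptions); the decoder handles single-valued RDNs and DNS, email and IP SANs, does not decode the --profile attribute, and parses but does not verify the signature.

```python
"""Stdlib-only inspector for a DER PKCS#10 request such as the myReq.der written by
`pki --req --outform der`: lists what the request asks for (DN, SANs, EKU flags,
challengePassword) so the signing side can check it against policy.  Added example."""

OIDS = {  # fields pki --req can place in a request, plus two common signature algorithms
    "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN", "2.5.29.17": "subjectAltName",
    "2.5.29.37": "extendedKeyUsage", "1.2.840.113549.1.9.7": "challengePassword",
    "1.2.840.113549.1.9.14": "extensionRequest", "1.2.840.113549.1.1.10": "rsassa-pss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth", "1.3.6.1.5.5.7.3.9": "ocspSigning",
    "1.3.6.1.4.1.311.20.2.2": "msSmartcardLogon",
}

def tlv(tag, body):             # tag, DER length (short form below 128, else long form), value
    n = len(body); b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (b if n < 0x80 else bytes([0x80 | len(b)]) + b) + body

def oid(dotted):                # dotted string -> DER OBJECT IDENTIFIER (base-128 arcs)
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        g = max(1, (v.bit_length() + 6) // 7)
        out += bytes(((v >> (7 * i)) & 0x7F) | (0x80 if i else 0) for i in reversed(range(g)))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos):         # -> (tag, value, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:               # long form: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):             # (tag, value) of every element inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos); out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = ([2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]), 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v); v = 0
    return ".".join(map(str, parts))

def name(b):                    # OID bytes -> friendly name, or the dotted form if unknown
    return OIDS.get(decode_oid(b), decode_oid(b))

def inspect_csr(der):
    """Return what the request asks for.  The signature is parsed, not verified."""
    cri, sigalg, _sig = children(read_tlv(der, 0)[1])
    version, subject, _spki, attrs = children(cri[1])
    info = {"version": version[1][0], "subject": [], "san": [], "eku": [],
            "challengePassword": None, "sigalg": name(children(sigalg[1])[0][1])}
    for _, rdn in children(subject[1]):               # assumes single-valued RDNs
        o, v = children(children(rdn)[0][1])
        info["subject"].append((name(o[1]), v[1].decode()))
    for _, attr in children(attrs[1]):
        o, values = children(attr)
        if name(o[1]) == "challengePassword":
            info["challengePassword"] = children(values[1])[0][1].decode()
        elif name(o[1]) == "extensionRequest":
            for _, ext in children(children(values[1])[0][1]):
                parts = children(ext); inner = children(parts[-1][1])[0][1]  # OID [, critical], OCTET STRING
                if name(parts[0][1]) == "subjectAltName":
                    for t, gn in children(inner):      # context tags: [1] email, [2] DNS, [7] IP
                        kind = {0x81: "email", 0x82: "DNS", 0x87: "IP"}.get(t, hex(t))
                        info["san"].append((kind, ".".join(map(str, gn)) if t == 0x87 else gn.decode()))
                elif name(parts[0][1]) == "extendedKeyUsage":
                    info["eku"] = [name(v) for _, v in children(inner)]
    return info

def policy_findings(info, allowed_domains=("example.org",), allowed_eku=("serverAuth",)):
    """Requested content the CA should reject rather than copy into the certificate."""
    bad = [f"SAN {v} outside allowed domains" for k, v in info["san"]
           if k == "DNS" and not any(v == d or v.endswith("." + d) for d in allowed_domains)]
    return bad + [f"EKU {e} not allowed by profile" for e in info["eku"] if e not in allowed_eku]

def build_sample_csr():
    """Constructed request shaped like the output of `pki --req --dn "C=CH, O=strongSwan,
    CN=moon.example.org" --san moon.example.org --san admin@example.org --flag serverAuth
    --flag clientAuth --password s3cret`; key and signature are zero-filled placeholders."""
    def atv(o, val, tag=0x0C): return tlv(0x31, tlv(0x30, oid(o) + tlv(tag, val.encode())))
    def ext(o, inner): return tlv(0x30, oid(o) + tlv(0x04, inner))
    subject = tlv(0x30, atv("2.5.4.6", "CH", 0x13) + atv("2.5.4.10", "strongSwan")
                  + atv("2.5.4.3", "moon.example.org"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, bytes(17)))
    san = tlv(0x30, tlv(0x82, b"moon.example.org") + tlv(0x81, b"admin@example.org"))
    eku = tlv(0x30, oid("1.3.6.1.5.5.7.3.1") + oid("1.3.6.1.5.5.7.3.2"))
    exts = tlv(0x30, ext("2.5.29.17", san) + ext("2.5.29.37", eku))
    attrs = tlv(0xA0, tlv(0x30, oid("1.2.840.113549.1.9.7") + tlv(0x31, tlv(0x0C, b"s3cret")))
                + tlv(0x30, oid("1.2.840.113549.1.9.14") + tlv(0x31, exts)))
    cri = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + attrs)
    return tlv(0x30, cri + tlv(0x30, oid("1.2.840.113549.1.1.11") + b"\x05\x00") + tlv(0x03, bytes(33)))

if __name__ == "__main__":
    print(policy_findings(inspect_csr(build_sample_csr())))
```

Run stand-alone it reports the one policy violation in the constructed sample (clientAuth requested where only serverAuth is allowed); to inspect a real request, pass `open("myReq.der", "rb").read()` to inspect_csr() and feed the result to policy_findings() with your own domain and EKU lists. A PEM request from --outform pem must be base64-decoded between the BEGIN/END lines first.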