pki --signcrl
pki --signcrl --cacert file --cakey file|--cakeyid hex
              [--lifetime days] [--not-before datetime] [--not-after datetime] [--dateform form]
              [[--reason key-compromise|ca-compromise|affiliation-changed|superseded|
                         cessation-of-operation|certificate-hold]
                [--date timestamp] --cert file|--serial hex]*
              [--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
              [--rsa-padding pss|pkcs1] [--outform der|pem]

pki --signcrl --help
This pki subcommand generates an X.509 certificate revocation list (CRL) signed by a CA private key.
--cacert (-c)       CA certificate file
--cakey (-k)        CA private key file
--cakeyid (-x)      smartcard or TPM CA private key object handle
--lifetime (-l)     days until the CRL's nextUpdate, default: 15
--not-before (-F)   absolute time when the validity of the CRL begins
--not-after (-T)    absolute time when the validity of the CRL ends
--dateform (-D)     strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y %T
--lastcrl (-a)      existing CRL whose revocations are copied into the new CRL
--basecrl (-b)      base CRL to create a delta CRL for
--crluri (-u)       freshest delta CRL URI to include
--cert (-z)         certificate file to revoke
--serial (-s)       hex encoded certificate serial number to revoke
--reason (-r)       reason for certificate revocation
--date (-d)         revocation date as unix timestamp, default: now
--digest (-g)       digest for signature creation, default: key-specific
--rsa-padding (-R)  padding for RSA signatures, default: pss
--outform (-f)      encoding of the generated CRL, default: der
--debug (-v)        set debug level, default: 1
--options (-+)      read command line options from file
--help (-h)         show usage information
Revoke a certificate
pki --signcrl --cacert caCert.der --cakey caKey.der --reason superseded --cert peerCert.der > crl.der
Update an existing CRL with two new revocations, identified by the certificates' serial numbers and without a reason code
pki --signcrl --cacert caCert.der --cakey caKey.der --lastcrl crl1.der --serial 0123 --serial 0345 > crl2.der
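To audit the file that --signcrl produces, i.e. to confirm which serials it lists and which reason code each carries, here is an added stdlib-only Python walker; it is not part of strongSwan, assumes a DER-encoded CRL as written with the default --outform der, and does not verify the signature. The CRL embedded in it is constructed by hand to mirror the two examples above.

```python
"""Added example (not strongSwan code): list the revoked entries of a DER CRL such as
the crl.der written by `pki --signcrl`. Pure stdlib; the signature is NOT verified."""
from datetime import datetime
# CRLReason codes (RFC 5280, 5.3.1) paired with pki's --reason keywords
REASONS = {0: "unspecified", 1: "key-compromise", 2: "ca-compromise", 3: "affiliation-changed",
           4: "superseded", 5: "cessation-of-operation", 6: "certificate-hold"}
OID_CRL_REASON = bytes.fromhex("551d15")  # id-ce-cRLReasons (2.5.29.21)

def tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return the (tag, value) pairs inside a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def revoked_entries(crl_der):
    """Return [(serial_hex, revocation_datetime, reason_or_None)] for a DER CRL."""
    fields = children(children(tlv(crl_der)[1])[0][1])   # TBSCertList fields
    first_time = next(i for i, (tag, _) in enumerate(fields) if tag in (0x17, 0x18))  # thisUpdate
    # after thisUpdate only revokedCertificates is a SEQUENCE (nextUpdate is a time, crlExtensions is [0])
    revoked = [val for tag, val in fields[first_time + 1:] if tag == 0x30]
    entries = []
    for _, entry in (children(revoked[0]) if revoked else []):
        parts = children(entry)               # serial, revocationDate, [crlEntryExtensions]
        # UTCTime (0x17) carries a two-digit year, GeneralizedTime (0x18) a four-digit one
        when = datetime.strptime(parts[1][1].decode(), "%y%m%d%H%M%SZ" if parts[1][0] == 0x17 else "%Y%m%d%H%M%SZ")
        reason = None                         # entry revoked with --serial only, no --reason given
        for _, ext in (children(parts[2][1]) if len(parts) > 2 else []):
            ext_parts = children(ext)         # OID, [critical BOOLEAN], OCTET STRING extnValue
            if ext_parts[0][1] == OID_CRL_REASON:   # extnValue wraps a one-byte ENUMERATED
                reason = REASONS.get(tlv(ext_parts[-1][1])[1][0], "unknown")
        entries.append((parts[0][1].hex(), when, reason))
    return entries

# Constructed sample (placeholder signature): v2 CRL revoking 0123 as superseded and 0345 with no reason
SAMPLE_CRL = bytes.fromhex(
    "30818f3079020101300d06092a864886f70d01010b0500"  # CertificateList, TBS v2, sha256WithRSA
    "300d310b300906035504030c024341"                  # issuer CN=CA
    "170d3234303130313030303030305a170d3234303131363030303030305a"  # thisUpdate / nextUpdate (+15 d)
    "3038302102020123170d3234303130313030303030305a300c300a0603551d1504030a0104"  # 0123, reason 4
    "301302020345170d3234303130313030303030305a"      # 0345, no crlEntryExtensions
    "300d06092a864886f70d01010b0500030300dead")       # signatureAlgorithm + placeholder BIT STRING
```

Run it against your own output with `revoked_entries(open("crl.der", "rb").read())`; a serial that was passed to --serial or --cert but is missing here, or a reason other than the one given, means the CRL is not the one you intended to publish.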