pki Tool
Synopsis
```
pki --gen      (-g)  generate a new private key
    --self     (-s)  create a self signed certificate
    --issue    (-i)  issue a certificate using a CA certificate and key
    --signcrl  (-c)  issue a CRL using a CA certificate and key
    --acert    (-z)  issue an attribute certificate
    --req      (-r)  create a PKCS#10 certificate request
    --pkcs7    (-7)  PKCS#7 wrap/unwrap functions
    --pkcs12   (-u)  PKCS#12 functions
    --keyid    (-k)  calculate key identifiers of a key/certificate
    --print    (-a)  print a credential in a human readable form
    --dn       (-d)  extract the subject DN of an X.509 certificate
    --pub      (-p)  extract the public key from a private key/certificate
    --verify   (-v)  verify a certificate using the CA certificate
    --scep     (-S)  enroll an X.509 certificate with a SCEP server
    --scepca   (-C)  get CA [and RA] certificate[s] from a SCEP server
    --est      (-E)  enroll an X.509 certificate with an EST server
    --estca    (-e)  get CA certificate[s] from an EST server
    --ocsp     (-o)  OCSP request parser and OCSP responder
    --help     (-h)  show usage information
```
Description
The pki command suite allows you to run a simple public key infrastructure. It generates RSA, ECDSA or EdDSA key pairs, creates PKCS#10 certificate requests containing subjectAltNames, creates X.509 self-signed end entity and root CA certificates, and issues end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates, and compute two kinds of SHA1-based key IDs.

Starting with version 5.9.8, the pki command supports certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP) as defined by RFC 8894, replacing the obsoleted ipsec scepclient tool. Additionally, since version 5.9.8, the newer HTTPS/TLS-based Enrollment over Secure Transport (EST) protocol (RFC 7030) is offered as well.
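As an added walk-through (not code from the strongSwan project or its documentation), the following script chains the subcommands above to build a root CA, an intermediate CA and an end-entity VPN server certificate carrying subjectAltNames, a CRL distribution point and an OCSP URI, then checks each link of the chain with --verify. The output directory, DNs, hostnames and URIs are placeholders.

```shell
#!/bin/sh
# Added example: two-level PKI with strongSwan's pki tool (root CA -> issuing
# CA -> end-entity certificate). All names, DNs and URIs below are placeholders.
set -eu

OUT="${1:-./demo-pki}"                       # output directory (placeholder)
CRL_URI="http://crl.example.org/issuing.crl" # placeholder CRL distribution point
OCSP_URI="http://ocsp.example.org"           # placeholder OCSP responder

# Expand "a,b,c" into "--san a --san b --san c": pki takes --san once per name.
san_args() {
  sans="$1"; out=""
  while [ -n "$sans" ]; do
    case "$sans" in
      *,*) item="${sans%%,*}"; sans="${sans#*,}" ;;
      *)   item="$sans";       sans="" ;;
    esac
    out="$out${out:+ }--san $item"
  done
  printf '%s' "$out"
}

build_pki() (
  mkdir -p "$OUT" && cd "$OUT"
  # Root CA: ECDSA P-384 key and a self-signed CA certificate valid 10 years
  pki --gen --type ecdsa --size 384 --outform pem > rootKey.pem
  pki --self --ca --lifetime 3652 --in rootKey.pem \
      --dn "C=CH, O=Example, CN=Example Root CA" --outform pem > rootCert.pem
  # Issuing CA signed by the root; pathlen 0 means it may only sign end entities
  pki --gen --type ecdsa --size 384 --outform pem > subKey.pem
  pki --pub --in subKey.pem --outform pem > subPub.pem
  pki --issue --ca --pathlen 0 --lifetime 1826 --cacert rootCert.pem --cakey rootKey.pem \
      --in subPub.pem --dn "C=CH, O=Example, CN=Example Issuing CA" \
      --crl "$CRL_URI" --outform pem > subCert.pem
  # End-entity certificate: SANs, serverAuth EKU, CRL DP and OCSP URI, valid 1 year
  pki --gen --type rsa --size 3072 --outform pem > vpnKey.pem
  pki --pub --in vpnKey.pem --outform pem > vpnPub.pem
  pki --issue --lifetime 365 --cacert subCert.pem --cakey subKey.pem --in vpnPub.pem \
      --dn "C=CH, O=Example, CN=vpn.example.org" \
      $(san_args "vpn.example.org,192.0.2.10") --flag serverAuth \
      --crl "$CRL_URI" --ocsp "$OCSP_URI" --outform pem > vpnCert.pem
  # Show the two SHA1-based key identifiers, then verify each link of the chain
  pki --keyid --type x509 --in vpnCert.pem
  pki --verify --in subCert.pem --cacert rootCert.pem
  pki --verify --in vpnCert.pem --cacert subCert.pem
)

if command -v pki >/dev/null 2>&1; then build_pki; fi  # runs only if pki is on PATH
```

Keep the CA private keys (rootKey.pem, subKey.pem) off the VPN gateway; only the end-entity key and the certificate chain need to be deployed there.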
Subcommands
Each subcommand has additional options. Pass --help to a subcommand to get additional information.
Configuration
The following parameters can be configured in the pki section of strongswan.conf:

Key | Default | Description
---|---|---
load | | Plugins to load in
scep.http_bind | | Source IP address to bind for HTTP operations
scep.http_timeout | | Timeout for HTTP operations
scep.renewal_via_pkcs_req | | Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal via
Tutorial
- A quickstart tutorial on the use of the pki tool can be found here.