pki Tool

Synopsis

pki --gen     (-g)  generate a new private key
    --self    (-s)  create a self signed certificate
    --issue   (-i)  issue a certificate using a CA certificate and key
    --signcrl (-c)  issue a CRL using a CA certificate and key
    --acert   (-z)  issue an attribute certificate
    --req     (-r)  create a PKCS#10 certificate request
    --pkcs7   (-7)  PKCS#7 wrap/unwrap functions
    --pkcs12  (-u)  PKCS#12 functions
    --keyid   (-k)  calculate key identifiers of a key/certificate
    --print   (-a)  print a credential in a human readable form
    --dn      (-d)  extract the subject DN of an X.509 certificate
    --pub     (-p)  extract the public key from a private key/certificate
    --verify  (-v)  verify a certificate using the CA certificate
    --scep    (-S)  Enroll an X.509 certificate with a SCEP server
    --scepca  (-C)  Get CA [and RA] certificate[s] from a SCEP server
    --est     (-E)  Enroll an X.509 certificate with an EST server
    --estca   (-e)  Get CA certificate[s] from an EST server
    --ocsp    (-o)  OCSP request parser and OCSP responder
    --help    (-h)  show usage information

Description

The pki command suite allows you to run a simple public key infrastructure. Generate RSA, ECDSA or EdDSA public key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end entity and root CA certificates, issue end entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames, CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and certificates and compute two kinds of SHA1-based key IDs.
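
The workflow this paragraph describes, as an added example that is not part of the strongSwan documentation or project: a root CA and one end-entity certificate built with the subcommands listed in the synopsis, ending with a chain check. The file names, DNs and the CRL/OCSP URIs are constructed for the demo.

```shell
#!/bin/sh
# Added example: minimal two-level PKI with the strongSwan pki tool.
# Runs in a subshell so the cd does not leak into the caller.
set -eu

build_demo_pki() (
    dir=$1
    mkdir -p "$dir" && cd "$dir"

    # 1. Root CA: RSA key plus a self-signed CA certificate (10 years).
    pki --gen --type rsa --size 3072 --outform pem > caKey.pem
    pki --self --ca --lifetime 3652 --in caKey.pem --type rsa \
        --dn "C=CH, O=strongSwan, CN=strongSwan Demo Root CA" \
        --outform pem > caCert.pem

    # 2. End entity: ECDSA key and a PKCS#10 request carrying a subjectAltName.
    pki --gen --type ecdsa --size 256 --outform pem > moonKey.pem
    pki --req --in moonKey.pem --type ecdsa \
        --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
        --san moon.strongswan.org --outform pem > moonReq.pem

    # 3. Issue the certificate from the request with the CA key, embedding a
    #    CRL distribution point and an OCSP responder URI (constructed values).
    pki --issue --cacert caCert.pem --cakey caKey.pem \
        --type pkcs10 --in moonReq.pem --lifetime 1826 \
        --flag serverAuth --flag ikeIntermediate \
        --crl http://crl.example.invalid/strongswan.crl \
        --ocsp http://ocsp.example.invalid \
        --outform pem > moonCert.pem

    # 4. Both SHA-1 based key IDs of the end-entity key; compare the
    #    subjectKeyIdentifier with the one shown in the printed certificate.
    pki --keyid --in moonKey.pem --type ecdsa
    pki --print --in moonCert.pem --type x509

    # 5. Chain check: exit status 0 means the certificate validates against the CA.
    pki --verify --in moonCert.pem --cacert caCert.pem
)
```

Run as `build_demo_pki /tmp/demo-pki`; the function's exit status is that of the final `pki --verify`.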

Starting with version 5.9.8, the pki command supports certificate enrollment via the Simple Certificate Enrollment Protocol (SCEP) as defined by RFC 8894, replacing the obsoleted ipsec scepclient tool.

Additionally, since version 5.9.8, the newer HTTPS/TLS-based Enrollment over Secure Transport (EST) protocol (RFC 7030) is also supported.

Version 5.9.12 introduced an Online Certificate Status Protocol (OCSP) responder as defined by RFC 6960, interoperating with an OpenXPKI server by directly accessing its internal certificate database.

Subcommands

Configuration

The following parameters can be configured in the pki section of strongswan.conf:

Key                        Default  Description

load                                Plugins to load in the pki tool

scep.http_bind                      Source IP address to bind for HTTP operations

scep.http_timeout          30s      Timeout for HTTP operations

scep.renewal_via_pkcs_req  no       Some SCEP servers (e.g. OpenXPKI) incorrectly do certificate renewal via msgType PKCSReq (19) instead of RenewalReq (17)

Tutorial