pki --req

Synopsis

pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --dn distinguished-name
          [--san subjectAltName]+ [--profile profile] [--password challengePassword]
          [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+
          [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
          [--rsa-padding pkcs1|pss] [--outform der|pem]

pki --req [--in file|--keyid hex] [--type rsa|ecdsa|priv] --oldreq file
          [--password challengePassword]
          [--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+
          [--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]
          [--rsa-padding pkcs1|pss] [--outform der|pem]

pki --req --help

Description

This pki subcommand generates a PKCS#10 certificate request.

Options

-h

--help

Prints usage information and a short summary of the available options

-v

--debug

Set debug level, default: 1

-+

--options

Read command line options from file

-i

--in

Private key input file. If not given the key is read from STDIN

-x

--keyid

Smartcard or TPM private key object handle in hex format with an optional 0x prefix

-t

--type

Type of the input key. Either priv, rsa, or ecdsa. Defaults to priv

-d

--dn

Subject distinguished name (DN). Required if the --oldreq option is not set

-a

--san

subjectAltName extension to include in request. Can be used multiple times

-P

--profile

Certificate profile name to be included in the certificate request. Can be any UTF8 string. Supported e.g. by openxpki (with profiles pc-client, tls-server, etc.) or pki --issue (with profiles server, client, dual, or ocsp) that are translated into corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate

-e

--flag

Add Extended Key Usage (EKU) flag. One of serverAuth, clientAuth, ocspSigning or msSmartcardLogon. Can be used multiple times. Adds a X.509v3 extendedKeyUsage extension containing these flags to the certificate request

-p

--password

The challengePassword to include in the certificate request

-o

--oldreq

Old certificate request to be used as a template. Required if the --dn option is not set. The public key in the old certificate request is replaced and a fresh signature is generated using the new private key. Optionally a new challengePassword may be set using the --password option

-g

--digest

Digest to use for signature creation. One of sha1, sha224, sha256, sha384, sha512, sha3_224, sha3_256, sha3_384, or sha3_512. The default is determined based on the type and size of the signature key

-R

--rsa-padding

Padding to use for RSA signatures. Either pkcs1 or pss, defaults to pkcs1

-f

--outform

Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der

Examples

  • Generate a certificate request for an RSA public key with a TLS-server profile

pki --req --in myKey.der --dn "C=CH, O=strongSwan, CN=moon.strongswan.org"
          --profile server > myReq.der
  • Generate a certificate request for a renewed key based on an existing template

pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der
  • Generate a certificate request for an ECDSA public key

pki --req --in myKey.der --type ecdsa --dn "C=CH, O=strongSwan, CN=carol@strongswan.org"
          --digest sha256 > myReq.der
  • Create an options file supporting ECDSA keys with SHA256 digests

cat > req.opt
--type ecdsa
--digest sha256
  • Generate a certificate request for an ECDSA public key including a subjectAltName

pki --req --options req.opt --in myKey.der --dn "C=CH, O=strongSwan, CN=carol@strongswan.org"
          --san carol@strongswan.org > myReq.der