pki --self (1)
NAME
pki --self - Create a self-signed certificateSYNOPSIS
[--in file|--keyid hex] [ --type t ] --dn~distinguished-name [ --san subjectAltName ] [ --lifetime days ] [ --serial hex ] [ --flag flag ] [ --digest digest ] [ --ca ] [ --ocsp uri ] [ --pathlen len ] [ --nc-permitted name ] [ --nc-excluded name ] [ --policy-mapping mapping ] [ --policy-explicit len ] [ --policy-inhibit len ] [ --policy-any len ] [ --cert-policy oid [--cps-uri uri] [--user-notice text] ] [ --outform encoding ] [ --debug level ] --options~file -h | --helpDESCRIPTION
This sub-command of pki(1) is used to create a self-signed certificate.OPTIONS
- -h, --help
- Print usage information with a summary of the available options.
- -v, --debug level
- Set debug level, default: 1.
- -+, --options file
- Read command line options from file.
- -i, --in file
- Private key input file. If not given the key is read from STDIN.
- -x, --keyid hex
- Key ID of a private key on a smartcard.
- -t, --type type
- Type of the input key. Either rsa or ecdsa, defaults to rsa.
- -d, --dn distinguished-name
- Subject and issuer distinguished name (DN). Required.
- -a, --san subjectAltName
- subjectAltName extension to include in certificate. Can be used multiple times.
- -l, --lifetime days
- Days the certificate is valid, default: 1095.
- -s, --serial hex
- Serial number in hex. It is randomly allocated by default.
- -e, --flag flag
- Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, or ocspSigning. Can be used multiple times.
- -g, --digest digest
- Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. Defaults to sha1.
- -f, --outform encoding
- Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to der.
- -b, --ca
- Include CA basicConstraint extension in certificate.
- -o, --ocsp uri
- OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
- -p, --pathlen len
- Set path length constraint.
- -n, --nc-permitted name
- Add permitted NameConstraint extension to certificate.
- -N, --nc-excluded name
- Add excluded NameConstraint extension to certificate.
- -M, --policy-mapping issuer-oid:subject-oid
- Add policyMapping from issuer to subject OID.
- -E, --policy-explicit len
- Add requireExplicitPolicy constraint.
- -H, --policy-inhibit len
- Add inhibitPolicyMapping constraint.
- -A, --policy-any len
- Add inhibitAnyPolicy constraint.
Certificate Policy
Multiple certificatePolicy extensions can be added. Each with the following information:- -P, --cert-policy oid
- OID to include in certificatePolicy extension. Required.
- -C, --cps-uri uri
- Certification Practice statement URI for certificatePolicy.
- -U, --user-notice text
- User notice for certificatePolicy.
EXAMPLES
Generate a self-signed certificate using the given RSA key:
pki --self --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
--san moon.strongswan.org > cert.der
SEE ALSO
pki(1)
![assorted[chips]](/wp-content/themes/codetools-2016child/images/assortedchips_logo_black.png){kind=logo}