[thirdparty/strongswan.git] / src / pki / man / pki.1.in

.TH PKI 1 "2023-10-20" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \- Simple public key infrastructure (PKI) management tool
.
.SH "SYNOPSIS"
.
.SY "pki"
.I command
.RI [ option\~ .\|.\|.]
.YS
.
.SY "pki"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
.B pki
is a suite of commands that allow you to manage a simple public key
infrastructure (PKI).
.P
Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
containing subjectAltNames, create X.509 self-signed end-entity and root CA
certificates, issue end-entity and intermediate CA certificates signed by the
private key of a CA and containing subjectAltNames, CRL distribution points
and URIs of OCSP servers. You can also extract raw public keys from private
keys, certificate requests and certificates and compute two kinds of SHA-1-based
key IDs.
.P
The
.B pki
command also supports certificate enrollment via the
.B Simple Certificate Enrollment Protocol
(SCEP) as defined by RFC 8894, replacing the obsoleted
.B ipsec scepclient
tool. Additionally the
.B Enrollment over Secure Transport
(EST) protocol (RFC 7030) is supported, too.
.P
The latest feature is an
.B Online Certificate Status Protocol
(OCSP) responder as defined by RFC 6960, interoperating with an
.B OpenXPKI
server by directly accessing its internal certificate datebase.
.
.SH "COMMANDS"
.
.TP
.B "\-h, \-\-help"
Prints usage information and a short summary of the available commands.
.TP
.B "\-g, \-\-gen"
Generate a new private key.
.TP
.B "\-s, \-\-self"
Create a self-signed certificate.
.TP
.B "\-i, \-\-issue"
Issue a certificate using a CA certificate and key.
.TP
.B "\-c, \-\-signcrl"
Issue a CRL using a CA certificate and key.
.TP
.B "\-z, \-\-acert"
Issue an attribute certificate.
.TP
.B "\-r, \-\-req"
Create a PKCS#10 certificate request.
.TP
.B "\-7, \-\-pkcs7"
Provides PKCS#7 wrap/unwrap functions.
.TP
.B "\-k, \-\-keyid"
Calculate key identifiers of a key or certificate.
.TP
.B "\-a, \-\-print"
Print a credential (key, certificate etc.) in human readable form.
.TP
.B "\-d, \-\-dn"
Extract the subject DN of an X.509 certificate.
.TP
.B "\-p, \-\-pub"
Extract a public key from a private key or certificate.
.TP
.B "\-v, \-\-verify"
Verify a certificate using a CA certificate.
.TP
.B "\-S, \-\-scep"
Enroll an X.509 certificate with a SCEP server.
.TP
.B "\-C, \-\-scepca"
Get CA [and RA] certificate[s] from a SCEP server.
.TP
.B "\-E, \-\-est"
Enroll an X.509 certificate with an EST server.
.TP
.B "\-e, \-\-estca"
Get CA certificate[s] from an EST server.
.TP
.B "\-o, \-\-ocsp"
OCSP request parser and OCSP responder.
.
.SH "EXAMPLES"
.
.SS "Generating a CA Certificate"
.
The first step is to generate a private key using the
.B \-\-gen
command. By default this generates a 2048-bit RSA key.
.PP
.EX
  pki \-\-gen > ca_key.der
.EE
.PP
This key is used to create the self-signed CA certificate, using the
.B \-\-self
command. The distinguished name should be adjusted to your needs.
.PP
.EX
  pki \-\-self \-\-ca \-\-in ca_key.der \\
      \-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
.EE
.PP
.
.SS "Generating End-Entity Certificates"
.
With the root CA certificate and key at hand end-entity certificates for clients
and servers can be issued. Similarly intermediate CA certificates can be issued,
which in turn can issue other certificates.
To generate a certificate for a server, we start by generating a private key.
.PP
.EX
  pki \-\-gen > server_key.der
.EE
.PP
The public key will be included in the certificate so lets extract that from the
private key.
.PP
.EX
  pki \-\-pub \-\-in server_key.der > server_pub.der
.EE
.PP
The following command will use the CA certificate and private key to issue the
certificate for this server. Adjust the distinguished name, subjectAltName(s)
and flags as needed (check
.BR pki\ \-\-issue (8)
for more options).
.PP
.EX
  pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
      \-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
      \-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
.EE
.PP
Instead of storing the public key in a separate
file, the output of
.B \-\-pub
may also be piped directly into the above command.
.
.SS "Generating Certificate Revocation Lists (CRL)"
.
If end-entity certificates have to be revoked, CRLs may be generated using
the
.B \-\-signcrl
command.
.PP
.EX
  pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
      \-\-reason superseded \-\-cert server_cert.der > crl.der
.EE
.PP
The certificate given with \-\-cacert must be either a CA certificate or a
certificate with the
.I crlSign
extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
certificates with the \-\-crl option.
.
.SH "SEE ALSO"
.
.BR pki\ \-\-gen (1),
.BR pki\ \-\-self (1),
.BR pki\ \-\-issue (1),
.BR pki\ \-\-signcrl (1),
.BR pki\ \-\-acert (1),
.BR pki\ \-\-req (1),
.BR pki\ \-\-pkcs7 (1),
.BR pki\ \-\-keyid (1),
.BR pki\ \-\-print (1),
.BR pki\ \-\-dn (1),
.BR pki\ \-\-pub (1),
.BR pki\ \-\-verify (1),
.BR pki\ \-\-scep (1)
.BR pki\ \-\-scepca (1)
.BR pki\ \-\-est (1)
.BR pki\ \-\-estca (1)
.BR pki\ \-\-ocsp (1)
Commit	Line	Data
821d7784	1	.TH PKI 1 "2023-10-20" "@PACKAGE_VERSION@" "strongSwan"
34cff934 TB	2	.
	3	.SH "NAME"
	4	.
0dc8ba87	5	pki \- Simple public key infrastructure (PKI) management tool
34cff934 TB	6	.
	7	.SH "SYNOPSIS"
	8	.
0dc8ba87	9	.SY "pki"
34cff934 TB	10	.I command
	11	.RI [ option\~ .\\|.\\|.]
	12	.YS
	13	.
0dc8ba87	14	.SY "pki"
34cff934 TB	15	.B \-h
	16	\|
	17	.B \-\-help
	18	.YS
	19	.
	20	.SH "DESCRIPTION"
	21	.
0dc8ba87	22	.B pki
34cff934 TB	23	is a suite of commands that allow you to manage a simple public key
	24	infrastructure (PKI).
	25	.P
	26	Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
	27	containing subjectAltNames, create X.509 self-signed end-entity and root CA
	28	certificates, issue end-entity and intermediate CA certificates signed by the
	29	private key of a CA and containing subjectAltNames, CRL distribution points
	30	and URIs of OCSP servers. You can also extract raw public keys from private
	31	keys, certificate requests and certificates and compute two kinds of SHA-1-based
	32	key IDs.
a9d70bd4 AS	33	.P
	34	The
	35	.B pki
821d7784	36	command also supports certificate enrollment via the
a9d70bd4 AS	37	.B Simple Certificate Enrollment Protocol
	38	(SCEP) as defined by RFC 8894, replacing the obsoleted
	39	.B ipsec scepclient
	40	tool. Additionally the
	41	.B Enrollment over Secure Transport
	42	(EST) protocol (RFC 7030) is supported, too.
821d7784 AS	43	.P
	44	The latest feature is an
	45	.B Online Certificate Status Protocol
	46	(OCSP) responder as defined by RFC 6960, interoperating with an
	47	.B OpenXPKI
	48	server by directly accessing its internal certificate datebase.
34cff934 TB	49	.
	50	.SH "COMMANDS"
	51	.
	52	.TP
	53	.B "\-h, \-\-help"
	54	Prints usage information and a short summary of the available commands.
	55	.TP
	56	.B "\-g, \-\-gen"
	57	Generate a new private key.
	58	.TP
	59	.B "\-s, \-\-self"
	60	Create a self-signed certificate.
	61	.TP
	62	.B "\-i, \-\-issue"
	63	Issue a certificate using a CA certificate and key.
	64	.TP
	65	.B "\-c, \-\-signcrl"
	66	Issue a CRL using a CA certificate and key.
	67	.TP
6e8c665a MW	68	.B "\-z, \-\-acert"
	69	Issue an attribute certificate.
	70	.TP
34cff934 TB	71	.B "\-r, \-\-req"
	72	Create a PKCS#10 certificate request.
	73	.TP
	74	.B "\-7, \-\-pkcs7"
	75	Provides PKCS#7 wrap/unwrap functions.
	76	.TP
	77	.B "\-k, \-\-keyid"
	78	Calculate key identifiers of a key or certificate.
	79	.TP
	80	.B "\-a, \-\-print"
	81	Print a credential (key, certificate etc.) in human readable form.
	82	.TP
6ef46686 TB	83	.B "\-d, \-\-dn"
	84	Extract the subject DN of an X.509 certificate.
	85	.TP
34cff934 TB	86	.B "\-p, \-\-pub"
	87	Extract a public key from a private key or certificate.
	88	.TP
	89	.B "\-v, \-\-verify"
	90	Verify a certificate using a CA certificate.
a9d70bd4 AS	91	.TP
	92	.B "\-S, \-\-scep"
	93	Enroll an X.509 certificate with a SCEP server.
	94	.TP
	95	.B "\-C, \-\-scepca"
	96	Get CA [and RA] certificate[s] from a SCEP server.
	97	.TP
	98	.B "\-E, \-\-est"
	99	Enroll an X.509 certificate with an EST server.
	100	.TP
	101	.B "\-e, \-\-estca"
	102	Get CA certificate[s] from an EST server.
821d7784 AS	103	.TP
	104	.B "\-o, \-\-ocsp"
	105	OCSP request parser and OCSP responder.
34cff934	106	.
1a8ffea3 TB	107	.SH "EXAMPLES"
	108	.
	109	.SS "Generating a CA Certificate"
	110	.
	111	The first step is to generate a private key using the
	112	.B \-\-gen
	113	command. By default this generates a 2048-bit RSA key.
	114	.PP
	115	.EX
0dc8ba87	116	pki \-\-gen > ca_key.der
1a8ffea3 TB	117	.EE
	118	.PP
	119	This key is used to create the self-signed CA certificate, using the
	120	.B \-\-self
	121	command. The distinguished name should be adjusted to your needs.
	122	.PP
	123	.EX
0dc8ba87 TB	124	pki \-\-self \-\-ca \-\-in ca_key.der \\
0dc8ba87 TB	125	\-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
1a8ffea3 TB	126	.EE
	127	.PP
	128	.
	129	.SS "Generating End-Entity Certificates"
	130	.
	131	With the root CA certificate and key at hand end-entity certificates for clients
	132	and servers can be issued. Similarly intermediate CA certificates can be issued,
	133	which in turn can issue other certificates.
	134	To generate a certificate for a server, we start by generating a private key.
	135	.PP
	136	.EX
0dc8ba87	137	pki \-\-gen > server_key.der
1a8ffea3 TB	138	.EE
	139	.PP
	140	The public key will be included in the certificate so lets extract that from the
	141	private key.
	142	.PP
	143	.EX
0dc8ba87	144	pki \-\-pub \-\-in server_key.der > server_pub.der
1a8ffea3 TB	145	.EE
	146	.PP
	147	The following command will use the CA certificate and private key to issue the
	148	certificate for this server. Adjust the distinguished name, subjectAltName(s)
	149	and flags as needed (check
	150	.BR pki\ \-\-issue (8)
	151	for more options).
	152	.PP
	153	.EX
0dc8ba87 TB	154	pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
	155	\-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
	156	\-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
1a8ffea3 TB	157	.EE
	158	.PP
	159	Instead of storing the public key in a separate
	160	file, the output of
	161	.B \-\-pub
	162	may also be piped directly into the above command.
	163	.
	164	.SS "Generating Certificate Revocation Lists (CRL)"
	165	.
	166	If end-entity certificates have to be revoked, CRLs may be generated using
	167	the
	168	.B \-\-signcrl
	169	command.
	170	.PP
	171	.EX
0dc8ba87 TB	172	pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
0dc8ba87 TB	173	\-\-reason superseded \-\-cert server_cert.der > crl.der
1a8ffea3 TB	174	.EE
	175	.PP
	176	The certificate given with \-\-cacert must be either a CA certificate or a
	177	certificate with the
	178	.I crlSign
	179	extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
	180	certificates with the \-\-crl option.
	181	.
34cff934 TB	182	.SH "SEE ALSO"
34cff934 TB	183	.
0dc8ba87 TB	184	.BR pki\ \-\-gen (1),
	185	.BR pki\ \-\-self (1),
	186	.BR pki\ \-\-issue (1),
	187	.BR pki\ \-\-signcrl (1),
6e8c665a	188	.BR pki\ \-\-acert (1),
0dc8ba87 TB	189	.BR pki\ \-\-req (1),
	190	.BR pki\ \-\-pkcs7 (1),
	191	.BR pki\ \-\-keyid (1),
	192	.BR pki\ \-\-print (1),
6ef46686	193	.BR pki\ \-\-dn (1),
0dc8ba87	194	.BR pki\ \-\-pub (1),
a9d70bd4 AS	195	.BR pki\ \-\-verify (1),
	196	.BR pki\ \-\-scep (1)
	197	.BR pki\ \-\-scepca (1)
	198	.BR pki\ \-\-est (1)
	199	.BR pki\ \-\-estca (1)
821d7784	200	.BR pki\ \-\-ocsp (1)