strongSwan pki(1) man page source (troff):

```troff
.TH PKI 1 "2023-10-20" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \- Simple public key infrastructure (PKI) management tool
.
.SH "SYNOPSIS"
.
.SY "pki"
.I command
.RI [ option\~ .\|.\|.]
.YS
.
.SY "pki"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
.B pki
is a suite of commands that allow you to manage a simple public key
infrastructure (PKI).
.P
Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests
containing subjectAltNames, create X.509 self-signed end-entity and root CA
certificates, issue end-entity and intermediate CA certificates signed by the
private key of a CA and containing subjectAltNames, CRL distribution points
and URIs of OCSP servers. You can also extract raw public keys from private
keys, certificate requests and certificates and compute two kinds of SHA-1-based
key IDs.
.P
The
.B pki
command also supports certificate enrollment via the
.B Simple Certificate Enrollment Protocol
(SCEP) as defined by RFC 8894, replacing the obsoleted
.B ipsec scepclient
tool. Additionally, the
.B Enrollment over Secure Transport
(EST) protocol (RFC 7030) is supported.
.P
The latest feature is an
.B Online Certificate Status Protocol
(OCSP) responder as defined by RFC 6960, interoperating with an
.B OpenXPKI
server by directly accessing its internal certificate database.
.
.SH "COMMANDS"
.
.TP
.B "\-h, \-\-help"
Prints usage information and a short summary of the available commands.
.TP
.B "\-g, \-\-gen"
Generate a new private key.
.TP
.B "\-s, \-\-self"
Create a self-signed certificate.
.TP
.B "\-i, \-\-issue"
Issue a certificate using a CA certificate and key.
.TP
.B "\-c, \-\-signcrl"
Issue a CRL using a CA certificate and key.
.TP
.B "\-z, \-\-acert"
Issue an attribute certificate.
.TP
.B "\-r, \-\-req"
Create a PKCS#10 certificate request.
.TP
.B "\-7, \-\-pkcs7"
Provides PKCS#7 wrap/unwrap functions.
.TP
.B "\-k, \-\-keyid"
Calculate key identifiers of a key or certificate.
.TP
.B "\-a, \-\-print"
Print a credential (key, certificate etc.) in human readable form.
.TP
.B "\-d, \-\-dn"
Extract the subject DN of an X.509 certificate.
.TP
.B "\-p, \-\-pub"
Extract a public key from a private key or certificate.
.TP
.B "\-v, \-\-verify"
Verify a certificate using a CA certificate.
.TP
.B "\-S, \-\-scep"
Enroll an X.509 certificate with a SCEP server.
.TP
.B "\-C, \-\-scepca"
Get CA [and RA] certificate[s] from a SCEP server.
.TP
.B "\-E, \-\-est"
Enroll an X.509 certificate with an EST server.
.TP
.B "\-e, \-\-estca"
Get CA certificate[s] from an EST server.
.TP
.B "\-o, \-\-ocsp"
OCSP request parser and OCSP responder.
.
.SH "EXAMPLES"
.
.SS "Generating a CA Certificate"
.
The first step is to generate a private key using the
.B \-\-gen
command. By default this generates a 2048-bit RSA key.
.PP
.EX
pki \-\-gen > ca_key.der
.EE
.PP
This key is used to create the self-signed CA certificate, using the
.B \-\-self
command. The distinguished name should be adjusted to your needs.
.PP
.EX
pki \-\-self \-\-ca \-\-in ca_key.der \\
\-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
.EE
.PP
.
.SS "Generating End-Entity Certificates"
.
With the root CA certificate and key at hand, end-entity certificates for clients
and servers can be issued. Similarly, intermediate CA certificates can be issued,
which in turn can issue other certificates.
To generate a certificate for a server, we start by generating a private key.
.PP
.EX
pki \-\-gen > server_key.der
.EE
.PP
The public key will be included in the certificate, so let's extract it from the
private key.
.PP
.EX
pki \-\-pub \-\-in server_key.der > server_pub.der
.EE
.PP
The following command will use the CA certificate and private key to issue the
certificate for this server. Adjust the distinguished name, subjectAltName(s)
and flags as needed (check
.BR pki\ \-\-issue (8)
for more options).
.PP
.EX
pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
\-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
\-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
.EE
.PP
Instead of storing the public key in a separate
file, the output of
.B \-\-pub
may also be piped directly into the above command.
.
.SS "Generating Certificate Revocation Lists (CRL)"
.
If end-entity certificates have to be revoked, CRLs may be generated using
the
.B \-\-signcrl
command.
.PP
.EX
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
\-\-reason superseded \-\-cert server_cert.der > crl.der
.EE
.PP
The certificate given with \-\-cacert must be either a CA certificate or a
certificate with the
.I crlSign
extended key usage (\-\-flag crlSign). URIs to CRLs may be included in issued
certificates with the \-\-crl option.
.
.SH "SEE ALSO"
.
.BR pki\ \-\-gen (1),
.BR pki\ \-\-self (1),
.BR pki\ \-\-issue (1),
.BR pki\ \-\-signcrl (1),
.BR pki\ \-\-acert (1),
.BR pki\ \-\-req (1),
.BR pki\ \-\-pkcs7 (1),
.BR pki\ \-\-keyid (1),
.BR pki\ \-\-print (1),
.BR pki\ \-\-dn (1),
.BR pki\ \-\-pub (1),
.BR pki\ \-\-verify (1),
.BR pki\ \-\-scep (1),
.BR pki\ \-\-scepca (1),
.BR pki\ \-\-est (1),
.BR pki\ \-\-estca (1),
.BR pki\ \-\-ocsp (1)
```