From: Tobias Brunner Date: Mon, 12 Aug 2013 14:39:21 +0000 (+0200) Subject: pki: Add pki --signcrl man page X-Git-Tag: 5.1.1dr4~25^2~9 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=96aa5a1dddacc6fb618e391b3bb5506806dadd53;p=thirdparty%2Fstrongswan.git pki: Add pki --signcrl man page --- diff --git a/configure.ac b/configure.ac index 20f5033016..108c22380f 100644 --- a/configure.ac +++ b/configure.ac @@ -1497,6 +1497,7 @@ AC_CONFIG_FILES([ src/pki/man/pki---gen.8 src/pki/man/pki---issue.8 src/pki/man/pki---self.8 + src/pki/man/pki---signcrl.8 ]) AC_OUTPUT diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index f9746cca70..4f9dd291d6 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -429,13 +429,13 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", - {"--cacert file --cakey file | --cakeyid hex --lifetime days", - "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", - "[ [--reason key-compromise|ca-compromise|affiliation-changed|", + {"--cacert file --cakey file|--cakeyid hex [--lifetime days]", + " [--lastcrl crl] [--basecrl crl] [--crluri uri]+", + " [[--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", - " [--date timestamp]", - " --cert file | --serial hex ]*", - "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + " [--date timestamp] --cert file|--serial hex]*", + " [--digest md5|sha1|sha224|sha256|sha384|sha512]", + " [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"cacert", 'c', 1, "CA certificate file"}, diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am index 74363aed78..df71614fe9 100644 --- a/src/pki/man/Makefile.am +++ b/src/pki/man/Makefile.am 
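Review bot: The reflowed usage line `" [--digest md5|sha1|sha224|sha256|sha384|sha512]"` in src/pki/commands/signcrl.c still lists `md5` as a digest for signing CRLs, and the man page added by this commit documents `sha1` as the default; neither text says that these are collision-weak choices for a signature. Whether `md5` is actually accepted is decided by option parsing outside this hunk, so this is a documentation point only. I would add a comment above the usage array such as `/* md5 and sha1 are listed for compatibility; prefer sha256 or stronger for CRL signatures */` and say the same in the `--digest` paragraph of pki---signcrl.8.in. The body of reg() continues outside the hunk.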
@@ -2,6 +2,7 @@ man8_MANS = \ ipsec-pki.8 \ pki---gen.8 \ pki---self.8 \ - pki---issue.8 + pki---issue.8 \ + pki---signcrl.8 CLEANFILES = $(man8_MANS) diff --git a/src/pki/man/ipsec-pki.8.in b/src/pki/man/ipsec-pki.8.in index fdfb9284c9..49499bd393 100644 --- a/src/pki/man/ipsec-pki.8.in +++ b/src/pki/man/ipsec-pki.8.in @@ -72,4 +72,5 @@ Verify a certificate using a CA certificate. .BR ipsec (8), .BR pki\ \-\-gen (8), .BR pki\ \-\-self (8), -.BR pki\ \-\-issue (8) +.BR pki\ \-\-issue (8), +.BR pki\ \-\-signcrl (8) diff --git a/src/pki/man/pki---signcrl.8.in b/src/pki/man/pki---signcrl.8.in new file mode 100644 index 0000000000..7d67c4945e --- /dev/null +++ b/src/pki/man/pki---signcrl.8.in 
@@ -0,0 +1,124 @@
+.TH "PKI \-\-SIGNCRL" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR ipsec\-pki (8)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+ ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+ ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR ipsec\-pki (8)
\ No newline at end of file