pki: Install pki(1) as utility directly in $prefix/bin
The "ipsec pki" command is kept as an alias.
parent
1a8ffea315
commit
0dc8ba8779
22
configure.ac
22
configure.ac
|
@ -1493,17 +1493,17 @@ AC_CONFIG_FILES([
|
|||
man/ipsec.secrets.5
|
||||
man/strongswan.conf.5
|
||||
src/charon-cmd/charon-cmd.8
|
||||
src/pki/man/ipsec-pki.8
|
||||
src/pki/man/pki---gen.8
|
||||
src/pki/man/pki---issue.8
|
||||
src/pki/man/pki---keyid.8
|
||||
src/pki/man/pki---pkcs7.8
|
||||
src/pki/man/pki---print.8
|
||||
src/pki/man/pki---pub.8
|
||||
src/pki/man/pki---req.8
|
||||
src/pki/man/pki---self.8
|
||||
src/pki/man/pki---signcrl.8
|
||||
src/pki/man/pki---verify.8
|
||||
src/pki/man/pki.1
|
||||
src/pki/man/pki---gen.1
|
||||
src/pki/man/pki---issue.1
|
||||
src/pki/man/pki---keyid.1
|
||||
src/pki/man/pki---pkcs7.1
|
||||
src/pki/man/pki---print.1
|
||||
src/pki/man/pki---pub.1
|
||||
src/pki/man/pki---req.1
|
||||
src/pki/man/pki---self.1
|
||||
src/pki/man/pki---signcrl.1
|
||||
src/pki/man/pki---verify.1
|
||||
])
|
||||
|
||||
AC_OUTPUT
|
||||
|
|
|
@ -19,6 +19,7 @@ $(GEN) : PRIVATE_CUSTOM_TOOL = sed \
|
|||
-e "s:@IPSEC_DISTRO@::" \
|
||||
-e "s:@IPSEC_DIR@:$(strongswan_DIR):" \
|
||||
-e "s:@IPSEC_SCRIPT@:ipsec:" \
|
||||
-e "s:@IPSEC_BINDIR@:$(strongswan_DIR):" \
|
||||
-e "s:@IPSEC_SBINDIR@:$(strongswan_SBINDIR):" \
|
||||
-e "s:@IPSEC_CONFDIR@:$(strongswan_CONFDIR):" \
|
||||
-e "s:@IPSEC_PIDDIR@:$(strongswan_PIDDIR):" \
|
||||
|
|
|
@ -20,6 +20,7 @@ _ipsec : _ipsec.in
|
|||
-e "s:@IPSEC_DISTRO@::" \
|
||||
-e "s:@IPSEC_DIR@:$(ipsecdir):" \
|
||||
-e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \
|
||||
-e "s:@IPSEC_BINDIR@:$(bindir):" \
|
||||
-e "s:@IPSEC_SBINDIR@:$(sbindir):" \
|
||||
-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
|
||||
-e "s:@IPSEC_PIDDIR@:$(piddir):" \
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
# for more details.
|
||||
|
||||
# define a minimum PATH environment in case it is not set
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@:@IPSEC_BINDIR@"
|
||||
export PATH
|
||||
|
||||
# set daemon name
|
||||
|
@ -28,6 +28,7 @@ IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
|
|||
|
||||
# where the private directory and the config files are
|
||||
IPSEC_DIR="@IPSEC_DIR@"
|
||||
IPSEC_BINDIR="@IPSEC_BINDIR@"
|
||||
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
|
||||
IPSEC_CONFDIR="@IPSEC_CONFDIR@"
|
||||
IPSEC_PIDDIR="@IPSEC_PIDDIR@"
|
||||
|
@ -39,7 +40,7 @@ IPSEC_CHARON_PID="${IPSEC_PIDDIR}/${DAEMON_NAME}.pid"
|
|||
IPSEC_STROKE="${IPSEC_DIR}/stroke"
|
||||
IPSEC_STARTER="${IPSEC_DIR}/starter"
|
||||
|
||||
export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
|
||||
export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCRIPT IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_CHARON_PID
|
||||
|
||||
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
|
||||
|
||||
|
@ -313,6 +314,10 @@ update)
|
|||
exit 7
|
||||
fi
|
||||
;;
|
||||
pki)
|
||||
shift
|
||||
exec $IPSEC_BINDIR/pki "$@"
|
||||
;;
|
||||
version|--version)
|
||||
printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
|
||||
printf "$IPSEC_DISTRO\n"
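Review bot: In the new `pki)` case, `exec $IPSEC_BINDIR/pki "$@"` leaves the directory expansion unquoted, so a configured bindir containing whitespace or glob characters is word-split before the exec and the alias would run a different path than intended; `exec "$IPSEC_BINDIR/pki" "$@"` avoids that. Using the absolute path rather than a bare `pki` is the right call, because the alias is then not resolved through PATH. The first hunk of this file also appends `@IPSEC_BINDIR@` to the script's fixed PATH; it is placed last, so the system directories still take precedence, but a short comment beside the assignment saying why $prefix/bin is searched at all would help the next reader. The case statement starts and ends outside the hunk.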
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
SUBDIRS = man
|
||||
|
||||
ipsec_PROGRAMS = pki
|
||||
bin_PROGRAMS = pki
|
||||
|
||||
pki_SOURCES = pki.c pki.h command.c command.h \
|
||||
commands/gen.c \
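Review bot: `bin_PROGRAMS = pki` installs a very generically named binary into $prefix/bin, where another package may already provide a `pki` command, and which of the two a user or script then runs depends on PATH order. Packagers commonly resolve such clashes by renaming at install time, but the ipsec script changed in this same commit hard-codes `$IPSEC_BINDIR/pki`, so a renamed binary would break the `ipsec pki` alias; a comment here such as `# installed name is referenced by the pki alias in _ipsec.in` would make that coupling visible. Nothing in the visible change removes the copy an earlier version installed under `$(ipsecdir)`, so an upgrade presumably leaves a stale older binary there. The `pki_SOURCES` list continues outside the hunk.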
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
man8_MANS = \
|
||||
ipsec-pki.8 \
|
||||
pki---gen.8 \
|
||||
pki---self.8 \
|
||||
pki---issue.8 \
|
||||
pki---signcrl.8 \
|
||||
pki---req.8 \
|
||||
pki---pkcs7.8 \
|
||||
pki---keyid.8 \
|
||||
pki---print.8 \
|
||||
pki---pub.8 \
|
||||
pki---verify.8
|
||||
man1_MANS = \
|
||||
pki.1 \
|
||||
pki---gen.1 \
|
||||
pki---self.1 \
|
||||
pki---issue.1 \
|
||||
pki---signcrl.1 \
|
||||
pki---req.1 \
|
||||
pki---pkcs7.1 \
|
||||
pki---keyid.1 \
|
||||
pki---print.1 \
|
||||
pki---pub.1 \
|
||||
pki---verify.1
|
||||
|
||||
CLEANFILES = $(man8_MANS)
|
||||
CLEANFILES = $(man1_MANS)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-GEN" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -29,7 +29,7 @@ pki \-\-gen \- Generate a new RSA or ECDSA private key
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
is used to generate a new RSA or ECDSA private key.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -100,13 +100,13 @@ of lower quality.
|
|||
.SH "EXAMPLES"
|
||||
.
|
||||
.TP
|
||||
.B ipsec pki \-\-gen \-\-size 3072 > rsa_key.der
|
||||
.B pki \-\-gen \-\-size 3072 > rsa_key.der
|
||||
Generates a 3072-bit RSA private key.
|
||||
.
|
||||
.TP
|
||||
.B ipsec pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
|
||||
.B pki \-\-gen \-\-type ecdsa \-\-size 256 > ecdsa_key.der
|
||||
Generates a 256-bit ECDSA private key.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -45,7 +45,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
is used to issue a certificate using a CA certificate and private key.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -170,10 +170,10 @@ Then the following command can be used to issue a certificate based on a
|
|||
given PKCS#10 certificate request and the options above:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki --issue --options pki.opt --in req.der > cert.der
|
||||
pki --issue --options pki.opt --in req.der > cert.der
|
||||
.EE
|
||||
.PP
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-KEYID" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-KEYID" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -25,7 +25,7 @@ pki \-\-keyid \- Calculate key identifiers of a key or certificate
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
calculates key identifiers of private keys and certificates.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -53,7 +53,7 @@ request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
|
|||
Calculate key identifiers of an RSA private key:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki --keyid --in key.der
|
||||
pki --keyid --in key.der
|
||||
subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
|
||||
subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
|
||||
.EE
|
||||
|
@ -61,7 +61,7 @@ Calculate key identifiers of an RSA private key:
|
|||
Calculate key identifiers of an X.509 certificate:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki --keyid --in cert.der --type x509
|
||||
pki --keyid --in cert.der --type x509
|
||||
subjectKeyIdentifier: 6a:9c:74:d1:f8:89:79:89:f6:5a:94:e9:89:f1...
|
||||
subjectPublicKeyInfo hash: 6e:55:dc:7e:9c:a5:58:d9:5b:e3:c7:13:14:e1...
|
||||
.EE
|
||||
|
@ -69,4 +69,4 @@ Calculate key identifiers of an X.509 certificate:
|
|||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-PKCS7" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-PKCS7" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -27,7 +27,7 @@ pki \-\-pkcs7 \- Provides PKCS#7 wrap/unwrap functions
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
provides functions to wrap/unwrap PKCS#7 containers.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -76,4 +76,4 @@ Can be used multiple times.
|
|||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-PRINT" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -25,7 +25,7 @@ pki \-\-print \- Print a credential (key, certificate etc.) in human readable fo
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
prints credentials (keys, certificates etc.) in human readable form.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -50,4 +50,4 @@ private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
|
|||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-PUB" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-PUB" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -28,7 +28,7 @@ pki \-\-pub \- Extract a public key from a private key or certificate
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
extracts public keys from a private keys and certificates.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -60,16 +60,16 @@ Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
|
|||
Extract the public key from an RSA private key:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki --pub --in key.der > pub.der
|
||||
pki --pub --in key.der > pub.der
|
||||
.EE
|
||||
.PP
|
||||
Extract the public key from an X.509 certificate:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki --pub --in cert.der --type x509 > pub.der
|
||||
pki --pub --in cert.der --type x509 > pub.der
|
||||
.EE
|
||||
.PP
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-REQ" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-REQ" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -30,7 +30,7 @@ pki \-\-req \- Create a PKCS#10 certificate request
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
is used to create a PKCS#10 certificate request.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -74,18 +74,18 @@ Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
|||
Generate a certificate request for an RSA key, with a subjectAltName extension:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
|
||||
\-\-san moon@strongswan.org > req.der
|
||||
pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
|
||||
\-\-san moon@strongswan.org > req.der
|
||||
.EE
|
||||
.PP
|
||||
Generate a certificate request for an ECDSA key and a different digest:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
|
||||
\-\-dn "C=CH, O=strongSwan, CN=carol" > req.der
|
||||
pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
|
||||
\-\-dn "C=CH, O=strongSwan, CN=carol" > req.der
|
||||
.EE
|
||||
.PP
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-SELF" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -44,7 +44,7 @@ pki \-\-self \- Create a self-signed certificate
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
is used to create a self-signed certificate.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -139,10 +139,10 @@ User notice for certificatePolicy.
|
|||
Generate a self-signed certificate using the given RSA key:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
|
||||
\-\-san moon.strongswan.org > cert.der
|
||||
pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
|
||||
\-\-san moon.strongswan.org > cert.der
|
||||
.EE
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-SIGNCRL" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -32,7 +32,7 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
is used to issue a Certificate Revocation List (CRL) using a CA certificate and
|
||||
private key.
|
||||
.
|
||||
|
@ -107,18 +107,18 @@ Hexadecimal encoded serial number of the certificate to revoke.
|
|||
Revoke a certificate:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-reason superseded \-\-cert cert.der > crl.der
|
||||
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-reason superseded \-\-cert cert.der > crl.der
|
||||
.EE
|
||||
.PP
|
||||
Update an existing CRL with two new revocations, using the certificate's serial
|
||||
number, but no reason:
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
|
||||
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
|
||||
.EE
|
||||
.PP
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,4 +1,4 @@
|
|||
.TH "PKI \-\-VERIFY" 8 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH "PKI \-\-VERIFY" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
|
@ -25,7 +25,7 @@ pki \-\-verify \- Verify a certificate using a CA certificate
|
|||
.SH "DESCRIPTION"
|
||||
.
|
||||
This sub-command of
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
||||
verifies a certificate using an optional CA certificate.
|
||||
.
|
||||
.SH "OPTIONS"
|
||||
|
@ -53,4 +53,4 @@ the verification failed.
|
|||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec\-pki (8)
|
||||
.BR pki (1)
|
|
@ -1,17 +1,17 @@
|
|||
.TH IPSEC\-PKI 8 "2013-07-30" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.TH PKI 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
|
||||
.
|
||||
.SH "NAME"
|
||||
.
|
||||
ipsec pki \- Simple public key infrastructure (PKI) management tool
|
||||
pki \- Simple public key infrastructure (PKI) management tool
|
||||
.
|
||||
.SH "SYNOPSIS"
|
||||
.
|
||||
.SY "ipsec pki"
|
||||
.SY "pki"
|
||||
.I command
|
||||
.RI [ option\~ .\|.\|.]
|
||||
.YS
|
||||
.
|
||||
.SY "ipsec pki"
|
||||
.SY "pki"
|
||||
.B \-h
|
||||
|
|
||||
.B \-\-help
|
||||
|
@ -19,7 +19,7 @@ ipsec pki \- Simple public key infrastructure (PKI) management tool
|
|||
.
|
||||
.SH "DESCRIPTION"
|
||||
.
|
||||
.B ipsec pki
|
||||
.B pki
|
||||
is a suite of commands that allow you to manage a simple public key
|
||||
infrastructure (PKI).
|
||||
.P
|
||||
|
@ -76,7 +76,7 @@ The first step is to generate a private key using the
|
|||
command. By default this generates a 2048-bit RSA key.
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-gen > ca_key.der
|
||||
pki \-\-gen > ca_key.der
|
||||
.EE
|
||||
.PP
|
||||
This key is used to create the self-signed CA certificate, using the
|
||||
|
@ -84,8 +84,8 @@ This key is used to create the self-signed CA certificate, using the
|
|||
command. The distinguished name should be adjusted to your needs.
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-self \-\-ca \-\-in ca_key.der \\
|
||||
\-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
|
||||
pki \-\-self \-\-ca \-\-in ca_key.der \\
|
||||
\-\-dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
|
||||
.EE
|
||||
.PP
|
||||
.
|
||||
|
@ -97,14 +97,14 @@ which in turn can issue other certificates.
|
|||
To generate a certificate for a server, we start by generating a private key.
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-gen > server_key.der
|
||||
pki \-\-gen > server_key.der
|
||||
.EE
|
||||
.PP
|
||||
The public key will be included in the certificate so lets extract that from the
|
||||
private key.
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-pub \-\-in server_key.der > server_pub.der
|
||||
pki \-\-pub \-\-in server_key.der > server_pub.der
|
||||
.EE
|
||||
.PP
|
||||
The following command will use the CA certificate and private key to issue the
|
||||
|
@ -114,9 +114,9 @@ and flags as needed (check
|
|||
for more options).
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
|
||||
\-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
|
||||
\-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
|
||||
pki \-\-issue \-\-in server_pub.der \-\-cacert ca_cert.der \\
|
||||
\-\-cakey ca_key.der \-\-dn "C=CH, O=strongSwan, CN=VPN Server" \\
|
||||
\-\-san vpn.strongswan.org \-\-flag serverAuth > server_cert.der
|
||||
.EE
|
||||
.PP
|
||||
Instead of storing the public key in a separate
|
||||
|
@ -132,8 +132,8 @@ the
|
|||
command.
|
||||
.PP
|
||||
.EX
|
||||
ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-reason superseded \-\-cert server_cert.der > crl.der
|
||||
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
||||
\-\-reason superseded \-\-cert server_cert.der > crl.der
|
||||
.EE
|
||||
.PP
|
||||
The certificate given with \-\-cacert must be either a CA certificate or a
|
||||
|
@ -144,14 +144,13 @@ certificates with the \-\-crl option.
|
|||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
.BR ipsec (8),
|
||||
.BR pki\ \-\-gen (8),
|
||||
.BR pki\ \-\-self (8),
|
||||
.BR pki\ \-\-issue (8),
|
||||
.BR pki\ \-\-signcrl (8),
|
||||
.BR pki\ \-\-req (8),
|
||||
.BR pki\ \-\-pkcs7 (8),
|
||||
.BR pki\ \-\-keyid (8),
|
||||
.BR pki\ \-\-print (8),
|
||||
.BR pki\ \-\-pub (8),
|
||||
.BR pki\ \-\-verify (8)
|
||||
.BR pki\ \-\-gen (1),
|
||||
.BR pki\ \-\-self (1),
|
||||
.BR pki\ \-\-issue (1),
|
||||
.BR pki\ \-\-signcrl (1),
|
||||
.BR pki\ \-\-req (1),
|
||||
.BR pki\ \-\-pkcs7 (1),
|
||||
.BR pki\ \-\-keyid (1),
|
||||
.BR pki\ \-\-print (1),
|
||||
.BR pki\ \-\-pub (1),
|
||||
.BR pki\ \-\-verify (1)
|