148 lines
3.8 KiB
Groff
148 lines
3.8 KiB
Groff
.TH "PKI \-\-SIGNCRL" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
|
|
.
|
|
.SH "NAME"
|
|
.
|
|
pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
|
|
.
|
|
.SH "SYNOPSIS"
|
|
.
|
|
.SY pki\ \-\-signcrl
|
|
.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
|
|
.BI \-\-cacert\~ file
|
|
.OP \-\-lifetime days
|
|
.OP \-\-this-update datetime
|
|
.OP \-\-next-update datetime
|
|
.OP \-\-lastcrl crl
|
|
.OP \-\-basecrl crl
|
|
.OP \-\-crluri uri
|
|
.OP \-\-digest digest
|
|
.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
|
|
.OP \-\-outform encoding
|
|
.OP \-\-debug level
|
|
.YS
|
|
.
|
|
.SY pki\ \-\-signcrl
|
|
.BI \-\-options\~ file
|
|
.YS
|
|
.
|
|
.SY "pki \-\-signcrl"
|
|
.B \-h
|
|
|
|
|
.B \-\-help
|
|
.YS
|
|
.
|
|
.SH "DESCRIPTION"
|
|
.
|
|
This sub-command of
|
|
.BR pki (1)
|
|
is used to issue a Certificate Revocation List (CRL) using a CA certificate and
|
|
private key.
|
|
.
|
|
.SH "OPTIONS"
|
|
.
|
|
.TP
|
|
.B "\-h, \-\-help"
|
|
Print usage information with a summary of the available options.
|
|
.TP
|
|
.BI "\-v, \-\-debug " level
|
|
Set debug level, default: 1.
|
|
.TP
|
|
.BI "\-+, \-\-options " file
|
|
Read command line options from \fIfile\fR.
|
|
.TP
|
|
.BI "\-k, \-\-cakey " file
|
|
CA private key file. Either this or
|
|
.B \-\-cakeyid
|
|
is required.
|
|
.TP
|
|
.BI "\-x, \-\-cakeyid " hex
|
|
Key ID of a CA private key on a smartcard. Either this or
|
|
.B \-\-cakey
|
|
is required.
|
|
.TP
|
|
.BI "\-c, \-\-cacert " file
|
|
CA certificate file. Required.
|
|
.TP
|
|
.BI "\-l, \-\-lifetime " days
|
|
Days until the CRL gets a nextUpdate, default: 15. Ignored if both
|
|
an absolute start and end time are given.
|
|
.TP
|
|
.BI "\-F, \-\-this-update " datetime
|
|
Absolute time when the validity of the CRL begins. The datetime format is
|
|
defined by the
|
|
.B \-\-dateform
|
|
option.
|
|
.TP
|
|
.BI "\-T, \-\-next-update " datetime
|
|
Absolute time when the validity of the CRL end. The datetime format is
|
|
defined by the
|
|
.B \-\-dateform
|
|
option.
|
|
.TP
|
|
.BI "\-D, \-\-dateform " form
|
|
strptime(3) format for the
|
|
.B \-\-this\-update
|
|
and
|
|
.B \-\-next\-update
|
|
options, default:
|
|
.B %d.%m.%y %T
|
|
.TP
|
|
.BI "\-a, \-\-lastcrl " crl
|
|
CRL of lastUpdate to copy revocations from.
|
|
.TP
|
|
.BI "\-b, \-\-basecrl " crl
|
|
Base CRL to create a delta CRL for.
|
|
.TP
|
|
.BI "\-u, \-\-crluri " uri
|
|
Freshest delta CRL URI to include in CRL. Can be used multiple times.
|
|
.TP
|
|
.BI "\-g, \-\-digest " digest
|
|
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
|
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
|
|
determined based on the type and size of the signature key.
|
|
.TP
|
|
.BI "\-f, \-\-outform " encoding
|
|
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
|
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
|
|
.PP
|
|
.SS "Revoked Certificates"
|
|
Multiple revoked certificates can be added to the CRL by either providing the
|
|
certificate file or the respective serial number directly.
|
|
A reason and a timestamp can be configured for each revocation (they have to be
|
|
given before each certificate/serial on the command line).
|
|
.TP
|
|
.BI "\-r, \-\-reason " reason
|
|
The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
|
|
\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
|
|
\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
|
|
.TP
|
|
.BI "\-d, \-\-date " ts
|
|
Revocation date as Unix timestamp. Defaults to the current time.
|
|
.TP
|
|
.BI "\-z, \-\-cert " file
|
|
Certificate file to revoke.
|
|
.TP
|
|
.BI "\-s, \-\-serial " hex
|
|
Hexadecimal encoded serial number of the certificate to revoke.
|
|
.
|
|
.SH "EXAMPLES"
|
|
.
|
|
Revoke a certificate:
|
|
.PP
|
|
.EX
|
|
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
|
\-\-reason superseded \-\-cert cert.der > crl.der
|
|
.EE
|
|
.PP
|
|
Update an existing CRL with two new revocations, using the certificate's serial
|
|
number, but no reason:
|
|
.PP
|
|
.EX
|
|
pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
|
|
\-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
|
|
.EE
|
|
.PP
|
|
.SH "SEE ALSO"
|
|
.
|
|
.BR pki (1)
|