.TH "PKI \-\-SELF" 1 "2016-12-13" "5.5.2" "strongSwan"
.
.SH "NAME"
.
pki \-\-self \- Create a self-signed certificate
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-self
.RB [ \-\-in
.IR file | \fB\-\-keyid\fR
.IR hex ]
.OP \-\-type t
.BI \-\-dn\~ distinguished-name
.OP \-\-san subjectAltName
.OP \-\-lifetime days
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-serial hex
.OP \-\-flag flag
.OP \-\-digest digest
.OP \-\-ca
.OP \-\-ocsp uri
.OP \-\-pathlen len
.OP \-\-addrblock block
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.OP \-\-policy\-any len
.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-self
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-self"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to create a self-signed certificate.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-x, \-\-keyid " hex
Smartcard or TPM private key object handle in hex format with an optional
0x prefix.
.TP
.BI "\-t, \-\-type " type
Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
or \fIbliss\fR, defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject and issuer distinguished name (DN). Required.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
.TP
.BI "\-l, \-\-lifetime " days
Days the certificate is valid, default: 1095. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the certificate begins. The datetime format
is defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the certificate ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR.  The default is
determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.TP
.BI "\-b, \-\-ca"
Include CA basicConstraint extension in certificate.
.TP
.BI "\-o, \-\-ocsp " uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-p, \-\-pathlen " len
Set path length constraint.
.TP
.BI "\-B, \-\-addrblock " block
RFC 3779 address block to include in certificate. \fIblock\fR is either a
CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
Please note that the supplied blocks are included in the certificate as is,
so for standards compliance, multiple blocks must be supplied in correct
order and adjacent blocks must be combined. Refer to RFC 3779 for details.
.TP
.BI "\-n, \-\-nc-permitted " name
Add permitted NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
Add excluded NameConstraint extension to certificate. For DNS or email
constraints, the identity type is not always detectable by the given name. Use
the
.B dns:
or
.B email:
prefix to force a constraint type.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
.BI "\-E, \-\-policy-explicit " len
Add requireExplicitPolicy constraint.
.TP
.BI "\-H, \-\-policy-inhibit " len
Add inhibitPolicyMapping constraint.
.TP
.BI "\-A, \-\-policy-any " len
Add inhibitAnyPolicy constraint.
.PP
.SS "Certificate Policy"
Multiple certificatePolicy extensions can be added. Each with the following
information:
.TP
.BI "\-P, \-\-cert-policy " oid
OID to include in certificatePolicy extension. Required.
.TP
.BI "\-C, \-\-cps-uri " uri
Certification Practice statement URI for certificatePolicy.
.TP
.BI "\-U, \-\-user-notice " text
User notice for certificatePolicy.
.
.SH "EXAMPLES"
.
Generate a self-signed certificate using the given RSA key:
.PP
.EX
  pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
      \-\-san moon.strongswan.org > cert.der
.EE
.
.SH "SEE ALSO"
.
.BR pki (1)