.TH "PKI \-\-SELF" 1 "2013-07-31" "5.2.1" "strongSwan"
.
.SH "NAME"
.
pki \-\-self \- Create a self-signed certificate
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-self
.RB [ \-\-in
.IR file | \fB\-\-keyid\fR
.IR hex ]
.OP \-\-type t
.BI \-\-dn\~ distinguished-name
.OP \-\-san subjectAltName
.OP \-\-lifetime days
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-serial hex
.OP \-\-flag flag
.OP \-\-digest digest
.OP \-\-ca
.OP \-\-ocsp uri
.OP \-\-pathlen len
.OP \-\-nc-permitted name
.OP \-\-nc-excluded name
.OP \-\-policy\-mapping mapping
.OP \-\-policy\-explicit len
.OP \-\-policy\-inhibit len
.OP \-\-policy\-any len
.OP \-\-cert\-policy oid\ \fR[\fB\-\-cps\-uri\ \fIuri\fR]\ \fR[\fB\-\-user\-notice\ \fItext\fR]
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-self
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-self"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to create a self-signed certificate.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-x, \-\-keyid " hex
Key ID of a private key on a smartcard.
.TP
.BI "\-t, \-\-type " type
Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject and issuer distinguished name (DN). Required.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
.TP
.BI "\-l, \-\-lifetime " days
Days the certificate is valid, default: 1095. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the certificate begins. The datetime format
is defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the certificate ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIcrlSign\fR, or \fIocspSigning\fR. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
\fIsha1\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.TP
.BI "\-b, \-\-ca"
Include CA basicConstraint extension in certificate.
.TP
.BI "\-o, \-\-ocsp " uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple
times.
.TP
.BI "\-p, \-\-pathlen " len
Set path length constraint.
.TP
.BI "\-n, \-\-nc-permitted " name
Add permitted NameConstraint extension to certificate.
.TP
.BI "\-N, \-\-nc-excluded " name
Add excluded NameConstraint extension to certificate.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
.TP
.BI "\-E, \-\-policy-explicit " len
Add requireExplicitPolicy constraint.
.TP
.BI "\-H, \-\-policy-inhibit " len
Add inhibitPolicyMapping constraint.
.TP
.BI "\-A, \-\-policy-any " len
Add inhibitAnyPolicy constraint.
.PP
.SS "Certificate Policy"
Multiple certificatePolicy extensions can be added. Each with the following
information:
.TP
.BI "\-P, \-\-cert-policy " oid
OID to include in certificatePolicy extension. Required.
.TP
.BI "\-C, \-\-cps-uri " uri
Certification Practice statement URI for certificatePolicy.
.TP
.BI "\-U, \-\-user-notice " text
User notice for certificatePolicy.
.
.SH "EXAMPLES"
.
Generate a self-signed certificate using the given RSA key:
.PP
.EX
  pki \-\-self \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
      \-\-san moon.strongswan.org > cert.der
.EE
.
.SH "SEE ALSO"
.
.BR pki (1)