
pki --issue signs a certificate using a CA private key and CA certificate. The input can be a PKCS#10 certificate signing request (CSR), a raw public key, or a private key from which the public key is extracted.

Synopsis

pki --issue --cacert <file> (--cakey <file> | --cakeyid <hex>) [--in <file>] [--type <type>] [options]

Options

CA inputs

--cacert
string
required
Path to the CA certificate file (PEM or DER). It must carry the CA basicConstraint; pki refuses to issue from a certificate that lacks it.
--cakey
string
Path to the CA private key file (PEM or DER). Either --cakey or --cakeyid is required. pki checks that this key matches the public key in --cacert and refuses to issue otherwise.
--cakeyid
string
Hex object handle (key ID) of the CA private key on a PKCS#11 token (HSM, smartcard) or a TPM 2.0. Use instead of --cakey when the CA key never leaves the device.

Certificate input

--in
string
Input file containing the subject’s public key, private key, or PKCS#10 CSR. Read from stdin if omitted.
--type
string
default:"pub"
Input file type. pki does not sniff the input, so pass --type pkcs10 for a request and --type priv (or the key type) when --in is a private key. Accepted values:
  • pkcs10 — PKCS#10 certificate signing request
  • pub — raw public key (default)
  • priv — private key (public key is extracted)
  • rsa, ecdsa, ed25519, ed448 — type-specific private keys

Subject attributes

--dn
string
Subject Distinguished Name to embed in the certificate. If using a PKCS#10 input, this overrides the DN in the CSR.
--san
string
Subject Alternative Name. Can be specified multiple times. Accepts FQDNs, email addresses, IPv4 and IPv6 addresses.

Certificate properties

--lifetime
number
default:"1095"
Certificate validity period in days.
--not-before
string
Start of certificate validity as a date/time string in the strptime(3) format set with --dateform, default %d.%m.%y %T (e.g. 01.03.25 00:00:00). Defaults to the current time. Unix timestamps are not accepted.
--not-after
string
End of certificate validity, same format as --not-before. Defaults to --not-before plus --lifetime days; when given, --lifetime is ignored.
--serial
string
Serial number in hexadecimal (e.g. 01, 0a, 7f3e). If omitted, a random serial is generated. RFC 5280 requires the serial to be a positive integer that is unique among all certificates issued by this CA; the random default satisfies that without any bookkeeping.
--ca
boolean
Issue as a CA certificate, including the CA basic constraint.
--pathlen
number
Maximum CA path length constraint. Only meaningful when --ca is set.
--flag
string
Extended Key Usage (EKU) flag. Can be specified multiple times. Accepted values:
  • serverAuth — TLS server authentication
  • clientAuth — TLS client authentication
  • ikeIntermediate — IKE intermediate certificate
  • crlSign — CRL signing
  • ocspSigning — OCSP response signing
  • msSmartcardLogon — Microsoft smartcard logon
--crl
string
CRL Distribution Point URI to embed. Can be specified multiple times.
--ocsp
string
OCSP responder URI to embed. Can be specified multiple times.
--digest
string
Digest algorithm for the signature: sha224, sha256, sha384, sha512 or a sha3_* variant. md5 and sha1 are still accepted for legacy compatibility and must not be used for new certificates. Defaults to a digest appropriate for the CA key type.
--rsa-padding
string
default:"pkcs1"
RSA signature padding: pkcs1 (PKCS#1 v1.5) or pss (RSASSA-PSS). Only relevant for RSA CA keys.
--outform
string
default:"der"
Output encoding format. Accepted values: pem, der. The issued certificate is written to stdout; redirect it to a file as in the examples below.

Examples

Issue a certificate from a PKCS#10 CSR:
pki --issue \
  --cacert strongswanCert.pem \
  --cakey strongswanKey.pem \
  --type pkcs10 \
  --in moonReq.pem \
  --serial 01 \
  --lifetime 1826 \
  --outform pem > moonCert.pem
Issue a VPN gateway certificate directly from the subject's private key (no CSR), with SANs and EKU flags. The default input type is pub, so the private key must be announced with --type priv:
pki --issue \
  --cacert strongswanCert.pem \
  --cakey strongswanKey.pem \
  --type priv \
  --in moonKey.pem \
  --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
  --san moon.strongswan.org \
  --flag serverAuth \
  --flag ikeIntermediate \
  --lifetime 1826 \
  --outform pem > moonCert.pem
Issue a client certificate with a CRL distribution point:
pki --issue \
  --cacert strongswanCert.pem \
  --cakey strongswanKey.pem \
  --type pkcs10 \
  --in carolReq.pem \
  --serial 02 \
  --lifetime 1826 \
  --flag clientAuth \
  --crl http://crl.strongswan.org/strongswan.crl \
  --outform pem > carolCert.pem
When --type pkcs10 is used, the subject DN is taken from the CSR unless --dn is given, and the SANs in the CSR are always included; any --san values are added alongside them. Inspect the request before signing it (pki --print --type pkcs10 --in moonReq.pem) and pass only the extensions the certificate's role needs: a gateway certificate should not get --ca, and a client certificate should not get serverAuth.
The one hard rule for --serial is that no two certificates from the same CA share a serial (RFC 5280). CRLs and OCSP identify a revoked certificate by issuer and serial, so a duplicate makes revocation ambiguous. Sequential values (01, 02, ...) are fine for a private VPN CA if you keep a per-CA counter; if you would rather not track one, omit --serial and let pki pick a random serial.
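As an added example (not from the strongSwan documentation or project), the following POSIX shell script wires the commands above into a small issuing workflow for a private CA: CA key and self-signed CA certificate, a gateway and a client certificate issued from CSRs, a per-CA serial counter kept in ca/serial, an explicit validity window in the default --dateform format, and a post-issue chain check with pki --verify. The directory layout, DNs, file names and the counter file are assumptions of this script; pki itself keeps no serial index.

```shell
#!/bin/sh
# Added example, not part of the strongSwan docs. Assumes the strongSwan pki
# binary is on PATH; ca/serial, the DNs and the file names are this script's
# own conventions.
set -eu

# Allocate the next sequential serial for the CA in $1 and print it in hex.
# The counter file is this script's bookkeeping, not something pki maintains.
next_serial() {
    cadir=$1
    n=0
    if [ -f "$cadir/serial" ]; then
        n=$(cat "$cadir/serial")
    fi
    n=$((n + 1))
    printf '%d\n' "$n" > "$cadir/serial"
    printf '%02x' "$n"
}

# Create an ECDSA P-256 CA key and a 10-year self-signed CA certificate in $1.
setup_ca() {
    cadir=$1
    mkdir -p "$cadir"
    # umask 077 keeps the private key readable by the CA operator only
    (umask 077; pki --gen --type ecdsa --size 256 --outform pem > "$cadir/caKey.pem")
    pki --self --ca --lifetime 3652 --type ecdsa --in "$cadir/caKey.pem" \
        --dn "C=CH, O=strongSwan, CN=strongSwan Example CA" \
        --outform pem > "$cadir/caCert.pem"
}

# Gateway certificate for FQDN $3 from a fresh key and CSR; files are named $2.*
issue_server() {
    cadir=$1; name=$2; fqdn=$3
    (umask 077; pki --gen --type ecdsa --size 256 --outform pem > "$name.key.pem")
    pki --req --type ecdsa --in "$name.key.pem" \
        --dn "C=CH, O=strongSwan, CN=$fqdn" --san "$fqdn" \
        --outform pem > "$name.req.pem"
    serial=$(next_serial "$cadir")
    # --type pkcs10: DN and SAN come from the request; EKUs and the CRL
    # distribution point are decided here, by the CA
    pki --issue --cacert "$cadir/caCert.pem" --cakey "$cadir/caKey.pem" \
        --type pkcs10 --in "$name.req.pem" --serial "$serial" \
        --lifetime 1826 --flag serverAuth --flag ikeIntermediate \
        --crl http://crl.strongswan.org/strongswan.crl \
        --outform pem > "$name.cert.pem"
}

# Client certificate for e-mail $3 with an explicit validity window in the
# default --dateform (%d.%m.%y %T); --lifetime is ignored once --not-after is set.
issue_client() {
    cadir=$1; name=$2; email=$3
    (umask 077; pki --gen --type ecdsa --size 256 --outform pem > "$name.key.pem")
    pki --req --type ecdsa --in "$name.key.pem" \
        --dn "C=CH, O=strongSwan, CN=$email" --san "$email" \
        --outform pem > "$name.req.pem"
    serial=$(next_serial "$cadir")
    pki --issue --cacert "$cadir/caCert.pem" --cakey "$cadir/caKey.pem" \
        --type pkcs10 --in "$name.req.pem" --serial "$serial" \
        --not-before "01.01.24 00:00:00" --not-after "31.12.34 23:59:59" \
        --flag clientAuth --outform pem > "$name.cert.pem"
}

# Chain-check certificate $2 against the CA in $1, then print what was issued
# so the serial, validity, SANs and EKUs can be eyeballed before deployment.
check_issued() {
    cadir=$1; cert=$2
    pki --verify --in "$cert" --cacert "$cadir/caCert.pem" || return 1
    pki --print --type x509 --in "$cert"
}

main() {
    setup_ca ca
    issue_server ca moon moon.strongswan.org
    issue_client ca carol carol@strongswan.org
    check_issued ca moon.cert.pem
    check_issued ca carol.cert.pem
}

# Run as: sh issue_demo.sh run   (the functions can also be sourced on their own)
case "${1:-}" in run) main ;; esac
```

Run it in an empty directory; it leaves the CA material under ca/ and the issued keys, requests and certificates beside it. The counter file is the only state that carries between runs, and it is the reason the script never reuses a serial; delete it and the next run would start again at 01 against the same CA, which is exactly the duplicate-serial situation revocation cannot disambiguate.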