Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/strongswan/strongswan/llms.txt

Use this file to discover all available pages before exploring further.

pki --print parses and displays the contents of certificates, CRLs, public keys, private keys, and PKCS#10 CSRs in a human-readable format.

Synopsis

pki --print [--in <file>] [--type <type>] [--outform <format>]

Options

--in
string
Input file to parse (PEM or DER). If omitted, reads from stdin. The format is detected automatically.
--keyid
string
Hex-encoded CKA_ID of a key or certificate on a token.
--type
string
default:"x509"
Force interpretation of the input as a specific credential type. Accepted values:
  • x509 — X.509 certificate (default)
  • crl — Certificate Revocation List
  • ac — Attribute Certificate
  • pub — raw public key
  • priv — private key (auto-detect algorithm)
  • rsa / rsa-priv — RSA private key
  • ecdsa / ecdsa-priv — ECDSA private key
  • ed25519 / ed25519-priv — Ed25519 private key
  • ed448 / ed448-priv — Ed448 private key
  • pkcs10 — PKCS#10 CSR
--outform
string
Output encoding format. Used when re-encoding a credential after parsing.

Output fields

The output format depends on the credential type.

X.509 certificate fields

FieldDescription
subjectSubject Distinguished Name
issuerIssuer Distinguished Name
validityNot Before / Not After dates
serialCertificate serial number (hex)
flagsKey usage and extended key usage flags
subjkeySubject key identifier (SHA-1 of public key)
authkeyAuthority key identifier
pubkeyPublic key type and size
keyidPublic key fingerprint
subjAltNamesSubject Alternative Names
CRL CDPsCRL Distribution Point URIs
OCSPOCSP responder URIs

CRL fields

FieldDescription
issuerCA that signed the CRL
updateThis Update / Next Update dates
serialCRL number
revokedList of revoked certificates (serial, date, reason)

Private key fields

FieldDescription
privkeyKey algorithm and size
keyidKey fingerprint (SHA-1 of SubjectPublicKeyInfo)
subjkeySubject key identifier

Examples

Inspect an X.509 certificate: 
pki --print --in moonCert.pem
Example output for a CA certificate: 
subject:  "C=CH, O=strongSwan, CN=strongSwan Root CA"
issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity:  not before Nov 22 10:19:13 2023, ok
           not after  Nov 20 10:19:13 2033, ok (expires in 3649 days)
serial:    4e:4d:65:2b:3d:54:d7:5c
flags:     CA CRLSign self-signed
subjkey:   51:ce:28:2e:60:47:1f:8c:d2:28:38:55:24:d1:d8:3f:1b:03:6d:43
authkey:   51:ce:28:2e:60:47:1f:8c:d2:28:38:55:24:d1:d8:3f:1b:03:6d:43
pubkey:    RSA 3072 bits
keyid:     b2:08:41:e1:ef:3d:9c:8d:05:bd:a7:c5:1b:a4:0e:79:67:50:b4:a1
Example output for an end-entity certificate: 
subject:  "C=CH, O=strongSwan, CN=moon.strongswan.org"
issuer:   "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity:  not before Nov 22 10:19:14 2023, ok
           not after  Nov 21 10:19:14 2028, ok (expires in 1824 days)
serial:    01
flags:     serverAuth ikeIntermediate
subjkey:   13:f0:4e:69:d0:22:78:17:38:18:29:66:4e:c9:08:f4:e2:e2:4e:90
authkey:   51:ce:28:2e:60:47:1f:8c:d2:28:38:55:24:d1:d8:3f:1b:03:6d:43
pubkey:    RSA 3072 bits
keyid:     36:d9:c0:7e:7f:be:38:50:71:73:4d:47:45:3c:bc:7a:29:25:e7:8d
subjAltNames:
         DNS:moon.strongswan.org
Inspect a CRL: 
pki --print --type crl --in strongswan.crl
Inspect a private key: 
pki --print --type priv --in strongswanKey.pem
Inspect a PKCS#10 CSR: 
pki --print --type pkcs10 --in moonReq.pem
Use pki --print to verify certificate contents before deploying them. Confirm that the subject, SANs, validity dates, and flags match your expectations.