pki --req creates a PKCS#10 Certificate Signing Request (CSR) from a private key. The CSR can then be submitted to a CA using pki --issue.

Synopsis

pki --req --in <key> --dn <dn> [options]

Options

--in
string
Path to the private key file (PEM or DER). Read from stdin if omitted.
--keyid
string
Hex-encoded CKA_ID of a private key on a token. Use instead of --in for HSM/smartcard-backed keys.
--type
string
default: "priv"
Input key type. Accepted values: priv (auto-detect), rsa, ecdsa.
--dn
string
required
Subject Distinguished Name in RFC 4514 format, for example:
"C=CH, O=strongSwan, CN=moon.strongswan.org"
--san
string
Subject Alternative Name. Can be specified multiple times.
Format          Example
FQDN            moon.strongswan.org
Email           carol@strongswan.org
IPv4 address    192.168.0.1
IPv6 address    fec0::1
--flag
string
Extended Key Usage flag to include in the CSR. Can be specified multiple times. Accepted values: serverAuth, clientAuth, ocspSigning, msSmartcardLogon.
--digest
string
Digest algorithm for the CSR signature (e.g. sha256, sha384, sha512). Defaults to an algorithm appropriate for the key type.
--rsa-padding
string
RSA padding scheme. Use pss for RSASSA-PSS.
--profile
string
Certificate profile to request. Passed as an extension in the CSR.
--req
string
Path to a previous CSR to use as input. Extracts the public key from the existing request.
--outform
string
default: "der"
Output encoding format. Accepted values: pem, der.
--out
string
Write the CSR to the specified file path. If omitted, output goes to stdout.

Examples

Create a CSR for a VPN gateway:

pki --req \
  --type priv \
  --in moonKey.pem \
  --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
  --san moon.strongswan.org \
  --outform pem > moonReq.pem

Create a CSR for a VPN client with an email SAN:

pki --req \
  --type priv \
  --in carolKey.pem \
  --dn "C=CH, O=strongSwan, CN=carol@strongswan.org" \
  --san carol@strongswan.org \
  --outform pem > carolReq.pem

Create a CSR with an EKU flag:

pki --req \
  --type priv \
  --in moonKey.pem \
  --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
  --san moon.strongswan.org \
  --flag serverAuth \
  --outform pem > moonReq.pem

The CSR contains the subject’s DN, SANs, and public key, signed by the subject’s private key to prove possession. The CA may override the DN and SANs when issuing the certificate.
Pass the resulting CSR to pki --issue --type pkcs10 --in moonReq.pem to sign it with a CA.
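The following is an added helper (not part of strongSwan or this page) that checks a --dn string and --san values against the formats documented above before assembling the pki --req command line, so a malformed subject or SAN is caught locally rather than after the CA has already issued or rejected the request. The accepted DN attribute types and the SAN regexes are assumptions of this script, not taken from pki.

```python
"""Sanity-check and build a `pki --req` invocation (example code, not strongSwan's own)."""
import ipaddress
import re
import shutil
import subprocess

# Assumption: the RDN attribute types we expect to see in a --dn string.
_DN_ATTR = re.compile(r"^(C|ST|L|O|OU|CN|E|emailAddress|DC|SN|serialNumber)=", re.I)
# EKU flags listed on the page for --flag.
_FLAGS = {"serverAuth", "clientAuth", "ocspSigning", "msSmartcardLogon"}


def parse_dn(dn):
    """Split an RFC 4514 DN such as "C=CH, O=strongSwan, CN=moon.strongswan.org"
    into (type, value) pairs; commas escaped with a backslash stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not _DN_ATTR.match(part):
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.upper(), val))
    return rdns


def san_format(san):
    """Classify a --san value into one of the formats pki --req accepts."""
    try:  # IPv4 / IPv6 addresses first, since they contain no letters or '@'
        return f"IPv{ipaddress.ip_address(san).version} address"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", san):
        return "Email"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+", san, re.I):
        return "FQDN"
    raise ValueError(f"unrecognised SAN: {san!r}")


def build_req(key, dn, sans=(), flags=(), outform="pem"):
    """Validate the inputs and return the argv for pki --req."""
    parse_dn(dn)
    for s in sans:
        san_format(s)
    bad = set(flags) - _FLAGS
    if bad:
        raise ValueError(f"unknown --flag value(s): {sorted(bad)}")
    cmd = ["pki", "--req", "--type", "priv", "--in", key, "--dn", dn, "--outform", outform]
    for s in sans:
        cmd += ["--san", s]
    for f in flags:
        cmd += ["--flag", f]
    return cmd


def run_req(cmd):
    """Run pki and return the CSR bytes, or None when pki is not installed."""
    if shutil.which("pki") is None:
        return None
    return subprocess.run(cmd, check=True, capture_output=True).stdout
```

Running `build_req("moonKey.pem", "C=CH, O=strongSwan, CN=moon.strongswan.org", ["moon.strongswan.org"], ["serverAuth"])` reproduces the third example above as an argv list; pipe the bytes from `run_req` into moonReq.pem.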