pki --self creates a self-signed X.509 certificate from a private key. This is primarily used to create root CA certificates.

Synopsis

pki --self --in <key> --dn <dn> [options]

Options

--in <string>
    Path to the input private key file (PEM or DER). If omitted, the key is read from stdin.

--keyid <string>
    Hex-encoded CKA_ID of a private key stored on a token (HSM/smartcard). Use instead of --in for hardware-backed keys.

--type <string>, default: priv
    Input type. Accepted values: priv (auto-detect), rsa, ecdsa, ed25519, ed448, pub, pkcs10.

--dn <string>, required
    Subject Distinguished Name (DN) in RFC 4514 format, for example:
    "C=CH, O=strongSwan, CN=strongSwan Root CA"

--san <string>
    Subject Alternative Name (SAN). Can be specified multiple times. Accepts FQDNs, email addresses, IPv4 and IPv6 addresses, and URIs.

--lifetime <number>, default: 1095
    Certificate validity period in days. Defaults to 1095 days (3 years).

--not-before <string>
    Start of certificate validity. Accepts a date string or Unix timestamp. Defaults to the current time.

--not-after <string>
    End of certificate validity. Overrides --lifetime if specified.

--serial <string>
    Serial number in hexadecimal. If omitted, a random serial is generated.

--ca <boolean>
    Include the CA basic constraint, marking this as a CA certificate.

--pathlen <number>
    Maximum CA path length constraint. Only meaningful when --ca is set.

--flag <string>
    Extended Key Usage (EKU) flag. Can be specified multiple times. Accepted values: serverAuth, clientAuth, crlSign, ocspSigning, ikeIntermediate, msSmartcardLogon.

--ocsp <string>
    OCSP responder URI to embed in the certificate. Can be specified multiple times.

--digest <string>
    Digest algorithm to use for the signature (e.g. sha256, sha384, sha512). Defaults to a digest appropriate for the key type.

--rsa-padding <string>
    RSA padding scheme. Use pss for RSASSA-PSS. Defaults to PKCS#1 v1.5.

--outform <string>, default: der
    Output encoding format. Accepted values: pem, der.

Examples

Create a self-signed root CA certificate valid for 10 years:

    pki --self \
      --ca \
      --lifetime 3652 \
      --in strongswanKey.pem \
      --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
      --outform pem > strongswanCert.pem

Create a self-signed certificate with SANs for a host:

    pki --self \
      --in moonKey.pem \
      --dn "C=CH, O=strongSwan, CN=moon.strongswan.org" \
      --san moon.strongswan.org \
      --san 192.168.0.1 \
      --lifetime 730 \
      --outform pem > moonCert.pem

Create a CA certificate with an OCSP responder:

    pki --self \
      --ca \
      --lifetime 3652 \
      --in strongswanKey.pem \
      --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
      --ocsp http://ocsp.strongswan.org \
      --outform pem > strongswanCert.pem

Self-signed certificates are only appropriate for root CA certificates. For end-entity certificates (VPN gateways, clients), use pki --issue instead.

Use --lifetime 3652 (roughly 10 years) for long-lived root CA certificates. For intermediate CAs, a shorter lifetime of 5 years (1826 days) is common.
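The root CA workflow above, carried through as an added shell script that is not part of the strongSwan documentation or code base: it generates the key, self-signs it with the CA flag and a path length, and then checks the result with pki --verify and pki --print before the certificate is handed out as a trust anchor. It assumes the strongSwan pki binary is on PATH and that pki --print reports the basic constraint on its "flags:" line; the DN and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the strongSwan project): build and check a
# self-signed root CA with pki --self. Assumes strongSwan's `pki` is on PATH.
set -eu

# make_root_ca KEY CERT DN LIFETIME_DAYS
# Generates a private key, self-signs a CA certificate, and only returns 0 if
# the certificate verifies against itself and carries the CA basic constraint.
make_root_ca() {
    key=$1; cert=$2; dn=$3; days=$4

    # Reject a non-numeric lifetime before any key material is created.
    case $days in
        ''|*[!0-9]*) echo "lifetime must be a positive integer (days)" >&2; return 1 ;;
    esac

    # Root key: RSA 3072 via pki --gen, written with owner-only permissions,
    # because a leaked root key lets an attacker issue trusted peer certificates.
    umask 077
    pki --gen --type rsa --size 3072 --outform pem > "$key"

    # Self-sign: --ca sets the CA basic constraint, --pathlen 1 permits at most
    # one intermediate CA below this root, --digest pins the signature hash.
    pki --self --ca --pathlen 1 --lifetime "$days" \
        --in "$key" --dn "$dn" --digest sha256 \
        --outform pem > "$cert"

    # Check 1: a self-signed root must verify when it is its own trust anchor.
    pki --verify --in "$cert" --cacert "$cert" >/dev/null || {
        echo "self-signed certificate does not verify against itself" >&2
        return 1
    }

    # Check 2: pki --print lists "CA" on its flags line when the basic
    # constraint is present (assumed output format; see lead-in).
    pki --print --in "$cert" --type x509 \
        | grep -E '^ *flags:.*[[:space:]]CA([[:space:]]|$)' >/dev/null || {
        echo "certificate is missing the CA basic constraint" >&2
        return 1
    }
}

# Stand-alone usage: make_root_ca.sh <key.pem> <cert.pem> "<dn>" <lifetime-days>
if [ "$#" -eq 4 ]; then
    make_root_ca "$@"
fi
```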