
pki --signcrl creates or updates a Certificate Revocation List (CRL) signed by a CA. Use it to revoke certificates and publish revocation status.

Synopsis

pki --signcrl --cacert <file> --cakey <file> [options]

Options

CA inputs

--cacert (string, required)
    Path to the CA certificate file (PEM or DER).

--cakey (string, required)
    Path to the CA private key file (PEM or DER).

--cakeyid (string)
    Hex-encoded CKA_ID of the CA private key on a token.

CRL properties

--lifetime (number, default: 15)
    CRL validity period in days. Clients should not cache a CRL beyond this date.

--lastcrl (string)
    Path to a previous CRL to update. Revocations in the existing CRL are carried over into the new CRL.

--basecrl (string)
    Base CRL when issuing a delta CRL.

--digest (string)
    Digest algorithm for the CRL signature (e.g. sha256, sha384, sha512).

--rsa-padding (string)
    RSA padding scheme. Use pss for RSASSA-PSS.

Revoking certificates

Each revocation entry requires either --cert or --serial, and optionally --reason and --date.

--cert (string)
    Path to a certificate to revoke. The serial number is extracted from the certificate automatically.

--serial (string)
    Hex-encoded serial number of the certificate to revoke.

--reason (string)
    Reason for revocation. Accepted values:
      • key-compromise
      • ca-compromise
      • affiliation-changed
      • superseded
      • cessation-of-operation
      • certificate-hold

--date (string)
    Date of revocation as a Unix timestamp. Defaults to the current time.

Output

--outform (string, default: der)
    Output encoding format. Accepted values: pem, der.

--out (string)
    Write the CRL to the specified file. If omitted, output goes to stdout.

Examples

Create an empty CRL valid for 30 days:

    pki --signcrl \
      --cacert strongswanCert.pem \
      --cakey strongswanKey.pem \
      --lifetime 30 \
      --outform pem > strongswan.crl

Revoke a certificate and update an existing CRL:

    pki --signcrl \
      --cacert strongswanCert.pem \
      --cakey strongswanKey.pem \
      --lifetime 30 \
      --lastcrl strongswan.crl \
      --reason key-compromise \
      --cert moonCert.pem \
      --outform pem > new.crl

Revoke by serial number with a specific revocation date:

    pki --signcrl \
      --cacert strongswanCert.pem \
      --cakey strongswanKey.pem \
      --lifetime 30 \
      --lastcrl strongswan.crl \
      --serial 0x01 \
      --reason superseded \
      --date 1700000000 \
      --outform pem > new.crl

Revoke multiple certificates in a single CRL:

    pki --signcrl \
      --cacert strongswanCert.pem \
      --cakey strongswanKey.pem \
      --lifetime 30 \
      --reason key-compromise --cert moonCert.pem \
      --reason cessation-of-operation --cert carolCert.pem \
      --outform pem > new.crl
Always use --lastcrl when updating an existing CRL. Omitting it creates a new CRL with only the revocations specified in the current invocation; previously revoked certificates will no longer appear as revoked.
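The carry-over rule above is easy to get wrong in an automated re-signing job, and a CRL that silently drops an earlier revocation is accepted by every client as a perfectly valid CRL. The following check, added here as an example and not part of the strongSwan pki tool, compares the revoked serials of the CRL being replaced with those of the freshly signed one and reports any that disappeared. It uses a minimal DER walker that covers only the CRL fields it needs (no signature verification), and the sample CRLs it runs on are constructed inline with a placeholder signature field; the helper load_crl() reads real files written with --outform der or --outform pem.

```python
"""Check that a freshly signed CRL still lists every serial the previous CRL revoked,
i.e. that `pki --signcrl` was run with `--lastcrl`. Added example, not strongSwan code."""
import base64
import re

# RFC 5280 CRLReason codes, keyed by the names that `pki --signcrl --reason` accepts.
REASON_CODES = {
    "key-compromise": 1, "ca-compromise": 2, "affiliation-changed": 3,
    "superseded": 4, "cessation-of-operation": 5, "certificate-hold": 6,
}
REASON_NAMES = {code: name for name, code in REASON_CODES.items()}
OID_CRL_REASON = bytes.fromhex("551d15")  # id-ce-cRLReasons (2.5.29.21)


# --- minimal DER encode/decode (definite lengths only, as DER requires) --------------
def _der(tag, body):
    """Encode one TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _int(value):
    """DER INTEGER for a non-negative value; a leading 0x00 keeps the high bit clear."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def _tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


# --- CRL parsing -------------------------------------------------------------------------
def load_crl(path):
    """Read a CRL file as written by --outform der or --outform pem."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----", b"", data))
    return data


def revoked_entries(crl_der):
    """Return {serial: reason_code_or_None} for each revokedCertificates entry."""
    _, cert_list, _ = _tlv(crl_der, 0)            # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)                # tbsCertList
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0          # optional version INTEGER
    i += 3                                        # signature, issuer, thisUpdate
    entries = {}
    for tag, val in fields[i:]:
        if tag != 0x30:                           # nextUpdate (Time) or [0] crlExtensions
            continue
        for _, entry in _children(val):
            parts = _children(entry)              # serial, revocationDate[, extensions]
            reason = None
            if len(parts) > 2:
                for _, ext in _children(parts[2][1]):
                    ext_parts = _children(ext)    # OID[, critical], OCTET STRING
                    if ext_parts[0][1] == OID_CRL_REASON:
                        reason = _children(ext_parts[-1][1])[0][1][0]   # ENUMERATED value
            entries[int.from_bytes(parts[0][1], "big")] = reason
    return entries


def missing_after_update(old_der, new_der):
    """Serials revoked in the old CRL that the new CRL no longer lists (should be empty)."""
    return sorted(set(revoked_entries(old_der)) - set(revoked_entries(new_der)))


# --- constructed sample CRLs: structurally valid, signature field is a placeholder ---------
def build_sample_crl(revoked):
    """revoked: list of (serial, reason_name_or_None)."""
    utc = lambda s: _der(0x17, s.encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                            + _der(0x0C, b"Constructed CA"))))       # CN=Constructed CA
    entries = b""
    for serial, reason in revoked:
        exts = b""
        if reason is not None:
            enum = _der(0x0A, bytes([REASON_CODES[reason]]))
            exts = _der(0x30, _der(0x30, _der(0x06, OID_CRL_REASON) + _der(0x04, enum)))
        entries += _der(0x30, _int(serial) + utc("231114221320Z") + exts)
    tbs = _der(0x30, _int(1) + alg + issuer + utc("231114221320Z") + utc("231214221320Z")
               + (_der(0x30, entries) if entries else b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    previous = build_sample_crl([(0x01, "key-compromise")])
    without_lastcrl = build_sample_crl([(0x02, "cessation-of-operation")])
    with_lastcrl = build_sample_crl([(0x01, "key-compromise"), (0x02, "cessation-of-operation")])
    for label, crl in (("without --lastcrl", without_lastcrl), ("with --lastcrl", with_lastcrl)):
        dropped = [hex(s) for s in missing_after_update(previous, crl)]
        print(f"{label}: revoked={revoked_entries(crl)} dropped={dropped}")
```

In a publishing pipeline the natural place for missing_after_update() is between the pki --signcrl call and the copy to the CRL distribution point: sign with --outform der, run the check against the CRL currently published, and refuse to overwrite it if the result is non-empty. Serials compare as integers, so the 0x01 form used with --serial and the value printed from a certificate match without normalisation.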
To embed the CRL distribution point URI in issued certificates, use pki --issue --crl <uri>. Clients will fetch the CRL from the specified URI to check revocation status.