.TH "PKI \-\-REQ" 1 "2022-08-30" "5.9.13" "strongSwan"
.
.SH "NAME"
.
pki \-\-req \- Create a PKCS#10 certificate request
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-req
.RB [ \-\-in
.IR file | \fB\-\-keyid\fR
.IR hex ]
.OP \-\-type type
.BI \-\-dn\~ distinguished-name
.OP \-\-san subjectAltName
.OP \-\-profile profile
.OP \-\-flag flag
.OP \-\-password password
.OP \-\-digest digest
.OP \-\-rsa\-padding padding
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-req
.RB [ \-\-in
.IR file | \fB\-\-keyid\fR
.IR hex ]
.OP \-\-type type
.BI \-\-oldreq\~ file
.OP \-\-password password
.OP \-\-digest digest
.OP \-\-rsa\-padding padding
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-req
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-req"
.B \-h
|
.B \-\-help
.YS
.q
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to create a PKCS#10 certificate request.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-x, \-\-keyid " hex
Smartcard or TPM private key object handle in hex format with an optional
0x prefix.
.TP
.BI "\-t, \-\-type " type
Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject distinguished name (DN). Required if the
.B \-\-dn
option is not set.
.TP
.BI "\-a, \-\-san " subjectAltName
subjectAltName extension to include in request. Can be used multiple times.
.TP
.BI "\-P, \-\-profile " profile
Certificate profile name to be included in the certificate request. Can be any
UTF8 string. Supported e.g. by
.B openxpki
(with profiles \fIpc-client\fR, \fItls-server\fR, etc.) or
.B pki \-\-issue
(with profiles \fIserver\fR, \fIclient\fR, \fIdual\fR, or \fIocsp\fR) that are
translated into corresponding Extended Key Usage (EKU) flags in the generated
X.509 certificate.
.TP
.BI "\-e, \-\-flag " flag
Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
\fIocspSigning\fR or \fImsSmartcardLogon\fR. Can be used multiple times. Adds an
X.509v3 EKU extension containing these flags to the certificate request.
.TP
.BI "\-p, \-\-password " password
The challengePassword to include in the certificate request.
.TP
.BI "\-o, \-\-oldreq " file
Old certificate request to be used as a template. Required if the
.B --dn
option is not set. The public key in the old certificate request is replaced and
a fresh signature is generated using the new private key. Optionally a new
challengePassword may be set using the
.B --password
option.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fIsha1\fR, \fIsha224\fR,
\fIsha256\fR, \fIsha384\fR, \fIsha512\fR, \fIsha3_224\fR, \fIsha3_256\fR,
\fIsha3_384\fR, or \fIsha3_512\fR. The default is determined based on
the type and size of the signature key.
.TP
.BI "\-R, \-\-rsa\-padding " padding
Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults
to \fIpkcs1\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.
.SH "EXAMPLES"
.
Generate a certificate request for an RSA key, with a subjectAltName extension
and a TLS-server profile:
.PP
.EX
  pki \-\-req \-\-in key.der \-\-dn "C=CH, O=strongSwan, CN=moon" \\
      \-\-san moon@strongswan.org \-\-profile server > req.der
.EE
.PP
Generate a certificate request for a renewed key based on an existing template
.PP
.EX
  pki \-\-req \-\-in myNewKey.der \-\-oldreq myReq.der > myNewReq.der
.EE
.PP
Generate a certificate request for an ECDSA key and a different digest:
.PP
.EX
  pki \-\-req \-\-in key.der \-\-type ecdsa \-\-digest sha256 \\
      \-\-dn "C=CH, O=strongSwan, CN=carol"  > req.der
.EE
.PP
.
.SH "SEE ALSO"
.
.BR pki (1)