SQ(1)                            User Commands                           SQ(1)

NAME
       sq pki certify - Certify a User ID for a Certificate

SYNOPSIS
       sq pki certify [OPTIONS] CERTIFIER-KEY KEY_ID|FINGERPRINT|FILE USERID

DESCRIPTION
       Certify a User ID for a Certificate.

       Using a certification a keyholder may vouch for the fact that another
       certificate legitimately belongs to a user id.  In the context of
       emails this means that the same entity controls the key and the email
       address.  These kind of certifications form the basis for the Web of
       Trust.

       This command emits the certificate with the new certification.  The
       updated certificate has to be distributed, preferably by sending it to
       the certificate holder for attestation.  See also `sq key
       attest-certifications`.

       By default a certification expires after 5 years.  Using the `--expiry`
       argument specific validity periods may be defined.  It allows for
       providing a point in time for validity to end or a validity duration.

       `sq pki certify` respects the reference time set by the top-level
       `--time` argument.  It sets the certification's creation time to the
       reference time.



OPTIONS
   Subcommand options
       -B, --binary
              Emit binary data

       -a, --amount=AMOUNT
              Set the amount of trust.  Values between 1 and 120 are
              meaningful. 120 means fully trusted.  Values less than 120
              indicate the degree of trust.  60 is usually used for partially
              trusted.

              [default: full]

       --add-userid
              Add the given user ID if it doesn't exist in the certificate.

       --allow-not-alive-certifier
              Allow the key to make a certification even if the current time
              is prior to its creation time or the current time is at or after
              its expiration time.

       --allow-revoked-certifier
              Don't fail if the certificate making the certification is
              revoked.

       -d, --depth=TRUST_DEPTH
              Set the trust depth (sometimes referred to as the trust level).
              0 means a normal certification of <CERTIFICATE, USERID>.  1
              means CERTIFICATE is also a trusted introducer, 2 means
              CERTIFICATE is a meta-trusted introducer, etc.

              [default: 0]

       --email
              Treat the given user ID as an email address.  If more than one
              user ID contain the given email address, all are certified.

       --expiry=EXPIRY
              Define EXPIRY for the certification as ISO 8601 formatted string
              or custom duration. If an ISO 8601 formatted string is provided,
              the validity period reaches from the reference time (may be set
              using `--time`) to the provided time. Custom durations starting
              from the reference time may be set using `N[ymwds]`, for N
              years, months, weeks, days, or seconds. The special keyword
              `never` sets an unlimited expiry.

              [default: 157784635s]

       -l, --local
              Make the certification a local certification.  Normally, local
              certifications are not exported.

       --non-revocable
              Mark the certification as being non-revocable. That is, you
              cannot later revoke this certification.  This should normally
              only be used with an expiration.

       --notation NAME VALUE
              Add a notation to the certification.  A user-defined notation's
              name must be of the form `name@a.domain.you.control.org`. If the
              notation's name starts with a !, then the notation is marked as
              being critical.  If a consumer of a signature doesn't understand
              a critical notation, then it will ignore the signature.  The
              notation is marked as being human readable.

       -o, --output=FILE
              Write to FILE or stdout if omitted

              [default: -]

       --private-key-store=KEY_STORE
              Provide parameters for private key store

       -r, --regex=REGEX
              Add a regular expression to constrain what a trusted introducer
              can certify.  The regular expression must match the certified
              User ID in all intermediate introducers, and the certified
              certificate. Multiple regular expressions may be specified.  In
              that case, at least one must match.

        CERTIFIER-KEY
              Create the certification using CERTIFIER-KEY.

        KEY_ID|FINGERPRINT|FILE
              Certify CERTIFICATE.

        USERID
              Certify USERID for CERTIFICATE.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Juliet certifies that Romeo controls romeo.pgp and romeo@example.org

              sq pki certify juliet.pgp romeo.pgp '<romeo@example.org>'



       Certify the User ID Ada, and set the certification time to July 21,
       2013 at midnight UTC:

              sq pki certify --time 20130721 neal.pgp ada.pgp Ada

SEE ALSO
       sq(1), sq-pki(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION
       0.35.0 (sequoia-openpgp 1.20.0)

Sequoia PGP                         0.35.0                               SQ(1)