*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->Tru64 Unix man pages -> ipsec_certmake (8)              
Title
Content
Arch
Section
 

ipsec_certmake(8)

Contents


NAME    [Toc]    [Back]

       ipsec_certmake - Creates X.509 certificates, requests, and
       Certificate Revocation Lists (CRLs)

SYNOPSIS    [Toc]    [Back]

       /usr/sbin/ipsec_certmake [-h] file [file...]

OPTIONS    [Toc]    [Back]

       Displays a usage message and exits.

DESCRIPTION    [Toc]    [Back]

       The ipsec_certmake command enables you to create the  following:
  X.509  V3 public key certificates and hierarchies
       of public key certificates  Certificate  revocation  lists
       (CRLs) PKCS10-formatted certificate requests

       This  command  and other related certificate commands provided
 in this IPsec implementation are intended for  testing
  purposes  only.   They  are not intended to provide a
       complete public-key certificate infrastructure.

       The ipsec_certmake command  reads  each  definition  input
       file  and creates the specified certificate, CRL, and certificate
 request files.

       Blank lines are ignored.   Everything  after  the  percent
       character (%) on a line is treated as a comment.

       The  encoding of private key and output files is specified
       by preceding the path name with  a  formatting  character,
       delimited by colons as follows: Privacy-Encoded-Mail (PEM)
       format

              The file is encoded  as  a  Base64-encoded  binary.
              Binary (DER-encoded) format

              The  file is encoded in accordance with the Distinguished
 Encoding Rules (DER) of ASN.1.  HEXL format

              The  file  is encoded as a hexadecimal string. Each
              line has the following form:

              xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy

              In this form, xxxxxxxx is the hexadecimal offset of
              the data at the beginning of the line and yyyy yyyy
              yyyy yyyy yyyy yyyy yyyy yyyy is up to 16 bytes  of
              hexadecimal data.

   Certificate Requests    [Toc]    [Back]
       The  input  to  generate  a  PKCS10-formatted  certificate
       request has the following form.  The output is a file containing
 the certificate request that includes the new public
 key and a file containing  the  corresponding  private
       key.

       %     -----------------------------------------------    %
       Request to generate a certificate % CertificateRequest ::=
       {
         OutputFile   ::= ":p:myhost-rsa-request.pem"

         SubjectName   ::=  <C=US, O=Compaq Computer Corporation,
       CN=myhost>

         PublicKeyInfo ::= {
           Size ::= 2048
           Type ::= rsaEncryption
           PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
         }
         Signature ::= {
           SignatureAlgorithm ::= sha1WithRSAEncryption
         }

         %
         % Extensions
         %
         Extensions ::= {
           SubjectAltNames ::= {
                               IP ::= 10.1.2.3
           }
           KeyUsage ::= {
             DigitalSignature
             KeyEncipherment
            }
         } }

       A description of the fields in the preceding  form  is  as
       follows:  A  standard,  X.509 distinguished name.  Fill in
       your own Country (C=), Organization  (O=), and Common Name
       (CN=).  Based on the size of the Certification Authority's
       (CA's) signing key.  Either rsaEncryption for an RSA  certificate
  or  dsaEncryption for a DSA certificate.  Either
       sha1WithRSAEncryption or md5WithRSAEncryption for  an  RSA
       certificate,  or dsaWithSHA-1 for a DSA certificate.  Multiple
 values with the following formats: IP ::= IP address
       (either    IPv4    or   IPv6).    DNS   ::=   fully.qualified.domain.name
     EMAIL      ::=      user@fully.qualified.domain.name
 Any or all of the following values: DigitalSignature,
 KeyEncipherment, DataEncipherment,  KeyCertSign,
  CRLSign,  EncipherOnly, ServerAuth, ClientAuth, and
       IkeIntermediate.

   Certificates    [Toc]    [Back]
       The input to generate an X.509 certificate has the following
  form.  The output is a file containing the X.509 certificate
 that includes the new public key and a file  containing
 the corresponding private key.

                                  Note

       To generate a certificate, you must have already generated
       a Certification Authority (CA) certificate  and  have  its
       private (issuer) key.

       Certificate ::= {
         OutputFile   ::= ":b:myhost-rsa.bin"

         SerialNumber ::= 1
         SubjectName   ::=  <C=US,O=Compaq  Computer Corporation,
       CN=myhost>
         IssuerName   ::=  <C=US,O=Compaq  Computer  Corporation,
       CN=My Test CA>
         Validity     ::= {
           NotBefore  ::= "1999/07/30/19:30:00"
           NotAfter   ::= "2003/12/01/12:00:00"
         }
         PublicKeyInfo ::= {
           Size ::= 1024
           Type ::= rsaEncryption
           PrivateKeyFile ::= ":b:myhost-rsa-private.bin"
         }
         Signature ::= {
           SignatureAlgorithm ::= sha1WithRSAEncryption
           IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
         }
         Extensions ::= {
           SubjectAltNames ::= {
             IP ::= 10.0.2.4
             IP ::= 10.0.3.4
           }
           ExtendedKeyUsage ::= {
             IkeIntermediate
           }
           KeyUsage ::= {
             DigitalSignature
             KeyEncipherment
           }
         } }


       A  description  of  the fields in the preceding form is as
       follows: A standard, X.509 distinguished  name.   Fill  in
       your own Country (C=), Organization  (O=), and Common Name
       (CN=).  Must match the X.509 name in the  CA  certificate.
       Specifies  a  range of dates between which the certificate
       is considered valid.  Must specify the file  name  of  the
       CA's  private  key  file.   Same as the information in the
       certificate request.  Same as the information in the  certificate
 request.

       For  a  root  CA  certificate,  you  must  set  additional
       attributes.  The input to create a CA certificate has  the
       following form:

       %  %  Root  CA certificate for a test RSA hierarchy % Certificate
 ::= {
         OutputFile   ::= ":p:test-rsa-root.pem"

         SerialNumber ::= 2124
         SubjectName  ::=  <C=US,O=Compaq  Computer  Corporation,
       CN=My Test CA>
         IssuerName    ::=  <C=US,O=Compaq  Computer Corporation,
       CN=My Test CA>
         Validity     ::= {
           NotBefore  ::= "2000/01/01/19:30:00"  % "2000 Jan 1st,
       19:30:00"
           NotAfter   ::= "2001/01/01/12:00:00"  % "2001 Jan 1st,
       12:00:00"
         }
         PublicKeyInfo ::= {
           Size ::= 1024
           Type ::= rsaEncryption
           PrivateKeyFile ::= ":p:test-rsa-root-private.pem"
         }
         Signature ::= {
           SelfSigned
           SignatureAlgorithm ::= sha1WithRSAEncryption
         }

         Extensions ::= {
           BasicConstraints ::= {
             CA
             PathLength ::= 0
           }
           KeyUsage ::= {
             DigitalSignature
             KeyCertSign
           }
         } }


       A description of the fields in the preceding  form  is  as
       follows:  Same as IssuerName.  Same as SubjectName.  Indicates
 that this is a root CA certificate.  Indicates  that
       this is a root CA certificate.

   Certificate Revocation Lists    [Toc]    [Back]
       The  input to generate a Certificate Revocation List (CRL)
       has the following form.  The output is a  file  containing
       an X.509 V2 CRL revoking the specified certificates.

                                  Note

       To  generate  a  CRL, you must have already generated a CA
       certificate and have its private (issuer) key.

       % % Revoke two of our certificates % CRL ::= {
         OutputFile ::= ":p:test-rsa-crl.pem"

         ThisUpdate ::= "2000/10/19/12:00:00"
         IssuerName ::=  <C=US,  O=Compaq  Computer  Corporation,
       CN=My Test CA>

         RevokedCertificates ::= [
           {
             SerialNumber ::= 1
             RevocationDate ::= "2000/10/19/08:00:00"
           }
           {
             SerialNumber ::= 105
             RevocationDate ::= "2000/09/30/08:00:00"
           }
         ]

         Signature ::= {
           SignatureAlgorithm ::= sha1WithRSAEncryption
           IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
         } }


       A  description  of  the fields in the preceding form is as
       follows: Specifies the date and  time  when  the  CRL  was
       issued.   Must  match the IssuerName in the CA certificate
       for  the  certificates  being  revoked.  Certificates  are
       revoked  by specifying their serial number and the revocation
 date.  A list of revoked certificates,  delimited  by
       square  brackets ([ ]).  Must specify the file name of the
       private key for the CA  certificate  of  the  certificates
       being revoked.

SEE ALSO    [Toc]    [Back]

      
      
       Commands:  ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8), ipsec_keytool(8)



                                                ipsec_certmake(8)
[ Back ]
 Similar pages
Name OS Title
CSSM_CL_CrlCache Tru64 Cache a copy of a certificate revocation list (CDSA)
CSSM_TP_CrlVerify Tru64 Verify integrity of the certificate revocation list (CDSA)
TP_CrlVerify Tru64 Verify integrity of the certificate revocation list (CDSA)
CL_CrlCache Tru64 Cache a copy of a certificate revocation list (CDSA)
certpatch OpenBSD add subjectAltName identities to X.509 certificates
SSL_CTX_load_verify_locations Tru64 Set default locations for trusted CA certificates
SSL_CTX_load_verify_locations NetBSD set default locations for trusted CA certificates
SSL_CTX_load_verify_locations OpenBSD set default locations for trusted CA certificates
CSSM_TP_CertReclaimAbort Tru64 Terminate the process of reclaiming certificates (CDSA)
TP_CertReclaimAbort Tru64 Terminate the process of reclaiming certificates (CDSA)
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service