ipsec_certmake(8)

ipsec_certmake - Creates X.509 certificates, requests, and Certificate Revocation Lists (CRLs)
/usr/sbin/ipsec_certmake [-h] file [file...]

    -h    Displays a usage message and exits.
The ipsec_certmake command enables you to create the following:

    X.509 V3 public key certificates and hierarchies of public key certificates
    Certificate revocation lists (CRLs)
    PKCS10-formatted certificate requests
This command and other related certificate commands provided
in this IPsec implementation are intended for testing
purposes only. They are not intended to provide a
complete public-key certificate infrastructure.
The ipsec_certmake command reads each definition input
file and creates the specified certificate, CRL, and certificate
request files.
Blank lines are ignored. Everything after the percent
character (%) on a line is treated as a comment.
The encoding of private key and output files is specified by preceding the path name with a formatting character, delimited by colons, as follows:

    Privacy-Enhanced Mail (PEM) format (the :p: prefix in the forms below)
        The file is encoded as Base64-encoded binary.

    Binary (DER-encoded) format (the :b: prefix in the forms below)
        The file is encoded in accordance with the Distinguished Encoding Rules (DER) of ASN.1.

    HEXL format
        The file is encoded as a hexadecimal string. Each line has the following form:

            xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy

        In this form, xxxxxxxx is the hexadecimal offset of the data at the beginning of the line and yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy is up to 16 bytes of hexadecimal data.
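As an added illustration of the HEXL line form just described (this code is not part of the man page or of the IPsec implementation it documents), a Python encoder and decoder for that layout. Treating each line's offset as a check against the bytes decoded so far is this example's choice, not documented behaviour of the tools:

```python
import re

def hexl_encode(data: bytes) -> str:
    # One line per 16 bytes: 8-digit hex offset, colon, then 2-byte groups.
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[k:k + 2].hex() for k in range(0, len(chunk), 2)]
        lines.append("%08x: %s" % (off, " ".join(groups)))
    return "".join(line + "\n" for line in lines)

# offset, colon, then groups of 2 to 4 hex digits (a trailing odd byte is "yy")
HEXL_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2,4})*)$")

def hexl_decode(text: str) -> bytes:
    # Reverse of hexl_encode. The offset on every line must equal the number of
    # bytes decoded so far, so a dropped, duplicated or reordered line is rejected.
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEXL_LINE.match(line)
        if not m or int(m.group(1), 16) != len(out):
            raise ValueError("bad HEXL line at offset %d: %r" % (len(out), line))
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)
```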
Certificate Requests
The input to generate a PKCS10-formatted certificate
request has the following form. The output is a file containing
the certificate request that includes the new public
key and a file containing the corresponding private
key.
    % ----------------------------------------------- %
    % Request to generate a certificate               %
    CertificateRequest ::= {
        OutputFile ::= ":p:myhost-rsa-request.pem"
        SubjectName ::= <C=US, O=Compaq Computer Corporation, CN=myhost>
        PublicKeyInfo ::= {
            Size ::= 2048
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
        }
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
        }
        %
        % Extensions
        %
        Extensions ::= {
            SubjectAltNames ::= {
                IP ::= 10.1.2.3
            }
            KeyUsage ::= {
                DigitalSignature
                KeyEncipherment
            }
        }
    }
A description of the fields in the preceding form is as follows:

    SubjectName
        A standard X.509 distinguished name. Fill in your own Country (C=), Organization (O=), and Common Name (CN=).

    Size
        Based on the size of the Certification Authority's (CA's) signing key.

    Type
        Either rsaEncryption for an RSA certificate or dsaEncryption for a DSA certificate.

    SignatureAlgorithm
        Either sha1WithRSAEncryption or md5WithRSAEncryption for an RSA certificate, or dsaWithSHA-1 for a DSA certificate.

    SubjectAltNames
        Multiple values with the following formats:
            IP ::= IP address (either IPv4 or IPv6)
            DNS ::= fully.qualified.domain.name
            EMAIL ::= user@fully.qualified.domain.name

    KeyUsage
        Any or all of the following values: DigitalSignature, KeyEncipherment, DataEncipherment, KeyCertSign, CRLSign, EncipherOnly, ServerAuth, ClientAuth, and IkeIntermediate.
Certificates
The input to generate an X.509 certificate has the following
form. The output is a file containing the X.509 certificate
that includes the new public key and a file containing
the corresponding private key.
Note
To generate a certificate, you must have already generated
a Certification Authority (CA) certificate and have its
private (issuer) key.
    Certificate ::= {
        OutputFile ::= ":b:myhost-rsa.bin"
        SerialNumber ::= 1
        SubjectName ::= <C=US,O=Compaq Computer Corporation,CN=myhost>
        IssuerName ::= <C=US,O=Compaq Computer Corporation,CN=My Test CA>
        Validity ::= {
            NotBefore ::= "1999/07/30/19:30:00"
            NotAfter ::= "2003/12/01/12:00:00"
        }
        PublicKeyInfo ::= {
            Size ::= 1024
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":b:myhost-rsa-private.bin"
        }
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
            IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
        }
        Extensions ::= {
            SubjectAltNames ::= {
                IP ::= 10.0.2.4
                IP ::= 10.0.3.4
            }
            ExtendedKeyUsage ::= {
                IkeIntermediate
            }
            KeyUsage ::= {
                DigitalSignature
                KeyEncipherment
            }
        }
    }
A description of the fields in the preceding form is as follows:

    SubjectName
        A standard X.509 distinguished name. Fill in your own Country (C=), Organization (O=), and Common Name (CN=).

    IssuerName
        Must match the X.509 name in the CA certificate.

    Validity
        Specifies a range of dates between which the certificate is considered valid.

    IssuerKeyFile
        Must specify the file name of the CA's private key file.

    SubjectAltNames
        Same as the information in the certificate request.

    KeyUsage
        Same as the information in the certificate request.
For a root CA certificate, you must set additional
attributes. The input to create a CA certificate has the
following form:
    %
    % Root CA certificate for a test RSA hierarchy
    %
    Certificate ::= {
        OutputFile ::= ":p:test-rsa-root.pem"
        SerialNumber ::= 2124
        SubjectName ::= <C=US,O=Compaq Computer Corporation,CN=My Test CA>
        IssuerName ::= <C=US,O=Compaq Computer Corporation,CN=My Test CA>
        Validity ::= {
            NotBefore ::= "2000/01/01/19:30:00"    % "2000 Jan 1st, 19:30:00"
            NotAfter ::= "2001/01/01/12:00:00"     % "2001 Jan 1st, 12:00:00"
        }
        PublicKeyInfo ::= {
            Size ::= 1024
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":p:test-rsa-root-private.pem"
        }
        Signature ::= {
            SelfSigned
            SignatureAlgorithm ::= sha1WithRSAEncryption
        }
        Extensions ::= {
            BasicConstraints ::= {
                CA
                PathLength ::= 0
            }
            KeyUsage ::= {
                DigitalSignature
                KeyCertSign
            }
        }
    }
A description of the fields in the preceding form is as follows:

    SubjectName
        Same as IssuerName.

    IssuerName
        Same as SubjectName.

    SelfSigned
        Indicates that this is a root CA certificate.

    BasicConstraints CA
        Indicates that this is a root CA certificate.
Certificate Revocation Lists
The input to generate a Certificate Revocation List (CRL)
has the following form. The output is a file containing
an X.509 V2 CRL revoking the specified certificates.
Note
To generate a CRL, you must have already generated a CA
certificate and have its private (issuer) key.
    %
    % Revoke two of our certificates
    %
    CRL ::= {
        OutputFile ::= ":p:test-rsa-crl.pem"
        ThisUpdate ::= "2000/10/19/12:00:00"
        IssuerName ::= <C=US, O=Compaq Computer Corporation, CN=My Test CA>
        RevokedCertificates ::= [
            {
                SerialNumber ::= 1
                RevocationDate ::= "2000/10/19/08:00:00"
            }
            {
                SerialNumber ::= 105
                RevocationDate ::= "2000/09/30/08:00:00"
            }
        ]
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
            IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
        }
    }
A description of the fields in the preceding form is as follows:

    ThisUpdate
        Specifies the date and time when the CRL was issued.

    IssuerName
        Must match the IssuerName in the CA certificate for the certificates being revoked.

    RevokedCertificates
        A list of revoked certificates, delimited by square brackets ([ ]). Certificates are revoked by specifying their serial number (SerialNumber) and the revocation date (RevocationDate).

    IssuerKeyFile
        Must specify the file name of the private key for the CA certificate of the certificates being revoked.
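An added example, not part of the man page or of the IPsec implementation it documents: a small Python parser for the definition syntax used in the request, certificate, root CA and CRL forms above, with a few pre-flight checks drawn from those forms (validity order, the root CA attributes, and the CA key file an issued certificate must name). It assumes the syntax is exactly as the forms show it (% comments, Name ::= value, { } blocks, [ ] lists, <DN> names, quoted YYYY/MM/DD/HH:MM:SS dates); the checks are this example's own, not rules ipsec_certmake is documented to enforce.

```python
import re
from datetime import datetime

# Tokens: '::=', braces/brackets, "quoted strings", <DNs>, bare words (names, flags, IPs).
TOKEN = re.compile(r'::=|[{}\[\]]|"[^"]*"|<[^>]*>|[^\s{}\[\]"<>]+')
DATE_FMT = "%Y/%m/%d/%H:%M:%S"  # the "1999/07/30/19:30:00" date form

def tokenize(text):  # everything after '%' on a line is a comment
    return TOKEN.findall("\n".join(line.split("%", 1)[0] for line in text.splitlines()))

def parse_value(toks, i):
    if toks[i] == "{":
        return parse_block(toks, i + 1)
    if toks[i] == "[":  # [ {...} {...} ] list, as in RevokedCertificates
        items, i = [], i + 1
        while toks[i] != "]":
            item, i = parse_value(toks, i)
            items.append(item)
        return items, i + 1
    return toks[i].strip('"<>'), i + 1  # scalar: drop quote or DN delimiters

def parse_block(toks, i):
    # 'Name ::= value' entries up to the matching '}'. Keys map to lists (IP may
    # repeat under SubjectAltNames); a bare name like SelfSigned or CA is a flag.
    block = {}
    while toks[i] != "}":
        key = toks[i]
        val, i = parse_value(toks, i + 2) if toks[i + 1] == "::=" else (True, i + 1)
        block.setdefault(key, []).append(val)
    return block, i + 1

def lint_certificate(text):  # pre-flight checks drawn from the page's forms
    d = parse_block(tokenize(text), 3)[0]  # body of 'Certificate ::= { ... }'
    problems, v, sig = [], d["Validity"][0], d["Signature"][0]
    if datetime.strptime(v["NotBefore"][0], DATE_FMT) >= datetime.strptime(v["NotAfter"][0], DATE_FMT):
        problems.append("NotBefore is not earlier than NotAfter")
    if "SelfSigned" in sig:  # root CA: subject is issuer, BasicConstraints CA set
        if d["SubjectName"] != d["IssuerName"]:
            problems.append("SelfSigned but SubjectName differs from IssuerName")
        if "CA" not in d.get("Extensions", [{}])[0].get("BasicConstraints", [{}])[0]:
            problems.append("root CA without BasicConstraints CA")
    elif "IssuerKeyFile" not in sig:  # issued certificate must name the CA's key
        problems.append("Signature lacks the CA's IssuerKeyFile")
    return problems
# Constructed sample (not a page file), modelled on the page's host certificate form.
HOST_CERT = '''Certificate ::= { OutputFile ::= ":b:myhost-rsa.bin"  SerialNumber ::= 1
  SubjectName ::= <C=US,O=Compaq Computer Corporation,CN=myhost>
  IssuerName ::= <C=US,O=Compaq Computer Corporation,CN=My Test CA>  % the test CA
  Validity ::= { NotBefore ::= "1999/07/30/19:30:00" NotAfter ::= "2003/12/01/12:00:00" }
  Signature ::= { SignatureAlgorithm ::= sha1WithRSAEncryption IssuerKeyFile ::= ":p:test-rsa-root-private.pem" } }'''
```

lint_certificate(HOST_CERT) returns an empty list for the sample; the same parser handles the CRL form, where RevokedCertificates parses to a list of blocks.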
Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8), ipsec_keytool(8)