ipsec_certmake(8)
NAME
ipsec_certmake - Creates X.509 certificates, requests, and Certificate
Revocation Lists (CRLs)
SYNOPSIS
/usr/sbin/ipsec_certmake [-h] file [file...]
OPTIONS
-h Displays a usage message and exits.
DESCRIPTION
The ipsec_certmake command enables you to create the following:
· X.509 V3 public key certificates and hierarchies of public key
certificates
· Certificate revocation lists (CRLs)
· PKCS10-formatted certificate requests
This command and other related certificate commands provided in this IPsec
implementation are intended for testing purposes only. They are not
intended to provide a complete public-key certificate infrastructure.
The ipsec_certmake command reads each definition input file and creates the
specified certificate, CRL, and certificate request files.
Blank lines are ignored. Everything after the percent character (%) on a
line is treated as a comment.
The encoding of private key and output files is specified by preceding the
path name with a formatting character, delimited by colons as follows:
:p: Privacy-Enhanced Mail (PEM) format
    The file contains the binary encoding as Base64 text.
:b: Binary (DER-encoded) format
    The file is encoded in accordance with the Distinguished Encoding
    Rules (DER) of ASN.1.
:h: HEXL format
    The file is encoded as a hexadecimal string. Each line has the
    following form:
        xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy
    In this form, xxxxxxxx is the hexadecimal offset of the data at the
    beginning of the line and yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy
    is up to 16 bytes of hexadecimal data.
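As an added example (not from this manual page or the IPsec implementation it documents), a small Python encoder and decoder for the HEXL layout described above. The decoder rejects lines that are not in the xxxxxxxx: yyyy ... form, offsets that do not match the bytes read so far, and lines carrying more than 16 bytes; the sample text is constructed and its bytes are arbitrary.

```python
import re

# Constructed sample in HEXL form; the bytes are arbitrary and not a real key file.
SAMPLE_HEXL = ("00000000: 3082 0102 0304 0506 0708 090a 0b0c 0d0e\n"
               "00000010: 0f10 11\n")

# One HEXL line: 8-hex-digit offset, a colon, then 2-byte groups (a trailing group may be 1 byte).
HEXL_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?)+)\s*$")

def hexl_encode(data: bytes) -> str:
    """Render bytes in HEXL layout: offset, colon, up to 16 bytes per line in 2-byte groups."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append(f"{off:08x}: {' '.join(groups)}")
    return "\n".join(lines) + "\n"

def hexl_decode(text: str) -> bytes:
    """Parse HEXL text back into bytes; reject malformed lines, offset gaps and over-long lines."""
    out = bytearray()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():                       # tolerate blank lines
            continue
        m = HEXL_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not in HEXL form")
        off = int(m.group(1), 16)
        if off != len(out):                        # offsets must run contiguously from 0
            raise ValueError(f"line {n}: offset {off:#x} but {len(out)} bytes read so far")
        chunk = bytes.fromhex(m.group(2))          # fromhex ignores the whitespace between groups
        if len(chunk) > 16:
            raise ValueError(f"line {n}: more than 16 bytes on one line")
        out += chunk
    return bytes(out)

def hexl_error(text: str):
    """Return the decode error message for text, or None when it parses cleanly."""
    try:
        hexl_decode(text)
        return None
    except ValueError as e:
        return str(e)
```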
Certificate Requests
The input to generate a PKCS10-formatted certificate request has the
following form. The output is a file containing the certificate request
that includes the new public key and a file containing the corresponding
private key.
% -----------------------------------------------
% Request to generate a certificate
%
CertificateRequest ::= {
    OutputFile ::= ":p:myhost-rsa-request.pem"
    SubjectName ::= <C=US, O=Compaq Computer Corporation, CN=myhost>
    PublicKeyInfo ::= {
        Size ::= 2048
        Type ::= rsaEncryption
        PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
    }
    Signature ::= {
        SignatureAlgorithm ::= sha1WithRSAEncryption
    }
    %
    % Extensions
    %
    Extensions ::= {
        SubjectAltNames ::= {
            IP ::= 10.1.2.3
        }
        KeyUsage ::= {
            DigitalSignature
            KeyEncipherment
        }
    }
}
A description of the fields in the preceding form is as follows:
SubjectName
    A standard X.509 distinguished name. Fill in your own Country (C=),
    Organization (O=), and Common Name (CN=).
PublicKeyInfo.Size
    The key size, chosen according to the size of the Certification
    Authority's (CA's) signing key.
PublicKeyInfo.Type
    Either rsaEncryption for an RSA certificate or dsaEncryption for a DSA
    certificate.
Signature.SignatureAlgorithm
    Either sha1WithRSAEncryption or md5WithRSAEncryption for an RSA
    certificate, or dsaWithSHA-1 for a DSA certificate.
Extensions.SubjectAltNames
    One or more values in the following formats:
    · IP ::= IP address (either IPv4 or IPv6)
    · DNS ::= fully.qualified.domain.name
    · EMAIL ::= user@fully.qualified.domain.name
Extensions.KeyUsage
    Any or all of the following values: DigitalSignature, KeyEncipherment,
    DataEncipherment, KeyCertSign, CRLSign, EncipherOnly, ServerAuth,
    ClientAuth, and IkeIntermediate.
Certificates
The input to generate an X.509 certificate has the following form. The
output is a file containing the X.509 certificate that includes the new
public key and a file containing the corresponding private key.
Note
To generate a certificate, you must have already generated a
Certification Authority (CA) certificate and have its private (issuer)
key.
Certificate ::= {
    OutputFile ::= ":b:myhost-rsa.bin"
    SerialNumber ::= 1
    SubjectName ::= <C=US,O=Compaq Computer Corporation, CN=myhost>
    IssuerName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
    Validity ::= {
        NotBefore ::= "1999/07/30/19:30:00"
        NotAfter ::= "2003/12/01/12:00:00"
    }
    PublicKeyInfo ::= {
        Size ::= 1024
        Type ::= rsaEncryption
        PrivateKeyFile ::= ":b:myhost-rsa-private.bin"
    }
    Signature ::= {
        SignatureAlgorithm ::= sha1WithRSAEncryption
        IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
    }
    Extensions ::= {
        SubjectAltNames ::= {
            IP ::= 10.0.2.4
            IP ::= 10.0.3.4
        }
        ExtendedKeyUsage ::= {
            IkeIntermediate
        }
        KeyUsage ::= {
            DigitalSignature
            KeyEncipherment
        }
    }
}
A description of the fields in the preceding form is as follows:
SubjectName
    A standard X.509 distinguished name. Fill in your own Country (C=),
    Organization (O=), and Common Name (CN=).
IssuerName
    Must match the X.509 subject name in the CA certificate.
Validity
    Specifies the range of dates between which the certificate is
    considered valid.
Signature.IssuerKeyFile
    Must specify the file name of the CA's private key file.
PublicKeyInfo
    Same as in the certificate request.
Extensions
    Same as in the certificate request.
For a root CA certificate, you must set additional attributes. The input
to create a CA certificate has the following form:
%
% Root CA certificate for a test RSA hierarchy
%
Certificate ::= {
    OutputFile ::= ":p:test-rsa-root.pem"
    SerialNumber ::= 2124
    SubjectName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
    IssuerName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
    Validity ::= {
        NotBefore ::= "2000/01/01/19:30:00" % "2000 Jan 1st, 19:30:00"
        NotAfter ::= "2001/01/01/12:00:00" % "2001 Jan 1st, 12:00:00"
    }
    PublicKeyInfo ::= {
        Size ::= 1024
        Type ::= rsaEncryption
        PrivateKeyFile ::= ":p:test-rsa-root-private.pem"
    }
    Signature ::= {
        SelfSigned
        SignatureAlgorithm ::= sha1WithRSAEncryption
    }
    Extensions ::= {
        BasicConstraints ::= {
            CA
            PathLength ::= 0
        }
        KeyUsage ::= {
            DigitalSignature
            KeyCertSign
        }
    }
}
A description of the fields in the preceding form is as follows:
SubjectName
    Must be identical to IssuerName; a root CA certificate names itself
    as its issuer.
IssuerName
    Must be identical to SubjectName.
Signature.SelfSigned
    Indicates that the certificate is signed with its own private key,
    that is, that it is a root CA certificate.
BasicConstraints
    Marks the certificate as a CA certificate; together with SelfSigned,
    this identifies a root CA certificate.
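As an added example (not part of this manual page or the IPsec implementation), a Python parser for the definition-file syntax described on this page (percent comments, Name ::= value pairs, { } blocks, [ ] lists and bare flags such as SelfSigned), together with a lint that checks a root CA definition against the rules given above for the certificate and root CA forms: SubjectName equal to IssuerName, SelfSigned present, BasicConstraints with CA, KeyCertSign in KeyUsage, and NotBefore earlier than NotAfter. The sample definition is constructed and its values are made up; the same parser reads the certificate request and CRL forms shown elsewhere on this page.

```python
import re
from datetime import datetime

SAMPLE = "\n".join([  # constructed root CA definition in the page's syntax; values are made up
    "Certificate ::= {", '  OutputFile ::= ":p:test-rsa-root.pem"', "  SerialNumber ::= 2124",
    "  SubjectName ::= <C=US, O=Example Org, CN=My Test CA>",
    "  IssuerName ::= <C=US, O=Example Org, CN=My Test CA>",
    "  Validity ::= {", '    NotBefore ::= "2000/01/01/19:30:00" % start', '    NotAfter ::= "2001/01/01/12:00:00"', "  }",
    "  Signature ::= {", "    SelfSigned", "    SignatureAlgorithm ::= sha1WithRSAEncryption", "  }",
    "  Extensions ::= {", "    BasicConstraints ::= {", "      CA", "      PathLength ::= 0", "    }",
    "    KeyUsage ::= {", "      DigitalSignature", "      KeyCertSign", "    }", "  }", "}"])

def parse(text):
    """Parse the definition syntax: '%' comments, Name ::= value, { } blocks, [ ] lists, bare flags."""
    toks = [t for t in (ln.split("%", 1)[0].strip() for ln in text.splitlines()) if t] + [None]
    pos = 0                                           # None marks the end of input
    def block(closer):
        nonlocal pos
        out = [] if closer == "]" else {}             # a [ ] list holds anonymous { } entries
        while toks[pos] != closer:
            line = toks[pos]; pos += 1
            if line == "{":
                out.append(block("}")); continue
            m = re.match(r"(\w+)\s*::=\s*(.*)$", line)
            if not m:                                 # bare flag line such as SelfSigned or CA
                out[line] = True; continue
            key, val = m.groups()
            if val in ("{", "["): val = block({"{": "}", "[": "]"}[val])
            elif val.startswith('"'): val = val.strip('"')
            elif val.isdigit(): val = int(val)
            if key in out:                            # repeated key (several IP ::=) collects into a list
                out[key] = (out[key] if isinstance(out[key], list) else [out[key]]) + [val]
            else: out[key] = val
        pos += 1                                      # consume the closer
        return out
    return block(None)

def lint_root_ca(defn):
    """Return the rules on this page that a root CA definition breaks (empty list means it passes)."""
    c, ext, problems = defn["Certificate"], defn["Certificate"]["Extensions"], []
    if c["SubjectName"] != c["IssuerName"]: problems.append("SubjectName must equal IssuerName")
    if not c["Signature"].get("SelfSigned"): problems.append("Signature needs SelfSigned")
    if not ext.get("BasicConstraints", {}).get("CA"): problems.append("BasicConstraints needs CA")
    if not ext.get("KeyUsage", {}).get("KeyCertSign"): problems.append("KeyUsage needs KeyCertSign")
    fmt = "%Y/%m/%d/%H:%M:%S"                          # the YYYY/MM/DD/HH:MM:SS form used for dates
    before, after = (datetime.strptime(c["Validity"][k], fmt) for k in ("NotBefore", "NotAfter"))
    if before >= after: problems.append("Validity: NotBefore must be earlier than NotAfter")
    return problems
```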
Certificate Revocation Lists
The input to generate a Certificate Revocation List (CRL) has the following
form. The output is a file containing an X.509 V2 CRL revoking the
specified certificates.
Note
To generate a CRL, you must have already generated a CA certificate
and have its private (issuer) key.
%
% Revoke two of our certificates
%
CRL ::= {
    OutputFile ::= ":p:test-rsa-crl.pem"
    ThisUpdate ::= "2000/10/19/12:00:00"
    IssuerName ::= <C=US, O=Compaq Computer Corporation, CN=My Test CA>
    RevokedCertificates ::= [
        {
            SerialNumber ::= 1
            RevocationDate ::= "2000/10/19/08:00:00"
        }
        {
            SerialNumber ::= 105
            RevocationDate ::= "2000/09/30/08:00:00"
        }
    ]
    Signature ::= {
        SignatureAlgorithm ::= sha1WithRSAEncryption
        IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
    }
}
A description of the fields in the preceding form is as follows:
ThisUpdate
    Specifies the date and time at which the CRL was issued.
IssuerName
    Must match the IssuerName in the CA certificate that issued the
    certificates being revoked.
RevokedCertificates
    A list of revoked certificates, delimited by square brackets ([ ]).
    Each certificate is revoked by giving its serial number and the
    revocation date.
Signature.IssuerKeyFile
    Must specify the file name of the private key of the CA certificate
    that issued the certificates being revoked.
SEE ALSO
Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8),
ipsec_keytool(8)