IMPORTANT
Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
PKI CERTIFICATE CREATE
Level
pki,modify LICENCE PKI
History
Appears in 9.0.0
tpm, tpmpassword, keytype appears in 3.10.0
force appears in 4.3.0
Description
Create a new certificate. You must have the authority private key.
For a server certificate, the CN must be a FQDN
For a user, you must precise an email.
For a SmartCard type, you must have an email and have define the CRLDP of the authority.
You can also specify the UPN (UserPrincipalName) used to login in Windows environment.
If no authority name is given, the default one is taken.
Will return an error if a certificate with the same DN already exists. Use force=1 to bypass the error and overwrite the pre-existing cert.
CACHE_CATEGORY
pki
Example
PKI CERTIFICATE CREATE type=smartcard CN="John Doe" passphrase="secret" E=j.doe@company.com UPN="john.doe@COMPANY.DOMAIN"
PKI CERTIFICATE CREATE type=server CN="www.companie.com" passphrase="secret" ALTNAMES="*.companie.com;companie.com;12.34.56.78;98.76.54.32"
Usage
type=<user|server|smartcard>
CN=<name>
passphrase=<pass>
[caname=<name>]
[shortname=<name>]
[keytype=<RSA|SECP|Brainpool>]
[size=<key size>]
[nbdays=<days>]
[C=<country>]
[ST=<state>]
[L=<locality>]
[O=<organisation>]
[OU=<unit>]
[E=<email>]
[UA=<unstructuredAddress>]
[UN=<unstructuredName>]
[S=<serial>]
[UPN=<userPrincipalName>]
[ALTNAMES=<list of ip or fqdn name separated by ;>]
[tpm=<none|ondisk>]
- none: Do not use a TPM
- ondisk: Store the private key on disk but encrypts it with a symmetric key on the TPM. Requires a firewall with a TPM
[tpmpassword=<password>]
[force=<0|1>]
Valid sizes are:
RSA: 768 1024 1536 2048 4096
SECP: 256 384 521
Brainpool: 256 384 512