PKI CERTIFICATE CREATE

Level

pki,modify LICENCE PKI

History

Appears in 9.0.0
tpm, tpmpassword, keytype appears in 3.10.0
force appears in 4.3.0

Description

Create a new certificate. You must have the authority private key.
For a server certificate, the CN must be a FQDN
For a user, you must precise an email.

For a SmartCard type, you must have an email and have define the CRLDP of the authority.
You can also specify the UPN (UserPrincipalName) used to login in Windows environment.
If no authority name is given, the default one is taken. Will return an error if a certificate with the same DN already exists. Use force=1 to bypass the error and overwrite the pre-existing cert.

Cache category

pki

Example

PKI CERTIFICATE CREATE type=smartcard CN="John Doe" passphrase="secret" E=j.doe@company.com UPN="john.doe@COMPANY.DOMAIN"
PKI CERTIFICATE CREATE type=server CN="www.companie.com" passphrase="secret" ALTNAMES="*.companie.com;companie.com;12.34.56.78;98.76.54.32"

Usage

type=<user|server|smartcard>
CN=<name>
passphrase=<pass>
[caname=<name>]
[shortname=<name>]
[keytype=<RSA|SECP|Brainpool>]
[size=<key size>]
[nbdays=<days>]
[C=<country>]
[ST=<state>]
[L=<locality>]
[O=<organisation>]
[OU=<unit>]
[E=<email>]
[UA=<unstructuredAddress>]
[UN=<unstructuredName>]
[S=<serial>]
[UPN=<userPrincipalName>]
[ALTNAMES=<list of ip or fqdn name separated by ;>]
[tpm=<none|ondisk>]
- none: Do not use a TPM
- ondisk: Store the private key on disk but encrypts it with a symmetric key on the TPM. Requires a firewall with a TPM
[tpmpassword=<password>]
[force=<0|1>]
Valid sizes are:
RSA: 768 1024 1536 2048 4096
SECP: 256 384 521
Brainpool: 256 384 512

Format

section