PKI CERTIFICATE CREATE

Level

pki+modify LICENCE PKI

History

Appears in 9 0 0
tpm, tpmpassword, keytype appears in 3 10 0
force appears in 4 3 0

Description

Create a new certificate You must have the authority private key
For a server certificate, the CN must be a FQDN
For a user, you must precise an email

For a SmartCard type, you must have an email and have define the CRLDP of the authority
You can also specify the UPN (UserPrincipalName) used to login in Windows environment
If no authority name is given, the default one is taken Will return an error if a certificate with the same DN already exists Use force=1 to bypass the error and overwrite the pre-existing cert CACHE_CATEGORY pki

Example

PKI CERTIFICATE CREATE type=smartcard CN="John Doe" passphrase="secret" E=j doe@company com UPN="john doe@COMPANY DOMAIN"
PKI CERTIFICATE CREATE type=server CN="www companie com" passphrase="secret" ALTNAMES="* companie com;companie com;12 34 56 78;98 76 54 32"

Usage

type=<user|server|smartcard>
CN=<name>
passphrase=<pass>
[caname=<name>]
[shortname=<name>]
[keytype=<RSA|SECP|Brainpool>]
[size=<key size>]
[nbdays=<days>]
[C=<country>]
[ST=<state>]
[L=<locality>]
[O=<organisation>]
[OU=<unit>]
[E=<email>]
[UA=<unstructuredAddress>]
[UN=<unstructuredName>]
[S=<serial>]
[UPN=<userPrincipalName>]
[ALTNAMES=<list of ip or fqdn name separated by ;>]
[tpm=<none|ondisk>]
- none: Do not use a TPM
- ondisk: Store the private key on disk but encrypts it with a symmetric key on the TPM Requires a firewall with a TPM
[tpmpassword=<password>]
[force=<0|1>]
Valid sizes are:
RSA: 768 1024 1536 2048 4096
SECP: 256 384 521
Brainpool: 256 384 512