ipsec_certmake(8)
NAME
ipsec_certmake - Creates X.509 certificates, requests, and Certificate
Revocation Lists (CRLs)
SYNOPSIS
/usr/sbin/ipsec_certmake [-h] file [file...]
OPTIONS
-h  Displays a usage message and exits.
DESCRIPTION
The ipsec_certmake command enables you to create the following:
  * X.509 V3 public key certificates and hierarchies of public key
    certificates
  * Certificate revocation lists (CRLs)
  * PKCS10-formatted certificate requests
This command and other related certificate commands provided in this
IPsec implementation are intended for testing purposes only. They are
not intended to provide a complete public-key certificate
infrastructure.
The ipsec_certmake command reads each definition input file and creates
the specified certificate, CRL, and certificate request files.
Blank lines are ignored. Everything after the percent character (%) on
a line is treated as a comment.
The encoding of private key and output files is specified by preceding
the path name with a formatting character, delimited by colons, as
follows:
  Privacy-Encoded-Mail (PEM) format
      The file is encoded as a Base64-encoded binary.
  Binary (DER-encoded) format
      The file is encoded in accordance with the Distinguished
      Encoding Rules (DER) of ASN.1.
  HEXL format
      The file is encoded as a hexadecimal string. Each line has the
      following form:
          xxxxxxxx: yyyy yyyy yyyy yyyy yyyy yyyy yyyy yyyy
      In this form, xxxxxxxx is the hexadecimal offset of the data at
      the beginning of the line and yyyy yyyy yyyy yyyy yyyy yyyy yyyy
      yyyy is up to 16 bytes of hexadecimal data.
Certificate Requests
The input to generate a PKCS10-formatted certificate request has the
following form. The output is a file containing the certificate
request that includes the new public key and a file containing the
corresponding private key.
    % -----------------------------------------------
    % Request to generate a certificate
    %
    CertificateRequest ::= {
        OutputFile ::= ":p:myhost-rsa-request.pem"
        SubjectName ::= <C=US, O=Compaq Computer Corporation, CN=myhost>
        PublicKeyInfo ::= {
            Size ::= 2048
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":p:myhost-rsa-private.pem"
        }
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
        }
        %
        % Extensions
        %
        Extensions ::= {
            SubjectAltNames ::= {
                IP ::= 10.1.2.3
            }
            KeyUsage ::= {
                DigitalSignature
                KeyEncipherment
            }
        }
    }
A description of the fields in the preceding form is as follows:
  * A standard, X.509 distinguished name. Fill in your own Country
    (C=), Organization (O=), and Common Name (CN=).
  * Based on the size of the Certification Authority's (CA's) signing
    key.
  * Either rsaEncryption for an RSA certificate or dsaEncryption for a
    DSA certificate.
  * Either sha1WithRSAEncryption or md5WithRSAEncryption for an RSA
    certificate, or dsaWithSHA-1 for a DSA certificate.
  * Multiple values with the following formats:
        IP ::= IP address (either IPv4 or IPv6)
        DNS ::= fully.qualified.domain.name
        EMAIL ::= user@fully.qualified.domain.name
  * Any or all of the following values: DigitalSignature,
    KeyEncipherment, DataEncipherment, KeyCertSign, CRLSign,
    EncipherOnly, ServerAuth, ClientAuth, and IkeIntermediate.
Certificates
The input to generate an X.509 certificate has the following form. The
output is a file containing the X.509 certificate that includes the new
public key and a file containing the corresponding private key.
Note
To generate a certificate, you must have already generated a
Certification Authority (CA) certificate and have its private (issuer)
key.
    Certificate ::= {
        OutputFile ::= ":b:myhost-rsa.bin"
        SerialNumber ::= 1
        SubjectName ::= <C=US,O=Compaq Computer Corporation, CN=myhost>
        IssuerName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
        Validity ::= {
            NotBefore ::= "1999/07/30/19:30:00"
            NotAfter ::= "2003/12/01/12:00:00"
        }
        PublicKeyInfo ::= {
            Size ::= 1024
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":b:myhost-rsa-private.bin"
        }
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
            IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
        }
        Extensions ::= {
            SubjectAltNames ::= {
                IP ::= 10.0.2.4
                IP ::= 10.0.3.4
            }
            ExtendedKeyUsage ::= {
                IkeIntermediate
            }
            KeyUsage ::= {
                DigitalSignature
                KeyEncipherment
            }
        }
    }
A description of the fields in the preceding form is as follows:
  * A standard, X.509 distinguished name. Fill in your own Country
    (C=), Organization (O=), and Common Name (CN=).
  * Must match the X.509 name in the CA certificate.
  * Specifies a range of dates between which the certificate is
    considered valid.
  * Must specify the file name of the CA's private key file.
  * Same as the information in the certificate request.
  * Same as the information in the certificate request.
For a root CA certificate, you must set additional attributes. The
input to create a CA certificate has the following form:
    %
    % Root CA certificate for a test RSA hierarchy
    %
    Certificate ::= {
        OutputFile ::= ":p:test-rsa-root.pem"
        SerialNumber ::= 2124
        SubjectName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
        IssuerName ::= <C=US,O=Compaq Computer Corporation, CN=My Test CA>
        Validity ::= {
            NotBefore ::= "2000/01/01/19:30:00" % "2000 Jan 1st, 19:30:00"
            NotAfter ::= "2001/01/01/12:00:00" % "2001 Jan 1st, 12:00:00"
        }
        PublicKeyInfo ::= {
            Size ::= 1024
            Type ::= rsaEncryption
            PrivateKeyFile ::= ":p:test-rsa-root-private.pem"
        }
        Signature ::= {
            SelfSigned
            SignatureAlgorithm ::= sha1WithRSAEncryption
        }
        Extensions ::= {
            BasicConstraints ::= {
                CA
                PathLength ::= 0
            }
            KeyUsage ::= {
                DigitalSignature
                KeyCertSign
            }
        }
    }
A description of the fields in the preceding form is as follows:
  * Same as IssuerName.
  * Same as SubjectName.
  * Indicates that this is a root CA certificate.
  * Indicates that this is a root CA certificate.
Certificate Revocation Lists
The input to generate a Certificate Revocation List (CRL) has the
following form. The output is a file containing an X.509 V2 CRL revoking
the specified certificates.
Note
To generate a CRL, you must have already generated a CA certificate and
have its private (issuer) key.
    %
    % Revoke two of our certificates
    %
    CRL ::= {
        OutputFile ::= ":p:test-rsa-crl.pem"
        ThisUpdate ::= "2000/10/19/12:00:00"
        IssuerName ::= <C=US, O=Compaq Computer Corporation, CN=My Test CA>
        RevokedCertificates ::= [
            {
                SerialNumber ::= 1
                RevocationDate ::= "2000/10/19/08:00:00"
            }
            {
                SerialNumber ::= 105
                RevocationDate ::= "2000/09/30/08:00:00"
            }
        ]
        Signature ::= {
            SignatureAlgorithm ::= sha1WithRSAEncryption
            IssuerKeyFile ::= ":p:test-rsa-root-private.pem"
        }
    }
A description of the fields in the preceding form is as follows:
  * Specifies the date and time when the CRL was issued.
  * Must match the IssuerName in the CA certificate for the
    certificates being revoked.
  * Certificates are revoked by specifying their serial number and the
    revocation date.
  * A list of revoked certificates, delimited by square brackets ([ ]).
  * Must specify the file name of the private key for the CA
    certificate of the certificates being revoked.
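
The name-matching and validity rules stated above can be checked before a definition file is handed to ipsec_certmake. The following Python sketch is an added example, not part of this IPsec implementation: the function names are hypothetical, the grammar is inferred from the examples on this page, and treating names as equal regardless of spaces after commas is an assumption. It only recognizes a CA that is defined in the same input.

```python
import re
from datetime import datetime
TOKEN = re.compile(r'"[^"]*"|<[^>]*>|::=|[{}\[\]]|[^\s{}\[\]]+')
OPEN, FMT = {"{": "}", "[": "]"}, "%Y/%m/%d/%H:%M:%S"

def tokenize(text):  # everything after % on a line is a comment
    return [t for ln in text.splitlines() for t in TOKEN.findall(ln.split("%", 1)[0])]

def parse(toks, i=0, close=None):
    entries = []  # (key, value) pairs; keys such as IP may repeat
    while i < len(toks) and toks[i] != close:
        key, val, i = toks[i], True, i + 1          # bare word = flag (SelfSigned, CA)
        if key in OPEN:                             # anonymous { } item inside a [ ] list
            val, i = parse(toks, i, OPEN[key])
        elif toks[i:i + 1] == ["::="]:
            val, i = toks[i + 1], i + 2
            val, i = parse(toks, i, OPEN[val]) if val in OPEN else (val.strip('"'), i)
        entries.append((key, val))
    return entries, i + 1

def get(entries, *keys):  # walk nested blocks; None if any key is missing
    for key in keys:
        entries = next((v for k, v in entries or [] if k == key), None)
    return entries

def dn(name):  # assumption: names match regardless of spaces after commas
    return ",".join(p.strip() for p in (name or "").strip("<>").split(","))

def check(text):
    defs = parse(tokenize(text))[0]
    cas = {dn(get(b, "SubjectName")) for _, b in defs
           if get(b, "Extensions", "BasicConstraints", "CA")}
    problems = []
    for kind, body in defs:
        issuer = dn(get(body, "IssuerName"))
        if get(body, "Signature", "SelfSigned") and issuer != dn(get(body, "SubjectName")):
            problems.append(f"{kind}: SelfSigned but SubjectName differs from IssuerName")
        if get(body, "Signature", "IssuerKeyFile") and issuer not in cas:
            problems.append(f"{kind}: IssuerName matches no CA defined in this input")
        nb, na = (get(body, "Validity", k) for k in ("NotBefore", "NotAfter"))
        if nb and na and datetime.strptime(nb, FMT) >= datetime.strptime(na, FMT):
            problems.append(f"{kind}: NotBefore is not earlier than NotAfter")
    return problems

SAMPLE = """% constructed input, not taken from the man page
Certificate ::= { SubjectName ::= <C=US,O=Example, CN=My Test CA>
  IssuerName ::= <C=US, O=Example, CN=My Test CA>
  Signature ::= { SelfSigned }  Extensions ::= { BasicConstraints ::= { CA } } }
CRL ::= { IssuerName ::= <C=US,O=Example,CN=My Tset CA>   % typo in CN
  Signature ::= { IssuerKeyFile ::= ":p:ca-private.pem" } }"""
```

Calling check(SAMPLE) reports the CRL, whose IssuerName does not match the CA's SubjectName.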
SEE ALSO
Commands: ipsec_certview(8), ipsec_convert(8), ipsec_keypaircheck(8),
ipsec_keytool(8)