scion-pki certificate create

Create a certificate or certificate signing request

Synopsis

‘create’ generates a certificate or a certificate signing request (CSR).

The command takes the following positional arguments:

  • is the template for the certificate subject distinguished name.

  • is the file path where the certificate or certificate requests is written to. The parent directory must exist and must be writable.

  • is the file path where the fresh private key is written to. The parent directory must exist and must be writable.

By default, the command creates a SCION control-plane PKI AS certificate. Another certificate type can be selected by providing the –profile flag. If a certificate chain is desired, specify the –bundle flag.

A fresh key is created in the provided , unless the –key flag is set. If the –key flag is set, an existing private key is used and the is ignored.

The –ca and –ca-key flags are required if a AS certificate or CA certificate is being created. Otherwise, they are not allowed.

The –not-before and –not-after flags can either be a timestamp or a relative time offset from the current time.

A timestamp can be provided in two different formats: unix timestamp and RFC 3339 timestamp. For example, 2021-06-24T12:01:02Z represents 1 minute and 2 seconds after the 12th hour of June 26th, 2021 in UTC.

The relative time offset can be formated as a time duration string with the following units: y, w, d, h, m, s. Negative offsets are also allowed. For example, -1h indicates the time of tool invocation minus one hour. Note that –not-after is relative to the current time if a relative time offset is used, and not to –not-before.

The is the template for the distinguished name of the requested certificate and must either be a x.509 certificate or a JSON file. The common name can be overridden by supplying the –common-name flag.

If it is a x.509 certificate, the subject of the template is used as the subject of the created certificate or certificate chain request.

A valid example for a JSON formatted template::

{ “common_name”: “1-ff00:0:110 AS certificate”, “country”: “CH”, “isd_as”: “1-ff00:0:110” }

All configurable fields with their type are defined by the following JSON schema::

{ “type”: “object”, “properties”: { “isd_as”: { “type”: “string” }, “common_name”: { “type”: “string” }, “country”: { “type”: “string” }, “locality”: { “type”: “string” }, “organization”: { “type”: “string” }, “organizational_unit”: { “type”: “string” }, “postal_code”: { “type”: “string” }, “province”: { “type”: “string” }, “serial_number”: { “type”: “string” }, “street_address”: { “type”: “string” }, }, “required”: [“isd_as”] }

For more information on JSON schemas, see https://json-schema.org/.

scion-pki certificate create [flags] <subject-template> <cert-file> <key-file>

Examples

  scion-pki certificate create --profile cp-root subject.tmpl cp-root.crt cp-root.key
  scion-pki certificate create --ca cp-ca.crt --ca-key cp-ca.key subject.tmpl chain.pem cp-as.key
  scion-pki certificate create --csr subject.tmpl chain.csr cp-as.key

Options

      --bundle               Bundle the certificate with the issuer certificate as a certificate chain
      --ca string            The path to the issuer certificate
      --ca-key string        The path to the issuer private key used to sign the new certificate
      --ca-kms string        The uri to configure a Cloud KMS or an HSM used for signing the certificate.
      --common-name string   The common name that replaces the common name in the subject template
      --csr                  Generate a certificate signign request instead of a certificate
      --curve string         The elliptic curve to use (P-256|P-384|P-521) (default "P-256")
      --force                Force overwritting existing files
  -h, --help                 help for create
      --key string           The path to the existing private key to use instead of creating a new one
      --kms string           The uri to configure a Cloud KMS or an HSM.
      --not-after time       The NotAfter time of the certificate. Can either be a timestamp or an offset.
                             
                             If the value is a timestamp, it is expected to either be an RFC 3339 formatted
                             timestamp or a unix timestamp. If the value is a duration, it is used as the
                             offset from the current time. (default depends on profile)
      --not-before time      The NotBefore time of the certificate. Can either be a timestamp or an offset.
                             
                             If the value is a timestamp, it is expected to either be an RFC 3339 formatted
                             timestamp or a unix timestamp. If the value is a duration, it is used as the
                             offset from the current time. (default 0s)
      --profile string       The type of certificate to generate (cp-as|cp-ca|cp-root|sensitive-voting|regular-voting) (default "cp-as")

SEE ALSO