scion-pki certificate create
Create a certificate or certificate signing request
Synopsis
'create' generates a certificate or a certificate signing request (CSR).
The command takes the following positional arguments:
- <subject-template> is the template for the certificate subject distinguished name.
- <cert-file> is the file path where the certificate or certificate signing request is written to. The parent directory must exist and must be writable.
- <key-file> is the file path where the fresh private key is written to. The parent directory must exist and must be writable.
By default, the command creates a SCION control-plane PKI AS certificate. Another certificate type can be selected by providing the --profile flag. If a certificate chain is desired, specify the --bundle flag.
A fresh key is created in the provided <key-file>, unless the --key flag is set. If --key is set, the existing private key is used and no new key is written.
The --ca and --ca-key flags are required if an AS certificate or a CA certificate is being created. Otherwise, they are not allowed.
The --not-before and --not-after flags can either be a timestamp or a relative time offset from the current time.
A timestamp can be provided in two different formats: unix timestamp and RFC 3339 timestamp. For example, 2021-06-24T12:01:02Z represents 12:01:02 UTC on June 24th, 2021, which is the unix timestamp 1624536062.
The relative time offset can be formatted as a time duration string with the following units: y, w, d, h, m, s. Negative offsets are also allowed. For example, -1h indicates the time of tool invocation minus one hour. Note that --not-after is relative to the current time if a relative time offset is used, and not to --not-before: --not-before -1h --not-after 24h yields a 25-hour validity window.
The <subject-template> is either an X.509 certificate or a JSON formatted template.
If it is an X.509 certificate, the subject of the template is used as the subject of the created certificate or certificate signing request.
A valid example for a JSON formatted template:

{
  "common_name": "1-ff00:0:110 AS certificate",
  "country": "CH",
  "isd_as": "1-ff00:0:110"
}
All configurable fields with their type are defined by the following JSON schema:

{
  "type": "object",
  "properties": {
    "isd_as": { "type": "string" },
    "common_name": { "type": "string" },
    "country": { "type": "string" },
    "locality": { "type": "string" },
    "organization": { "type": "string" },
    "organizational_unit": { "type": "string" },
    "postal_code": { "type": "string" },
    "province": { "type": "string" },
    "serial_number": { "type": "string" },
    "street_address": { "type": "string" }
  },
  "required": ["isd_as"]
}
For more information on JSON schemas, see https://json-schema.org/.
scion-pki certificate create [flags] <subject-template> <cert-file> <key-file>
Examples
scion-pki certificate create --profile cp-root subject.tmpl cp-root.crt cp-root.key
scion-pki certificate create --ca cp-ca.crt --ca-key cp-ca.key subject.tmpl chain.pem cp-as.key
scion-pki certificate create --csr subject.tmpl chain.csr cp-as.key
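The three invocations above are independent. As an added example, not taken from the scion-pki documentation or the SCION project, the following POSIX shell script chains them into a complete cp-root -> cp-ca -> cp-as hierarchy plus a renewal CSR, exercising --profile, --ca/--ca-key, --bundle, --key, --curve and relative --not-before/--not-after offsets. The ISD-AS 1-ff00:0:110 and all subject values are constructed for the example, and openssl is assumed to be installed for the read-back checks.

```shell
#!/bin/sh
# Added example, not part of the scion-pki documentation: build a complete
# cp-root -> cp-ca -> cp-as hierarchy and a renewal CSR with the flags
# documented on this page. ISD-AS 1-ff00:0:110 and the subject values are
# constructed; openssl is assumed to be available for the read-back checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a JSON subject template; "isd_as" is the only required field.
write_template() {            # $1 = path, $2 = common_name, $3 = isd_as
  cat > "$1" <<EOF
{
  "common_name": "$2",
  "country": "CH",
  "organization": "Example AS operator",
  "isd_as": "$3"
}
EOF
}

build_hierarchy() {
  cd "$WORK"
  write_template root.tmpl "1-ff00:0:110 Root" 1-ff00:0:110
  write_template ca.tmpl   "1-ff00:0:110 CA"   1-ff00:0:110
  write_template as.tmpl   "1-ff00:0:110 AS certificate" 1-ff00:0:110

  # 1. Self-signed root. --ca/--ca-key are not allowed for this profile.
  #    Every offset below is measured from the invocation time, so the
  #    issuer windows are opened early enough to cover their subjects.
  scion-pki certificate create --profile cp-root --curve P-384 \
    --not-before -1d --not-after 1y root.tmpl cp-root.crt cp-root.key

  # 2. CA certificate signed by the root (--ca/--ca-key required).
  scion-pki certificate create --profile cp-ca \
    --ca cp-root.crt --ca-key cp-root.key \
    --not-before -1d --not-after 6w ca.tmpl cp-ca.crt cp-ca.key

  # 3. AS certificate, bundled with the CA certificate into chain.pem.
  #    "--not-before -1h --not-after 3d" yields a 73h window, not 72h,
  #    because --not-after is relative to now, not to --not-before.
  scion-pki certificate create --profile cp-as --bundle \
    --ca cp-ca.crt --ca-key cp-ca.key \
    --not-before -1h --not-after 3d as.tmpl chain.pem cp-as.key

  # 4. Renewal CSR that reuses the AS key via --key. The <key-file>
  #    argument is still required positionally, but no new key is written.
  scion-pki certificate create --csr --key cp-as.key as.tmpl renew.csr ignored.key
}

# Read-back checks: chain.pem must carry two certificates and the leaf
# must be issued by the CA subject; the validity window is printed so the
# 73h result of the offsets in step 3 is visible.
check_chain() {
  cd "$WORK"
  [ "$(grep -c 'BEGIN CERTIFICATE' chain.pem)" -eq 2 ] || return 1
  leaf_issuer=$(openssl x509 -in chain.pem -noout -issuer | sed 's/^issuer=//')
  ca_subject=$(openssl x509 -in cp-ca.crt -noout -subject | sed 's/^subject=//')
  [ "$leaf_issuer" = "$ca_subject" ] || return 1
  openssl x509 -in chain.pem -noout -subject -startdate -enddate
  openssl req -in renew.csr -noout -subject
}

case "${1:-}" in
  run) build_hierarchy && check_chain ;;
esac
```

Run it as `sh build-chain.sh run`. The issuer windows are deliberately wider than their subjects' (root and CA start one day in the past, the AS certificate one hour in the past) because SCION chain verification rejects an AS certificate whose validity period is not covered by its CA certificate, and because the offsets are all taken from the same invocation clock rather than from each other.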
Options
--bundle Bundle the certificate with the issuer certificate as a certificate chain
--ca string The path to the issuer certificate
--ca-key string The path to the issuer private key used to sign the new certificate
--ca-kms string The URI to configure a Cloud KMS or an HSM used for signing the certificate.
--common-name string The common name that replaces the common name in the subject template
--csr Generate a certificate signing request instead of a certificate
--curve string The elliptic curve to use (P-256|P-384|P-521) (default "P-256")
--force Force overwriting existing files
-h, --help help for create
--key string The path to the existing private key to use instead of creating a new one
--kms string The URI to configure a Cloud KMS or an HSM.
--not-after time The NotAfter time of the certificate. Can either be a timestamp or an offset.
If the value is a timestamp, it is expected to either be an RFC 3339 formatted
timestamp or a unix timestamp. If the value is a duration, it is used as the
offset from the current time. (default depends on profile)
--not-before time The NotBefore time of the certificate. Can either be a timestamp or an offset.
If the value is a timestamp, it is expected to either be an RFC 3339 formatted
timestamp or a unix timestamp. If the value is a duration, it is used as the
offset from the current time. (default 0s)
--profile string The type of certificate to generate (cp-as|cp-ca|cp-root|sensitive-voting|regular-voting) (default "cp-as")
SEE ALSO
scion-pki certificate - Manage certificates for the SCION control plane PKI.