scion-pki certificate request

Request an AS certificate from a CA

Synopsis

‘request’ requests an AS certificate from a remote CA using the provided CSR.

The provided <chain-file> and <key-file> are used to sign the CSR provided in <csr-file>. They must be valid and verifiable by the remote CA in order for the request to be served.

By default, the target CA for the request is extracted from the certificate chain that is used to sign the CSR. To select a different CA, you can specify the --ca flag with one or multiple target CAs. If multiple CAs are specified, they are tried in the order that they are declared until the first successful certificate chain renewal. If none of the declared CAs issued a verifiable certificate chain, the command returns a non-zero exit code.

The TRCs are used to validate and verify the renewed certificate chain. If the chain is not verifiable with any of the active TRCs the command returns a non-zero exit code.

The resulting certificate chain is written to stdout by default. This can be changed by specifying the --out flag.

scion-pki certificate request [flags] <csr-file> <chain-file> <key-file>

Examples

  scion-pki certificate request --trc ISD1-B1-S1.trc csr.pem cp-as.pem cp-as.key
  scion-pki certificate request --trc ISD1-B1-S1.trc,ISD1-B1-S2.trc --out cp-as.new.pem csr.pem cp-as.pem cp-as.key
  scion-pki certificate request --trc ISD1-B1-S1.trc --ca 1-ff00:0:110,1-ff00:0:111 csr.pem cp-as.pem cp-as.key
  scion-pki certificate request --trc ISD1-B1-S1.trc --remote 1-ff00:0:110,172.30.200.2 csr.pem cp-as.pem cp-as.key

Options

      --ca strings             Comma-separated list of ISD-AS identifiers of target CAs.
                               The CAs are tried in order until success or all of them failed.
                               --ca is mutually exclusive with --remote
      --dispatcher string      Path to the dispatcher socket (default "/run/shm/dispatcher/default.sock")
  -h, --help                   help for request
  -i, --interactive            interactive mode
      --isd-as isd-as          The local ISD-AS to use. (default 0-0)
  -l, --local ip               Local IP address to listen on. (default invalid IP)
      --log.level string       Console logging level verbosity (debug|info|error)
      --no-color               disable colored output
      --no-probe               do not probe paths for health
      --out string             The path to write the renewed certificate chain
      --refresh                set refresh flag for path request
      --remote stringArray     The remote CA address to use for certificate renewal.
                               The address is of the form <ISD-AS>,<IP>. --remote can be specified multiple times
                               and all specified remotes are tried in order until success or all of them failed.
                               --remote is mutually exclusive with --ca.
      --sciond string          SCION Daemon address. (default "127.0.0.1:30255")
      --sequence string        Space separated list of hop predicates
      --timeout duration       The timeout for the renewal request per CA (default 10s)
      --tracing.agent string   The tracing agent address
      --trc strings            Comma-separated list of trusted TRC files or glob patterns. If more than two TRCs are specified,
                               only up to two active TRCs with the highest Base version are used (required)
