command_register((command_t) {
sign_crl, 'c', "signcrl",
"issue a CRL using a CA certificate and key",
- {"--cacert file --cakey file | --cakeyid hex --lifetime days",
- "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+",
- "[ [--reason key-compromise|ca-compromise|affiliation-changed|",
+ {"--cacert file --cakey file|--cakeyid hex [--lifetime days]",
+ " [--lastcrl crl] [--basecrl crl] [--crluri uri]+",
+ " [[--reason key-compromise|ca-compromise|affiliation-changed|",
" superseded|cessation-of-operation|certificate-hold]",
- " [--date timestamp]",
- " --cert file | --serial hex ]*",
- "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
+ " [--date timestamp] --cert file|--serial hex]*",
+ " [--digest md5|sha1|sha224|sha256|sha384|sha512]",
+ " [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"cacert", 'c', 1, "CA certificate file"},
--- /dev/null
+.TH "PKI \-\-SIGNCRL" 8 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certificate and key
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-signcrl
+.BI \-\-cakey\~ file |\-\-cakeyid\~ hex
+.BI \-\-cacert\~ file
+.OP \-\-lifetime days
+.OP \-\-lastcrl crl
+.OP \-\-basecrl crl
+.OP \-\-crluri uri
+.OP \-\-digest digest
+.OP \fR[\fB\-\-reason\ \fIreason\fR]\ \fR[\fB\-\-date\ \fIts\fR]\ \fB\-\-cert\ \fIfile\fB|\-\-serial\ \fIhex\fR
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-signcrl
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-signcrl"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR ipsec\-pki (8)
+is used to issue a Certificate Revocation List (CRL) using a CA certificate and
+private key.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-k, \-\-cakey " file
+CA private key file. Either this or
+.B \-\-cakeyid
+is required.
+.TP
+.BI "\-x, \-\-cakeyid " hex
+Key ID of a CA private key on a smartcard. Either this or
+.B \-\-cakey
+is required.
+.TP
+.BI "\-c, \-\-cacert " file
+CA certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " days
+Days until the CRL gets a nextUpdate, default: 15.
+.TP
+.BI "\-a, \-\-lastcrl " crl
+CRL of lastUpdate to copy revocations from.
+.TP
+.BI "\-b, \-\-basecrl " crl
+Base CRL to create a delta CRL for.
+.TP
+.BI "\-u, \-\-crluri " uri
+Freshest delta CRL URI to include in CRL. Can be used multiple times.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.PP
+.SS "Revoked Certificates"
+Multiple revoked certificates can be added to the CRL by either providing the
+certificate file or the respective serial number directly.
+A reason and a timestamp can be configured for each revocation (they have to be
+given before each certificate/serial on the command line).
+.TP
+.BI "\-r, \-\-reason " reason
+The reason why the certificate was revoked. One of \fIkey\-compromise\fR,
+\fIca\-compromise\fR, \fIaffiliation\-changed\fR, \fIsuperseded\fR,
+\fIcessation\-of\-operation\fR, or \fIcertificate\-hold\fR.
+.TP
+.BI "\-d, \-\-date " ts
+Revocation date as Unix timestamp. Defaults to the current time.
+.TP
+.BI "\-z, \-\-cert " file
+Certificate file to revoke.
+.TP
+.BI "\-s, \-\-serial " hex
+Hexadecimal encoded serial number of the certificate to revoke.
+.
+.SH "EXAMPLES"
+.
+Revoke a certificate:
+.PP
+.EX
+ ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-reason superseded \-\-cert cert.der > crl.der
+.EE
+.PP
+Update an existing CRL with two new revocations, using the certificate's serial
+number, but no reason:
+.PP
+.EX
+ ipsec pki \-\-signcrl \-\-cacert ca_cert.der \-\-cakey ca_key.der \\
+ \-\-lastcrl old_crl.der \-\-serial 0123 \-\-serial 0345 > crl.der
+.EE
+.PP
+.SH "SEE ALSO"
+.
+.BR ipsec\-pki (8)
\ No newline at end of file