EasyRSA 3

From abotpedia
Revision as of 3 December 2014, 12:11 by MWorschech

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a command, run: ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use: ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the 'help' command above to get full usage details.

  init-pki
  build-ca [ cmd-opts ]
  gen-dh
  gen-req <filename_base> [ cmd-opts ]
  sign-req <type> <filename_base>
  build-client-full <filename_base> [ cmd-opts ]
  build-server-full <filename_base> [ cmd-opts ]
  revoke <filename_base>
  gen-crl
  update-db
  show-req <filename_base> [ cmd-opts ]
  show-cert <filename_base> [ cmd-opts ]
  import-req <request_file_path> <short_basename>
  export-p7 <filename_base> [ cmd-opts ]
  export-p12 <filename_base> [ cmd-opts ]
  set-rsa-pass <filename_base> [ cmd-opts ]
  set-ec-pass <filename_base> [ cmd-opts ]


init-pki [ cmd-opts ]

  Removes & re-initializes the PKI dir for a clean PKI

build-ca [ cmd-opts ]

  Creates a new CA

  cmd-opts:
    nopass - do not encrypt the CA key (default is encrypted)
    subca  - create a sub-CA keypair and request (default is a root CA)

gen-dh

  Generates DH (Diffie-Hellman) parameters

gen-req <filename_base> [ cmd-opts ]

  Generate a standalone keypair and request (CSR)

  This request is suitable for sending to a remote CA for signing.

  cmd-opts:
    nopass - do not encrypt the private key (default is encrypted)

sign-req <type> <filename_base>

  Sign a certificate request of the defined type. <type> must be a known type such as 'client', 'server', or 'ca' (or a user-added type.)

  This request file must exist in the reqs/ dir and have a .req file extension. See import-req below for importing reqs from other sources.

build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]

  Generate a keypair and sign locally for a client or server

  This mode uses the <filename_base> as the X509 CN.

  cmd-opts:
    nopass - do not encrypt the private key (default is encrypted)

revoke <filename_base>

  Revoke a certificate specified by the filename_base

gen-crl

  Generate a CRL

update-db

  Update the index.txt database

  This command will use the system time to update the status of issued certificates.

show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]

  Shows details of the req or cert referenced by filename_base

  Human-readable output is shown, including any requested cert options when showing a request.

  cmd-opts:
    full - show full req/cert info, including pubkey/sig data

import-req <request_file_path> <short_basename>

  Import a certificate request from a file

  This will copy the specified file into the reqs/ dir in preparation for signing. The <short_basename> is the filename base to create.

  Example usage:
    import-req /some/where/bob_request.req bob

export-p12 <filename_base> [ cmd-opts ]

  Export a PKCS#12 file with the keypair specified by <filename_base>

  cmd-opts:
    noca  - do not include the ca.crt file in the PKCS12 output
    nokey - do not include the private key in the PKCS12 output

export-p7 <filename_base> [ cmd-opts ]

  Export a PKCS#7 file with the pubkey specified by <filename_base>

  cmd-opts:
    noca - do not include the ca.crt file in the PKCS7 output

set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]

  Set a new passphrase on an RSA or EC key for the listed <filename_base>.

  cmd-opts:
    nopass - use no password and leave the key unencrypted
    file   - (advanced) treat the file as a raw path, not a short-name

--subject-alt-name=SAN_FORMAT_STRING

  This global option adds a subjectAltName to the request or issued certificate. It MUST be in a valid format accepted by openssl or req/cert generation will fail. Note that including multiple such names requires them to be comma-separated; further invocations of this option will REPLACE the value.

  Examples of the SAN_FORMAT_STRING shown below:
    DNS:alternate.example.net
    DNS:primary.example.net,DNS:alternate.example.net
    IP:203.0.113.29
    email:alternate@example.net
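
Because a repeated --subject-alt-name replaces the earlier value and a malformed string makes req/cert generation fail, the names can be checked and joined into one string first. The following is an added example, not part of easyrsa or of the original page; the function names build_san and san_entry_ok and the <filename_base> "server1" are hypothetical, and the helper accepts only the three entry types shown in the help text.

```sh
#!/bin/sh
# Added example, not part of easyrsa. Function names are hypothetical.

# san_entry_ok ENTRY: shape check for one TYPE:value entry. Assumption: only
# the types shown in the help text (DNS, IP, email) are accepted here; openssl
# itself accepts more and remains the final authority on validity.
san_entry_ok() {
    case $1 in
        DNS:?*)      case ${1#DNS:} in *[!A-Za-z0-9.*-]*) return 1 ;; esac ;;
        IP:?*)       case ${1#IP:} in *[!0-9A-Fa-f.:]*) return 1 ;; esac ;;
        email:?*@?*) case ${1#email:} in *[!A-Za-z0-9.@_+-]*) return 1 ;; esac ;;
        *)           return 1 ;;
    esac
    return 0
}

# build_san ENTRY...: print one comma-separated SAN_FORMAT_STRING, one name
# per argument. Fails on the first malformed entry (including an entry that
# already contains a comma) so the error surfaces before openssl runs.
build_san() {
    [ "$#" -gt 0 ] || { echo "build_san: no names given" >&2; return 2; }
    san=
    for entry in "$@"; do
        if ! san_entry_ok "$entry"; then
            echo "build_san: bad SAN entry: $entry" >&2
            return 1
        fi
        san=${san:+$san,}$entry
    done
    printf '%s\n' "$san"
}

# Constructed sample input, using the example values from the help text.
# "server1" is a hypothetical <filename_base>. The command is only printed.
if names=$(build_san DNS:primary.example.net DNS:alternate.example.net IP:203.0.113.29); then
    echo "./easyrsa --subject-alt-name=$names gen-req server1"
fi
```

After issuing, ./easyrsa show-cert <filename_base> can be used to confirm that every intended name appears in the certificate.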