NAME
     certify - issue public key certificate

SYNOPSIS
     certify [-a] [-s | -v] [-i identity] [-l log_file]
             [ [-B -o output_file] | [ [-c] -o output_file] ]
             [-t time_period] [input_file]

AVAILABILITY
     SUNWskica

DESCRIPTION
     The certify utility generates an X.509 (version 1) public key
     certificate from a certification request (see certreq(1)). This
     utility is usually executed by a Certification Authority (CA).

     certify reads a certification request from input_file. If no
     input file is provided, the input is read from stdin. The
     certification request must be formatted either according to the
     PKCS #10 standard or as the "SignedPublicKeyAndChallenge" type
     defined by Netscape (see: Netscape Extensions for User Key
     Generation, Preliminary Navigator 3.0 Version, 6/29/96 Draft).
     In the latter case identity, an X.500 distinguished name in
     string representation, must be specified, because the Netscape
     format does not carry the requestor's name. In both cases the
     request must be supplied in the printable encoding defined by
     Internet RFC 1421 (base64 text between BEGIN and END boundary
     lines).

     certify validates the digital signature of the certification
     request, extracts its public key information, and creates an
     X.509 certificate. If the request is a PKCS #10 request, the
     distinguished name carried in the request becomes the owner
     (subject) of the generated certificate. If the request is in the
     Netscape format, the distinguished name given with -i identity
     is stored as the owner. The certificate is digitally signed with
     the issuer's private key, using MD5WithRSAEncryption as the
     signature algorithm. The issuer's identity (X.500 distinguished
     name), which appears in the issuer field of the generated
     certificate, is obtained from the CA's key package.

     time_period specifies the number of days for which the
     certificate is valid, starting from the current date and time.
     The default validity period is 3 years (3 * 365 days).

     The generated certificate is stored in output_file. If
     output_file already exists, it is overwritten. If no output file
     is given, the certificate is printed to stdout.

     By default, the generated certificate is written in the RFC 1421
     printable encoding, contained within the
     "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
     boundaries. If the -B option is used, the output is the newly
     generated certificate in binary (DER) format; -o must then be
     given to name the output_file where the certificate is stored.
     If the -c option is used, the output contains the newly
     generated certificate together with its supporting certificate
     chain, formatted as a PKCS #7 message of content type
     "signed-data". The -c option cannot be combined with -B; if both
     are given, -B is ignored and the printable encoding is used.

     Audit information about the newly created certificate, including
     the certificate creation time, issuer name, serial number, owner
     name, version, validity timeframe, and the certificate
     fingerprint (a digest computed over the certificate
     information), is appended to log_file. If log_file does not
     exist, it is created. If no log file is given, the audit
     information is appended to a file in the /etc/ski directory
     named after the user's username with the suffix ".certlog"; if
     that file does not exist, it is created.

     certify processes one input file containing a single
     certification request per invocation.

     certify requires that the CA has already registered its private
     key with the SKI keyserver (see skilogin(1)).

OPTIONS
     The following options are supported:

     -a              Print the number of certificates issued and the
                     number of certificate licenses available to
                     stdout.

     -B              Generate a binary formatted certificate and store
                     it in output_file (see option -o). The output
                     has no "-----BEGIN CERTIFICATE-----" and
                     "-----END CERTIFICATE-----" boundaries.

     -c              Store the newly generated certificate and its
                     supporting certificate chain as a PKCS #7
                     formatted message of content type "signed-data"
                     (by default, only the certificate is stored).
                     Use -c when the requestor of the certificate does
                     not have direct access to the certificates of the
                     CAs higher up in the certification hierarchy. If
                     -c is given, -B is ignored and the certificate is
                     generated in the printable encoding (the
                     default).

     -s              Run silently (no status or error information is
                     displayed).

     -v              Give verbose output. If both -v and -s are
                     specified, -v is ignored.

     -i identity     Identity of the entity requesting the
                     certificate, as an X.500 distinguished name in
                     string representation. Required when the
                     certification request is formatted according to
                     the "SignedPublicKeyAndChallenge" type defined by
                     Netscape (see: Netscape Extensions for User Key
                     Generation, Preliminary Navigator 3.0 Version,
                     6/29/96 Draft).

     -l log_file     Log file to which audit information about the
                     newly generated certificate is appended: the
                     certificate creation time, issuer name, serial
                     number, owner name, version, validity timeframe,
                     and certificate fingerprint (a digest computed
                     over the certificate information).

     -o output_file  File where the newly generated certificate (and
                     optionally its supporting certificate chain) is
                     stored.

     -t time_period  Validity period of the generated certificate, in
                     days, starting from the current date and time.
                     Defaults to 3 years (3 * 365 days).

EXIT STATUS
     The certify command exits with 0 if successful and 1 otherwise.

SEE ALSO
     certreq(1), keypkg(1), skilogin(1)

NOTES
     Issuing a certificate is a security-sensitive act that carries
     great responsibility; run the certify command with care.

     Before issuing a certificate, the CA should verify the
     requestor's identity by an out-of-band mechanism. The format and
     validation procedure of the credentials a certificate requestor
     presents to a CA are a local matter, subject to the CA policy in
     place.

     Because of the seriousness of certificate generation, the certify
     command should be run only on a dedicated, off-line machine.
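The DESCRIPTION above fixes what certify expects on its input (a single PKCS #10 request in RFC 1421 printable encoding, whose distinguished name becomes the certificate owner) and what it records in the audit log (among other things a fingerprint digest). The following Python 3 script is an added example written for this page; it is not part of SKI or of the certify program. Using only the standard library, it acts as a pre-flight inspector a CA operator could run on a request file before handing it to certify: it requires exactly one BEGIN/END block with a CERTIFICATE REQUEST label, decodes the base64 body, walks the DER structure, rejects anything that is not a version-0 PKCS #10 CertificationRequest, and reports the subject DN, the public-key and signature algorithm OIDs, and a SHA-256 fingerprint of the DER. The request it parses is constructed inline with a tiny DER encoder: the key bits and signature are placeholders, the script does not verify the request's signature (certify does that itself), and the Netscape SignedPublicKeyAndChallenge form is not handled.

```python
"""Pre-flight inspector for a PKCS #10 request in RFC 1421 printable encoding.
Added example for this page, not SKI/certify code; stdlib only. It does not verify
the request's signature (certify does that) and does not handle the Netscape format."""
import base64, hashlib, re

def der(tag, body):  # one DER TLV; short-form length only (the sample is < 128 bytes)
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted notation: first two arcs packed, base-128 rest."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc := arc >> 7:
            enc.insert(0, 0x80 | (arc & 0x7F))
        out += enc
    return der(0x06, bytes(out))

SAMPLE_DN = [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "alice")]
def build_sample_csr():
    """Constructed PKCS #10 CertificationRequest; key bits and signature are dummies."""
    rdns = (der(0x31, der(0x30, der_oid(o) + der(0x13, v.encode()))) for o, v in SAMPLE_DN)
    name = der(0x30, b"".join(rdns))  # SEQUENCE OF SET OF AttributeTypeAndValue
    rsa = der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))  # rsaEncryption
    spki = der(0x30, rsa + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x03") * 2)))
    info = der(0x30, der(0x02, b"\x00") + name + spki + der(0xA0, b""))  # version 0
    md5rsa = der(0x30, der_oid("1.2.840.113549.1.1.4") + der(0x05, b""))  # md5WithRSA
    return der(0x30, info + md5rsa + der(0x03, b"\x00" + bytes(16)))

def pem_encode(label, blob):
    """RFC 1421 printable encoding: base64 in 64-column lines between boundaries."""
    b64 = base64.b64encode(blob).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

SAMPLE_PEM = pem_encode("CERTIFICATE REQUEST", build_sample_csr())  # constructed input
class RequestError(ValueError): pass  # input is not one well-formed PKCS #10 request

def read_tlv(buf, off):
    """(tag, value, next_offset) of the DER element starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length octets
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    if off + n > len(buf):
        raise RequestError("DER length exceeds input")
    return tag, buf[off:off + n], off + n

def children(body):
    """(tag, value) pairs making up the content of a constructed element."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def oid_str(raw):
    """Dotted notation from OID content octets (inverse of der_oid)."""
    arcs, cur = [], 0
    for b in raw:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
def dn_string(name_body):
    """Render an X.501 Name as 'C=.., O=.., CN=..' (unknown types shown as OIDs)."""
    parts = []
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            o = oid_str(oid)
            parts.append(f"{SHORT_NAMES.get(o, o)}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
def inspect_request(text):
    """Require exactly one PEM-wrapped PKCS #10 request; return its key facts."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:  # certify processes a single request per invocation
        raise RequestError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        raise RequestError(f"unexpected PEM label {label!r}")
    raw = base64.b64decode("".join(body.split()), validate=True)
    tag, outer, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise RequestError("input is not a single DER SEQUENCE")
    (_, info), (_, sig_alg), _ = children(outer)
    (_, version), (_, name), (_, spki), *_ = children(info)
    if int.from_bytes(version, "big") != 0:
        raise RequestError("PKCS #10 version must be 0")
    return {
        "subject": dn_string(name),  # this DN becomes the certificate owner
        "key_algorithm": oid_str(children(children(spki)[0][1])[0][1]),
        "signature_algorithm": oid_str(children(sig_alg)[0][1]),
        "fingerprint_sha256": hashlib.sha256(raw).hexdigest(),
    }
```

Running `inspect_request(SAMPLE_PEM)` yields the subject `C=US, O=Example Corp, CN=alice`, the key algorithm OID 1.2.840.113549.1.1.1 (rsaEncryption) and the signature algorithm OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption); a file holding two concatenated requests, or a CERTIFICATE block instead of a request, raises RequestError before anything is passed to the CA. The signature algorithm is reported deliberately: MD5WithRSAEncryption, which this version of certify also uses for the certificates it issues, has long been considered unsuitable for certificate signatures, and a CA operating today should expect and produce SHA-256 signatures instead. The fingerprint here is over the whole DER request; the fingerprint certify writes to its audit log is its own digest over the issued certificate, so the two are not comparable.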