# scion-pki certificate create¶

Create a certificate or certificate signing request

## Synopsis¶

‘create’ generates a certificate or a certificate signing request (CSR).

The command takes the following positional arguments:

• <subject-template> is the template for the certificate subject distinguished name.
• <crt-file> is the file path where the certificate or certificate requests is written to. The parent directory must exist and must be writable.
• <key-file> is the file path where the fresh private key is written to. The parent directory must exist and must be writable.

By default, the command creates a SCION control-plane PKI AS certificate. Another certificate type can be selected by providing the –profile flag. If a certificate chain is desired, specify the –bundle flag.

A fresh key is created in the provided <key-file>, unless the –key flag is set. If the –key flag is set, an existing private key is used and the <key-file> is ignored.

The –ca and –ca-key flags are required if a AS certificate or CA certificate is being created. Otherwise, they are not allowed.

The –not-before and –not-after flags can either be a timestamp or a relative time offset from the current time.

A timestamp can be provided in two different formats: unix timestamp and RFC 3339 timestamp. For example, 2021-06-24T12:01:02Z represents 1 minute and 2 seconds after the 12th hour of June 26th, 2021 in UTC.

The relative time offset can be formated as a time duration string with the following units: y, w, d, h, m, s. Negative offsets are also allowed. For example, -1h indicates the time of tool invocation minus one hour. Note that –not-after is relative to the current time if a relative time offset is used, and not to –not-before.

The <subject-template> is the template for the distinguished name of the requested certificate and must either be a x.509 certificate or a JSON file. The common name can be overridden by supplying the –common-name flag.

If it is a x.509 certificate, the subject of the template is used as the subject of the created certificate or certificate chain request.

A valid example for a JSON formatted template:

{
"common_name": "1-ff00:0:110 AS certificate",
"country": "CH",
"isd_as": "1-ff00:0:110"
}


All configurable fields with their type are defined by the following JSON schema:

{
"type": "object",
"properties": {
"isd_as":              { "type": "string" },
"common_name":         { "type": "string" },
"country":             { "type": "string" },
"locality":            { "type": "string" },
"organization":        { "type": "string" },
"organizational_unit": { "type": "string" },
"postal_code":         { "type": "string" },
"province":            { "type": "string" },
"serial_number":       { "type": "string" },
},
"required": ["isd_as"]
}


scion-pki certificate create [flags] <subject-template> <cert-file> <key-file>


## Examples¶

scion-pki certificate create --profile cp-root subject.tmpl cp-root.crt cp-root.key
scion-pki certificate create --ca cp-ca.crt --ca-key cp-ca.key subject.tmpl chain.pem cp-as.key
scion-pki certificate create --csr subject.tmpl chain.csr cp-as.key


## Options¶

    --bundle               Bundle the certificate with the issuer certificate as a certificate chain
--ca string            The path to the issuer certificate
--ca-key string        The path to the issuer private key used to sign the new certificate
--common-name string   The common name that replaces the common name in the subject template
--csr                  Generate a certificate signign request instead of a certificate
--curve string         The elliptic curve to use (P-256|P-384|P-521) (default "P-256")
--force                Force overwritting existing files
-h, --help                 help for create
--key string           The path to the existing private key to use instead of creating a new one
--not-after time       The NotAfter time of the certificate. Can either be a timestamp or an offset.

If the value is a timestamp, it is expected to either be an RFC 3339 formatted
timestamp or a unix timestamp. If the value is a duration, it is used as the
offset from the current time. (default depends on profile)
--not-before time      The NotBefore time of the certificate. Can either be a timestamp or an offset.

If the value is a timestamp, it is expected to either be an RFC 3339 formatted
timestamp or a unix timestamp. If the value is a duration, it is used as the
offset from the current time. (default 0s)
--profile string       The type of certificate to generate (cp-as|cp-ca|cp-root|sensitive-voting|regular-voting) (default "cp-as")