scion-pki certificate sign¶
Sign a certificate based on a certificate signing request
‘sign’ creates a certificate based on a certificate signing request (CSR).
The command takes the following positional arguments:
- <csr-file> is the file path where the PEM-encoded certificate signing request is located.
By default, the command creates a SCION control-plane PKI AS certificate. Another certificate type can be selected by providing the –profile flag. If a certificate chain is desired, specify the –bundle flag.
The –ca and –ca-key flags are required.
The –not-before and –not-after flags can either be a timestamp or a relative time offset from the current time.
A timestamp can be provided in two different formats: unix timestamp and RFC 3339 timestamp. For example, 2021-06-24T12:01:02Z represents 1 minute and 2 seconds after the 12th hour of June 26th, 2021 in UTC.
The relative time offset can be formated as a time duration string with the following units: y, w, d, h, m, s. Negative offsets are also allowed. For example, -1h indicates the time of tool invocation minus one hour. Note that –not-after is relative to the current time if a relative time offset is used, and not to –not-before.
scion-pki certificate sign [flags] <csr-file>
scion-pki certificate sign --ca cp-ca.crt --ca-key cp-ca.key cp-as.csr scion-pki certificate sign --profile cp-ca --ca cp-root.crt --ca-key cp-root.key cp-ca.csr
--bundle Bundle the certificate with the issuer certificate as a certificate chain --ca string The path to the issuer certificate --ca-key string The path to the issuer private key used to sign the new certificate -h, --help help for sign --not-after time The NotAfter time of the certificate. Can either be a timestamp or an offset. If the value is a timestamp, it is expected to either be an RFC 3339 formatted timestamp or a unix timestamp. If the value is a duration, it is used as the offset from the current time. (default depends on profile) --not-before time The NotBefore time of the certificate. Can either be a timestamp or an offset. If the value is a timestamp, it is expected to either be an RFC 3339 formatted timestamp or a unix timestamp. If the value is a duration, it is used as the offset from the current time. (default 0s) --profile string The type of certificate to sign (cp-as|cp-ca) (default "cp-as")