pki --req - Create a PKCS#10 certificate request

       This sub-command of pki(1) is used to create a PKCS#10 certificate request.

       Generate a certificate request for an RSA key, with a subjectAltName extension and a TLS-server profile:

         pki --req --in key.der --dn "C=CH, O=strongSwan, CN=moon" \
             --san moon@strongswan.org --profile server > req.der

       Generate a certificate request for a renewed key based on an existing template

         pki --req --in myNewKey.der --oldreq myReq.der > myNewReq.der

       Generate a certificate request for an ECDSA key and a different digest:

         pki --req --in key.der --type ecdsa --digest sha256 \
             --dn "C=CH, O=strongSwan, CN=carol"  > req.der

       pki --req - Create a PKCS#10 certificate request

-h,--help
              Print usage information with a summary of the available options.

       -v,--debuglevel
              Set debug level, default: 1.

       -+,--optionsfile
              Read command line options from file.

       -i,--infile
              Private key input file. If not given the key is read from STDIN.

       -x,--keyidhex
              Smartcard or TPM private key object handle in hex format with an optional 0x prefix.

       -t,--typetype
              Type of the input key. Either priv, rsa, ecdsa or bliss, defaults to priv.

       -d,--dndistinguished-name
              Subject distinguished name (DN). Required if the --dn option is not set.

       -a,--sansubjectAltName
              subjectAltName extension to include in request. Can be used multiple times.

       -P,--profileprofile
              Certificate  profile  name  to  be  included  in  the certificate request. Can be any UTF8 string.
              Supported e.g. by openxpki (with profiles  pc-client,  tls-server,  etc.)  or  pki--issue  (with
              profiles  server, client, dual, or ocsp) that are translated into corresponding Extended Key Usage
              (EKU) flags in the generated X.509 certificate.

       -e,--flagflag
              Add extendedKeyUsage flag. One of serverAuth, clientAuth, ocspSigning or msSmartcardLogon. Can  be
              used  multiple  times.  Adds  an  X.509v3  EKU extension containing these flags to the certificate
              request.

       -p,--passwordpassword
              The challengePassword to include in the certificate request.

       -o,--oldreqfile
              Old certificate request to be used as a template. Required if the --dn  option  is  not  set.  The
              public key in the old certificate request is replaced and a fresh signature is generated using the
              new private key. Optionally a new challengePassword may be set using the --password option.

       -g,--digestdigest
              Digest  to  use  for  signature  creation.  One of sha1, sha224, sha256, sha384, sha512, sha3_224,
              sha3_256, sha3_384, or sha3_512. The default is determined based on  the  type  and  size  of  the
              signature key.

       -R,--rsa-paddingpadding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults to pkcs1.

       -f,--outformencoding
              Encoding  of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to
              der.

pki(1)

5.9.13                                             2022-08-30                                       PKI--REQ(1)

pki--req [--infile|--keyidhex] [--typetype] --dndistinguished-name [--sansubjectAltName]
                 [--profileprofile] [--flagflag] [--passwordpassword] [--digestdigest]
                 [--rsa-paddingpadding] [--outformencoding] [--debuglevel]

       pki--req [--infile|--keyidhex] [--typetype] --oldreqfile [--passwordpassword] [--digestdigest]
                 [--rsa-paddingpadding] [--outformencoding] [--debuglevel]

       pki--req--optionsfilepki--req-h | --help