version 1.111, 2013/01/17 23:00:01 |
version 1.112, 2013/01/18 07:57:47 |
|
|
.Fl k |
.Fl k |
.Fl f Ar krl_file |
.Fl f Ar krl_file |
.Op Fl u |
.Op Fl u |
.Op Fl s ca_public |
.Op Fl s Ar ca_public |
.Op Fl z version_number |
.Op Fl z Ar version_number |
.Ar |
.Ar |
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl Q |
.Fl Q |
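Review bot: adding `.Ar` in `.Op Fl s Ar ca_public` and `.Op Fl z Ar version_number` is the right fix: without it the words `ca_public` and `version_number` would render as literal text instead of as argument placeholders, unlike `krl_file` in `.Fl f Ar krl_file` just above. The bare `.Ar` line that follows is the mdoc idiom for the trailing `file ...` operand and should stay as it is.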
|
|
Finally, |
Finally, |
.Nm |
.Nm |
can be used to generate and update Key Revocation Lists, and to test whether |
can be used to generate and update Key Revocation Lists, and to test whether |
given keys have been revoked by one. See the |
given keys have been revoked by one. |
|
See the |
.Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
section for details. |
section for details. |
.Pp |
.Pp |
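Review bot: moving `See the` onto its own line after `revoked by one.` follows the mdoc rule that every sentence starts on a new line, so the formatter emits proper inter-sentence spacing; this also makes the cross-reference match the separate `See the` line that precedes `.Sx KEY REVOCATION LISTS` in the `-s` option description.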
|
|
.Pp |
.Pp |
When generating a KRL, |
When generating a KRL, |
.Fl s |
.Fl s |
specifies a path to a CA public key file used to revoke certificated directly |
specifies a path to a CA public key file used to revoke certificates directly |
by key ID or serial number. |
by key ID or serial number. |
See the |
See the |
.Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
|
|
or |
or |
.Dq rsa |
.Dq rsa |
for protocol version 2. |
for protocol version 2. |
|
.It Fl u |
|
Update a KRL. |
|
When specified with |
|
.Fl k , |
|
keys listed via the command-line are added to the existing KRL rather than |
|
a new KRL being created. |
.It Fl V Ar validity_interval |
.It Fl V Ar validity_interval |
Specify a validity interval when signing a certificate. |
Specify a validity interval when signing a certificate. |
A validity interval may consist of a single time, indicating that the |
A validity interval may consist of a single time, indicating that the |
|
|
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
.Dq -1d:20110101 |
.Dq -1d:20110101 |
(valid from yesterday to midnight, January 1st, 2011). |
(valid from yesterday to midnight, January 1st, 2011). |
.It Fl u |
|
Update a KRL. |
|
When specified with |
|
.Fl k , |
|
keys listed via the command-line are added to the existing KRL rather than |
|
a new KRL being created. |
|
.It Fl v |
.It Fl v |
Verbose mode. |
Verbose mode. |
Causes |
Causes |
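Review bot: the `-u` entry is moved verbatim from after `-V` to before it, which restores the alphabetical order of the option list, so there is no text change to review in the moved block. Since it is being touched anyway, `Update a KRL.` on its own suggests `-u` does something by itself, whereas the following sentence says it only has effect together with `-k`; `Update a KRL (only meaningful with -k).` or similar would make that explicit.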
|
|
.Nm |
.Nm |
is able to manage OpenSSH format Key Revocation Lists (KRLs). |
is able to manage OpenSSH format Key Revocation Lists (KRLs). |
These binary files specify keys or certificates to be revoked using a |
These binary files specify keys or certificates to be revoked using a |
compact format; taking as little a one bit per certificate if they are being |
compact format, taking as little a one bit per certificate if they are being |
revoked by serial number. |
revoked by serial number. |
.Pp |
.Pp |
KRLs may be generated using the |
KRLs may be generated using the |
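Review bot: the semicolon-to-comma change on `compact format, taking as little a one bit per certificate` leaves the adjacent typo in place: it should read `as little as one bit per certificate`. Worth fixing in the same commit since the line is already being edited.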
|
|
.Bl -tag -width Ds |
.Bl -tag -width Ds |
.It Cm serial : Ar serial_number Op -serial_number |
.It Cm serial : Ar serial_number Op -serial_number |
Revokes a certificate with the specified serial number. |
Revokes a certificate with the specified serial number. |
Serial numbers are 64 bit values, not including zero and may be expressed |
Serial numbers are 64-bit values, not including zero and may be expressed |
in decimal, hex or octal. |
in decimal, hex or octal. |
If two serial numbers are specified separated by a hyphen, then the range |
If two serial numbers are specified separated by a hyphen, then the range |
of serial numbers including and between each is revoked. |
of serial numbers including and between each is revoked. |
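Review bot: `64 bit` to `64-bit` is the correct hyphenation for the adjectival use. Two small points on the `serial :` entry while it is touched: `not including zero and may be expressed` needs a comma after `zero`, and the entry does not say that revoking by serial number needs the CA public key supplied with `-s`, which is stated only in the `-s` option text (`used to revoke certificates directly by key ID or serial number`); a one-line cross-reference here would save readers from a confusing failure.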
|
|
option. |
option. |
.It Cm key : Ar public_key |
.It Cm key : Ar public_key |
Revokes the specified key. |
Revokes the specified key. |
In a certificate is listed, then it is revoked as a plain public key. |
If a certificate is listed, then it is revoked as a plain public key. |
.It Cm sha1 : Ar public_key |
.It Cm sha1 : Ar public_key |
Revokes the specified key by its SHA1 hash. |
Revokes the specified key by its SHA1 hash. |
.El |
.El |
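Review bot: `In a certificate` to `If a certificate` is right. The `sha1 :` entry is silent on the case that `key :` spells out (`If a certificate is listed, then it is revoked as a plain public key`): it should state whether a listed certificate is hashed as the certificate blob or as its embedded public key, so users know which SHA1 value ends up in the KRL.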