| version 1.111, 2013/01/17 23:00:01 |
version 1.112, 2013/01/18 07:57:47 |
|
|
| .Fl k |
.Fl k |
| .Fl f Ar krl_file |
.Fl f Ar krl_file |
| .Op Fl u |
.Op Fl u |
| .Op Fl s ca_public |
.Op Fl s Ar ca_public |
| .Op Fl z version_number |
.Op Fl z Ar version_number |
| .Ar |
.Ar |
| .Nm ssh-keygen |
.Nm ssh-keygen |
| .Fl Q |
.Fl Q |
|
|
| Finally, |
Finally, |
| .Nm |
.Nm |
| can be used to generate and update Key Revocation Lists, and to test whether |
can be used to generate and update Key Revocation Lists, and to test whether |
| given keys have been revoked by one. See the |
given keys have been revoked by one. |
| |
See the |
| .Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
| section for details. |
section for details. |
| .Pp |
.Pp |
|
|
| .Pp |
.Pp |
| When generating a KRL, |
When generating a KRL, |
| .Fl s |
.Fl s |
| specifies a path to a CA public key file used to revoke certificated directly |
specifies a path to a CA public key file used to revoke certificates directly |
| by key ID or serial number. |
by key ID or serial number. |
| See the |
See the |
| .Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
|
|
| or |
or |
| .Dq rsa |
.Dq rsa |
| for protocol version 2. |
for protocol version 2. |
| |
.It Fl u |
| |
Update a KRL. |
| |
When specified with |
| |
.Fl k , |
| |
keys listed via the command-line are added to the existing KRL rather than |
| |
a new KRL being created. |
| .It Fl V Ar validity_interval |
.It Fl V Ar validity_interval |
| Specify a validity interval when signing a certificate. |
Specify a validity interval when signing a certificate. |
| A validity interval may consist of a single time, indicating that the |
A validity interval may consist of a single time, indicating that the |
|
|
| (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), |
| .Dq -1d:20110101 |
.Dq -1d:20110101 |
| (valid from yesterday to midnight, January 1st, 2011). |
(valid from yesterday to midnight, January 1st, 2011). |
| .It Fl u |
|
| Update a KRL. |
|
| When specified with |
|
| .Fl k , |
|
| keys listed via the command-line are added to the existing KRL rather than |
|
| a new KRL being created. |
|
| .It Fl v |
.It Fl v |
| Verbose mode. |
Verbose mode. |
| Causes |
Causes |
|
|
| .Nm |
.Nm |
| is able to manage OpenSSH format Key Revocation Lists (KRLs). |
is able to manage OpenSSH format Key Revocation Lists (KRLs). |
| These binary files specify keys or certificates to be revoked using a |
These binary files specify keys or certificates to be revoked using a |
| compact format; taking as little a one bit per certificate if they are being |
compact format, taking as little a one bit per certificate if they are being |
| revoked by serial number. |
revoked by serial number. |
| .Pp |
.Pp |
| KRLs may be generated using the |
KRLs may be generated using the |
|
|
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Cm serial : Ar serial_number Op -serial_number |
.It Cm serial : Ar serial_number Op -serial_number |
| Revokes a certificate with the specified serial number. |
Revokes a certificate with the specified serial number. |
| Serial numbers are 64 bit values, not including zero and may be expressed |
Serial numbers are 64-bit values, not including zero and may be expressed |
| in decimal, hex or octal. |
in decimal, hex or octal. |
| If two serial numbers are specified separated by a hyphen, then the range |
If two serial numbers are specified separated by a hyphen, then the range |
| of serial numbers including and between each is revoked. |
of serial numbers including and between each is revoked. |
|
|
| option. |
option. |
| .It Cm key : Ar public_key |
.It Cm key : Ar public_key |
| Revokes the specified key. |
Revokes the specified key. |
| In a certificate is listed, then it is revoked as a plain public key. |
If a certificate is listed, then it is revoked as a plain public key. |
| .It Cm sha1 : Ar public_key |
.It Cm sha1 : Ar public_key |
| Revokes the specified key by its SHA1 hash. |
Revokes the specified key by its SHA1 hash. |
| .El |
.El |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh