Source: ssh-keygen — OpenSSH authentication key utility
Brief note: the certificate-related options excerpted from the ssh-keygen man page, simply collected here in one place for reference.
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...
-I certificate_identity
Specify the key identity when signing a public key. See the CERTIFICATES section for details.
-s ca_key
Certify (sign) a public key using the specified CA key. See the CERTIFICATES section for details.
When generating a KRL, -s specifies a path to a CA public key file used to revoke certificates directly by key ID or serial number. See the KEY REVOCATION LISTS section for details.
-h When signing a key, create a host certificate instead of a user certificate. See the CERTIFICATES section for details.
-U When used in combination with -s or -Y sign, this option indicates that a CA key resides in a ssh-agent(1). See the CERTIFICATES section for more information.
-D pkcs11
Download the public keys provided by the PKCS#11 shared library pkcs11. When used in combination with -s, this option indicates that a CA key resides in a PKCS#11 token (see the CERTIFICATES section for details).
-n principals
Specify one or more principals (user or host names) to be included in a certificate when signing a key. Multiple principals may be specified, separated by commas. See the CERTIFICATES section for details.
-O option
Specify a key/value option. These are specific to the operation that ssh-keygen has been requested to perform.
When signing certificates, one of the options listed in the CERTIFICATES section may be specified here.
When performing moduli generation or screening, one of the options listed in the MODULI GENERATION section may be specified.
When generating FIDO authenticator-backed keys, the options listed in the FIDO AUTHENTICATOR section may be specified.
When performing signature-related options using the -Y flag, the following options are accepted:
hashalg=algorithm
Selects the hash algorithm to use for hashing the message to be signed. Valid algorithms are “sha256” and “sha512”. The default is “sha512”.
print-pubkey
Print the full public key to standard output after signature verification.
verify-time=timestamp
Specifies a time to use when validating signatures instead of the current time. The time may be specified as a date or time in the YYYYMMDD[Z] or in YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the current system time zone unless suffixed with a Z character, which causes them to be interpreted in the UTC time zone.
The -O option may be specified multiple times.
-V validity_interval
Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval.
The start time may be specified as:
The string “always” to indicate the certificate has no specified start time.
A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
A relative time before the current system time consisting of a minus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
A raw seconds-since-epoch value (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
The end time may be specified similarly to the start time:
The string “forever” to indicate the certificate has no specified end time.
A date or time in the system time zone formatted as YYYYMMDD or YYYYMMDDHHMM[SS].
A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
A relative time after the current system time consisting of a plus sign followed by an interval in the format described in the TIME FORMATS section of sshd_config(5).
A raw seconds-since-epoch value (Jan 1 1970 00:00:00 UTC) as a hexadecimal number beginning with “0x”.
For example:
+52w1d
Valid from now to 52 weeks and one day from now.
-4w:+4w
Valid from four weeks ago to four weeks from now.
20100101123000:20110101123000
Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011.
20100101123000Z:20110101123000Z
Similar, but interpreted in the UTC time zone rather than the system time zone.
-1d:20110101
Valid from yesterday to midnight, January 1st, 2011.
0x1:0x2000000000
Valid from roughly early 1970 to May 2033.
-1m:forever
Valid from one minute ago and never expiring.
-z serial_number
Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. If the serial_number is prefixed with a ‘+’ character, then the serial number will be incremented for each certificate signed on a single command-line. The default serial number is zero.
When generating a KRL, the -z flag is used to specify a KRL version number.
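The certificate-signing options above (-I, -s, -h, -n, -O, -V, -z) and the KRL meaning of -s and -z put together in one run: an added shell example, not from the OpenSSH man page. It creates a throwaway CA, signs a user certificate and a host certificate, reads the results back with -L, then revokes the user certificate by its serial number and checks the KRL with -Q. Key file names, identities, principals, the serial numbers and the 192.0.2.0/24 address are constructed for the demo; ssh-keygen must be on PATH.

```shell
#!/bin/sh
# Added example (not from the OpenSSH man page): sign a user and a host
# certificate, inspect them, then revoke by serial with a KRL. Key names,
# identities, principals, serials and addresses are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not on PATH"; exit 0; }

# Scratch directory, removed on exit, so nothing in ~/.ssh is touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA key plus one user key and one host key (no passphrase: demo only).
ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f ca_key
ssh-keygen -q -t ed25519 -N '' -C 'alice-laptop' -f user_key
ssh-keygen -q -t ed25519 -N '' -C 'bastion-hostkey' -f host_key

# User certificate. -I is the identity that ends up in sshd logs, -n the
# principals the holder may log in as, -V a short window (5 minutes back
# for clock skew, one hour forward), -z a fixed serial so it can be revoked
# later. The -O chain clears every default extension, re-enables only a pty
# and pins the client source network. Output: user_key-cert.pub.
sign_user_cert() {
    ssh-keygen -q -s ca_key -I 'alice@example.com (demo)' \
        -n alice,deploy -V -5m:+1h -z 42 \
        -O clear -O permit-pty -O source-address=192.0.2.0/24 \
        user_key.pub
}

# Host certificate: -h switches the type; principals are the names and
# addresses clients will connect to. +52w1d is the man page's first example.
sign_host_cert() {
    ssh-keygen -q -s ca_key -I 'bastion host cert' -h \
        -n bastion.example.com,192.0.2.10 -V +52w1d -z 100 \
        host_key.pub
}

# Small readers over "ssh-keygen -L" output: certificate kind and serial.
cert_kind()   { ssh-keygen -L -f "$1" | awk '/^[[:space:]]*Type: /{print $(NF-1)}'; }
cert_serial() { ssh-keygen -L -f "$1" | awk '/^[[:space:]]*Serial: /{print $2}'; }

# KRL mode: -k generates a KRL, -s names the CA *public* key so the spec may
# revoke by "serial:" or "id:" lines, and -z is the KRL version number.
make_krl() {
    printf 'serial: 42\n' > revoke.spec
    ssh-keygen -q -k -f demo.krl -s ca_key.pub -z 1 revoke.spec
}

# -Q exits non-zero when a listed key or certificate is in the KRL.
# Returns 0 (true) when the certificate is revoked.
is_revoked() {
    if ssh-keygen -Q -f demo.krl "$1" >/dev/null 2>&1; then return 1; else return 0; fi
}

sign_user_cert
sign_host_cert
ssh-keygen -L -f user_key-cert.pub
ssh-keygen -L -f host_key-cert.pub
make_krl
is_revoked user_key-cert.pub && echo "serial 42: revoked" || echo "serial 42: still valid"
is_revoked host_key-cert.pub && echo "host cert: revoked" || echo "host cert: still valid"
```

The -L output is worth reading once: the Key ID line is what -I set, Serial is -z, the Principals block is -n, and the Critical Options / Extensions blocks show what the -O chain left in place. Revocation by serial works only because the KRL was built with -s ca_key.pub, which is why fixed, unique serials per CA are worth the bookkeeping.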