/yk-csr-generator

YubiKey CSR Generator: A robust CLI tool that enables users to produce Certificate Signing Requests (CSRs) leveraging YubiKey devices. Comes with enhanced attributes configuration, broad hash algorithm support, and versatile output options. Aimed at providing a seamless, secure, and efficient experience for CSR creation.

Primary LanguageC#MIT LicenseMIT

CodeQL .github/workflows/release.yml

YubiKey CSR Generator

This tool generates a Certificate Signing Request (CSR) using a private key from a YubiKey device.

Usage

yk-csr-gen [options]

Options

  • --new-pk, --replace-private-key: Indicates whether to replace the existing private key in the slot. If specified or set to true, a new private key will be generated. (Default: False)
  • --slot, --slot-number <82|83|84|85|86|87|88|89|8A|8B|8C|8D|8E|8F|90|91|92|93|94|95|9A|9C|9D|9E>: The slot number on the YubiKey device to be used for the key generation or retrieval. (Default: 9D)
  • --out, --out-file <out-file>: The file path where the generated CSR will be written. If not provided, CSR will be printed to the console.
  • --out-pub, --out-pub-file <out-pub-file>: If specified, the file path where the public key extracted from the CSR will be written.
  • --text: Print CSR to console irrespective of file output option. (Default: False)
  • --text-pub: Print the public key to the console. (Default: False)
  • --hash <1.3.14.3.2.26|2.16.840.1.101.3.4.2.1|2.16.840.1.101.3.4.2.2|2.16.840.1.101.3.4.2.3|SHA1|sha1|SHA256|sha256|SHA384|sha384|SHA512|sha512>: Specifies the hash algorithm to use for the CSR. Supported hash algorithms are SHA1, SHA256, SHA384, and SHA512. OIDs and friendly names (case-insensitive) of the algorithms can be used. (Default: SHA256)
  • --cn, --common-name <common-name>: The Common Name (CN) attribute to be included in the CSR's Distinguished Name (DN).
  • --c, --country, --region <country>: The Country or Region (C) attribute for the CSR's DN.
  • --dc, --domain-component <domain-component>: The Domain Component (DC) attribute for the CSR's DN.
  • --e, --email <email>: The Email Address (E) attribute for the CSR's DN.
  • --city, --l, --locality <locality>: The Locality (L) attribute for the CSR's DN, typically represents the city or locality.
  • --organizational-unit, --ou <organizational-unit>: The Organizational Unit (OU) attribute for the CSR's DN, typically represents the department within an organization.
  • --o, --organization <organization>: The Organization (O) attribute for the CSR's DN.
  • --province, --st, --state <province>: The State or Province (ST) attribute for the CSR's DN.
  • --s-dns, --san-dns <san-dns>: [Multiple] DNS name to be added to the Subject Alternative Name (SAN) extension.
  • --s-e, --san-email <san-email>: [Multiple] Email address to be added to the SAN extension.
  • --s-ip, --san-ip <san-ip>: [Multiple] IP address to be added to the SAN extension.
  • --s-uri, --san-uri <san-uri>: [Multiple] URI to be added to the SAN extension.
  • --s-upn, --san-user-principal-name <san-user-principal-name>: [Multiple] User Principal Name (UPN) to be added to the SAN extension.
  • --oid <oid>: [EXPERIMENTAL] [Multiple] Specify custom OID values in the form of o.i.d=value.
  • --version: Show version information.
  • -?, -h, --help: Show help and usage information.