summaryrefslogtreecommitdiffstats
path: root/man
diff options
context:
space:
mode:
Diffstat (limited to 'man')
-rw-r--r--man/rules/meson.build1
-rw-r--r--man/systemd-keyutil.xml105
-rw-r--r--man/systemd-measure.xml10
-rw-r--r--man/systemd-sbsign.xml16
4 files changed, 106 insertions, 26 deletions
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 7d2c62f574..e76cb0223b 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -992,6 +992,7 @@ manpages = [
'systemd-journald@.service',
'systemd-journald@.socket'],
''],
+ ['systemd-keyutil', '1', [], ''],
['systemd-localed.service', '8', ['systemd-localed'], 'ENABLE_LOCALED'],
['systemd-logind.service', '8', ['systemd-logind'], 'ENABLE_LOGIND'],
['systemd-machine-id-commit.service', '8', [], ''],
diff --git a/man/systemd-keyutil.xml b/man/systemd-keyutil.xml
new file mode 100644
index 0000000000..99d4d903b4
--- /dev/null
+++ b/man/systemd-keyutil.xml
@@ -0,0 +1,105 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-keyutil"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+ <refentryinfo>
+ <title>systemd-keyutil</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-keyutil</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-keyutil</refname>
+ <refpurpose>Perform various operations on private keys and X.509 certificates</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-keyutil</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="req">COMMAND</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-keyutil</command> can be used to perform various operations on private keys and
+ X.509 certificates.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>validate</option></term>
+
+ <listitem><para>Checks that we can load the private key and certificate specified with
+ <option>--private-key=</option> and <option>--certificate=</option> respectively.</para>
+
+ <para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
+ command can be used to cache the PIN in the kernel keyring. The
+ <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
+ <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
+ how long and in which kernel keyring the PIN is cached.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>public</command></term>
+
+ <listitem><para>This commands prints the public key in PEM format extracted from either the
+ certificate given with <option>--certificate=</option> or the private key given with
+ <option>--private-key=</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+ <para>The following options are understood:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
+ <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
+
+ <listitem><para>Set the private key and certificate to use. The <option>--certificate=</option>
+ option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider
+ configured with <option>--certificate-source</option>. The <option>--certificate-source</option>
+ takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
+ by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
+ The <option>--private-key=</option> option can take a path or a URI that will be passed to the
+ OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
+ <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal></para>.
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="help"/>
+ <xi:include href="standard-options.xml" xpointer="version"/>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd-sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ </simplelist></para>
+ </refsect1>
+</refentry>
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 5ca373f181..c7e5a5e9e2 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -104,16 +104,6 @@
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
-
- <varlistentry>
- <term><command>pcrpkey</command></term>
-
- <listitem><para>This commands prints the public key either given with <option>--public-key=</option>,
- or extracted from the certificate given with <option>--certificate=</option> or the private key given
- with <option>--private-key=</option>.</para>
-
- <xi:include href="version-info.xml" xpointer="v257"/></listitem>
- </varlistentry>
</variablelist>
</refsect1>
diff --git a/man/systemd-sbsign.xml b/man/systemd-sbsign.xml
index 1248377845..57b685f8c3 100644
--- a/man/systemd-sbsign.xml
+++ b/man/systemd-sbsign.xml
@@ -49,22 +49,6 @@
<xi:include href="version-info.xml" xpointer="v257"/>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><option>validate-key</option></term>
-
- <listitem><para>Checks that we can load the private key specified with
- <option>--private-key=</option>. </para>
-
- <para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
- command can be used to cache the PIN in the kernel keyring. The
- <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
- <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
- how long and in which kernel keyring the PIN is cached.</para>
-
- <xi:include href="version-info.xml" xpointer="v257"/>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>