pkiutil issue

Issues an X.509 certificate for an end-entity or a subordinate CA.

pkiutil issue -csr <csr> -caprivkey <caprivkey> -certout <certout> -cacert <cacert> -sigalg <sigalg> [-sigalg <sigalg> ... -sigalg <sigalg>] [-subca]

For example:

pkiutil issue -csr mycsr.pem -caprivkey priv.pem -certout mysubcert.cer -cacert compositeca.pem -sigalg SHA256withRSA -sigalg SHA256withECDSA -subca

See below for a description of each option.

-cacert <cacert>

Use the Issuer Distinguished Name of the <cacert> certificate, where <cacert> is a file generated with the pkiutil newca command.

Mandatory: Yes.

-caprivkey <caprivkey>

Sign the certificate with the <caprivkey> private key, where <caprivkey> is the name of a file generated with the pkiutil keygen command.

Mandatory: Yes.

-certout <certout>

Save the certificate in a file with the <certout> name.

Mandatory: Yes.

-csr <csr>

Use the <csr> request, where <csr> is the name of a file generated with the pkiutil newcsr command.

Mandatory: Yes.

-sigalg <sigalg>

Sign the certificate with the <sigalg> algorithm, where <sigalg> is one of the algorithm identifiers listed in the PKIUtil algorithm reference. Specify the option more than once to select several algorithms and generate a composite certificate.

Mandatory: Yes.

-subca

Generate a subordinate CA certificate.

Mandatory: No. When this option is omitted, the command generates an end-user certificate.
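
A pre-flight wrapper around the options above, as an added example that is not part of the pkiutil documentation. The function name issue_cert and the PKIUTIL override variable are hypothetical, and the key-permission and no-overwrite checks are this example's own policy; only the pkiutil issue options described on this page are passed through.

```shell
# Added example, not vendor code. issue_cert and PKIUTIL are hypothetical names;
# the permission and overwrite checks are this example's policy, not pkiutil's.
# Usage: issue_cert <csr> <caprivkey> <cacert> <certout> subca|endentity <sigalg>...
issue_cert() {
    if [ "$#" -lt 6 ]; then
        echo "usage: issue_cert csr caprivkey cacert certout subca|endentity sigalg..." >&2
        return 2
    fi
    csr=$1 key=$2 cacert=$3 out=$4 kind=$5
    shift 5                                   # "$@" now holds only the algorithms

    # All three inputs must be readable before anything is signed.
    for f in "$csr" "$key" "$cacert"; do
        [ -r "$f" ] || { echo "unreadable input: $f" >&2; return 3; }
    done

    # Characters 5-10 of the ls mode string are the group and other bits;
    # the CA private key must grant none of them.
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "CA key too permissive: $key" >&2; return 4; }

    # Never silently replace a certificate that was already issued.
    [ ! -e "$out" ] || { echo "refusing to overwrite: $out" >&2; return 5; }

    # -subca produces a CA certificate, so the caller must choose explicitly.
    case $kind in
        subca|endentity) ;;
        *) echo "kind must be subca or endentity" >&2; return 6 ;;
    esac

    # Rewrite "A B" into "-sigalg A -sigalg B"; several algorithms give a
    # composite certificate.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -sigalg "$1"
        shift
        n=$((n - 1))
    done
    [ "$kind" != subca ] || set -- "$@" -subca

    "${PKIUTIL:-pkiutil}" issue -csr "$csr" -caprivkey "$key" \
        -certout "$out" -cacert "$cacert" "$@"
}
```

Setting PKIUTIL=echo prints the argument list that would be passed instead of running the tool, which is useful for reviewing the command before a signing operation.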