Provided by: sq_0.37.0-1_amd64

NAME

       sq pki certify - Certify a User ID for a Certificate

SYNOPSIS

       sq pki certify [OPTIONS] CERTIFIER-KEY KEY_ID|FINGERPRINT|FILE USERID

DESCRIPTION

       Certify a User ID for a Certificate.

       Using a certification, a keyholder may vouch for the fact that another certificate legitimately belongs to
       a user ID.  In the context of emails this means that the same entity controls the key and the email
       address.  This kind of certification forms the basis for the Web of Trust.

       This command emits the certificate with the  new  certification.   The  updated  certificate  has  to  be
       distributed,  preferably  by  sending  it  to  the  certificate holder for attestation.  See also `sq key
       attest-certifications`.

       By default a certification expires after 5 years.  Using the `--expiry` argument, specific validity
       periods may be defined.  It accepts either a point in time at which validity ends or a validity
       duration.

       `sq pki certify` respects the reference time set  by  the  top-level  `--time`  argument.   It  sets  the
       certification's creation time to the reference time.

OPTIONS

   Subcommand options
       -B, --binary
              Emit binary data

       -a, --amount=AMOUNT
              Set  the  amount  of  trust.   Values  between  1 and 120 are meaningful. 120 means fully trusted.
              Values less than 120 indicate the degree of trust.  60 is usually used for partially trusted.

       --add-userid
              Add the given user ID if it doesn't exist in the certificate.

       --allow-not-alive-certifier
              Allow the key to make a certification even if the current time is prior to its  creation  time  or
              the current time is at or after its expiration time.

       --allow-revoked-certifier
              Don't fail if the certificate making the certification is revoked.

       -d, --depth=TRUST_DEPTH
              Set the trust depth (sometimes referred to as the trust level).  0 means a normal certification of
              <CERTIFICATE, USERID>.  1 means CERTIFICATE is also a trusted introducer, 2 means CERTIFICATE is a
              meta-trusted introducer, etc.

       --email
              Treat the given user ID as an email address.  If more than one user ID contains the given email
              address, all are certified.

       --expiry=EXPIRY
              Define EXPIRY for the certification as ISO 8601 formatted string or custom  duration.  If  an  ISO
              8601 formatted string is provided, the validity period reaches from the reference time (may be set
              using `--time`) to the provided time. Custom durations starting from the reference time may be set
              using  `N[ymwds]`,  for N years, months, weeks, days, or seconds. The special keyword `never` sets
              an unlimited expiry.

       -l, --local
              Make the certification a local certification.  Normally, local certifications are not exported.

       --non-revocable
              Mark  the  certification  as  being  non-revocable.  That  is,  you  cannot  later   revoke   this
              certification.  This should normally only be used with an expiration.

       --notation NAME VALUE
              Add  a  notation  to  the  certification.   A  user-defined  notation's  name  must be of the form
              `name@a.domain.you.control.org`. If the notation's name starts with a  !,  then  the  notation  is
              marked  as  being  critical.  If a consumer of a signature doesn't understand a critical notation,
              then it will ignore the signature.  The notation is marked as being human readable.

       -o, --output=FILE
              Write to FILE or stdout if omitted

       --private-key-store=KEY_STORE
              Provide parameters for private key store

       -r, --regex=REGEX
              Add a regular expression to  constrain  what  a  trusted  introducer  can  certify.   The  regular
              expression  must  match  the  certified User ID in all intermediate introducers, and the certified
              certificate. Multiple regular expressions may be specified.  In  that  case,  at  least  one  must
              match.

        CERTIFIER-KEY
              Create the certification using CERTIFIER-KEY.

        KEY_ID|FINGERPRINT|FILE
              Certify CERTIFICATE.

        USERID
              Certify USERID for CERTIFICATE.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Juliet certifies that Romeo controls romeo.pgp and romeo@example.org:

              sq pki certify juliet.pgp romeo.pgp '<romeo@example.org>'

       Certify the User ID Ada, and set the certification time to July 21, 2013 at midnight UTC:

              sq pki certify --time 20130721 neal.pgp ada.pgp Ada
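
       Added example, not part of the sq documentation: a pre-flight audit of a `--regex` scope before it
       is used with `--depth=1`, showing an unanchored expression beside an anchored one.  The sample User
       IDs, the helper function names, the file arguments and the use of `grep -E` as a stand-in for the
       OpenPGP regular expression engine are assumptions.

```shell
#!/bin/sh
# Added example: audit a --regex scope before certifying a trusted introducer.
STRICT='<[^>]+[@.]example\.org>$'   # anchored to the address inside <...>
LOOSE='example.org'                 # unanchored, and "." matches any character

# Constructed User IDs: "+" must be in scope, "-" must stay out of scope.
SAMPLES='+ Romeo <romeo@example.org>
+ Juliet <juliet@mail.example.org>
- Mallory <mallory@example.org.invalid>
- Mallory <mallory@notexample.org>
- romeo@example.org <mallory@other.invalid>'

# in_scope USERID REGEX...: with several regexes, at least one must match.
in_scope() {
    _uid=$1; shift
    for _re in "$@"; do
        printf '%s\n' "$_uid" | grep -Eq -- "$_re" && return 0
    done
    return 1
}

# audit_scope REGEX...: returns the number of samples the scope gets wrong.
audit_scope() {
    _bad=0
    while IFS= read -r _line; do
        _want=${_line%% *}; _id=${_line#* }
        if in_scope "$_id" "$@"; then _got=+; else _got=-; fi
        [ "$_got" = "$_want" ] || {
            echo "scope mismatch (expected $_want): $_id" >&2
            _bad=$((_bad + 1))
        }
    done <<EOF
$SAMPLES
EOF
    return "$_bad"
}

# certify_introducer REGEX CERTIFIER-KEY CERT USERID (hypothetical helper):
# certify only if the scope passes the audit, using options documented above.
certify_introducer() {
    audit_scope "$1" 2>/dev/null || { echo "refusing scope: $1" >&2; return 1; }
    sq pki certify --depth=1 --amount=120 --expiry=1y --regex="$1" \
        --output="$3.certified" "$2" "$3" "$4"
}

audit_scope "$STRICT" && echo "strict scope: all samples classified correctly"
audit_scope "$LOOSE" 2>/dev/null || echo "loose scope: $? samples misclassified"
```

       Extend SAMPLES with User IDs from your own domain before relying on the audit.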

SEE ALSO

       sq(1), sq-pki(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.34.0 (sequoia-openpgp 1.19.0)

Sequoia PGP                                          0.34.0                                                SQ(1)