1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH pki-ca-profile 1 "Sep 30, 2014" "version 10.2" "PKI CA Profile Management Commands" Dogtag Team
.\" Please adjust this date whenever revising the man page.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for man page specific macros, see man(7)
.SH NAME
pki-profile \- Command-Line Interface for managing Certificate System CA profiles.
.SH SYNOPSIS
.nf
\fBpki\fR [CLI options] \fBca-profile\fR
\fBpki\fR [CLI options] \fBca-profile-find\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-show <profile ID>\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-add <input file path>\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-mod <input file path>\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-del <profile ID>\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-enable <profile ID>\fR [command options]
\fBpki\fR [CLI options] \fBca-profile-disable <profile ID>\fR [command options]
.fi
.SH DESCRIPTION
.PP
The \fBpki ca-profile\fR commands provide command-line interfaces to manage profiles on the CA.
.PP
\fBpki\fR [CLI options] \fBca-profile-find\fR [command options]
.RS 4
This command is to list the profiles.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-show <profile ID>\fR [command options]
.RS 4
This command is to view the details of a profile.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-add <input file path>\fR [command options]
.RS 4
This command is to create a new profile.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-mod <input file path>\fR [command options]
.RS 4
This command is to modify an existing profile.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-del <profile ID>\fR [command options]
.RS 4
This command is to delete a profile.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-enable <profile ID>\fR [command options]
.RS 4
This command is to enable a profile.
.RE
.PP
\fBpki\fR [CLI options] \fBca-profile-disable <profile ID>\fR [command options]
.RS 4
This command is to disable a profile.
.RE
.SH OPTIONS
The CLI options are described in \fBpki\fR(1).
.SH OPERATIONS
To view available profile commands, type \fBpki ca-profile\fP. To view each command's usage, type \fB pki ca-profile-<command> \-\-help\fP.
All the ca-profile commands require CA agent authentication.
.SS Viewing the profiles
.B pki <CA agent authentication> ca-profile-find
The results can be paged using the \fB--start\fR and \fB--size\fR options described in \fBpki\fR(1).
To view the contents of a profile:
A set of profile inputs, profile outputs, authenticators, policies and constraints are defined in a profile.
These contents can be viewed using the following command:
.B pki <CA agent authentication> ca-profile-show <profile ID>
To store the output of the above operation, the output option must be specified.
.B pki <CA agent authentication> ca-profile-show <profile ID> --output <file path>
This output file can be used for modifying the profile.
It can be used as a template for certificate enrollment as well but, a more suitable template can be fetched using the \fBpki cert-request-profile-show\fR command.
The \fBpki cert-request-profile-show\fR command does not require an agent/administrator level authentication and contains only the profile inputs section (which is required for certificate enrollment).
.SS Add/Modify/Delete a profile
.B pki <CA admin authentication> ca-profile-add <input file path>
The contents of the input file must be in an XML format returned by the ca-profile-show command.
This data will be marshaled by the CLI client to create a new profile in the CA.
The profile must be disabled before it is modified. It must be enabled after modification to be used for
certificate enrollment.
To modify an existing profile:
.B pki <CA admin authentication> ca-profile-mod <input file path>
The profile data can be retrieved using the ca-profile-show command and after editing the file,
it can be provided to the profile-mod command to modify an existing profile.
To delete a profile in the CA:
.B pki <CA admin authentication> ca-profile-del <profile ID>
.SS Enabling/Disabling a profile in the CA
To enable a profile in the CA:
.B pki <CA agent authenticaton> ca-profile-enable <profile ID>
A profile must be enabled before it can be used.
To disable a profile in the CA:
.B pki <CA agent authentication> ca-profile-disable <profile ID>
A profile must be disabled before it can be modified.
.B Note:
Modifying or deleting a profile requires user(s) that have two roles (admin and agent). The same user may be in both roles. An agent
is needed to first disable the profile. Once the profile is disabled, it can be modified/deleted by an admin user. Then, an agent is needed to
enable the profile for use by the CA.
.SH AUTHORS
Abhishek Koneru <akoneru@redhat.com>.
.SH COPYRIGHT
Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
.SH SEE ALSO
.BR pki(1)
|
