1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
|
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH pki-cert 1 "May 5, 2014" "version 10.2" "PKI Certificate Management Commands" Dogtag Team
.\" Please adjust this date whenever revising the man page.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for man page specific macros, see man(7)
.SH NAME
pki-cert \- Command-Line Interface for managing certificates on the Certificate System server.
.SH SYNOPSIS
.nf
\fBpki\fR [CLI options] \fB<subsystem>-cert\fR
\fBpki\fR [CLI options] \fB<subsystem>-cert-find\fR [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-show\fR <certificate ID> [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-revoke\fR <certificate ID> [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-hold\fR <certificate ID> [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-release-hold\fR <certificate ID> [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-profile-find\fR [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-profile-show\fR <profile ID> [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-submit\fR [command options]
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-review\fR <request ID> [command options]
.fi
.SH DESCRIPTION
.PP
The \fBpki-cert\fR commands provide command-line interfaces to manage certificates on the specified subsystem.
.PP
Valid subsystems are \fBca\fR and \fBtps\fR. If the <subsystem>- prefix is omitted, it will default to \fBca\fR.
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert\fR
.RS 4
This command is to list available certificate commands for the subsystem.
Different subsystems may have different certificate commands.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-find\fR [command options]
.RS 4
This command is to list certificates in the subsystem.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-show\fR <certificate ID> [command options]
.RS 4
This command is to view a certificate details in the subsystem.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-revoke\fR <certificate ID>
.RS 4
This command is to revoke a certificate.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-hold\fR <certificate ID>
.RS 4
This command is to place a certificate on hold temporarily.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-release-hold\fR <certificate ID>
.RS 4
This command is to release a certificate that has been placed on hold.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-profile-find\fR [command options]
.RS 4
This command is to list available certificate request templates.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-profile-show\fR <profile ID> [command options]
.RS 4
This command is to view a certificate request template.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-submit\fR [command options]
.RS 4
This command is to submit a certificate request.
.RE
.PP
\fBpki\fR [CLI options] \fB<subsystem>-cert-request-review\fR <request ID> [command options]
.RS 4
This command is to review a certificate request.
.RE
.SH OPTIONS
The CLI options are described in \fBpki\fR(1).
.SH OPERATIONS
To view available certificate commands, type \fBpki <subsystem>-cert\fP. To view each command's usage, type \fB pki <subsystem>-cert-<command> --help\fP.
.SS Viewing Certificates
Certificates can be viewed anonymously.
To list all certificates in the CA:
.B pki ca-cert-find
It is also possible to search for and list specific certificates by adding a search filter. Use \fBpki ca-cert-find \-\-help\fP to see options. For example, to search based on issuance date:
.B pki ca-cert-find --issuedOnFrom 2012-06-15
To list certificates with search constraints defined in a file:
.B pki ca-cert-find --input <filename>
where the file is in the following format:
.IP
.nf
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>
<serialNumberRangeInUse>true</serialNumberRangeInUse>
<serialFrom></serialFrom>
<serialTo></serialTo>
<subjectInUse>false</subjectInUse>
<eMail></eMail>
<commonName></commonName>
<userID></userID>
<orgUnit></orgUnit>
<org></org>
<locality></locality>
<state></state>
<country></country>
<matchExactly>false</matchExactly>
<status></status>
<revokedByInUse>false</revokedByInUse>
<revokedBy></revokedBy>
<revokedOnFrom>false</revokedOnFrom>
<revokedOnTo></revokedOnTo>
<revocationReasonInUse>false</revocationReasonInUse>
<revocationReason></revocationReason>
<issuedByInUse>false</issuedByInUse>
<issuedBy></issuedBy>
<issuedOnInUse>false</issuedOnInUse>
<issuedOnFrom></issuedOnFrom>
<issuedOnTo></issuedOnTo>
<validNotBeforeInUse>false</validNotBeforeInUse>
<validNotBeforeFrom></validNotBeforeFrom>
<validNotBeforeTo></validNotBeforeTo>
<validNotAfterInUse>false</validNotAfterInUse>
<validNotAfterFrom></validNotAfterFrom>
<validNotAfterTo></validNotAfterTo>
<validityLengthInUse>false</validityLengthInUse>
<validityOperation></validityOperation>
<validityCount></validityCount>
<validityUnit></validityUnit>
<certTypeInUse>false</certTypeInUse>
<certTypeSubEmailCA></certTypeSubEmailCA>
<certTypeSubSSLCA></certTypeSubSSLCA>
<certTypeSecureEmail></certTypeSecureEmail>
</CertSearchRequest>
.fi
.PP
To view a particular certificate:
.B pki ca-cert-show <certificate ID>
.SS Revoking Certificates
Revoking, holding, or releasing a certificate must be executed as an agent user.
To revoke a certificate:
.B pki <agent authentication> ca-cert-revoke <certificate ID>
To place a certificate on hold temporarily:
.B pki <agent authentication> ca-cert-hold <certificate ID>
To release a certificate that has been placed on hold:
.B pki <agent authentication> ca-cert-release-hold <certificate ID>
.SS Certificate Requests
To request a certificate, first generate a certificate signing request (CSR),
then submit it with a certificate profile. The list of available profiles can
be viewed using the following command:
.B pki ca-cert-request-profile-find
To generate a CSR, use the certutil, PKCS10Client, or
CRMFPopClient, and store it into a file.
Basic requests can be submitted using the following command:
.B pki ca-cert-request-submit --profile <profile ID> --request-type <type> --csr-file <CSR file> --subject <subject DN>
To submit more advanced requests, download a template of the request file for
a particular profile using the following command:
.B pki ca-cert-request-profile-show <profile ID> \-\-output <request file>
Then, edit the request file, fill in the input attributes required by the
profile, and submit the request using the following command:
.B pki ca-cert-request-submit <request file>
Depending on the profile, an agent may need to review the request by running
the following command:
.B pki <agent authentication> ca-cert-request-review <request ID> --file <file to store the certificate request>
The \-\-file <filename> and \-\-action <action> options are mutually exclusive (i. e. - only one or the other may be specified during command invocation).
If the \-\-file <filename> option is specified, the certificate request, as well as the defaults and constraints of the enrollment profile, will be retrieved and stored in the output file provided by the \-\-file option. The agent can examine the file and override any values if necessary. To process the request, enter the appropriate action when prompted:
.B Action (approve/reject/cancel/update/validate/assign/unassign):
The request in the file will be read in, and the specified action will be applied against it.
Alternatively, when no changes to the request are necessary, the agent can process the request in a single step using the --action <action> option with the following command:
.B pki <agent authentication> ca-cert-request-review <request ID> --action <action>
.SH AUTHORS
Ade Lee <alee@redhat.com>, Endi Dewata <edewata@redhat.com>, and Matthew Harmsen <mharmsen@redhat.com>.
.SH COPYRIGHT
Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
|
