Importing Admin Certificate into PKI CLI - dogtagpki/pki GitHub Wiki
This page describes the process of importing the admin certificate into the PKI CLI so that the certificate can be used to execute admin operations from the command line.

This document assumes that the admin certificate and its key are stored in a PKCS #12 file (e.g. ~/.dogtag/pki-tomcat/ca_admin_cert.p12) after CA installation, and that the PKCS #12 file is protected with the password specified in the pki_client_pkcs12_password parameter during installation.
To check the content of the PKCS #12 file, execute the following command:

```
$ pki pkcs12-cert-find \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123
  Certificate ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d
  Serial Number: 0x1ec63c581a462361700bf8ceedc5b8ad
  Friendly Name: caadmin
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Has Key: true
  Key ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d
```
The nickname of the admin certificate is listed as the Friendly Name. This nickname can be configured during installation using the pki_admin_nickname parameter for pkispawn.
By default the PKI CLI uses an NSS database at ~/.dogtag/nssdb.
To import the PKCS #12 file into the NSS database, execute the following command:

```
$ pki pkcs12-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123
```
Note: Due to JSS #796, that command might not work. In that case, use this command instead:

```
$ pki client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123
```
The certificate can then be used by specifying the `-n <nickname>` parameter, for example:

```
$ pki -n caadmin ca-user-find
```
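The three steps above (inspect the PKCS #12 file, import it with the JSS #796 fallback, use the nickname) combined into one script, as an added example that is not part of the wiki page or the pki project. It assumes the pki CLI from the page, that `pkcs12-cert-find`, `pkcs12-import` and `client-cert-import` accept a `--pkcs12-password-file` option (so the password stays out of the process list and shell history), that `pki client-cert-show <nickname>` exists to confirm the import, and that the `P12`, `P12_PASSWORD_FILE` and `RUN_IMPORT` environment variables are the script's own. The `pkcs12-cert-find` listing embedded below is constructed after the page's output so the parsing helpers can be exercised without a real PKCS #12 file.

```shell
#!/bin/sh
# Added example, not from the dogtagpki/pki wiki: inspect the admin PKCS #12
# file, import it into the PKI CLI NSS database, and verify the nickname works.

# Assumed locations; override with environment variables.
P12="${P12:-$HOME/.dogtag/pki-tomcat/ca_admin_cert.p12}"
P12_PASSWORD_FILE="${P12_PASSWORD_FILE:-$HOME/.dogtag/pki-tomcat/ca_admin_cert.pwd}"

# Constructed sample of `pki pkcs12-cert-find` output (modeled on the page),
# used only to exercise the parsing helpers below offline.
SAMPLE_OUTPUT='  Certificate ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d
  Serial Number: 0x1ec63c581a462361700bf8ceedc5b8ad
  Friendly Name: caadmin
  Subject DN: CN=PKI Administrator,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Has Key: true
  Key ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d'

# Print the Friendly Name (the NSS nickname) from pkcs12-cert-find output on stdin.
friendly_name() {
    sed -n 's/^[[:space:]]*Friendly Name:[[:space:]]*//p' | head -n 1
}

# Succeed only if the listing reports a private key: a certificate without its
# key cannot authenticate the admin, so importing it would achieve nothing.
has_key() {
    grep -q '^[[:space:]]*Has Key:[[:space:]]*true'
}

# Import the PKCS #12 file; pkcs12-import may fail because of JSS #796,
# in which case fall back to client-cert-import as the page suggests.
import_admin_cert() {
    pki pkcs12-import --pkcs12 "$P12" --pkcs12-password-file "$P12_PASSWORD_FILE" \
    || pki client-cert-import --pkcs12 "$P12" --pkcs12-password-file "$P12_PASSWORD_FILE"
}

main() {
    command -v pki >/dev/null 2>&1 || { echo "pki CLI not found" >&2; return 1; }
    [ -r "$P12" ] || { echo "PKCS #12 file not readable: $P12" >&2; return 1; }
    [ -r "$P12_PASSWORD_FILE" ] || { echo "password file not readable" >&2; return 1; }

    listing=$(pki pkcs12-cert-find --pkcs12 "$P12" --pkcs12-password-file "$P12_PASSWORD_FILE") || return 1
    nick=$(printf '%s\n' "$listing" | friendly_name)
    [ -n "$nick" ] || { echo "no Friendly Name found in $P12" >&2; return 1; }
    printf '%s\n' "$listing" | has_key || { echo "no private key in $P12" >&2; return 1; }

    import_admin_cert || return 1
    # Confirm the certificate is now visible under its nickname in ~/.dogtag/nssdb.
    pki client-cert-show "$nick" >/dev/null || { echo "import of $nick failed" >&2; return 1; }
    # Use the nickname for an admin operation, as on the page.
    pki -n "$nick" ca-user-find
}

# Run the real procedure only when explicitly requested.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `RUN_IMPORT=1 P12_PASSWORD_FILE=/path/to/pwd sh import_admin_cert.sh`; without `RUN_IMPORT=1` the script only defines the helpers, which is what lets them be checked against the constructed listing.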