PKI CA Authority CLI - dogtagpki/pki GitHub Wiki

Overview

PKI provides a set of CLIs to manage the lightweight CAs (LWCA).

Note: The current LWCA implementation has some limitations:

  • It does not work with clones outside of an IPA environment. See Ticket #2956.

  • It does not include the authority ID in some audit events. See Ticket #2959.

  • It does not work with an HSM. See Ticket #2412.

Listing Authorities

To list all authorities:

$ pki -n caadmin ca-authority-find
-----------------
2 entries matched
-----------------
  Host authority: true
  Authority DN:   CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID:             f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0x9ac1b2540e75b6a6af68fb167549302e
  Enabled:        true
  Ready to sign:  true
  Description:    Host authority

  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true
----------------------------
Number of entries returned 2
----------------------------

To search by parent ID:

$ pki -n caadmin ca-authority-find \
    --parent-id f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
-----------------
1 entries matched
-----------------
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true
----------------------------
Number of entries returned 1
----------------------------

To search by issuer DN:

$ pki -n caadmin ca-authority-find \
    --issuer-dn "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
-----------------
2 entries matched
-----------------
  Host authority: true
  Authority DN:   CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID:             f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0x9ac1b2540e75b6a6af68fb167549302e
  Enabled:        true
  Ready to sign:  true
  Description:    Host authority

  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true
----------------------------
Number of entries returned 2
----------------------------
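
The listing above is a record-per-paragraph text format, and an operator auditing a deployment will usually want it in a machine-checkable form. The following script is an added example, not part of the dogtagpki wiki or the pki code base: it parses the `ca-authority-find` output into tab-separated rows and flags sub-authorities whose parent ID is not in the listing, authorities that are enabled but not ready to sign, and disabled authorities. The sample listing is constructed from the output shown on this page; the two extra records and their IDs are placeholders invented to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the dogtagpki wiki): parse the listing printed by
# `pki ca-authority-find` and audit the lightweight CA hierarchy it describes.
# Against a live server:  pki -n caadmin ca-authority-find | authority_audit

# Sample listing, constructed from the output shown on this page so the
# script runs offline.
SAMPLE_OUTPUT='-----------------
2 entries matched
-----------------
  Host authority: true
  Authority DN:   CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID:             f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0x9ac1b2540e75b6a6af68fb167549302e
  Enabled:        true
  Ready to sign:  true
  Description:    Host authority

  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true
----------------------------
Number of entries returned 2
----------------------------'

# Two further records, constructed with placeholder IDs, to show what the
# audit flags: a sub-CA whose parent is not listed and which is not ready
# to sign, and a disabled sub-CA.
BROKEN_OUTPUT="$SAMPLE_OUTPUT

  Authority DN:   CN=orphan
  ID:             00000000-0000-4000-8000-000000000001
  Parent ID:      00000000-0000-4000-8000-0000000000ff
  Issuer DN:      CN=missing parent
  Serial no:      0x01
  Enabled:        true
  Ready to sign:  false

  Authority DN:   CN=retired
  ID:             00000000-0000-4000-8000-000000000002
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0x02
  Enabled:        false
  Ready to sign:  true"

# Turn the listing on stdin into one tab-separated line per authority:
# ID, parent ID ("-" for the host authority), Enabled, Ready to sign, DN.
# Records are blank-line separated, so awk's paragraph mode (RS="") splits
# them; header and footer lines carry no "Label:" prefix and are skipped.
authority_tsv() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        id = ""; parent = "-"; enabled = ""; ready = ""; dn = ""
        for (i = 1; i <= NF; i++) {
            if (match($i, /^ *[A-Za-z ]+: +/) == 0) continue
            label = substr($i, 1, RLENGTH); value = substr($i, RLENGTH + 1)
            sub(/^ +/, "", label); sub(/: +$/, "", label)
            if (label == "ID") id = value
            else if (label == "Parent ID") parent = value
            else if (label == "Enabled") enabled = value
            else if (label == "Ready to sign") ready = value
            else if (label == "Authority DN") dn = value
        }
        if (id != "") printf "%s\t%s\t%s\t%s\t%s\n", id, parent, enabled, ready, dn
    }'
}

# Report one tab-separated line per finding: ORPHAN (parent ID not in the
# listing), NOT_READY (enabled but cannot sign), DISABLED. No output = clean.
authority_audit() {
    authority_tsv | awk -F '\t' '
    { id[NR] = $1; parent[NR] = $2; enabled[NR] = $3; ready[NR] = $4; dn[NR] = $5; known[$1] = 1 }
    END {
        for (n = 1; n <= NR; n++) {
            if (parent[n] != "-" && !(parent[n] in known))
                printf "ORPHAN\t%s\t%s\tparent %s not listed\n", id[n], dn[n], parent[n]
            if (enabled[n] == "true" && ready[n] != "true")
                printf "NOT_READY\t%s\t%s\n", id[n], dn[n]
            if (enabled[n] != "true")
                printf "DISABLED\t%s\t%s\n", id[n], dn[n]
        }
    }'
}

echo "== clean listing (no findings expected) =="
printf '%s\n' "$SAMPLE_OUTPUT" | authority_audit
echo "== listing with problems =="
printf '%s\n' "$BROKEN_OUTPUT" | authority_audit
```

An orphan finding is worth chasing: a sub-CA whose parent is absent from the listing cannot be traced to the host authority, which is exactly the situation the clone limitation noted in the overview can produce.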

Displaying Authority Details

To display a particular authority given an authority ID:

$ pki -n caadmin ca-authority-show 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

To display a particular authority given an authority DN (not yet implemented):

$ pki -n caadmin ca-authority-show --dn CN=test
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

To display the host/main authority:

$ pki -n caadmin ca-authority-show --host-authority
  Host authority: true
  Authority DN:   CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID:             f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0x9ac1b2540e75b6a6af68fb167549302e
  Enabled:        true
  Ready to sign:  true
  Description:    Host authority

Creating an Authority

To create a sub-authority with the parent ID:

$ pki -n caadmin ca-authority-create CN=test \
    --parent f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

To create a sub-authority with the parent DN (not yet implemented):

$ pki -n caadmin ca-authority-create CN=test \
    --parent-dn "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

To create a top-level authority (not yet implemented):

$ pki -n caadmin ca-authority-create CN=test
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

Enabling/Disabling an Authority

To enable an authority:

$ pki -n caadmin ca-authority-enable 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        true
  Ready to sign:  true

To disable an authority:

$ pki -n caadmin ca-authority-disable 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN:   CN=test
  ID:             4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID:      f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN:      CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no:      0xff105174b5dd0443c5ae812df6497766
  Enabled:        false
  Ready to sign:  true

Downloading Authority Certificate

To download the signing certificate (these endpoints are served over plain HTTP here, so fetch anything you intend to install as a trust anchor over TLS, or verify its fingerprint out of band):

$ wget http://$HOSTNAME:8080/ca/rest/authorities/77d0eaca-27d5-41ef-bfa5-44185294cfc7/cert

To download the certificate chain:

$ wget http://$HOSTNAME:8080/ca/rest/authorities/77d0eaca-27d5-41ef-bfa5-44185294cfc7/chain

Certificate Enrollment

Submitting certificate request

In PKI 10.5 or later the certificate request can be submitted with the issuer ID:

$ pki client-cert-request UID=testuser \
    --issuer-id 77d0eaca-27d5-41ef-bfa5-44185294cfc7

or with the issuer DN:

$ pki client-cert-request UID=testuser --issuer-dn CN=test

In PKI 10.4 or older, first generate a CSR (the 1024-bit key below is only suitable for a test; use at least 2048 bits otherwise):

$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr -n UID=testuser

Then submit the CSR with the issuer ID:

$ pki ca-cert-request-submit --csr-file testuser.csr \
    --issuer-id 77d0eaca-27d5-41ef-bfa5-44185294cfc7

or with the issuer DN:

$ pki ca-cert-request-submit --csr-file testuser.csr --issuer-dn CN=test

Issuing certificate

Approve the request:

$ pki -n caadmin ca-cert-request-review <request ID> --action approve

Display the certificate:

$ pki ca-cert-show <serial number>
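
The PKI 10.4 path above is four separate commands with a request ID and a serial number carried by hand from one to the next. The script below is an added example and not part of the dogtagpki wiki or the pki project: it chains those steps, rejects an issuer ID that is not a well-formed UUID before it is placed on a command line (the hyphen-less ID in the create example earlier on this page is the kind of value it catches), and reads the request ID back from the CLI output. The `Request ID:` and `Certificate ID:` labels it parses, the `NSSDB_PASSWORD` variable and the 2048-bit key length are this example's assumptions and choices, not values taken from the page; the sample submit output is constructed.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki: wrap the PKI 10.4-style
# enrollment steps on this page (PKCS10Client, ca-cert-request-submit,
# ca-cert-request-review, ca-cert-show) in one function that validates the
# issuer ID and reads the request ID back from the CLI output.

# Accept only a canonical lowercase UUID, the form pki prints for authority
# IDs, so a truncated or malformed value never reaches the pki command line.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the value of the first "  Label: value" line found on stdin.
cli_field() {
    awk -v label="$1" -F ': *' '$1 ~ ("^ *" label "$") { print $2; exit }'
}

# Output of ca-cert-request-submit as this script assumes it (constructed;
# the "Request ID:" label is an assumption to confirm against your version).
SUBMIT_OUTPUT='-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 7
  Type: enrollment
  Request Status: pending
  Operation Result: success'

# Full workflow against a live server. NSSDB_PASSWORD and the 2048-bit key
# are this script's choices, not settings from the page; the
# "Certificate ID:" label in the approval output is likewise assumed.
enroll_under_authority() {
    issuer_id=$1; subject=$2; nssdb=${3:-$HOME/.dogtag/nssdb}
    if ! is_uuid "$issuer_id"; then
        echo "refusing issuer ID that is not a UUID: $issuer_id" >&2
        return 2
    fi
    csr="${subject#UID=}.csr"
    PKCS10Client -d "$nssdb" -p "$NSSDB_PASSWORD" -a rsa -l 2048 \
        -o "$csr" -n "$subject" || return 1
    request_id=$(pki ca-cert-request-submit --csr-file "$csr" \
        --issuer-id "$issuer_id" | cli_field 'Request ID')
    if [ -z "$request_id" ]; then
        echo "submit output carried no request ID; nothing approved" >&2
        return 1
    fi
    serial=$(pki -n caadmin ca-cert-request-review "$request_id" \
        --action approve | cli_field 'Certificate ID')
    if [ -z "$serial" ]; then
        echo "approval of request $request_id returned no certificate ID" >&2
        return 1
    fi
    pki ca-cert-show "$serial"
}

# Offline demonstration of the two checks the workflow relies on.
printf '%s\n' "$SUBMIT_OUTPUT" | cli_field 'Request ID'      # 7
is_uuid 77d0eaca-27d5-41ef-bfa5-44185294cfc7 && echo "well-formed issuer ID"
is_uuid f37225e8-b6d7-49beabe1-6a2f5f3e0be3 || echo "rejected: missing hyphen"
```

Invoke it as `enroll_under_authority 77d0eaca-27d5-41ef-bfa5-44185294cfc7 UID=testuser` with `NSSDB_PASSWORD` exported; the approval step only runs when a request ID was actually parsed, so a failed submission cannot approve a stale or unrelated request.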
