PKI CA Authority CLI - dogtagpki/pki GitHub Wiki
PKI provides a set of CLIs to manage the lightweight CAs (LWCA).
Note: The current LWCA implementation has some limitations:
- It does not work with clones outside of an IPA environment. See Ticket #2956.
- It does not include the authority ID in some audit events. See Ticket #2959.
- It does not work with an HSM. See Ticket #2412.
To list all authorities:
```
$ pki -n caadmin ca-authority-find
-----------------
2 entries matched
-----------------
  Host authority: true
  Authority DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0x9ac1b2540e75b6a6af68fb167549302e
  Enabled: true
  Ready to sign: true
  Description: Host authority

  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
----------------------------
Number of entries returned 2
----------------------------
```
To search by parent ID:
```
$ pki -n caadmin ca-authority-find \
    --parent-id f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
-----------------
1 entries matched
-----------------
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
----------------------------
Number of entries returned 1
----------------------------
```
To search by issuer DN:
```
$ pki -n caadmin ca-authority-find \
    --issuer-dn "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
-----------------
2 entries matched
-----------------
  Host authority: true
  Authority DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0x9ac1b2540e75b6a6af68fb167549302e
  Enabled: true
  Ready to sign: true
  Description: Host authority

  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
----------------------------
Number of entries returned 2
----------------------------
```
To display a particular authority given an authority ID:
```
$ pki -n caadmin ca-authority-show 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To display a particular authority given an authority DN (not yet implemented):
```
$ pki -n caadmin ca-authority-show --dn CN=test
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To display the host/main authority:
```
$ pki -n caadmin ca-authority-show --host-authority
  Host authority: true
  Authority DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0x9ac1b2540e75b6a6af68fb167549302e
  Enabled: true
  Ready to sign: true
  Description: Host authority
```
To create a sub-authority with the parent ID:
```
$ pki -n caadmin ca-authority-create CN=test \
    --parent f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To create a sub-authority with the parent DN (not yet implemented):
```
$ pki -n caadmin ca-authority-create CN=test \
    --parent-dn "CN=CA Signing Certificate,O=EXAMPLE"
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To create a top-level authority (not yet implemented):
```
$ pki -n caadmin ca-authority-create CN=test
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To enable an authority:
```
$ pki -n caadmin ca-authority-enable 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: true
  Ready to sign: true
```
To disable an authority:
```
$ pki -n caadmin ca-authority-disable 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Serial no: 0xff105174b5dd0443c5ae812df6497766
  Enabled: false
  Ready to sign: true
```
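The listing above is the natural input for a periodic inventory check of the LWCA tree: every sub-authority should point at a parent that is actually present, its issuer DN should match that parent's authority DN, and disabled or not-ready authorities should be flagged rather than silently ignored. The following script is an added example, not part of the pki project; it parses `ca-authority-find` output in the format shown on this page (the sample input is constructed from the entries above, with the sub-authority marked disabled so a finding is produced) and reports the problems an operator would want to act on.

```python
import re

# Constructed sample of `pki ca-authority-find` output (second CA disabled on purpose).
SAMPLE_OUTPUT = """\
  Host authority: true
  Authority DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Enabled: true
  Ready to sign: true

  Authority DN: CN=test
  ID: 4aa054e0-4742-4968-8c38-6c7b8539ceb1
  Parent ID: f37225e8-b6d7-49be-abe1-6a2f5f3e0be3
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Enabled: false
  Ready to sign: true
----------------------------
Number of entries returned 2
"""
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")  # indented "Key: value"; dashed/footer lines skip
def parse_authorities(text):
    """Return one dict per authority; the CLI separates entries with a blank line."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return entries + [current] if current else entries

def audit(entries):
    """Findings an operator should act on: broken parent links, DN mismatches, unusable CAs."""
    by_id = {e["ID"]: e for e in entries if "ID" in e}
    findings = []
    for e in entries:
        aid, parent = e.get("ID", "?"), e.get("Parent ID")
        if parent is None and e.get("Host authority") != "true":
            findings.append(f"{aid}: top-level authority that is not the host authority")
        elif parent is not None and parent not in by_id:
            findings.append(f"{aid}: parent {parent} is not in the listing")
        elif parent is not None and by_id[parent].get("Authority DN") != e.get("Issuer DN"):
            findings.append(f"{aid}: issuer DN does not match the parent's authority DN")
        if e.get("Enabled") != "true":
            findings.append(f"{aid}: disabled")
        if e.get("Ready to sign") != "true":
            findings.append(f"{aid}: not ready to sign")
    return findings
```

Feed it real output with `pki -n caadmin ca-authority-find | python3 lwca_audit.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; an empty findings list means the tree is consistent.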
To download the signing certificate:
```
$ wget http://$HOSTNAME:8080/ca/rest/authorities/77d0eaca-27d5-41ef-bfa5-44185294cfc7/cert
```
To download the certificate chain:
```
$ wget http://$HOSTNAME:8080/ca/rest/authorities/77d0eaca-27d5-41ef-bfa5-44185294cfc7/chain
```
In PKI 10.5 or later the certificate request can be submitted with the issuer ID:
```
$ pki client-cert-request UID=testuser \
    --issuer-id 77d0eaca-27d5-41ef-bfa5-44185294cfc7
```
or with the issuer DN:
```
$ pki client-cert-request UID=testuser --issuer-dn CN=test
```
In PKI 10.4 or older, first generate a CSR:
```
$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr -n UID=testuser
```
Then submit the CSR with the issuer ID:
```
$ pki ca-cert-request-submit --csr-file testuser.csr \
    --issuer-id 77d0eaca-27d5-41ef-bfa5-44185294cfc7
```
or with the issuer DN:
```
$ pki ca-cert-request-submit --csr-file testuser.csr --issuer-dn CN=test
```
Approve the request:
```
$ pki -n caadmin ca-cert-request-review <request ID> --action approve
```
Display the certificate:
```
$ pki ca-cert-show <serial number>
```