PKI CA Certificate CLI - dogtagpki/pki GitHub Wiki
The pki ca-cert commands provide an interface to manage certificates and certificate requests in the CA.
To manage certificate profiles, see PKI CA Profile CLI.
To manage certificate requests, see PKI CA Certificate Request CLI.
To list all certificates:
$ pki ca-cert-find
To list certificates with a specific status:
$ pki ca-cert-find --status VALID
To list certificates with a specific name:
$ pki ca-cert-find --name "Subsystem Certificate"
To generate a certificate request, see Generating Certificate Request.
To submit a certificate request, see Submitting Certificate Request.
To retrieve a certificate:
$ pki ca-cert-show <certificate ID> --encoded --output <filename>
Revoking, holding, or releasing certificates must be executed as a CA agent.
To revoke a certificate:
$ pki <agent authentication> ca-cert-revoke <certificate ID>
To hold a certificate temporarily:
$ pki <agent authentication> ca-cert-hold <certificate ID>
To release a certificate that has been held:
$ pki <agent authentication> ca-cert-release-hold <certificate ID>
The pki ca-cert-status command provides a simpler way to test an OCSP request by downloading the issuer certificate automatically from the server. However, a proper OCSP request should be generated using a proper OCSP client with the issuer certificate already installed on the client.
To check certificate status using the CA’s internal OCSP responder:
$ pki ca-cert-status <certificate ID>
To check certificate status using another OCSP responder:
$ pki ca-cert-status <certificate ID> --ocsp http://$HOSTNAME:8080/ocsp/ee/ocsp
See also OCSPClient.
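A status check done with the issuer certificate already installed on the client, as recommended above, using `openssl ocsp` in place of the OCSPClient tool; this is an added example, not part of the Dogtag wiki or the project's code. The function names, file names and sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dogtag project code. Function names, file names and the
# sample output below are constructed for illustration.

# ocsp_verdict: read `openssl ocsp` output on stdin and print one word:
#   good | revoked | unknown  - status from a response whose signature verified
#   unverified                - a status was returned but the response did not verify
#   error                     - no certificate status found in the output
ocsp_verdict() {
    awk '
        /Response verify OK/ { verified = 1 }
        /: good$/            { status = "good" }
        /: revoked$/         { status = "revoked" }
        /: unknown$/         { status = "unknown" }
        END {
            if (status == "")   print "error"
            else if (!verified) print "unverified"
            else                print status
        }'
}

# check_cert <issuer.pem> <cert.pem> <ocsp-url> [trust-chain.pem]
# The issuer certificate is read from a local file obtained out of band; it is
# never fetched from the responder being queried. The trust chain defaults to
# the issuer file, which assumes the issuer is a self-signed root CA.
check_cert() {
    openssl ocsp -issuer "$1" -cert "$2" -url "$3" -CAfile "${4:-$1}" 2>&1 |
        ocsp_verdict
}

# Offline demonstration on constructed output for a revoked certificate.
sample='Response verify OK
cert.pem: revoked
	This Update: Jan  1 00:00:00 2024 GMT
	Revocation Time: Dec 31 12:00:00 2023 GMT'
printf '%s\n' "$sample" | ocsp_verdict    # prints: revoked

# Against a live responder (URL form taken from the page):
#   check_cert ca_signing.pem cert.pem "http://$HOSTNAME:8080/ocsp/ee/ocsp"
```

The verdict is taken from the output text, so a status that arrives in a response whose signature did not verify is reported as `unverified` rather than trusted.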