PKI CA Profile CLI - dogtagpki/pki GitHub Wiki

Overview

This document describes the CLI to manage certificate profiles in CA. The commands can only be executed by CA admin.

To submit certificate requests using these profiles, see PKI CA Certificate CLI.

Listing Certificate Profiles

$ pki -n caadmin ca-profile-find
------------------
59 entries matched
------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.

  ...

-----------------------------
Number of entries returned 20
-----------------------------

Displaying Certificate Profile Details

To display a specific certificate profile:

$ pki -n caadmin ca-profile-show caUserCert
--------------------
Profile "caUserCert"
--------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.

  Name: Key Generation
  Class: keyGenInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Key Generation Request Type
    Attribute Syntax: keygen_request_type

    Attribute Name: cert_request
    Attribute Description: Key Generation Request
    Attribute Syntax: keygen_request

  ...

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print

To display a specific certificate profile in raw format:

$ pki -n caadmin ca-profile-show caUserCert --raw
#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
...

Exporting Certificate Profile

See Exporting Certificate Profile.

Adding Certificate Profile

See Adding Certificate Profile.

Modifying Certificate Profile

Note: A certificate profile must be disabled before it can be modified. Once the modification is complete, the profile can be reenabled.

To modify a certificate profile, download the current profile configuration, edit the file as needed, then upload the changes with pki ca-profile-mod command.

To upload an updated profile configuration in XML format:

$ pki -n caadmin ca-profile-mod caUserCert.xml

To upload an updated profile configuration in raw format:

$ pki -n caadmin ca-profile-mod caUserCert.cfg --raw

Editing Certificate Profile

See Editing Certificate Profile.

Deleting Certificate Profile

Note: A certificate profile must be disabled before it can be deleted.

To delete a certificate profile, execute the following command:

$ pki -n caadmin ca-profile-del caUserCert

Enabling Certificate Profile

See Enabling Certificate Profile.

Disabling Certificate Profile

See Disabling Certificate Profile.

See Also

⚠️ **GitHub.com Fallback** ⚠️