PKI CA Profile CLI - dogtagpki/pki GitHub Wiki
This document describes the CLI for managing certificate profiles in the CA. The commands can only be executed by a CA administrator.
To submit certificate requests using these profiles, see PKI CA Certificate CLI.
To list the certificate profiles:
$ pki -n caadmin ca-profile-find
------------------
59 entries matched
------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.
...
-----------------------------
Number of entries returned 20
-----------------------------
To display a specific certificate profile:
$ pki -n caadmin ca-profile-show caUserCert
--------------------
Profile "caUserCert"
--------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.
  Name: Key Generation
  Class: keyGenInputImpl
    Attribute Name: cert_request_type
    Attribute Description: Key Generation Request Type
    Attribute Syntax: keygen_request_type
    Attribute Name: cert_request
    Attribute Description: Key Generation Request
    Attribute Syntax: keygen_request
...
  Name: Certificate Output
  Class: certOutputImpl
    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print
    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print
To display a specific certificate profile in raw format:
$ pki -n caadmin ca-profile-show caUserCert --raw
#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
...
Note: A certificate profile must be disabled before it can be modified. Once the modification is complete, the profile can be reenabled.
To modify a certificate profile, download the current profile configuration, edit the file as needed, then upload the changes with the pki ca-profile-mod command.
To upload an updated profile configuration in XML format:
$ pki -n caadmin ca-profile-mod caUserCert.xml
To upload an updated profile configuration in raw format:
$ pki -n caadmin ca-profile-mod caUserCert.cfg --raw
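Because an uploaded profile controls what the CA will issue, it is worth reviewing the edited raw file against the downloaded copy before running pki ca-profile-mod. The following is an added example, not part of the Dogtag project or this wiki page: it diffs two raw profile configurations and labels changes that touch a policy constraint. The sample contents, the helper names and the simplified key=value parsing are assumptions made for illustration.

```python
import re

# Constructed samples in the raw format shown above (not a complete profile).
BEFORE = """\
#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
"""
AFTER = """\
#edited copy (constructed)
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.6.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
"""

CONSTRAINT_KEY = re.compile(r"^policyset\.[^.]+\.[^.]+\.constraint\.")

def parse_raw(text):
    """Parse key=value lines; '#' starts a comment (no escapes or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def note_for(key, new_value):
    """Label changes that touch a policy constraint; other changes get no label."""
    if not CONSTRAINT_KEY.match(key):
        return ""
    if new_value is None:
        return "constraint setting removed"
    if key.endswith(".class_id") and new_value == "noConstraintImpl":
        return "constraint no longer enforced"
    return "constraint changed"

def review(before_text, after_text):
    """Return (key, old, new, note) for each key whose value differs."""
    old, new = parse_raw(before_text), parse_raw(after_text)
    return [(k, old.get(k), new.get(k), note_for(k, new.get(k)))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]

if __name__ == "__main__":
    for key, a, b, note in review(BEFORE, AFTER):
        print(f"{key}: {a!r} -> {b!r} {note}".rstrip())
```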
Note: A certificate profile must be disabled before it can be deleted.
To delete a certificate profile, execute the following command:
$ pki -n caadmin ca-profile-del caUserCert