PKI CLI Initialization - dogtagpki/pki GitHub Wiki

Overview

The PKI CLI needs an NSS database to store the certificates and keys used for crypto operations such as establishing an SSL connection, certificate authentication, encryption/decryption, accessing a PKCS #12 file in FIPS mode, etc. The NSS database is not required for operations that involve no crypto, but it is recommended to create it before using the PKI client for the first time.

Creating NSS database

The NSS database can be created (or recreated) by executing the following commands. The password can be specified directly on the command line:

$ pki -c Secret.123 client-init

The password can also be specified in a file:

$ pki -C password.txt client-init

Note: Since PKI 10.4.1 the PKI CLI supports creating an NSS database without a password:

$ pki client-init

Also since PKI 10.4.1, if the PKI CLI is used without initialization it will create a default NSS database without a password.

By default the NSS database will be created at ~/.dogtag/nssdb. To create the NSS database at a different location, specify the path with the -d parameter:

$ pki -d ~/.config/pki/nssdb client-init

Enabling Trust Policy

If necessary, the trust policy can be enabled with the following command:

$ modutil \
    -dbdir ~/.dogtag/nssdb \
    -add p11-kit-trust \
    -libfile /usr/share/pki/lib/p11-kit-trust.so

Importing CA Certificate

Some operations may require an SSL connection to the server, during which the server presents its server certificate to the client. To authenticate the server certificate, the CA certificate needs to be installed on the client.

If the CA certificate is already available as a file, it can be imported with the following command:

$ pki client-cert-import "CA Signing Certificate" --ca-cert ca.crt

Another option is to download the CA certificate directly from the CA server:

$ pki client-cert-import "CA Signing Certificate" --ca-server

Alternatively, the CA certificate can be imported during the first SSL connection to the server:

$ pki -U https://$HOSTNAME:8443 ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? y
CA server URI [http://pki.example.com:8080/ca]:
...
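The initialization and CA import steps above, combined into a small shell helper added here (it is not part of the Dogtag project): it keeps the database password in a file with mode 0600 and passes it with -C, so the password does not appear in shell history or process listings as it would with -c, and it skips client-init when the database already exists. The password file path, the PKI_NSSDB_PASSWORD variable and the cert9.db/key4.db/cert8.db file names used to detect an existing database are assumptions, not from the page.

```shell
#!/bin/sh
# Added helper (not Dogtag project code): initialize the PKI CLI NSS database
# with the password read from a 0600 file (-C) rather than the command line (-c),
# then import the CA certificate if a file is given as the first argument.
set -e

NSSDB="${NSSDB:-$HOME/.dogtag/nssdb}"           # default location from the page
PWFILE="${PWFILE:-$HOME/.dogtag/password.txt}"  # assumed location of the password file

# Write the NSS database password to a file readable only by the owner.
write_password_file() {
    file="$1"; password="$2"
    mkdir -p "$(dirname "$file")"
    ( umask 077 && printf '%s\n' "$password" > "$file" )
    # Verify the mode is exactly 0600 before the password is ever used.
    case $(ls -ld "$file") in -rw-------*) return 0 ;; *) return 1 ;; esac
}

# True when the directory already holds an NSS database (sql or legacy dbm
# file names; cert9.db/key4.db is what current NSS creates). Assumed names.
nssdb_initialized() {
    dir="$1"
    { [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; } || [ -f "$dir/cert8.db" ]
}

# Create the database only when it does not exist yet, so reruns are safe.
init_nssdb() {
    dir="$1"; pwfile="$2"
    if nssdb_initialized "$dir"; then
        echo "NSS database already present at $dir"
        return 0
    fi
    pki -d "$dir" -C "$pwfile" client-init
}

# Import the CA certificate from a file so server certificates can be verified.
import_ca_cert() {
    dir="$1"; pwfile="$2"; cacert="$3"
    pki -d "$dir" -C "$pwfile" client-cert-import "CA Signing Certificate" --ca-cert "$cacert"
}

main() {
    password="${PKI_NSSDB_PASSWORD:?set PKI_NSSDB_PASSWORD in the environment}"
    write_password_file "$PWFILE" "$password"
    init_nssdb "$NSSDB" "$PWFILE"
    [ $# -ge 1 ] && import_ca_cert "$NSSDB" "$PWFILE" "$1"
    return 0
}
# Only run when the pki command is installed; otherwise just define the functions.
if command -v pki >/dev/null 2>&1; then main "$@"; fi
```

Run as `PKI_NSSDB_PASSWORD=... sh pki-init.sh ca.crt`; the password file is then reused by every later invocation via `pki -C`.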

Importing Admin Certificate

To execute admin operations using the PKI CLI, the admin certificate and key need to be imported into the NSS database. See Importing Admin Certificate into PKI CLI.
