PKI Console - dogtagpki/pki GitHub Wiki
The Certificate System provides a Java GUI-based administration tool called the Console. It is used for administrative tasks such as managing users and maintaining PKI subsystems (except TPS), performing daily operational and managerial duties for the subsystem, and configuring the server.

To install the PKI console:

```
$ dnf install pki-console
```
The PKI console uses an NSS database located in the following directory:

- Fedora: `~/.dogtag-idm-console`
- RHEL: `~/.redhat-idm-console`

If the database does not exist, it will be created automatically.

To create a new NSS database manually:

```
$ pki -d ~/.dogtag-idm-console client-init
```
To authenticate using a username and password, make sure the CS.cfg of the subsystem is configured as follows:

```
authType=pwd
```

By default the server is configured to use username and password authentication.

To authenticate using a client certificate, make sure the CS.cfg of the subsystem is configured as follows:

```
authType=sslclientauth
```

Then import the subsystem admin certificate into the NSS database, for example:

```
$ pki -d ~/.dogtag-idm-console client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123
```
To start the PKI console:

```
$ pkiconsole https://pki.example.com:8443/<subsystem>
```

Supported subsystems are: ca, kra, ocsp, tks.

If the access banner is enabled on the server, it will appear before the console is started, for example:

```
$ pkiconsole https://pki.example.com:8443/ca
WARNING!
Access to this service is restricted to those individuals with specific permissions.
Any attempts to gain access, authorized or not, and all operations that follow,
are audited and could be used against you in the court of law.
Do you want to proceed (y/N)? y
```
See also Access Banner.
See PKI Console Features.
Prior to PKI 10.4 the PKI Console did not have a session timeout.

Since PKI 10.4 the session timeout can be configured with the following parameter in /var/lib/pki/pki-tomcat/conf/server.xml:

```
<Server>
  <Service>
    <Connector name="Secure"
        ...
        keepAliveTimeout="300000"
        ... />
  </Service>
</Server>
```

The default value is 300000 ms (5 minutes).
See also Tomcat User Guide.
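As an added configuration check (not part of this wiki page or the project's own code), the following Python script parses constructed samples of the CS.cfg `authType` setting and the server.xml `Secure` connector described above, and flags password authentication or a `keepAliveTimeout` that is missing or longer than the 5 minute default. The sample file contents and the 5 minute threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant CS.cfg lines (not a real file).
CS_CFG = """\
authType=sslclientauth
"""

# Constructed sample of the relevant server.xml fragment (not a real file).
SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector name="Unsecure" port="8080" />
    <Connector name="Secure" port="8443" keepAliveTimeout="300000" />
  </Service>
</Server>
"""

def parse_cs_cfg(text):
    """Parse CS.cfg-style key=value lines into a dict, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def secure_keepalive_ms(xml_text):
    """keepAliveTimeout (ms) of the Connector named 'Secure', or None if unset."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("name") == "Secure":
            value = conn.get("keepAliveTimeout")
            return int(value) if value is not None else None
    return None

def audit(cs_cfg_text, server_xml_text, max_minutes=5):
    """Findings: password auth in use, or timeout missing / above max_minutes."""
    findings = []
    # authType falls back to 'pwd', the server default described on the page.
    auth = parse_cs_cfg(cs_cfg_text).get("authType", "pwd")
    if auth != "sslclientauth":
        findings.append(f"authType is {auth}; client certificate auth not enforced")
    ms = secure_keepalive_ms(server_xml_text)
    if ms is None:
        findings.append("Secure connector has no explicit keepAliveTimeout")
    elif ms > max_minutes * 60 * 1000:
        findings.append(f"keepAliveTimeout {ms} ms exceeds {max_minutes} min")
    return findings
```

Point `audit()` at the real CS.cfg and server.xml contents to review a deployed subsystem; an empty list means both settings match the client-certificate, 5 minute configuration.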
Create /usr/share/applications/pkiconsole.desktop:

```
[Desktop Entry]
Name=PKI Console
Comment=Manage PKI Server
Exec=/usr/bin/pkiconsole https://pki.example.com:8443/ca
Icon=pki
Terminal=true
Type=Application
Categories=RemoteAccess
```
```
$ pkiconsole -h
Usage: pkiconsole <URL> [OPTIONS..]

  -f <file>      Capture stderr and stdout to file.
  -D <options>   Debug options.
  -x <options>   Extra options (javalaf, nowinpos, nologo).
  -h,--help      Show help message.

Example: pkiconsole https://hostname:8443/ca
```

```
$ pkiconsole -D "?"
-D option format: -D [<type1,type2,...>][:<flag1,flag2,...]

Predefined Debug Types:
  n           Debug level 0<=n<=9, 0 = min info, 9 = max info
  ldap        LDAP Calls
  jss         JSS Calls
  http        HTTP Calls
  memgc       Garbage Collection
  rsptime     Response Time
  nojars      no jar files - for debuggers

Debug Flags:
  idx         Enumerate debug entries
  lvl         Show debug level for debug entries
  ts          Time stamp debug entries, format Hour:Minute:Second.Milliseconds
  cls         Show caller short mode: (file:line)
  clf         ShowCaller full mode: package.metod(file:line)
  all         Shortcut for enabling idx,lvl,ts,cls
  cs          Print call stack for each debug entry
  on<list>    Show only entries that contain strings in the filter <list>
  off<list>   Do not show entries that contain strings in the filter <list>

on/off filter <list> list has the format X<string1>[X<string2>X<string3>...]
where X is the list entry separator character.

Examples:
  -D 9:all
  -D ldap,http:idx
  -D ":cls,on@HttpChannel,off@send>"
```
- RHCS 8.1 - Creating Certificate Profiles through the CA Console
- RHCS 8.1 - Configuring Agent-Approved Key Recovery in the Console
- RHCS 8.1 - Setting up Automated Notifications in the Console
- RHCS 8.1 - Configuring Specific Jobs Using the Certificate Manager Console
- RHCS 8.1 - Starting the Certificate System Administrative Console