PKI Server CA Certificate CLI - dogtagpki/pki GitHub Wiki

Listing Certificates

To list the certificates in the CA:

$ pki-server ca-cert-find

Creating Certificate

To create a certificate from a certificate request in the CA:

$ pki-server ca-cert-create \
    --request <ID> \
    --profile <filename> \
    [--type <type>] \
    [--key-id <ID>] \
    [--serial <number>]

where:

  • The --request parameter specifies the request ID.

  • The --profile parameter specifies the filename of the bootstrap profile in /var/lib/pki/pki-tomcat/conf/ca without the path (e.g. serverCert.profile).

  • The --type parameter specifies whether the certificate to be created is self-signed (i.e. selfsign) or signed by another certificate (i.e. local).

  • The --key-id parameter specifies the key to be used for a self-signed certificate.

  • The --serial parameter specifies an optional serial number for the new certificate. If the serial number is not specified and the certificate ID generator is configured to random, a new random serial number will be generated automatically.

Availability: Since PKI 11.3.
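
The parameter rules above can be checked before the CA is touched. The following is an added example, not part of the PKI project: the function name check_ca_cert_create_args and the PKI_CA_CONF variable are hypothetical, and rejecting --key-id without --type selfsign is a policy assumed by this sketch.

```shell
#!/bin/sh
# Added example: pre-flight checks for `pki-server ca-cert-create` arguments.
# PKI_CA_CONF and check_ca_cert_create_args are hypothetical names.
PKI_CA_CONF="${PKI_CA_CONF:-/var/lib/pki/pki-tomcat/conf/ca}"

# Usage: check_ca_cert_create_args REQUEST PROFILE [TYPE] [KEY_ID] [SERIAL]
# Prints the command line to run on success; returns 1 with a reason on stderr.
check_ca_cert_create_args() {
    request=${1:-} profile=${2:-} cert_type=${3:-} key_id=${4:-} serial=${5:-}

    [ -n "$request" ] || { echo "missing request ID" >&2; return 1; }

    # --profile is a bare filename resolved against the CA conf directory.
    case $profile in
        ''|*/*) echo "profile must be a filename without a path" >&2; return 1 ;;
    esac
    [ -f "$PKI_CA_CONF/$profile" ] || {
        echo "profile not found: $PKI_CA_CONF/$profile" >&2; return 1; }

    # --type accepts selfsign or local.
    case $cert_type in
        ''|selfsign|local) ;;
        *) echo "type must be selfsign or local" >&2; return 1 ;;
    esac

    # Policy of this sketch (an assumption): a key ID without --type selfsign
    # is treated as an operator mistake, since --key-id is documented for
    # self-signed certificates.
    if [ -n "$key_id" ] && [ "$cert_type" != selfsign ]; then
        echo "--key-id given without --type selfsign" >&2; return 1
    fi

    # Build the command line from the validated values only.
    set -- pki-server ca-cert-create --request "$request" --profile "$profile"
    [ -z "$cert_type" ] || set -- "$@" --type "$cert_type"
    [ -z "$key_id" ]    || set -- "$@" --key-id "$key_id"
    [ -z "$serial" ]    || set -- "$@" --serial "$serial"
    printf '%s\n' "$*"
}
```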

Importing Certificate

To import a certificate into the CA:

$ pki-server ca-cert-import \
    --cert <path> \
    --profile <filename> \
    --request <ID>

where:

  • The --profile parameter specifies the filename of the bootstrap profile in /var/lib/pki/pki-tomcat/conf/ca without the path (e.g. serverCert.profile).

Availability: Since PKI 11.3.

Removing Certificate

To remove a certificate from the CA:

$ pki-server ca-cert-del <serial>

Exporting Certificate Chain

To export the certificate chain for installing additional subsystems:

$ pki-server ca-cert-chain-export --pkcs12-file cert-chain.p12 --pkcs12-password-file password.txt