PKI Server CA Certificate Request CLI - dogtagpki/pki GitHub Wiki

Overview

The pki-server ca-cert-request-* commands provide a way to manage certificate requests in the CA database when the PKI server is offline. These commands can only be executed by the system administrator.

Finding Certificate Requests

To find the certificate request for a certificate in the CA database:

$ pki-server ca-cert-request-find --cert-file <cert file>

As of PKI 10.4, the content of the certificate file has to be formatted as follows:

  • The certificate must be base-64 encoded.

  • Each line must be at most 64 bytes long and terminated with CRLF.

  • There is no BEGIN/END CERTIFICATE header/footer.

For example:

MIIDnTCCAoWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQKDAdFWEFN<CRLF>
UExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl<CRLF>
...
EzgqNUFrj/ATV31qVzEb6aka+93bd437Iga68OTz+8fhif8TbILWfJG87rU3w00D<CRLF>
DMK8f1ILzfnK1kUEkBQ9zoiDlQyiUsl6TDJKXFc8Woqi0VTgK2AJ7cVdrwtOiE++<CRLF>
6jk3lUH/goACLP5fIuZWqlM=<CRLF>

Note: The certificate format may change in the future.
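The following helper is an added example, not part of the wiki or of pki-server: it converts a PEM certificate into the layout listed above and checks a file against the three rules before it is passed to --cert-file. The function names and the sample data are hypothetical, and the 64-byte limit is assumed to exclude the CRLF, as in the sample lines.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not part of pki-server.

# Read a PEM (or bare base-64) certificate on stdin and write it in the
# layout listed above.
to_ca_cert_format() {
    grep -v '^-----' |               # no BEGIN/END header or footer
    tr -d ' \t\r\n' |                # join the base-64 text into one run
    fold -w 64 |                     # at most 64 bytes per line
    awk '{ printf "%s\r\n", $0 }'    # terminate every line with CRLF
}

# Exit 0 if FILE ($1) follows all three rules; otherwise print each
# violation and exit 1. Assumption: the 64-byte limit excludes the CRLF.
check_ca_cert_format() {
    awk '
        /^-----/        { print "line " NR ": BEGIN/END header or footer"; bad = 1; next }
        !/\r$/          { print "line " NR ": not terminated with CRLF"; bad = 1 }
                        { sub(/\r$/, "") }
        length($0) > 64 { print "line " NR ": longer than 64 bytes"; bad = 1 }
        $0 !~ "^[A-Za-z0-9+/=]+$" { print "line " NR ": not base-64 text"; bad = 1 }
        END { if (NR == 0) { print "empty file"; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# Constructed sample, not a real certificate: 100 base-64 characters
# wrapped at 76 columns with LF line endings, inside PEM markers.
sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%076d\n' 0 | tr 0 A
    printf '%024d\n' 0 | tr 0 B
    printf '%s\n' '-----END CERTIFICATE-----'
}
```

Typical use is to run to_ca_cert_format on the PEM file, redirect the output to a new file, confirm it with check_ca_cert_format, and then pass that file to --cert-file.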

Displaying Certificate Request

To display a certificate request in the CA database:

$ pki-server ca-cert-request-show <request ID>

Importing Certificate Request

To import a certificate request into the CA database:

$ pki-server ca-cert-request-import \
    [--request <ID>] \
    --csr <path> \
    --profile <filename>

where:

  • The --request parameter specifies an optional ID for the request. If the request ID is not specified and the request ID generator is configured to generate random IDs, a new random request ID will be generated automatically.

  • The --csr parameter specifies the relative or absolute path to the CSR file.

  • The --profile parameter specifies the filename of the bootstrap profile in /var/lib/pki/pki-tomcat/conf/ca without the path (e.g. serverCert.profile).

Availability: Since PKI 11.4.
