PKI Server CLI - dogtagpki/pki GitHub Wiki
PKI Server CLI (i.e. pki-server) is a server tool for managing PKI servers on the local machine. The command does not require authentication, but it can only be run by the system administrator (it operates directly on the server's files and NSS database, so OS-level privilege is the access control).
In general, the PKI Server CLI takes the following parameters:
$ pki-server [CLI options] <command> [command arguments/options]
The CLI options should be placed before the command. The command arguments/options should be placed after the command.
To view available commands and options:
$ pki-server --help
Some commands may have sub-commands. To view the sub-commands:
$ pki-server <command>
To view the command usage:
$ pki-server <command> --help
To run the command in verbose mode:
$ pki-server -v <command>
PKI Server CLI provides a shell mode to run multiple commands interactively.
To run PKI Server CLI in shell mode:
$ pki-server
PKI Server Command-Line Interface 11.9.0
pki-server> ca-user-add \
--full-name Administrator \
--type adminType \
admin
pki-server> ca-user-cert-add \
--cert admin.crt \
admin
pki-server> ca-user-role-add admin "Administrators"
pki-server> ca-user-role-add admin "Certificate Manager Agents"
pki-server> exit
Availability: Since PKI 11.9.
PKI Server CLI provides a batch mode to run multiple commands at once.
To run PKI Server CLI in batch mode, prepare the commands in a file (e.g. script.txt):
# create admin user
ca-user-add \
--full-name Administrator \
--type adminType \
admin
# import admin cert
ca-user-cert-add \
--cert admin.crt \
admin
# assign admin roles
ca-user-role-add admin "Administrators"
ca-user-role-add admin "Certificate Manager Agents"
Then execute the following command:
$ pki-server - < script.txt
Availability: Since PKI 11.9.
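Batch mode makes it easy to bootstrap several administrators in one run. The following added example (not part of the pki wiki or the project's own code) generates a batch script in the format shown above for a constructed set of users and pipes it to `pki-server -` when the tool is installed; the user ids, full names, cert file names and the `auditor` user are assumptions, while the command names, `--type adminType` and the quoted role names come from the page.

```shell
#!/bin/sh
# Added example: generate a pki-server batch script and feed it to "pki-server -".
set -eu

# Emit batch-mode commands for one user: create it, import its cert, assign roles.
# Arguments: user id, full name, cert file, then one or more role names.
# Values that may contain spaces are double-quoted, as the wiki does for role names.
emit_user_commands() {
    uid=$1; full_name=$2; cert=$3; shift 3
    printf '# create user %s\n' "$uid"
    printf 'ca-user-add \\\n--full-name "%s" \\\n--type adminType \\\n%s\n' "$full_name" "$uid"
    printf '# import cert for %s\n' "$uid"
    printf 'ca-user-cert-add \\\n--cert %s \\\n%s\n' "$cert" "$uid"
    printf '# assign roles to %s\n' "$uid"
    for role in "$@"; do
        printf 'ca-user-role-add %s "%s"\n' "$uid" "$role"
    done
}

# Write a batch script for the constructed (hypothetical) users below into $1.
build_batch_script() {
    out=$1
    {
        emit_user_commands admin Administrator admin.crt \
            "Administrators" "Certificate Manager Agents"
        emit_user_commands auditor "Audit Officer" auditor.crt "Auditors"
    } > "$out"
}

# Build the script, then run it in batch mode if pki-server is available;
# otherwise only print it so the generated commands can be reviewed.
run_batch() {
    build_batch_script "$1"
    if command -v pki-server >/dev/null 2>&1; then
        pki-server - < "$1"
    else
        cat "$1"
    fi
}

if [ -n "${1:-}" ]; then
    run_batch "$1"
fi
```

Review the generated file before running it on a production CA, since pki-server applies every line without further confirmation.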
Due to OpenLDAP changes in Fedora 29, Python is no longer able to use the NSS database to establish an SSL LDAP connection. This issue might affect the following commands:
- pki-server ca-cert-request-find
- pki-server ca-cert-request-show
- pki-server subsystem-cert-request-find
- pki-server db-upgrade
- pki-server cert-update
- pki-server cert-fix
- pki-server cert-create
Before executing the above commands, export the CA signing certificate chain from the NSS database into individual certificate files so that Python's LDAP client can validate the server certificate from a directory of PEM files, for example:
$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -n ca_signing -a > /var/lib/pki/pki-tomcat/conf/alias/ca_signing.crt
Then execute the following command to generate the hash files for the certificate files:
$ openssl rehash /var/lib/pki/pki-tomcat/conf/alias