PKI Server Certificate CLI - dogtagpki/pki GitHub Wiki
The pki-server cert commands provide an interface to manage system certificates.
The commands take a certificate ID (sometimes also called a certificate tag) instead of a certificate nickname. Valid certificate IDs are:
- ca_signing
- ca_ocsp_signing
- ca_audit_signing
- kra_storage
- kra_transport
- kra_audit_signing
- ocsp_signing
- ocsp_audit_signing
- tks_audit_signing
- tps_audit_signing
- sslserver
- subsystem
The certificate IDs are always the same on any instance. For example, a CA will always have ca_signing, ca_ocsp_signing, ca_audit_signing, sslserver, and subsystem certificates regardless of the actual certificate nicknames.
To list all certificates:
$ pki-server cert-find
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:43 2018
  Not Valid After: Sat Apr 03 23:15:43 2038

  Cert ID: ca_ocsp_signing
  Nickname: ocspSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:44 2018
  Not Valid After: Mon Mar 23 23:15:44 2020

  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-tomcat
  Token: Internal Key Storage Token
  Serial Number: 0x3
  Subject DN: CN=vm-066.abc.idm.lab.eng.brq.redhat.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:44 2018
  Not Valid After: Mon Mar 23 23:15:44 2020

  Cert ID: subsystem
  Nickname: subsystemCert cert-pki-tomcat
  Token: Internal Key Storage Token
  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:44 2018
  Not Valid After: Mon Mar 23 23:15:44 2020

  Cert ID: ca_audit_signing
  Nickname: auditSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:45 2018
  Not Valid After: Mon Mar 23 23:15:45 2020
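As an added example (not part of this page or of the pki project), a small Python check that parses the cert-find output format shown above and flags system certificates that have expired or will expire within a threshold, which is the situation the temporary sslserver certificate described below is meant to recover from. The sample input is a constructed copy of two of the records above; `now` is passed as an ISO 8601 string so the check is reproducible.

```python
from datetime import datetime

# Constructed sample in the `pki-server cert-find` output format shown above (two of the page's records)
CERT_FIND_OUTPUT = """\
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:43 2018
  Not Valid After: Sat Apr 03 23:15:43 2038

  Cert ID: sslserver
  Nickname: Server-Cert cert-pki-tomcat
  Token: Internal Key Storage Token
  Serial Number: 0x3
  Subject DN: CN=vm-066.abc.idm.lab.eng.brq.redhat.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:44 2018
  Not Valid After: Mon Mar 23 23:15:44 2020
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # cert-find date layout, e.g. "Mon Mar 23 23:15:44 2020"

def parse_cert_find(output):
    """Split cert-find output into one dict per 'Cert ID:' record."""
    certs, current = [], None
    for line in output.splitlines():
        if ":" not in line:
            continue                      # blank separator line between records
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Cert ID":              # a new record starts here
            current = {key: value}
            certs.append(current)
        elif current is not None:
            current[key] = value
    return certs

def expiring_certs(output, now, days=30):
    """Return (cert ID, days left) for certs expired or expiring within `days`.
    `now` is an ISO 8601 string such as "2020-03-01"; negative days left means already expired."""
    now = datetime.fromisoformat(now)
    result = []
    for cert in parse_cert_find(output):
        not_after = datetime.strptime(cert["Not Valid After"], DATE_FMT)
        left = (not_after - now).days
        if left <= days:
            result.append((cert["Cert ID"], left))
    return result
```

In practice the input would be the captured output of `pki-server cert-find`, so the check can run from cron before an expired sslserver certificate takes the subsystem down.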
To display basic certificate info:
$ pki-server cert-show ca_signing
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:43 2018
  Not Valid After: Sat Apr 03 23:15:43 2038
To pretty print the certificate:
$ pki-server cert-show ca_signing --pretty-print
  Cert ID: ca_signing
  Nickname: caSigningCert cert-pki-tomcat CA
  Token: Internal Key Storage Token
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Tue Apr 03 23:15:43 2018
  Not Valid After: Sat Apr 03 23:15:43 2038
  Certificate:
    Data:
      Version: 3 (0x2)
      Serial Number: 1 (0x1)
      Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
      Issuer: "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
      Validity:
        Not Before: Tue Apr 03 23:15:43 2018
        Not After : Sat Apr 03 23:15:43 2038
      Subject: "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE"
  ...
To generate a new key pair in the internal NSS token and an enrollment request:
$ pki-server cert-request \
    --subject "CN=CA Signing Certificate" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
To store the key pair in an HSM, specify the --token <name> option.
The enrollment request will be stored in /var/lib/pki/<instance>/conf/certs/<cert ID>.csr.
Availability: Since PKI 11.5.
The pki-server cert-create command can be used to create a permanent system certificate directly in the PKI server's NSS database, using RSNv3 serial numbers, so it can be used before the CA subsystem is created or while the server is down.
Note: Do not use this command with legacy serial number generators (i.e. sequential or RSNv1).
To create a self-signed CA signing certificate:
$ pki-server cert-create \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    ca_signing
To issue a certificate signed by the CA signing certificate:
$ pki-server cert-create \
    --issuer ca_signing \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    sslserver
To sign with a key in an HSM, specify the --token <name> option.
Availability: Since PKI 11.5.
The pki-server cert-create command can also be used to create a temporary SSL server certificate to restore the CA subsystem in case the existing certificate has already expired.
Note: The temporary certificate needs to be replaced with the permanent one once the CA subsystem is restored.
To create a temporary certificate with the same serial number:
$ pki-server cert-create sslserver --temp
To create a temporary certificate with a specific serial number:
$ pki-server cert-create sslserver --temp --serial <serial>
To renew a permanent certificate:
$ pki-server cert-create <cert ID> --renew
By default the new certificate will be stored in /var/lib/pki/<instance>/conf/certs/<cert ID>.crt. An optional --output <file> parameter can be added to specify a different output file.
The following command can be used to import a certificate into the NSS database.
Note: Prior to PKI 11.5 a copy of the certificate was also stored in CS.cfg. In PKI 11.5 or later the certificate is no longer stored in CS.cfg.
To import a certificate into the internal NSS token:
$ pki-server cert-import <cert ID>
By default it will import the certificate from /var/lib/pki/<instance>/conf/certs/<cert ID>.crt. An optional --input <file> parameter can be used to specify a different input file.
To import the certificate into an HSM, specify the --token <name> option.
By default it will import the certificate with the nickname specified in the CS.cfg of the subsystem. If the subsystem does not exist yet, it will use the cert ID as the nickname. To change the nickname, specify the --nickname <nickname> option.
To export a system certificate and key into a PKCS #12 file, execute the following command:
$ pki-server cert-export ca_signing --pkcs12-file ca_signing.p12 --pkcs12-password Secret.123
By default it will overwrite the output file. To append the certificate and key to an existing file, specify the --append parameter.
To export a certificate into a PEM file, execute the following command:
$ pki-server cert-export ca_signing --cert-file ca_signing.crt
To export the CSR, specify the --csr-file parameter:
$ pki-server cert-export ca_signing --csr-file ca_signing.csr
To remove a system certificate while retaining its key:
$ pki-server cert-del <cert ID>
To remove a system certificate and its key:
$ pki-server cert-del <cert ID> --remove-key