pki-cert(1)          PKI Certificate Management Commands          pki-cert(1)

pki-cert - Command-Line Interface for managing certificates on the
Certificate System server.

pki [CLI options] <subsystem>-cert
pki [CLI options] <subsystem>-cert-find [command options]
pki [CLI options] <subsystem>-cert-show <certificate ID> [command options]
pki [CLI options] <subsystem>-cert-revoke <certificate ID> [command options]
pki [CLI options] <subsystem>-cert-hold <certificate ID> [command options]
pki [CLI options] <subsystem>-cert-release-hold <certificate ID> [command options]
pki [CLI options] <subsystem>-cert-request-profile-find [command options]
pki [CLI options] <subsystem>-cert-request-profile-show <profile ID> [command options]
pki [CLI options] <subsystem>-cert-request-submit [command options]
pki [CLI options] <subsystem>-cert-request-review <request ID> [command options]

The pki-cert commands provide command-line interfaces to manage
certificates on the specified subsystem.

Valid subsystems are ca and tps. If the <subsystem>- prefix is omitted,
it will default to ca.

pki [CLI options] <subsystem>-cert
    This command lists the available certificate commands for the
    subsystem. Different subsystems may have different certificate
    commands.

pki [CLI options] <subsystem>-cert-find [command options]
    This command lists certificates in the subsystem.

pki [CLI options] <subsystem>-cert-show <certificate ID> [command options]
    This command shows the details of a certificate in the subsystem.

pki [CLI options] <subsystem>-cert-revoke <certificate ID>
    This command revokes a certificate.

pki [CLI options] <subsystem>-cert-hold <certificate ID>
    This command places a certificate on hold temporarily.

pki [CLI options] <subsystem>-cert-release-hold <certificate ID>
    This command releases a certificate that has been placed on hold.

pki [CLI options] <subsystem>-cert-request-profile-find [command options]
    This command lists the available certificate request templates.

pki [CLI options] <subsystem>-cert-request-profile-show <profile ID> [command options]
    This command shows a certificate request template.

pki [CLI options] <subsystem>-cert-request-submit [command options]
    This command submits a certificate request.

pki [CLI options] <subsystem>-cert-request-review <request ID> [command options]
    This command reviews a certificate request.

The CLI options are described in pki(1).

To view available certificate commands, type pki <subsystem>-cert. To
view each command's usage, type pki <subsystem>-cert-<command> --help.

Viewing Certificates
Certificates can be viewed anonymously.

To list all certificates in the CA:

    pki ca-cert-find

It is also possible to search for and list specific certificates by
adding a search filter. Use pki ca-cert-find --help to see options.
For example, to search based on issuance date:

    pki ca-cert-find --issuedOnFrom 2012-06-15

To list certificates with search constraints defined in a file:

    pki ca-cert-find --input <filename>

where the file is in the following format:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CertSearchRequest>

        <serialNumberRangeInUse>true</serialNumberRangeInUse>
        <serialFrom></serialFrom>
        <serialTo></serialTo>

        <subjectInUse>false</subjectInUse>
        <eMail></eMail>
        <commonName></commonName>
        <userID></userID>
        <orgUnit></orgUnit>
        <org></org>
        <locality></locality>
        <state></state>
        <country></country>

        <matchExactly>false</matchExactly>

        <status></status>

        <revokedByInUse>false</revokedByInUse>
        <revokedBy></revokedBy>

        <revokedOnInUse>false</revokedOnInUse>
        <revokedOnFrom></revokedOnFrom>
        <revokedOnTo></revokedOnTo>

        <revocationReasonInUse>false</revocationReasonInUse>
        <revocationReason></revocationReason>

        <issuedByInUse>false</issuedByInUse>
        <issuedBy></issuedBy>

        <issuedOnInUse>false</issuedOnInUse>
        <issuedOnFrom></issuedOnFrom>
        <issuedOnTo></issuedOnTo>

        <validNotBeforeInUse>false</validNotBeforeInUse>
        <validNotBeforeFrom></validNotBeforeFrom>
        <validNotBeforeTo></validNotBeforeTo>

        <validNotAfterInUse>false</validNotAfterInUse>
        <validNotAfterFrom></validNotAfterFrom>
        <validNotAfterTo></validNotAfterTo>

        <validityLengthInUse>false</validityLengthInUse>
        <validityOperation></validityOperation>
        <validityCount></validityCount>
        <validityUnit></validityUnit>

        <certTypeInUse>false</certTypeInUse>
        <certTypeSubEmailCA></certTypeSubEmailCA>
        <certTypeSubSSLCA></certTypeSubSSLCA>
        <certTypeSecureEmail></certTypeSecureEmail>

    </CertSearchRequest>

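Filling in the constraint file by hand is error-prone, so the following added example (not part of the original man page or of the pki project) sets individual elements in a copy of the template above and XML-escapes the values. The helper names and the file name search.xml are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; xml_escape, sed_escape, set_field and get_field are
# hypothetical helper names, not part of the pki CLI.

xml_escape() {  # escape characters that are special in XML text content
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

sed_escape() {  # escape characters that are special in a sed replacement
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

set_field() {   # $1 = constraint file, $2 = element name, $3 = new value
    case "$2" in
        ''|*[!A-Za-z]*) echo "bad element name: $2" >&2; return 2 ;;
    esac
    # Refuse to continue if the element is missing, so a typo in the name
    # cannot silently leave the search unconstrained.
    grep -q "<$2>[^<]*</$2>" "$1" || {
        echo "no <$2> element in $1" >&2; return 1; }
    val=$(sed_escape "$(xml_escape "$3")")
    sed "s|<$2>[^<]*</$2>|<$2>$val</$2>|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

get_field() {   # print the (XML-escaped) text of element $2 in file $1
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1"
}

# Typical use against a copy of the template above (search.xml):
#   set_field search.xml subjectInUse true
#   set_field search.xml commonName 'www.example.com'
#   set_field search.xml matchExactly true
#   pki ca-cert-find --input search.xml
```
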

To view a particular certificate:

    pki ca-cert-show <certificate ID>

Revoking Certificates
Revoking, holding, or releasing a certificate must be executed as an
agent user. To revoke a certificate:

    pki <agent authentication> ca-cert-revoke <certificate ID>

To place a certificate on hold temporarily:

    pki <agent authentication> ca-cert-hold <certificate ID>

To release a certificate that has been placed on hold:

    pki <agent authentication> ca-cert-release-hold <certificate ID>

Certificate Requests
To request a certificate, first generate a certificate signing request
(CSR), then submit it with a certificate profile. The list of available
profiles can be viewed using the following command:

    pki ca-cert-request-profile-find

To generate a CSR, use certutil, PKCS10Client, or CRMFPopClient, and
store it in a file.

Basic requests can be submitted using the following command:

    pki ca-cert-request-submit --profile <profile ID> --request-type <type> --csr-file <CSR file> --subject <subject DN>

To submit more advanced requests, download a template of the request
file for a particular profile using the following command:

    pki ca-cert-request-profile-show <profile ID> --output <request file>

Then, edit the request file, fill in the input attributes required by
the profile, and submit the request using the following command:

    pki ca-cert-request-submit <request file>

Depending on the profile, the command may require authentication (see
the profile configuration file). The CLI currently supports client
certificate authentication and directory-based authentication.

Also depending on the profile, an agent may need to review and approve
the request by running the following command:

    pki <agent authentication> ca-cert-request-review <request ID> --file <file to store the certificate request>

The --file <filename> and --action <action> options are mutually
exclusive (i.e., only one or the other may be specified during command
invocation).

If the --file <filename> option is specified, the certificate request,
as well as the defaults and constraints of the enrollment profile, will
be retrieved and stored in the output file provided by the --file
option. The agent can examine the file and override any values if
necessary. To process the request, enter the appropriate action when
prompted:

    Action (approve/reject/cancel/update/validate/assign/unassign):

The request in the file will be read in, and the specified action will
be applied against it.

Alternatively, when no changes to the request are necessary, the agent
can process the request in a single step using the --action <action>
option with the following command:

    pki <agent authentication> ca-cert-request-review <request ID> --action <action>

Ade Lee <alee@redhat.com>, Endi Dewata <edewata@redhat.com>, and
Matthew Harmsen <mharmsen@redhat.com>.

Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General
Public License, version 2 (GPLv2). A copy of this license is available
at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 10.2                    May 5, 2014                    pki-cert(1)