pki-cert(1)           PKI Certificate Management Commands          pki-cert(1)

NAME

       pki-cert - Command-Line Interface for managing certificates on the
       Certificate System server.

SYNOPSIS

       pki [CLI options] <subsystem>-cert
       pki [CLI options] <subsystem>-cert-find [command options]
       pki [CLI options] <subsystem>-cert-show <certificate ID> [command options]
       pki [CLI options] <subsystem>-cert-revoke <certificate ID> [command options]
       pki [CLI options] <subsystem>-cert-hold <certificate ID> [command options]
       pki [CLI options] <subsystem>-cert-release-hold <certificate ID> [command options]
       pki [CLI options] <subsystem>-cert-request-profile-find [command options]
       pki [CLI options] <subsystem>-cert-request-profile-show <profile ID> [command options]
       pki [CLI options] <subsystem>-cert-request-submit [command options]
       pki [CLI options] <subsystem>-cert-request-review <request ID> [command options]

DESCRIPTION

       The pki-cert commands provide command-line interfaces to manage
       certificates on the specified subsystem.

       Valid subsystems are ca and tps. If the <subsystem>- prefix is omitted,
       it will default to ca.

       pki [CLI options] <subsystem>-cert
           This command lists the certificate commands available for the
           subsystem. Different subsystems may have different certificate
           commands.

       pki [CLI options] <subsystem>-cert-find [command options]
           This command lists certificates in the subsystem.

       pki [CLI options] <subsystem>-cert-show <certificate ID> [command
       options]
           This command shows the details of a certificate in the subsystem.

       pki [CLI options] <subsystem>-cert-revoke <certificate ID>
           This command revokes a certificate.

       pki [CLI options] <subsystem>-cert-hold <certificate ID>
           This command places a certificate on hold temporarily.

       pki [CLI options] <subsystem>-cert-release-hold <certificate ID>
           This command releases a certificate that has been placed on hold.

       pki [CLI options] <subsystem>-cert-request-profile-find [command
       options]
           This command lists the available certificate request templates.

       pki [CLI options] <subsystem>-cert-request-profile-show <profile ID>
       [command options]
           This command shows a certificate request template.

       pki [CLI options] <subsystem>-cert-request-submit [command options]
           This command submits a certificate request.

       pki [CLI options] <subsystem>-cert-request-review <request ID> [command
       options]
           This command reviews a certificate request.

OPTIONS

       The CLI options are described in pki(1).

OPERATIONS

       To view available certificate commands, type pki <subsystem>-cert. To
       view each command's usage, type pki <subsystem>-cert-<command> --help.


   Viewing Certificates
       Certificates can be viewed anonymously.

       To list all certificates in the CA:

       pki ca-cert-find

       It is also possible to search for and list specific certificates by
       adding a search filter. Use pki ca-cert-find --help to see options.
       For example, to search based on issuance date:

       pki ca-cert-find --issuedOnFrom 2012-06-15

       To list certificates with search constraints defined in a file:

       pki ca-cert-find --input <filename>

       where the file is in the following format:


              <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
              <CertSearchRequest>

                  <serialNumberRangeInUse>true</serialNumberRangeInUse>
                  <serialFrom></serialFrom>
                  <serialTo></serialTo>

                  <subjectInUse>false</subjectInUse>
                  <eMail></eMail>
                  <commonName></commonName>
                  <userID></userID>
                  <orgUnit></orgUnit>
                  <org></org>
                  <locality></locality>
                  <state></state>
                  <country></country>

                  <matchExactly>false</matchExactly>

                  <status></status>

                  <revokedByInUse>false</revokedByInUse>
                  <revokedBy></revokedBy>

                  <revokedOnFrom>false</revokedOnFrom>
                  <revokedOnTo></revokedOnTo>

                  <revocationReasonInUse>false</revocationReasonInUse>
                  <revocationReason></revocationReason>

                  <issuedByInUse>false</issuedByInUse>
                  <issuedBy></issuedBy>

                  <issuedOnInUse>false</issuedOnInUse>
                  <issuedOnFrom></issuedOnFrom>
                  <issuedOnTo></issuedOnTo>

                  <validNotBeforeInUse>false</validNotBeforeInUse>
                  <validNotBeforeFrom></validNotBeforeFrom>
                  <validNotBeforeTo></validNotBeforeTo>

                  <validNotAfterInUse>false</validNotAfterInUse>
                  <validNotAfterFrom></validNotAfterFrom>
                  <validNotAfterTo></validNotAfterTo>

                  <validityLengthInUse>false</validityLengthInUse>
                  <validityOperation></validityOperation>
                  <validityCount></validityCount>
                  <validityUnit></validityUnit>

                  <certTypeInUse>false</certTypeInUse>
                  <certTypeSubEmailCA></certTypeSubEmailCA>
                  <certTypeSubSSLCA></certTypeSubSSLCA>
                  <certTypeSecureEmail></certTypeSecureEmail>

              </CertSearchRequest>


       To view a particular certificate:

       pki ca-cert-show <certificate ID>

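       The search-constraint file for pki ca-cert-find --input can be
       generated rather than edited by hand. The shell function below is an
       added example, not part of the original manual page; it enables only
       the serial number range group. It assumes that serialFrom and serialTo
       take decimal serial numbers and that value elements left out of the
       file are treated as unset; write_serial_filter and is_decimal are
       illustrative names.

```shell
#!/bin/sh
# Added example (not from the pki man page): build a CertSearchRequest file
# for `pki ca-cert-find --input <filename>` that filters on serial range only.
# Assumptions: serialFrom/serialTo accept decimal serial numbers, and value
# elements left out of the file are treated as unset by the server.

# is_decimal STRING: succeed only for a non-empty string of digits.
is_decimal() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_serial_filter FROM TO OUTFILE
# Writes the filter and returns 0; returns 1 without touching OUTFILE when a
# bound is not decimal or FROM is greater than TO.
write_serial_filter() {
    from=$1 to=$2 out=$3
    # Digits only: nothing that could inject markup reaches the XML.
    is_decimal "$from" && is_decimal "$to" || return 1
    # sort -n compares digit strings of any length, so serial numbers that
    # exceed the shell's integer range are still ordered correctly.
    printf '%s\n%s\n' "$from" "$to" | sort -n -c 2>/dev/null || return 1
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        printf '%s\n' '<CertSearchRequest>'
        printf '    <serialNumberRangeInUse>true</serialNumberRangeInUse>\n'
        printf '    <serialFrom>%s</serialFrom>\n' "$from"
        printf '    <serialTo>%s</serialTo>\n' "$to"
        # Switch every other filter group off explicitly.
        for group in subject revokedBy revocationReason issuedBy issuedOn \
                     validNotBefore validNotAfter validityLength certType; do
            printf '    <%sInUse>false</%sInUse>\n' "$group" "$group"
        done
        printf '    <matchExactly>false</matchExactly>\n'
        printf '%s\n' '</CertSearchRequest>'
    } > "$out"
}

# Usage, on a host with the pki CLI and a reachable CA:
#   write_serial_filter 1 100 range.xml && pki ca-cert-find --input range.xml
```
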
   Revoking Certificates
       Revoking, holding, or releasing a certificate must be executed as an
       agent user. To revoke a certificate:

       pki <agent authentication> ca-cert-revoke <certificate ID>

       To place a certificate on hold temporarily:

       pki <agent authentication> ca-cert-hold <certificate ID>

       To release a certificate that has been placed on hold:

       pki <agent authentication> ca-cert-release-hold <certificate ID>


   Certificate Requests
       To request a certificate, first generate a certificate signing request
       (CSR), then submit it with a certificate profile. The list of available
       profiles can be viewed using the following command:

       pki ca-cert-request-profile-find

       To generate a CSR, use certutil, PKCS10Client, or CRMFPopClient, and
       store it in a file.

       Basic requests can be submitted using the following command:

       pki ca-cert-request-submit --profile <profile ID> --request-type <type>
       --csr-file <CSR file> --subject <subject DN>

       To submit more advanced requests, download a template of the request
       file for a particular profile using the following command:

       pki ca-cert-request-profile-show <profile ID> --output <request file>

       Then, edit the request file, fill in the input attributes required by
       the profile, and submit the request using the following command:

       pki ca-cert-request-submit <request file>

       Depending on the profile, the command may require authentication (see
       the profile configuration file). The CLI currently supports client
       certificate authentication and directory-based authentication.

       Also depending on the profile, an agent may need to review and approve
       the request by running the following command:

       pki <agent authentication> ca-cert-request-review <request ID> --file
       <file to store the certificate request>

       The --file <filename> and --action <action> options are mutually
       exclusive (i.e., only one or the other may be specified during command
       invocation).

       If the --file <filename> option is specified, the certificate request,
       as well as the defaults and constraints of the enrollment profile, will
       be retrieved and stored in the output file provided by the --file
       option. The agent can examine the file and override any values if
       necessary. To process the request, enter the appropriate action when
       prompted:

       Action (approve/reject/cancel/update/validate/assign/unassign):

       The request in the file will be read in, and the specified action will
       be applied against it.

       Alternatively, when no changes to the request are necessary, the agent
       can process the request in a single step using the --action <action>
       option with the following command:

       pki <agent authentication> ca-cert-request-review <request ID> --action
       <action>

AUTHORS

       Ade Lee <alee@redhat.com>, Endi Dewata <edewata@redhat.com>, and
       Matthew Harmsen <mharmsen@redhat.com>.


       Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.



version 10.2                      May 5, 2014                      pki-cert(1)