pki-server-cert(8) PKI Cert Commands pki-server-cert(8)

NAME
       pki-server-cert - Command-Line Interface for managing System Certificates.

SYNOPSIS
       pki-server [CLI options] cert
       pki-server [CLI options] cert-find
       pki-server [CLI options] cert-update <cert ID>
       pki-server [CLI options] cert-create <cert ID>
       pki-server [CLI options] cert-import <cert ID>

DESCRIPTION
       The pki-server cert commands provide command-line interfaces to manage
       system certificates.

       pki-server cert commands perform system certificate related operations
       on a specific CS instance. All pki-server cert commands require the
       cert ID to identify the target certificate.

       pki-server [CLI options] cert
              This command lists the available cert commands.

       pki-server [CLI options] cert-find
              This command lists all system certificates.

       pki-server [CLI options] cert-update <cert ID>
              This command updates the system certificate data and CSR in
              the corresponding subsystem's CS.cfg.

       pki-server [CLI options] cert-create <cert ID>
              This command creates a system certificate.

       pki-server [CLI options] cert-import <cert ID>
              This command imports the certificate into the NSS database and
              updates the corresponding subsystem's CS.cfg.

       To view each command's usage, type pki-server cert-<command> --help.

       All pki-server commands must be executed as the system administrator.


OPTIONS
       The other CLI options are described in pki-server(8).


OPERATIONS
       The pki-server cert commands are used as part of the offline system
       certificate renewal process.

       Assumptions:

       1. Valid CA signing cert

       2. Valid admin cert

       3. PKI server is currently down

       Steps for offline system certificate renewal:

       A. Run these commands to verify our assumptions:

          1. List details of all system certificates
             pki-server cert-find

          2. Check details of the admin cert
             certutil -L \
                 -d <client NSS DB dir> \
                 -n <admin cert nickname>

          3. Check the status of the PKI server
             systemctl status pki-tomcatd@pki-tomcat

          Note: Take the sslserver cert serial number from step #1 above; it
          is needed to create the permanent cert later. The admin also needs
          to make a list of the certs from step #1 that need to be renewed.

       B. To bring up a PKI server that has an expired SSL certificate:

          1. Create a temporary SSL certificate
             pki-server cert-create sslserver --temp

          2. Import the temporary SSL certificate into the NSS database and
             update the corresponding subsystem's CS.cfg
             pki-server cert-import sslserver

          3. Start the PKI server using the new temporary SSL cert
             systemctl restart pki-tomcatd@pki-tomcat

       C. To renew system certificates:

          1. The admin will need to create the system certs, reported in step
             #A1 above, that are almost expired or already expired.
             pki-server cert-create <cert ID> --renew \
                 -d <client NSS DB dir> \
                 -c <NSS DB password> \
                 -n <admin nickname>

             For the SSL server certificate:
             pki-server cert-create sslserver --renew \
                 --serial <old serial> \
                 -d <client NSS DB dir> \
                 -c <NSS DB password> \
                 -n <admin nickname>

          2. Stop the server to prevent NSS database corruption while
             importing:
             systemctl stop pki-tomcatd@pki-tomcat

          3. Import the renewed system certificate into the NSS database and
             update the corresponding subsystem's CS.cfg
             pki-server cert-import <cert ID>

          4. Start the server with the renewed permanent system certificates
             systemctl start pki-tomcatd@pki-tomcat

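       The following shell wrapper is an added example, not part of this man
       page or of the pki-server tool: it derives the renewal list and the old
       sslserver serial from cert-find output and then echoes (or, with
       DO_RENEW=1, runs) steps B and C in the order given above. It assumes
       cert-find prints "Key: value" lines including "Cert ID:", "Serial Number:"
       and "Not Valid After:" with ISO dates; the embedded sample is constructed,
       and the NSS DB path, password and nickname in the usage line are placeholders.

```shell
# Added example (not from the pki-server man page): plan and drive the offline
# renewal procedure above from `pki-server cert-find` output. Assumed format:
# "Key: value" lines per cert with "Cert ID:", "Serial Number:" and
# "Not Valid After:" fields and ISO dates; the sample below is constructed.
SAMPLE_CERT_FIND='  Cert ID: ca_signing
  Serial Number: 0x1
  Not Valid After: 2035-01-01

  Cert ID: sslserver
  Serial Number: 0x9
  Not Valid After: 2023-11-01

  Cert ID: subsystem
  Serial Number: 0xa
  Not Valid After: 2023-11-30
'

# Cert IDs whose "Not Valid After" is before the cutoff ($1, YYYY-MM-DD):
# expired or about to expire, so they need renewal (the note under step A).
certs_to_renew() {
  awk -v cutoff="$1" '/Cert ID:/ { id = $3 }
                      /Not Valid After:/ { if ($4 < cutoff) print id }'
}

# Serial of the current sslserver cert, needed for --serial in step C1.
sslserver_serial() {
  awk '/Cert ID:/ { id = $3 }; /Serial Number:/ { if (id == "sslserver") print $3 }'
}

# Steps B and C. Reads cert-find output on stdin; commands are only echoed
# unless DO_RENEW=1, so the plan can be reviewed before touching the instance.
# Usage: pki-server cert-find | offline_renew <cutoff> <NSS DB dir> <NSS DB pw> <admin nick>
offline_renew() {
  cutoff=$1; nssdb=$2; nsspw=$3; admin=$4; input=$(cat)
  todo=$(printf '%s\n' "$input" | certs_to_renew "$cutoff")
  serial=$(printf '%s\n' "$input" | sslserver_serial)
  run() { if [ "${DO_RENEW:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi; }
  if printf '%s\n' "$todo" | grep -qx sslserver; then   # B: SSL cert expired
    run pki-server cert-create sslserver --temp
    run pki-server cert-import sslserver
    run systemctl restart pki-tomcatd@pki-tomcat
  else run systemctl start pki-tomcatd@pki-tomcat; fi   # SSL cert still usable (assumption)
  for id in $todo; do                                   # C1: renew each listed cert
    if [ "$id" = sslserver ]; then extra="--serial $serial"; else extra=""; fi
    run pki-server cert-create "$id" --renew $extra -d "$nssdb" -c "$nsspw" -n "$admin"
  done
  run systemctl stop pki-tomcatd@pki-tomcat            # C2: avoid NSS DB corruption
  for id in $todo; do run pki-server cert-import "$id"; done   # C3
  run systemctl start pki-tomcatd@pki-tomcat           # C4
}
```

       Review the echoed plan first; the cutoff date is chosen by the admin so
       that certs expiring before it are renewed in the same maintenance window.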
AUTHORS
       Dinesh Prasanth M K <dmoluguw@redhat.com>

COPYRIGHT
       Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.



version 10.4 Aug 1, 2017 pki-server-cert(8)