pki-cert(1) PKI Certificate Management Commands pki-cert(1)

NAME
pki-ca-cert - Command-line interface for managing certificates on PKI CA.

SYNOPSIS
pki [CLI-options] ca-cert
pki [CLI-options] ca-cert-find [command-options]
pki [CLI-options] ca-cert-show cert-ID [command-options]
pki [CLI-options] ca-cert-revoke cert-ID [command-options]
pki [CLI-options] ca-cert-hold cert-ID [command-options]
pki [CLI-options] ca-cert-release-hold cert-ID [command-options]
pki [CLI-options] ca-cert-request-profile-find [command-options]
pki [CLI-options] ca-cert-request-profile-show profile-ID [command-options]
pki [CLI-options] ca-cert-request-submit [command-options]
pki [CLI-options] ca-cert-request-review request-ID [command-options]

DESCRIPTION
The pki-cert commands provide command-line interfaces to manage certificates on the CA.

pki [CLI-options] ca-cert
This command is to list available certificate commands.

pki [CLI-options] ca-cert-find [command-options]
This command is to list certificates in the CA.

pki [CLI-options] ca-cert-show cert-ID [command-options]
This command is to view a certificate's details.

pki [CLI-options] ca-cert-revoke cert-ID
This command is to revoke a certificate.

pki [CLI-options] ca-cert-hold cert-ID
This command is to place a certificate on hold temporarily.

pki [CLI-options] ca-cert-release-hold cert-ID
This command is to release a certificate that has been placed on hold.

pki [CLI-options] ca-cert-request-profile-find [command-options]
This command is to list available certificate request templates.

pki [CLI-options] ca-cert-request-profile-show profile-ID [command-options]
This command is to view a certificate request template.

pki [CLI-options] ca-cert-request-submit [command-options]
This command is to submit a certificate request.

pki [CLI-options] ca-cert-request-review request-ID [command-options]
This command is to review a certificate request.

OPTIONS
The command-options are described in pki(1).

OPERATIONS
To view available certificate commands, type pki ca-cert. To view each command's usage, type pki ca-cert-<command> --help.

Viewing Certificates
Certificates can be viewed anonymously.

To list all certificates in the CA:

$ pki ca-cert-find

It is also possible to search for and list specific certificates by adding a search filter. Use pki ca-cert-find --help to see options. For example, to search based on issuance date:

$ pki ca-cert-find --issuedOnFrom 2012-06-15

To list certificates with search constraints defined in a file:

$ pki ca-cert-find --input <filename>

where the file is in the following format:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>

<serialNumberRangeInUse>true</serialNumberRangeInUse>
<serialFrom></serialFrom>
<serialTo></serialTo>

<subjectInUse>false</subjectInUse>
<eMail></eMail>
<commonName></commonName>
<userID></userID>
<orgUnit></orgUnit>
<org></org>
<locality></locality>
<state></state>
<country></country>

<matchExactly>false</matchExactly>

<status></status>

<revokedByInUse>false</revokedByInUse>
<revokedBy></revokedBy>

<revokedOnInUse>false</revokedOnInUse>
<revokedOnFrom></revokedOnFrom>
<revokedOnTo></revokedOnTo>

<revocationReasonInUse>false</revocationReasonInUse>
<revocationReason></revocationReason>

<issuedByInUse>false</issuedByInUse>
<issuedBy></issuedBy>

<issuedOnInUse>false</issuedOnInUse>
<issuedOnFrom></issuedOnFrom>
<issuedOnTo></issuedOnTo>

<validNotBeforeInUse>false</validNotBeforeInUse>
<validNotBeforeFrom></validNotBeforeFrom>
<validNotBeforeTo></validNotBeforeTo>

<validNotAfterInUse>false</validNotAfterInUse>
<validNotAfterFrom></validNotAfterFrom>
<validNotAfterTo></validNotAfterTo>

<validityLengthInUse>false</validityLengthInUse>
<validityOperation></validityOperation>
<validityCount></validityCount>
<validityUnit></validityUnit>

<certTypeInUse>false</certTypeInUse>
<certTypeSubEmailCA></certTypeSubEmailCA>
<certTypeSubSSLCA></certTypeSubSSLCA>
<certTypeSecureEmail></certTypeSecureEmail>

</CertSearchRequest>
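The search-constraint file is mostly boilerplate, and a range is only applied when its matching *InUse flag is set to true. The script below is an added example, not part of the man page or of the Dogtag project, that builds such a file from the command line for two routine defender-side searches: certificates whose validity ends inside a window (renewal planning) and certificates issued inside a window (issuance audit). The XML element names are the ones from the template above; the function name cert_search_request, the date check, and the output path are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the pki-cert man page or the Dogtag project):
# generate a CertSearchRequest file in the format shown above, so that
#   pki ca-cert-find --input <file>
# runs a saved, repeatable search. Element names come from the template
# on the page; the function name, date check and output path are this
# example's own choices.

# Dates use the YYYY-MM-DD form that --issuedOnFrom takes on the
# command line; anything else is rejected before a file is written.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_search_request KIND FROM TO
#   KIND "expiring": certificates whose validNotAfter falls in [FROM, TO]
#                    (what a renewal sweep wants to see)
#   KIND "issued":   certificates whose issuedOn falls in [FROM, TO]
#                    (what an issuance audit wants to see)
# Prints the XML on stdout; returns 1 on bad input without printing.
# The CA only honours a range whose *InUse flag is "true", so the flag
# and the range are always set together.
cert_search_request() {
    kind=$1; from=$2; to=$3
    if ! valid_date "$from" || ! valid_date "$to"; then
        echo "cert_search_request: dates must be YYYY-MM-DD" >&2
        return 1
    fi
    issued_on=false; iss_from=; iss_to=
    expires=false;   exp_from=; exp_to=
    case "$kind" in
        issued)   issued_on=true; iss_from=$from; iss_to=$to ;;
        expiring) expires=true;   exp_from=$from; exp_to=$to ;;
        *) echo "cert_search_request: kind must be 'issued' or 'expiring'" >&2
           return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>
  <serialNumberRangeInUse>false</serialNumberRangeInUse>
  <subjectInUse>false</subjectInUse>
  <matchExactly>false</matchExactly>
  <revokedByInUse>false</revokedByInUse>
  <revocationReasonInUse>false</revocationReasonInUse>
  <issuedByInUse>false</issuedByInUse>
  <issuedOnInUse>${issued_on}</issuedOnInUse>
  <issuedOnFrom>${iss_from}</issuedOnFrom>
  <issuedOnTo>${iss_to}</issuedOnTo>
  <validNotBeforeInUse>false</validNotBeforeInUse>
  <validNotAfterInUse>${expires}</validNotAfterInUse>
  <validNotAfterFrom>${exp_from}</validNotAfterFrom>
  <validNotAfterTo>${exp_to}</validNotAfterTo>
  <validityLengthInUse>false</validityLengthInUse>
  <certTypeInUse>false</certTypeInUse>
</CertSearchRequest>
EOF
}

# Usage: write the file, then hand it to the CLI (the pki call is left
# as a comment because it needs a reachable CA).
out=${TMPDIR:-/tmp}/expiring-certs.xml
cert_search_request expiring 2024-01-01 2024-03-31 > "$out"
# $ pki ca-cert-find --input "$out"
```

Keeping the generated file under version control alongside the agent's procedures gives a repeatable query whose constraints can be reviewed, which is harder to do with ad hoc command-line filters.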

To view a particular certificate:

$ pki ca-cert-show <certificate ID>

Revoking Certificates
Revoking, holding, or releasing a certificate must be executed as an agent user. To revoke a certificate:

$ pki <agent authentication> ca-cert-revoke <certificate ID>

To place a certificate on hold temporarily:

$ pki <agent authentication> ca-cert-hold <certificate ID>

To release a certificate that has been placed on hold:

$ pki <agent authentication> ca-cert-release-hold <certificate ID>

Certificate Requests
To request a certificate, first generate a certificate signing request (CSR), then submit it with a certificate profile. The list of available profiles can be viewed using the following command:

$ pki ca-cert-request-profile-find

To generate a CSR, use certutil, PKCS10Client, or CRMFPopClient, and store it into a file.

Basic requests can be submitted using the following command:

$ pki ca-cert-request-submit \
--profile <profile ID> --request-type <type> --csr-file <CSR file> --subject <subject DN>

To submit more advanced requests, download a template of the request file for a particular profile using the following command:

$ pki ca-cert-request-profile-show <profile ID> --output <request file>

Then, edit the request file, fill in the input attributes required by the profile, and submit the request using the following command:

$ pki ca-cert-request-submit <request file>

Depending on the profile, the command may require authentication (see the profile configuration file). The CLI currently supports client certificate authentication and directory-based authentication.

A certificate renewal request can be submitted using the following command:

$ pki ca-cert-request-submit --profile <Renewal Profile> --serial <Certificate ID> --renewal

Also depending on the profile, an agent may need to review and approve the request by running the following command:

$ pki <agent authentication> ca-cert-request-review <request ID> \
--file <file to store the certificate request>

The --file and --action options are mutually exclusive (i.e. only one or the other may be specified during command invocation).

If the --file option is specified, the certificate request, as well as the defaults and constraints of the enrollment profile, will be retrieved and stored in the output file provided by the --file option. The agent can examine the file and override any values if necessary. To process the request, enter the appropriate action when prompted:

Action (approve/reject/cancel/update/validate/assign/unassign):

The request in the file will be read in, and the specified action will be applied against it.

Alternatively, when no changes to the request are necessary, the agent can process the request in a single step using the --action option with the following command:

$ pki <agent authentication> ca-cert-request-review <request ID> --action <action>

AUTHORS
Ade Lee <alee@redhat.com>, Endi S. Dewata <edewata@redhat.com>, and Matthew Harmsen <mharmsen@redhat.com>.

COPYRIGHT
Copyright (c) 2014 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt>.

PKI May 5, 2014 pki-cert(1)