pki-cert(1)           PKI Certificate Management Commands          pki-cert(1)

NAME

       pki-ca-cert - Command-line interface for managing certificates on PKI
       CA.

SYNOPSIS

       pki [CLI-options] ca-cert
       pki [CLI-options] ca-cert-find [command-options]
       pki [CLI-options] ca-cert-show cert-ID [command-options]
       pki [CLI-options] ca-cert-revoke cert-ID [command-options]
       pki [CLI-options] ca-cert-hold cert-ID [command-options]
       pki [CLI-options] ca-cert-release-hold cert-ID [command-options]
       pki [CLI-options] ca-cert-request-profile-find [command-options]
       pki [CLI-options] ca-cert-request-profile-show profile-ID [command-options]
       pki [CLI-options] ca-cert-request-submit [command-options]
       pki [CLI-options] ca-cert-request-review request-ID [command-options]

DESCRIPTION

       The pki-cert commands provide command-line interfaces to manage
       certificates on the CA.

       pki [CLI-options] ca-cert
           This command lists the available certificate commands.

       pki [CLI-options] ca-cert-find [command-options]
           This command lists certificates in the CA.

       pki [CLI-options] ca-cert-show cert-ID [command-options]
           This command shows the details of a certificate.

       pki [CLI-options] ca-cert-revoke cert-ID
           This command revokes a certificate.

       pki [CLI-options] ca-cert-hold cert-ID
           This command places a certificate on hold temporarily.

       pki [CLI-options] ca-cert-release-hold cert-ID
           This command releases a certificate that has been placed on hold.

       pki [CLI-options] ca-cert-request-profile-find [command-options]
           This command lists the available certificate request templates.

       pki [CLI-options] ca-cert-request-profile-show profile-ID [command-options]
           This command shows a certificate request template.

       pki [CLI-options] ca-cert-request-submit [command-options]
           This command submits a certificate request.

       pki [CLI-options] ca-cert-request-review request-ID [command-options]
           This command reviews a certificate request.

OPTIONS

       The command-options are described in pki(1).

OPERATIONS

       To view available certificate commands, type pki ca-cert.  To view each
       command's usage, type pki ca-cert-<command> --help.

   Viewing Certificates
       Certificates can be viewed anonymously.

       To list all certificates in the CA:

              $ pki ca-cert-find

       It is also possible to search for and list specific certificates by
       adding a search filter.  Use pki ca-cert-find --help to see options.
       For example, to search based on issuance date:

              $ pki ca-cert-find --issuedOnFrom 2012-06-15

       To list certificates with search constraints defined in a file:

              $ pki ca-cert-find --input <filename>

       where the file is in the following format:

              <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
              <CertSearchRequest>

                  <serialNumberRangeInUse>true</serialNumberRangeInUse>
                  <serialFrom></serialFrom>
                  <serialTo></serialTo>

                  <subjectInUse>false</subjectInUse>
                  <eMail></eMail>
                  <commonName></commonName>
                  <userID></userID>
                  <orgUnit></orgUnit>
                  <org></org>
                  <locality></locality>
                  <state></state>
                  <country></country>

                  <matchExactly>false</matchExactly>

                  <status></status>

                  <revokedByInUse>false</revokedByInUse>
                  <revokedBy></revokedBy>

                  <revokedOnInUse>false</revokedOnInUse>
                  <revokedOnFrom></revokedOnFrom>
                  <revokedOnTo></revokedOnTo>

                  <revocationReasonInUse>false</revocationReasonInUse>
                  <revocationReason></revocationReason>

                  <issuedByInUse>false</issuedByInUse>
                  <issuedBy></issuedBy>

                  <issuedOnInUse>false</issuedOnInUse>
                  <issuedOnFrom></issuedOnFrom>
                  <issuedOnTo></issuedOnTo>

                  <validNotBeforeInUse>false</validNotBeforeInUse>
                  <validNotBeforeFrom></validNotBeforeFrom>
                  <validNotBeforeTo></validNotBeforeTo>

                  <validNotAfterInUse>false</validNotAfterInUse>
                  <validNotAfterFrom></validNotAfterFrom>
                  <validNotAfterTo></validNotAfterTo>

                  <validityLengthInUse>false</validityLengthInUse>
                  <validityOperation></validityOperation>
                  <validityCount></validityCount>
                  <validityUnit></validityUnit>

                  <certTypeInUse>false</certTypeInUse>
                  <certTypeSubEmailCA></certTypeSubEmailCA>
                  <certTypeSubSSLCA></certTypeSubSSLCA>
                  <certTypeSecureEmail></certTypeSecureEmail>

              </CertSearchRequest>
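
       The following Python check is an added example, not part of the pki
       tools: it reads a search file before it is passed to --input and reports
       value elements that are filled in while their *InUse flag is not true.
       It assumes the CA applies a group only when its flag is true; the GROUPS
       table follows the template above and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Flag element -> value elements it governs, following the template.
# Assumption: the CA applies a group only when its *InUse flag is "true".
GROUPS = {
    "serialNumberRangeInUse": ["serialFrom", "serialTo"],
    "subjectInUse": ["eMail", "commonName", "userID", "orgUnit", "org",
                     "locality", "state", "country"],
    "revokedByInUse": ["revokedBy"],
    "revocationReasonInUse": ["revocationReason"],
    "issuedByInUse": ["issuedBy"],
    "issuedOnInUse": ["issuedOnFrom", "issuedOnTo"],
    "validNotBeforeInUse": ["validNotBeforeFrom", "validNotBeforeTo"],
    "validNotAfterInUse": ["validNotAfterFrom", "validNotAfterTo"],
    "validityLengthInUse": ["validityOperation", "validityCount",
                            "validityUnit"],
    "certTypeInUse": ["certTypeSubEmailCA", "certTypeSubSSLCA",
                      "certTypeSecureEmail"],
}

def lint_search_request(xml_text):
    """Return findings for filters that are filled in but switched off."""
    root = ET.fromstring(xml_text)
    if root.tag != "CertSearchRequest":
        return ["root element is <%s>, expected <CertSearchRequest>" % root.tag]
    findings = []
    for flag, fields in GROUPS.items():
        state = (root.findtext(flag) or "").strip().lower()
        if state not in ("", "true", "false"):
            findings.append("%s: '%s' is not true/false" % (flag, state))
            continue
        filled = [f for f in fields if (root.findtext(f) or "").strip()]
        if filled and state != "true":
            findings.append("%s is off but %s set" % (flag, ", ".join(filled)))
    return findings

# Constructed sample: commonName is filled in while the subject group is off.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>
    <serialNumberRangeInUse>true</serialNumberRangeInUse>
    <serialFrom></serialFrom>
    <subjectInUse>false</subjectInUse>
    <commonName>server.example.test</commonName>
    <matchExactly>true</matchExactly>
</CertSearchRequest>"""

if __name__ == "__main__":
    for finding in lint_search_request(SAMPLE):
        print(finding)
```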

       To view a particular certificate:

              $ pki ca-cert-show <certificate ID>

   Revoking Certificates
       Revoking, holding, or releasing a certificate must be executed as an
       agent user.  To revoke a certificate:

              $ pki <agent authentication> ca-cert-revoke <certificate ID>

       To place a certificate on hold temporarily:

              $ pki <agent authentication> ca-cert-hold <certificate ID>

       To release a certificate that has been placed on hold:

              $ pki <agent authentication> ca-cert-release-hold <certificate ID>

   Certificate Requests
       To request a certificate, first generate a certificate signing request
       (CSR), then submit it with a certificate profile.  The list of
       available profiles can be viewed using the following command:

              $ pki ca-cert-request-profile-find

       To generate a CSR, use certutil, PKCS10Client, or CRMFPopClient, and
       store it in a file.

       Basic requests can be submitted using the following command:

              $ pki ca-cert-request-submit \
                  --profile <profile ID> --request-type <type> --csr-file <CSR file> --subject <subject DN>

       To submit more advanced requests, download a template of the request
       file for a particular profile using the following command:

              $ pki ca-cert-request-profile-show <profile ID> --output <request file>

       Then, edit the request file, fill in the input attributes required by
       the profile, and submit the request using the following command:

              $ pki ca-cert-request-submit <request file>

       Depending on the profile, the command may require authentication (see
       the profile configuration file).  The CLI currently supports client
       certificate authentication and directory-based authentication.

       A certificate renewal request can be submitted using the following
       command:

              $ pki ca-cert-request-submit --profile <Renewal Profile> --serial <Certificate ID> --renewal

       Also depending on the profile, an agent may need to review and approve
       the request by running the following command:

              $ pki <agent authentication> ca-cert-request-review <request ID> \
                  --file <file to store the certificate request>

249
250       Also depending on the profile, an agent may need to review and  approve
251       the request by running the following command:
252
253
254              $ pki <agent authentication> ca-cert-request-review <request ID> \
255                  --file <file to store the certificate request>
256
257
258
259       The  --file  and --action options are mutually exclusive (i.e. only one
260       or the other may be specified during command invocation).
261
262
263       If the --file option is specified, the certificate request, as well  as
264       the  defaults  and  constraints  of the enrollment profile, will be re‐
265       trieved and stored in the output file provided by  the  --file  option.
266       The  agent  can  examine the file and override any values if necessary.
267       To process the request, enter the appropriate action when prompted:
268
269
270              Action (approve/reject/cancel/update/validate/assign/unassign):
271
272
273
274       The request in the file will be read in, and the specified action  will
275       be applied against it.
276
277
278       Alternatively,  when no changes to the request are necessary, the agent
279       can process the request in a single step using the --action option with
280       the following command:
281
282
283              $ pki <agent authentication> ca-cert-request-review <request ID> --action <action>
284
285
286

AUTHORS

       Ade Lee <alee@redhat.com>, Endi S. Dewata <edewata@redhat.com>, and
       Matthew Harmsen <mharmsen@redhat.com>.

COPYRIGHT

       Copyright (c) 2014 Red Hat, Inc.  This is licensed under the GNU General
       Public License, version 2 (GPLv2).  A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                               May 5, 2014                      pki-cert(1)