1cimtrust(8) System Manager's Manual cimtrust(8)
2
3
4
6 cimtrust - Add, remove or list X509 certificates in a PEM format trust
7 store.
8
10 cimtrust -a [ -U certuser ] -f file -T ( a | e | s )
11
12 cimtrust -r -i issuer ( -n serialnumber | -S subject )
13
14 cimtrust -l [ -i issuer [ -n serialnumber | -S subject ] ]
15
16 cimtrust --help
17
18 cimtrust --version
19
20
21 Remarks
22 The cimtrust command requires that the cimserver is running. This com‐
23 mand operates on a truststore on the local system only.
24
25
27 The add option of the cimtrust command adds an X509 certificate file of
28 a specified type to the truststore. The certuser specifies the user‐
29 name to be associated with the certificate in the file. If no certuser
30 is specified, the certificate may not be used to authenticate a user.
31
32 The remove option of the cimtrust command removes the X509 certifi‐
33 cate(s) matching the specified issuer and either serialnumber or sub‐
34 ject from the truststore.
35
36 The list option of the cimtrust command lists the X509 certificates in
37 the truststore. The list can be filtered by issuer and either serial‐
38 number or subject.
39
40 Certificates in the trust store may be revoked by adding a Certificate
41 Revocation List to the CRL store. For more information on CRL opera‐
42 tions see the cimcrl(8) command.
43
44 Options
45 cimtrust recognizes the following options:
46
47 -a Adds a certificate to the truststore. If the
48 specified file does not contain a valid X509 cer‐
49 tificate an error message is returned and no
50 action is taken. If the X509 certificate already
51 exists in the truststore, an error message is
52 returned.
53
54 -r Removes certificate(s) from the truststore. If
55 the truststore contains multiple certificates
56 matching the specified issuer and subject, all
57 the matching certificates are removed. If no cer‐
58 tificate exists for the specified issuer and
59 either serialnumber or subject , an error message
60 is returned and no action is taken.
61
62 -l Displays the X509 certificates in the truststore.
63
64 -f file Specifies a PEM format file containing an X509
65 certificate.
66
67 -U certuser Specifies a username to be associated with the
68 specified certificate. The username specified
69 should be a valid system user on the target sys‐
70 tem.
71
72 -i issuer Specifies the issuer name of the certificate.
73
74 -n serialnumber
75 Specifies the serial number of the certificate.
76
77 -S subject Specifies the subject name of the certificate.
78
79 -T ( a | e | s )
80 Specifies the type of a certificate. The type
81 must be one of the following:
82
83 authority (a): root/intermediate authority cer‐
84 tificates. Certificates of this type are added to
85 the trusted certificate store. The certuser is
86 optional for authority certificates. If no cer‐
87 tuser is specified, the certificate may not be
88 used to authenticate a user.
89
90 authority issued end-entity (e): Certificates of
91 this type are not added to the trusted certifi‐
92 cate store. The certuser is required for author‐
93 ity issued end-entity certificates.
94
95 Self-signed identity certificate (s): Certifi‐
96 cates of this type are not added to the trusted
97 certificate store. The certuser is required for
98 self-signed identity certificates.
99
100 --help Displays the command help message.
101
102 --version Displays the CIM Server version.
103
105 When an error occurs, an error message is written to the standard error
106 stream and a non-zero exit status value is returned. The following exit
107 status values are defined:
108
109 0 Success
110
111 1 General error
112
113 2 Connection failed
114
115 3 Connection timed out
116
117 4 Certificate already exists
118
119 5 Certificate does not exist
120
121 6 Invalid system user
122
124 Add the X509 self-signed identity certificate in the cert.pem file and
125 associate it to certuser guest. This certificate will be added to the
126 trusted certificate store:
127
128 cimtrust -a -U guest -f cert.pem -T s
129
130 Add the X509 authority root CA certificate in the ca.pem file with no
131 certuser association. This certificate will be added to the trusted
132 certificate store but may not be used to authenticate a user:
133
134 cimtrust -a -f ca.pem -T a
135
136 Add the X509 authority issued end-entity certificate in the user.pem
137 file and associate it to certuser pegasus. This certificate may be used
138 to authenticate user pegasus but will not be added to the trusted cer‐
139 tificate store:
140
141 cimtrust -a -f user.pem -U pegasus -T e
142
143 Remove the certificate matching the specified issuer and serialnumber
144 from the trust store:
145
146 cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart &
147 Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -n 01
148
149 Remove the certificate(s) matching the specified issuer and subject
150 from the trust store:
151
152 cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart &
153 Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -S
154 "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software
155 Division/CN=dev.admin.ss.com"
156
157 List all the X509 certificates in the trust store:
158
159 cimtrust -l
160
161
163 cimserver(8), cimcrl(8), cimconfig(8).
164
165
166
167 cimtrust(8)