# PKI PKCS12 CLI
Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in a PKCS #12 file.

Generally the PKCS #12 commands can be executed without an NSS database. However, in certain cases an NSS database may be required:

- decrypting the key info in the PKCS #12 file to display more details about the key
- importing certificates and keys from the PKCS #12 file
- exporting certificates and keys into the PKCS #12 file
- running in FIPS mode

If an NSS database is required, by default the command will use `~/.dogtag/nssdb`. A different NSS database can be specified with the `-d <directory>` parameter. The password for the NSS database can be specified with `-c <password>` or `-C <password file>`, for example:

```
$ pki -d <directory> -c <password> pkcs12-...
```

or:

```
$ pki -d <directory> -C <password file> pkcs12-...
```
To list the certificates in a PKCS #12 file:

```
$ pki pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Certificate ID: 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca
  Serial Number: 0x6
  Friendly Name: caadmin
  Subject DN: CN=PKI Administrator,[email protected],O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust flags: u,u,u
  Has Key: true
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
```

To list the keys in a PKCS #12 file:

```
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
  Friendly Name: caadmin
```

The PKCS #12 password can also be specified in a file:

```
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
```
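A password passed with `--pkcs12-password` is visible to other local users in the process list and is kept in shell history, which is why the `--pkcs12-password-file` form above is the one to script around. The following POSIX shell helpers are an added example, not part of the PKI project: they create the password file with owner-only permissions, refuse to use a password file that is readable by others, and assemble a `pki pkcs12-*` command line using only the `--pkcs12-file` and `--pkcs12-password-file` options shown on this page. The helper names and the checking policy are assumptions of this example; `pki` itself is not invoked, so the assembled command can be inspected before it is run.

```shell
#!/bin/sh
# Added example (not from the PKI project): safe handling of the PKCS #12
# password file used with `pki pkcs12-* --pkcs12-password-file`.

# Write the password to FILE with mode 0600 (umask 077 in a subshell), so the
# secret never appears on a command line. Returns non-zero if the write fails.
create_pkcs12_password_file() {
    file=$1
    password=$2
    ( umask 077 && printf '%s\n' "$password" > "$file" ) || return 1
}

# Succeed only if FILE is a regular file whose mode bits grant access to the
# owner alone. The `ls -l` mode column is used because it is portable across
# GNU and BSD userlands (stat has different flags on each).
check_password_file_mode() {
    file=$1
    [ -f "$file" ] || return 1
    mode=$(ls -l "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Print the pki command line for SUBCMD (e.g. pkcs12-cert-find) against the
# PKCS #12 file P12, reading the password from PWFILE. Any further arguments
# are appended verbatim. Refuses to build the command if PWFILE is not
# owner-only, so a world-readable password file is caught before use.
build_pkcs12_cmd() {
    [ $# -ge 3 ] || { echo "usage: build_pkcs12_cmd SUBCMD P12 PWFILE [ARG...]" >&2; return 1; }
    subcmd=$1
    p12=$2
    pwfile=$3
    shift 3
    check_password_file_mode "$pwfile" || {
        echo "refusing: $pwfile is not an owner-only regular file" >&2
        return 1
    }
    printf 'pki %s --pkcs12-file %s --pkcs12-password-file %s' "$subcmd" "$p12" "$pwfile"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Usage (constructed sample; nothing here talks to a real PKCS #12 file):
#   create_pkcs12_password_file ./pkcs12pwd.txt 'Secret.123'
#   build_pkcs12_cmd pkcs12-cert-find test.p12 ./pkcs12pwd.txt
#   -> pki pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password-file ./pkcs12pwd.txt
```

The same pattern applies to the NSS database password: prefer `-C <password file>` over `-c <password>` for the same reason, and keep that file owner-only as well.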
To import a certificate, including its key and trust flags, from the client NSS database:

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
------------------------------
Imported certificate "caadmin"
------------------------------
```

If the PKCS #12 file already exists, it will be overwritten. To add a certificate to an existing PKCS #12 file, specify the `--append` option:

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --append
------------------------------
Imported certificate "caadmin"
------------------------------
```

The trust flags can be overridden with the `--trust-flags` parameter:

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --trust-flags <trust flags>
------------------------------
Imported certificate "caadmin"
------------------------------
```

To import a certificate from the client NSS database without its key:

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --no-key
------------------------------
Imported certificate "caadmin"
------------------------------
```

To import a certificate from a file (not implemented yet):

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --cert-file caadmin.pem
------------------------------
Imported certificate "caadmin"
------------------------------
```

To import a certificate from a file with trust flags (not implemented yet):

```
$ pki pkcs12-cert-import caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --cert-file caadmin.pem \
    --trust-flags "u,u,u"
------------------------------
Imported certificate "caadmin"
------------------------------
```
DEPRECATED: To add a certificate, including its key and trust flags, from the client NSS database:

```
$ pki pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
---------------------------
Added certificate "caadmin"
---------------------------
```

If the PKCS #12 file does not exist, it will be created automatically. If the PKCS #12 file already exists, the certificate will be added to the file.

To export a certificate from a PKCS #12 file into a PEM file:

```
$ pki pkcs12-cert-export caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --cert-file caadmin.pem
```
To change the nickname of a certificate by its ID:

```
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --friendly-name "CA admin"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
```

To change the nickname of a certificate by its current nickname:

```
$ pki pkcs12-cert-mod caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --friendly-name "CA admin"
------------------------------
Modified certificate "caadmin"
------------------------------
```

To change the trust flags of a certificate by its ID:

```
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --trust-flags "u,u,u"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
```

To change the trust flags of a certificate by its nickname:

```
$ pki pkcs12-cert-mod caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --trust-flags "u,u,u"
------------------------------
Modified certificate "caadmin"
------------------------------
```

Note: If the trust flags value is blank, the trust flags will be removed from the certificate.
To delete a certificate from a PKCS #12 file:

```
$ pki pkcs12-cert-del caadmin \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
-----------------------------
Deleted certificate "caadmin"
-----------------------------
```

To delete a key from a PKCS #12 file:

```
$ pki pkcs12-key-del 16228b70f066d50a68d59e64c9367b53c234473d \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
------------------------------------------------------
Deleted key "16228b70f066d50a68d59e64c9367b53c234473d"
------------------------------------------------------
```
To import a PKCS #12 file into the client security database (default: `~/.dogtag/nssdb`):

```
$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
---------------
Import complete
---------------
```

Optionally, the nicknames of the certificates to be imported can be specified as arguments:

```
$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    "caSigningCert cert-pki-tomcat CA" \
    "subsystemCert cert-pki-tomcat"
---------------
Import complete
---------------
```

To import without the trust flags:

```
$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --no-trust-flags
---------------
Import complete
---------------
```

The password can be specified in a file:

```
$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password-file pkcs12pwd.txt
```
To export the NSS database (default: `~/.dogtag/nssdb`) into a PKCS #12 file:

```
$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
---------------
Export complete
---------------
```

This will overwrite an existing PKCS #12 file.

To export only certain certificates, specify their nicknames as command arguments:

```
$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    "auditSigningCert cert-pki-tomcat CA" \
    "ocspSigningCert cert-pki-tomcat CA"
---------------
Export complete
---------------
```

The export will include the specified certificates with their keys, and their certificate chains without keys.

To export without the trust flags:

```
$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --no-trust-flags
---------------
Export complete
---------------
```

The password can be specified in a file:

```
$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password-file pkcs12pwd.txt
```