PKI PKCS12 CLI
Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in a PKCS #12 file.
Generally the PKCS #12 commands can be executed without an NSS database. However, in certain cases an NSS database may be required:
- decrypting the key info in the PKCS #12 file to display more details about the key
- importing certificates and keys from the PKCS #12 file
- exporting certificates and keys into the PKCS #12 file
- running in FIPS mode
If required, use an existing NSS database or create a new one.
A new NSS database can be created as follows:
```
$ pki -d <NSS database location> -c <NSS password> client-init
```
The password can also be specified in a file:
```
$ pki -d <NSS database location> -C <NSS password file> client-init
```
To execute the PKCS #12 commands with the NSS database:
```
$ pki -d <NSS database location> -c <NSS password> pkcs12-...
```
or:
```
$ pki -d <NSS database location> -C <NSS password file> pkcs12-...
```
Note that if option -d is omitted the default location will be ~/.dogtag/nssdb.
To list the certificates in a PKCS #12 file:
```
$ pki pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Certificate ID: 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca
  Serial Number: 0x6
  Friendly Name: caadmin
  Subject DN: CN=PKI Administrator,[email protected],O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Trust flags: u,u,u
  Has Key: true
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
```
To list the keys in a PKCS #12 file:
```
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
  Friendly Name: caadmin
```
The PKCS #12 password can also be specified in a file:
```
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
```
To add a certificate, including its key and trust flags, from the client NSS database:
```
$ pki -c Secret.123 pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------------------
Added certificate "caadmin"
---------------------------
```
If the PKCS #12 file does not exist, it will be created automatically. If the PKCS #12 file already exists, the certificate will be added to the file.
The trust flags can be overwritten with the --trust-flags parameter:
```
$ pki -c Secret.123 pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    --trust-flags <trust flags>
---------------------------
Added certificate "caadmin"
---------------------------
```
To add a certificate from the client NSS database without the key:
```
$ pki -c Secret.123 pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    --no-key
---------------------------
Added certificate "caadmin"
---------------------------
```
To add a certificate from a file (not implemented yet):
```
$ pki pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    --cert-file caadmin.pem
---------------------------
Added certificate "caadmin"
---------------------------
```
To add a certificate from a file with trust flags (not implemented yet):
```
$ pki pkcs12-cert-add caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    --cert-file caadmin.pem --trust-flags "u,u,u"
---------------------------
Added certificate "caadmin"
---------------------------
```
To export a certificate from a PKCS #12 file into a PEM file:
```
$ pki pkcs12-cert-export caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 --cert-file caadmin.pem
```
To change the nickname of a certificate by its ID:
```
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 --friendly-name "CA admin"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
```
To change the nickname of a certificate by its current nickname:
```
$ pki pkcs12-cert-mod caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 --friendly-name "CA admin"
------------------------------
Modified certificate "caadmin"
------------------------------
```
To change the trust flags of a certificate by its ID:
```
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 --trust-flags "u,u,u"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
```
To change the trust flags of a certificate by its nickname:
```
$ pki pkcs12-cert-mod caadmin \
    --pkcs12-file test.p12 --pkcs12-password Secret.123 --trust-flags "u,u,u"
------------------------------
Modified certificate "caadmin"
------------------------------
```
Note: If the trust flags value is blank, the trust flags will be removed from the certificate.
To delete a certificate from a PKCS #12 file:
```
$ pki pkcs12-cert-del caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123
-----------------------------
Deleted certificate "caadmin"
-----------------------------
```
To delete a key from a PKCS #12 file:
```
$ pki pkcs12-key-del 16228b70f066d50a68d59e64c9367b53c234473d \
    --pkcs12-file test.p12 --pkcs12-password Secret.123
------------------------------------------------------
Deleted key "16228b70f066d50a68d59e64c9367b53c234473d"
------------------------------------------------------
```
To import a PKCS #12 file into the client security database (default: ~/.dogtag/nssdb):
```
$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
Import complete
---------------
```
Optionally, the nicknames of the certificates to be imported can be specified as arguments:
```
$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    "caSigningCert cert-pki-tomcat CA" \
    "subsystemCert cert-pki-tomcat"
---------------
Import complete
---------------
```
To import without the trust flags:
```
$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Import complete
---------------
```
The passwords can be specified in files:
```
$ pki -C nsspwd.txt pkcs12-import --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
```
To export the NSS database (default: ~/.dogtag/nssdb) into a PKCS #12 file:
```
$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
Export complete
---------------
```
It will overwrite an existing PKCS #12 file.
To export certain certificates only, specify the nicknames as command arguments:
```
$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 \
    "auditSigningCert cert-pki-tomcat CA" \
    "ocspSigningCert cert-pki-tomcat CA"
---------------
Export complete
---------------
```
It will include the specified certificates with their keys, and the certificate chain without their keys.
To export without the trust flags:
```
$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Export complete
---------------
```
The passwords can be specified in files:
```
$ pki -C nsspwd.txt pkcs12-export --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
```
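The password-file form used above (-C for the NSS database password, --pkcs12-password-file for the PKCS #12 password) keeps both secrets out of the process list and the shell history, but only if the files themselves are readable by nobody else. The script below is an added example, not code from this wiki or from the pki project, that wraps the pkcs12-export step in that form: it writes both password files with mode 0600 into a private temporary directory that is removed on exit, refuses to run if either file is more permissive, exports the requested nicknames, and then lists the certificates and keys that actually landed in the file so the result can be checked before the file is handed to anyone. The helper names (write_secret_file, file_mode, export_to_pkcs12) and the script name export_p12.sh are assumptions; the pki options are the ones documented on this page, and the pki CLI (10.3 or later) is assumed to be installed with the NSS database already holding the given nicknames.

```shell
#!/bin/sh
# Added example (not from the Dogtag wiki or the pki project): export a subset of an
# NSS database into a PKCS #12 file using password files (-C / --pkcs12-password-file)
# instead of -c / --pkcs12-password, so neither password shows up in `ps` output or
# in the shell history. Assumes the `pki` CLI (10.3+) is installed and the NSS
# database already holds the nicknames passed on the command line.
set -eu

# write_secret_file FILE SECRET
# Creates FILE with mode 0600 (umask 077 applies to the new file) and stores SECRET
# in it without a trailing newline.
write_secret_file() {
    wsf_file=$1
    wsf_secret=$2
    wsf_old_umask=$(umask)
    umask 077
    rm -f "$wsf_file"
    printf '%s' "$wsf_secret" > "$wsf_file"
    umask "$wsf_old_umask"
}

# file_mode FILE
# Prints the octal permission bits of FILE (e.g. 600); handles GNU and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# export_to_pkcs12 NSSDB NSS_PW_FILE P12_FILE P12_PW_FILE [NICKNAME...]
# Checks that both password files are private, runs pkcs12-export with the password
# files, then lists the certificates and keys in the resulting PKCS #12 file.
export_to_pkcs12() {
    etp_nssdb=$1
    etp_nss_pw_file=$2
    etp_p12=$3
    etp_p12_pw_file=$4
    shift 4
    [ "$(file_mode "$etp_nss_pw_file")" = 600 ] || {
        echo "refusing to run: $etp_nss_pw_file is not mode 600" >&2; return 1; }
    [ "$(file_mode "$etp_p12_pw_file")" = 600 ] || {
        echo "refusing to run: $etp_p12_pw_file is not mode 600" >&2; return 1; }
    pki -d "$etp_nssdb" -C "$etp_nss_pw_file" pkcs12-export \
        --pkcs12-file "$etp_p12" --pkcs12-password-file "$etp_p12_pw_file" "$@"
    # Verify what was written: certificates (with trust flags and Has Key) and keys.
    pki -d "$etp_nssdb" -C "$etp_nss_pw_file" pkcs12-cert-find \
        --pkcs12-file "$etp_p12" --pkcs12-password-file "$etp_p12_pw_file"
    pki -d "$etp_nssdb" -C "$etp_nss_pw_file" pkcs12-key-find \
        --pkcs12-file "$etp_p12" --pkcs12-password-file "$etp_p12_pw_file"
}

# Usage: sh export_p12.sh NSSDB NSS_PASSWORD OUTPUT.p12 P12_PASSWORD [NICKNAME...]
# The password files live in a private temporary directory that is removed on exit.
if [ "$#" -ge 4 ]; then
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    write_secret_file "$workdir/nsspwd.txt" "$2"
    write_secret_file "$workdir/pkcs12pwd.txt" "$4"
    main_nssdb=$1
    main_p12=$3
    shift 4
    export_to_pkcs12 "$main_nssdb" "$workdir/nsspwd.txt" \
        "$main_p12" "$workdir/pkcs12pwd.txt" "$@"
fi
```

With no nicknames the whole database is exported, matching the plain pkcs12-export form above; with nicknames only those certificates are exported with their keys, plus the chain without keys, and the two listing commands at the end make that visible before the file leaves the machine.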