
PKI PKCS11 CLI

Endi S. Dewata edited this page Mar 27, 2024 · 4 revisions

Overview

Since version 10.6, PKI provides a CLI to manage certificates and keys in a PKCS #11 token via an NSS database. The CLI is implemented using the JSS KeyStore.

By default the PKI CLI uses the NSS database at ~/.dogtag/nssdb. To use a different NSS database, specify the -d parameter.

By default the CLI will ask for the token password on the console. To use a password file, specify a -f parameter.

To use these PKCS #11 utilities on an NSS database owned by a PKI server:

$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf <command>

By default the CLI uses the internal (software) token. To use the PKCS #11 utilities with an HSM, specify the --token parameter with the name of the HSM token:

$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf --token HSM <command>

Certificate Management

Listing certificates

To list all certificates in a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-cert-find
  Cert ID: HSM:ca_signing
  Type: X.509
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

  Cert ID: HSM:sslserver
  Type: X.509
  Serial Number: 0x3
  Subject DN: CN=pki.example.com.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

  Cert ID: HSM:ca_ocsp_signing
  Type: X.509
  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

  Cert ID: HSM:ca_audit_signing
  Type: X.509
  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

  Cert ID: HSM:subsystem
  Type: X.509
  Serial Number: 0x4
  Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

Displaying certificate details

To display a specific certificate in a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-cert-show HSM:ca_signing
  Cert ID: HSM:ca_signing
  Type: X.509
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

Removing a certificate

To remove a specific certificate from a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-cert-del HSM:ca_signing
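The pkcs11-cert-find output above is easy to post-process. The following is an added example, not part of the PKI project: it parses that output into TSV records, reports which certificates in the token are self-signed (Subject DN equals Issuer DN), and only builds a pkcs11-cert-del command line for a Cert ID that is actually present in the listing. The sample listing is constructed and modeled on the output shown above.

```shell
#!/bin/sh
# Added example (not PKI project code): work with `pki ... pkcs11-cert-find` output.

# Constructed sample, modeled on the pkcs11-cert-find output on this page.
SAMPLE_CERT_FIND='  Cert ID: HSM:ca_signing
  Type: X.509
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE

  Cert ID: HSM:sslserver
  Type: X.509
  Serial Number: 0x3
  Subject DN: CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE'

# Reads pkcs11-cert-find output on stdin and prints one TSV line per cert:
# cert_id <TAB> serial <TAB> subject_dn <TAB> issuer_dn
# Issuer DN is the last line of each record, so the record is emitted there.
parse_cert_find() {
  awk '
    /^ *Cert ID: /       { id = $0;     sub(/^ *Cert ID: /, "", id) }
    /^ *Serial Number: / { serial = $0; sub(/^ *Serial Number: /, "", serial) }
    /^ *Subject DN: /    { subj = $0;   sub(/^ *Subject DN: /, "", subj) }
    /^ *Issuer DN: /     { iss = $0;    sub(/^ *Issuer DN: /, "", iss)
                           printf "%s\t%s\t%s\t%s\n", id, serial, subj, iss }'
}

# Cert IDs whose Subject DN equals Issuer DN (self-signed, e.g. the CA signing cert).
self_signed_ids() {
  parse_cert_find | awk -F'\t' '$3 == $4 { print $1 }'
}

# Prints the pkcs11-cert-del command line for a Cert ID only if that ID appears
# in the listing read from stdin; otherwise prints nothing and returns 1.
# $1 = NSS database directory, $2 = password file, $3 = token name, $4 = Cert ID
cert_del_cmd() {
  parse_cert_find | awk -F'\t' -v want="$4" \
    '$1 == want { found = 1 } END { exit found ? 0 : 1 }' || return 1
  printf 'pki -d %s -f %s --token %s pkcs11-cert-del %s\n' "$1" "$2" "$3" "$4"
}
```

In practice the listing comes from `pki -d ... -f ... --token HSM pkcs11-cert-find | self_signed_ids`; the dry-run command printed by cert_del_cmd can then be reviewed before it is executed.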

Key Management

Listing keys

To list all keys in a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-key-find
  Key ID: HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805
  Type: RSA
  Algorithm: RSA

  Key ID: HSM:a6de2d573a9fa0d711cac2559f86927052e2548a
  Type: RSA
  Algorithm: RSA

  Key ID: HSM:d45332483fb3f2d1b8132ea699f84e9e179544a0
  Type: RSA
  Algorithm: RSA

  Key ID: HSM:d7f75b17d2e86644456bcbd926e2af1f7fd7a2ca
  Type: RSA
  Algorithm: RSA

  Key ID: HSM:c962205575386a5eb699c5487d9f7ab72bdd0328
  Type: RSA
  Algorithm: RSA

Displaying key details

To display a specific key in a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-key-show HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805
  Key ID: HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805
  Type: RSA
  Algorithm: RSA

Removing a key

To remove a specific key from a token:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    --token HSM \
    pkcs11-key-del HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805
