-
Notifications
You must be signed in to change notification settings - Fork 135
PKI PKCS12 CLI
Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in PKCS #12 file.
Generally the PKCS #12 commands can be executed without an NSS database. However, under certain cases an NSS database may be required:
-
decrypting the key info in PKCS #12 file to display more details about the key
-
importing certificates and keys from the PKCS #12 file
-
exporting certificates and keys the PKCS #12 file
-
running in FIPS mode
If required, use an existing NSS database or create a new one.
A new NSS database can be created as follows:
$ pki -d <NSS database location> -c <NSS password> client-init
The password can also be specified in a file:
$ pki -d <NSS database location> -C <NSS password file> client-init
To execute the PKCS #12 commands with the NSS database:
$ pki -d <NSS database location> -c <NSS password> pkcs12-...
or:
$ pki -d <NSS database location> -C <NSS password file> pkcs12-...
Note that if option -d is omitted the default location will be ~/.dogtag/nssdb.
To list the certificates in a PKCS #12 file:
$ pki pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password Secret.123 --------------- 1 entries found --------------- Certificate ID: 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca Serial Number: 0x6 Friendly Name: caadmin Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,O=EXAMPLE Trust flags: u,u,u Has Key: true Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
To list the keys in PKCS #12 file:
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password Secret.123 --------------- 1 entries found --------------- Key ID: 16228b70f066d50a68d59e64c9367b53c234473d Friendly Name: caadmin
The PKCS #12 password can also be specified in a file:
$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
To import a certificate including the key and trust flags from client NSS database:
$ pki pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123
------------------------------
Imported certificate "caadmin"
------------------------------
If the PKCS #12 file already exists, it will be overwritten. To add certificate into an existing PKCS #12 file, specify the --append option:
$ pki pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123 \
--append
------------------------------
Imported certificate "caadmin"
------------------------------
The trust flags can be overwritten with the --trust-flags parameter:
$ pki -c Secret.123 pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123 \
--trust-flags <trust flags>
------------------------------
Imported certificate "caadmin"
------------------------------
To import a certificate from client NSS database without the key:
$ pki -c Secret.123 pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123 \
--no-key
------------------------------
Imported certificate "caadmin"
------------------------------
To import a certificate from a file (not implemented yet):
$ pki pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123 \
--cert-file caadmin.pem
------------------------------
Imported certificate "caadmin"
------------------------------
To import a certificate from a file with trust flags (not implemented yet):
$ pki pkcs12-cert-import caadmin \
--pkcs12-file test.p12 \
--pkcs12-password Secret.123 \
--cert-file caadmin.pem \
--trust-flags "u,u,u"
------------------------------
Imported certificate "caadmin"
------------------------------
DEPRECATED: To add a certificate including the key and trust flags from client NSS database:
$ pki -c Secret.123 pkcs12-cert-add caadmin \
--pkcs12-file test.p12 --pkcs12-password Secret.123
---------------------------
Added certificate "caadmin"
---------------------------
If the PKCS #12 file does not exist, it will be created automatically. If the PKCS #12 file already exists, the certificate will be added into the file.
To export a certificate from PKCS #12 file into a PEM file:
$ pki pkcs12-cert-export caadmin \
--pkcs12-file test.p12 --pkcs12-password Secret.123 --cert-file caadmin.pem
To change the nickname of a certificate by its ID:
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
--pkcs12-file test.p12 --pkcs12-password Secret.123 \
--friendly-name "CA admin"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
To change the nickname of a certificate by its current nickname:
$ pki pkcs12-cert-mod caadmin \
--pkcs12-file test.p12 --pkcs12-password Secret.123 \
--friendly-name "CA admin"
------------------------------
Modified certificate "caadmin"
------------------------------
To change the trust flags of a certificate by its ID:
$ pki pkcs12-cert-mod 75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca \
--pkcs12-file test.p12 --pkcs12-password Secret.123 \
--trust-flags "u,u,u"
---------------------------------------------------------------
Modified certificate "75e2ac1d08ca99ed4c9bd31ad847fd18bc4db9ca"
---------------------------------------------------------------
To change the trust flags of a certificate by its nickname:
$ pki pkcs12-cert-mod caadmin \
--pkcs12-file test.p12 --pkcs12-password Secret.123 \
--trust-flags "u,u,u"
------------------------------
Modified certificate "caadmin"
------------------------------
Note: If the trust flags value is blank, the trust flags will be removed from the certificate.
To delete a certificate from PKCS #12 file:
$ pki pkcs12-cert-del caadmin \
--pkcs12-file test.p12 --pkcs12-password Secret.123
-----------------------------
Deleted certificate "caadmin"
-----------------------------
To delete a key from PKCS #12 file:
$ pki pkcs12-key-del 16228b70f066d50a68d59e64c9367b53c234473d \
--pkcs12-file test.p12 --pkcs12-password Secret.123
------------------------------------------------------
Deleted key "16228b70f066d50a68d59e64c9367b53c234473d"
------------------------------------------------------
To import PKCS #12 file into the client security database (default: ~/.dogtag/nssdb):
$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 --------------- Import complete ---------------
Optionally, the nicknames of the certificates to be imported can be specified as arguments:
$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 \
"caSigningCert cert-pki-tomcat CA" \
"subsystemCert cert-pki-tomcat"
---------------
Import complete
---------------
To import without the trust flags:
$ pki -c Secret.123 pkcs12-import \
--pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Import complete
---------------
The passwords can be specified in a file:
$ pki -C nsspwd.txt pkcs12-import --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
To export NSS database (default: ~/.dogtag/nssdb) into PKCS #12 file:
$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 --------------- Export complete ---------------
It will overwrite existing PKCS #12 file.
To export certain certificates only, specify the nicknames as command arguments:
$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 \
"auditSigningCert cert-pki-tomcat CA" \
"ocspSigningCert cert-pki-tomcat CA"
---------------
Export complete
---------------
It will include the specified certificates with their keys, and the certificate chain without their keys.
To export without the trust flags:
$ pki -c Secret.123 pkcs12-export \
--pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Export complete
---------------
The passwords can be specified in files:
$ pki -C nsspwd.txt pkcs12-export --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |