CentOS 7.0 - man page for pki (centos section 1)
pki(1)			      PKI Command-Line Interface (CLI) Tools			   pki(1)

NAME
       pki - Command-Line Interface Tool for accessing Certificate System Servers.

SYNOPSIS
       pki [CLI options] <command> [command arguments]

DESCRIPTION
       pki provides a command-line interface to Certificate System Servers, allowing administrators
       to manage certificates, groups, keys, security domains, and users.

OPTIONS
       -c <database password>
	      Specifies the certificate database password.

       -d <database>
	      Specifies the certificate database to be used.

       -h <hostname>
	      Specifies the hostname (default: localhost).

       --help Prints additional help information.

       -n <nickname>
	      Specifies the certificate nickname.

       -P <protocol>
	      Specifies the protocol (default: http).

       -p <port>
	      Specifies the port (default: 8080).

       -t <type>
	      Specifies the type of subsystem (default: ca).

       -U <uri>
	      Specifies the server URI.

       -u <username>
	      Specifies the username.

       -v     Displays verbose information.

       --version
	      Displays 'pki' CLI version information.

       -w <password>
	      Specifies the user password.

OPERATIONS
       To view available commands and options, simply type pki.  Some commands have sub-commands.
       To  view  the  sub-commands,  type pki <command>.  To view each command's usage, type  pki
       <command> --help.

   Connection
       By default, pki connects to the non-secure (HTTP) port of a CA server running on localhost
       on port 8080.  To specify a different server location, use the appropriate arguments to
       give a different host (-h), port (-p), connection protocol (-P), or subsystem type (-t).

       pki -P <protocol> -h <hostname> -p <port> -t <subsystem> <command>

       Alternatively, the connection parameters can be specified as a URL:

       pki -U <subsystem URL> <command>

       where the URL is of the format https://<hostname>:<port>/<subsystem>.

   Authentication
       Some commands require authentication.  These are commands that are restricted to particular
       sets of users (such as agents or admins) or those operations involving certificate profiles
       that require authentication.

       To execute a command without authentication:

       pki <command>

       To authenticate with a username and password:

       pki -u <username> -w <password> <command>

       To authenticate with a client certificate:

       pki -d <certificate database directory> -c <certificate database password> -n <certificate
       nickname> <command>
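The Connection and Authentication sections above describe how the server location and the credentials are passed on the command line. The wrapper below is an added example, not part of the pki man page or of the Dogtag project: it builds the -U form of the server location, selects one of the three authentication modes, and runs pki with the corresponding options. The helper names pki_target, read_secret and pki_cmd, the PKI_* environment variables and the PKI_BIN dry-run switch are assumptions of this script; the options it passes (-U, -u, -w, -d, -c, -n) are the ones documented in OPTIONS. The same wrapper serves the agent commands in the Revoking Certificates section, which only differ in the command name.

```shell
#!/bin/sh
# Added example (not from the pki man page or Dogtag): build the connection and
# authentication arguments documented above, then run pki.  Setting PKI_BIN=echo
# prints the argument list instead of contacting a server.

# pki_target HOST PORT SUBSYSTEM [PROTOCOL]: print the -U form of the server
# location, e.g. https://ca.example.com:8443/ca (protocol defaults to https).
pki_target() {
    printf '%s://%s:%s/%s\n' "${4:-https}" "$1" "$2" "$3"
}

# read_secret FILE: print the first line of FILE.  Refuses a file that other
# users can read, since a secret stored with mode 0644 is already disclosed.
read_secret() {
    f=$1
    [ -f "$f" ] || { echo "read_secret: $f: no such file" >&2; return 2; }
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "read_secret: $f is world-readable; chmod 600 it first" >&2
        return 2
    fi
    IFS= read -r secret < "$f" || [ -n "$secret" ] || return 2
    printf '%s\n' "$secret"
}

# pki_cmd MODE URL COMMAND [ARGS...]
#   MODE is anon (no credentials), password (-u/-w) or cert (-d/-c/-n).
#   Credentials come from the environment (assumed variable names):
#     password: PKI_USER, PKI_PASSWORD_FILE
#     cert:     PKI_NSSDB, PKI_NSSDB_PASSWORD_FILE, PKI_CERT_NICK
# Even when read from a file, a -w or -c value ends up in the process argument
# list, which other local users can see in ps or /proc/<pid>/cmdline; prefer
# cert mode for agent and admin work and keep password mode for test setups.
pki_cmd() {
    mode=$1 url=$2
    shift 2
    case "$url" in
        http://*:*/*|https://*:*/*) ;;
        *) echo "pki_cmd: URL must be https://<hostname>:<port>/<subsystem>" >&2; return 2 ;;
    esac
    case "$mode" in
        anon)
            "${PKI_BIN:-pki}" -U "$url" "$@" ;;
        password)
            [ -n "$PKI_USER" ] && [ -n "$PKI_PASSWORD_FILE" ] ||
                { echo "pki_cmd: set PKI_USER and PKI_PASSWORD_FILE" >&2; return 2; }
            pw=$(read_secret "$PKI_PASSWORD_FILE") || return 2
            "${PKI_BIN:-pki}" -U "$url" -u "$PKI_USER" -w "$pw" "$@" ;;
        cert)
            [ -n "$PKI_NSSDB" ] && [ -n "$PKI_NSSDB_PASSWORD_FILE" ] && [ -n "$PKI_CERT_NICK" ] ||
                { echo "pki_cmd: set PKI_NSSDB, PKI_NSSDB_PASSWORD_FILE and PKI_CERT_NICK" >&2; return 2; }
            pw=$(read_secret "$PKI_NSSDB_PASSWORD_FILE") || return 2
            "${PKI_BIN:-pki}" -U "$url" -d "$PKI_NSSDB" -c "$pw" -n "$PKI_CERT_NICK" "$@" ;;
        *)
            echo "pki_cmd: mode must be anon, password or cert" >&2; return 2 ;;
    esac
}

# Dry run of an anonymous listing and an agent revocation (no server needed):
#   PKI_BIN=echo pki_cmd anon "$(pki_target ca.example.com 8443 ca)" cert-find
#   PKI_BIN=echo PKI_NSSDB=/path/to/nssdb PKI_NSSDB_PASSWORD_FILE=/path/to/pw \
#       PKI_CERT_NICK=agent pki_cmd cert "$(pki_target ca.example.com 8443 ca)" cert-revoke 0x5
```

The URL check only enforces the shape the man page gives for -U; pki itself still decides whether the host, port and subsystem are valid. Note that password mode is not stronger than typing -w yourself: the file keeps the password out of shell history, but the argument list is still visible on the host.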

   Viewing Certificates
       Certificates can be viewed anonymously.

       To list all certificates:

       pki cert-find

       It is also possible to search for and list specific certificates by adding a search filter.
       Use pki cert-find --help to see options.  For example, to search based on issuance date:

       pki cert-find --issuedOnFrom 2012-06-15

       To view a particular certificate:

       pki cert-show <certificate ID>

   Revoking Certificates
       Revoking, holding, or releasing a certificate must be executed as an agent user.  To
       revoke a certificate:

       pki <agent authentication> cert-revoke <certificate ID>

       To place a certificate on hold temporarily:

       pki <agent authentication> cert-hold <certificate ID>

       To release a certificate that has been placed on hold:

       pki <agent authentication> cert-release-hold <certificate ID>

   Certificate Requests
       To request a certificate, first generate a certificate request in PKCS #10  or  CRMF,  and
       store this request in an XML file. For example:

       <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
       <CertEnrollmentRequest>
	   <profileId>caUserCert</profileId>
	   <isRenewal>false</isRenewal>
	   <Input>
	       <InputAttrs>
		   <InputAttr name="cert_request_type">crmf</InputAttr>
		   <InputAttr name="cert_request">MIIBozCCAZ8wggEFA ...
		       CSR in Base 64 ... </InputAttr>
	       </InputAttrs>
	       <inputId>KeyGenInput</inputId>
	   </Input>
	   <Input>
	       <InputAttrs>
		   <InputAttr name="sn_uid">testuser</InputAttr>
		   <InputAttr name="sn_e">testuser@example.com</InputAttr>
		   <InputAttr name="sn_c">US</InputAttr>
		   <InputAttr name="sn_ou">Engineering</InputAttr>
		   <InputAttr name="sn_cn">Test User</InputAttr>
		   <InputAttr name="sn_o">Example</InputAttr>
	       </InputAttrs>
	       <inputId>SubjectNameInput</inputId>
	   </Input>
	   <Input>
	       <InputAttrs>
		   <InputAttr name="requestor_name">admin</InputAttr>
		   <InputAttr name="requestor_email">admin@example.com
		   </InputAttr>
		   <InputAttr name="requestor_phone">123-456-7890</InputAttr>
	       </InputAttrs>
	       <inputId>SubmitterInfoInput</inputId>
	   </Input>
       </CertEnrollmentRequest>

       Then submit the request for review.  This can be done without authentication.

       pki cert-request-submit <request file>

       Then, an agent needs to review the request by running the following command:

       pki <agent authentication> cert-request-review <request ID> --output <request review file>

       The request, as well as the defaults and constraints of the enrollment profile, will be
       stored in the output file.  The agent can examine the file and override any values if
       necessary.  To process the request, enter the appropriate action when prompted:

       Action (approve/reject/cancel/update/validate/assign/unassign):

       Alternatively, the agent can process the request in a single step with the following
       command:

       pki <agent authentication> cert-request-review <request ID> --action <action>
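The Certificate Requests section is a four-step procedure: generate a request, wrap it in the CertEnrollmentRequest XML, submit it, and have an agent review it. The script below is an added example, not the man page's or Dogtag's own code, that carries the whole procedure through in one place. make_csr produces a PKCS #10 request with openssl; pem_to_b64 and build_request turn it into the XML shown above, escaping the subject fields; submit_request and review_request run the two pki commands. The helper names, the REQUESTOR_* defaults, the PKI_AGENT_AUTH variable and the PKI_BIN dry-run switch are assumptions of this script, and "pkcs10" as cert_request_type is the PKCS #10 counterpart of the "crmf" value in the sample above.

```shell
#!/bin/sh
# Added example (not from the pki man page or Dogtag): the enrollment procedure
# above as one script.  PKI_BIN=echo prints the pki arguments instead of
# contacting a server.

# make_csr KEY_OUT CSR_OUT SUBJECT: new 2048-bit RSA key plus PKCS #10 request
# in PEM (requires openssl; not run by the checks that accompany this script).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3"
}

# pem_to_b64 FILE: strip the PEM armour so only the Base64 body remains, on one
# line, which is what the cert_request attribute carries.
pem_to_b64() {
    sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | tr -d '\r\n'
    echo
}

# xml_escape STRING: escape the three characters that would break element text.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# build_request PROFILE REQTYPE B64 UID EMAIL CN OU O C: print the request XML
# in the layout of the man page sample.  Submitter info comes from REQUESTOR_*
# (assumed variable names) with constructed defaults.
build_request() {
    profile=$1 reqtype=$2 b64=$3 uid=$4 email=$5 cn=$6 ou=$7 o=$8 c=$9
    cat <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <profileId>$(xml_escape "$profile")</profileId>
    <isRenewal>false</isRenewal>
    <Input>
        <InputAttrs>
            <InputAttr name="cert_request_type">$reqtype</InputAttr>
            <InputAttr name="cert_request">$b64</InputAttr>
        </InputAttrs>
        <inputId>KeyGenInput</inputId>
    </Input>
    <Input>
        <InputAttrs>
            <InputAttr name="sn_uid">$(xml_escape "$uid")</InputAttr>
            <InputAttr name="sn_e">$(xml_escape "$email")</InputAttr>
            <InputAttr name="sn_c">$(xml_escape "$c")</InputAttr>
            <InputAttr name="sn_ou">$(xml_escape "$ou")</InputAttr>
            <InputAttr name="sn_cn">$(xml_escape "$cn")</InputAttr>
            <InputAttr name="sn_o">$(xml_escape "$o")</InputAttr>
        </InputAttrs>
        <inputId>SubjectNameInput</inputId>
    </Input>
    <Input>
        <InputAttrs>
            <InputAttr name="requestor_name">$(xml_escape "${REQUESTOR_NAME:-admin}")</InputAttr>
            <InputAttr name="requestor_email">$(xml_escape "${REQUESTOR_EMAIL:-admin@example.com}")</InputAttr>
            <InputAttr name="requestor_phone">$(xml_escape "${REQUESTOR_PHONE:-123-456-7890}")</InputAttr>
        </InputAttrs>
        <inputId>SubmitterInfoInput</inputId>
    </Input>
</CertEnrollmentRequest>
EOF
}

# submit_request FILE: submit the XML for review; needs no authentication.
submit_request() {
    "${PKI_BIN:-pki}" cert-request-submit "$1"
}

# review_request REQUEST_ID ACTION: process the request as an agent in a single
# step.  PKI_AGENT_AUTH holds the agent's authentication options, e.g.
# "-d /path/to/nssdb -c <db password> -n <agent nickname>", and is word-split.
# ACTION is checked against the list the interactive prompt offers.
review_request() {
    case "$2" in
        approve|reject|cancel|update|validate|assign|unassign) ;;
        *) echo "review_request: unknown action '$2'" >&2; return 2 ;;
    esac
    # shellcheck disable=SC2086
    "${PKI_BIN:-pki}" $PKI_AGENT_AUTH cert-request-review "$1" --action "$2"
}

# Typical run (not executed here):
#   make_csr testuser.key testuser.csr '/CN=Test User/OU=Engineering/O=Example/C=US'
#   build_request caUserCert pkcs10 "$(pem_to_b64 testuser.csr)" testuser \
#       testuser@example.com 'Test User' Engineering Example US > request.xml
#   submit_request request.xml                      # note the request ID it prints
#   PKI_AGENT_AUTH='-d /path/to/nssdb -c <db password> -n agent' \
#       review_request <request ID> approve
```

Keeping the private key out of the request file is the point of the PKCS #10 step: only the public key and the signed subject travel to the CA, and the key written by make_csr stays on the requester's host. The escaping in build_request matters because subject fields are user-supplied text; an unescaped "&" or "<" in a common name would produce a malformed request rather than a certificate.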

   Group Management Commands
       All group commands must be executed as an administrator. Some representative commands  are
       shown below.  Type pki group to get a list of additional commands.

       To  list  groups, use pki group-find.  It is possible to select the page size to limit the
       number of entries returned.  To list all groups:

       pki <admin authentication> group-find

       To view a particular group:

       pki <admin authentication> group-show <group ID>

       To add a group:

       pki <admin authentication> group-add <group ID> --description description

       To delete a group:

       pki <admin authentication> group-del <group ID>

       To add a user to a group:

       pki <admin authentication> group-member-add <group ID> <Member ID>

       To delete a user from a group:

       pki <admin authentication> group-member-del <group ID> <Member ID>

   Security Domain Commands
       pki can be used to access certain information from the security domain.

       To get an installation token (used when installing  a  new  subsystem  within  a  security
       domain):

       pki  <security  domain  admin  authentication> securitydomain-get-install-token --hostname
       <hostname> --subsystem <subsystem>

       To show the contents of the security domain:

       pki <security domain admin authentication> securitydomain-show

   User Management Commands
       All user commands must be executed as an administrator. Some representative  commands  are
       shown below.  Type pki user to get a list of additional commands.

       To  list  users,  use  pki user-find.  It is possible to select the page size to limit the
       size of the results.  To list all users:

       pki <admin authentication> user-find

       To view a particular user:

       pki <admin authentication> user-show <user ID>

       To add a user:

       pki <admin authentication> user-add <user ID> --fullName <full name>

       To delete a user:

       pki <admin authentication> user-del <user ID>

FILES
       /usr/bin/pki

AUTHORS
       Ade Lee <alee@redhat.com>, Endi Dewata <edewata@redhat.com>, and Matthew Harmsen
       <mharmsen@redhat.com>.  pki was written by the Dogtag project.

COPYRIGHT
       Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License,
       version 2 (GPLv2). A copy of this license is available at
       http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 1.0				December 13, 2012				   pki(1)