PKI 10.8 PKI CLI Changes
General PKI CLI Changes
Adding Trust Policy Module
Normally the PKI CLI automatically creates a new NSS database if none is provided. Previously the database was created without any trust policy, so no certificate was trusted unless it, or its issuer, was explicitly imported into the NSS database and marked as trusted.
In version 10.8 the PKI CLI adds the p11-kit-trust module to the NSS database it creates, so that the database trusts the CA certificates provided by the system trust store. This lets the PKI CLI talk to a server whose certificate was issued by a publicly trusted CA without importing the CA certificate first, for example:
$ pki -U https://pki.demo.dogtagpki.org ca-cert-find
Changes on Default Protocol and Port
Previously the PKI CLI communicated with the PKI server over HTTP on port 8080 by default. In version 10.8 the PKI CLI uses HTTPS on port 8443 by default, so credentials and request data are no longer sent in the clear unless the user explicitly selects HTTP.
As before, the user can override the protocol and port with the -P <protocol> and -p <port> options, respectively, or specify the full server URL with the -U <URL> option.
Changes on Handling of Untrusted Certificate Issuer
Previously, if the PKI CLI received an SSL server certificate issued by an untrusted CA, it asked the user whether to trust the CA certificate. In version 10.8 the PKI CLI asks whether to trust the SSL server certificate itself, so accepting the prompt trusts only that one certificate rather than every certificate the CA has issued.
If the user chooses not to trust the certificate, the operation fails:
$ pki ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=server.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Trust this certificate (y/N)?
IOException: SocketException cannot write on socket
If the user chooses to trust the certificate, it is imported into the client's NSS database (~/.dogtag/nssdb by default) with the trust flags "P,,", i.e. trusted as an SSL peer only:
$ pki ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=server.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Trust this certificate (y/N)? y
...
$ certutil -L -d ~/.dogtag/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=server.example.com                                        P,,
Once the certificate is trusted, the CLI no longer prints the warning when it receives the same certificate again. Because the decision is taken on first contact, confirm out of band that the server presented the expected certificate before answering y. A server certificate that is later renewed or replaced is a different certificate, so the prompt appears again for it.
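The following shell script is an added example for the two trust-policy changes above (the p11-kit-trust module and the per-certificate trust prompt); it is not part of the PKI CLI or the Dogtag project. It parses certutil -L output to list which certificates in the client database were pinned through the prompt (SSL trust flag P) and which are trusted as CAs (flag C), and shows how to attach the p11-kit-trust module to a database by hand with modutil, which is what pki 10.8 does when it creates the database. The library path /usr/lib64/pkcs11/p11-kit-trust.so is an assumption (the Fedora/RHEL x86_64 location), the NSSDB variable and all function names are the example's own, and the certutil listing embedded in it is constructed to resemble the one above.

```shell
#!/bin/sh
# Added example, not part of the Dogtag PKI project or this page.
# Audits a pki client NSS database: which certificates were pinned through
# the "Trust this certificate (y/N)?" prompt (SSL trust flag P, a single
# trusted peer) versus which are trusted as CAs (flag C). Also shows how to
# attach the p11-kit-trust module by hand, as pki 10.8 does when it creates
# the database.
# Assumptions: NSS tools (certutil, modutil) are installed for the live
# functions; the p11-kit-trust library path below is the Fedora/RHEL x86_64
# location and may differ on other distributions.

NSSDB="${NSSDB:-$HOME/.dogtag/nssdb}"
P11_KIT_TRUST_LIB="${P11_KIT_TRUST_LIB:-/usr/lib64/pkcs11/p11-kit-trust.so}"

# Read `certutil -L` output on stdin and print the nicknames whose SSL trust
# column contains the flag given as $1 (P = trusted peer, C = trusted CA,
# u = we hold the private key). Nicknames may contain spaces, so the trust
# triple is taken from the last field and the rest of the line is the name.
nss_trust_filter() {
    awk -v want="$1" '
        # A data line ends in a triple like "P,,", "CT,C,C" or "u,u,u";
        # the two header lines and blank lines never match this pattern.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, flags, ",")
            if (index(flags[1], want) > 0) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
                print nick
            }
        }'
}

# Live variants against the client database.
nss_list_trust()   { certutil -L -d "sql:$NSSDB"; }
nss_peer_trusted() { nss_list_trust | nss_trust_filter P; }
nss_ca_trusted()   { nss_list_trust | nss_trust_filter C; }

# Does the database already load the p11-kit-trust module?
nss_has_system_trust() {
    modutil -dbdir "sql:$NSSDB" -list 2>/dev/null | grep -q 'p11-kit-trust'
}

# Attach the system trust store to a database created by an older pki
# (or by certutil), so system CAs are trusted without importing them.
nss_add_system_trust() {
    nss_has_system_trust && return 0
    modutil -dbdir "sql:$NSSDB" -add p11-kit-trust -libfile "$P11_KIT_TRUST_LIB" -force
}

# Constructed sample of `certutil -L` output, modelled on the page's listing,
# so the parser can be exercised without a live database.
sample_certutil_output() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=server.example.com                                        P,,
CA Signing Certificate - EXAMPLE                             CT,C,C
caadmin                                                      u,u,u
EOF
}

# Run with "demo" to see the parser on the sample, or call nss_peer_trusted
# to list certificates pinned on first use in the real database.
if [ "${1:-}" = "demo" ]; then
    echo "Pinned server certificates (P):"; sample_certutil_output | nss_trust_filter P
    echo "Trusted CAs (C):";               sample_certutil_output | nss_trust_filter C
fi
```

Running nss_peer_trusted periodically is a cheap way to spot server certificates that were accepted at the prompt and then forgotten; any entry with the P flag that you cannot account for should be removed with certutil -D.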
PKI CA CLI Changes
New Certificate Request Review Process
Previously, to review a certificate request with the PKI CLI, a CA agent had to use one of the two processes below:
- The agent could execute pki cert-request-review <request ID> --file <filename>, which retrieved the certificate request and stored it in a file. The CLI then waited for the agent to review and possibly update the request in the file, and to specify an action to be taken against the request. While waiting, the CLI kept a connection to the server open, so the review had to be completed before the connection timed out.
- Alternatively, the agent could execute pki cert-request-review <request ID> --action <action>, which retrieved the certificate request and performed the action directly, without a chance to review or update the request.
To improve usability, in version 10.8 the process works as follows:
- Initially, the agent executes pki ca-cert-request-review <request ID> --output-file <filename> to retrieve the certificate request and store it in a file. The CLI terminates as soon as the file is written; no connection stays open.
- The agent reviews the request and possibly updates it in the file. There is no time limit.
- Finally, the agent executes pki ca-cert-request-<action> <request ID> --input-file <filename> (for example pki ca-cert-request-approve or pki ca-cert-request-reject) to take the action against the request.
Note that both the old and the new review processes use a nonce to protect against Cross-Site Request Forgery (CSRF): the nonce issued when the request is retrieved must accompany the action, so an action cannot be submitted without first retrieving the request.
PKI KRA CLI Changes
New Transport Certificate Commands
Some new commands have been added to simplify accessing the KRA transport certificate.
To show the KRA transport certificate information, execute the following command:
$ pki kra-cert-transport-show
  Serial Number: 0x8
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Thu Sep 26 15:14:46 CDT 2019
  Not Valid After: Wed Sep 15 15:14:46 CDT 2021
To export the KRA transport certificate in PEM format, execute the following command:
$ pki kra-cert-transport-export
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIBCDANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQKDAdFWEFN
UExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl
cnRpZmljYXRlMB4XDTE5MDkyNjIwMTQ0NloXDTIxMDkxNTIwMTQ0NlowSzEQMA4G
A1UECgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNhdDEiMCAGA1UEAwwZRFJN
IFRyYW5zcG9ydCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANxo57HJUfIjX65O2ewsRT11UBNMX9TnTv7YpLE7ioIHcPIZ9yxPFwvu
gpgbqJHgdcEZtREEmufV/sNCWdSF3BQ9L44J74+LZLh584uzvWlbSRoMuYK0wncp
rbdkcVpD09NsdRtcLdAOQhSdYv7G+cpx49NG95JTg4x8nx+Tk0l82cPLaKAD8SlR
XiMlMI0WoOUd/1cDbd6dIsuWdngqJR21CoU4b/PNAxJ68OTXYH0EzqURC2mxL22g
d8ysxaG69n5RD62WSMSiskifUV3grHpj8003D5fZUoXDSArGKDRAZcJ2jCpugRpo
t5zh85Yt5iOriYUL+iushfpxdL0DK3MCAwEAAaOBkDCBjTAfBgNVHSMEGDAWgBRg
JYwzeQJaFk8lnWcbQwOXTht9djBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGG
KWh0dHA6Ly9sb2NhbGhvc3QubG9jYWxkb21haW46ODA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOC
AQEAG9nC68GvoKTFEuJYEeyuVdKVnJWLfIYFrSOxrob9P5ymWfgF2I0ZiZUZv7fs
SRvJbFPeYrhB9yfrttzV+gu+wdEFjXfRLocR0qkWUexgL8OB8tbZbt5Izdm76wBE
cydHW3kHdSHXAwrhqvGfHmNA7HQgyHeOj7DPL70UnASYxOl9oGLnZetTmFO6Iwnd
rP2u8EKaYorBu6RpCVrXpYtlc9qKvzrDuY7CAl5UyTl4D2M/g/akRJiO4HIFXVG2
GdQga6nN9Dp27Eu6SXLe5fVd4Na2SiGzdceZj5hfFImVWKEeS9G+lsyXm1+bFMnG
nUw6fSSkYNRTxAPiGCiC+28vFQ==
-----END CERTIFICATE-----
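As an added example (not part of the PKI CLI or the Dogtag project), the shell script below checks an exported transport certificate before a client uses it to wrap keys for archival: it prints the serial number to compare against the one shown by pki kra-cert-transport-show, confirms that the subject names a transport certificate, confirms that the key usage includes Key Encipherment, and can verify the chain against a CA certificate file with openssl. It assumes openssl is installed; the certificate printed above is embedded so the checks run offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Dogtag PKI project or this page.
# Checks a KRA transport certificate before a client uses it to wrap keys
# for archival. Assumes openssl is installed; the PEM below is the
# certificate printed on this page, embedded so the checks run offline.
# Function names are the example's own.

TRANSPORT_CERT_PEM='-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIBCDANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQKDAdFWEFN
UExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl
cnRpZmljYXRlMB4XDTE5MDkyNjIwMTQ0NloXDTIxMDkxNTIwMTQ0NlowSzEQMA4G
A1UECgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNhdDEiMCAGA1UEAwwZRFJN
IFRyYW5zcG9ydCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBANxo57HJUfIjX65O2ewsRT11UBNMX9TnTv7YpLE7ioIHcPIZ9yxPFwvu
gpgbqJHgdcEZtREEmufV/sNCWdSF3BQ9L44J74+LZLh584uzvWlbSRoMuYK0wncp
rbdkcVpD09NsdRtcLdAOQhSdYv7G+cpx49NG95JTg4x8nx+Tk0l82cPLaKAD8SlR
XiMlMI0WoOUd/1cDbd6dIsuWdngqJR21CoU4b/PNAxJ68OTXYH0EzqURC2mxL22g
d8ysxaG69n5RD62WSMSiskifUV3grHpj8003D5fZUoXDSArGKDRAZcJ2jCpugRpo
t5zh85Yt5iOriYUL+iushfpxdL0DK3MCAwEAAaOBkDCBjTAfBgNVHSMEGDAWgBRg
JYwzeQJaFk8lnWcbQwOXTht9djBFBggrBgEFBQcBAQQ5MDcwNQYIKwYBBQUHMAGG
KWh0dHA6Ly9sb2NhbGhvc3QubG9jYWxkb21haW46ODA4MC9jYS9vY3NwMA4GA1Ud
DwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOC
AQEAG9nC68GvoKTFEuJYEeyuVdKVnJWLfIYFrSOxrob9P5ymWfgF2I0ZiZUZv7fs
SRvJbFPeYrhB9yfrttzV+gu+wdEFjXfRLocR0qkWUexgL8OB8tbZbt5Izdm76wBE
cydHW3kHdSHXAwrhqvGfHmNA7HQgyHeOj7DPL70UnASYxOl9oGLnZetTmFO6Iwnd
rP2u8EKaYorBu6RpCVrXpYtlc9qKvzrDuY7CAl5UyTl4D2M/g/akRJiO4HIFXVG2
GdQga6nN9Dp27Eu6SXLe5fVd4Na2SiGzdceZj5hfFImVWKEeS9G+lsyXm1+bFMnG
nUw6fSSkYNRTxAPiGCiC+28vFQ==
-----END CERTIFICATE-----'

# Fetch the live transport certificate; pass pki options such as -U or -n
# as arguments, e.g. fetch_transport_cert -U https://kra.example.com:8443 > transport.pem
fetch_transport_cert() {
    pki "$@" kra-cert-transport-export
}

# Helpers that read one PEM certificate on stdin.
cert_serial()  { openssl x509 -noout -serial; }     # prints e.g. "serial=08"
cert_subject() { openssl x509 -noout -subject; }
cert_key_usage() {
    # The usage list is the line after the "X509v3 Key Usage" header.
    openssl x509 -noout -text | awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Normalise a hex serial ("0x8", "08", "8") for comparison.
norm_serial() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//; s/^0*//'
}

# Does the serial in the PEM ($1) match what kra-cert-transport-show reported ($2)?
serial_matches() {
    got=$(printf '%s\n' "$1" | cert_serial | sed 's/^serial=//')
    [ "$(norm_serial "$got")" = "$(norm_serial "$2")" ]
}

# Is this plausibly the transport certificate: the subject says so and the
# key may be used for key encipherment (wrapping the archived key material)?
check_transport_cert() {
    printf '%s\n' "$1" | cert_subject   | grep -q 'Transport Certificate' || return 1
    printf '%s\n' "$1" | cert_key_usage | grep -q 'Key Encipherment'      || return 1
}

# Verify the chain: $1 = transport cert file, $2 = CA certificate file (PEM).
verify_transport_chain() {
    openssl verify -CAfile "$2" "$1"
}

# Run with "demo" to check the embedded certificate against serial 0x8.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$TRANSPORT_CERT_PEM" | cert_serial
    printf '%s\n' "$TRANSPORT_CERT_PEM" | cert_key_usage
    if serial_matches "$TRANSPORT_CERT_PEM" 0x8 && check_transport_cert "$TRANSPORT_CERT_PEM"; then
        echo "transport certificate OK"
    else
        echo "transport certificate check FAILED"
    fi
fi
```

The serial comparison matters because the transport certificate is what a client encrypts to when it archives a key: a substituted certificate with a plausible subject would let whoever holds its private key read archived keys, so the value shown by pki kra-cert-transport-show (and the chain check against the CA) should be confirmed before the exported PEM is used.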