PKI 10.8 PKI CLI Changes

From Dogtag
Revision as of 03:05, 27 September 2019 by Edewata (talk | contribs) (Changes on Handling of Untrusted Certificate Issuer)


Changes on Default Protocol and Port

Previously the PKI CLI communicated with the PKI server over HTTP on port 8080 by default. In version 10.8 the PKI CLI uses HTTPS on port 8443 by default.

As before, the user can override the connection protocol and port using the -P <protocol> and -p <port> options, respectively, or specify the server URL using the -U <URL> option.

Changes on Handling of Untrusted Certificate Issuer

Previously, if the PKI CLI received an SSL server certificate issued by an untrusted CA, it would ask the user whether to trust the CA certificate. In version 10.8 the PKI CLI asks the user whether to trust the SSL server certificate itself.

If the user chooses not to trust the certificate, the operation will fail:

$ pki ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=server.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Trust this certificate (y/N)?
IOException: SocketException cannot write on socket

If the user chooses to trust the certificate, the certificate will be imported into the client's NSS database (default is ~/.dogtag/nssdb) and assigned the "P,," trust flags (trusted peer for SSL only, not trusted as a CA):

$ pki ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=server.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Trust this certificate (y/N)? y
...

$ certutil -L -d ~/.dogtag/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=server.example.com                                        P,,

Once the certificate is trusted, the CLI will no longer generate the above warning if it receives the same certificate again.
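Because certificates accepted at that prompt are recorded only as "P,," peer entries in the client NSS database, it is useful to be able to list them separately from CA entries. The following Python script is an added example, not part of the Dogtag CLI: it parses `certutil -L` output (a constructed sample listing is embedded), and `audit_nssdb` assumes `certutil` is on the PATH.

```python
"""Audit an NSS database listing for server certificates that were accepted
ad hoc at the PKI CLI prompt (they carry the "P,," peer trust flags)."""
import re
import subprocess

# certutil prints "<nickname><spaces><trust attributes>". The nickname may
# itself contain spaces, so the trust field is taken as the last
# whitespace-separated token and validated against the NSS flag alphabet.
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")

# Constructed sample of `certutil -L -d ~/.dogtag/nssdb` output, modelled on
# the listing above plus a CA entry imported with "CT,C,C" and a user key.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=server.example.com                                        P,,
CA Signing Certificate - EXAMPLE                             CT,C,C
caadmin                                                      u,u,u
"""


def parse_certutil_listing(text):
    """Return a list of (nickname, ssl_flags, smime_flags, objsign_flags)."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        # Skip blank lines and the two header lines.
        if not line or "Trust Attributes" in line or line.lstrip().startswith("SSL,"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        ssl, smime, objsign = parts[1].split(",")
        entries.append((parts[0], ssl, smime, objsign))
    return entries


def peer_trusted_servers(text):
    """Nicknames whose SSL slot has the 'P' (trusted peer) flag but no CA flag:
    certificates accepted at 'Trust this certificate (y/N)?' rather than
    vouched for by a trusted CA in the database."""
    return [nick for nick, ssl, _, _ in parse_certutil_listing(text)
            if "P" in ssl and "C" not in ssl and "T" not in ssl]


def audit_nssdb(dbdir):
    """Run certutil against a real database directory (assumes certutil on PATH)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return peer_trusted_servers(out)


if __name__ == "__main__":
    for nick in peer_trusted_servers(SAMPLE_LISTING):
        print("peer-trusted (accepted at prompt):", nick)
```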

New KRA Transport Certificate Commands

Some new commands have been added to simplify accessing the KRA transport certificate.

To show the KRA transport certificate information, execute the following command:

$ pki kra-cert-transport-show
  Serial Number: 0x8
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Not Valid Before: Thu Sep 26 15:14:46 CDT 2019
  Not Valid After: Wed Sep 15 15:14:46 CDT 2021

To export the KRA transport certificate, execute the following command:

$ pki kra-cert-transport-export

See Also