From Dogtag


PKI CLI is a client tool that can be used to access various services on PKI server.


When installing PKI server the PKI CLI (and the PKI Client library) will automatically be installed.

To install PKI CLI on a machine that does not have PKI server, execute the following command:

$ yum install pki-tools


In general the PKI CLI takes the following parameters:

$ pki [CLI options] <command> [command arguments/options]

The CLI options should be placed before the command. The command arguments/options should be placed after the command.

To view available commands and options:

$ pki --help

Some commands may have sub-commands. To view the sub-commands:

$ pki <command>

To view the command usage:

$ pki <command> --help

To run the command in verbose mode:

$ pki -v <command>


See PKI CLI Options.

See PKI Environment Variables.

See PKI CLI Initialization.

See PKI CLI Connection.

See PKI CLI Authentication.

See PKI CLI Paging.


Running in verbose mode

In verbose mode the PKI CLI prints additional information that helps troubleshoot issues.

To run the PKI CLI in verbose mode, specify -v as a CLI option (i.e. before the command), not as a command option (i.e. after the command):

$ pki -v <command> <command options>

Recording HTTP messages

The PKI CLI communicates with the PKI server over HTTP. The HTTP messages can be recorded for troubleshooting.

To record the HTTP messages, specify the --output and --message-format options as follows:

$ mkdir <dir>
$ pki --output <dir> --message-format <format> <command>

The format is either xml (default) or json. The requests and responses are stored in http-request-<n> and http-response-<n> files in the output directory, where <n> is the index of the exchange.
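The following script is an added example, not part of the Dogtag page or the pki tool itself. It wraps the recording procedure above (create the output directory, run pki with --output and --message-format) and then pairs the recorded http-request-<n> files with their http-response-<n> counterparts, so that an exchange whose response never arrived (the usual sign of a failed request) is easy to spot. It assumes the pki binary is on PATH; the function names, the "-" marker for a missing response and the sample file contents used in the usage comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Dogtag page): record a pki command's HTTP
# exchange and review the recorded request/response pairs.

# Run a pki command with HTTP recording enabled.
# Usage: pki_record <dir> <format> <pki command and arguments>
# <format> is xml or json, as the PKI CLI accepts; assumes pki is on PATH.
pki_record() {
    dir="$1"; fmt="$2"; shift 2
    mkdir -p "$dir"
    pki --output "$dir" --message-format "$fmt" "$@"
}

# Print one line per recorded exchange: "<n> <request file> <response file>".
# A request with no matching response file is printed with "-" in place of the
# response, so the last request sent before a failure stands out.
list_exchanges() {
    dir="$1"
    for req in "$dir"/http-request-*; do
        [ -e "$req" ] || continue          # no files at all: the glob did not expand
        n="${req##*/http-request-}"         # exchange index from the file name
        resp="$dir/http-response-$n"
        if [ -e "$resp" ]; then
            printf '%s %s %s\n' "$n" "$req" "$resp"
        else
            printf '%s %s -\n' "$n" "$req"
        fi
    done
}

# Print the number of recorded requests that have no response file.
count_missing_responses() {
    list_exchanges "$1" | awk '$3 == "-" { c++ } END { print c + 0 }'
}

# Typical use (not executed here, since it needs a reachable PKI server):
#   pki_record /tmp/pki-trace json <command>
#   list_exchanges /tmp/pki-trace
#   count_missing_responses /tmp/pki-trace
```

Because the recorded files contain the full HTTP messages, including any authentication headers or cookies the CLI sent, treat the output directory as sensitive and delete it once the troubleshooting is done.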

Future Enhancements


Currently each CLI command uses a separate connection, so the user has to provide authentication with every command. Ideally there would be a session spanning multiple CLI commands, so that authentication only needs to be done once:

$ pki <authentication> login
$ pki ca-user-add testuser --fullName "Test User"
$ pki ca-group-member-add Administrators testuser
$ pki logout

There are several ways to address this:

  • Store the credentials in a local file and keep the session ID in the cookies. The user is responsible for removing it.
  • Implement a shell so the CLI can accept multiple commands.
  • Use Kerberos authentication.