PKI PKCS12 CLI

From Dogtag

Overview

Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in a PKCS #12 file.

Generally the PKCS #12 commands can be executed without an NSS database. However, in certain cases an NSS database is required:

  • decrypting the key info in a PKCS #12 file to display more details about the key
  • importing certificates and keys from a PKCS #12 file
  • exporting certificates and keys into a PKCS #12 file
  • running in FIPS mode

If required, use an existing NSS database or create a new one.

A new NSS database can be created as follows:

$ pki -d <NSS database location> -c <NSS password> client-init

The password can also be specified in a file:

$ pki -d <NSS database location> -C <NSS password file> client-init

To execute the PKCS #12 commands with the NSS database:

$ pki -d <NSS database location> -c <NSS password> pkcs12-...

or:

$ pki -d <NSS database location> -C <NSS password file> pkcs12-...

Note that if the -d option is omitted, the default location ~/.dogtag/nssdb is used.

Listing Certificates

To list the certificates in a PKCS #12 file:

$ pki pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Serial Number: 0x6
  Nickname: caadmin
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
  Trust flags: u,u,u

Listing Keys

To list the keys in a PKCS #12 file:

$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
1 entries found
---------------
  Key ID: 16228b70f066d50a68d59e64c9367b53c234473d
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=EXAMPLE
  Algorithm: RSA

The PKCS #12 password can also be specified in a file:

$ pki pkcs12-key-find --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt

Adding Certificate into PKCS #12 File

To add a certificate, including its key and trust flags, from the client NSS database:

$ pki -c Secret.123 pkcs12-cert-add caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------------------
Added certificate "caadmin"
---------------------------

If the PKCS #12 file does not exist, it will be created automatically. If the PKCS #12 file already exists, the certificate will be added into the file.

The trust flags stored in the file can be overridden with the --trust-flags parameter:

$ pki -c Secret.123 pkcs12-cert-add caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --trust-flags <trust flags>
---------------------------
Added certificate "caadmin"
---------------------------

To add a certificate from the client NSS database without its key:

$ pki -c Secret.123 pkcs12-cert-add caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --no-key
---------------------------
Added certificate "caadmin"
---------------------------

To add a certificate from a file (not implemented yet):

$ pki pkcs12-cert-add caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --cert-file caadmin.pem
---------------------------
Added certificate "caadmin"
---------------------------

To add a certificate from a file with trust flags (not implemented yet):

$ pki pkcs12-cert-add caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --cert-file caadmin.pem \
 --trust-flags "u,u,u"
---------------------------
Added certificate "caadmin"
---------------------------

Exporting Certificate from PKCS #12 File

To export a certificate from a PKCS #12 file into a PEM file:

$ pki pkcs12-cert-export caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --cert-file caadmin.pem

Modifying Certificate in PKCS #12 File

To rename a certificate (not implemented yet):

$ pki pkcs12-cert-mod caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --nickname "new nickname"
------------------------------
Modified certificate "caadmin"
------------------------------

To add/change certificate trust flags:

$ pki pkcs12-cert-mod caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --trust-flags "u,u,u"
------------------------------
Modified certificate "caadmin"
------------------------------

To remove certificate trust flags:

$ pki pkcs12-cert-mod caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123 --trust-flags ""
------------------------------
Modified certificate "caadmin"
------------------------------

Removing Certificate from PKCS #12 File

To delete a certificate from a PKCS #12 file:

$ pki pkcs12-cert-del caadmin --pkcs12-file test.p12 --pkcs12-password Secret.123
-----------------------------
Deleted certificate "caadmin"
-----------------------------

Removing Key from PKCS #12 File

To delete a key from a PKCS #12 file:

$ pki pkcs12-key-del 16228b70f066d50a68d59e64c9367b53c234473d --pkcs12-file test.p12 --pkcs12-password Secret.123
------------------------------------------------------
Deleted key "16228b70f066d50a68d59e64c9367b53c234473d"
------------------------------------------------------

Importing PKCS #12 File into NSS Database

To import a PKCS #12 file into the client security database (default: ~/.dogtag/nssdb):

$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
Import complete
---------------

Optionally, the nicknames of the certificates to be imported can be specified as arguments:

$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 \
 "caSigningCert cert-pki-tomcat CA" \
 "subsystemCert cert-pki-tomcat"
---------------
Import complete
---------------

To import without the trust flags:

$ pki -c Secret.123 pkcs12-import --pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Import complete
---------------

The passwords can be specified in a file:

$ pki -C nsspwd.txt pkcs12-import --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt

Exporting NSS Database into PKCS #12 File

To export the NSS database (default: ~/.dogtag/nssdb) into a PKCS #12 file:

$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123
---------------
Export complete
---------------

It will overwrite an existing PKCS #12 file.

To export certain certificates only, specify the nicknames as command arguments:

$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 \
 "auditSigningCert cert-pki-tomcat CA" \
 "ocspSigningCert cert-pki-tomcat CA"
---------------
Export complete
---------------

It will include the specified certificates with their keys, and the certificate chain without their keys.

To export without the trust flags:

$ pki -c Secret.123 pkcs12-export --pkcs12-file test.p12 --pkcs12-password Secret.123 --no-trust-flags
---------------
Export complete
---------------

The passwords can be specified in files:

$ pki -C nsspwd.txt pkcs12-export --pkcs12-file test.p12 --pkcs12-password-file pkcs12pwd.txt
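The password-file form of the export and listing commands, wrapped in a small POSIX shell script. This is an added example, not part of the Dogtag wiki page: it keeps both the NSS password and the PKCS #12 password out of the command line (and so out of the process list and shell history) by writing them to files readable only by the current user. The PKI variable (default: pki) is an assumed hook that lets the functions be dry-run with another command.

```sh
#!/bin/sh
# Added example (not from the Dogtag wiki): drive pkcs12-export and
# pkcs12-cert-find with -C / --pkcs12-password-file instead of -c /
# --pkcs12-password, so no password appears in argv or shell history.
# PKI (default: pki) is an assumed hook for dry runs, e.g. PKI=echo.
set -e

# Write a password to a file only the current user can read, then print the
# resulting octal mode so the caller can verify it.
write_password_file() {
    file=$1
    password=$2
    rm -f "$file"                      # do not inherit looser permissions
    (umask 077 && printf '%s\n' "$password" > "$file")
    stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file"   # GNU, then BSD
}

# Export the NSS database into a PKCS #12 file (pkcs12-export overwrites an
# existing file), reading both passwords from files. Any extra arguments are
# passed through as the nicknames of the certificates to export.
export_nssdb_to_pkcs12() {
    nssdb=$1; nss_pw_file=$2; p12=$3; p12_pw_file=$4
    shift 4
    "${PKI:-pki}" -d "$nssdb" -C "$nss_pw_file" pkcs12-export \
        --pkcs12-file "$p12" --pkcs12-password-file "$p12_pw_file" "$@"
}

# List the certificates in the exported file, again via the password file.
list_pkcs12_certs() {
    "${PKI:-pki}" pkcs12-cert-find --pkcs12-file "$1" --pkcs12-password-file "$2"
}

# Usage (constructed values, run as the user that owns the NSS database):
#   write_password_file ./nsspwd.txt 'Secret.123' >/dev/null
#   write_password_file ./pkcs12pwd.txt 'Secret.123' >/dev/null
#   export_nssdb_to_pkcs12 ~/.dogtag/nssdb ./nsspwd.txt test.p12 ./pkcs12pwd.txt
#   list_pkcs12_certs test.p12 ./pkcs12pwd.txt
```

Delete the password files once the export is done; they grant the same access as the passwords themselves.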
