-
Notifications
You must be signed in to change notification settings - Fork 137
Importing Admin Certificate into PKI CLI
This page describes the process to import the admin certificate into PKI CLI such that the certificate can be used to execute admin operations from the command line.
This document assumes that the admin certificate and the key are stored
in a PKCS #12 file (e.g. ~/.dogtag/pki-tomcat/ca_admin_cert.p12
) after CA installation,
and the PKCS #12 file is protected with a password specified in the
pki_client_pkcs12_password
parameter during installation.
To check the content of the PKCS #12 file execute the following command:
$ pki pkcs12-cert-find \ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123 Certificate ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d Serial Number: 0x1ec63c581a462361700bf8ceedc5b8ad Friendly Name: caadmin Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Has Key: true Key ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d
The nickname of the admin certificate is listed as Friendly Name
.
This nickname can be configured during installation using the pki_admin_nickname
parameter for pkispawn
.
By default the PKI CLI uses an NSS database at ~/.dogtag/nssdb
.
To import the PKCS #12 file into the NSS database, execute the following command:
$ pki pkcs12-import \ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123
Note: Due to JSS #796 that command might not work. In that case use this command instead:
$ pki client-cert-import \ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ --pkcs12-password Secret.123
The certificate can be used by specifying a -n <nickname>
parameter, for example:
$ pki -n caadmin ca-user-find
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |