Skip to content

Importing Admin Certificate into PKI CLI

Endi S. Dewata edited this page Mar 23, 2023 · 14 revisions

Overview

This page describes the process to import the admin certificate into PKI CLI such that the certificate can be used to execute admin operations from the command line.

This document assumes that the admin certificate and the key are stored in a PKCS #12 file (e.g. ~/.dogtag/pki-tomcat/ca_admin_cert.p12) after CA installation, and the PKCS #12 file is protected with a password specified in the pki_client_pkcs12_password parameter during installation.

Checking PKCS #12 File

To check the content of the PKCS #12 file execute the following command:

$ pki pkcs12-cert-find \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123
  Certificate ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d
  Serial Number: 0x1ec63c581a462361700bf8ceedc5b8ad
  Friendly Name: caadmin
  Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
  Has Key: true
  Key ID: 0x35488a4d338dfce3968b9f9a0d6a668a5ea3508d

The nickname of the admin certificate is listed as Friendly Name. This nickname can be configured during installation using the pki_admin_nickname parameter for pkispawn.

Importing Admin Certificate

By default the PKI CLI uses an NSS database at ~/.dogtag/nssdb.

To import the PKCS #12 file into the NSS database, execute the following command:

$ pki pkcs12-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123

Note: Due to JSS #796 that command might not work. In that case use this command instead:

$ pki client-cert-import \
    --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
    --pkcs12-password Secret.123

The certificate can be used by specifying a -n <nickname> parameter, for example:

$ pki -n caadmin ca-user-find
Clone this wiki locally