PKI CLI Initialization
The PKI CLI needs an NSS database to store the certificates and keys it uses for crypto operations such as establishing an SSL connection, certificate authentication, encryption/decryption, or accessing a PKCS #12 file in FIPS mode. Operations that involve no crypto do not require an NSS database, but it is recommended to create one before using the PKI client for the first time.
The NSS database can be created (or recreated) with the following commands. The password can be specified directly on the command line:
```
$ pki -c Secret.123 client-init
```
The password can also be specified in a file:
```
$ pki -C password.txt client-init
```
Note: Since PKI 10.4.1 the PKI CLI supports creating an NSS database without a password:
```
$ pki client-init
```
Also since PKI 10.4.1, if the PKI CLI is used without prior initialization it creates a default NSS database without a password.
By default the NSS database will be created at `~/.dogtag/nssdb`. To create the NSS database at a different location, specify the path with the `-d` parameter:
```
$ pki -d ~/.config/pki/nssdb client-init
```
If necessary, the trust policy can be enabled with the following command:
```
$ modutil \
    -dbdir ~/.dogtag/nssdb \
    -add p11-kit-trust \
    -libfile /usr/share/pki/lib/p11-kit-trust.so
```
Some operations require an SSL connection to the server, during which the server presents its server certificate to the client. To authenticate that server certificate, the CA certificate needs to be installed on the client.
If the CA certificate is already available as a file, it can be imported with the following command:
```
$ pki client-cert-import "CA Signing Certificate" --ca-cert ca.crt
```
Another option is to download the CA certificate directly from the CA server:
```
$ pki client-cert-import "CA Signing Certificate" --ca-server
```
Alternatively, the CA certificate can be imported during the first SSL connection to the server:
```
$ pki -U https://$HOSTNAME:8443 ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com,O=EXAMPLE' indicates a non-trusted CA cert 'CN=CA Signing Certificate,O=EXAMPLE'
Import CA certificate (Y/n)? y
CA server URI [http://pki.example.com:8080/ca]:
...
```
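The following script is an added example, not code from the Dogtag PKI project or this wiki. It ties together the initialization steps above and the CA certificate import: the NSS database password is kept in a file readable only by its owner rather than passed with `-c` (where other local users could read it from the process list, and where it may land in shell history), and the CA certificate is imported only after its SHA-256 fingerprint matches a value obtained out of band, so that a substituted certificate is rejected instead of being trusted on first contact. It assumes the `pki` CLI from this page and `openssl` are installed; every path, the password file name and the expected fingerprint are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Dogtag PKI project: initialize the PKI CLI
# NSS database with a password file and import a CA certificate only after its
# SHA-256 fingerprint has been checked against a value obtained out of band.
# Assumes the `pki` CLI and `openssl` are installed; all paths and the
# expected fingerprint used at the bottom are constructed for this example.

set -eu

# Write the NSS database password to a file that only its owner can read.
# $1 = password file path, $2 = password
write_password_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )   # new file is created 0600
    chmod 600 "$1"                              # tighten if it already existed
}

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the password file is not readable by group or others.
check_password_file() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Print the SHA-256 fingerprint of a PEM certificate as uppercase hex without
# separators; this is the value to compare with what the CA operator published.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' \
        | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the certificate's fingerprint equals the expected one
# (compared case- and colon-insensitively), so a substituted CA certificate
# is rejected before it is ever added to the NSS database.
verify_ca_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    actual=$(cert_fingerprint "$1")
    [ "$actual" = "$expected" ] || {
        echo "fingerprint mismatch for $1: got $actual" >&2; return 1; }
}

# Create the NSS database at $1 using password file $2, then import the CA
# certificate $3 after checking it against fingerprint $4 and list the result.
init_client() {
    nssdb=$1; pwfile=$2; cacert=$3; fingerprint=$4
    check_password_file "$pwfile"
    verify_ca_fingerprint "$cacert" "$fingerprint"
    pki -d "$nssdb" -C "$pwfile" client-init
    pki -d "$nssdb" -C "$pwfile" client-cert-import "CA Signing Certificate" --ca-cert "$cacert"
    pki -d "$nssdb" -C "$pwfile" client-cert-find
}

# Usage (paths and fingerprint are constructed placeholders for this example):
# write_password_file ~/.config/pki/password.txt 'Secret.123'
# init_client ~/.config/pki/nssdb ~/.config/pki/password.txt ca.crt \
#     'EXPECTED-SHA256-FINGERPRINT-PLACEHOLDER'
```

The fingerprint check is the part worth keeping even if the rest is scripted differently: the interactive `Import CA certificate (Y/n)?` prompt shown above trusts whatever certificate the server presents, so the printed issuer name alone is not evidence that the right CA is being imported.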
To execute admin operations using the PKI CLI, the admin certificate and key need to be imported into the NSS database. See Importing Admin Certificate into PKI CLI.