-
Notifications
You must be signed in to change notification settings - Fork 137
PKI PKCS11 CLI
Endi S. Dewata edited this page Mar 27, 2024
·
4 revisions
Since version 10.6 PKI provides a CLI to manage certificates and keys in a PKCS #11 token via an NSS Database. The CLI is implemented using JSS KeyStore.
By default PKI CLI will use the NSS database at ~/.dogtag/nssdb
. To use a different NSS database, specify a -d
parameter.
By default the CLI will ask for the token password on the console. To use a password file, specify a -f
parameter.
To use this PKCS #11 utilities on an NSS database owned by a PKI server:
$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf <command>
By default the CLI will use the internal token. To use the PKCS #11 utilities with HSM, specify a --token
parameter:
$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf --token HSM <command>
To list all certificates in a token:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-cert-find Cert ID: HSM:ca_signing Type: X.509 Serial Number: 0x1 Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Cert ID: HSM:sslserver Type: X.509 Serial Number: 0x3 Subject DN: CN=pki.example.com.com,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Cert ID: HSM:ca_ocsp_signing Type: X.509 Serial Number: 0x2 Subject DN: CN=CA OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Cert ID: HSM:ca_audit_signing Type: X.509 Serial Number: 0x5 Subject DN: CN=CA Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Cert ID: HSM:subsystem Type: X.509 Serial Number: 0x4 Subject DN: CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
To display a specific certificate in a token:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-cert-show HSM:ca_signing Cert ID: HSM:ca_signing Type: X.509 Serial Number: 0x1 Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-cert-del HSM:ca_signing
To list all keys in a token:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-key-find Key ID: HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805 Type: RSA Algorithm: RSA Key ID: HSM:a6de2d573a9fa0d711cac2559f86927052e2548a Type: RSA Algorithm: RSA Key ID: HSM:d45332483fb3f2d1b8132ea699f84e9e179544a0 Type: RSA Algorithm: RSA Key ID: HSM:d7f75b17d2e86644456bcbd926e2af1f7fd7a2ca Type: RSA Algorithm: RSA Key ID: HSM:c962205575386a5eb699c5487d9f7ab72bdd0328 Type: RSA Algorithm: RSA
To display a specific key in a token:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-key-show HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805 Key ID: HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805 Type: RSA Algorithm: RSA
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ --token HSM \ pkcs11-key-del HSM:8ee6ddc15bdec9b260d5f1b276fb416dd60cb805
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |