
PKI PKCS12 CLI

Endi S. Dewata edited this page Apr 22, 2023 · 12 revisions

Overview

Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in a PKCS #12 file.

Generally the PKCS #12 commands can be executed without an NSS database. However, in certain cases an NSS database is required:

  • decrypting the key info in the PKCS #12 file to display more details about the key

  • importing certificates and keys from the PKCS #12 file

  • exporting certificates and keys into the PKCS #12 file

  • running in FIPS mode

If an NSS database is required, by default the command will use ~/.dogtag/nssdb.

A different NSS database can be specified with the -d <directory> parameter. The password for the NSS database can be specified with -c <password> or -C <password file>. Prefer the password file: a password passed with -c is visible to other local users in the process list and may be recorded in the shell history. For example:

$ pki -d <directory> -c <password> pkcs12-...

or:

$ pki -d <directory> -C <password file> pkcs12-...

Importing PKCS #12 File into NSS Database

To import a PKCS #12 file into the client security database (default: ~/.dogtag/nssdb):

$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
---------------
Import complete
---------------

Optionally, the nicknames of the certificates to be imported can be specified as arguments:

$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    "caSigningCert cert-pki-tomcat CA" \
    "subsystemCert cert-pki-tomcat"
---------------
Import complete
---------------

To import without the trust flags:

$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --no-trust-flags
---------------
Import complete
---------------

The PKCS #12 password can also be read from a file, which keeps it out of the process list and the shell history:

$ pki pkcs12-import \
    --pkcs12-file test.p12 \
    --pkcs12-password-file pkcs12pwd.txt

Exporting NSS Database into PKCS #12 File

To export the NSS database (default: ~/.dogtag/nssdb) into a PKCS #12 file:

$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123
---------------
Export complete
---------------

This will overwrite an existing PKCS #12 file of the same name.

To export only certain certificates, specify their nicknames as command arguments:

$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    "auditSigningCert cert-pki-tomcat CA" \
    "ocspSigningCert cert-pki-tomcat CA"
---------------
Export complete
---------------

The resulting file will include the specified certificates with their keys, and the remaining certificates in their chain without keys.

To export without the trust flags:

$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password Secret.123 \
    --no-trust-flags
---------------
Export complete
---------------

The PKCS #12 password can also be read from a file, which keeps it out of the process list and the shell history:

$ pki pkcs12-export \
    --pkcs12-file test.p12 \
    --pkcs12-password-file pkcs12pwd.txt

Managing Certificates in PKCS #12 File

Managing Keys in PKCS #12 File

See Also
