
pki-server-cert(8) PKI Cert Commands pki-server-cert(8)

NAME

pki-server-cert - Command-Line Interface for managing System Certificates.

SYNOPSIS

pki-server [CLI options] cert
pki-server [CLI options] cert-find
pki-server [CLI options] cert-update <cert ID>
pki-server [CLI options] cert-create <cert ID>
pki-server [CLI options] cert-import <cert ID>

DESCRIPTION

The pki-server cert commands provide command-line interfaces to manage system certificates.

pki-server cert commands perform system certificate-related operations on a specific CS instance. All pki-server cert commands require specification of the cert ID to identify the target certificate.

pki-server [CLI options] cert

This command lists the available cert commands.

pki-server [CLI options] cert-find

This command lists all system certificates.

pki-server [CLI options] cert-update <cert ID>

This command updates the system certificate data and CSR in the corresponding subsystem's CS.cfg.

pki-server [CLI options] cert-create <cert ID>

This command creates a system certificate.

pki-server [CLI options] cert-import <cert ID>

This command imports a certificate into the NSS database and updates the corresponding subsystem's CS.cfg.

To view each command's usage, type pki-server cert-<command> --help.

All pki-server commands must be executed as the system administrator.

OPTIONS

The other CLI options are described in pki-server(8).

OFFLINE SYSTEM CERTIFICATE RENEWAL

The pki-server cert commands are used as part of the offline system certificate renewal process.

Assumptions:

1. Valid CA signing cert

2. Valid admin cert

3. PKI server is currently down

Steps for offline system certificate renewal:

A. Run these commands to verify the assumptions:

1. List details of all system certificates

pki-server cert-find

2. Check details of admin cert

certutil -L \
-d <client NSS DB dir> \
-n <admin cert nickname>

3. Check status of PKI server

systemctl status pki-tomcatd@pki-tomcat

Note: Get the sslserver cert serial number from step #1 above; it is needed to create the permanent cert later. The admin needs to make a list of the certs from step #1 that need to be renewed.

B. To bring up a PKI server that has an expired SSL certificate:

1. Create a temp SSL certificate

pki-server cert-create sslserver --temp

2. Import the temp SSL certificate into the NSS database and update the corresponding subsystem's CS.cfg

pki-server cert-import sslserver

3. Start the PKI server using the newly created temp SSL cert

systemctl restart pki-tomcatd@pki-tomcat

C. To renew system certificates:

1. The admin will need to create new system certs for those reported in step #A1 above that are almost expired or already expired.

pki-server cert-create <cert ID> --renew \
-d <client NSS DB dir> \
-c <NSS DB password> \
-n <admin nickname>

For SSL server certificate:

pki-server cert-create sslserver --renew \
--serial <old serial> \
-d <client NSS DB dir> \
-c <NSS DB password> \
-n <admin nickname>

2. Stop the server to prevent NSS database corruption while importing:

systemctl stop pki-tomcatd@pki-tomcat

3. Import the renewed system certificate into the NSS database and update the corresponding subsystem's CS.cfg

pki-server cert-import <cert ID>

4. Start the server with the renewed permanent system certificates

systemctl start pki-tomcatd@pki-tomcat
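Steps B and C above, written out as shell functions. This is an added example and not part of pki-server; the instance name pki-tomcat, the client NSS DB path, the admin nickname and the NSS_DB_PASS variable are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not pki-server code): offline renewal steps B and C.
# Set DRY_RUN=1 to print the commands instead of running them.

INSTANCE="${INSTANCE:-pki-tomcat}"                  # assumption: instance name
CLIENT_DB="${CLIENT_DB:-/path/to/client-nssdb}"     # assumption: client NSS DB dir
ADMIN_NICK="${ADMIN_NICK:-PKI Administrator}"       # assumption: admin cert nickname

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step B: bring the server up on a temporary SSL server certificate.
bring_up_temp_ssl() {
    run pki-server cert-create sslserver --temp
    run pki-server cert-import sslserver
    run systemctl restart "pki-tomcatd@$INSTANCE"
}

# Step C: renew the cert IDs given as arguments. $1 is the old sslserver
# serial from step A1 (pass "" when sslserver is not in the list). The NSS
# DB password is taken from the NSS_DB_PASS environment variable rather
# than typed into the shell; it is still handed to pki-server via -c.
renew_certs() {
    old_serial="$1"; shift
    for id in "$@"; do
        if [ "$id" = sslserver ]; then
            [ -n "$old_serial" ] || { echo "sslserver renewal needs --serial" >&2; return 1; }
            run pki-server cert-create sslserver --renew --serial "$old_serial" \
                -d "$CLIENT_DB" -c "$NSS_DB_PASS" -n "$ADMIN_NICK"
        else
            run pki-server cert-create "$id" --renew \
                -d "$CLIENT_DB" -c "$NSS_DB_PASS" -n "$ADMIN_NICK"
        fi
    done
    # Stop the server before touching the NSS database, then import everything.
    run systemctl stop "pki-tomcatd@$INSTANCE"
    for id in "$@"; do
        run pki-server cert-import "$id"
    done
    run systemctl start "pki-tomcatd@$INSTANCE"
}
```

Example use: `NSS_DB_PASS=... sh -c '. ./renew.sh; bring_up_temp_ssl; renew_certs 0x5 sslserver ca_ocsp_signing'`, where ca_ocsp_signing stands for any cert ID reported by cert-find as needing renewal.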

AUTHORS

Dinesh Prasanth M K <dmoluguw@redhat.com>

COPYRIGHT

Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

August 1, 2017 version 10.4