PKI CA Profile CLI
This document describes the CLI for managing certificate profiles in the CA. These commands can only be executed by a CA administrator; the examples below authenticate with the caadmin client certificate selected by -n.
To submit certificate requests using these profiles, see PKI CA Certificate CLI.
To list certificate profiles (only the first page of results, 20 entries here, is returned):

```
$ pki -n caadmin ca-profile-find
------------------
59 entries matched
------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.
...
-----------------------------
Number of entries returned 20
-----------------------------
```
To display a specific certificate profile:
```
$ pki -n caadmin ca-profile-show caUserCert
--------------------
Profile "caUserCert"
--------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.

  Name: Key Generation
  Class: keyGenInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Key Generation Request Type
    Attribute Syntax: keygen_request_type

    Attribute Name: cert_request
    Attribute Description: Key Generation Request
    Attribute Syntax: keygen_request

  ...

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print
```
To display a specific certificate profile in raw format:
```
$ pki -n caadmin ca-profile-show caUserCert --raw
#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
...
```
To download the profile configuration in XML format:
```
$ pki -n caadmin ca-profile-show caUserCert --output caUserCert.xml
--------------------
Profile "caUserCert"
--------------------
------------------------------------------
Saved profile caUserCert to caUserCert.xml
------------------------------------------
```
The output file will look like the following:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Profile xmlns:ns2="http://www.w3.org/2005/Atom" id="caUserCert">
    <classId>caEnrollImpl</classId>
    <name>Manual User Dual-Use Certificate Enrollment</name>
    <description>This certificate profile is for enrolling user certificates.</description>
    <enabled>true</enabled>
    <visible>true</visible>
    <enabledBy>caadmin</enabledBy>
    <authzAcl></authzAcl>
    <renewal>false</renewal>
    <xmlOutput>false</xmlOutput>
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Descriptor>
                <Syntax>keygen_request_type</Syntax>
                <Description>Key Generation Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Descriptor>
                <Syntax>keygen_request</Syntax>
                <Description>Key Generation Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
    ...
    <Output id="o1">
        <name>Certificate Output</name>
        <classId>certOutputImpl</classId>
        <attributes name="pretty_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Pretty Print</Description>
            </Descriptor>
        </attributes>
        <attributes name="b64_cert">
            <Descriptor>
                <Syntax>pretty_print</Syntax>
                <Description>Certificate Base-64 Encoded</Description>
            </Descriptor>
        </attributes>
    </Output>
    <PolicySets>
        <PolicySet>
            <id>userCertSet</id>
            <value id="1">
                <def id="Subject Name Default" classId="userSubjectNameDefaultImpl">
                    <description>This default populates a User-Supplied Certificate Subject Name to the request.</description>
                    <policyAttribute name="name">
                        <Descriptor>
                            <Syntax>string</Syntax>
                            <Description>Subject Name</Description>
                        </Descriptor>
                    </policyAttribute>
                </def>
                <constraint id="Subject Name Constraint">
                    <description>This constraint accepts the subject name that matches UID=.*</description>
                    <classId>subjectNameConstraintImpl</classId>
                    <constraint id="pattern">
                        <descriptor>
                            <Syntax>string</Syntax>
                            <Description>Subject Name Pattern</Description>
                        </descriptor>
                        <value>UID=.*</value>
                    </constraint>
                </constraint>
            </value>
            ...
        </PolicySet>
    </PolicySets>
    <link href="https://pki.example.com:8443/ca/rest/profiles/caUserCert" rel="self"/>
</Profile>
```
To download the profile configuration in raw format:
```
$ pki -n caadmin ca-profile-show caUserCert --output caUserCert.cfg --raw
------------------------------------------
Saved profile caUserCert to caUserCert.cfg
------------------------------------------
```
The output file will look like the following:
```
#Tue Jul 10 00:58:57 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
policyset.userCertSet.3.default.name=Key Default
...
```
To create a new certificate profile, prepare a new profile configuration file or download an existing one and modify it. Then submit the new configuration to the server with the pki ca-profile-add command.
In XML format, the new profile ID must be specified as follows:
```xml
<Profile ... id="newProfile">
...
</Profile>
```
To create the new profile:
```
$ pki -n caadmin ca-profile-add newProfile.xml
```
In raw format, the new profile ID must be specified as follows:
```
profileId=newProfile
```
To create the new profile:
```
$ pki -n caadmin ca-profile-add newProfile.cfg --raw
```
Note: A certificate profile must be disabled before it can be modified. Once the modification is complete, the profile can be re-enabled.

To modify a certificate profile, download the current profile configuration, edit the file as needed, then upload the changes with the pki ca-profile-mod command.
To upload an updated profile configuration in XML format:
```
$ pki -n caadmin ca-profile-mod caUserCert.xml
```
To upload an updated profile configuration in raw format:
```
$ pki -n caadmin ca-profile-mod caUserCert.cfg --raw
```
For convenience, a certificate profile can be visually edited in raw format (without downloading the configuration file manually) with the following command:
```
$ pki -n caadmin ca-profile-edit caUserCert
```

This command automatically downloads the profile configuration in raw format and opens it in the vi text editor. When the editor is closed, the edited profile configuration is used to update the profile on the server. The same rule applies as for ca-profile-mod: the profile must be disabled before it is edited.
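The create and modify procedures above, worked through as an added example that is not part of this page or of the Dogtag PKI project: a POSIX shell script that takes a raw profile config of the kind ca-profile-show --raw writes, clones it under a new profile ID with the profile disabled and hidden, tightens two of the constraints, and lints the result before the ca-profile-add step. The two constraints matter because constraints (not defaults) are what bound a requester: the subjectNameConstraintImpl pattern UID=.* seen in the caUserCert excerpts is the only limit on which subject names a user may supply, and the keyParameters list of keyConstraintImpl (a key not shown in the excerpts above, assumed here) is the set of RSA sizes the CA will accept. The sample config, the caEmployeeCert ID, the subject pattern and the helper names are constructed for the example; the pki commands at the end are the ones from this page and are left as comments because they need a running CA and the caadmin client certificate.

```shell
#!/bin/sh
# Added example (not Dogtag PKI project code): derive a new profile from a
# downloaded raw config, tighten two constraints, and lint it before upload.
# Key names follow the raw format shown on this page; the sample content,
# the caEmployeeCert id and the subject pattern are constructed for the demo.

# write_sample_cfg FILE : constructed excerpt standing in for
# "pki -n caadmin ca-profile-show caUserCert --output FILE --raw"
write_sample_cfg() {
    cat > "$1" <<'EOF'
profileId=caUserCert
classId=caEnrollImpl
desc=This certificate profile is for enrolling user certificates.
name=Manual User Dual-Use Certificate Enrollment
visible=true
enable=true
enableBy=caadmin
input.list=i1,i2
input.i1.class_id=keyGenInputImpl
input.i2.class_id=subjectNameInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=userCertSet
policyset.userCertSet.list=1,3,6,7
policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.userCertSet.1.constraint.params.pattern=UID=.*
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
EOF
}

# get_param FILE KEY : print the value of KEY (dots in KEY are literal)
get_param() {
    sed -n "s/^$(printf '%s' "$2" | sed 's/\./\\./g')=//p" "$1"
}

# set_param FILE KEY VALUE : replace KEY's line, or append it if absent
# (VALUE must not contain '|', '&' or '\', which are special to sed's s///)
set_param() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^$esc=" "$file"; then
        sed "s|^$esc=.*|$key=$value|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# derive_profile SRC DST NEW_ID NEW_NAME : clone SRC under a new id, disabled
# and hidden, so nothing can enroll against it before it has been reviewed
derive_profile() {
    src=$1; dst=$2; new_id=$3; new_name=$4
    grep -q '^profileId=' "$src" || { echo "$src: no profileId line" >&2; return 1; }
    sed -e "s|^profileId=.*|profileId=$new_id|" \
        -e "s|^name=.*|name=$new_name|" \
        -e 's|^enable=.*|enable=false|' \
        -e 's|^visible=.*|visible=false|' "$src" > "$dst"
}

# check_rsa_min_size FILE MIN : fail if any keyParameters entry is below MIN
check_rsa_min_size() {
    file=$1; min=$2; rc=0
    sizes=$(sed -n 's/^policyset\..*\.constraint\.params\.keyParameters=//p' "$file" | tr ',' ' ')
    [ -n "$sizes" ] || { echo "$file: no keyParameters constraint" >&2; return 1; }
    for s in $sizes; do
        if [ "$s" -lt "$min" ]; then
            echo "$file: key size $s below minimum $min" >&2; rc=1
        fi
    done
    return $rc
}

# Walk-through: clone, tighten, lint. Upload and enable are the commands from
# this page; they stay commented out because they need a live CA and caadmin.
work=$(mktemp -d)
write_sample_cfg "$work/caUserCert.cfg"
derive_profile "$work/caUserCert.cfg" "$work/caEmployeeCert.cfg" \
    caEmployeeCert "Employee Certificate Enrollment"
set_param "$work/caEmployeeCert.cfg" \
    policyset.userCertSet.3.constraint.params.keyParameters 2048,3072,4096
set_param "$work/caEmployeeCert.cfg" \
    policyset.userCertSet.1.constraint.params.pattern 'UID=.*,OU=Employees,O=Example Corp'
check_rsa_min_size "$work/caEmployeeCert.cfg" 2048 && echo "lint ok: $work/caEmployeeCert.cfg"
# pki -n caadmin ca-profile-add "$work/caEmployeeCert.cfg" --raw
# pki -n caadmin ca-profile-enable caEmployeeCert   # only after review
```

The clone is written with enable=false and visible=false on purpose: ca-profile-add accepts whatever the file says, so a profile uploaded with enable=true is live the moment the command returns. Keeping the enable step separate gives a second person a chance to read the constraint lines first.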
Note: A certificate profile must be disabled before it can be deleted.
To delete a certificate profile, execute the following command:
```
$ pki -n caadmin ca-profile-del caUserCert
```
To enable a certificate profile:
```
$ pki -n caadmin ca-profile-enable caUserCert
```
To disable a certificate profile:
```
$ pki -n caadmin ca-profile-disable caUserCert
```