PKI CLI

Overview

PKI CLI is a client tool that can be used to access various services on PKI server.

Installation

When installing PKI server the PKI CLI (and the PKI Client library) will automatically be installed.

To install PKI CLI on a machine that does not have PKI server, execute the following command:

$ yum install pki-tools

Usage

In general the PKI CLI takes the following parameters:

$ pki [CLI options] <command> [command arguments/options]

The CLI options should be placed before the command. The command arguments/options should be placed after the command.

To view available commands and options:

$ pki --help

Some commands may have sub-commands. To view the sub-commands:

$ pki <command>

To view the command usage:

$ pki <command> --help

To run the command in verbose mode:

$ pki -v <command>

Options

See PKI CLI Options.

Configuration

See PKI Environment Variables.

Initialization

See PKI CLI Initialization.

Connection

See PKI CLI Connection.

Authentication

See PKI CLI Authentication.

Commands

• PKI Client CLI

• PKI Certificate CLI

• PKI User CLI

• PKI Group CLI

• PKI Security Domain CLI

• PKI Key CLI

• PKI ACME CLI

• PKI CA CLI

• PKI KRA CLI

• PKI OCSP CLI

• PKI TKS CLI

• PKI TPS CLI

• PKI NSS CLI

• PKI PKCS7 CLI

• PKI PKCS11 CLI

• PKI PKCS12 CLI

Paging

See PKI CLI Paging.

Troubleshooting

Running in verbose mode

In verbose mode the pki CLI will provide more information to troubleshoot issues.

To run pki CLI in verbose, specify -v as CLI options (i.e. before the command), not as command options (i.e. after the command):

$ pki <CLI options> <command> <command options>

Recording HTTP messages

The PKI CLI communicates to PKI server via HTTP. The HTTP messages can be recorded for troubleshooting.

To record the HTTP messages, specify the --output and --message-format options as follows:

$ mkdir <dir>
$ pki --output <dir> --message-format <format> <command>

The format is either xml (default) or json. The requests and responses will be stored in http-request-<n> and http-response-<n> files in the output directory.

Future Enhancements

Session

Currently each CLI command uses separate connection. So the user would have to provide authentication in each command. Ideally there should be a session that connects multiple CLI commands so the authentication only needs to be done once:

$ pki <authentication> login
$ pki ca-user-add testuser --fullName "Test User"
$ pki ca-group-member-add Administrators testuser
$ pki logout

There are several ways to address this:

• Store the credentials in a local file and keep the session ID in the cookies. User is responsible to remove it.

• Implement a shell so the CLI can accept multiple commands.

• Use Kerberos authentication.

Shell-mode

References

• CLI

• PKI CLI Development

• PKI Client

• Using the Certificate Database Tool

• Using the PKCS #12 Tool (pk12util)

• PKI 10.4 SSL Audit Design