
PKI CA Profile CLI

Endi S. Dewata edited this page May 11, 2023 · 8 revisions

Overview

This document describes the CLI for managing certificate profiles in the CA. The commands can only be executed by a CA admin.

To submit certificate requests using these profiles, see PKI CA Certificate CLI.

Listing Certificate Profiles

$ pki -n caadmin ca-profile-find
------------------
59 entries matched
------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.

  ...

-----------------------------
Number of entries returned 20
-----------------------------

Displaying Certificate Profile Details

To display a specific certificate profile:

$ pki -n caadmin ca-profile-show caUserCert
--------------------
Profile "caUserCert"
--------------------
  Profile ID: caUserCert
  Name: Manual User Dual-Use Certificate Enrollment
  Description: This certificate profile is for enrolling user certificates.

  Name: Key Generation
  Class: keyGenInputImpl

    Attribute Name: cert_request_type
    Attribute Description: Key Generation Request Type
    Attribute Syntax: keygen_request_type

    Attribute Name: cert_request
    Attribute Description: Key Generation Request
    Attribute Syntax: keygen_request

  ...

  Name: Certificate Output
  Class: certOutputImpl

    Attribute Name: pretty_cert
    Attribute Description: Certificate Pretty Print
    Attribute Syntax: pretty_print

    Attribute Name: b64_cert
    Attribute Description: Certificate Base-64 Encoded
    Attribute Syntax: pretty_print

To display a specific certificate profile in raw format:

$ pki -n caadmin ca-profile-show caUserCert --raw
#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.7.constraint.class_id=noConstraintImpl
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.userCertSet.3.constraint.params.keyType=RSA
input.i2.class_id=subjectNameInputImpl
policyset.userCertSet.7.default.params.exKeyUsageCritical=false
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
...

Exporting Certificate Profile

Adding Certificate Profile

Modifying Certificate Profile

Note: A certificate profile must be disabled before it can be modified. Once the modification is complete, the profile can be re-enabled.

To modify a certificate profile, download the current profile configuration, edit the file as needed, then upload the changes with the pki ca-profile-mod command.

To upload an updated profile configuration in XML format:

$ pki -n caadmin ca-profile-mod caUserCert.xml

To upload an updated profile configuration in raw format:

$ pki -n caadmin ca-profile-mod caUserCert.cfg --raw
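
The raw format is a flat list of properties that appear in no particular order (as in the --raw output above), so a line-based diff between the downloaded and the edited file is noisy. The following added example, which is not part of the original page or the PKI project, compares two raw configurations by key so the changes can be reviewed before upload. The function names and the sample data, built from property lines shown on this page, are constructed for illustration.

```python
# Added example: key-based diff of two raw profile configurations.
# Assumes one key=value pair per line, as in the --raw output shown above.

def parse_raw_profile(text):
    """Parse raw profile text into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the '#<timestamp>' header and anything without '='.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def diff_profiles(old_text, new_text):
    """Return (change, key, old_value, new_value) tuples, sorted by key."""
    old, new = parse_raw_profile(old_text), parse_raw_profile(new_text)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            changes.append(("removed", key, old[key], None))
        elif key not in old:
            changes.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes

def constraint_changes(changes):
    """Keep only changes to policy constraint entries, which deserve review."""
    return [c for c in changes if ".constraint." in c[1]]

# Constructed sample data, built from property lines shown on this page.
DOWNLOADED = """#Tue Jul 10 01:59:22 CEST 2018
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
output.o1.class_id=certOutputImpl
"""
# Constructed edit: lines reordered, one value changed, one key added.
EDITED = """output.o1.class_id=certOutputImpl
policyset.userCertSet.10.constraint.params.renewal.graceBefore=60
policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
policyset.userCertSet.3.constraint.params.keyType=RSA
policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
"""

if __name__ == "__main__":
    for change, key, before, after in diff_profiles(DOWNLOADED, EDITED):
        print(f"{change:8} {key}: {before!r} -> {after!r}")
```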

Editing Certificate Profile

Deleting Certificate Profile

Note: A certificate profile must be disabled before it can be deleted.

To delete a certificate profile, execute the following command:

$ pki -n caadmin ca-profile-del caUserCert

Enabling Certificate Profile

Disabling Certificate Profile

See Also
