PKI KRA Key CLI
This page describes the CLI commands to manage keys in KRA. It assumes KRA is already installed. All key operations have to be executed with KRA Agent credentials.
A request has the following properties:
- request ID
- key ID
- type
- status
A key has the following properties:
- key ID
- client key ID
- status: active or inactive
- owner
- type
- type-specific properties
A key ID is an ID generated by the server which is unique for each key stored in the server. A client key ID is an ID provided by the client while generating or archiving a key. The client key ID does not have to be unique, but there can only be one active key for each client key ID. To generate/archive a new key with the same client key ID, the existing active key will need to be deactivated first.
To list available key request templates:
$ pki kra-key-template-find
-----------------
3 entries matched
-----------------
  Template ID: retrieveKey
  Description: Template for submitting a key retrieval or key recovery request.

  Template ID: archiveKey
  Description: Template for submitting a key archival request

  Template ID: generateKey
  Description: Template for submitting a request for generating a symmetric key.
----------------------------
Number of entries returned 3
----------------------------
To display a key request template:
$ pki kra-key-template-show retrieveKey
To store a key request template into a file:
$ pki kra-key-template-show retrieveKey --output retrieveKey.xml
All key request operations should be executed as a KRA agent.
To list submitted key requests:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-request-find
-----------------
1 entries matched
-----------------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete
----------------------------
Number of entries returned 1
----------------------------
To display a key request:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-request-show 0x1
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete
To approve a key request:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-request-review 0x1 --action approve
------
Result
------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete
All key operations should be executed as a KRA agent.
To list archived keys:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
----------------------------
Number of entries returned 1
----------------------------
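An added example, not part of this wiki page or of the pki tool itself: it parses a kra-key-find listing in the format shown above and applies the rule that a client key ID may have at most one active key, so an agent can see whether an existing key must be inactivated before generating or archiving under the same client key ID. The sample listing is constructed, and the minimum RSA size check is an assumed local policy, not a KRA setting.

```python
import re

# Constructed sample of the per-key entries printed by `kra-key-find`, in the
# format shown on this page (the "N key(s) matched" banner lines are omitted).
SAMPLE_LISTING = """\
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin

  Key ID: 0x2
  Client Key ID: test
  Status: inactive
  Algorithm: RSA
  Size: 2048
  Owner: kraadmin
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")  # one "Name: value" line

def parse_key_listing(text):
    """Turn kra-key-find output into one dict per key."""
    keys, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:                      # banners, rulers and blank lines
            continue
        name, value = m.group(1), m.group(2)
        if name == "Key ID":           # each entry starts with its key ID
            current = {}
            keys.append(current)
        if current is not None:
            current[name] = value
    return keys

def active_keys(keys, client_key_id):
    """Active keys under one client key ID. KRA allows at most one, so a
    non-empty result means that key must be inactivated before a new key
    can be generated or archived under the same client key ID."""
    return [k for k in keys
            if k["Client Key ID"] == client_key_id and k["Status"] == "active"]

def weak_rsa_keys(keys, min_bits=2048):
    """Active RSA keys below a size floor (an assumed local policy, not a KRA setting)."""
    return [k["Key ID"] for k in keys
            if k["Status"] == "active" and k["Algorithm"] == "RSA"
            and int(k["Size"]) < min_bits]
```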
To generate a new key on the server:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-generate test --key-algorithm RSA --key-size 1024
---------------------------
Key generation request info
---------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete
The pki kra-key-archive command can be used to archive binary data, a passphrase, or a pre-encrypted secret into KRA.
The command accepts a --transport <nickname> parameter that specifies the nickname of a transport certificate already in the client's NSS database. If it is not specified, the command retrieves the transport certificate from KRA and stores it in the client's NSS database.
To archive binary data:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-archive \
    --clientKeyID test \
    --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
To archive a passphrase:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-archive \
    --clientKeyID test \
    --passphrase secret
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete
To archive a pre-encrypted secret, store the input in a file (e.g. input.json):
{
  "Attributes": {
    "Attribute": [
      { "name": "clientKeyID", "value": "test" },
      { "name": "dataType", "value": "symmetricKey" },
      { "name": "wrappedPrivateData", "value": "..." },
      { "name": "keyAlgorithm", "value": "AES" },
      { "name": "realm", "value": "example" },
      { "name": "keySize", "value": "128" }
    ]
  },
  "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}
Then execute the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-archive \
    --input input.json \
    --input-format json
See also PKI KRA Key Archive Java API.
To recover a key, prepare the request in a file using the recovery template, for example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyRecoveryRequest>
  <Attributes>
    <Attribute name="keyId">1</Attribute>
  </Attributes>
  <ClassName>com.netscape.certsrv.key.KeyRecoveryRequest</ClassName>
</KeyRecoveryRequest>
Then submit the request with the following command:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-recover --input recoverKey.xml
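An added example, not the project's own code, covering both request files shown above: it builds the KeyArchivalRequest JSON for a pre-encrypted secret and the KeyRecoveryRequest XML from parameters, and reads the keyId back out of a recovery file before it is submitted. Treating realm as optional and rejecting empty clientKeyID/wrappedPrivateData values are this helper's assumptions; the wrapped data is passed through untouched.

```python
import json
import xml.etree.ElementTree as ET

# Class names exactly as they appear in the request files on this page.
ARCHIVAL_CLASS = "com.netscape.certsrv.key.KeyArchivalRequest"
RECOVERY_CLASS = "com.netscape.certsrv.key.KeyRecoveryRequest"

def archival_request(client_key_id, wrapped_private_data, key_algorithm="AES",
                     key_size=128, data_type="symmetricKey", realm=None):
    """Body for `kra-key-archive --input <file> --input-format json`.
    wrapped_private_data is the already-encrypted secret; it is passed through as-is."""
    if not client_key_id or not wrapped_private_data:   # assumption: both are required
        raise ValueError("clientKeyID and wrappedPrivateData are required")
    attrs = [
        {"name": "clientKeyID", "value": client_key_id},
        {"name": "dataType", "value": data_type},
        {"name": "wrappedPrivateData", "value": wrapped_private_data},
        {"name": "keyAlgorithm", "value": key_algorithm},
    ]
    if realm is not None:               # realm is treated as optional by this helper
        attrs.append({"name": "realm", "value": realm})
    attrs.append({"name": "keySize", "value": str(key_size)})
    return {"Attributes": {"Attribute": attrs}, "ClassName": ARCHIVAL_CLASS}

def attribute(request, name):
    """Value of one named attribute in a request dict (built here or loaded with json.load)."""
    return next((a["value"] for a in request["Attributes"]["Attribute"]
                 if a["name"] == name), None)

def recovery_request_xml(key_id):
    """Body for `kra-key-recover --input <file>`, matching the recovery template on this page."""
    root = ET.Element("KeyRecoveryRequest")
    attrs = ET.SubElement(root, "Attributes")
    ET.SubElement(attrs, "Attribute", name="keyId").text = str(key_id)
    ET.SubElement(root, "ClassName").text = RECOVERY_CLASS
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode"))

def key_id_from_recovery_xml(text):
    """Read the keyId back from a recovery request before submitting it."""
    root = ET.fromstring(text)
    if root.tag != "KeyRecoveryRequest" or root.findtext("ClassName") != RECOVERY_CLASS:
        raise ValueError("not a KeyRecoveryRequest")
    return root.find("./Attributes/Attribute[@name='keyId']").text

def write_request(path, body):
    """Write a JSON (dict) or XML (str) request to the file the CLI will read."""
    with open(path, "w", encoding="utf-8") as f:
        f.write(body if isinstance(body, str) else json.dumps(body, indent=2))
```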
By default, key retrieval is performed with randomly generated security parameters.
To retrieve a key and store it into a file:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin \
    kra-key-retrieve --keyID 0x1 --output-data private.key
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Output: private.key
To retrieve a key and display it on the screen:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-retrieve --keyID 0x1
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Actual archived data:
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+
P/BItA74mTdLX4eFY+fKE4hraeOV4ts+4M9qfry/FJkbMq3dpIpsxuMmGclbHEUQ
J/MfLAHgaxwVLGK8qCGb0IeY0Z7qIbGucSCLcDVpODlsTvqftK/SJZm56ODu7xXh
CZT6MFzv07jJ19MYvNm+1NWthuB1AgMBAAECgYEAgCj5i2ANDaOniRa8DqJP9fKa
ApH+HWya8EcuQodhvnIg9Yy5ie8xyNnF6xNad87uhaS50ZTg2r8PbNMemJJRhenP
xCCF4nht7C7YfeMS9dohAmi15IFga5rRJ2p9TYZXaHBDbg7SUGk4l0/w6kDTXxfI
t9X8h7rc46YfEI2BEoECQQDbVXp/OWbGCtHQMvCX6SeoDbi7j/fF6RkC02fNhlNt
t0yhFPXu+TOifB6wLgoyAPP5aFCBDSkli+4VhsSLQoBRAkEA0zJX2OQywnj5jpfA
NvwHQF0T4tQz/kuNrzM0JNztMeV7EBXdycPWC/jWE0Ml0u5BSqWxa/cHZrT+Ts8p
JLqY5QJAdRTkFxXlLsKHzcPjerQTXzoz6quncBZGK6P+PU//KQo39aTiw3ZzgcEQ
AKwS9S5dDj4I+1qzJD/WD9epA020gQJAO8w5S1Pxe1a9cj5NUkQx2WuBQexLfGjw
CPc6gGV9U29iVL+cOJCWfnVKR9HvV7XWDsizX5pmIhKFHtNRFvEucQJBANS4zipX
m09uLdioohLoKrfp0gdqyiEnCXWX08PwenuU+VsQOVx80nw5S1M+nnFHK4KO+Zsi
xc8DHiXQl0lyXD0=
To display a key given the key ID:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-show 0x1
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB
To display the active key given the client key ID:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-show --clientKeyID test
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB
To activate or inactivate a key, set its status with kra-key-mod (--status active or --status inactive):
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-mod 0x1 --status active
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB