
PKI KRA Key CLI

Endi S. Dewata edited this page Dec 16, 2020 · 33 revisions

Overview

This page describes the CLI commands to manage keys in KRA. It assumes KRA is already installed. All key operations have to be executed with KRA Agent credentials.

A request has the following properties:

  • request ID

  • key ID

  • type

  • status

A key has the following properties:

  • key ID

  • client key ID

  • status: active or inactive

  • owner

  • type

  • type-specific properties

A key ID is an ID generated by the server which is unique for each key stored in the server. A client key ID is an ID provided by the client while generating or archiving a key. The client key ID does not have to be unique, but there can only be one active key for each client key ID. To generate/archive a new key with the same client key ID, the existing active key will need to be deactivated first.

Request Templates

Listing Request Templates

To list available request templates:

$ pki kra-key-template-find
-----------------
3 entries matched
-----------------

  Template ID: retrieveKey
  Description: Template for submitting a key retrieval or key recovery request.

  Template ID: archiveKey
  Description: Template for submitting a key archival request

  Template ID: generateKey
  Description: Template for submitting a request for generating a symmetric key.

----------------------------
Number of entries returned 3
----------------------------

Displaying a Request Template

To display a request template:

$ pki kra-key-template-show retrieveKey

To store a request template into a file:

$ pki kra-key-template-show retrieveKey --output retrieveKey.xml

Requests

All key request operations should be executed as KRA agent.

Listing Requests

To list submitted requests:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-request-find
-----------------
1 entries matched
-----------------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete
----------------------------
Number of entries returned 1
----------------------------

Displaying a Request

To display a request:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-request-show 0x1
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete

Reviewing a Request

To approve a request:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-request-review 0x1 --action approve
------
Result
------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete

Keys

All key operations should be executed as KRA agent.

Listing Keys

To list archived keys:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
----------------------------
Number of entries returned 1
----------------------------

Generating a Key

To generate a new key on the server:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-generate test --key-algorithm RSA --key-size 1024
---------------------------
Key generation request info
---------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete

Archiving a Key

Archiving binary data

To archive binary data stored in a file:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-archive --clientKeyID test --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete

Archiving a passphrase

To archive a passphrase specified in the command-line:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-archive --clientKeyID test --passphrase secret
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete

Archiving a pre-encrypted secret

Recovering a Key

To recover a key, prepare the request in a file using the recovery template, for example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyRecoveryRequest>
    <Attributes>
        <Attribute name="keyId">1</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyRecoveryRequest</ClassName>
</KeyRecoveryRequest>

Then submit the request with the following command:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-recover --input recoverKey.xml
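As an added example, not part of the Dogtag project or of this page, the following POSIX shell helper writes a KeyRecoveryRequest file in the form of the template above for a given key ID. The function name make_recovery_request and its input check are assumptions; the key ID is accepted as decimal or 0x-prefixed hex so that nothing else can be written into the XML element, and the file is created readable only by the caller. The request is then submitted with the kra-key-recover command shown above.

```shell
#!/bin/sh
# Added example, not part of Dogtag PKI: write a KeyRecoveryRequest file in the
# form of the recovery template. Usage: make_recovery_request <key id> <file>
# The key ID is accepted as decimal (1) or 0x-prefixed hex (0x1); anything else
# is rejected so that no stray text can end up inside the XML element.

make_recovery_request() {
    key_id=$1
    out=$2
    case "$key_id" in
        0x*) digits=${key_id#0x}; allowed='0-9a-fA-F' ;;
        *)   digits=$key_id;      allowed='0-9' ;;
    esac
    # Empty, or containing any character outside the allowed set: reject.
    if [ -z "$digits" ] || [ -n "$(printf '%s' "$digits" | tr -d "$allowed")" ]; then
        echo "invalid key ID: $key_id" >&2
        return 1
    fi
    # Create the request file readable by the caller only; the umask change is
    # confined to the subshell, so the rest of the script is unaffected.
    (
        umask 077
        cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyRecoveryRequest>
    <Attributes>
        <Attribute name="keyId">$key_id</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyRecoveryRequest</ClassName>
</KeyRecoveryRequest>
EOF
    )
}

# Command-line use: make_recovery_request 0x1 recoverKey.xml, then submit the
# file with "pki ... kra-key-recover --input recoverKey.xml" as KRA agent.
if [ "$#" -eq 2 ]; then
    make_recovery_request "$1" "$2"
fi
```

The file only names the key to recover; it is the KRA agent credentials on the kra-key-recover command, not the file, that authorize the request.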

Retrieving a Key

Retrieving key with default security parameters

By default, key retrieval uses randomly generated security parameters.

To retrieve a key and store it into a file:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-retrieve --keyID 0x1 --output-data private.key
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Output: private.key

To retrieve a key and display it on the screen:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-retrieve --keyID 0x1
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Actual archived data: MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+

Retrieving key with custom security parameters

Displaying a Key

To display a key given the key ID:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-show 0x1
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

To display the active key given the client key ID:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-show --clientKeyID test
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

Changing Key Status

To activate or deactivate a key, set its status to active or inactive (the following example activates key 0x1):

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-key-mod 0x1 --status active
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB
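The overview states that only one key per client key ID may be active, so archiving new data under an existing client key ID requires deactivating the current key first. The following POSIX shell script is an added example, not part of the Dogtag project or of this page: it chains the kra-key-show, kra-key-mod and kra-key-archive commands documented above to do exactly that. PKI_CMD, the field helper and the function names are assumptions; the agent credentials are the same -d/-c/-n options used throughout the page and can be overridden through PKI_CMD.

```shell
#!/bin/sh
# Added example, not part of Dogtag PKI: archive new data under a client key ID
# that may already have an active key, deactivating the old key first (the KRA
# allows only one active key per client key ID).
# Usage: rotate_key <client key id> <file with the data to archive>
# PKI_CMD is the pki invocation with the agent's NSS database, password and
# certificate nickname, as used in the commands on this page.

PKI_CMD=${PKI_CMD:-"pki -d $HOME/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin"}

# Read the value of an indented "Label: value" line from pki output on stdin.
field() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# Print "<key id> <status>" for the key shown under a client key ID, or nothing
# when kra-key-show reports none.
key_for_client() {
    out=$($PKI_CMD kra-key-show --clientKeyID "$1" 2>/dev/null) || return 0
    id=$(printf '%s\n' "$out" | field 'Key ID')
    status=$(printf '%s\n' "$out" | field 'Status')
    if [ -n "$id" ]; then
        printf '%s %s\n' "$id" "$status"
    fi
}

# Deactivate the currently active key (if any), archive the new data and print
# the key ID assigned to it.
rotate_key() {
    client_id=$1
    input=$2
    set -- $(key_for_client "$client_id")
    if [ -n "${1:-}" ] && [ "${2:-}" = active ]; then
        $PKI_CMD kra-key-mod "$1" --status inactive >/dev/null || return 1
    fi
    $PKI_CMD kra-key-archive --clientKeyID "$client_id" --input-data "$input" | field 'Key ID'
}

if [ "$#" -eq 2 ]; then
    rotate_key "$1" "$2"
fi
```

The old key is only deactivated, not deleted, so it can still be retrieved by key ID through kra-key-retrieve if data encrypted under it has to be recovered later.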

See Also
