
PKI KRA Key CLI

Endi S. Dewata edited this page Aug 24, 2021 · 33 revisions

Overview

This page describes the CLI commands to manage keys in KRA. It assumes KRA is already installed. All key operations have to be executed with KRA Agent credentials.

A request has the following properties:

  • request ID

  • key ID

  • type

  • status

A key has the following properties:

  • key ID

  • client key ID

  • status: active or inactive

  • owner

  • type

  • type-specific properties

A key ID is an ID generated by the server which is unique for each key stored in the server. A client key ID is an ID provided by the client while generating or archiving a key. The client key ID does not have to be unique, but there can only be one active key for each client key ID. To generate/archive a new key with the same client key ID, the existing active key will need to be deactivated first.

Key Request Templates

Key Request Management

Key Management

All key operations should be executed as KRA agent.

Listing Keys

To list archived keys:

$ pki -n caadmin kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
----------------------------
Number of entries returned 1
----------------------------
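The listing above is the only place the CLI shows every key together with its client key ID and status, which makes it the natural input for checking the rule stated in the overview: at most one active key per client key ID, so an existing active key has to be deactivated before another key is archived under the same client key ID. The following is an added example, not part of the wiki page or of the pki tool, that parses `pki kra-key-find` text output (the sample output is constructed in the format shown above; it assumes the CLI prints each entry as the same `Label: value` lines, with successive entries starting at `Key ID:`) and derives the commands needed before a new archive:

```python
"""Parse `pki kra-key-find` output and plan an archive that respects the
one-active-key-per-client-key-ID rule.  Added example; not Dogtag code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output in the format shown on this page (not a real capture).
# Two keys share the client key ID "test"; only 0x2 is active.
SAMPLE_OUTPUT = """\
----------------
2 key(s) matched
----------------
  Key ID: 0x1
  Client Key ID: test
  Status: inactive
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin

  Key ID: 0x2
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 2048
  Owner: kraadmin
----------------------------
Number of entries returned 2
----------------------------
"""

# CLI labels as printed, mapped to field names.
FIELD_MAP = {
    "Key ID": "key_id",
    "Client Key ID": "client_key_id",
    "Status": "status",
    "Algorithm": "algorithm",
    "Size": "size",
    "Owner": "owner",
}
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class KeyInfo:
    key_id: str
    client_key_id: str
    status: str
    algorithm: str
    size: int
    owner: str


def _build(fields: dict) -> KeyInfo:
    return KeyInfo(
        key_id=fields["key_id"],
        client_key_id=fields.get("client_key_id", ""),
        status=fields.get("status", ""),
        algorithm=fields.get("algorithm", ""),
        size=int(fields["size"]) if fields.get("size", "").isdigit() else 0,
        owner=fields.get("owner", ""),
    )


def parse_key_find(output: str) -> List[KeyInfo]:
    """Turn the CLI text into KeyInfo records; banner/count lines have no colon and are skipped."""
    records: List[KeyInfo] = []
    current: Optional[dict] = None
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if label == "Key ID":          # a new entry starts here
            if current:
                records.append(_build(current))
            current = {}
        if current is not None and label in FIELD_MAP:
            current[FIELD_MAP[label]] = value
    if current:
        records.append(_build(current))
    return records


def active_key(records: List[KeyInfo], client_key_id: str) -> Optional[KeyInfo]:
    """Return the single active key for a client key ID, or None.  The KRA enforces
    uniqueness, so more than one match indicates a bad listing and is an error."""
    matches = [r for r in records if r.client_key_id == client_key_id and r.status == "active"]
    if len(matches) > 1:
        raise ValueError(f"multiple active keys for client key ID {client_key_id!r}")
    return matches[0] if matches else None


def archive_plan(records: List[KeyInfo], client_key_id: str, input_path: str,
                 nickname: str = "caadmin") -> List[str]:
    """Commands to run, in order: deactivate the current active key first if there is one."""
    cmds = []
    existing = active_key(records, client_key_id)
    if existing:
        cmds.append(f"pki -n {nickname} kra-key-mod {existing.key_id} --status inactive")
    cmds.append(f"pki -n {nickname} kra-key-archive --clientKeyID {client_key_id} "
                f"--input-data {input_path}")
    return cmds


if __name__ == "__main__":
    for cmd in archive_plan(parse_key_find(SAMPLE_OUTPUT), "test", "private.key"):
        print(cmd)
```

In practice the listing would come from `pki -n <nickname> kra-key-find` rather than the constructed string, and `archive_plan` is a dry run: it prints what to execute rather than executing it, so the operator can review which key will be deactivated.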

Generating Key

To generate a new key on the server:

$ pki -n caadmin kra-key-generate test --key-algorithm RSA --key-size 1024
---------------------------
Key generation request info
---------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: asymkeyGenRequest
  Status: complete

Archiving Key

The pki kra-key-archive command can be used to archive binary data, a passphrase, or a pre-encrypted secret into KRA.

The command accepts a --transport <nickname> parameter that can be used to specify the nickname of the transport certificate already in the client’s NSS database. If not specified, the command will retrieve the transport certificate from KRA and store it in the client’s NSS database.

Archiving binary data

To archive binary data:

$ pki -n caadmin kra-key-archive \
    --clientKeyID test \
    --input-data private.key
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete

Archiving a passphrase

To archive a passphrase:

$ pki -n caadmin kra-key-archive \
    --clientKeyID test \
    --passphrase secret
------------------------
Archival request details
------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: securityDataEnrollment
  Status: complete

Archiving a pre-encrypted secret

To archive a pre-encrypted secret, store the input in a file (e.g. input.json):

{
    "Attributes": {
        "Attribute": [
            {
                "name": "clientKeyID",
                "value": "test"
            },
            {
                "name": "dataType",
                "value":"symmetricKey"
            },
            {
                "name": "wrappedPrivateData",
                "value": "..."
            },
            {
                "name": "keyAlgorithm",
                "value": "AES"
            },
            {
                "name": "realm",
                "value": "example"
            },
            {
                "name": "keySize",
                "value": "128"
            }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}

Then execute the following command:

$ pki -n caadmin kra-key-archive \
    --input input.json \
    --input-format json
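Writing the request document by hand is error-prone: the attribute list is positional JSON, the ClassName must match exactly, and a missing or duplicated attribute only surfaces as a server-side error. The following is an added example, not part of the wiki page or of the pki tool, that builds the KeyArchivalRequest document in the shape shown above and checks it before it is handed to `pki kra-key-archive --input-format json`. It assumes that `wrappedPrivateData` carries the pre-encrypted secret as a base64 string (the page elides the value as `...`); the sample secret bytes are constructed and stand in for data that in practice is already wrapped with the KRA transport key.

```python
"""Build and validate a KeyArchivalRequest JSON document for
`pki kra-key-archive --input input.json --input-format json`.
Added example; not Dogtag code."""
import base64
import json
from typing import List, Optional

ARCHIVAL_CLASS = "com.netscape.certsrv.key.KeyArchivalRequest"
# Attributes that must be present for the KRA to know what it is storing.
REQUIRED_ATTRIBUTES = ("clientKeyID", "dataType", "wrappedPrivateData")


def build_archival_request(client_key_id: str, wrapped_data: bytes,
                           data_type: str = "symmetricKey",
                           key_algorithm: Optional[str] = None,
                           key_size: Optional[int] = None,
                           realm: Optional[str] = None) -> dict:
    """Return the request as a dict in the same layout as the page's input.json.
    Assumption: wrappedPrivateData is the already-encrypted secret, base64-encoded."""
    attrs = [
        {"name": "clientKeyID", "value": client_key_id},
        {"name": "dataType", "value": data_type},
        {"name": "wrappedPrivateData",
         "value": base64.b64encode(wrapped_data).decode("ascii")},
    ]
    if key_algorithm:
        attrs.append({"name": "keyAlgorithm", "value": key_algorithm})
    if realm:
        attrs.append({"name": "realm", "value": realm})
    if key_size is not None:
        attrs.append({"name": "keySize", "value": str(key_size)})   # values are strings
    return {"Attributes": {"Attribute": attrs}, "ClassName": ARCHIVAL_CLASS}


def validate_archival_request(doc: dict) -> List[str]:
    """Return a list of problems; an empty list means the document is well-formed."""
    problems: List[str] = []
    if doc.get("ClassName") != ARCHIVAL_CLASS:
        problems.append(f"ClassName must be {ARCHIVAL_CLASS}")
    attrs = doc.get("Attributes", {}).get("Attribute")
    if not isinstance(attrs, list):
        problems.append("Attributes.Attribute must be a list")
        return problems
    seen = {}
    for a in attrs:
        name, value = a.get("name"), a.get("value")
        if not name or not isinstance(value, str):
            problems.append(f"malformed attribute entry: {a!r}")
            continue
        if name in seen:
            problems.append(f"duplicate attribute {name}")
        seen[name] = value
    for name in REQUIRED_ATTRIBUTES:
        if name not in seen:
            problems.append(f"missing required attribute {name}")
    if "keySize" in seen and not seen["keySize"].isdigit():
        problems.append("keySize must be a decimal integer string")
    if "wrappedPrivateData" in seen:
        try:
            base64.b64decode(seen["wrappedPrivateData"], validate=True)
        except (ValueError, TypeError):
            problems.append("wrappedPrivateData is not valid base64")
    return problems


def render(doc: dict) -> str:
    """Serialize in the indented style used by the page's input.json."""
    return json.dumps(doc, indent=4)


if __name__ == "__main__":
    # Constructed placeholder for an already-wrapped 128-bit AES key.
    wrapped = bytes(range(16))
    request = build_archival_request("test", wrapped, key_algorithm="AES",
                                     key_size=128, realm="example")
    assert validate_archival_request(request) == []
    with open("input.json", "w") as f:
        f.write(render(request))
```

The validator is meant to run on the file that will actually be submitted, so that `render` output loaded back with `json.loads` passes the same checks as the in-memory dict; the `__main__` block writes `input.json` for the command shown above.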

Recovering Key

To recover a key, prepare the request in a file using the recovery template, for example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyRecoveryRequest>
    <Attributes>
        <Attribute name="keyId">1</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyRecoveryRequest</ClassName>
</KeyRecoveryRequest>

Then submit the request with the following command:

$ pki -n caadmin kra-key-recover --input recoverKey.xml

Retrieving Key

Retrieving key with default security parameters

By default, key retrieval uses randomly generated security parameters.

To retrieve a key and store it into a file:

$ pki -n caadmin kra-key-retrieve --keyID 0x1 --output-data private.key
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Output: private.key

To retrieve a key and display it on the screen:

$ pki -n caadmin kra-key-retrieve --keyID 0x1
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: RSA
  Key Size: 1024
  Nonce data: rYkeh4Rb+MI=
  Actual archived data: MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALTyleypbSGRnb8+...

Retrieving key with custom security parameters

Displaying Key

To display a key given the key ID:

$ pki -n caadmin kra-key-show 0x1
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

To display the active key given the client key ID:

$ pki -n caadmin kra-key-show --clientKeyID test
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

Changing Key Status

To deactivate a key:

$ pki -n caadmin kra-key-mod 0x1 --status inactive
  Key ID: 0x1
  Client Key ID: test
  Status: inactive
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

To activate a key:

$ pki -n caadmin kra-key-mod 0x1 --status active
  Key ID: 0x1
  Client Key ID: test
  Status: active
  Algorithm: RSA
  Size: 1024
  Owner: kraadmin
  Public Key:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC08pXsqW0hkZ2/Pj/wSLQO+Jk3
S1+HhWPnyhOIa2njleLbPuDPan68vxSZGzKt3aSKbMbjJhnJWxxFECfzHywB4Gsc
FSxivKghm9CHmNGe6iGxrnEgi3A1aTg5bE76n7Sv0iWZuejg7u8V4QmU+jBc79O4
ydfTGLzZvtTVrYbgdQIDAQAB

See Also
