-
Notifications
You must be signed in to change notification settings - Fork 139
PKI PKCS12 CLI
Since version 10.3 the PKI CLI provides a set of commands to manage the certificates and keys in PKCS #12 file.
Generally the PKCS #12 commands can be executed without an NSS database. However, under certain cases an NSS database may be required:
-
decrypting the key info in PKCS #12 file to display more details about the key
-
importing certificates and keys from the PKCS #12 file
-
exporting certificates and keys the PKCS #12 file
-
running in FIPS mode
If an NSS database is required, by default the command will use ~/.dogtag/nssdb
.
A different NSS database can be specified with a -d <directory>
parameter. The password for the NSS database can be specified using a -c <password>
or -C <password file>
, for example:
$ pki -d <directory> -c <password> pkcs12-...
or:
$ pki -d <directory> -C <password file> pkcs12-...
To import PKCS #12 file into the client security database (default: ~/.dogtag/nssdb
):
$ pki pkcs12-import \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 --------------- Import complete ---------------
Optionally, the nicknames of the certificates to be imported can be specified as arguments:
$ pki pkcs12-import \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 \ "caSigningCert cert-pki-tomcat CA" \ "subsystemCert cert-pki-tomcat" --------------- Import complete ---------------
To import without the trust flags:
$ pki pkcs12-import \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 \ --no-trust-flags --------------- Import complete ---------------
The password can be specified in a file:
$ pki pkcs12-import \ --pkcs12-file test.p12 \ --pkcs12-password-file pkcs12pwd.txt
To export NSS database (default: ~/.dogtag/nssdb
) into PKCS #12 file:
$ pki pkcs12-export \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 --------------- Export complete ---------------
It will overwrite existing PKCS #12 file.
To export certain certificates only, specify the nicknames as command arguments:
$ pki pkcs12-export \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 \ "auditSigningCert cert-pki-tomcat CA" \ "ocspSigningCert cert-pki-tomcat CA" --------------- Export complete ---------------
It will include the specified certificates with their keys, and the certificate chain without their keys.
To export without the trust flags:
$ pki pkcs12-export \ --pkcs12-file test.p12 \ --pkcs12-password Secret.123 \ --no-trust-flags --------------- Export complete ---------------
The password can be specified in a file:
$ pki pkcs12-export \ --pkcs12-file test.p12 \ --pkcs12-password-file pkcs12pwd.txt
See PKI PKCS12 Key CLI.
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |