Red Hat CERTIFICATE SYSTEM 7.2 - COMMAND-LINE TOOLS Manual

Red Hat Certificate System 7.2
Command-Line Tools
Guide
7.2
Summary of Contents for Red Hat CERTIFICATE SYSTEM 7.2 - COMMAND-LINE TOOLS

  • Page 1 Red Hat Certificate System 7.2 Command-Line Tools Guide ISBN: N/A Publication date:...
  • Page 2 Red Hat Certificate System 7.2 This book covers important, Certificate System-specific, command-line tools that you can use to create, remove, and manage subsystem instances and to create and manage keys and certificates.
  • Page 3 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 4 Red Hat Certificate System 7.2...
  • Page 5: Table Of Contents

    About This Guide ...................... vii 1. Required Information ..................vii 2. What Is in This Guide ..................vii 3. Additional Reading ..................ix 4. Common Tool Information ................x 5. Examples and Formatting ................x 6. Giving Feedback .................... xi 7. Revision History .................... xii 1.
  • Page 6 Red Hat Certificate System 7.2 2. Usage ......................33 10. Pretty Print CRL ....................37 1. Syntax ......................37 2. Usage ......................37 11. TKS Tool ......................39 1. Syntax ......................39 2. Usage ......................42 12. CMC Request .....................47 1. Syntax ......................47 2. Usage ......................51 13. CMC Enrollment ....................53 1.
  • Page 7: About This Guide

    About This Guide The Certificate System Command-Line Tools Guide describes the command-line tools and utilities bundled with Red Hat Certificate System and provides information such as command syntax and usage examples to help use these tools. This guide is intended for experienced system administrators who are planning to deploy the Certificate System.
  • Page 8 About This Guide whether the Certificate System can detect those tokens to use for a subsystem. Chapter 4, SSLGet Describes a tool used by the Certificate System to help configure and use security domains. Chapter 5, AuditVerify Describes how to use the tool used to verify signed audit logs.
  • Page 9: Additional Reading

    Additional Reading Chapter 19, Issuer Alternative Name Describes how to generate an Issuer Alternative Name extension in base-64 encoding. Chapter 20, Subject Alternative Name Describes how to generate a Subject Alternative Name extension in base-64 encoding. Chapter 21, HTTP Client Describes how to communicate with any HTTP/HTTPS server.
  • Page 10: Common Tool Information

    For the latest information about Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat documentation page: http://www.redhat.com/docs/manuals/cert-system/ 4. Common Tool Information All of the tools in this guide are located in the...
  • Page 11: Giving Feedback

    If there is any error in this Command-Line Tools Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:...
  • Page 12: Revision History

    We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com. 7. Revision History Revision History Revision 7.2.1...
  • Page 13: Create And Remove Instance Tools

    Chapter 1. Create and Remove Instance Tools The Certificate System includes two tools to create and remove subsystem instances, pkicreate and pkiremove. NOTE: The pkicreate tool does not install the Certificate System; this is done through installing the packages or running the Red Hat Enterprise Linux up2date command.
  • Page 14: Usage

    Chapter 1. Create and Remove Instance Tools Parameter Description pki_instance_root Gives the full path to the new instance configuration directory. subsystem_type Gives the type of subsystem being created. The possible values are as follows: • , for a Certificate Manager •...
  • Page 15: Pkiremove

    pkiremove named rhpki-drm2, in the /var/lib/rhpki-drm2 directory, using secure port 10543 and unsecure port 10180: pkicreate -pki_instance_root=/var/lib -subsystem_type=kra -pki_instance_name=rhpki-drm2 -secure_port=10543 -unsecure_port=10180 -tomcat_server_port=1802 -user=pkiuser -group=pkigroup -verbose To keep the pkicreate script from creating a new instance when it is run, set the DONT_RUN_PKICREATE environment variable to 1: export DONT_RUN_PKICREATE=1 2.
  • Page 17: Silent Installation

    Chapter 2. Silent Installation The Certificate System includes a tool, pkisilent, which can completely create and configure an instance in a single step. Normally, adding instances requires running the pkicreate utility to create the instance and then accessing the subsystem HTML page to complete the configuration.
  • Page 18 Chapter 2. Silent Installation -token_pwd HSM_password -save_p12 export-p12-file -backup_pwd password This tool has the following syntax for the DRM, OCSP, and TKS subsystems: perl pkisilent ConfiguresubsystemType -cs_hostname hostname -cs_port SSLport -ca_hostname hostname -ca_port port -ca_ssl_port SSLport -ca_agent_name agentName -ca_agent_password password -client_certdb_dir certDBdir -client_certdb_pwd password -preop_pin preoppin...
  • Page 19 Syntax -bind_password password -base_dn search_base_DN -db_name dbName -key_size keySize -key_type keyType -agent_key_size keySize -agent_key_type keyType -agent_cert_subject cert_subject_name -ldap_auth_host ldap_auth_host -ldap_auth_port ldap_auth_port -ldap_auth_base_dn ldap_auth_base_dn Java Class Name Subsystem ConfigureCA For the CA. ConfigureDRM For the DRM. ConfigureOCSP For the OCSP. ConfigureTKS For the TKS.
  • Page 20 Chapter 2. Silent Installation Parameter Description client_certdb_pwd The password to protect the certificate database. preop_pin The preoperation PIN number used for the initial configuration. domain_name The name of the security domain to which the subsystem will be added. admin_user The new admin user for the new subsystem. admin_email The email address of the admin user.
  • Page 21: Usage

    Usage Parameter Description installation. token_name Gives the name of the HSM token used to store the subsystem certificates. Only for the CA subsystem. token_password Gives the password for the HSM. Only for the CA subsystem. ldap_auth_host Gives the hostname of the LDAP directory database to use for the TPS subsystem token database.
  • Page 22 Chapter 2. Silent Installation fS44I6SASGF34FD76WKJHIW4 -domain_name "testca" -admin_user admin -admin_email "admin@example.com" -admin_password password -agent_name "rhpki-tks2 agent" -ldap_host server -ldap_port 389 -bind_dn "cn=directory manager" -bind_password password -base_dn "o=rhpki-tks2" -db_name "rhpki-tks2" -key_size 2048 -key_type rsa -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "tks agent cert" -backup_pwd password This silent installation script example installs a TPS subsystem;...
  • Page 23: Tokeninfo

    Chapter 3. TokenInfo This tool is used to determine which external hardware tokens are visible to the Certificate System subsystem. This can be used to diagnose whether problems using tokens are related to the Certificate System being unable to detect them. 1.
  • Page 25: Sslget

    Chapter 4. SSLGet This tool is similar to the wget command, which downloads files over HTTP. sslget supports client authentication using NSS libraries. The configuration wizard uses this utility to retrieve security domain information from the CA. 1. Syntax The sslget tool has the following syntax: sslget [-e profile information] -n rsa_nickname [-p password | -w pwfile]...
  • Page 26 Chapter 4. SSLGet sslget -e "profileId=caInternalAuthServerCert&cert_request_type=pkcs10 &requestor_name=TPS-server.example.com-7889 &cert_request=MIIBGTCBxAIBADBfMSgwJgYDVQQKEx8yMDA2MTEwNngxMi BTZmJheSBSZWRoYXQgRG9tYWluMRIwEAYDVQQLEwlyaHBraS10cHMxHzAdBgNVBA MTFndhdGVyLnNmYmF5LnJlZGhhdC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAk EAsMcYjKD2cDJOeKjhuAiyaC0YVh8hUzfcrf7ZJlVyROQx1pQrHiHmBQbcCdQxNz YK7rxWiR62BPDR4dHtQzj8RwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAKpuTYGP %2BI1k50tjn6enPV6j%2B2lFFjrYNwlYWBe4qYhm3WoA0tIuplNLpzP0vw6ttIMZ kpE8rcfAeMG10doUpp &xmlOutput=true&sessionID=-4771521138734965265 &auth_hostname=server.example.com&auth_port=9443" -d "/var/lib/rhpki-tps/alias" -p "password123" -v -n "Server-Cert cert-rhpki-tps" -r "/ca/ee/ca/profileSubmit" server.example.com:9443...
  • Page 27: Auditverify

    Chapter 5. AuditVerify The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity of signed audit logs using the tool.
  • Page 28: Syntax

    Chapter 5. AuditVerify /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "Log Signing Certificate" -a -i \ /var/lib/instance_ID/alias/logsigncert.txt 2. Syntax The AuditVerify tool has the following syntax: AuditVerify -d dbdir -n signing_certificate_nickname -a logListFile [-P cert/key_db_prefix] [-v] Option Description -d Specifies the directory containing the security databases with the imported audit log signing certificate.
  • Page 29: Return Values

    2. If the audit databases do not contain prefixes and are located in the user home directory, such as /usr/home/smith/.redhat, and the signing certificate nickname is "auditsigningcert", the AuditVerify command is run as follows: AuditVerify -d /usr/home/smith/.redhat -n auditsigningcert -a /etc/audit/logListFile -P "" -v...
  • Page 31: Pin Generator

    Chapter 6. PIN Generator For the Certificate System to use the UidPwdPinDirAuth authentication plug-in module, the authentication directory must contain unique PINs for each end entity which will be issued a certificate. The Certificate System provides a tool, the PIN Generator, which generates unique PINs for end-entity entries in an LDAP directory.
  • Page 32: Syntax

    Chapter 6. PIN Generator ## This line switches setpin into setup mode. ## Please do not change it. setup=yes 3. Run setpin, and set the option file to setpin.conf: setpin optfile=/usr/lib/rhpki/native-tools/setpin.conf 1.2. Syntax setpin has the following syntax: setpin host=host_name [port=port_number] binddn=user_id [bindpw=bind_password] filter="LDAP_search_filter"...
  • Page 33 Syntax Option Description length Specifies the exact number of characters a PIN must contain; the default is 6. Do not use with minlength or maxlength. minlength Sets the minimum length of the generated PINs. If used with maxlength, this sets the lower end of the range of the PIN length. Do not use with length. maxlength...
  • Page 34 Chapter 6. PIN Generator Option Description output Specifies the absolute path to the file to write the PINs as setpin generates them. If a file is not set, then the output is written to the standard output. Regardless of whether an output file is set, all error messages are directed to the standard error.
  • Page 35: Usage

    ) for filtering out the user entries that require PINs, the setpin command looks like the following: setpin host=csldap port=19000 binddn="CN=Directory Manager" bindpw=redhat filter="(ou=employees)" \ basedn="o=example.com" This example queries the directory for all the entries in the organizational unit (...
  • Page 36 Chapter 6. PIN Generator The information can be written to a different output file by using the output option; see Section 2.2, "Output File" for more information. The entries returned by the LDAP search filter can be further restricted by using an ASCII input file which lists the entry DNs; only entries matching those in the file are updated.
  • Page 37: Input File

    Input File Table 6.1. PIN Generator Status If a PIN already exists for a user, it is not changed if the setpin command is run a second time. This allows new PINs to be created for new users without overwriting PINs for users who have already received a PIN.
  • Page 38: Output File

    Chapter 6. PIN Generator PINs can also be provided for the DNs in plain-text format; these PINs are hashed according to the command-line arguments. dn:cn=user1, o=example.com pin:pl229Ab dn:cn=user2, o=example.com pin:9j65dSf dn:cn=user3, o=example.com pin:3knAg60 NOTE Hashed PINs cannot be provided to the tool. 2.2.
  • Page 39: How Pins Are Stored In The Directory

    Exit Codes 2.3. How PINs Are Stored in the Directory Each PIN is concatenated with the corresponding LDAP attribute named in the saltattribute argument. If this argument is not specified, the DN is used. That string is hashed with the routine specified in the hash argument;...
  • Page 40 Chapter 6. PIN Generator Table 6.2. Result Codes Returned by the PIN Generator...
  • Page 41: Ascii To Binary

    Chapter 7. ASCII to Binary The Certificate System ASCII to binary tool converts ASCII base-64 encoded data to binary base-64 encoded data. 1. Syntax The ASCII to binary tool, AtoB, has the following syntax: AtoB input_file output_file Option Description input_file Specifies the path and file to the base-64 encoded ASCII data.
  • Page 43: Binary To Ascii

    Chapter 8. Binary to ASCII The Certificate System binary to ASCII tool, BtoA, converts binary base-64 encoded data to ASCII base-64 encoded data. 1. Syntax The BtoA tool uses the following syntax: BtoA input_file output_file Option Description input_file Specifies the path and file of the base-64 encoded binary data.
  • Page 45: Usage

    Chapter 9. Pretty Print Certificate The Pretty Print Certificate utility, PrettyPrintCert, prints the contents of a certificate stored as ASCII base-64 encoded data to a readable format. 1. Syntax The PrettyPrintCert command has the following syntax: PrettyPrintCert [-simpleinfo] input_file [output_file] Option Description Optional.
  • Page 46 Chapter 9. Pretty Print Certificate The certificate in pretty-print format in the ascii_cert.out file looks like the following: Certificate: Data: Version: v3 Serial Number: 0x100C Signature Algorithm: OID.1.2.840.113549.1.1.5 -1.2.840.113549.1.1.5 Issuer: CN=Test CA,OU=Widget Makers 'R'Us,O=Example Corporation, Widgets\,Inc.,C=US Validity: Not Before: Wednesday, February 17, 1999 7:43:39 PM Not After: Thursday, February 17, 2000 7:43:39 PM Subject: MAIL=admin@example.com,CN=testCA Administrator, UID=admin, OU=IS, O=Example Corporation,C=US...
  • Page 47 Usage PrettyPrintCert -simpleinfo /usr/home/smith/test/ascii_cert.in /usr/home/smith/test/cert.simple The base-64 encoded certificate data in the ascii_cert.in file looks similar to the following: -----BEGIN CERTIFICATE----- MIIC2DCCAkGgAwIBAgICEAwwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMxIzA hBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRXaWRnZX QgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVzdCBUZXN0I FRlc3QgQ0EwHhcNOTkwMjE4MDMMzM5WhcNMDAwMjE4MDM0MzM5WjCBrjELMAkGA1UEB hMCVVMxJjAkBgNVBAoTHU5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnAuMRUwEwYD VQQLEwOZXRzY2FwZSBDTVMxGDAWBEBEwhtaGFybXNlbjEfMB0GA1UEAxWaW50ZGV2Y2 EgQWRtaW5pcwp0frfJOObeiSsia3BuifRHBNw95ZZQR9NIXr1x5bE -----END CERTIFICATE----- The simple certificate information in the output file cert.simple looks like the following: MAIL=admin@example.com CN=testCA Administrator...
  • Page 49: Pretty Print Crl

    Chapter 10. Pretty Print CRL The Pretty Print CRL tool, PrettyPrintCrl, prints the contents of a certificate revocation list (CRL) in an ASCII base-64 encoded file in a readable form. 1. Syntax The PrettyPrintCrl utility has the following syntax: PrettyPrintCrl input_file [output-file] Option Description input_file...
  • Page 50 Chapter 10. Pretty Print CRL Certificate Revocation List: Data: Version: v2 Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4 Issuer: CN=Test CA,O=Example Corporation This Update: Thu Dec 17 14:37:24 PST 1998 Revoked Certificates: Serial Number: 0x13 Revocation Date: Tuesday, December 15, 1998 5:18:32 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no...
  • Page 51: Tks Tool

    Chapter 11. TKS Tool The TKS utility, tksTool, manages keys, including keys stored on tokens, the TKS master key, and related keys and databases. 1. Syntax tksTool can be used to manage certificates and keys in several different ways. The tksTool syntax for these different operations is as follows: •
  • Page 52 Chapter 11. TKS Tool tksTool -P -d dbdir [-p dbprefix] [-f pwfile] • Renaming a symmetric key. tksTool -R -n keyname -r new_keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile] • Listing all security modules. tksTool -S -d dbdir [-p dbprefix] [-x] •...
  • Page 53 Syntax The tksTool options are as follows: Option Description Deletes a key from the token. Required. Gives the security module database (HSM, if allowed for that operation) or the key database directory (software). Gives the path and filename of the password file, if one is used.
  • Page 54: Usage

    Chapter 11. TKS Tool Option Description Gives the path and filename of the noise file to generate the key. There are two additional options which can be used with tksTool to get more information about the utility. Option Description Displays the extended help information. Displays the version number of the tksTool tool.
  • Page 55 Usage commands below. 3. List the contents of the local software key database. tksTool -L -d . slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": tksTool: the specified token is empty 4.
  • Page 56 Chapter 11. TKS Tool tksTool -L -d . slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": 0 transport 9. Use the transport key to generate and wrap a master key, and store the master key in a file called file tksTool -W -d .
  • Page 57 Usage in a file called file tksTool -U -d . -n unwrapped_master -t transport -i file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key from the specified token (for unwrapping) . . . Reading in the wrapped data (and resident master key KCV) from the file called "file"...
  • Page 58 Chapter 11. TKS Tool tksTool -L -d . slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": 0 unwrapped_master 1 transport...
  • Page 59: Cmc Request

    Chapter 12. CMC Request The CMC Request utility, CMCRequest, creates a CMC request from one or more PKCS #10 or CRMF requests. The utility can also be used to revoke certificates. 1. Syntax The CMCRequest command uses a configuration file ( ) as a parameter.
  • Page 60 Description databases are located. For example, dbdir=/u/smith/db/ password Required. The token password for cert8.db which stores the agent certificate. For example, password=redhat format The request format, either pkcs10 or crmf. For example, format=crmf The following .cfg file parameters set CMC controls:...
  • Page 61 Syntax Parameters Description getCert.issuer The issuer name for the getCert control. For example, getCert.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us dataReturn.enable If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, dataReturn.enable=false dataReturn.data...
  • Page 62 Chapter 12. CMC Request Parameters Description For example, revRequest.nickname=newuser's 102504a revRequest.issuer The issuer name for the certificate being revoked. For example, revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us revRequest.serial The serial number for the certificate being revoked. For example, revRequest.serial=75 revRequest.reason The reason for revoking this certificate. The allowed values are unspecified, keyCompromise...
  • Page 63: Usage

    Usage Parameters Description For example, identityProof.enable=false identityProof.sharedSecret The shared secret for the identityProof control. For example, identityProof.sharedSecret=testing popLinkWitness.enable If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, popLinkWitness.enable=false...
  • Page 65: Cmc Enrollment

    Chapter 13. CMC Enrollment The CMC Enrollment utility, CMCEnroll, is used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users. 1.
  • Page 66 Chapter 13. CMC Enrollment 1. Open the CA's web directory in /var/lib/rhpki-ca/web-apps/ca/ee/ca 2. Open the CMCEnrollment.html file. 3. Find the following line: form method="post" action="/enrollment" onSubmit="return validate(document.forms[0])" 4. Add the following line below that line: input type="hidden" name="authenticator" value="CMCAuth" 5. After configuring the HTML form, test CMCEnroll and the form by doing the following: a.
  • Page 67 Usage f. Use the agent page to search for the new certificates.
  • Page 69: Cmc Response

    Chapter 14. CMC Response The CMC Response utility, CMCResponse, parses a CMC response received by the utility. 1. Syntax The CMC Response utility uses the following syntax: CMCResponse -d directoryName -i /path/to/CMCResponse.file Options Description -d Specifies the path to the directory.
  • Page 71: Cmc Revocation

    Chapter 15. CMC Revocation The CMC Revocation utility, CMCRevoke, signs a revocation request with an agent's certificate. 1. Syntax This utility has the following syntax: CMCRevoke -d directoryName -n nickname -i issuerName -s serialName -m reasonToRevoke -c comment Option Description -d The path to the directory where the cert8.db...
  • Page 72: Testing Cmc Revocation

    Chapter 15. CMC Revocation NOTE Surround values that include spaces in quotation marks. 2. Testing CMC Revocation Test that CMC revocation is working properly by doing the following: 1. Create a CMC revocation request for an existing certificate. For example, if the directory containing the agent certificate is /var/lib/rhpki-ca/alias/, the nickname of the...
  • Page 73: Crmf Pop Request

    Chapter 16. CRMF Pop Request The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate.
  • Page 74: Usage

    CRMFPopClient password123 nullAuthMgr host.redhat.com 1026 admin redhat \ POP_SUCCESS CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ The following example generates a CRMF/POP request that includes a transport for key archival in the DRM.
  • Page 75 Usage CN=MyTest,C=US,UID=MyUid NOTE A file named transport.txt containing the transport certificate in base-64 format must be created in the directory from which the utility is launched. This file must be available for archival to a DRM.
  • Page 77: Extension Joiner

    Chapter 17. Extension Joiner The Certificate System provides policy plug-in modules that allow standard and custom X.509 certificate extensions to be added to end-entity certificates that the server issues. Similarly, the Certificate Setup Wizard that generates certificates for subsystem users allows extensions to be selected and included in the certificates.
  • Page 78 Chapter 17. Extension Joiner iBakowGgYDVR0SBBMwEaQPMA0xCzAJBgNVBAYTAlVT 3. Copy the encoded blob, without any modifications, to a file. 4. Verify that the extensions are joined correctly before adding them to a certificate request by converting the binary data to ASCII using the AtoB utility and then dumping the contents of the base-64 encoded blob using the...
  • Page 79 Usage If the output data do not appear to be correct, check that the original Java™ extension files are correct, and repeat converting the files from ASCII to binary and dumping the data until the correct output is returned. 5. When the extensions have been verified, copy the base-64 encoded blob that was created by running ExtJoiner to the Certificate System wizard screen, and generate the certificate or...
  • Page 81: Key Usage Extension

    Chapter 18. Key Usage Extension The GenExtKeyUsage tool creates a base-64 encoded blob that adds ExtendedKeyUsage (OID 2.5.29.37) to the certificate. This blob is pasted into the certificate approval page when the certificate is created. 1. Syntax The GenExtKeyUsage tool has the following syntax: GenExtKeyUsage [true|false] OID ...
  • Page 83: Issuer Alternative Name Extension

    Chapter 19. Issuer Alternative Name Extension GenIssuerAltNameExt creates a base-64 encoded blob that adds the issuer name extensions, IssuerAltNameExt (OID 2.5.29.18), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created. 1. Syntax The GenIssuerAltNameExt tool uses parameter pairs where the first parameter specifies the general type of name attribute which is used for the issuer and the second parameter gives that...
  • Page 84 Chapter 19. Issuer Alternative Name Extension Parameter Description o=Example Corporation, c=US • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com • For EDIPartyName, the value must be an IA5String. For example, Example Corporation •...
  • Page 85: Usage

    Usage Parameter Description realm1|0|userID1,userID2 2. Usage The following example sets the issuer name in the RFC822Name and DirectoryName formats: GenIssuerAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom...
  • Page 87: Subject Alternative Name Extension

    Chapter 20. Subject Alternative Name Extension GenSubjectAltNameExt creates a base-64 encoded blob to add the alternate subject name extension, SubjectAltNameExt (OID 2.5.29.17), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created. 1.
  • Page 88 Chapter 20. Subject Alternative Name Extension Parameter Description o=Example Corporation, c=US • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com • For EDIPartyName, the value must be an IA5String. For example, Example Corporation •...
  • Page 89: Usage

    Usage Parameter Description realm1|0|userID1,userID2 2. Usage In the following example, the subject alternate names are set to the RFC822Name and DirectoryName types. GenSubjectAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom...
  • Page 91: Http Client

    . For example: secure=false clientmode=true password The password for the cert8.db database. This parameter is ignored if secure=false. For example: clientauth=false password=redhat nickname The nickname of the client certificate. This parameter is ignored if clientmode=false. For example: nickname=CS Agent-102504a's 102504a ID...
  • Page 92 Chapter 21. HTTP Client Parameters Description servlet The URI of the servlet that processes full CMC requests. The default value is /ca/profileSubmitCMCFull. For example: servlet=/ca/profileSubmitCMCFull...
  • Page 93: Ocsp Request

    Chapter 22. OCSP Request The OCSP request utility, OCSPClient, creates an OCSP request conforming to RFC 2560, submits it to the OCSP server, and saves the OCSP response in a file. 1. Syntax The OCSPClient tool has the following syntax: OCSPClient host port dbdir nickname serial_number output times Option Description...
  • Page 95: Pkcs #10 Client

    Chapter 23. PKCS #10 Client The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair in the security database, constructs a PKCS#10 certificate request with the public key, and outputs the request to a file. PKCS #10 is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests.
  • Page 97: Bulk Issuance Tool

    Chapter 24. Bulk Issuance Tool The bulkissuance utility sends a KEYGEN or a CRMF enrollment request to the bulk issuance interface of a CA to create certificates automatically. The bulkissuance utility does not generate the certificate request itself. It submits the content in the input file to the CA server's bulk issuance interface.
  • Page 99: Revocation Automation Utility

    Chapter 25. Revocation Automation Utility The revoker utility sends revocation requests to the CA agent interface to revoke certificates. To access the interface, revoker needs to have access to an agent certificate that is acceptable to the CA. The revoker tool can do all of the following: •
  • Page 100 Chapter 25. Revocation Automation Utility Option Description • 0 - Unspecified (default). • 1 - The key was compromised. • 2 - The CA key was compromised. • 3 - The affiliation of the user has changed. • 4 - The certificate has been superseded. •...
  • Page 101: Tpsclient

    Chapter 26. tpsclient The tpsclient tool can be used for debugging or testing the TPS. The tpsclient imitates the Enterprise Security Client and can give debug output or emulate enrolling and formatting tokens without having to use tokens. The tool is launched by running the tpsclient command.
  • Page 102 Chapter 26. tpsclient tks.mk_mappings.#02#01=lunasa1:masterkey This configuration instructs the TKS to map the master key named masterkey on the lunasa1 token to the #02#01 key. 2. Enable key upgrade in the TPS by editing the update symmetric keys parameter in the TPS CS.cfg file: op.format.tokenKey.update.symmetricKeys.enable=true...
  • Page 103: Syntax

    Syntax op=token_set kek_key=404142434445464748494a4b4c4d4e4f op=ra_enroll uid=jdoe pwd=password new_pin=password num_threads=1 Example 26.1. Example tpsclient Enrollment Input File The sample input file for an enrollment operation is shown in Example 26.2, “Example tpsclient Format Input File”. op=var_set name=ra_host value=server.example.com op=var_set name=ra_port value=7888 op=var_set name=ra_uri value=/nk_service op=token_set cuid=00000000000000000001 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0 op=token_set auth_key=404142434445464748494a4b4c4d4e4f...
  • Page 104 Chapter 26. tpsclient Operation Description Options • num_threads sets the number of threads to use • secureid_pin gives the token password • keygen sets whether server-side key generation is enabled. op=ra_reset_pin Resets the token PIN. • gives the user ID of the user running.
  • Page 105 Syntax Operation Description Options op=var_get Gets the current value of the variable. This has the usage name=name, where name is the variable being checked. op=var_list Lists all possible variables. op=var_set Sets variable values. • name sets the name of the variable.