About This Guide
1. Required Information ..... vii
2. What Is in This Guide ..... vii
3. Common Tool Information ..... ix
4. Examples and Formatting ..... ix
4.1. File Locations for Examples and Commands ..... ix
4.2. Using Mozilla LDAP Tools ..... ix
4.3.
About This Guide
The Certificate System Command-Line Tools Guide describes the command-line tools and utilities bundled with Red Hat Certificate System and provides information such as command syntax and usage examples to help administrators use these tools. This guide is intended for experienced system administrators who are planning to deploy the Certificate System.
Chapter 6, PIN Generator  Describes how to use the tool for generating unique PINs for end users and for populating their directory entries with PINs.
Chapter 7, ASCII to Binary  Describes how to use the tool for converting ASCII data to its binary equivalent.
Chapter 23, PKCS #10 Client  Describes how to generate a Public-Key Cryptography Standards (PKCS) #10 enrollment request.
Chapter 24, Bulk Issuance Tool  Describes how to send either a KEYGEN or CRMF enrollment request to the bulk issuance interface to create certificates automatically.
The default subsystem instances, however, are configured to use a single secure port for all services. Therefore, any example commands or files reference these default ports.
Subsystem  SSL Port  Non-SSL Port
9443  9080
12889  12888
10443  10080
OCSP  11443  11080
...
If there is any error in this Command-Line Tools Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at docs@redhat.com.
7. Document History
Revision 7.3.4...
Chapter 1. Create and Remove Instance Tools
The Certificate System includes two tools to create and remove subsystem instances, pkicreate and pkiremove.
NOTE The pkicreate tool does not install Certificate System itself; this is done by installing the packages or running the Red Hat Enterprise Linux up2date command. This tool creates new instances after the default subsystems have been installed.
Parameter  Description
• kra, for a DRM
• ocsp, for an OCSP
• tks, for a TKS
• tps, for a TPS
pki_instance_name  Gives the name of the new instance. The name must be unique within the security domain. Even cloned subsystems must have different instance names for cloning to succeed.
Parameter  Description
user  Sets the user as which the Certificate System instance will run. This option must be set.
group  Sets the group as which the Certificate System instance will run. This option must be set.
verbose  Optional. Runs the new instance creation in verbose mode.
Parameter  Description
pki_instance_name  Gives the name of the instance.
1.2.2. Usage
The following example removes a DRM instance named rhpki-drm2 which was installed in the /var/lib/rhpki-drm2 directory.
pkiremove -pki_instance_root=/var/lib -pki_instance_name=rhpki-drm2...
Chapter 2. Silent Installation The Certificate System includes a tool, pkisilent, which can completely create and configure an instance in a single step. Normally, adding instances requires running the pkicreate utility to create the instance and then accessing the subsystem HTML page to complete the configuration. The pkisilent utility creates and configures the instance in a single step.
-help, -?  displays help information
-cs_hostname  CS Hostname
-cs_port  CS SSL port
-sd_hostname  Security Domain Hostname
-sd_ssl_port  Security Domain SSL port
-sd_admin_name  Security Domain username
-sd_admin_password  Security Domain password
-ca_hostname  CA Hostname
-ca_port  CA non SSL port
-ca_ssl_port  CA SSL port
-client_certdb_dir  Client CertDB dir
-client_certdb_pwd  client certdb password
...
Parameter  Description
ca_ssl_port  The SSL port number of the CA.
ca_agent_name  The UID of the CA agent.
ca_agent_password  The password of the CA agent.
client_certdb_dir  The directory for the subsystem certificate databases.
client_certdb_pwd  The password to protect the certificate database.
preop_pin  The preoperation PIN number used for the initial...
Parameter  Description
token_name  Gives the name of the HSM token used to store the subsystem certificates. Only for the CA subsystem.
token_password  Gives the password for the HSM. Only for the CA subsystem.
ldap_auth_host  Gives the hostname of the LDAP directory database to use for the TPS subsystem token database.
Chapter 3. TokenInfo
This tool is used to determine which external hardware tokens are visible to the Certificate System subsystem. It can be used to diagnose whether problems using tokens are caused by the Certificate System being unable to detect them.
3.1.
Chapter 4. SSLGet
This tool is similar to the wget command, which downloads files over HTTP. sslget supports client authentication using NSS libraries. The configuration wizard uses this utility to retrieve security domain information from the CA.
4.1. Syntax
The sslget tool has the following syntax:
sslget [-e profile information] -n rsa_nickname [-p password | -w pwfile] [-d dbdir] [-v] [-V] -r url hostname[:port]...
Chapter 5. AuditVerify 5.1. About the AuditVerify Tool The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file.
AuditVerify -d dbdir -n signing_certificate_nickname -a logListFile [-P cert/key_db_prefix] [-
Option  Description
-d dbdir  Specifies the directory containing the security databases with the imported audit log signing certificate.
-n signing_certificate_nickname  Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the log signing certificate was imported into that database.
2. If the audit databases do not contain prefixes and are located in the user home directory, such as /usr/home/smith/.redhat, and the signing certificate nickname is “auditsigningcert”, the AuditVerify command is run as follows:
AuditVerify -d /usr/home/smith/.redhat -n auditsigningcert -a /etc/audit/logListFile -P ""...
Chapter 6. PIN Generator
For the Certificate System to use the UidPwdPinDirAuth authentication plug-in module, the authentication directory must contain unique PINs for each end entity which will be issued a certificate. The Certificate System provides a tool, the PIN Generator, which generates unique PINs for end-entity entries in an LDAP directory.
Option  Description
constructed out of alphabetic characters (RNG-alpha), alphanumeric characters (RNG-alphanum), or any printable ASCII characters (printableascii).
Restricts the character case to uppercase only; otherwise, the case is mixed. Restricting alphabetic characters to uppercase reduces the overall combinations for the password space significantly.
Option  Description
clobber  Overwrites pre-existing PINs, if any, associated with a DN. If this option is not used, any existing PINs are left in the directory.
testpingen  Tests the PIN-generation mode. count sets the total number of PINs to generate for testing.
debug  Writes debugging information to the standard error.
How setpin Works
setpin host=csldap port=19000 binddn="CN=Directory Manager" bindpw=redhat filter="(ou=employees)" \
basedn="o=example.com"
This example queries the directory for all the entries in the employees organizational unit (ou). For each entry matching the filter, information is printed out to standard error and to the standard output.
Figure 6.1. Using an Input and Output File When Generating PINs
The output file contains the entry and PIN information from running setpin, as shown in the following example:
Processing: cn=QA Managers,ou=employees,o=example.com
Adding new pin/password
dn:cn=QA Managers,ou=employees,o=example.com
pin:lDWynV
status:notwritten
Processing: cn=PD Managers,ou=employees,o=example.com...
Exit Code  Description
notwritten  The PINs were not written to the directory because the write option was not used.
writefailed  The tool tried to modify the directory, but the write operation was unsuccessful.
added  The tool added the new PIN to the directory successfully.
dn:cn=user2, o=example.com
dn:cn=user3, o=example.com
PINs can also be provided for the DNs in plain-text format; these PINs are hashed according to the command-line arguments.
dn:cn=user1, o=example.com
pin:pl229Ab
dn:cn=user2, o=example.com
pin:9j65dSf
dn:cn=user3, o=example.com
pin:3knAg60
NOTE Hashed PINs cannot be provided to the tool.
6.2.2.
specified in the hash argument; the default algorithm is SHA-1. One byte is prepended to indicate the hash type used. The PIN is stored as follows:
byte[0] = X
The value of X depends on the hash algorithm chosen during the PIN generation process.
Hash Algorithm SHA-1 none...
Chapter 7. ASCII to Binary
The Certificate System ASCII to binary tool converts ASCII base-64 encoded data to binary base-64 encoded data.
7.1. Syntax
The ASCII to binary tool, AtoB, has the following syntax:
AtoB input_file output_file
Option  Description
input_file  Specifies the path and file of the base-64 encoded ASCII data.
Chapter 8. Binary to ASCII
The Certificate System binary to ASCII tool, BtoA, converts binary base-64 encoded data to ASCII base-64 encoded data.
8.1. Syntax
The BtoA tool uses the following syntax:
BtoA input_file output_file
Option  Description
input_file  Specifies the path and file of the base-64 encoded binary data.
Chapter 9. Pretty Print Certificate
The Pretty Print Certificate utility, PrettyPrintCert, prints the contents of a certificate stored as ASCII base-64 encoded data in a readable format.
9.1. Syntax
The PrettyPrintCert command has the following syntax:
PrettyPrintCert [-simpleinfo] input_file [output_file]
Option  Description
Optional.
Issuer: CN=Test CA,OU=Widget Makers 'R'Us,O=Example Corporation, Widgets\,Inc.,C=US
Validity:
Not Before: Wednesday, February 17, 1999 7:43:39 PM
Not After: Thursday, February 17, 2000 7:43:39 PM
Subject: MAIL=admin@example.com,CN=testCA Administrator, UID=admin, OU=IS, O=Example Corporation,C=US
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
30:81:89:02:81:81:00:DE:26:B3:C2:9D:3F:7F:FA:DF:...
Chapter 10. Pretty Print CRL
The Pretty Print CRL tool, PrettyPrintCrl, prints the contents of a certificate revocation list (CRL) in an ASCII base-64 encoded file in a readable form.
10.1. Syntax
The PrettyPrintCrl utility has the following syntax:
PrettyPrintCrl input_file [output-file]
Option  Description
input_file...
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Serial Number: 0x12
Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: CA_Compromise
Serial Number: 0x11
Revocation Date: Wednesday, December 16, 1998 4:51:54 AM
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no...
Chapter 11. TKS Tool
The TKS utility, tksTool, manages keys, including keys stored on tokens, the TKS master key, and related keys and databases.
11.1. Syntax
The tksTool can be used to manage certificates and keys in several different ways. The syntax for these different operations is as follows:
•...
Option  Description
Displays the KCV of the specified key.
Lists the specified key or all keys.
Generates a new master key.
Creates a new key database (software).
Required for every operation except -N, -P, and -S.
Gives the name of the key being managed. Required with -W.
2. Create new software databases.
tksTool -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
NOTE...
transport key KCV: A428 53BA
Storing transport key on final specified token . . .
Naming transport key "transport" . . .
Successfully generated, stored, and named the transport key!
8. List the contents of the key database again.
tksTool -L -d .
tksTool -U -d . -n unwrapped_master -t transport -i file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from the file called "file"...
For example, nickname=CS Agent-102504a's 102504a ID.
dbdir  Required. The full path to the directory where the cert8.db, key3.db, and secmod.db databases are located. For example, dbdir=/u/smith/db/.
password  Required. The token password for cert8.db, which stores the agent certificate. For example, password=redhat.
Chapter 12. CMC Request
Parameters  Description
format  The request format, either pkcs10 or crmf. For example, format=crmf.
Table 12.1.
The following .cfg file parameters set CMC controls:
Parameters  Description
confirmCertAcceptance.enable  If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
Parameters  Description
For example, transactionMgt.enable=true.
transactionMgt.id  The transaction identifier for the transactionMgt control. VeriSign recommends that the transaction ID should be an MD5 hash of the public key.
senderNonce.enable  If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false.
Parameters  Description
For example, revRequest.comment=readable comment.
revRequest.invalidityDatePresent  If set to true, the current time is the invalidity date for the revoked certificate. If set to false, no invalidity date is present. For example, revRequest.invalidityDatePresent=false.
identityProof.enable  If set to true, then the request contains this control.
Chapter 13. CMC Enrollment The CMC Enrollment utility, CMCEnroll, is used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users. 13.1.
<form method="post" action="/enrollment" onSubmit="return validate(document.forms[0])">
4. Add the following line below that line:
<input type="hidden" name="authenticator" value="CMCAuth">
5. After configuring the HTML form, test CMCEnroll and the form by doing the following:
a. Create a certificate request using certutil.
b.
Chapter 14. CMC Response
The CMC Response utility, CMCResponse, parses a CMC response received by the utility.
14.1. Syntax
The CMC Response utility uses the following syntax:
CMCResponse -d directoryName -i /path/to/CMCResponse.file
Options  Description
-d directoryName  Specifies the path to the cert8.db directory.
-i  Specifies the path and filename of the CMC response file.
Chapter 15. CMC Revocation
The CMC Revocation utility, CMCRevoke, signs a revocation request with an agent's certificate.
15.1. Syntax
This utility has the following syntax:
CMCRevoke -d directoryName -n nickname -i issuerName -s serialName -m reasonToRevoke -c comment
Option  Description
-d directoryName  The path to the directory where the cert8.db, key3.db, and secmod.db databases containing the agent certificates are located.
is CertificateManagerAgentCert, and the serial number of the certificate is 22, the command is as follows:
CMCRevoke -d "/var/lib/rhpki-ca/alias" -n "CertificateManagerAgentCert" -i "cn=agentAuthMgr" -s 22 -m 0 -c "test comment"
2. Open the CA's end-entities page.
3.
Chapter 16. CRMF Pop Request The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate.
The following example generates a CRMF/POP request for the Certificate System user admin, has the server verify that the information is correct, and prints the certificate request to the screen:
CRMFPopClient password123 nullAuthMgr host.redhat.com 1026 admin redhat \
POP_SUCCESS CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ
The following example generates a CRMF/POP request that includes a transport for key archival in the DRM.
Chapter 17. Extension Joiner The Certificate System provides policy plug-in modules that allow standard and custom X.509 certificate extensions to be added to end-entity certificates that the server issues. Similarly, the Certificate Setup Wizard that generates certificates for subsystem users allows extensions to be selected and included in the certificates.
the base-64 encoded blob using the dumpasn1 utility. For information on the AtoB utility, see Chapter 7, ASCII to Binary. The dumpasn1 tool can be downloaded at http://fedoraproject.org/extras/4/i386/repodata/repoview/dumpasn1-0-20050404-1.fc4.html.
a. Run the AtoB utility to convert the ASCII to binary.
AtoB input_file output_file
where input_file is the path and file containing the base-64 encoded data in ASCII and output_file is the path and file for the utility to write the binary output.
Chapter 18. Key Usage Extension
The GenExtKeyUsage tool creates a base-64 encoded blob that adds ExtendedKeyUsage (OID 2.5.29.37) to the certificate. This blob is pasted into the certificate approval page when the certificate is created.
18.1. Syntax
The GenExtKeyUsage tool has the following syntax:
GenExtKeyUsage [true|false] OID ...
Chapter 19. Issuer Alternative Name Extension
The GenIssuerAltNameExt tool creates a base-64 encoded blob that adds the issuer alternative name extension, IssuerAltNameExt (OID 2.5.29.18), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.
19.1.
/var/lib/rhpki-ca/othername.txt. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
Table 19.1.
19.2. Usage
The following example sets the issuer name in the RFC822Name and DirectoryName formats:
GenIssuerAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom...
Chapter 20. Subject Alternative Name Extension
The GenSubjectAltNameExt tool creates a base-64 encoded blob that adds the subject alternative name extension, SubjectAltNameExt (OID 2.5.29.17), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.
20.1.
/var/lib/rhpki-ca/othername.txt. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
Table 20.1.
20.2. Usage
In the following example, the subject alternate names are set to the RFC822Name and DirectoryName types.
GenSubjectAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom...
For example: clientmode=true
password  The password for the cert8.db database. This parameter is ignored if secure=false and clientauth=false. For example: password=redhat
nickname  The nickname of the client certificate. This parameter is ignored if clientmode=false. For example: nickname=CS Agent-102504a's 102504a ID...
Chapter 22. OCSP Request
The OCSP request utility, OCSPClient, creates an OCSP request conforming to RFC 2560, submits it to the OCSP server, and saves the OCSP response in a file.
22.1. Syntax
The OCSPClient tool has the following syntax:
OCSPClient host port dbdir nickname serial_number output times
Option  Description...
Chapter 23. PKCS #10 Client The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair in the security database, constructs a PKCS#10 certificate request with the public key, and outputs the request to a file. PKCS #10 is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests.
Chapter 24. Bulk Issuance Tool The bulkissuance utility sends a KEYGEN or a CRMF enrollment request to the bulk issuance interface of a CA to create certificates automatically. The bulkissuance utility does not generate the certificate request itself. It submits the content in the input file to the CA server's bulk issuance interface.
Chapter 25. Revocation Automation Utility The revoker utility sends revocation requests to the CA agent interface to revoke certificates. To access the interface, revoker needs to have access to an agent certificate that is acceptable to the CA. The revoker tool can do all of the following: •...
Option  Description
Sets the invalidity date in hours from current time for when to revoke the certificate.
hostname  Gives the hostname of the server to which to send the request.
port  Optional. Gives the port number of the server.
Table 25.1.
Chapter 26. tpsclient The tpsclient tool can be used for debugging or testing the TPS. The tpsclient imitates the Enterprise Security Client and can give debug output or emulate enrolling and formatting tokens without having to use tokens. The tpsclient tool is launched by running the command tpsclient. The tool has no options. Running this opens a shell which allows specific commands to be directed toward the tpsclient.
op.format.tokenKey.update.symmetricKeys.enable=true
op.format.tokenKey.update.symmetricKeys.requiredVersion=2
This setting instructs the TPS to upgrade the token from version 1 to version 2 during the tpsclient format operation.
3. Format the token using tpsclient, as follows:
tpsclient
Command>op=token_set cuid=a00192030405060708c9 app_ver=6FBBC105 key_info=0101
Command>op=token_set auth_key=404142434445464748494a4b4c4d4e4f
Command>op=token_set mac_key=404142434445464748494a4b4c4d4e4f
Command>op=token_set kek_key=404142434445464748494a4b4c4d4e4f
## Formatting operation ##
Command>op=ra_format uid=test pwd=password num_threads=1...
26.1. Syntax
The tpsclient tool has the following syntax:
tpsclient op=operation options
Operation  Description  Options
op=help  Brings up the help page, which lists all usage and options for the tpsclient tool.
op=debug  Enables debugging. filename sets the debug file.
op=ra_enroll  Tests certificate enrollments.
Operation  Description  Options
op=token_set  Sets the token value. The usage with this operation is name=value, which sets the token name and description.
op=token_status  Returns the current token status.
op=var_get  Gets the current value of the variable. This has the usage name=name, where name is the variable.