Red Hat CERTIFICATE SYSTEM 8 - COMMAND-LINE Manual

Command-line tools guide
Red Hat Certificate
System 8
Command-Line Tools Guide
Ella Deon Lackey
Publication date: July 22, 2009, updated on March 25, 2010

Summary of Contents for Red Hat CERTIFICATE SYSTEM 8 - COMMAND-LINE

  • Page 2 Red Hat Certificate System 8 Command-Line Tools Guide. Author: Ella Deon Lackey. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    About This Guide
      1. Required Concepts, vii
      2. What Is in This Guide, vii
      3. Common Tool Information, ix
      4. Examples and Formatting, ix
        4.1. Formatting for Examples and Commands, ix
        4.2. Tool Locations, ix
        4.3.
  • Page 4 Command-Line Tools Guide
      8. Pretty Print Certificate: 8.1. Syntax, 29; 8.2. Usage, 29
      9. Pretty Print CRL: 9.1. Syntax, 31; 9.2. Usage, 31
      10. TKS Tool: 10.1. Syntax, 33; 10.2. Usage, 35
      11. CMC Request: 11.1.
  • Page 5 25. tpsclient: 25.1. Syntax, 71. Index...
  • Page 7: About This Guide

    About This Guide The Certificate System Command-Line Tools Guide describes the command-line tools and utilities bundled with Red Hat Certificate System and provides information such as command syntax and usage examples to help administrators use these tools. This guide is intended for experienced system administrators who are planning to deploy the Certificate System.
  • Page 8 About This Guide Chapter 5, PIN Generator Describes how to use the tool for generating unique PINs for end users and for populating their directory entries with PINs. Chapter 6, ASCII to Binary Describes how to use the tool for converting ASCII data to its binary equivalent.
  • Page 9: Common Tool Information

    Common Tool Information Chapter 22, PKCS #10 Client Describes how to generate a Public-Key Cryptography Standards (PKCS) #10 enrollment request. Chapter 23, Bulk Issuance Tool Describes how to send either a KEYGEN or CRMF enrollment request to the bulk issuance interface to create certificates automatically.
  • Page 10: Additional Reading

    About This Guide. Formatting styles: italicized text, bolded text, and other formatting styles draw attention to important text. NOTE: A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue. IMPORTANT: Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
  • Page 11: Giving Feedback

    If there is any error in this Command-Line Tools Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 12: Document History

    About This Guide 7. Document History
      Revision 8.0.5, March 25, 2010, Ella Deon Lackey dlackey@redhat.com: Adding information on the new end-entities client authentication port for the CA, related to the MitM resolution in Errata RHBA-2010:0170.
      Revision 8.0.4, February 18, 2009, Ella Deon Lackey dlackey@redhat.com...
  • Page 13: Create And Remove Instance Tools

    Chapter 1. Create and Remove Instance Tools The Certificate System includes three tools to create, configure, and remove subsystem instances: pkicreate, pkisilent, and pkiremove. NOTE The pkicreate tool does not install Certificate System itself; that is done by installing the packages, for example with the Red Hat Enterprise Linux yum command. This tool creates new instances after the default subsystems have been installed.
  • Page 14: Usage

    Chapter 1. Create and Remove Instance Tools (pkicreate parameters)
      subsystem_type: Gives the type of subsystem being created. The possible values are as follows:
        • ca, for a Certificate Authority
        • ra, for a Registration Authority
        • kra, for a DRM
        • ...
  • Page 15: Pkisilent

    Example 1.1. pkicreate Usage with a Single SSL Port
      pkicreate -pki_instance_root=/var/lib -subsystem_type=ca -pki_instance_name=pki-ca2 -secure_port=9543 -unsecure_port=9080 -tomcat_server_port=1802 -user=pkiuser -group=pkiuser -verbose
    Alternatively, the CA services can run on different ports. Example 1.2, "pkicreate with Port Separation", creates a CA instance with port separation. The agent port is 9544, the end-entity port is 9543, and the administrator port is 9545.
  • Page 16: Syntax

    Chapter 1. Create and Remove Instance Tools The utility can be downloaded and saved to any location and is then executed locally. 1.2.1. Syntax The pkisilent script can be used to configure a new subsystem instance. This tool has the following syntax:
      pkisilent Configuretype -cs_hostname hostname -cs_port admin_ssl_port -subsystem_name name -client_certdb_dir certDBdir -client_certdb_pwd password -preop_pin preoppin [ -...
  • Page 17 Syntax subca_silent.template. Both of these templates have detailed information on parameters and usage options for pkisilent. To check the specific options for any Configuretype option, just run the pkisilent command with the Configuretype option and the -help flag. For example, to get the help for configuring a subordinate CA: pkisilent ConfigureSubCA -help The Configuretype option sets what kind of subsystem is being configured.
  • Page 18 Chapter 1. Create and Remove Instance Tools Parameter Description sd_admin_port The admin SSL port of the CA which hosts security domain. sd_agent_port The agent SSL port of the CA which hosts security domain. sd_ssl_port The end-entities SSL port of the CA which hosts security domain. sd_admin_name The username of the administrative user for the CA hosting the security domain.
  • Page 19: Usage

    Usage (pkisilent parameters, continued)
      tps_server_cert_subject_name
      tps_subsystem_cert_nickname
      tps_server_cert_nickname
    Required Subsystem Configuration
      ca_hostname: The hostname for the CA subsystem which will issue the certificates for a subordinate subsystem.
      ca_port: The non-SSL port number of the CA.
      ca_ssl_port: The SSL end-entities port number of the CA.
      The hostname for the DRM subsystem to use to archive keys.
  • Page 20 Chapter 1. Create and Remove Instance Tools "o=pki-ca2" -db_name "server.example.com-pki-ca2" -key_size 2048 -key_type rsa -save_p12 true -backup_pwd password -backup_fname /export/backup.p12 -ca_subsystem_cert_subject_name "cn=ca\ subsystem\ cert,o=testca\ domain" -ca_ocsp_cert_subject_name "cn=ocsp\ signing \ cert,o=testca\ domain" -ca_server_cert_subject_name "cn=ca\ client\ cert,o=testca \ domain" -ca_sign_cert_subject_name "cn=ca\ signing\ cert,o=testca\ domain" - ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain"...
  • Page 21 Usage • The same LDAP base DN and database name, set in the -ldap_* parameters (either the hostname or the port must be different, since the clone does require a separate Directory Server instance) This clones an existing CA. pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "clone-ca2" -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin sYY8er834FG9793fsef7et5 -sd_hostname "domain.example.com"...
  • Page 22: Pkiremove

    Chapter 1. Create and Remove Instance Tools (externally signed CA, continued)
      "cn=ca\ signing\ cert,o=testca\ domain" -ca_audit_signing_cert_subject_name "cn=audit\ signing\ cert,o=testca\ domain" -external true -ext_csr_file /tmp/cert.req
    ...step 2...
      pkisilent ConfigureCA -cs_hostname localhost -cs_port 9445 -subsystem_name "pki-ca2" -preop_pin sYY8er834FG9793fsef7et5 -domain_name "testca" -admin_user admin -admin_email "admin@example.com" -admin_password password -external true -ext_cert_file /tmp/certs.cer -ext_cert_chain_file /tmp/cachain.cer
    1.3.
  • Page 23: Tokeninfo

    Chapter 2. TokenInfo This tool is used to determine which external hardware tokens are visible to the Certificate System subsystem. This can be used to diagnose whether problems using tokens are related to the Certificate System being unable to detect them. 2.1.
  • Page 25: Sslget

    Chapter 3. SSLGet This tool is similar to the wget command, which downloads files over HTTP. sslget supports client authentication using NSS libraries. The configuration wizard uses this utility to retrieve security domain information from the CA. 3.1. Syntax The sslget tool has the following syntax:
      sslget [ -e profile information ] -n rsa_nickname [[ -p password ] | [ -w passwordFile ]] [ -d dbdir ] [ -v ] [ -V ] -r url hostname[:port]...
  • Page 27: Auditverify

    Chapter 4. AuditVerify 4.1. About the AuditVerify Tool The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file.
  • Page 28: Return Values

    Chapter 4. AuditVerify
      AuditVerify -d dbdir -n signing_certificate_nickname -a logListFile [-P cert/key_db_prefix] [-...
      -d dbdir: Specifies the directory containing the security databases with the imported audit log signing certificate.
      -n signing_certificate_nickname: Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the signing certificate was imported into that database.
  • Page 29: Pin Generator

    Chapter 5. PIN Generator For the Certificate System to use the UidPwdPinDirAuth authentication plug-in module, the authentication directory must contain unique PINs for each end entity which will be issued a certificate. The Certificate System provides a tool, the PIN Generator, which generates unique PINs for end-entity entries in an LDAP directory.
  • Page 30: Syntax

    Chapter 5. PIN Generator 5.1.2. Syntax The setpin tool has the following syntax:
      setpin host=host_name [ port=port_number ] binddn=user_id [ bindpw=bind_password ]
        filter="LDAP_search_filter" [ basedn=LDAP_base_DN ]
        [[ length=PIN_length ] | [ minlength=minimum_PIN_length ] | [ maxlength=maximum_PIN_length ]]
        [ gen=character_type ] [ case=upperonly ] [ hash=algorithm ]
        [ saltattribute=LDAP_attribute_to_use_for_salt_creation ]
        [ input=file_name ] [ output=file_name ] [ write ] [ clobber ]
        [ testpingen=count ] [ debug ] [ optfile=file_name ]
        [ setup [ pinmanager=pinmanager_user ] [ pinmanagerpwd=pinmanager_password ] ]...
  • Page 31: Usage

    Usage (setpin options, continued)
      testpingen: Tests the PIN-generation mode. count sets the total number of PINs to generate fo...
      debug: Writes debugging information to the standard error. If debug=attrs is specified, ... each entry in the directory.
      optfile: Sets the tool to read options, one per line, from a file. This allows all arguments to ... command line.
  • Page 32 Chapter 5. PIN Generator directory entries; the filter attribute must still be provided. For more information about the input file, Section 5.2.1, “Input File”. Figure 5.1, “Using an Input and Output File When Generating PINs” refer to shows how the input and output files work with the setpin tool. Figure 5.1.
  • Page 33: Input File

    Input File (result codes, continued)
      notwritten: The PINs were not written to the directory because the write option was not used.
      writefailed: The tool tried to modify the directory, but the write operation was unsuccessful.
      added: The tool added the new PIN to the directory successfully.
      replaced: The tool replaced an old PIN with a new one;...
  • Page 34: Output File

    Chapter 5. PIN Generator (input file, continued)
      dn:cn=user1, dc=example,dc=com
      pin:pl229Ab
      dn:cn=user2, dc=example,dc=com
      pin:9j65dSf
      dn:cn=user3, dc=example,dc=com
      pin:3knAg60
    NOTE Hashed PINs cannot be provided to the tool.
    5.2.2. Output File The PIN Generator can capture the output to a text file specified by the output option. The output contains a sequence of records in the following format:
      dn: user_dn1
      pin: generated_pin1...
  • Page 35: Exit Codes

    Exit Codes (hash option, continued) Hash algorithm: SHA-1 or none. The PIN is stored in the directory as a binary value, not as a base-64 encoded value. 5.2.4. Exit Codes When the PIN Generator is finished running, it returns a result code showing how it ended. These are listed in Table 5.2, "Result Codes Returned by the PIN Generator".
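    The input/output record format, the uniqueness requirement and the hash option described in chapter 5, as an added example that is not code from the guide or from the setpin tool: a Python model that parses and writes the dn:/pin: record format, assigns PINs that are unique within a run, and computes the value that would be stored in the directory for hash=sha1 (raw digest bytes) or hash=none. Two things are assumptions, since the page does not state them: the placeholder character-class names alpha, alphanum and num stand in for whatever gen values setpin accepts, and the salt taken from saltattribute is hashed in front of the PIN.

```python
# Added example, not from the Red Hat Certificate System guide: a model of the
# PIN Generator's input/output records, unique-PIN assignment and hash option.
# Assumptions (not on the page): gen class names below are placeholders for
# the real tool's values; the salt is hashed before the PIN.
import hashlib
import random
import secrets
import string

# Placeholder names for the gen= character types (assumption, see above).
ALPHABETS = {
    "alpha": string.ascii_letters,
    "alphanum": string.ascii_letters + string.digits,
    "num": string.digits,
}


def _alphabet(gen, case=None):
    alphabet = ALPHABETS[gen]
    if case == "upperonly":
        alphabet = "".join(sorted(set(alphabet.upper())))
    return alphabet


def parse_records(text):
    """Parse the record format of the input and output files: a 'dn:' line,
    optionally followed by a 'pin:' line (input files may carry dn lines
    only). Returns (dn, pin) pairs with pin=None where no pin line exists."""
    records, dn = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a name:value line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            if dn is not None:          # previous dn had no pin line
                records.append((dn, None))
            dn = value
        elif key == "pin":
            if dn is None:
                raise ValueError("pin line without a preceding dn: %r" % raw)
            records.append((dn, value))
            dn = None
        else:
            raise ValueError("unexpected attribute %r" % key)
    if dn is not None:
        records.append((dn, None))
    return records


def format_records(records):
    """Render (dn, pin) pairs in the output-file format shown in the guide."""
    return "".join("dn:%s\npin:%s\n" % (dn, pin) for dn, pin in records)


def generate_pin(length, gen="alphanum", case=None, rng=secrets):
    """One PIN of the requested length; rng must provide choice(). The
    secrets module is the right default for PINs that will be used."""
    alphabet = _alphabet(gen, case)
    return "".join(rng.choice(alphabet) for _ in range(length))


def assign_pins(dns, length=7, gen="alphanum", case=None, rng=secrets):
    """Give every DN a PIN that is unique within this run, the property the
    UidPwdPinDirAuth plug-in relies on. Refuses alphabets too small for
    the number of entries instead of looping forever."""
    if len(_alphabet(gen, case)) ** length < len(dns):
        raise ValueError("alphabet too small for %d unique PINs" % len(dns))
    seen, out = set(), []
    for dn in dns:
        pin = generate_pin(length, gen, case, rng)
        while pin in seen:
            pin = generate_pin(length, gen, case, rng)
        seen.add(pin)
        out.append((dn, pin))
    return out


def stored_pin_value(pin, hash_alg="sha1", salt=None):
    """Bytes written to the entry: with hash=sha1 the raw 20-byte digest (a
    binary value, not base-64, as the guide says); with hash=none the
    cleartext PIN. Salt-then-PIN ordering is an assumption."""
    if hash_alg == "none":
        return pin.encode()
    if hash_alg != "sha1":
        raise ValueError("unsupported hash %r" % hash_alg)
    h = hashlib.sha1()
    if salt:
        h.update(salt.encode())
    h.update(pin.encode())
    return h.digest()


def seeded_rng(seed):
    """Deterministic RNG for dry runs and tests only, never for real PINs."""
    return random.Random(seed)


# Constructed sample, copied from the input-file excerpt in the guide.
SAMPLE_INPUT = (
    "dn:cn=user1, dc=example,dc=com\npin:pl229Ab\n"
    "dn:cn=user2, dc=example,dc=com\npin:9j65dSf\n"
    "dn:cn=user3, dc=example,dc=com\npin:3knAg60\n"
)
```

    The round trip parse_records(SAMPLE_INPUT) followed by format_records reproduces the sample byte for byte, which is the check to run on any output file before feeding it back to setpin with the write option.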
  • Page 37: Ascii To Binary

    Chapter 6. ASCII to Binary The Certificate System ASCII to binary tool decodes base-64 encoded ASCII data into its binary form. 6.1. Syntax The ASCII to binary tool, AtoB, has the following syntax: AtoB input_file output_file. Option Description: input_file Specifies the path and file to the base-64 encoded ASCII data.
  • Page 39: Binary To Ascii

    Chapter 7. Binary to ASCII The Certificate System binary to ASCII tool, BtoA, encodes binary data as base-64 ASCII data. 7.1. Syntax The BtoA tool uses the following syntax: BtoA input_file output_file. Option Description: input_file Specifies the path and file of the binary data. output_file Specifies the path and file to which the tool should write the base-64 encoded ASCII output.
  • Page 41: Pretty Print Certificate

    Chapter 8. Pretty Print Certificate The Pretty Print Certificate utility, PrettyPrintCert, prints the contents of a certificate stored as ASCII base-64 encoded data in a readable format. 8.1. Syntax The PrettyPrintCert command has the following syntax: PrettyPrintCert [-simpleinfo] input_file [output_file]. Option Description: -simpleinfo Optional....
  • Page 42 Chapter 8. Pretty Print Certificate 30:81:89:02:81:81:00:DE:26:B3:C2:9D:3F:7F:FA:DF: 24:E3:9B:7A:24:AC:89:AD:C1:BA:27:D1:1C:13:70:F7: 96:59:41:1F:4D:21:7A:F5:C7:96:C4:75:83:35:9F:49: E4:B0:A7:5F:95:C4:09:EA:67:00:EF:BD:7C:39:92:11: 31:F2:CA:C9:16:87:B9:AD:B8:39:69:18:CE:29:81:5F: F3:4D:97:B9:DF:B7:60:B3:00:03:16:8E:C1:F8:17:6E: 7A:D2:00:0F:7D:9B:A2:69:35:18:70:1C:7C:AE:12:2F: 0B:0F:EC:69:CD:57:6F:85:F3:3E:9D:43:64:EF:0D:5F: EF:40:FF:A6:68:FD:DD:02:03:01:00:01: Extensions: Identifier: 2.16.840.1.113730.1.1 Critical: no Value: 03:02:00:A0: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: EB:B5:11:8F:00:9A:1A:A6:6E:52:94:A9:74:BC:65:CF: 07:89:2A:23: Signature: Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5 Signature: 3E:8A:A9:9B:D1:71:EE:37:0D:1F:A0:C1:00:17:53:26: 6F:EE:28:15:20:74:F6:C5:4F:B4:E7:95:3C:A2:6A:74: 92:3C:07:A8:39:12:1B:7E:C4:C7:AE:79:C8:D8:FF:1F: D5:48:D8:2E:DD:87:88:69:D5:3A:06:CA:CA:9C:9A:55:...
  • Page 43: Pretty Print Crl

    Chapter 9. Pretty Print CRL The Pretty Print CRL tool, PrettyPrintCrl, prints the contents of a certificate revocation list (CRL) in an ASCII base-64 encoded file in a readable form. 9.1. Syntax The PrettyPrintCrl utility has the following syntax: PrettyPrintCrl input_file [output_file]. Option Description: input_file...
  • Page 44 Chapter 9. Pretty Print CRL Revocation Date: Tuesday, December 15, 1998 5:20:42 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: CA_Compromise Serial Number: 0x11 Revocation Date: Wednesday, December 16, 1998 4:51:54 AM Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Key_Compromise Serial Number: 0x10...
  • Page 45: Tks Tool

    Chapter 10. TKS Tool The TKS utility, tkstool, manages keys, including keys stored on tokens, the TKS master key, and related keys and databases. 10.1. Syntax The tkstool can be used to manage certificates and keys in several different ways. The syntax for these different operations is as follows: •...
  • Page 46 Chapter 10. TKS Tool • Listing all security modules. tkstool -S -d dbdir [-p dbprefix] [-x] • Generating a new transport key. tkstool -T -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile] [-z noiseFile] • Unwrapping a wrapped master key. tkstool -U -n keyname -d dbdir -t transport_keyname -i inputFile [-h token_name] [-p dbprefix] [-f pwfile] •...
  • Page 47: Usage

    Usage (tkstool options, continued)
      -n keyname: Required for every operation except -N, -P, and -S. Gives the name of the key bei...
      Required with -W. Gives the path and filename for the file to which to output the ne...
      Changes the key database password (software).
      -p dbprefix: Gives the prefix to the key database directory.
  • Page 48 Chapter 10. TKS Tool NOTE A hardware HSM can be used instead of the software database if the modutil utility is first used to insert the HSM slot and token into the secmod.db database. If an HSM is used, then the option -h hsm_token must be added to each of commands below.
  • Page 49 Usage slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": 0 transport 9. Use the transport key to generate and wrap a master key, and store the master key in a file called file.
  • Page 50 Chapter 10. TKS Tool (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . . master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) master key KCV: CED9 4A7B...
  • Page 51: Cmc Request

    Chapter 11. CMC Request The CMC Request utility, CMCRequest, creates a CMC request from one or more PKCS #10 or CRMF requests. The utility can also be used to revoke certificates. 11.1. Syntax The CMCRequest command uses a configuration file (.cfg) as a parameter. The .cfg file must include the path to the file of the formatted CMC request: CMCRequest /path/to/file.cfg For revocation requests, the revRequest.enable parameter must be set to true, and related...
  • Page 52 Chapter 11. CMC Request Parameters Description For example, confirmCertAcceptance.issuer=cn=Certificate Manager,ou=1 If set to true, then the request contains this attribute. If this parameter is not set, the valu getCert.enable For example, getCert.enable=false. The serial number for the getCert control. getCert.serial For example, getCert.serial=300.
  • Page 53: Usage

    Usage (configuration parameters, continued)
      revRequest.comment: For example, revRequest.comment=readable comment.
      revRequest.invalidityDatePresent: If set to true, the current time is the invalidity date for the revoked certificate. If se... For example, revRequest.invalidityDatePresent=false.
      identityProof.enable: If set to true, then the request contains this control. If this parameter is not set, th... For example, identityProof.enable=false.
  • Page 55: Cmc Enrollment

    Chapter 12. CMC Enrollment The CMC Enrollment utility, CMCEnroll, is used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users. 12.1.
  • Page 56 Chapter 12. CMC Enrollment 5. After configuring the HTML form, test CMCEnroll and the form by doing the following: a. Create a certificate request using certutil. b. Copy the PKCS #10 ASCII output to a text file. c. Run the CMCEnroll command to sign the certificate request. If the input file is request34.txt, the agent's certificate is stored in the /export/certs directory, the certificate common name for this CA is CertificateManagerAgentsCert, and the password for the certificate database is 1234pass, the command is as follows:...
  • Page 57: Cmc Response

    Chapter 13. CMC Response The CMC Response utility, CMCResponse, parses a CMC response received by the utility. 13.1. Syntax The CMC Response utility uses the following syntax: CMCResponse -d directoryName -i /path/to/CMCResponse.file. Options Description: -d directoryName Specifies the path to the cert8.db directory. -i Specifies the path and filename of the CMC response file.
  • Page 59: Cmc Revocation

    Chapter 14. CMC Revocation The CMC Revocation utility, CMCRevoke, signs a revocation request with an agent's certificate. 14.1. Syntax This utility has the following syntax: CMCRevoke -d directoryName -n nickname -i issuerName -s serialName -m reasonToRevoke -c comment. Option Description: -d directoryName The path to the directory where the cert8.db, key3.db, and secmod.db databases containing certificates are located.
  • Page 60 Chapter 14. CMC Revocation 2. Open the CA's end-entities page. 3. Select the Revocation tab. 4. Select the CMC Revoke link in the menu. 5. Paste the output from the CMCRevoke operation into the text box. Remove the -----BEGIN NEW CERTIFICATE REQUEST----- and ----END NEW CERTIFICATE REQUEST----- lines from the pasted content.
  • Page 61: Crmf Pop Request

    Chapter 15. CRMF Pop Request The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate.
  • Page 62: Usage

    Chapter 15. CRMF Pop Request 15.2. Usage The following example generates a CRMF/POP request for the Certificate System user admin, has the server verify that the information is correct, and prints the certificate request to the screen:
      CRMFPopClient password123 nullAuthMgr host.example.com 1026 admin example POP_SUCCESS CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ
    The following example generates a CRMF/POP request that includes a transport for key archival in the DRM.
  • Page 63: Extension Joiner

    Chapter 16. Extension Joiner The Certificate System provides policy plug-in modules that allow standard and custom X.509 certificate extensions to be added to end-entity certificates that the server issues. Similarly, the Certificate Setup Wizard that generates certificates for subsystem users allows extensions to be selected and included in the certificates.
  • Page 64 Chapter 16. Extension Joiner AtoB input_file output_file where input_file is the path and file containing the base-64 encoded data in ASCII and output_file is the path and file for the utility to write the binary output. b. Run the dumpasn1 utility. dumpasn1output_file where output_file is the path and file containing the binary data.
  • Page 65: Key Usage Extension

    Chapter 17. Key Usage Extension The GenExtKeyUsage tool creates a base-64 encoded blob that adds ExtendedKeyUsage (OID 2.5.29.37) to the certificate. This blob is pasted into the certificate approval page when the certificate is created. 17.1. Syntax The GenExtKeyUsage tool has the following syntax: GenExtKeyUsage [true|false] OID ...
  • Page 67: Issuer Alternative Name Extension

    Chapter 18. Issuer Alternative Name Extension The GenIssuerAltNameExt creates a base-64 encoded blob that adds the issuer name extensions, IssuerAltNameExt (OID 2.5.29.18), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created. 18.1.
  • Page 68: Usage

    Chapter 18. Issuer Alternative Name Extension 18.2. Usage The following example sets the issuer name in the RFC822Name and X500Name formats:
      GenIssuerAltNameExt RFC822Name TomTom@example.com X500Name cn=TomTom...
  • Page 69: Subject Alternative Name Extension

    Chapter 19. Subject Alternative Name Extension The GenSubjectAltNameExt creates a base-64 encoded blob to add the alternate subject name extension, SubjectAltNameExt (OID 2.5.29.17), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created. 19.1.
  • Page 70: Usage

    Chapter 19. Subject Alternative Name Extension 19.2. Usage In the following example, the subject alternate names are set to the RFC822Name and X500Name types:
      GenSubjectAltNameExt RFC822Name TomTom@example.com X500Name cn=TomTom...
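    What the extension blobs of GenExtKeyUsage (chapter 17) and GenSubjectAltNameExt (chapter 19) contain, together with the AtoB/BtoA conversion (chapters 6 and 7) and the dumpasn1-style inspection used in chapter 16, as an added example in Python that is not code from the guide or from Certificate System. It assumes the blob is the complete X.509 Extension structure (extnID, the critical flag when set, extnValue OCTET STRING); this page does not say whether the tools emit the whole extension or only its value. It encodes the RFC822Name form shown in the guide's example and, going beyond the page, DNSName; the X500Name form needs a full Name encoder and is left out.

```python
# Added example, not from the Red Hat Certificate System guide: a small DER
# encoder for the ExtendedKeyUsage and SubjectAltName extension blobs, the
# AtoB/BtoA base-64 directions, and a dumpasn1-style walk back over the bytes.
# Assumption (not on the page): the tools' blob is the full Extension SEQUENCE.
import base64

EXT_KEY_USAGE_OID = "2.5.29.37"     # id-ce-extKeyUsage
SUBJECT_ALT_NAME_OID = "2.5.29.17"  # id-ce-subjectAltName


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def base128(value):
    """Base-128 big-endian encoding of one OID arc (continuation bit 0x80)."""
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out)


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    first = arcs[0] * 40 + arcs[1]      # first two arcs share one value
    return tlv(0x06, b"".join(base128(v) for v in [first] + arcs[2:]))


def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits critical when it equals the default."""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value))


def btoa(data):
    """Binary to base-64 ASCII: the BtoA direction."""
    return base64.b64encode(data).decode("ascii")


def atob(text):
    """Base-64 ASCII to binary: the AtoB direction."""
    return base64.b64decode(text)


def gen_ext_key_usage(critical, *oids):
    """GenExtKeyUsage [true|false] OID ...: ExtKeyUsageSyntax is a
    SEQUENCE OF OBJECT IDENTIFIER (RFC 5280)."""
    seq = tlv(0x30, b"".join(encode_oid(o) for o in oids))
    return btoa(extension(EXT_KEY_USAGE_OID, critical, seq))


def gen_subject_alt_name(names, critical=False):
    """names: (type, value) pairs. GeneralName tags: rfc822Name [1] and
    dNSName [2], both IA5String, context-specific primitive."""
    tags = {"RFC822Name": 0x81, "DNSName": 0x82}
    general_names = b"".join(tlv(tags[t], v.encode("ascii")) for t, v in names)
    return btoa(extension(SUBJECT_ALT_NAME_OID, critical, tlv(0x30, general_names)))


def decode_oid(content):
    vals, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            vals.append(cur)
            cur = 0
    head = [vals[0] // 40, vals[0] % 40] if vals[0] < 80 else [2, vals[0] - 80]
    return ".".join(str(v) for v in head + vals[1:])


def read_tlv(data, pos):
    """Return (tag, content, position after the element)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, data[start:start + length], start + length


def dump(data, depth=0, lines=None):
    """dumpasn1-style listing, one line per element. OCTET STRING contents
    are descended into because an extnValue always carries nested DER."""
    lines = [] if lines is None else lines
    pad, pos = "  " * depth, 0
    while pos < len(data):
        tag, content, pos = read_tlv(data, pos)
        if tag == 0x06:
            lines.append("%sOBJECT IDENTIFIER %s" % (pad, decode_oid(content)))
        elif tag == 0x01:
            lines.append("%sBOOLEAN %s" % (pad, content != b"\x00"))
        elif tag in (0x30, 0x04):
            lines.append(pad + ("SEQUENCE" if tag == 0x30 else "OCTET STRING"))
            dump(content, depth + 1, lines)
        elif 0x80 <= tag <= 0x9F:
            lines.append("%s[%d] %s" % (pad, tag & 0x1F, content.decode("ascii", "replace")))
        else:
            lines.append("%s[tag 0x%02X] %s" % (pad, tag, content.hex()))
    return lines
```

    dump(atob(blob)) is the check to run on any blob before pasting it into the approval page: the first OBJECT IDENTIFIER line must be the extension you intended (2.5.29.37 or 2.5.29.17), a BOOLEAN True line appears only when you asked for a critical extension, and the nested SEQUENCE shows the OIDs or names actually encoded.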
  • Page 71: Http Client

    Chapter 20. HTTP Client The HTTP Client utility, HttpClient, sends a CMC request (created with the CMC Request utility) or a PKCS #10 request to a CA. 20.1. Syntax This utility takes a single .cfg configuration file as a parameter. The syntax is as follows: HttpClient /path/to/file.cfg The .cfg file has the following parameters: Parameters...
  • Page 73: Ocsp Client Tool

    Chapter 21. OCSP Client Tool The OCSP request utility, OCSPClient, creates an OCSP request conforming to RFC 2560 (since obsoleted by RFC 6960), submits it to the OCSP server, and saves the OCSP response in a file. 21.1. Syntax The OCSPClient tool has the following syntax: OCSPClient host port dbdir nickname serial_number or filename output times. Option Description...
  • Page 75: Pkcs #10 Client

    Chapter 22. PKCS #10 Client The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair in the security database, constructs a PKCS #10 certificate request with the public key, and outputs the request to a file. A 1024-bit RSA key is below the 2048-bit minimum now expected for production certificates, so treat requests generated with this default as test material. PKCS #10 is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests.
  • Page 77: Bulk Issuance Tool

    Chapter 23. Bulk Issuance Tool The bulkissuance utility sends a KEYGEN or a CRMF enrollment request to the bulk issuance interface of a CA to create certificates automatically. The bulkissuance utility does not generate the certificate request itself. It submits the content in the input file to the CA server's bulk issuance interface.
  • Page 79: Revocation Automation Utility

    Chapter 24. Revocation Automation Utility The revoker utility sends revocation requests to the CA agent interface to revoke certificates. To access the interface, revoker needs to have access to an agent certificate that is acceptable to the CA. The revoker tool can do all of the following: •...
  • Page 81 Chapter 25. tpsclient The tpsclient tool can be used for debugging or testing the TPS. The tpsclient imitates the Enterprise Security Client and can give debug output or emulate enrolling and formatting tokens without having to use tokens. The tpsclient tool is launched by running the command tpsclient. The tool has no options. Running this opens a shell which allows specific commands to be directed toward the tpsclient.
  • Page 82 Chapter 25. tpsclient op.format.tokenKey.update.symmetricKeys.enable=true op.format.tokenKey.update.symmetricKeys.requiredVersion=2 This setting instructs the TPS to upgrade the token from version 1 to version 2 during the tpsclient format operation. 3. Format the token using tpsclient, as follows: tpsclient Command>op=token_set cuid=a00192030405060708c9 app_ver=6FBBC105 key_info=0101 Command>op=token_set auth_key=404142434445464748494a4b4c4d4e4f Command>op=token_set mac_key=404142434445464748494a4b4c4d4e4f Command>op=token_set kek_key=404142434445464748494a4b4c4d4e4f Command>op=ra_format uid=jsmith pwd=password num_threads=1 new_pin=password...
  • Page 83 Syntax Example 25.2, “Example tpsclient Format The sample input file for an enrollment operation is shown in Input File”. op=var_set name=ra_host value=server.example.com op=var_set name=ra_port value=7888 op=var_set name=ra_uri value=/nk_service op=token_set cuid=00000000000000000001 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0 op=token_set auth_key=404142434445464748494a4b4c4d4e4f op=token_set mac_key=404142434445464748494a4b4c4d4e4f op=token_set kek_key=404142434445464748494a4b4c4d4e4f op=ra_format uid=jsmith pwd=secret new_pin=newsecret num_threads=1 Example 25.2.
  • Page 84 Chapter 25. tpsclient Operation Description Options • num_threads sets the number of threads to use • secureid_pin gives the token password The usage with this operation is name=value, which sets op=token_set Sets the token value. op=token_statusReturns the current token status/ This has the usage name=name, where name is the varia op=var_get Gets the current value of the variable.
  • Page 85 Index example , 31 syntax , 31 setpin command , 17 ASCII to Binary tool , 25 sslget tool , 13 example , 25 syntax , 13 syntax , 25 TKS tool Binary to ASCII tool , 27 options , 34 example , 27 sample , 35 syntax , 27...
