Red Hat Certificate System 7.3 Command-Line Tools Guide

This book covers important, Certificate System-specific, command-line tools that you can use to create, remove, and manage subsystem instances and to create and manage keys and certificates.

Red Hat Certificate System 7.3: Command-Line Tools Guide
Copyright © 2008 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
About This Guide .......................................................... vii
  1. Who Should Read This Guide ........................................... vii
  2. Required Information ................................................. vii
  3. What Is in This Guide ................................................ vii
  4. Common Tool Information ..............................................
9. Pretty Print Certificate ................................................ 35
  1. Syntax ................................................................ 35
  2. Usage ................................................................. 35
10. Pretty Print CRL .......................................................
About This Guide

The Certificate System Command-Line Tools Guide describes the command-line tools and utilities bundled with Red Hat Certificate System and provides information such as command syntax and usage examples to help use these tools.

1. Who Should Read This Guide

This guide is intended for experienced system administrators who are planning to deploy the Certificate System.
Chapter 3, TokenInfo: Describes the utility which can be used to identify tokens on a machine, which shows whether the Certificate System can detect those tokens to use for a subsystem.
Chapter 4, SSLGet: Describes a tool used by the Certificate System to help configure and use security domains.
Chapter 5, AuditVerify: Describes how to use the tool used to verify signed audit logs.
encoding rules (DER)-encoded Extended Key Usage extension.
Chapter 19, Issuer Alternative Name Extension: Describes how to generate an Issuer Alternative Name extension in base-64 encoding.
Chapter 20, Subject Alternative Name Extension: Describes how to generate a Subject Alternative Name extension in base-64 encoding.
Chapter 21, HTTP Client: Describes how to communicate with any HTTP/HTTPS server.

• Certificate System Enterprise Security Client Guide explains how to install, configure, and use the Enterprise Security Client, the user client application for managing smart cards, user certificates, and user keys.
• Certificate System Migration Guide provides detailed migration information for migrating all parts and subsystems of previous versions of Certificate System to Red Hat Certificate System 7.3.
Formatting Style    Purpose
                    Emphasize a new term or other phrase.
Bolded text         Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.

Other formatting styles draw attention to important text.

NOTE
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.

• Select the Red Hat Certificate System product.
• Set the component to Doc - cli-tools-guide.
• Set the version number to 7.3.
• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.
• Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
Chapter 1. Create and Remove Instance Tools

The Certificate System includes two tools to create and remove subsystem instances, pkicreate and pkiremove.

NOTE
The pkicreate tool does not install the Certificate System; this is done by installing the packages or running the Red Hat Enterprise Linux up2date command. This tool creates new instances after the default subsystems have been installed.

Parameter            Description
pki_instance_root    Gives the full path to the new instance configuration directory.
subsystem_type       Gives the type of subsystem being created. The possible values are as follows:
                     • ca, for a Certificate Authority
                     • ra, for a Registration Authority
                     • kra, for a DRM
                     • ocsp, for an OCSP
                     • tks, for a TKS
                     • tps, for a TPS
pki_instance_name    Gives the name of the new instance. The name must be unique within the security domain.
1.2. Usage

In the following example, pkicreate is used to create a new DRM instance running on ports 10543 and 10180, named rhpki-drm2, in the /var/lib/rhpki-drm2 directory.

    pkicreate -pki_instance_root=/var/lib -subsystem_type=kra -pki_instance_name=rhpki-drm2 -secure_port=10543 \
      -unsecure_port=10180 -tomcat_server_port=1802 -user=pkiuser -group=pkigroup -verbose

To keep the pkicreate script from creating a new instance when it is run, set the DONT_RUN_PKICREATE environment variable to 1.
Chapter 2. Silent Installation

The Certificate System includes a tool, pkisilent, which can completely create and configure an instance in a single step. Normally, adding instances requires running the pkicreate utility to create the instance and then accessing the subsystem HTML page to complete the configuration; pkisilent performs both steps at once. The pkisilent tool must be downloaded independently. It is available through the Red Hat Certificate System 7.
      -admin_user adminUID -admin_email admin@email -admin_password password -agent_name agentName \
      -ldap_host hostname -ldap_port port -bind_dn bindDN -bind_password password -base_dn search_base_DN \
      -db_name dbName -key_size keySize -key_type keyType -agent_key_size keySize -agent_key_type keyType \
      -agent_cert_subject cert_subject_name -backup_pwd password

This tool has the following syntax for the TPS subsystem:

    perl pkisilent ConfigureTPS -cs_hostname hostname -cs_port SSLport -ca_hostname hostname -ca

Java™ Class Name    Subsystem
ConfigureDRM        For the DRM.
ConfigureOCSP       For the OCSP.
ConfigureTKS        For the TKS.
ConfigureTPS        For the TPS.
Table 2.1. Subsystem Java™ Classes for pkisilent

NOTE
The ConfigureCA script is used to create a security domain or to add the new CA to an existing domain. The other scripts only add the subsystem to an existing security domain.

Parameter             Description
cs_hostname           The hostname for the Certificate System machine.
agent_name            The new agent for the new subsystem.
agent_key_size        The key size to use for generating the agent certificate and key pair.
agent_key_type        The key type to use for generating the agent certificate and key pair.
agent_cert_subject    The subject name for the agent certificate.
ldap_host             The hostname of the Directory Server machine.
ldap_port             The non-SSL port of the Directory Server.
                      database to use for the TPS subsystem token database. Only for the TPS subsystem.
ldap_auth_base_dn     Gives the base DN in the LDAP directory tree of the TPS token database under which to create token entries. Only for the TPS subsystem.
Table 2.2. Parameters for pkisilent

2. Usage

    perl pkisilent ConfigureTPS -cs_hostname localhost -cs_port 7988 -ca_hostname server.example.com -ca_port 9080 \
      -ca_ssl_port 9443 -ca_agent_name agent -ca_agent_password password -client_certdb_dir /tmp/ \
      -client_certdb_pwd password -preop_pin fS44I6SASGF34FD76WKJHIW4 -domain_name "testca" -admin_user admin \
      -admin_email "admin@example.
Chapter 3. TokenInfo

This tool is used to determine which external hardware tokens are visible to the Certificate System subsystem. This can be used to diagnose whether problems using tokens are related to the Certificate System being unable to detect them.

1. Syntax

The TokenInfo tool has the following syntax:

    TokenInfo /directory/alias

Option              Description
/directory/alias    Specifies the path and file to the certificate and key database directory; for example, /var/lib/rhpki-ca/alias/.
Table 3.1.
Chapter 4. SSLGet

This tool is similar to the wget command, which downloads files over HTTP. sslget supports client authentication using NSS libraries. The configuration wizard uses this utility to retrieve security domain information from the CA.

1. Syntax

The sslget tool has the following syntax:

    sslget [-e profile information] -n rsa_nickname [-p password | -w pwfile] [-d dbdir] [-v] [-V] -r url hostname[:port]

Option    Description
e         Optional.

For example, to submit a certificate request through a certificate profile enrollment to a CA, the command is as follows:

    sslget -e "profileId=caInternalAuthServerCert&cert_request_type=pkcs10 &requestor_name=TPS-server.example.
Chapter 5. AuditVerify

1. About the AuditVerify Tool

The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file.

    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "CA Certificate" -t "CT,CT,CT" -a \
      -i /var/lib/instance_ID/alias/cacert.txt
    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "Log Signing Certificate" -a \
      -i /var/lib/instance_ID/alias/logsigncert.txt

3.

Option    Description
          should be prepended to the new audit security database files.
v         Optional. Specifies verbose output.
Table 5.1.

4. Return Values

When AuditVerify is used, one of the following codes is returned:

Return Value    Description
0               Indicates that the signed audit log has been successfully verified.
1               Indicates that there was an error while the tool was running.
Chapter 6. PIN Generator

For the Certificate System to use the UidPwdPinDirAuth authentication plug-in module, the authentication directory must contain unique PINs for each end entity which will be issued a certificate. The Certificate System provides a tool, the PIN Generator, which generates unique PINs for end-entity entries in an LDAP directory. The tool stores these PINs as hashed values in the same directory against the corresponding user entries.

    ## This line switches setpin into setup mode.
    ## Please do not change it.
    setup=yes

3. Run setpin, and set the option file to setpin.conf.

    setpin optfile=/usr/lib/rhpki/native-tools/setpin.conf

1.2. Syntax

Option       Description
filter       searches from the root.
length       Specifies the exact number of characters a PIN must contain; the default is 6. Do not use with minlength or maxlength.
minlength    Sets the minimum length of the generated PINs. If used with maxlength, this sets the lower end of the range of the PIN length. Do not use with length.
maxlength    Sets the maximum length of the generated PINs. If used with minlength, this sets the upper end of the range of the PIN length. Do not use with length.
             and generates PINs for only those DNs.
output       Specifies the absolute path to the file to write the PINs as setpin generates them. If a file is not set, then the output is written to the standard output. Regardless of whether an output file is set, all error messages are directed to the standard error.
write        Sets whether the tool should write PINs to the directory. If specified, the PINs are written to the directory as they are generated.
Table 6.1.

1.3. Usage

The following command generates PINs for all entries that have the CN attribute in their distinguished name in an LDAP directory named csldap listening on port 19000. The PIN Generator binds to the directory as Directory Manager and starts searching the directory from the base DN dn=o=example.com in the directory tree. Any existing PINs are overwritten with the new ones.

unless that option is used. This allows the PINs to be verified before any entries are modified. The information can be written to a different output file by using the output option; see Section 2.2, “Output File” for more information. The entries returned by the LDAP search filter can be further restricted by using an ASCII input file which lists the entry DNs; only entries matching those in the file are updated. The input file is set with the input option.

The output file contains the entry and PIN information from running setpin, as shown in the following example:

    Processing: cn=QA Managers,ou=employees,o=example.com
    Adding new pin/password
    dn:cn=QA Managers,ou=employees,o=example.com
    pin:lDWynV
    status:notwritten
    Processing: cn=PD Managers,ou=employees,o=example.com
    Adding new pin/password
    dn:cn=PD Managers,ou=employees,o=example.com
    pin:G69uV7
    status:notwritten

The output also contains the status of each entry in the directory.

2.1. Input File

The PIN Generator can receive a list of DNs to modify in a text file specified by the input argument. If an input file is specified, then the tool compares the DNs returned by the filter to the ones in the input file and updates only those DNs that match in the input file. The input file enables the user to provide the PIN Generator with an exact list of DNs to modify; it is also possible to provide the PIN Generator with PINs in plain text for all DNs or for specific DNs.

NOTE
Hashed PINs cannot be provided to the tool.

2.2. Output File

The PIN Generator can capture the output to a text file specified by the output option. The output contains a sequence of records in the following format:

    dn: user_dn1
    pin: generated_pin1
    status: status1
    dn: user_dn2
    pin: generated_pin2
    status: status2
    ...
    dn: user_dn#
    pin: generated_pin#
    status: status#

where user_dn is a distinguished name matching the DN filter or listed in the input file.

X     Hash Algorithm
0     SHA-1
1     MD5
45    none
Table 6.3.

The PIN is stored in the directory as a binary value, not as a base-64 encoded value.

2.4. Exit Codes

When the PIN Generator is finished running, it returns a result code showing how it ended. These result codes are listed in Table 6.4, “Result Codes Returned by the PIN Generator”.

Result Code    Description
0              The PIN generation was successful; PINs were set for all the DNs in the specified directory.
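The setpin output described in Section 2.2 is what an administrator reviews before re-running the tool with the write option, so it is worth being able to read it mechanically. The following Python is an added example, not part of the guide or of the setpin tool: it parses both record styles shown above (the run log with "Processing:" lines and the bare dn/pin/status records), summarizes the status values, flags PINs outside a configured minlength/maxlength range, and applies the same DN restriction an input file would. The sample text, the case-insensitive DN comparison and the "written" status value are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample output, mixing the two record styles shown in the guide.
# The third record and its "written" status are invented for the example.
SAMPLE_OUTPUT = """Processing: cn=QA Managers,ou=employees,o=example.com
Adding new pin/password
dn:cn=QA Managers,ou=employees,o=example.com
pin:lDWynV
status:notwritten
Processing: cn=PD Managers,ou=employees,o=example.com
Adding new pin/password
dn:cn=PD Managers,ou=employees,o=example.com
pin:G69uV7
status:notwritten
dn: cn=Auditors,ou=employees,o=example.com
pin: x7Kq2P
status: written
"""

# Only these three keys form a record; every other line is progress output.
LINE_RE = re.compile(r"^(dn|pin|status):\s*(.*)$")


def parse_setpin_output(text):
    """Return a list of {dn, pin, status} dicts; each dn: line starts a new record."""
    records, current = [], None
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # "Processing:" / "Adding new pin/password" lines are skipped
        key, value = match.group(1), match.group(2)
        if key == "dn":
            if current is not None:
                records.append(current)
            current = {"dn": value}
        elif current is not None:
            current[key] = value
    if current is not None:
        records.append(current)
    return records


def status_summary(records):
    """Count records per status, e.g. how many are still notwritten."""
    return dict(Counter(r.get("status", "unknown") for r in records))


def check_pin_lengths(records, minlength, maxlength):
    """DNs whose generated PIN falls outside the configured length range."""
    return [r["dn"] for r in records
            if not minlength <= len(r.get("pin", "")) <= maxlength]


def restrict_to_input_file(records, input_file_text):
    """Keep only records whose DN is listed in an input file (one DN per line).
    DN matching is done case-insensitively here; that is this example's assumption."""
    wanted = {ln.strip().lower() for ln in input_file_text.splitlines() if ln.strip()}
    return [r for r in records if r["dn"].lower() in wanted]


if __name__ == "__main__":
    recs = parse_setpin_output(SAMPLE_OUTPUT)
    print(status_summary(recs))
    print(check_pin_lengths(recs, 6, 6))
```

Running it on the sample reports two notwritten and one written record and no PIN outside a length of exactly 6, which is the check to make before running setpin again with write.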
Chapter 7. ASCII to Binary

The Certificate System ASCII to binary tool converts ASCII base-64 encoded data to binary base-64 encoded data.

1. Syntax

The ASCII to binary tool, AtoB, has the following syntax:

    AtoB input_file output_file

Option         Description
input_file     Specifies the path and file to the base-64 encoded ASCII data.
output_file    Specifies the file where the utility should write the binary output.
Table 7.1.

2. Usage

The example command takes the base-64 ASCII data in the ascii_data.
Chapter 8. Binary to ASCII

The Certificate System binary to ASCII tool, BtoA, converts binary base-64 encoded data to ASCII base-64 encoded data.

1. Syntax

The BtoA tool uses the following syntax:

    BtoA input_file output_file

Option         Description
input_file     Specifies the path and file of the base-64 encoded binary data.
output_file    Specifies the path and file to which the tool should write the ASCII output.
Table 8.1.

2.
Chapter 9. Pretty Print Certificate

The Pretty Print Certificate utility, PrettyPrintCert, prints the contents of a certificate stored as ASCII base-64 encoded data in a readable format.

1. Syntax

The PrettyPrintCert command has the following syntax:

    PrettyPrintCert [-simpleinfo] input_file [output_file]

Option        Description
simpleinfo    Optional. Prints limited certificate information in an easy to parse format.

    -----END CERTIFICATE-----

The certificate in pretty-print format in the ascii_cert.out file looks like the following:

    Certificate:
        Data:
            Version: v3
            Serial Number: 0x100C
            Signature Algorithm: OID.1.2.840.113549.1.1.5 - 1.2.840.113549.1.1.5
            Issuer: CN=Test CA,OU=Widget Makers 'R'Us,O=Example Corporation, Widgets\,Inc.,C=US
            Validity:
                Not Before: Wednesday, February 17, 1999 7:43:39 PM
                Not  After: Thursday, February 17, 2000 7:43:39 PM
            Subject: MAIL=admin@example.

format output file cert.simple.

    PrettyPrintCert -simpleinfo /usr/home/smith/test/ascii_cert.in /usr/home/smith/test/cert.simple

The base-64 encoded certificate data in ascii_cert.
Chapter 10. Pretty Print CRL

The Pretty Print CRL tool, PrettyPrintCrl, prints the contents of a certificate revocation list (CRL) in an ASCII base-64 encoded file in a readable form.

1. Syntax

The PrettyPrintCrl utility has the following syntax:

    PrettyPrintCrl input_file [output_file]

Option         Description
input_file     Specifies the path to the file that contains the ASCII base-64 encoded CRL.
output_file    Optional. Specifies the path to the file to write the CRL.

The CRL in pretty-print format in the ascii_crl.out output file looks like the following:

    Certificate Revocation List:
        Data:
            Version: v2
            Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
            Issuer: CN=Test CA,O=Example Corporation
            This Update: Thu Dec 17 14:37:24 PST 1998
            Revoked Certificates:
                Serial Number: 0x13
                Revocation Date: Tuesday, December 15, 1998 5:18:32 AM
                Extensions:
                    Identifier: Revocation Reason - 2.5.29.
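Chapters 7 through 10 describe a pipeline: the base-64 ASCII file is turned into DER bytes (AtoB), and the DER is walked and printed field by field (PrettyPrintCert, PrettyPrintCrl). The following Python is an added example that is not part of the guide or of the Certificate System tools; it performs both steps on constructed input, a fragment of a TBSCertificate carrying the version, serial number 0x100C and sha1WithRSA algorithm identifier, and one CRL revokedCertificates entry for serial 0x13. The dump is a generic DER structure listing, not the field-labelled format the tools print, and the length checks make truncated or over-long input fail instead of reading past the buffer, which is the failure mode a certificate parser must handle.

```python
import base64
import datetime

# Constructed sample DER (this example's own data, not from the guide):
# SEQUENCE { [0] { INTEGER 2 }, INTEGER 0x100C, SEQUENCE { OID sha1WithRSA, NULL } }
SAMPLE_CERT_DER = bytes.fromhex("3018a0030201020202100c300d06092a864886f70d0101050500")
# SEQUENCE { INTEGER 0x13, UTCTime "981215051832Z" }: one CRL revokedCertificates entry
SAMPLE_CRL_ENTRY_DER = bytes.fromhex("3012020113170d3938313231353035313833325a")


def ascii_to_binary(text):
    """AtoB step: drop -----BEGIN/END----- armor lines and decode base-64 text to DER."""
    body = "".join(ln.strip() for ln in text.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)


def binary_to_ascii(der, width=64):
    """BtoA step: base-64 encode DER bytes, wrapped at 64 columns as PEM files are."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width)) + "\n"


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Every length is checked against the buffer so malformed input raises ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)          # first two arcs are packed as 40*a + b
    return ".".join(str(x) for x in [first, arcs[0] - 40 * first] + arcs[1:])


def decode_utctime(value):
    """UTCTime YYMMDDhhmmssZ; years 50-99 are 19xx, 00-49 are 20xx (RFC 5280 rule)."""
    s = value.decode("ascii")
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime.datetime(year, int(s[2:4]), int(s[4:6]),
                             int(s[6:8]), int(s[8:10]), int(s[10:12]))


TAG_NAMES = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
             0x13: "PrintableString", 0x16: "IA5String", 0x17: "UTCTime",
             0x18: "GeneralizedTime"}


def pretty_print(der, indent=0, out=None):
    """Recursively dump a DER structure as indented lines (generic, not certificate-aware)."""
    out = [] if out is None else out
    pad = "    " * indent
    pos = 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0:   # SEQUENCE, SET, [n] constructed
            label = {0x30: "SEQUENCE", 0x31: "SET"}.get(tag, "[%d]" % (tag & 0x1F))
            out.append(pad + label + ":")
            pretty_print(value, indent + 1, out)
            continue
        name = TAG_NAMES.get(tag, "TAG 0x%02X" % tag)
        if tag == 0x02:
            n = int.from_bytes(value, "big", signed=True)
            text = ("-0x%X" % -n) if n < 0 else ("0x%X" % n)
        elif tag == 0x06:
            text = decode_oid(value)
        elif tag == 0x01:
            text = "FALSE" if value == b"\x00" else "TRUE"
        elif tag == 0x05:
            text = ""
        elif tag in (0x0C, 0x13, 0x16):
            text = value.decode("ascii", "replace")
        elif tag == 0x17:
            text = decode_utctime(value).strftime("%Y-%m-%d %H:%M:%S")
        else:
            text = value.hex()
        out.append(pad + name + (": " + text if text else ""))
    return out


def is_malformed(der):
    """True when the DER cannot be walked (truncated or inconsistent lengths)."""
    try:
        pretty_print(der)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pem = "-----BEGIN CERTIFICATE-----\n" + binary_to_ascii(SAMPLE_CERT_DER) + "-----END CERTIFICATE-----\n"
    print("\n".join(pretty_print(ascii_to_binary(pem))))
    print("\n".join(pretty_print(SAMPLE_CRL_ENTRY_DER)))
```

The cert fragment prints the [0] version wrapper, the serial as 0x100C and the 1.2.840.113549.1.1.5 algorithm OID; the CRL entry prints serial 0x13 and the 1998-12-15 05:18:32 revocation time, matching the values in the two sample listings above.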
Chapter 11. TKS Tool

The TKS utility, tksTool, manages keys, including keys stored on tokens, the TKS master key, and related keys and databases.

1. Syntax

The tksTool can be used to manage certificates and keys in several different ways. The syntax for these different operations is as follows:

• Deleting a key from a token.
    tksTool -D -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
• Inputting shares to generate a new transport key.
    tksTool -P -d dbdir [-p dbprefix] [-f pwfile]
• Renaming a symmetric key.
    tksTool -R -n keyname -r new_keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile]
• Listing all security modules.
    tksTool -S -d dbdir [-p dbprefix] [-x]
• Generating a new transport key.
    tksTool -T -n keyname -d dbdir [-h token_name] [-p dbprefix] [-f pwfile] [-z noiseFile]
• Unwrapping a wrapped master key.

The tksTool options are as follows:

Option    Description
D         Deletes a key from the token.
d         Required. Gives the security module database (HSM, if allowed for that operation) or the key database directory (software).
f         Gives the path and filename of the password file, if one is used.
h         Gives the token name for the token which contains the key to be managed. Some operations allow an all option to manage all keys in the token.
I         Inputs shares to generate a new transport key.
z         Gives the path and filename of the noise file to generate the key.
Table 11.1.

There are two additional options which can be used with tksTool to get more information about the utility.

Option    Description
H         Displays the extended help information.
V         Displays the version number of the tksTool tool.
Table 11.2.

2. Usage

1.
NOTE
A hardware HSM can be used instead of the software database if the modutil utility is first used to insert the HSM slot and token into the secmod.db database. If an HSM is used, then the option -h hsm_token must be added to each of the commands below.

3. List the contents of the local software key database.

    tksTool -L -d .
    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
    Enter Password or Pin for "NSS Certificate DB":
    tksTool: the specified token is empty

4.

    Successfully generated, stored, and named the transport key!

8. List the contents of the key database again.

    tksTool -L -d .
    slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
    Enter Password or Pin for "NSS Certificate DB":
    0 transport

9. Use the transport key to generate and wrap a master key, and store the master key in a file called file.

    tksTool -W -d .

NOTE
The order of the keys is not important, and some systems may display the keys in a different order.

11. Use the transport key to generate and unwrap a master key called unwrapped_master stored in a file called file.

    tksTool -U -d . -n unwrapped_master -t transport -i file
    Enter Password or Pin for "NSS Certificate DB":
    Retrieving the transport key from the specified token (for unwrapping) . . .
    Reading in the wrapped data (and resident master key KCV) from the file called "file" . . .

    tksTool -D -d . -n wrapped_master
    Enter Password or Pin for "NSS Certificate DB":
    tksTool: 1 key(s) called "wrapped_master" were deleted

14. List the contents of the key database again to show all keys.

    tksTool -L -d .
Chapter 12. CMC Request

The CMC Request utility, CMCRequest, creates a CMC request from one or more PKCS #10 or CRMF requests. The utility can also be used to revoke certificates.

1. Syntax

The CMCRequest command uses a configuration file (.cfg) as a parameter. The .cfg file must include the path to the file of the formatted CMC request:

    CMCRequest /path/to/file.cfg

For revocation requests, the revRequest.

Parameter    Description
dbdir        Required. The full path to the directory where the cert8.db, key3.db, and secmod.db databases are located. For example, dbdir=/u/smith/db/.
password     Required. The token password for cert8.db, which stores the agent certificate. For example, password=redhat.
format       The request format, either pkcs10 or crmf. For example, format=crmf.
Table 12.1.

The following .cfg file parameters set CMC controls:

Parameter                           Description
confirmCertAcceptance.
                                    For example, getCert.enable=false.
getCert.serial                      The serial number for the getCert control. For example, getCert.serial=300.
getCert.issuer                      The issuer name for the getCert control. For example, getCert.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
dataReturn.enable                   If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, dataReturn.enable=false.
dataReturn.
                                    is assumed to be false. For example, revRequest.enable=true.
revRequest.nickname                 The nickname for the certificate being revoked. For example, revRequest.nickname=newuser's 102504a ID.
revRequest.issuer                   The issuer name for the certificate being revoked. For example, revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us.
revRequest.serial                   The serial number for the certificate being revoked. For example, revRequest.serial=75.
revRequest.
                                    For example, revRequest.invalidityDatePresent=false.
identityProof.enable                If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, identityProof.enable=false.
identityProof.sharedSecret          The shared secret for the identityProof control. For example, identityProof.sharedSecret=testing.
popLinkWitness.enable               If set to true, then the request contains this control.

By default, the URI of the servlet that processes a simple CMC request is /ca/ee/ca/profileSubmitCMCSimple; this must be specified in the HttpClient configuration.
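The .cfg parameters above have two properties worth enforcing before a request is built: every <control>.enable flag that is not set is treated as false, and issuer values themselves contain "=" characters, so a naive split on "=" corrupts them. The following Python is an added example and not part of CMCRequest or the guide: it parses a constructed .cfg, applies the documented defaults, and reports configuration problems. The required-field rules for an enabled revRequest or identityProof control and the check that serial numbers are decimal are this example's own assumptions, not behaviour the guide describes.

```python
# Constructed sample .cfg using the parameter names and example values from Tables 12.1/12.2.
SAMPLE_CFG = """# CMCRequest configuration (constructed example)
dbdir=/u/smith/db/
password=redhat
format=crmf
revRequest.enable=true
revRequest.nickname=newuser's 102504a ID
revRequest.issuer=cn=Certificate Manager,ou=102504a,o=102504a,c=us
revRequest.serial=75
revRequest.invalidityDatePresent=false
identityProof.enable=false
identityProof.sharedSecret=testing
"""

REQUIRED = ("dbdir", "password", "format")
FORMATS = ("pkcs10", "crmf")
# CMC controls named in the guide; each is switched on by <control>.enable=true
CONTROLS = ("confirmCertAcceptance", "getCert", "dataReturn",
            "revRequest", "identityProof", "popLinkWitness")


def parse_cfg(text):
    """Parse key=value lines. Values may themselves contain '=' (issuer DNs do),
    so the line is split on the first '=' only."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, line))
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def as_bool(cfg, key):
    """Enable flags default to false when unset, as the guide states."""
    return cfg.get(key, "false").lower() == "true"


def enabled_controls(cfg):
    return [c for c in CONTROLS if as_bool(cfg, c + ".enable")]


def validate_cfg(cfg):
    """Return a list of problems; an empty list means the file passes these checks."""
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append("missing required parameter %s" % key)
    if cfg.get("format") and cfg["format"] not in FORMATS:
        problems.append("format must be one of %s" % ", ".join(FORMATS))
    # Assumption of this example: an enabled revRequest needs the certificate identified.
    if as_bool(cfg, "revRequest.enable"):
        for key in ("revRequest.nickname", "revRequest.issuer", "revRequest.serial"):
            if not cfg.get(key):
                problems.append("%s is required when revRequest.enable=true" % key)
        if not cfg.get("revRequest.serial", "").isdigit():
            problems.append("revRequest.serial must be a decimal serial number")
    if as_bool(cfg, "getCert.enable") and not cfg.get("getCert.serial", "").isdigit():
        problems.append("getCert.serial must be a decimal serial number")
    if as_bool(cfg, "identityProof.enable") and not cfg.get("identityProof.sharedSecret"):
        problems.append("identityProof.sharedSecret is required when identityProof.enable=true")
    return problems


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(enabled_controls(cfg))
    print(validate_cfg(cfg) or "cfg ok")
```

On the sample only the revRequest control is enabled and the file passes; dropping revRequest.serial or setting format=pem produces specific messages rather than a failure later inside the tool.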
Chapter 13. CMC Enrollment

The CMC Enrollment utility, CMCEnroll, is used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.

1.

requests, change the configuration so that this field is available. To enable the CMC Enrollment form for the CA end-entity interface, do the following:

1. Open the CA's web directory in /var/lib/rhpki-ca/web-apps/ca/ee/ca.
2. Open the CMCEnrollment.html file.
3. Find the following line:
    <form method="post" action="/enrollment" onSubmit="return validate(document.forms[0])">
4. Add the following line below that line:
    <input type="hidden" name="authenticator" value="CMCAuth">
5.

form.
e. The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.
f. Use the agent page to search for the new certificates.
Chapter 14. CMC Response

The CMC Response utility, CMCResponse, parses a CMC response received by the utility.

1. Syntax

The CMC Response utility uses the following syntax:

    CMCResponse -d directoryName -i /path/to/CMCResponse.file

Option    Description
d         Specifies the path to the cert8.db directory.
i         Specifies the path and filename of the CMC response file.
Table 14.1.

The parsed output is printed to the screen.
Chapter 15. CMC Revocation

The CMC Revocation utility, CMCRevoke, signs a revocation request with an agent's certificate.

1. Syntax

This utility has the following syntax:

    CMCRevoke -d directoryName -n nickname -i issuerName -s serialName -m reasonToRevoke -c comment

Option    Description
d         The path to the directory where the cert8.db, key3.db, and secmod.db databases containing the agent certificates are located.
n         The nickname of the agent's certificate.

NOTE
Surround values that include spaces with quotation marks.

2. Testing CMC Revocation

Test that CMC revocation is working properly by doing the following:

1. Create a CMC revocation request for an existing certificate.
Chapter 16. CRMF Pop Request

The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate. The tool does all of the following:

1. Has the CA enforce or verify POP information encoded within a CRMF request.

Option        Description
password      The password of the Certificate System user.
pop_option    Optional. Sets the type of POP request to generate; since this can generate invalid requests, this option can be used for testing. There are three values:
              • POP_SUCCESS. Generates a request with the correct POP information; the server verifies that the information is correct.
              • POP_FAIL. Generates a request with incorrect POP information; the server rejects this request if it is submitted.

certificate must be in the same directory from which the utility is launched; the tool picks up this file automatically.

    CRMFPopClient password123 POP_SUCCESS OUTPUT_CERT_REQ CN=MyTest,C=US,UID=MyUid

NOTE
A file named transport.txt containing the transport certificate in base-64 format must be created in the directory from which the utility is launched. This file must be available for archival to a DRM.
Chapter 17. Extension Joiner

The Certificate System provides policy plug-in modules that allow standard and custom X.509 certificate extensions to be added to end-entity certificates that the server issues. Similarly, the Certificate Setup Wizard that generates certificates for subsystem users allows extensions to be selected and included in the certificates. The wizard interface and the request-approval page of the agent interface contain a text area to paste any extension in its MIME-64 encoded format.

This creates a base-64 encoded blob of the joined extensions, similar to this example:

    MEwwLgYDVR0lAQHBCQwIgYFKoNFBAMGClGC5EKDM5PeXzUGBi2CVyLNCQYFU
    iBakowGgYDVR0SBBMwEaQPMA0xCzAJBgNVBAYTAlVT

3. Copy the encoded blob, without any modifications, to a file.
4.

    0 warnings, 0 errors.

If the output data do not appear to be correct, check that the original Java™ extension files are correct, and repeat converting the files from ASCII to binary and dumping the data until the correct output is returned.

5. When the extensions have been verified, copy the base-64 encoded blob that was created by running ExtJoiner to the Certificate System wizard screen, and generate the certificate or the certificate signing request (CSR).
Chapter 18. Key Usage Extension

The GenExtKeyUsage tool creates a base-64 encoded blob that adds ExtendedKeyUsage (OID 2.5.29.37) to the certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenExtKeyUsage tool has the following syntax:

    GenExtKeyUsage [true|false] OID ...

Option          Description
true | false    Sets the criticality. true means the extension is critical; false means it is not critical.
Chapter 19. Issuer Alternative Name Extension

The GenIssuerAltNameExt creates a base-64 encoded blob that adds the issuer name extensions, IssuerAltNameExt (OID 2.5.29.18), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenIssuerAltNameExt tool uses parameter pairs where the first parameter specifies the general type of name attribute which is used for the issuer and the second parameter gives that name in that format.

Parameter    Description
             o=Example Corporation, c=US.
             • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
             • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
             • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host.
             realm1|0|userID1,userID2.
Table 19.1.

2. Usage

The following example sets the issuer name in the RFC822Name and DirectoryName formats:

    GenIssuerAltNameExt RFC822Name TomTom@redhat.
Chapter 20. Subject Alternative Name Extension

The GenSubjectAltNameExt creates a base-64 encoded blob to add the alternate subject name extension, SubjectAltNameExt (OID 2.5.29.17), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenSubjectAltNameExt tool uses parameter pairs where the first parameter specifies the type of name format, and the second parameter gives that name in the specified format.

Parameter    Description
             cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
             • For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
             • For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
             • For URIName, the value must be a non-relative URI following the URL syntax and encoding rules.
             Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.
Table 20.1.

2. Usage

In the following example, the subject alternate names are set to the RFC822Name and DirectoryName types.

    GenSubjectAltNameExt RFC822Name TomTom@redhat.
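Chapters 17 through 20 all produce the same kind of artifact: a DER-encoded X.509 Extension (or, for ExtJoiner, a SEQUENCE of them) delivered as a base-64 blob. The following Python is an added example, not the code of GenExtKeyUsage, GenIssuerAltNameExt, GenSubjectAltNameExt or ExtJoiner, showing how those blobs are built under RFC 5280 DER rules: an ExtendedKeyUsage with the given criticality and purpose OIDs, an alternative-name extension from (type, value) pairs, and a joiner that wraps several extensions in one SEQUENCE. The tail of the ExtJoiner sample blob in Chapter 17 decodes to an IssuerAltNameExt carrying DirectoryName c=US, and the test below checks that this code reproduces those bytes. How the real tools encode a non-critical extension (DER omits the BOOLEAN when it is FALSE, as done here) and which attribute types they accept in a DirectoryName are assumptions of this example.

```python
import base64


def der_len(n):
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def der_extension(oid, critical, value_der):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    Assumption: DER encoding, so the BOOLEAN is omitted when critical is FALSE."""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value_der))


def ext_key_usage(critical, purpose_oids):
    """ExtendedKeyUsage (2.5.29.37): SEQUENCE OF KeyPurposeId, as GenExtKeyUsage produces."""
    return der_extension("2.5.29.37", critical,
                         tlv(0x30, b"".join(der_oid(o) for o in purpose_oids)))


# Attribute types accepted in a DirectoryName by this example (values as PrintableString).
ATTR_OIDS = {"CN": "2.5.4.3", "C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11"}


def der_name(rdn_pairs):
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue), one attribute per RDN."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, der_oid(ATTR_OIDS[attr]) + tlv(0x13, val.encode("ascii"))))
        for attr, val in rdn_pairs)
    return tlv(0x30, rdns)


def general_name(kind, value):
    """GeneralName CHOICE tags from RFC 5280: rfc822Name [1], dNSName [2],
    directoryName [4] (explicit, constructed), uniformResourceIdentifier [6]."""
    if kind == "RFC822Name":
        return tlv(0x81, value.encode("ascii"))
    if kind == "DNSName":
        return tlv(0x82, value.encode("ascii"))
    if kind == "URIName":
        return tlv(0x86, value.encode("ascii"))
    if kind == "DirectoryName":
        return tlv(0xA4, der_name(value))
    raise ValueError("unsupported name type " + kind)


def alt_name_ext(oid, names, critical=False):
    """SubjectAltName (2.5.29.17) or IssuerAltName (2.5.29.18): SEQUENCE OF GeneralName."""
    return der_extension(oid, critical,
                         tlv(0x30, b"".join(general_name(k, v) for k, v in names)))


def join_extensions(extension_ders):
    """Extensions ::= SEQUENCE OF Extension, the structure ExtJoiner pastes as one blob."""
    return tlv(0x30, b"".join(extension_ders))


def to_blob(der):
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    eku = ext_key_usage(True, ["1.3.6.1.5.5.7.3.1"])          # critical, id-kp-serverAuth
    ian = alt_name_ext("2.5.29.18", [("DirectoryName", [("C", "US")])])
    san = alt_name_ext("2.5.29.17", [("RFC822Name", "admin@example.com"),
                                     ("DNSName", "testCA.example.com")])
    print(to_blob(join_extensions([eku, ian, san])))
```

A critical ExtendedKeyUsage containing only id-kp-serverAuth encodes to a 24-byte Extension whose blob starts with MBYG; the issuerAltName with DirectoryName c=US matches the final 28 bytes of the Chapter 17 blob, which is a useful way to confirm a pasted blob before the wizard consumes it.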
Chapter 21. HTTP Client

The HTTP Client utility, HttpClient, sends a CMC request (created with the CMC Request utility) or a PKCS #10 request to a CA.

1. Syntax

This utility takes a single .cfg configuration file as a parameter. The syntax is as follows:

    HttpClient /path/to/file.cfg

The .cfg file has the following parameters:

Parameter    Description
host         The hostname for the Certificate System server. For example: host=server.com
port         The port number for the Certificate System server.
servlet      The URI of the servlet that processes full CMC requests. The default value is /ca/profileSubmitCMCFull. For example: servlet=/ca/profileSubmitCMCFull
Table 21.1.
Chapter 22. OCSP Request

The OCSP request utility, OCSPClient, creates an OCSP request conforming to RFC 2560, submits it to the OCSP server, and saves the OCSP response in a file.

1. Syntax

The OCSPClient tool has the following syntax:

    OCSPClient host port dbdir nickname serial_number output times

Option    Description
host      Specifies the hostname of the OCSP server.
port      Gives the port number of the OCSP server.
dbdir     Gives the location of the security databases (cert8.db, key3.db, and secmod.
Chapter 23. PKCS #10 Client

The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair in the security database, constructs a PKCS #10 certificate request with the public key, and outputs the request to a file. PKCS #10 is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests. The Certificate System CA supports KEYGEN, PKCS #10, CRMF, and CMC.
Chapter 24. Bulk Issuance Tool

The bulkissuance utility sends a KEYGEN or a CRMF enrollment request to the bulk issuance interface of a CA to create certificates automatically. The bulkissuance utility does not generate the certificate request itself. It submits the content in the input file to the CA server's bulk issuance interface. The bulk issuance interface is part of the agent interface of the CA.

This utility requires an input file which includes the URI to the CA's bulk issuance interface and the certificate request.
Chapter 25. Revocation Automation Utility

The revoker utility sends revocation requests to the CA agent interface to revoke certificates. To access the interface, revoker needs to have access to an agent certificate that is acceptable to the CA. The revoker tool can do all of the following:

• Specify which certificate or a list of certificates to revoke by listing the hexadecimal serial numbers.
• Specify a revocation reason.
• Specify an invalidity date.
• Unrevoke a certificate that is currently on hold.

Option      Description
            • 0 - Unspecified (default).
            • 1 - The key was compromised.
            • 2 - The CA key was compromised.
            • 3 - The affiliation of the user has changed.
            • 4 - The certificate has been superseded.
            • 5 - Cessation of operation.
            • 6 - The certificate is on hold.
i           Sets the invalidity date in hours from the current time for when to revoke the certificate.
hostname    Gives the hostname of the server to which to send the request.
port        Optional.
Index

A
ASCII to Binary tool, 31
  example, 31
  syntax, 31
B
Binary to ASCII tool, 33
  example, 33
  syntax, 33
C
command-line utilities
  ASCII to Binary, 31
  Binary to ASCII, 33
  extension joiner, 67
  for adding extensions to CMS certificates, 67
  PIN Generator, 21
  Pretty Print Certificate, 35
  Pretty Print CRL, 39
  sslget, 15
  TKS tool, 41
  TokenInfo, 13
P
Pretty Print Certificate tool, 35
  example, 35
  syntax, 35
Pretty Print CRL tool, 39
  example, 39
  syntax, 39
S
setpin command, 21
sslget tool