Ubuntu Manpage: pki-server-cert - Command-Line Interface for managing System Certificates.

Provided by: pki-server_10.6.0-1ubuntu2_amd64

NAME

       pki-server-cert - Command-Line Interface for managing System Certificates.

SYNOPSIS

       pki-server [CLI options] cert
       pki-server [CLI options] cert-find
       pki-server [CLI options] cert-update <cert ID>
       pki-server [CLI options] cert-create <cert ID>
       pki-server [CLI options] cert-import <cert ID>

DESCRIPTION

       The pki-server cert commands provide command-line interfaces to manage system certificates.

       pki-server  cert  commands  perform system certificate related operations on a specific CS instance.  All
       pki-server cert commands require specification of the cert ID to identify the target certificate.

       pki-server [CLI options] cert
           This command is to list available cert commands.

       pki-server [CLI options] cert-find
           This command is to list all system certificates.

       pki-server [CLI options] cert-update <cert ID>
           This command is to update the system certificate  data  and  CSR  in  the  corresponding  subsystem's
           CS.cfg.

       pki-server [CLI options] cert-create <cert ID>
           This command is to create a system certificate.

       pki-server [CLI options] cert-import <cert ID>
           This  command  is  to imports certificate into NSS database and updates the corresponding subsystem's
           CS.cfg.

       To view each command's usage, type  pki-server cert-<command> --help.

       All pki-server commands must be executed as the system administrator.

OPTIONS

       The other CLI options are described in pki-server(8).

OFFLINE SYSTEM CERTIFICATE RENEWAL

pki-server cert command is used as a part of offline system certificate renewal process.

Assumptions:

1. Valid CA signing cert

2. Valid admin cert

3. PKI server is currently down

Steps for offline system certificate renewal:

A. Run these commands to verify our assumptions:

1. List details of all system certificates
pki-server cert-find

2. Check details of admin cert
certutil -L \
-d <client NSS DB dir> \
-n <admin cert nickname>

3. Check status of PKI server
systemctl status pki-tomcatd@pki-tomcat

Note: Get the sslserver cert serial number from step #1 above to create permanent cert later. The
admin needs to make a list of certs from step #1 that needs to be renewed.

B. To bring up a PKI server that has expired SSL certificate:

1. Create temp SSL certificate
pki-server cert-create sslserver --temp

2. Import the temp SSL certificate into NSS database and update corresponding subsystem's CS.cfg
pki-server cert-import sslserver

3. Start PKI server using the new temp SSL cert created
systemctl restart pki-tomcatd@pki-tomcat

C. To renew system certificates:

1. The admin will need to create system certs, reported in step #A1 above, that are almost
expired or already expired.
pki-server cert-create <cert ID> --renew \
-d <client NSS DB dir> \
-c <NSS DB password> \
-n <admin nickname>

For SSL server certificate:
pki-server cert-create sslserver --renew \
--serial <old serial> \
-d <client NSS DB dir> \
-c <NSS DB password> \
-n <admin nickname>

2. Stop the server to prevent NSS database corruption while importing:
systemctl stop pki-tomcatd@pki-tomcat

3. Import the renewed system certificate into NSS database and update corresponding subsystem's
CS.cfg
pki-server cert-import <cert ID>

4. Start the server with renewed permanent system certificates
systemctl start pki-tomcatd@pki-tomcat

AUTHORS

       Dinesh Prasanth M K <dmoluguw@redhat.com>

COPYRIGHT

       Copyright  (c)  2017  Red  Hat,  Inc.  This  is  licensed under the GNU General Public License, version 2
       (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 10.4                                       Aug 1, 2017                                pki-server-cert(8)