Provided by: pki-server_10.6.0-1ubuntu2_amd64
NAME
pki-server-cert - Command-Line Interface for managing System Certificates.
SYNOPSIS
       pki-server [CLI options] cert
       pki-server [CLI options] cert-find
       pki-server [CLI options] cert-update <cert ID>
       pki-server [CLI options] cert-create <cert ID>
       pki-server [CLI options] cert-import <cert ID>
DESCRIPTION
       The pki-server cert commands provide command-line interfaces to manage system
       certificates. pki-server cert commands perform system certificate related
       operations on a specific CS instance. All pki-server cert commands require
       specification of the cert ID to identify the target certificate.

       pki-server [CLI options] cert
              This command lists the available cert commands.

       pki-server [CLI options] cert-find
              This command lists all system certificates.

       pki-server [CLI options] cert-update <cert ID>
              This command updates the system certificate data and CSR in the
              corresponding subsystem's CS.cfg.

       pki-server [CLI options] cert-create <cert ID>
              This command creates a system certificate.

       pki-server [CLI options] cert-import <cert ID>
              This command imports a certificate into the NSS database and updates
              the corresponding subsystem's CS.cfg.

       To view each command's usage, type pki-server cert-<command> --help.

       All pki-server commands must be executed as the system administrator.
OPTIONS
       The other CLI options are described in pki-server(8).
OFFLINE SYSTEM CERTIFICATE RENEWAL
       The pki-server cert command is used as a part of the offline system
       certificate renewal process.

       Assumptions:

       1. Valid CA signing cert
       2. Valid admin cert
       3. PKI server is currently down

       Steps for offline system certificate renewal:

       A. Run these commands to verify our assumptions:

          1. List details of all system certificates

                 pki-server cert-find

          2. Check details of admin cert

                 certutil -L \
                     -d <client NSS DB dir> \
                     -n <admin cert nickname>

          3. Check status of PKI server

                 systemctl status pki-tomcatd@pki-tomcat

          Note: Get the sslserver cert serial number from step #1 above to create
          the permanent cert later. The admin needs to make a list of certs from
          step #1 that need to be renewed.

       B. To bring up a PKI server that has an expired SSL certificate:

          1. Create a temp SSL certificate

                 pki-server cert-create sslserver --temp

          2. Import the temp SSL certificate into the NSS database and update the
             corresponding subsystem's CS.cfg

                 pki-server cert-import sslserver

          3. Start the PKI server using the new temp SSL cert created

                 systemctl restart pki-tomcatd@pki-tomcat

       C. To renew system certificates:

          1. The admin will need to create the system certs, reported in step #A1
             above, that are almost expired or already expired.

                 pki-server cert-create <cert ID> --renew \
                     -d <client NSS DB dir> \
                     -c <NSS DB password> \
                     -n <admin nickname>

             For the SSL server certificate:

                 pki-server cert-create sslserver --renew \
                     --serial <old serial> \
                     -d <client NSS DB dir> \
                     -c <NSS DB password> \
                     -n <admin nickname>

          2. Stop the server to prevent NSS database corruption while importing:

                 systemctl stop pki-tomcatd@pki-tomcat

          3. Import the renewed system certificate into the NSS database and
             update the corresponding subsystem's CS.cfg

                 pki-server cert-import <cert ID>

          4. Start the server with the renewed permanent system certificates

                 systemctl start pki-tomcatd@pki-tomcat
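The following wrapper script is an added example and is not part of pki-server or this man page. It drives steps B and C above in the order the page requires (all cert-create calls first, then stop, then cert-import, then start), treats sslserver as the special case that needs --serial, and checks assumption 3 before touching anything. INSTANCE, PKI_DRY_RUN and the function names are assumptions of this example; with PKI_DRY_RUN=1 it prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not pki-server's own tooling. Run as root on the PKI host.
set -eu

# Assumed variables: instance name and a dry-run switch for reviewing the plan.
INSTANCE="${INSTANCE:-pki-tomcat}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${PKI_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Assumption 3 from the man page: the server must be down before offline renewal.
require_server_down() {
  if [ "${PKI_DRY_RUN:-0}" = 1 ]; then return 0; fi
  if systemctl is-active --quiet "pki-tomcatd@$INSTANCE"; then
    echo "pki-tomcatd@$INSTANCE is running; stop it before offline renewal" >&2
    return 1
  fi
}

# Step B: bring the server up on a temporary sslserver certificate.
bring_up_with_temp_ssl() {
  run pki-server cert-create sslserver --temp
  run pki-server cert-import sslserver
  run systemctl restart "pki-tomcatd@$INSTANCE"
}

# Step C: renew_certs <client NSS DB dir> <NSS DB password> <admin nickname> \
#                     <old sslserver serial> <cert ID>...
# Creates every renewed cert while the server is still up (the CA must sign),
# then stops the server before any import to avoid NSS database corruption.
renew_certs() {
  nssdb="$1"; pw="$2"; nick="$3"; old_serial="$4"; shift 4
  for id in "$@"; do
    if [ "$id" = sslserver ]; then
      run pki-server cert-create sslserver --renew --serial "$old_serial" \
          -d "$nssdb" -c "$pw" -n "$nick"
    else
      run pki-server cert-create "$id" --renew -d "$nssdb" -c "$pw" -n "$nick"
    fi
  done
  run systemctl stop "pki-tomcatd@$INSTANCE"
  for id in "$@"; do run pki-server cert-import "$id"; done
  run systemctl start "pki-tomcatd@$INSTANCE"
}

# Usage: require_server_down && bring_up_with_temp_ssl
#        renew_certs /root/.dogtag/nssdb "$NSS_PW" caadmin "$OLD_SERIAL" sslserver ca_audit_signing
```

Review the plan with PKI_DRY_RUN=1 first; the cert IDs, nickname and serial passed in must come from your own `pki-server cert-find` output (step A1).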
AUTHORS
       Dinesh Prasanth M K <dmoluguw@redhat.com>
COPYRIGHT
       Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General Public
       License, version 2 (GPLv2). A copy of this license is available at
       http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.