.nh
.TH pki-cert 1 "May 5, 2014" PKI "PKI Certificate Management Commands"
.SH NAME
.PP
pki-ca-cert - Command-line interface for managing certificates on PKI CA.

.SH SYNOPSIS
.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert\fP
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-find\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-show\fP \fIcert-ID\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-revoke\fP \fIcert-ID\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-hold\fP \fIcert-ID\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-release-hold\fP \fIcert-ID\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-profile-find\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-profile-show\fP \fIprofile-ID\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-submit\fP [\fIcommand-options\fP]
.br
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-review\fP \fIrequest-ID\fP [\fIcommand-options\fP]

.SH DESCRIPTION
.PP
The \fBpki-cert\fP commands provide command-line interfaces to manage certificates on the CA.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert\fP
.br
    This command is to list available certificate commands.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-find\fP [\fIcommand-options\fP]
.br
    This command is to list certificates in the CA.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-show\fP \fIcert-ID\fP [\fIcommand-options\fP]
.br
    This command is to view a certificate details.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-revoke\fP \fIcert-ID\fP
.br
    This command is to revoke a certificate.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-hold\fP \fIcert-ID\fP
.br
    This command is to place a certificate on hold temporarily.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-release-hold\fP \fIcert-ID\fP
.br
    This command is to release a certificate that has been placed on hold.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-profile-find\fP [\fIcommand-options\fP]
.br
    This command is to list available certificate request templates.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-profile-show\fP \fIprofile-ID\fP [\fIcommand-options\fP]
.br
    This command is to view a certificate request template.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-submit\fP [\fIcommand-options\fP]
.br
    This command is to submit a certificate request.

.PP
\fBpki\fP [\fICLI-options\fP] \fBca-cert-request-review\fP \fIrequest-ID\fP [\fIcommand-options\fP]
.br
    This command is to review a certificate request.

.SH OPTIONS
.PP
The \fIcommand-options\fP are described in \fBpki(1)\fP\&.

.SH OPERATIONS
.PP
To view available certificate commands, type \fBpki ca-cert\fP\&.
To view each command's usage, type \fBpki ca-cert-<command> --help\fP\&.

.SS Viewing Certificates
.PP
Certificates can be viewed anonymously.

.PP
To list all certificates in the CA:

.PP
.RS

.nf
$ pki ca-cert-find

.fi
.RE

.PP
It is also possible to search for and list specific certificates by adding a search filter.
Use \fBpki ca-cert-find --help\fP to see options.  For example, to search based on issuance date:

.PP
.RS

.nf
$ pki ca-cert-find --issuedOnFrom 2012-06-15

.fi
.RE

.PP
To list certificates with search constraints defined in a file:

.PP
.RS

.nf
$ pki ca-cert-find --input <filename>

.fi
.RE

.PP
where the file is in the following format:

.PP
.RS

.nf
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertSearchRequest>

    <serialNumberRangeInUse>true</serialNumberRangeInUse>
    <serialFrom></serialFrom>
    <serialTo></serialTo>

    <subjectInUse>false</subjectInUse>
    <eMail></eMail>
    <commonName></commonName>
    <userID></userID>
    <orgUnit></orgUnit>
    <org></org>
    <locality></locality>
    <state></state>
    <country></country>

    <matchExactly>false</matchExactly>

    <status></status>

    <revokedByInUse>false</revokedByInUse>
    <revokedBy></revokedBy>

    <revokedOnFrom>false</revokedOnFrom>
    <revokedOnTo></revokedOnTo>

    <revocationReasonInUse>false</revocationReasonInUse>
    <revocationReason></revocationReason>

    <issuedByInUse>false</issuedByInUse>
    <issuedBy></issuedBy>

    <issuedOnInUse>false</issuedOnInUse>
    <issuedOnFrom></issuedOnFrom>
    <issuedOnTo></issuedOnTo>

    <validNotBeforeInUse>false</validNotBeforeInUse>
    <validNotBeforeFrom></validNotBeforeFrom>
    <validNotBeforeTo></validNotBeforeTo>

    <validNotAfterInUse>false</validNotAfterInUse>
    <validNotAfterFrom></validNotAfterFrom>
    <validNotAfterTo></validNotAfterTo>

    <validityLengthInUse>false</validityLengthInUse>
    <validityOperation></validityOperation>
    <validityCount></validityCount>
    <validityUnit></validityUnit>

    <certTypeInUse>false</certTypeInUse>
    <certTypeSubEmailCA></certTypeSubEmailCA>
    <certTypeSubSSLCA></certTypeSubSSLCA>
    <certTypeSecureEmail></certTypeSecureEmail>

</CertSearchRequest>

.fi
.RE

.PP
To view a particular certificate:

.PP
.RS

.nf
$ pki ca-cert-show <certificate ID>

.fi
.RE

.SS Revoking Certificates
.PP
Revoking, holding, or releasing a certificate must be executed as an agent user.
To revoke a certificate:

.PP
.RS

.nf
$ pki <agent authentication> ca-cert-revoke <certificate ID>

.fi
.RE

.PP
To place a certificate on hold temporarily:

.PP
.RS

.nf
$ pki <agent authentication> ca-cert-hold <certificate ID>

.fi
.RE

.PP
To release a certificate that has been placed on hold:

.PP
.RS

.nf
$ pki <agent authentication> ca-cert-release-hold <certificate ID>

.fi
.RE

.SS Certificate Requests
.PP
To request a certificate, first generate a certificate signing request (CSR), then submit it with a certificate profile.
The list of available profiles can be viewed using the following command:

.PP
.RS

.nf
$ pki ca-cert-request-profile-find

.fi
.RE

.PP
To generate a CSR, use the certutil, PKCS10Client, or CRMFPopClient, and store it into a file.

.PP
Basic requests can be submitted using the following command:

.PP
.RS

.nf
$ pki ca-cert-request-submit \\
    --profile <profile ID> --request-type <type> --csr-file <CSR file> --subject <subject DN>

.fi
.RE

.PP
To submit more advanced requests, download a template of the request file for a particular profile using the following command:

.PP
.RS

.nf
$ pki ca-cert-request-profile-show <profile ID> --output <request file>

.fi
.RE

.PP
Then, edit the request file, fill in the input attributes required by the profile, and submit the request using the following command:

.PP
.RS

.nf
$ pki ca-cert-request-submit <request file>

.fi
.RE

.PP
Depending on the profile, the command may require authentication (see the profile configuration file).
The CLI currently supports client certificate authentication and directory-based authentication.

.PP
To submit the certificate renewal request can be submitted using the following command:

.PP
.RS

.nf
$ pki ca-cert-request-submit --profile <Renewal Profile> --serial <Certificate ID> --renewal

.fi
.RE

.PP
Also depending on the profile, an agent may need to review and approve the request by running
the following command:

.PP
.RS

.nf
$ pki <agent authentication> ca-cert-request-review <request ID> \\
    --file <file to store the certificate request>

.fi
.RE

.PP
The \fB--file\fP and \fB--action\fP options are mutually exclusive
(i.e. only one or the other may be specified during command invocation).

.PP
If the \fB--file\fP option is specified, the certificate request,
as well as the defaults and constraints of the enrollment profile,
will be retrieved and stored in the output file provided by the \fB--file\fP option.
The agent can examine the file and override any values if necessary.
To process the request, enter the appropriate action when prompted:

.PP
.RS

.nf
Action (approve/reject/cancel/update/validate/assign/unassign):

.fi
.RE

.PP
The request in the file will be read in, and the specified action will be applied against it.

.PP
Alternatively, when no changes to the request are necessary,
the agent can process the request in a single step using the \fB--action\fP option with the following command:

.PP
.RS

.nf
$ pki <agent authentication> ca-cert-request-review <request ID> --action <action>

.fi
.RE

.SH AUTHORS
.PP
Ade Lee &lt;alee@redhat.com&gt;, Endi S. Dewata &lt;edewata@redhat.com&gt;, and Matthew Harmsen &lt;mharmsen@redhat.com&gt;\&.

.SH COPYRIGHT
.PP
Copyright (c) 2014 Red Hat, Inc.
This is licensed under the GNU General Public License, version 2 (GPLv2).
A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.