Skip to content

PKI Server CA Certificate Request CLI

Endi S. Dewata edited this page Mar 27, 2024 · 12 revisions

Overview

The pki-server ca-cert-request-* commands provide a way to manage certificate requests in CA database when PKI server is offline. These commands can only be executed by the system administrator.

Finding Certificate Requests

To find the certificate request for a certificate in CA database:

$ pki-server ca-cert-request-find --cert-file <cert file>

As of PKI 10.4 the content of the certificate has to be formatted as follows:

  • The certificate must be base-64 encoded.

  • Each line must be at most 64 bytes long and terminated with CRLF.

  • There is no BEGIN/END CERTIFICATE header/footer.

For example:

MIIDnTCCAoWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQKDAdFWEFN<CRLF>
UExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl<CRLF>
...
EzgqNUFrj/ATV31qVzEb6aka+93bd437Iga68OTz+8fhif8TbILWfJG87rU3w00D<CRLF>
DMK8f1ILzfnK1kUEkBQ9zoiDlQyiUsl6TDJKXFc8Woqi0VTgK2AJ7cVdrwtOiE++<CRLF>
6jk3lUH/goACLP5fIuZWqlM=<CRLF>

Note: The certificate format may change in the future.

Displaying Certificate Request

To display a certificate request in CA database:

$ pki-server ca-cert-request-show <request ID>

Importing Certificate Request

To import a certificate request in CA database:

$ pki-server ca-cert-request-import \
    [--request <ID>] \
    --csr <path> \
    --profile <filename>

where:

  • The --request parameter specifies an optional ID for the request. If the request ID is not specified and the request ID generator is configured to random, a new random request ID will be generated automatically.

  • The --csr parameter specifies the relative or absolute path to the CSR file.

  • The --profile parameter specifies the filename of the bootstrap profile in /var/lib/pki/pki-tomcat/conf/ca without the path (e.g. serverCert.profile).

Availability: Since PKI 11.4.

Clone this wiki locally