Shows token key information for the specified realm, including
key algorithm, key length and secret splitting information.
TODO: Key info not implemented yet!
Lists keys together with a status flag, which can be one of the following:
Starts a certificate management command that lets you list, import, remove and chain (connect) certificates for the configured PKI realms.
openxpkiadm certificate <subcommand> <options>
certificate management subcommands
list
    Subcommand options (optional):
        --realm       PKI realm to operate on
        --all         Show all certificates
        -v            Show subject and issuer DN as well
        -v -v         Show chain as well
        -v -v -v      Show (nearly complete) database entry
        -v -v -v -v   Show pubkey and certificate data, too
Lists the certificates present in the database for the specified realm. If --all is not specified, only certificates that have an alias defined for them are listed; --all lists all certificates, regardless of whether they have an alias or not. If --realm is left out, the certificates of all realms are listed. Each additional -v increases the verbosity (see above for what is listed in each case).
import
    Subcommand options:
        --file        the PEM file to import from
        --revoked     import with status revoked
        --issuer      the identifier of the issuer
        --realm       PKI realm to import the certificate into
    Force options (use only if you know exactly what you are doing!):
        --force-no-chain (only without issuer)
                      Import even if the chain is incomplete, set NULL as issuer
        Force the issuer setting even if the chain validation fails
        Force update for an existing certificate

Once again, only use these options if you actually have to (the occasions where this is necessary should be really, really rare). Note that --force-no-chain can result in a wrong issuer assignment if key identifiers or subjects are ambiguous; pass an explicit --issuer in such cases if possible.
Adds a certificate to the database. The issuer is usually auto-detected and needs to be given only in rare cases. By default certificates are imported into the global realm; to add one to a specific realm, pass --realm. Note that a certificate always inherits the realm of its issuer!
The command outputs the subject DN, the issuer DN and the realm the certificate was imported into, so you can verify that you imported the correct certificate, as well as a unique identifier that can be used to reference the certificate globally (e.g. in the configuration or as an --issuer). If you don't want to remember the identifier, see openxpkiadm alias for how to create a symbolic name for it.
Import a certificate into the global realm (issuer auto-detected):

    openxpkiadm certificate import --file cacert.pem

Import a certificate whose issuer is not known into the ServerCA realm:

    openxpkiadm certificate import --file cacert.pem \
        --force-no-chain --realm ServerCA
You can create an alias directly on import by adding either --alias, --group/--generation or --token to the command. This runs the alias command with those parameters for the imported certificate inline.
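The import rules described above (issuer auto-detection, realm inheritance from the issuer, --force-no-chain storing a NULL issuer, and the ambiguity that makes an explicit --issuer necessary) as an added, self-contained illustration. This is not OpenXPKI's code: certificates are modelled as plain records with subject, issuer DN and key identifiers, the preference "key identifier match before subject DN match" and all sample records are assumptions of this example.

```python
# Added illustration (not OpenXPKI code) of issuer resolution on import.
# Certificate records and the matching order are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CertRecord:
    identifier: str                 # unique id, as printed by "certificate import"
    subject: str
    issuer_dn: str
    ski: Optional[str] = None       # subject key identifier (hex), may be absent
    aki: Optional[str] = None       # authority key identifier (hex), may be absent
    realm: str = "global"
    issuer_identifier: Optional[str] = None   # NULL until the chain is known


class AmbiguousIssuer(Exception):
    pass


class IncompleteChain(Exception):
    pass


def is_self_signed(cert: CertRecord) -> bool:
    if cert.aki is not None and cert.ski is not None:
        return cert.aki == cert.ski
    return cert.subject == cert.issuer_dn


def find_issuer(cert: CertRecord, store: Dict[str, CertRecord]) -> str:
    """Identifier of the issuer of `cert` within `store`.
    Assumed order: AKI -> SKI match first, subject DN match as fallback."""
    if is_self_signed(cert):
        return cert.identifier
    if cert.aki is not None:
        hits = [c for c in store.values() if c.ski == cert.aki]
    else:
        hits = [c for c in store.values() if c.subject == cert.issuer_dn]
    if not hits:
        raise IncompleteChain(f"no issuer for {cert.subject!r} in database")
    if len(hits) > 1:
        raise AmbiguousIssuer(f"{len(hits)} candidate issuers for {cert.subject!r}")
    return hits[0].identifier


def import_cert(store, cert, realm=None, issuer=None, force_no_chain=False):
    """Explicit issuer wins, otherwise auto-detect; a chained certificate
    inherits its issuer's realm; --force-no-chain stores NULL as issuer."""
    if cert.identifier in store:
        raise ValueError("certificate already present")
    if issuer is not None:
        if issuer not in store:
            raise ValueError(f"explicit issuer {issuer!r} not in database")
        cert.issuer_identifier = issuer
    elif force_no_chain:
        cert.issuer_identifier = None
    else:
        cert.issuer_identifier = find_issuer(cert, store)
    if cert.issuer_identifier not in (None, cert.identifier):
        cert.realm = store[cert.issuer_identifier].realm   # inherited, --realm ignored
    else:
        cert.realm = realm or "global"
    store[cert.identifier] = cert
    return cert


def demo() -> dict:
    """Walk through the cases the man page describes on constructed records."""
    store, out = {}, {}
    root = CertRecord("root1", "CN=Root CA", "CN=Root CA", ski="aa", aki="aa")
    out["root_realm"] = import_cert(store, root, realm="Root CA").realm
    sub = CertRecord("sub1", "CN=Server CA", "CN=Root CA", ski="bb", aki="aa")
    out["sub_realm"] = import_cert(store, sub, realm="ServerCA").realm   # inherits "Root CA"
    out["sub_issuer"] = sub.issuer_identifier
    orphan = CertRecord("x1", "CN=Other", "CN=Unknown CA", aki="ff")
    try:
        import_cert(store, orphan)
        out["orphan"] = "imported"
    except IncompleteChain:
        out["orphan"] = "incomplete chain"
    out["forced_realm"] = import_cert(store, orphan, realm="ServerCA", force_no_chain=True).realm
    # two legacy roots with identical subject and no key identifiers
    store["old1"] = CertRecord("old1", "CN=Legacy Root", "CN=Legacy Root", realm="Legacy")
    store["old2"] = CertRecord("old2", "CN=Legacy Root", "CN=Legacy Root", realm="Legacy")
    leaf = CertRecord("leaf1", "CN=host", "CN=Legacy Root")
    try:
        import_cert(store, leaf)
        out["ambiguous"] = "imported"
    except AmbiguousIssuer:
        out["ambiguous"] = "ambiguous"
    out["explicit_issuer"] = import_cert(store, leaf, issuer="old2").issuer_identifier
    return out
```

The last two cases are the ones the force options are about: a missing issuer is only importable with --force-no-chain, and an ambiguous subject is only safe with an explicit --issuer.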
remove
    Subcommand options:
        --name        The alias or identifier of the certificate
        --realm       The PKI realm in which the alias is defined
    Force options (use only if you know what you are doing!):
        --force-is-issuer
                      Delete the certificate even though it is the issuer of
                      another certificate in the database
Removes a certificate from the database.
    openxpkiadm certificate remove --realm "Root CA" \
        --name "Root CA 1"
chain
    Subcommand options:
    Mandatory:
        --realm       The PKI realm to operate in
        --name        The alias or identifier of the child
        --issuer      The alias or identifier of the parent
        --issuer-realm
                      The realm in which the issuer alias is defined
    Force options (use only if you know what you are doing!):
        Ignore that the certificate of the child was not found in the DB
        Ignore that the certificate of the parent was not found in the DB
Once again, only use these options if you actually have to (the occasions where this happens should be really, really rare).
Specifies a subject/issuer relationship in order to set up certificate chains. The certificates to be connected must already be present in the database (see import). As these connections are already set up during import, this command exists for changing the issuer if you made an error. It also allows you to specify an issuer that does not agree with the information contained in the certificate (but prints a warning).

    openxpkiadm certificate chain --realm "Root CA" \
        --name "Subordinate CA 1" --issuer root1
An alias is a symbolic name for a certificate in a specific realm. OpenXPKI uses aliases to manage the crypto tokens for signer and helper tokens. Several configuration options and commands accept aliases as well.
The selection of functional tokens is based on the notbefore/notafter date. To force a certain behaviour (e.g. the time of a CA rollover), you can set a custom notbefore/notafter date on the alias.
        --realm       PKI realm for the alias
        --identifier  The identifier of the certificate
        --notbefore   custom notbefore date to set
        --notafter    custom notafter date to set
                      accepted formats are epoch or yyyy-mm-dd hh:mm:ss;
                      a literal 0 restores the certificate's validity.
There are different ways to deal with aliases:
list tokens
    If you pass a realm but no identifier, you receive the list of active tokens for all token groups, the current root certificate and, if set, the upcoming root certificate as used by the SCEP GetNextCACert operation.
    For items with custom notbefore/notafter settings, the certificate's own value is shown in brackets:

        upcoming root ca:
            Alias     : root-2
            Identifier: xGBSVo6N-9gpjB8UFll4TS-u-Eo
            NotBefore : 2014-01-01 00:00:00 (2013-06-17 13:54:34)
            NotAfter  : 2016-12-31 23:59:59 (2020-06-17 13:54:34)
To show the certificates subject besides the identifier, add --subject.
To list all tokens or only the active ones, add the filter parameter:
    --filter all or --filter active
You can also filter by a certain group name with --group <groupname>.
Specify --nogroup to list tokens that do not belong to a group.
add functional token with automatic group discovery
    Looks up the name of the group associated with the token type and determines the next generation index from the aliases already present in that group. Recommended.
        --token       The name of the token type you want to add, e.g. certsign or datasafe.

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --token certsign
add functional token with manual group configuration
    The alias is automatically set to <group>-<generation>, e.g. server-ca-1.
        --group       The name of the group (e.g. server-ca)
        --generation  The numeric index to use for this alias

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --group server-ca --gen 1
add non-functional alias
    Adds the alias leaving group and generation empty.
        --alias       The symbolic name for the certificate

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --alias my-very-important-certificate
update alias
    Update the notbefore/notafter date of an existing alias.

    openxpkiadm alias --update --realm ca-one \
        --alias ca-one-signer-1 --notbefore "2014-01-01 00:00:00"

    This updates only notbefore; notafter is left unchanged.
remove alias
    Remove the entry from the alias table.
        --remove      Indicates that the alias should be removed.
        --alias       Select the alias by name rather than passing the identifier.

    openxpkiadm alias --remove --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw

    openxpkiadm alias --remove --realm server-realm \
        --alias server-ca-1
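The alias semantics described in this section (the two accepted date formats, custom notbefore/notafter overrides, the literal 0 that restores the certificate's own validity, date-based selection of a group's active token, and next-generation discovery for functional tokens) as an added, self-contained illustration. This is not OpenXPKI's code: the rule "within a group, the newest generation whose effective window covers now is the active token", the UTC interpretation of dates, and all rows in sample_rows() are assumptions of this example; the root-2 row is modelled on the listing shown above.

```python
# Added illustration (not OpenXPKI code) of alias validity overrides and
# token selection. Selection rule and sample rows are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_date(value) -> datetime:
    """Accept an epoch value or 'yyyy-mm-dd hh:mm:ss'; both treated as UTC."""
    text = str(value).strip()
    if text.isdigit():
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


@dataclass
class Alias:
    alias: str
    identifier: str
    group: Optional[str]
    generation: Optional[int]
    cert_notbefore: datetime              # validity taken from the certificate
    cert_notafter: datetime
    notbefore: Optional[datetime] = None  # custom override; None = certificate value
    notafter: Optional[datetime] = None

    def window(self):
        """Effective validity: the custom value where set, else the certificate's."""
        return (self.notbefore or self.cert_notbefore,
                self.notafter or self.cert_notafter)


def update_alias(row: Alias, notbefore=None, notafter=None) -> Alias:
    """--update semantics: only the given field changes; a literal 0 restores
    the certificate's own value."""
    if notbefore is not None:
        row.notbefore = None if str(notbefore) == "0" else parse_date(notbefore)
    if notafter is not None:
        row.notafter = None if str(notafter) == "0" else parse_date(notafter)
    return row


def next_generation(rows: List[Alias], group: str) -> int:
    """Automatic group discovery: one more than the highest generation present."""
    gens = [r.generation for r in rows if r.group == group and r.generation is not None]
    return max(gens) + 1 if gens else 1


def add_functional_alias(rows, identifier, group, cert_nb, cert_na, generation=None):
    """Adds <group>-<generation>, discovering the generation when not given."""
    gen = next_generation(rows, group) if generation is None else generation
    row = Alias(f"{group}-{gen}", identifier, group, gen,
                parse_date(cert_nb), parse_date(cert_na))
    rows.append(row)
    return row


def active_token(rows: List[Alias], group: str, now: datetime) -> Optional[str]:
    """Alias of the group's active token at `now`, or None if no window covers it."""
    live = [r for r in rows
            if r.group == group and r.generation is not None
            and r.window()[0] <= now < r.window()[1]]
    return max(live, key=lambda r: r.generation).alias if live else None


def sample_rows() -> List[Alias]:
    """Constructed alias table: an old root and the 'upcoming root ca' from the listing."""
    rows = []
    add_functional_alias(rows, "id-root-1", "root",
                         "2010-06-17 13:54:34", "2016-06-17 13:54:34")
    root2 = add_functional_alias(rows, "xGBSVo6N-9gpjB8UFll4TS-u-Eo", "root",
                                 "2013-06-17 13:54:34", "2020-06-17 13:54:34")
    # pin the rollover to 2014-01-01 although the certificate is already valid
    update_alias(root2, notbefore="2014-01-01 00:00:00", notafter="2016-12-31 23:59:59")
    return rows
```

With these rows root-1 stays the active root until the custom notbefore of root-2 is reached, even though root-2's certificate is valid months earlier; restoring the override with 0 makes root-2 active immediately.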
Creates the hash of a given password for use with the internal user database.
        --scheme      The hashing scheme to use; allowed values are
                      ssha|sha|smd5|md5|crypt, default is ssha
                      (see also OpenXPKI::Server::Authentication::Password)
Prompts for the password and prints the hashed value, including the scheme used, in the format defined in RFC 2307.
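The RFC 2307 hash format the command prints, as an added, self-contained example of generating and verifying it for the ssha, sha, smd5 and md5 schemes. This is not OpenXPKI's code (its implementation lives in OpenXPKI::Server::Authentication::Password, which is not shown here); the crypt scheme is left out because Python's crypt module is deprecated, and the 8-byte salt length is an assumption of this example.

```python
# Added example (not OpenXPKI code) of RFC 2307 "{SCHEME}base64(...)" hashes.
# For the salted schemes the salt is appended to the digest before encoding.
import base64
import binascii
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm, salted?)
_SCHEMES = {"ssha": ("sha1", True), "sha": ("sha1", False),
            "smd5": ("md5", True), "md5": ("md5", False)}
SALT_LEN = 8   # assumption of this example


def hash_password(password: str, scheme: str = "ssha", salt: bytes = None) -> str:
    """Return '{SCHEME}' + base64(digest + salt) as defined in RFC 2307."""
    scheme = scheme.lower()
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(SALT_LEN) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Check `password` against a stored '{SCHEME}...' value; never raises."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.lower()
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    size = hashlib.new(algo).digest_size
    if len(raw) < size:
        return False
    digest = raw[:size]
    salt = raw[size:] if salted else b""   # salt recovered from the stored value
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison
```

All four schemes are single-iteration hashes, so they offer no brute-force resistance beyond the salt; the salted ssha default at least prevents precomputed-table attacks across users.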
openxpkiadm is the administrative frontend for controlling the OpenXPKI installation.
The openxpkiadm script returns a 0 exit value on success, and >0 if an error occurs.
perl v5.20.3                    OPENXPKIADM (1)                    2016-04-03