Manual Reference Pages  -  OPENXPKIADM (1)

openxpkiadm - tool for management operations of OpenXPKI instances




 Global options:
   --config DIR          Location of the configuration repository
                         optional, defaults to /usr/local/etc/openxpki/config.d
   --instance|i NAME     Shortcut to set the config path to

 Available commands:
   help                  brief help message
   man                   full documentation
   version               print program version and exit
   initdb                Initialize database
   key                   Manage keys
   certificate           Manage certificates
   hashpwd               Create the salted hash for a password
   alias                 Manage the token alias table


initdb

Command options:

   --force               Force operation (may be destructive)
   --dryrun              Don’t change anything, just print what would
                         be done

Initializes the OpenXPKI database schema. Existing data is not destroyed unless the command is called with --force.


key

Key management for OpenXPKI tokens (including issuing CAs and subsystems).

Command options:

   --realm               PKI realm to operate on

Key management subcommands:

list
Shows token key information for the specified realm, including key algorithm, key length and secret splitting information. TODO: Key info not implemented yet!

Lists keys together with a status flag, which can be one of the following:

  c - token not defined in crypto.token
  + - key exists and file is non-empty
  0 - key exists but file is empty
  ! - key file does not exist (yet)

Realm names containing spaces must be quoted for the shell:

  openxpkiadm key list --realm 'Root CA'


certificate

Runs a certificate management subcommand. The subcommands list, import, remove and chain (connect) certificates in the configured PKI realms.

  openxpkiadm certificate <subcommand> <options>

Certificate management subcommands:

list
Subcommand options (all optional):

   --realm                  PKI realm to operate on
   --all                    Show all certificates
   -v                       Show subject and issuer DN as well
   -v -v                    Show chain as well
   -v -v -v                 Show (nearly complete) database entry
   -v -v -v -v              Show pubkey and certificate data, too

Lists certificates present in the database for the specified realm. If --all is not specified, only certificates that have an alias defined for them are listed; --all lists all certificates, regardless of whether they have an alias or not. If --realm is left out, the certificates in all realms are listed. The number of -v’s increases the verbosity (see above for what is listed in which case).

import
Subcommand options:

   --file                   the PEM file to import from
   --revoked                import with status revoked
   --issuer                 the identifier of the issuer
   --realm                  PKI realm to import the certificate into

Force options (use only if you know exactly what you are doing!):

   --force-no-chain         (only without --issuer)
                            Import even if the chain is incomplete, set NULL as issuer
   Force the issuer setting even if the chain validation fails
   Force update for an existing certificate

Once again, only use these options if you actually have to (the occasions where this is necessary should be really, really rare). Note that --force-no-chain might result in a wrong issuer assignment if key identifiers or subjects are ambiguous. Pass an explicit --issuer in such cases if possible.

Adds a certificate to the database. The issuer is usually auto-detected and needs to be given only in rare cases. By default certificates are imported into the global realm; to add them to a specific realm, specify it with --realm. Note that a certificate always inherits the realm of its issuer!

The command outputs the subject’s DN, the issuer’s DN and the realm imported into, so you can verify that you imported the correct certificate, as well as a unique identifier which can be used to globally reference the certificate (e.g. in the configuration or as an --issuer). If you don’t want to remember the identifier, see the alias command below for how to create a symbolic name for an identifier.

  openxpkiadm certificate import --file cacert.pem

Import a certificate whose issuer is not known into the ServerCA realm:

  openxpkiadm certificate import --file cacert.pem \
      --force-no-chain --realm ServerCA

You can create an alias directly on import by adding either --alias, --group/--generation or --token to the command. This executes the alias command with those parameters for the imported certificate inline.
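The warning above about ambiguous key identifiers and subjects is easiest to see on a small model. The following Python is an added example, not OpenXPKI's code: it resolves an issuer from a store of certificates by Authority Key Identifier first and by issuer DN second, and refuses to guess when the match is not unique. The matching order, the record layout, and the `signed_by` field standing in for a real signature check are assumptions of this model; the sample certificates are constructed.

```python
"""Added example, not OpenXPKI code: a model of issuer auto-detection that
shows why --force-no-chain can mis-assign an issuer when subjects or key
identifiers are ambiguous, and why an explicit --issuer avoids that.

Assumptions: lookup by AKI -> SKI first, then issuer DN -> subject DN; the
signature is stood in for by `signed_by` (the SKI of the key that signed the
certificate), where a real implementation verifies the signature."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    identifier: str        # stand-in for the OpenXPKI certificate identifier
    subject: str
    issuer: str
    ski: str               # Subject Key Identifier
    aki: Optional[str]     # Authority Key Identifier, absent on some certificates
    signed_by: str         # stand-in for the signature: SKI of the signing key


class UnknownIssuer(Exception):
    pass


class AmbiguousIssuer(Exception):
    pass


def verifies(cert: Cert, candidate: Cert) -> bool:
    """Stand-in for a signature check with the candidate's public key."""
    return cert.signed_by == candidate.ski


def resolve_issuer(cert: Cert, store: List[Cert], explicit_issuer: Optional[str] = None,
                   force_no_chain: bool = False) -> Optional[str]:
    """Identifier to record as cert's issuer; None means a NULL issuer, which
    is only produced with force_no_chain when nothing in the store fits."""
    by_id = {c.identifier: c for c in store}
    if explicit_issuer is not None:
        if explicit_issuer not in by_id:
            raise UnknownIssuer(explicit_issuer)
        return explicit_issuer
    # A self-signed certificate is recorded as its own issuer.
    if cert.subject == cert.issuer and cert.aki in (None, cert.ski):
        return cert.identifier
    if cert.aki is not None:
        candidates = [c for c in store if c.ski == cert.aki]
    else:
        candidates = [c for c in store if c.subject == cert.issuer]
    if not force_no_chain:
        # Normal path: chain validation discards candidates that did not sign.
        candidates = [c for c in candidates if verifies(cert, c)]
    if len(candidates) == 1:
        return candidates[0].identifier
    if len(candidates) > 1:
        raise AmbiguousIssuer(
            f"{len(candidates)} candidates for issuer '{cert.issuer}'; pass --issuer")
    if force_no_chain:
        return None
    raise UnknownIssuer(cert.issuer)


# Constructed sample store: a root CA that was re-keyed under the same DN,
# so two certificates share the subject 'CN=Root CA'.
ROOT_OLD = Cert("root-old", "CN=Root CA", "CN=Root CA", "ski-a", None, "ski-a")
ROOT_NEW = Cert("root-new", "CN=Root CA", "CN=Root CA", "ski-b", None, "ski-b")
STORE = [ROOT_OLD, ROOT_NEW]

# Sub CA without an AKI extension, actually signed by the new root key.
SUB_NO_AKI = Cert("sub-1", "CN=Sub CA 1", "CN=Root CA", "ski-c", None, "ski-b")
# Sub CA carrying an AKI, signed by the old root key.
SUB_WITH_AKI = Cert("sub-2", "CN=Sub CA 2", "CN=Root CA", "ski-d", "ski-a", "ski-a")
# A certificate whose issuer is not in the store at all.
ORPHAN = Cert("leaf-x", "CN=Server", "CN=Other CA", "ski-e", "ski-z", "ski-z")


def demo() -> dict:
    results = {
        "sub_no_aki": resolve_issuer(SUB_NO_AKI, STORE),        # chain validation picks root-new
        "sub_with_aki": resolve_issuer(SUB_WITH_AKI, STORE),    # AKI picks root-old
        "orphan_forced": resolve_issuer(ORPHAN, STORE, force_no_chain=True),  # NULL issuer
    }
    try:
        # Without validation both roots match by subject DN: refuse to guess.
        resolve_issuer(SUB_NO_AKI, STORE, force_no_chain=True)
        results["no_aki_forced"] = "resolved"
    except AmbiguousIssuer:
        results["no_aki_forced"] = "ambiguous"
    return results
```

The model raises on an ambiguous match instead of silently taking the first candidate, which is the failure the page warns about; the fix on the command line is the same in both cases, pass the issuer's identifier with --issuer.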

remove
Subcommand options:

   --name                   The alias or identifier of the certificate
   --realm                  The PKI realm in which the alias is defined

Force options (use only if you know what you are doing!):

   --force-is-issuer        Delete the certificate even though it is the
                            issuer of another certificate in the database

Removes a certificate from the database.

  openxpkiadm certificate remove --realm 'Root CA' \
        --name 'Root CA 1'

chain
Subcommand options:

   --realm                  The PKI realm to operate in
   --name                   The alias or identifier of the child
   --issuer                 The alias or identifier of the parent
   --issuer-realm           The realm in which the issuer alias
                            is defined

Force options (use only if you know what you are doing!):
   Ignore that the certificate of the child was not found
   in the DB
   Ignore that the certificate of the parent was not found
   in the DB

Once again, only use these options if you actually have to (the occasions where this is necessary should be really, really rare).

Specifies a subject/issuer relationship in order to set up certificate chains. The certificates to be connected must already be present in the database (see import). As these connections are already set up during import, this command exists for changing the issuer if you made an error. It also allows you to specify an issuer that does not agree with the information contained in the certificate (but prints a warning).

  openxpkiadm certificate chain --realm 'Root CA' \
      --name 'Subordinate CA 1' --issuer 'root1'


alias

An alias is a symbolic name for a certificate in a specific realm. OpenXPKI uses aliases to manage the crypto tokens for signer and helper tokens. Several configuration options and commands are able to process aliases, too.

The selection of functional tokens is done based on the notbefore/notafter date. To force a certain behaviour (e.g. the time of a CA rollover), you can set a custom notbefore/notafter date on the alias.

Common options:

   --realm                  PKI realm for the alias
   --identifier             The identifier of the certificate
   --notbefore              custom notbefore date to set
   --notafter               custom notafter date to set
                            accepted formats are epoch or yyyy-mm-dd hh:mm:ss;
                            a literal 0 restores the certificate’s validity.

There are different ways to deal with aliases:

list tokens
If you pass a realm but no identifier, you will receive the list of active tokens for all token groups, the current root certificate and, if set, the upcoming root certificate as used by SCEP GetNextCACert.

For items with custom notbefore/notafter settings, the certificate’s own value is shown in brackets:

    upcoming root ca:
        Alias     : root-2
        Identifier: xGBSVo6N-9gpjB8UFll4TS-u-Eo
        NotBefore : 2014-01-01 00:00:00 (2013-06-17 13:54:34)
        NotAfter  : 2016-12-31 23:59:59 (2020-06-17 13:54:34)

To show the certificate’s subject besides the identifier, add --subject.

To show a list of all or only the active tokens, add the filter parameter:

   --filter all or --filter active

You can also filter by a certain group name with --group <groupname>.

Specify --nogroup to list tokens that do not belong to a group.

add functional token with automatic group discovery
Looks up the name of the group associated with the token type and finds the next generation index by looking at the aliases already present in the group. Recommended.

   --token                  The name of the token type you want to add,
                            e.g. certsign or datasafe.

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --token certsign

add functional token with manual group configuration
The alias is automatically set to <group>-<generation>, e.g. server-ca-1.

   --group                  The name of the group (e.g. server-ca)
   --generation             The numeric index to use for this alias

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --group server-ca --generation 1

add non-functional alias
Adds the alias, leaving group and generation empty.

   --alias                  The symbolic name for the certificate

    openxpkiadm alias --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw \
        --alias my-very-important-certificate

update alias
Update the notbefore/notafter date of an existing alias.

   --update                 Indicates that you want to update an existing entry
   --alias                  You can select the alias by name rather than passing
                            the identifier.

     openxpkiadm alias --update --realm ca-one \
         --alias ca-one-signer-1 \
         --notbefore "2014-01-01 00:00:00"

This updates only notbefore; notafter is left unchanged.

remove alias
Remove the entry from the alias table.

   --remove                 Indicates that the alias should be removed.
   --alias                  You can select the alias by name rather than passing
                            the identifier.

    openxpkiadm alias --remove --realm server-realm \
        --identifier rzg0GhTx81ioYGXADfuuIxFd9fw

    openxpkiadm alias --remove --realm server-realm \
        --alias server-ca-1
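To make the rollover mechanics of the alias table concrete, here is an added Python model of it (example code, not OpenXPKI's own). It shows how the active token of a group follows the effective notbefore/notafter dates, how a custom date on an alias overrides the certificate's own validity and how a literal 0 restores it, how the next generation index is discovered, and how the listing shows the certificate's value in brackets. The selection rule (the live alias with the latest effective notbefore wins) and the `<group>-<generation>` naming are assumptions of this model; the identifiers are the ones shown on this page and the dates are constructed.

```python
"""Added example, not OpenXPKI code: a model of the token alias table.
Assumptions: the active token of a group is the alias whose effective
notbefore is the latest one not in the future and whose effective notafter
is still ahead; aliases are named <group>-<generation>."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Alias:
    alias: str
    identifier: str
    group: Optional[str]
    generation: Optional[int]
    cert_notbefore: datetime                      # validity taken from the certificate
    cert_notafter: datetime
    custom_notbefore: Optional[datetime] = None   # alias-level override, if any
    custom_notafter: Optional[datetime] = None

    @property
    def notbefore(self) -> datetime:              # effective value used for selection
        return self.custom_notbefore or self.cert_notbefore

    @property
    def notafter(self) -> datetime:
        return self.custom_notafter or self.cert_notafter

    def show(self) -> str:
        """Render like the listing: effective value, certificate value in brackets."""
        def fmt(eff: datetime, cert: datetime) -> str:
            return eff.strftime(FMT) if eff == cert else f"{eff.strftime(FMT)} ({cert.strftime(FMT)})"
        return (f"Alias     : {self.alias}\nIdentifier: {self.identifier}\n"
                f"NotBefore : {fmt(self.notbefore, self.cert_notbefore)}\n"
                f"NotAfter  : {fmt(self.notafter, self.cert_notafter)}")


def parse_date(value):
    """Accept epoch seconds or 'yyyy-mm-dd hh:mm:ss'; a literal 0 means reset."""
    if value in (0, "0"):
        return None
    if isinstance(value, int) or (isinstance(value, str) and value.isdigit()):
        return datetime(1970, 1, 1) + timedelta(seconds=int(value))
    return datetime.strptime(value, FMT)


class AliasTable:
    def __init__(self) -> None:
        self.entries: List[Alias] = []

    def find(self, alias_name: str) -> Alias:
        return next(a for a in self.entries if a.alias == alias_name)

    def next_generation(self, group: str) -> int:
        """Automatic group discovery: one more than the highest generation present."""
        gens = [a.generation for a in self.entries
                if a.group == group and a.generation is not None]
        return max(gens, default=0) + 1

    def add_token(self, identifier, group, cert_nb, cert_na, generation=None) -> Alias:
        gen = generation if generation is not None else self.next_generation(group)
        entry = Alias(f"{group}-{gen}", identifier, group, gen, cert_nb, cert_na)
        self.entries.append(entry)
        return entry

    def update(self, alias_name, notbefore=None, notafter=None) -> Alias:
        """--update: set custom dates; passing 0 clears the override."""
        entry = self.find(alias_name)
        if notbefore is not None:
            entry.custom_notbefore = parse_date(notbefore)
        if notafter is not None:
            entry.custom_notafter = parse_date(notafter)
        return entry

    def active_token(self, group: str, now: datetime) -> Optional[Alias]:
        live = [a for a in self.entries
                if a.group == group and a.notbefore <= now < a.notafter]
        return max(live, key=lambda a: a.notbefore, default=None)


def demo() -> dict:
    """Rollover of the server-ca signer group, forced to 2014-01-01 (constructed dates)."""
    table = AliasTable()
    table.add_token("rzg0GhTx81ioYGXADfuuIxFd9fw", "server-ca",
                    datetime(2012, 1, 1), datetime(2017, 1, 1))     # becomes server-ca-1
    new = table.add_token("xGBSVo6N-9gpjB8UFll4TS-u-Eo", "server-ca",
                          datetime(2013, 6, 17, 13, 54, 34),
                          datetime(2020, 6, 17, 13, 54, 34))        # becomes server-ca-2
    probe = datetime(2013, 12, 1)
    out = {"new_alias": new.alias,
           "before_override": table.active_token("server-ca", probe).alias}
    table.update("server-ca-2", notbefore="2014-01-01 00:00:00")   # force the switch date
    out["with_override"] = table.active_token("server-ca", probe).alias
    out["after_rollover"] = table.active_token("server-ca", datetime(2014, 1, 2)).alias
    out["listing"] = new.show()
    table.update("server-ca-2", notbefore=0)                        # 0 restores cert validity
    out["after_reset"] = table.active_token("server-ca", probe).alias
    out["next_gen"] = table.next_generation("server-ca")
    return out
```

Without the override the newer certificate would take over the moment it becomes valid; pinning its notbefore to the planned rollover date keeps server-ca-1 signing until then, which is the behaviour the page describes for the upcoming root CA shown in the listing.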


hashpwd

Creates the hash of a given password to be used with the internal user database.

Command options:

   --scheme                 The hashing scheme to use, allowed values are
                            ssha|sha|smd5|md5|crypt, default is ssha
                            see also OpenXPKI::Server::Authentication::Password

Prompts for the password and prints the hashed value, including the used
scheme, in the {SCHEME} form defined in RFC 2307.
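For checking what such a value looks like and for verifying one outside the server, the following Python is an added example (not OpenXPKI's code, which lives in OpenXPKI::Server::Authentication::Password) of RFC 2307 style hashes in the listed schemes. It assumes the OpenLDAP encoding, {SCHEME} followed by the base64 of the digest, with the salt appended to the digest for the salted schemes; details such as salt length are assumptions and may differ from what hashpwd emits.

```python
"""Added example, not OpenXPKI code: RFC 2307 style password hashes for the
schemes listed for hashpwd (ssha, sha, smd5, md5, crypt).
Assumed encoding, as used by OpenLDAP: '{SCHEME}' + base64(digest [+ salt])."""
import base64
import hashlib
import hmac
import os
from typing import Optional

try:
    import crypt  # crypt(3) wrapper; deprecated in Python 3.11, removed in 3.13
except ImportError:  # pragma: no cover
    crypt = None

_DIGEST = {"ssha": "sha1", "sha": "sha1", "smd5": "md5", "md5": "md5"}
_SALTED = {"ssha", "smd5"}


def make_hash(password: str, scheme: str = "ssha", salt: Optional[bytes] = None) -> str:
    """Return '{SCHEME}base64(...)' for password; the salt is random unless given."""
    scheme = scheme.lower()
    if scheme == "crypt":
        if crypt is None:
            raise ValueError("crypt(3) is not available in this Python")
        setting = salt.decode() if salt else crypt.mksalt(crypt.METHOD_SHA512)
        return "{CRYPT}" + crypt.crypt(password, setting)
    if scheme not in _DIGEST:
        raise ValueError(f"unknown scheme {scheme!r}")
    pw = password.encode("utf-8")
    if scheme in _SALTED:
        salt = os.urandom(8) if salt is None else salt     # 8-byte salt is an assumption
        raw = hashlib.new(_DIGEST[scheme], pw + salt).digest() + salt
    else:
        raw = hashlib.new(_DIGEST[scheme], pw).digest()    # unsalted: same input, same output
    return "{%s}%s" % (scheme.upper(), base64.b64encode(raw).decode("ascii"))


def check_hash(password: str, stored: str) -> bool:
    """Verify password against a stored '{SCHEME}...' value in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, encoded = stored[1:].split("}", 1)
    scheme = scheme.lower()
    if scheme == "crypt":
        return crypt is not None and hmac.compare_digest(crypt.crypt(password, encoded), encoded)
    if scheme not in _DIGEST:
        return False
    raw = base64.b64decode(encoded)
    digest_len = hashlib.new(_DIGEST[scheme]).digest_size
    salt = raw[digest_len:] if scheme in _SALTED else None  # recover the salt from the stored value
    return hmac.compare_digest(make_hash(password, scheme, salt), stored)


def is_salted(stored: str) -> bool:
    """True for schemes where equal passwords yield different stored values."""
    return stored.split("}", 1)[0].lstrip("{").lower() in _SALTED
```

Keep the default ssha (or smd5) unless a consumer of the database needs something else: sha and md5 are unsalted, so two accounts with the same password get the same stored value and precomputed tables apply to them directly.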


openxpkiadm is the administrative frontend for controlling an OpenXPKI installation.

The openxpkiadm script returns a 0 exit value on success, and >0 if an error occurs.

perl v5.20.3 OPENXPKIADM (1) 2016-04-03
