OPENXPKIADM(1)	      User Contributed Perl Documentation	OPENXPKIADM(1)

       openxpkiadm - tool for management operations of OpenXPKI	instances

       openxpkiadm COMMAND [SUBCOMMAND]	[OPTIONS]

	Global options:
	  --config DIR		Location of the	configuration repository
				optional, defaults to /usr/local/etc/openxpki/config.d
	  --instance|i NAME	Shortcut to set	the config path	to

       Available commands:

	  help			brief help message
	  man			full documentation
	  version		print program version and exit
	  initdb		Initialize database
	  key			Manage keys
	  certificate		Manage certificates
	  hashpwd		Create the salted hash for a password
	  alias			Manage the token alias table

       Command options:

	  --force		Force operation	(may be	destructive)
	  --dryrun		Don't change anything, just print what would
				be done

       Initializes the OpenXPKI	database schema. Will not destroy existing
       data unless called with --force.

       Key management for OpenXPKI Tokens (including issuing CAs and

       Command options:

	  --realm		PKI Realm to operate on

       key management subcommands

       list    Shows token key information for the specified realm, including
	       key algorithm, key length and secret splitting information.
	       TODO: Key info not implemented yet!

	       Lists keys together with	a status flag, which can be one	of the

		 c - token not defined in crypto.token
		 + - key exists	and file is non-empty
		 0 - key exists	but file is empty
		 ! - key file does not exist (yet)


		 openxpkiadm key list --realm 'Root CA'

       Starts a	certificate management command that lets you list, install,
       delete and connect certificates for the configured PKI Realms.

	 openxpkiadm certificate <subcommand> <options>

       certificate management subcommands

       list    Subcommand options (optional):

		  --realm		   PKI realm to	operate	on
		  --all			   Show	all certificates
		  -v			   Show	subject	and issuer DN as well
		  -v -v			   Show	chain as well
		  -v -v	-v		   Show	(nearly	complete) database entry
		  -v -v	-v -v		   Show	pubkey and certificate data, too

	       Lists certificates present in the database for the specified
	       realm. If --all is not specified, only certificates that	have
	       an alias	defined	for them are listed. --all lists all
	       certificates, regardless	of whether they	have an	alias or not.
	       If --realm is left out, the certificates	in all realms are
	       listed. The number of -v options increases the verbosity (see
	       above for what is listed in which case).

       import  Subcommand options:

		 --file			   the PEM file	to import from

		 --revoked		   import with status "revoked"
		 --issuer		   the identifier of the issuer
		 --realm		   PKI realm to	import certificate to

	       Force options (use only if you exactly know what you are
		 --force-no-chain (only	without	issuer)
		       Import even if the chain	is incomplete, set NULL	as
		       Force the issuer	setting	even if	the chain validation
		       Force update for	an existing certificate
		       Build the chain but skip	cryptographic verification

	       Once again, only	use these options if you actually have to (the
	       occasions where this happens should be really, really rare).
	       Note that force-no-chain	might result in	a wrong	issuer
	       assignment if key identifiers or	subjects are ambiguous.
	       Consider	using an explicit issuer in those cases if possible.

	       Adds a certificate to the database. The issuer is usually auto-
	       detected	and needs to be	given only in rare cases. By default
	       the certificates	are imported into the global realm; if you
	       want to add them	to a specific one, you need to specify it.
	       Note that a certificate always inherits the realm of its

	       The command outputs the subject's DN, issuer's DN and the
	       imported	realm for you to verify	that you imported the correct
	       certificate as well as a	unique identifier which	can be used to
	       globally	reference the certificate (i.e.	for configuration or
	       as an issuer). If you don't want	to remember the	identifier,
	       look into openxpkiadm certificate alias to find out how to
	       create a	symbolic name for an identifier.


		 openxpkiadm certificate import	--file cacert.pem

	       Import a	certificate whose issuer is not	known into the
	       "ServerCA" realm:

		 openxpkiadm certificate import	--file cacert.pem \
		     --force-no-chain --realm ServerCA

	       You can create an alias directly	on import by adding either
	       alias, generation/group or token	to the command.	This will
	       execute the alias command with those parameters for the imported
	       certificate inline.

       remove  Subcommand options:

		 --name		   The alias or	identifier of the certificate

		 --realm	   The PKI realm in which the alias is defined

	       Force options (use only if you know what you are doing!):
		 --force-is-issuer Delete certificate even though it is	the
				   issuer of another certificate in the

	       Removes a certificate from the database.


		 openxpkiadm certificate remove	--realm	'Root CA' \
		       --name 'Root CA 1'

       chain   Subcommand options:

		 --realm	       The PKI realm to	operate	in
		 --name		       The alias or identifier of the child
		 --issuer	       The alias or identifier of the parent

		 --issuer-realm	       The realm in which the issuer alias
				       is defined

	       Force options (use only if you know what you are doing!):
		       Ignore that the certificate of the child	was not	found
		       in the DB
		       Ignore that the certificate of the parent was not found
		       in the DB

	       Once again, only	use these options if you actually have to (the
	       occasions where this happens should be really, really rare).

	       Specifies the subject/issuer relationship in order to set up
	       certificate chains. The certificates to be connected must
	       already be present in the database (see import).	As those
	       connections are already set up during import, this command
	       exists for changing the issuer if you made an error. It also
	       allows you to specify an issuer that does not agree with the
	       information contained in	the certificate	(but outputs a


	       openxpkiadm certificate chain --realm 'Root CA' \
		    --name 'Subordinate	CA 1' --issuer 'root1'

       An alias	is a symbolic name for a certificate in	a specific realm.
       OpenXPKI	uses aliases to	manage the crypto tokens for signer and	helper
       tokens. Several config options and commands can process aliases,
       too.

       The selection of	functional tokens is done based	on the
       notbefore/notafter date.	To force certain behaviour (e.g. the time of
       a CA rollover), you can force a custom notbefore/notafter date on the

       Common options:
	   --realm	  PKI realm for	the alias
	   --identifier	  The identifier of the	certificate
	   --notbefore	  custom notbefore date	to set
	   --notafter	  custom notafter date to set
			  accepted formats are epoch or	yyyy-mm-dd hh:mm:ss
			  a literal 0 restores the certificates	validity.

       There are different ways	to deal	with aliases:

       list tokens
	   If you pass a realm but no identifier, you will receive the list of
	   active tokens for all token groups, the current root	certificate
	   and,	if set,	the upcoming root certificate as used by SCEP.

	   For items with custom notbefore/notafter settings, the
	   certificate's value is shown	in brackets:

	       upcoming	root ca:
		   Alias     : root-2
		   Identifier: xGBSVo6N-9gpjB8UFll4TS-u-Eo
		   NotBefore : 2014-01-01 00:00:00 (2013-06-17 13:54:34)
		   NotAfter  : 2016-12-31 23:59:59 (2020-06-17 13:54:34)

	   To show the certificates subject besides the	identifier, add

	   To show a list of all or all	active tokens, you can add the filter

	      --filter all or --filter active

	   You can also	filter by a certain group name with --group

	   Specify --nogroup to	list tokens that do not	belong to a group.

       add functional token with automatic group discovery
	   Looks up the	name of	the associated group and finds the next
	   generation index by looking up the present aliases in the group.

	     --token  The name of the token type you want to add,
		      e.g. certsign or datasafe.


	       openxpkiadm alias --realm server-realm \
		   --identifier	rzg0GhTx81ioYGXADfuuIxFd9fw \
		   --token certsign

       add functional token with manual	group configuration
	   The alias is	automatically set to <group>-<generation>, e.g.
	   server-ca-1.	 The generation	identifier is increased	by one from
	   the latest one found	in the same group.

	     --group   The name	of the group (e.g. server-ca)


	       openxpkiadm alias --realm server-realm \
		   --identifier	rzg0GhTx81ioYGXADfuuIxFd9fw \
		   --group server-ca

       explicit	generation
	   If you need to force	a certain generation identifier, you can skip
	   the autodetection and provide the wanted index:

	       --generation  The numeric index to use for this alias

	   This	works with both	methods	above, token and group.


	       openxpkiadm alias --realm server-realm \
		   --identifier	rzg0GhTx81ioYGXADfuuIxFd9fw \
		   --group server-ca --generation 42

       add non-functional alias
	   Adds	the alias leaving group	and generation empty.

	     --alias		   The symbolic	name for the certificate


	       openxpkiadm alias --realm server-realm \
		   --identifier	rzg0GhTx81ioYGXADfuuIxFd9fw \
		   --alias my-very-important-certificate

       update alias
	   Update the notbefore/notafter date of an existing alias.

	       --update	       Indicates that you want to update an existing entry
	       --alias	       You can select the alias	by name	rather than passing
			       the identifier.


		openxpkiadm alias --update --realm ca-one \
		    --alias ca-one-signer-1 \
		    --notbefore	"2014-01-01 00:00:00"

	   This	updates	notbefore; notafter is not changed.
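	   The alias semantics described above (automatic generation discovery,
	   the <group>-<generation> naming, custom notbefore/notafter dates
	   overriding the certificate's own validity, the bracketed display in
	   the token listing and the literal 0 restore on --update), modelled
	   as an added Python example. This is not OpenXPKI's own code and does
	   not read the real alias table. It assumes that an empty group starts
	   at generation 1 and that, when several aliases of one group are
	   valid at the same time, the newest generation is the active one; the
	   alias table is constructed, and the root-2 entry reuses the dates
	   and identifier of the listing shown above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Union

DATE_FMT = "%Y-%m-%d %H:%M:%S"
Stamp = Union[str, int, datetime]


def parse_date(value: Stamp) -> datetime:
    """Accept the two formats the man page lists: epoch seconds or yyyy-mm-dd hh:mm:ss."""
    if isinstance(value, datetime):
        return value
    if isinstance(value, int) or str(value).isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc).replace(tzinfo=None)
    return datetime.strptime(value, DATE_FMT)


@dataclass
class Alias:
    alias: str
    identifier: str
    group: Optional[str]
    generation: Optional[int]
    cert_notbefore: datetime               # validity taken from the certificate itself
    cert_notafter: datetime
    notbefore: Optional[datetime] = None   # custom override (--notbefore); None = no override
    notafter: Optional[datetime] = None    # custom override (--notafter)

    def effective(self):
        """Custom dates win over the certificate's own dates."""
        return (self.notbefore or self.cert_notbefore, self.notafter or self.cert_notafter)

    def is_active(self, now: Stamp) -> bool:
        nb, na = self.effective()
        return nb <= parse_date(now) <= na

    def describe(self) -> str:
        """Render like 'alias list': custom value first, certificate value in brackets."""
        lines = [f"Alias     : {self.alias}", f"Identifier: {self.identifier}"]
        for label, custom, cert in (("NotBefore", self.notbefore, self.cert_notbefore),
                                    ("NotAfter ", self.notafter, self.cert_notafter)):
            shown = cert.strftime(DATE_FMT)
            if custom is not None:
                shown = f"{custom.strftime(DATE_FMT)} ({shown})"
            lines.append(f"{label} : {shown}")
        return "\n".join(lines)


def next_generation(table: List[Alias], group: str) -> int:
    """Automatic discovery: one more than the highest generation present in the group."""
    gens = [a.generation for a in table if a.group == group and a.generation is not None]
    return max(gens) + 1 if gens else 1   # assumption: an empty group starts at generation 1


def add_functional_alias(table, identifier, group, cert_nb, cert_na, generation=None) -> str:
    """The alias becomes <group>-<generation>; --generation overrides the discovered index."""
    gen = next_generation(table, group) if generation is None else generation
    name = f"{group}-{gen}"
    if any(a.alias == name for a in table):
        raise ValueError(f"alias {name} already exists in the table")
    table.append(Alias(name, identifier, group, gen, parse_date(cert_nb), parse_date(cert_na)))
    return name


def update_alias(table, alias, notbefore=None, notafter=None) -> Alias:
    """--update semantics: a field left None is untouched; literal 0 restores the certificate's value."""
    entry = next(a for a in table if a.alias == alias)
    for field, value in (("notbefore", notbefore), ("notafter", notafter)):
        if value is not None:
            setattr(entry, field, None if str(value) == "0" else parse_date(value))
    return entry


def select_token(table, group, now) -> Optional[Alias]:
    """Among aliases whose effective validity covers 'now', take the newest generation."""
    active = [a for a in table if a.group == group and a.is_active(now)]
    return max(active, key=lambda a: a.generation) if active else None  # assumption: newest wins


def sample_table() -> List[Alias]:
    """Constructed alias table; root-2 mirrors the 'upcoming root ca' listing of the man page."""
    root1 = Alias("root-1", "ROOT1-IDENTIFIER-PLACEHOLDER", "root", 1,
                  parse_date("2010-06-17 13:54:34"), parse_date("2020-06-17 13:54:34"))
    root2 = Alias("root-2", "xGBSVo6N-9gpjB8UFll4TS-u-Eo", "root", 2,
                  parse_date("2013-06-17 13:54:34"), parse_date("2020-06-17 13:54:34"),
                  notbefore=parse_date("2014-01-01 00:00:00"),
                  notafter=parse_date("2016-12-31 23:59:59"))
    return [root1, root2]


if __name__ == "__main__":
    table = sample_table()
    for when in ("2013-12-01 00:00:00", "2014-06-01 00:00:00", "2017-06-01 00:00:00"):
        tok = select_token(table, "root", when)
        print(when, "->", tok.alias if tok else "no active token")
    print(table[1].describe())
```

	   Running the block shows the rollover the custom dates produce: root-1
	   is selected before 2014-01-01, root-2 while its custom window is
	   open, and root-1 again after 2016-12-31, although root-2's
	   certificate itself is still valid until 2020.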

       remove alias
	   Remove the entry from the alias table.

	     --remove	       Indicates that the alias	should be removed.
	     --alias	       You can select the alias	by name	rather than passing
			       the identifier.


	       openxpkiadm alias --remove --realm server-realm \
		   --identifier	rzg0GhTx81ioYGXADfuuIxFd9fw

	       openxpkiadm alias --remove --realm server-realm \
		   --alias server-ca-1

       Create the hash of a given password to be used with the internal	user

       Command options:

	 --scheme   The	hashing	scheme to use, allowed values are
		    ssha|sha|smd5|md5|crypt, default is	ssha
		    see	also OpenXPKI::Server::Authentication::Password

       Prompts for the password	and prints the hashed value, including the
	scheme used, in the form defined in RFC 2307.

       openxpkiadm is the administrative frontend for controlling the OpenXPKI

	       The openxpkiadm script returns a	0 exit value on	success, and
	       >0 if an error occurs.

perl v5.24.1			  2017-07-03			OPENXPKIADM(1)

