Red Hat Certificate System 7.3 Command-Line Tools Guide
Version 7.3
ISBN: N/A
Publication date:

This book covers important, Certificate System-specific, command-line tools that you can use to create, remove, and manage subsystem instances and to create and manage keys and certificates.

Copyright © 2008 Red Hat, Inc.

This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later, with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/). Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709
USA

Table of Contents

About This Guide
  1. Who Should Read This Guide
  2. Required Information
  3. What Is in This Guide
  4. Common Tool Information
  5. Additional Reading
  6. Examples and Formatting
  7. Giving Feedback
  8. Revision History
1. Create and Remove Instance Tools
  1. pkicreate
    1.1. Syntax
    1.2. Usage
  2. pkiremove
    2.1. Syntax
    2.2. Usage
2. Silent Installation
  1. Syntax
  2. Usage
3. TokenInfo
  1. Syntax
4. SSLGet
  1. Syntax
  2. Usage
5. AuditVerify
  1. About the AuditVerify Tool
  2. Setting up the Auditor's Database
  3. Syntax
  4. Return Values
  5. Usage
6. PIN Generator
  1. The setpin Command
    1.1. Editing the setpin.conf Configuration File
    1.2. Syntax
    1.3. Usage
  2. How setpin Works
    2.1. Input File
    2.2. Output File
    2.3. How PINs Are Stored in the Directory
    2.4. Exit Codes
7. ASCII to Binary
  1. Syntax
  2. Usage
8. Binary to ASCII
  1. Syntax
  2. Usage
9. Pretty Print Certificate
  1. Syntax
  2. Usage
10. Pretty Print CRL
  1. Syntax
  2. Usage
11. TKS Tool
  1. Syntax
  2. Usage
12. CMC Request
  1. Syntax
  2. Usage
13. CMC Enrollment
  1. Syntax
  2. Usage
14. CMC Response
  1. Syntax
15. CMC Revocation
  1. Syntax
  2. Testing CMC Revocation
16. CRMF Pop Request
  1. Syntax
  2. Usage
17. Extension Joiner
  1. Syntax
  2. Usage
18. Key Usage Extension
  1. Syntax
19. Issuer Alternative Name Extension
  1. Syntax
  2. Usage
20. Subject Alternative Name Extension
  1. Syntax
  2. Usage
21. HTTP Client
  1. Syntax
22. OCSP Request
  1. Syntax
23. PKCS #10 Client
  1. Syntax
24. Bulk Issuance Tool
  1. Syntax
25. Revocation Automation Utility
  1. Syntax
Index

About This Guide

The Certificate System Command-Line Tools Guide describes the command-line tools and utilities bundled with Red Hat Certificate System and provides information such as command syntax and usage examples to help use these tools.

1. Who Should Read This Guide

This guide is intended for experienced system administrators who are planning to deploy the Certificate System. Certificate System agents should use the Certificate System Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.

2. Required Information

This guide assumes familiarity with the following concepts:

* Public-key cryptography and the Secure Sockets Layer (SSL) protocol
* SSL cipher suites
* The purpose of and major steps in the SSL handshake
* Intranet, extranet, Internet security, and the role of digital certificates in a secure enterprise, including the following topics:
  * Encryption and decryption
  * Public keys, private keys, and symmetric keys
  * Significance of key lengths
  * Digital signatures
  * Digital certificates
  * The role of digital certificates in a public-key infrastructure (PKI)
  * Certificate hierarchies

3. What Is in This Guide

This guide contains the following topics:

Chapter 1, Create and Remove Instance Tools: Describes the tools used to create and remove subsystem instances.
Chapter 2, Silent Installation: Describes the tool used for a silent instance creation.
Chapter 3, TokenInfo: Describes the utility which can be used to identify tokens on a machine, which shows whether the Certificate System can detect those tokens to use for a subsystem.
Chapter 4, SSLGet: Describes a tool used by the Certificate System to help configure and use security domains.
Chapter 5, AuditVerify: Describes how to use the tool used to verify signed audit logs.
Chapter 6, PIN Generator: Describes how to use the tool for generating unique PINs for end users and for populating their directory entries with PINs.
Chapter 7, ASCII to Binary: Describes how to use the tool for converting ASCII data to its binary equivalent.
Chapter 8, Binary to ASCII: Describes how to use the tool for converting binary data to its ASCII equivalent.
Chapter 9, Pretty Print Certificate: Describes how to use the tool for printing or viewing the contents of a certificate stored as ASCII base-64 encoded data in a human-readable form.
Chapter 10, Pretty Print CRL: Describes how to use the tool for printing or viewing the contents of a CRL stored as ASCII base-64 encoded data in a human-readable form.
Chapter 11, TKS Tool: Describes how to manipulate symmetric keys, including keys stored on tokens, the TKS master key, and related keys and databases.
Chapter 12, CMC Request: Describes how to construct a Certificate Management Messages over Cryptographic Message Syntax (CMC) request.
Chapter 13, CMC Enrollment: Describes how to sign a CMC certificate enrollment request with an agent's certificate.
Chapter 14, CMC Response: Describes how to parse a CMC response.
Chapter 15, CMC Revocation: Describes how to sign a CMC revocation request with an agent's certificate.
Chapter 16, CRMF Pop Request: Describes how to generate Certificate Request Message Format (CRMF) requests with proof of possession (POP).
Chapter 17, Extension Joiner: Describes how to use the tool for joining MIME-64 encoded formats of certificate extensions to create a single blob.
Chapter 18, Key Usage Extension: Describes how to generate a distinguished encoding rules (DER)-encoded Extended Key Usage extension.
Chapter 19, Issuer Alternative Name Extension: Describes how to generate an Issuer Alternative Name extension in base-64 encoding.
Chapter 20, Subject Alternative Name Extension: Describes how to generate a Subject Alternative Name extension in base-64 encoding.
Chapter 21, HTTP Client: Describes how to communicate with any HTTP/HTTPS server.
Chapter 22, OCSP Request: Describes how to verify certificate status by submitting Online Certificate Status Protocol (OCSP) requests to an instance of an OCSP subsystem.
Chapter 23, PKCS #10 Client: Describes how to generate a Public-Key Cryptography Standards (PKCS) #10 enrollment request.
Chapter 24, Bulk Issuance Tool: Describes how to send either a KEYGEN or CRMF enrollment request to the bulk issuance interface to create certificates automatically.
Chapter 25, Revocation Automation Utility: Describes how to automate user management scripts to revoke certificates.
Table 1.
List of Contents

4. Common Tool Information

All of the tools in this guide are located in the /usr/bin directory, except for the Silent Install tool, which is downloaded separately and installed to any directory. These tools can be run from any location without specifying the tool location.

5. Additional Reading

The documentation for the Certificate System also contains the following guides:

* Certificate System Administrator's Guide explains all administrative functions for the Certificate System, such as adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem settings like port numbers.
* Certificate System Agent's Guide details how to perform agent operations for the CA, DRM, OCSP, and TPS subsystems through the Certificate System agent services interfaces.
* Certificate System Enterprise Security Client Guide explains how to install, configure, and use the Enterprise Security Client, the user client application for managing smart cards, user certificates, and user keys.
* Certificate System Migration Guide provides detailed migration information for migrating all parts and subsystems of previous versions of Certificate System to Red Hat Certificate System 7.3.

Additional Certificate System information is provided in the Certificate System SDK, an online reference to HTTP interfaces, javadocs, samples, and tutorials related to Certificate System; a downloadable zip file of this material is available for user interaction with the tutorials.

For the latest information about Certificate System, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat documentation page: http://www.redhat.com/docs/manuals/cert-system/

6. Examples and Formatting

All of the examples for Red Hat Certificate System commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 systems. Be certain to use the appropriate commands and files for your platform. For example:

To start the Red Hat Directory Server:

    service dir-server start

Example 1. Example Command

Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.

Monospace: Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background: This type of formatting is used for anything entered or returned in a command prompt.
Italicized text: Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text: Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.

Other formatting styles draw attention to important text.

NOTE: A note provides additional information that can help illustrate the behavior of the system.
TIP: A tip is typically an alternative way of performing a task.
IMPORTANT: Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
CAUTION: A caution indicates an act that would violate your support agreement.
WARNING: A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

7. Giving Feedback

If there is any error in this Command-Line Tools Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:

* Select the Red Hat Certificate System product.
* Set the component to doc-cli-tools-guide.
* Set the version number to 7.3.
* For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.
* Give a clear title for the bug. For example, "Incorrect command example for setup, 2 + options" is better than "Bad example".

We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com.

8. Revision History

Revision 7.3.2    Tuesday, August 5, 2008    Ella Deon Lackey
Added revision history. Updated version for 7.3.0. Updates to presentation and layout for commands.

Chapter 1. Create and Remove Instance Tools

The Certificate System includes two tools to create and remove subsystem instances, pkicreate and pkiremove.

NOTE: The pkicreate tool does not install the Certificate System itself; that is done by the Certificate System packages. pkicreate creates additional subsystem instances after the packages have been installed.

1. pkicreate

The pkicreate tool creates instances of Certificate System subsystems and does a minimal configuration of the new instance, such as setting the configuration directory and port numbers. Further configuration is done through the HTML configuration page, as with configuring the default instances. The following sections explain the syntax and usage of the tool.

1.1. Syntax

This tool has the following syntax:

    pkicreate -pki_instance_root=/directory/path -subsystem_type=type -pki_instance_name=instance_ID [-secure_port=port_number] [-unsecure_port=port_number] [-tomcat_server_port=port_number] -user=user_name -group=group_name [-verbose] [-help]

NOTE: pkicreate checks the environment variable DONT_RUN_PKICREATE; if this is set, the pkicreate utility is prevented from creating an instance. This allows the default instance to be installed in a user-defined location instead of the default location.

Parameter: Description
pki_instance_root: Gives the full path to the new instance configuration directory.
subsystem_type: Gives the type of subsystem being created.
The possible values are as follows:
  * ca, for a Certificate Authority
  * ra, for a Registration Authority
  * kra, for a DRM
  * ocsp, for an OCSP
  * tks, for a TKS
  * tps, for a TPS
pki_instance_name: Gives the name of the new instance. The name must be unique within the security domain. Even cloned subsystems must have different instance names for cloning to succeed.
secure_port: Optional. Sets the SSL port number. If this is not set, the number is randomly generated.
unsecure_port: Optional. Sets the regular port number. If this is not set, the number is randomly generated.
tomcat_server_port: Sets the port number for the Tomcat web server. This option must be set for CA, OCSP, TKS, and DRM instances. It is not used when creating a TPS instance, since a TPS does not use a Tomcat web server.
user: Sets the user as which the Certificate System instance will run. This option must be set.
group: Sets the group as which the Certificate System instance will run. This option must be set.
verbose: Optional. Runs the new instance creation in verbose mode.
help: Shows the help information.
Table 1.1.

1.2. Usage

In the following example, pkicreate is used to create a new DRM instance running on ports 10543 and 20280, named rhpki-drm2, in the /var/lib/rhpki-drm2 directory.

    pkicreate -pki_instance_root=/var/lib -subsystem_type=kra -pki_instance_name=rhpki-drm2 -secure_port=10543 \
    -unsecure_port=10280 -tomcat_server_port=1002 -user=pkiuser -group=pkigroup -verbose

To keep the pkicreate script from creating a new instance when it is run, set the DONT_RUN_PKICREATE environment variable to 1:

    export DONT_RUN_PKICREATE=1

2. pkiremove

The pkiremove tool removes subsystem instances. This tool removes the single subsystem instance specified; it does not uninstall the Certificate System packages.

2.1. Syntax

This tool has the following syntax:

    pkiremove -pki_instance_root=/directory/path -pki_instance_name=instance_ID

pki_instance_root: Gives the full path to the instance configuration directory.
pki_instance_name: Gives the name of the instance.
Table 1.2.

2.2. Usage

The following example removes a DRM instance named rhpki-drm2 which was installed in the /var/lib/rhpki-drm2 directory.

    pkiremove -pki_instance_root=/var/lib -pki_instance_name=rhpki-drm2

Chapter 2. Silent Installation

The Certificate System includes a tool, pkisilent, which can completely create and configure an instance in a single step. Normally, adding instances requires running the pkicreate tool to create the instance and then accessing the subsystem HTML page to complete the configuration. The pkisilent utility creates and configures the instance in a single step.

The pkisilent tool must be downloaded independently. It is available through the Red Hat Certificate System 7.3 Red Hat Network channel.

NOTE: The pkisilent tool depends on having the Certificate System libraries, JRE, and core jar files already installed.

Two files are installed for the pkisilent tool: the Perl wrapper script and the jar files containing the Java™ classes to perform a silent installation. The utility can be downloaded and saved to any location and is then executed locally.

1. Syntax

This tool has the following syntax for a CA:

    perl pkisilent ConfigureCA -cs_hostname hostname -cs_port SSLport -client_certdb_dir certDBdir -client_certdb_pwd password -preop_pin preoppin -domain_name domain_name -admin_user adminUID -admin_email admin@email -admin_password password -agent_name agentName -agent_key_size keySize -agent_key_type keyType -agent_cert_subject cert_subject_name -ldap_host hostname -ldap_port port -bind_dn bindDN -bind_password password -base_dn search_base_DN -db_name dbName -key_size keySize -key_type keyType -token_name HSM_name -token_pwd HSM_password -save_p12 true|false -backup_pwd password

This tool has the following syntax for the RA subsystem:

    perl pkisilent ConfigureRA [options]

-help, -?: Displays help information
-cs_hostname: CS hostname
-cs_port: CS SSL port
-sd_hostname: Security Domain hostname
-sd_ssl_port: Security Domain SSL port
-sd_admin_name: Security Domain username
-sd_admin_password: Security Domain password
-ca_hostname: CA hostname
-ca_port: CA non-SSL port
-ca_ssl_port: CA SSL port
-client_certdb_dir: Client certdb dir
-client_certdb_pwd: Client certdb password
-preop_pin: pre op pin
-domain_name: domain name
-admin_user: Admin user name
-admin_email: Admin email
-admin_password: Admin password
-agent_name: Agent cert nickname
-token_name: HSM/software token name
-token_pwd: HSM/software token password
-key_size: Key size
-key_type: Key type [rsa]
-agent_key_size: Agent cert key size
-agent_key_type: Agent cert key type [rsa]
-agent_cert_subject: Agent cert subject
-ra_subsystem_cert_subject_name: RA subsystem cert subject name
-ra_server_cert_subject_name: RA server cert subject name
-subsystem_name: RA subsystem name

This tool has the following syntax for the DRM, OCSP, and TKS subsystems:

    perl pkisilent ConfigureSubsystemType -cs_hostname hostname -cs_port SSLport -ca_hostname hostname -ca_port port -ca_ssl_port SSLport -ca_agent_name agentName -ca_agent_password password -client_certdb_dir certDBdir -client_certdb_pwd password -preop_pin preoppin -domain_name domain_name -admin_user adminUID -admin_email admin@email -admin_password password -agent_name agentName -ldap_host hostname -ldap_port port -bind_dn bindDN -bind_password password -base_dn search_base_DN -db_name dbName -key_size keySize -key_type keyType -agent_key_size keySize -agent_key_type keyType -agent_cert_subject cert_subject_name -backup_pwd password

This tool has the following syntax for the TPS subsystem:

    perl pkisilent ConfigureTPS -cs_hostname hostname -cs_port SSLport -ca_hostname hostname -ca_port port -ca_ssl_port SSLport -ca_agent_name agentName -ca_agent_password password -client_certdb_dir certDBdir -client_certdb_pwd password -preop_pin preoppin -domain_name domain_name -admin_user adminUID -admin_email admin@email -admin_password password -agent_name agentName -ldap_host hostname -ldap_port port -bind_dn bindDN -bind_password password -base_dn search_base_DN -db_name dbName -key_size keySize -key_type keyType -agent_key_size keySize -agent_key_type keyType -agent_cert_subject cert_subject_name -ldap_auth_host ldap_auth_host -ldap_auth_port ldap_auth_port -ldap_auth_base_dn ldap_auth_base_dn

Java™ Class Name: Subsystem
ConfigureCA: For the CA.
ConfigureRA: For the RA.
ConfigureDRM: For the DRM.
ConfigureOCSP: For the OCSP.
ConfigureTKS: For the TKS.
ConfigureTPS: For the TPS.
Table 2.1.

NOTE: The ConfigureCA script is used to create a security domain or to add the new CA to an existing domain. The other scripts only add the subsystem to an existing domain.

Parameter: Description
cs_hostname: The hostname for the Certificate System machine.
cs_port: The SSL port number of the Certificate System instance.
ca_hostname: The hostname for the CA subsystem which will issue the certificates for the DRM, OCSP, TKS, or TPS subsystem.
ca_port: The non-SSL port number of the CA.
ca_ssl_port: The SSL port number of the CA.
ca_agent_name: The UID of the CA agent.
ca_agent_password: The password of the CA agent.
client_certdb_dir: The directory for the subsystem certificate databases.
client_certdb_pwd: The password to protect the certificate database.
preop_pin: The preoperation PIN number used for the initial configuration.
domain_name: The name of the security domain to which the subsystem will be added.
admin_user: The new admin user for the new subsystem.
admin_email: The email address of the admin user.
admin_password: The password for the admin user.
agent_name: The new agent for the new subsystem.
agent_key_size: The key size to use for generating the agent certificate and key pair.
agent_key_type: The key type to use for generating the agent certificate and key pair.
agent_cert_subject: The subject name for the agent certificate.
ldap_host: The hostname of the Directory Server machine.
ldap_port: The non-SSL port of the Directory Server.
bind_dn: The bind DN which will access the Directory Server; this is normally the Directory Manager ID.
bind_password: The bind DN password.
base_dn: The entry DN under which to create all of the subsystem entries.
db_name: The database name.
key_size: The size of the key to generate. The recommended size for an RSA key is 1024 bits for regular operations and 2048 bits for sensitive operations.
key_type: The type of key to generate; the only option is RSA.
save_p12: Sets whether to export the keys and certificate information to a backup PKCS #12 file. true backs up the information; false does not back up the information. Only for the CA subsystem.
backup_pwd: The password to protect the PKCS #12 backup file containing the subsystem keys and certificates. Not for use with TPS installation.
token_name: Gives the name of the HSM token used to store the subsystem certificates. Only for the CA subsystem.
token_pwd: Gives the password for the HSM. Only for the CA subsystem.
ldap_auth_host: Gives the hostname of the LDAP directory database to use for the TPS subsystem token database. Only for the TPS subsystem.
ldap_auth_port: Gives the port number of the LDAP directory database to use for the TPS subsystem token database. Only for the TPS subsystem.
ldap_auth_base_dn: Gives the base DN in the LDAP directory tree of the TPS token database under which to create token entries. Only for the TPS subsystem.
Table 2.2. Parameters for pkisilent

2. Usage

The options are slightly different between the subsystems; all subsystems except for the CA subsystem require extra options specifying the Certificate Authority to which to submit the certificate requests.

This silent installation script example installs a CA subsystem:

    perl pkisilent ConfigureCA -cs_hostname localhost -cs_port 9543 -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin preoppin -domain_name "testca" -admin_user admin -admin_email "admin@example.com" -admin_password password -agent_name "rhpki-ca2 agent" -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "ca agent cert" -ldap_host server -ldap_port 389 -bind_dn "cn=directory manager" -bind_password password -base_dn "o=rhpki-ca2" -db_name "rhpki-ca2" -key_size 2048 -key_type rsa -save_p12 true -backup_pwd password

This silent installation script example installs a TKS subsystem; this script has extra options to point to the CA server:

    perl pkisilent ConfigureTKS -cs_hostname localhost -cs_port 13543 -ca_hostname server.example.com -ca_port 9080 -ca_ssl_port 9443 -ca_agent_name agent -ca_agent_password password -client_certdb_dir /tmp/ -client_certdb_pwd password -preop_pin preoppin -domain_name "testca" -admin_user admin -admin_email "admin@example.com" -admin_password password -agent_name "rhpki-tks2 agent" -ldap_host server -ldap_port 389 -bind_dn "cn=directory manager" -bind_password password -base_dn "o=rhpki-tks2" -db_name "rhpki-tks2" -key_size 2048 -key_type rsa -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject "tks agent cert" -backup_pwd password

This silent installation script example installs a TPS subsystem; this script has extra options to point to the LDAP authentication database used for storing token information:

Chapter 3. TokenInfo

This tool is used to determine which external hardware tokens are visible to the Certificate System subsystem.
This can be used to diagnose whether problems using tokens are related to the Certificate System being unable to detect it.

1. Syntax

The TokenInfo tool has the following syntax:

    TokenInfo /directory/alias

/directory/alias: Specifies the path and file to the certificate and key database directory; for example, /var/lib/rhpki-ca/alias/.
Table 3.1.

Chapter 4. SSLGet

This tool is similar to the wget command, which downloads files over HTTP. sslget supports client authentication using NSS libraries. The configuration wizard uses this utility to retrieve security domain information from the CA.

1. Syntax

The sslget tool has the following syntax:

    sslget [-e profile_information] -n rsa_nickname [-p password | -w pwfile] [-d dbdir] [-v] [-V] -r url hostname[:port]

Option: Description
-e: Optional. Submits information through a subsystem form by specifying the form name and the form fields. For example, this can be used to submit certificate enrollments through a certificate profile.
-n: Gives the CA certificate nickname.
-p: Gives the certificate database password. Not used if the -w option is used.
-w: Optional. Gives the password file path and name. Not used if the -p option is used.
-d: Optional. Gives the path to the security databases.
-v: Optional. Sets the operation in verbose mode.
-V: Optional. Gives the version of the sslget tool.
-r: Gives the URL of the site or server from which to download the information.
hostname: Gives the hostname of the server to which to send the request.
port: Optional. Gives the port number of the server.
Table 4.1.

2. Usage

It is possible to use sslget to submit information securely to Certificate System subsystems. For example, to submit a certificate request through a certificate profile enrollment form to a CA, the command is as follows:

Chapter 5. AuditVerify

1. About the AuditVerify Tool

The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised. Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool response indicates either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised).

2. Setting up the Auditor's Database

AuditVerify needs access to a set of security databases containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.

The auditor should import the audit signing certificate into certificate and key databases before running AuditVerify. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. If there are no readily accessible certificate and key databases, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain. To create the security databases and import the certificate chain, do the following:

1. Create the security database directory in the filesystem.

    mkdir /var/lib/instance_ID/logs/signedAudit/dbdir

2. Use the certutil tool to create an empty set of certificate databases.

    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -N

3. Import the CA certificate and log signing certificate into the databases, marking the CA certificate as trusted. The certificates can be obtained from the CA in ASCII format. If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, both in the Certificate System alias/ directory, then certutil is used to set the trust for the new audit security database directory pointing to those files, as follows:

    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
    certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "Log Signing Certificate" -a -i /var/lib/instance_ID/alias/logsigncert.txt

3. Syntax

The AuditVerify tool has the following syntax:

    AuditVerify -d dbdir -n signing_certificate_nickname -a logListFile [-P cert/key_db_prefix] [-v]

-d: Specifies the directory containing the security databases with the imported audit log signing certificate.
-n: Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the log signing certificate was imported into that database.
-a: Specifies the text file containing a comma-separated list (in chronological order) of the signed audit logs to be verified. The contents of the logListFile are the full paths to the audit logs. For example (the rotated-log suffixes, shown here as <timestamp>, are not legible in this copy):

    /var/lib/rhpki-ca/logs/signedAudit/ca_cert-ca_audit.<timestamp>, \
    /var/lib/rhpki-ca/logs/signedAudit/ca_cert-ca_audit.<timestamp>, \
    /var/lib/rhpki-ca/logs/signedAudit/ca_cert-ca_audit

-P: Optional. The prefix to prepend to the certificate and key database filenames. If used, a value of empty quotation marks ("") should be specified for this argument, since the auditor is using separate certificate and key databases from the Certificate System instance and it is unlikely that the prefix should be prepended to the new audit security database files.
-v: Optional. Specifies verbose output.
Table 5.1.
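The auditor's workflow above has two error-prone manual steps: assembling the comma-separated, chronologically ordered logListFile, and reading the tool's return code. The following POSIX shell helper is an added example, not code from the Red Hat guide. It assumes (the guide does not say this) that rotated signed audit logs carry a fixed-width numeric suffix after the base name (ca_audit.20080101120000) while the live log has no suffix, and that AuditVerify is on the PATH with the options and return codes (0 verified, 1 tool error, 2 invalid signature) documented in this chapter.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): prepare and run an AuditVerify
# check of a Certificate System signed-audit directory.
#
# Assumptions (not stated by the guide): rotated signed audit logs carry a
# fixed-width numeric suffix after the base name (ca_audit.20080101120000)
# and the live log has no suffix; the tool, option names and return codes
# are the documented ones (0 verified, 1 tool error, 2 bad signature).

# build_loglist DIR OUTFILE [BASENAME]
# Writes the comma-separated, chronological list of full log paths that
# AuditVerify expects in the file named by -a, and echoes the same list.
build_loglist() {
    dir=$1
    out=$2
    base=${3:-ca_audit}
    list=""
    # Rotated logs first. The suffixes are fixed-width digits, so a plain
    # lexical sort is chronological.
    for name in $(ls "$dir" | grep "^${base}\.[0-9][0-9]*$" | sort); do
        list="${list:+$list, }$dir/$name"
    done
    # The live (unrotated) log is the newest and goes last.
    if [ -f "$dir/$base" ]; then
        list="${list:+$list, }$dir/$base"
    fi
    printf '%s\n' "$list" > "$out"
    printf '%s\n' "$list"
}

# auditverify_meaning RC -> one-word meaning of an AuditVerify return code
auditverify_meaning() {
    case "$1" in
        0) echo "verified" ;;
        1) echo "tool-error" ;;
        2) echo "invalid-signature" ;;
        *) echo "unknown" ;;
    esac
}

# verify_signed_audit DBDIR NICKNAME LOGLISTFILE
# Runs AuditVerify against the auditor's separate NSS database (-P "" because
# that database has no prefix) and returns the tool's own return code.
verify_signed_audit() {
    if AuditVerify -d "$1" -n "$2" -a "$3" -P "" -v; then
        rc=0
    else
        rc=$?
    fi
    echo "AuditVerify returned $rc ($(auditverify_meaning "$rc"))"
    return "$rc"
}

# Typical use, run only where the tool is installed:
#   build_loglist /var/lib/rhpki-ca/logs/signedAudit /etc/audit/logListFile ca_cert-ca_audit
#   verify_signed_audit /usr/home/smith/.redhat auditsigningcert /etc/audit/logListFile
```

Keeping the live log last matters: AuditVerify checks the signature chain across files in the order listed, so a list that is not chronological reports a failure that has nothing to do with tampering.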
4. Return Values

When AuditVerify is used, one of the following codes is returned:

Return Value: Description
0: Indicates that the signed audit log has been successfully verified.
1: Indicates that there was an error while the tool was running.
2: Indicates that one or more invalid signatures were found in the specified file, meaning that at least one of the log files could not be verified.
Table 5.2.

5. Usage

After a separate audit database directory has been configured, do the following:

1. Create a text file containing a comma-separated list of the log files to be verified. The name of this file is referenced in the AuditVerify command. For example, this file could be logListFile in the /etc/audit directory. The contents are the comma-separated list of audit logs to be verified, such as "auditlog.1213, auditlog.1214, auditlog.1215".

2. If the audit databases do not contain prefixes and are located in the user home directory, such as /usr/home/smith/.redhat, and the signing certificate nickname is "auditsigningcert", the AuditVerify command is run as follows:

    AuditVerify -d /usr/home/smith/.redhat -n auditsigningcert -a /etc/audit/logListFile -P "" -v

Chapter 6. PIN Generator

For the Certificate System to use the UidPwdPinDirAuth authentication plug-in module, the authentication directory must contain unique PINs for each end entity which will be issued a certificate. The Certificate System provides a tool, the PIN Generator, which generates unique PINs for end-entity entries in an LDAP directory. The tool stores these PINs as hashed values in the same directory against the corresponding user entries. It also copies the PINs to a text file so that the PINs can be sent to the end entities.

1. The setpin Command

This chapter describes the syntax and arguments of the setpin tool and the expected responses. For information on generating and storing PINs in the user authentication directory, see the Certificate System Administration Guide.
1.1, Editing the setpin.conf Configuration File Tho =evpin tool can use a configuration fil, s=cpin. cont, to store some of is required options. Before running =erein, modify ths fle to reflect the directory information, and set the s=zpin tool to use this file by daing the following: 1. Open the secrin. cons file, ca /asr/2ib/zhpki/native-tools vi setpin.cont 2. Edit the directory parameters in the file to match the directory installation information. Eater the hostname of the LOAP server ausber of the LOAP sexver Enter the ON of the Directory Manager user binddnacieDizectory Manage: + Binge Enter the password for the Directory manager user # Enver the DN and password for the new pin manager user pinmanager-cn-pinsanager,c~exanpie inmanagerpwde $ Enter the base over which this user has the power # te remove pins xample.com 2 Chapter 6. PIN Generator #8 mis Line switones secpin into setup moge. 42 Fleas do ast cnange i. secup=yes 3. Run setpin, and set the option fle to setpin.cont. setpin optfilee/usr/1ib/rhpki/native-tocls/setpin.cont 1.2, Syntax The sevpin has the following syntax: setpin hostshost_nam= [portsport_number] binddneuser id [bindpw=bind password) filter="ZDAp search filter" [basedn=2DAP base_DN] [ength=zim_iength | minlengthminigum_prv_tength | waxlength=meiimum_ PIN tenet] [gen-character type] [caseupperonly] [hashwalgorithal [galzacteihure-zpap_attripuce to gee forsale creation) (inpur-file name] loutput=rite name] [write] (clobber] [testpingen=count] [debug] [optfile-file name) [setup [pinnanager-pinmanagex user] [pinmanagerpwd=pinmanager_password] | Option hose Required. Specifies the LDAP directory to which to connect, port Specifies the LDAP directory port to which to bind. The default port number is the default LDAP port ingan ‘Required. Specifies the user as whom the PIN Generator binds to the LDAP directory. This user account must have read/write access to the directory. bindpw Gives the password for the user ID set in the ‘pinata option. 
identityProof.enable   If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, identityProof.enable=false
identityProof.sharedSecret   The shared secret for the identityProof control. For example, identityProof.sharedSecret=testing
popLinkWitness.enable   If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, popLinkWitness.enable=false
LraPopWitness.enable   If set to true, then the request contains this control. If this parameter is not set, the value is assumed to be false. For example, LraPopWitness.enable=false
LraPopWitness.bodyPartIDs   The space-delimited list of body part IDs for the LraPopWitness control. For example, LraPopWitness.bodyPartIDs=1

Once a simple CMC request, a PKCS #10 request, has been generated, do the following to send it to the CA:

1. Run the AtoB tool to convert the base-64-encoded PKCS #10 request to binary.
2. Use the HttpClient utility to send the request.

By default, the URI of the servlet that processes a simple CMC request is /ca/ee/ca/profileSubmitCMCSimple; this must be specified in the HttpClient configuration.

Chapter 13. CMC Enrollment

The CMC Enrollment utility, CMCEnroll, is used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.

1. Syntax

This utility has the following syntax:

CMCEnroll -d directory_containing_agent_certificate -h password -n certificate_nickname -r certificate_request -p certificate_DB_passwd [-c comment]

Option   Description
-d       The directory containing the cert8.db, key3.db, and secmod.db files associated with the agent certificate.
-h       Password to the directory specified in the -d option.
-n       The nickname of the agent certificate.
-r       The filename of the certificate request.
-p       The password to the browser certificate database.
-c       Optional. Includes comments about the request.

Table 13.1.

2. Usage

Signed requests must be submitted to the CA, either by sending them directly to the Certificate Authority or by using the CA agent page. Certificate System provides a Certificate Authority Certificate Enrollment form called CMCEnrollment.html. The default configuration of this form does not include the necessary field to paste an enrollment request. To use this form to submit requests, change the configuration so that this field is available.

To enable the CMC Enrollment form for the CA end-entity interface, do the following:

1. Open the CA's web directory.

   cd /var/lib/rhpki-ca/webapps/ca/ee/ca

2. Open the CMCEnrollment.html file.

3. Find the following line:

4. Add the following line below that line:

5. After configuring the HTML form, test CMCEnroll and the form by doing the following:

   a. Create a certificate request using certutil.
   b. Copy the PKCS #10 ASCII output to a text file.
   c. Run the CMCEnroll command to sign the certificate request. If the input file is request34.txt, the agent's certificate is stored in the /export/certs directory, the agent certificate nickname for this CA is certificateManagerAgentsCert, and the certificate database password is the value shown here as certDB_password, the command is as follows:

      CMCEnroll -d /export/certs -h certDB_password -n certificateManagerAgentsCert -r request34.txt -p certDB_password

      The output of this command is stored in a file with the same filename and .out appended to the filename.

   d. Submit the signed certificate request through the CA end-entities page.
      i.   Open the end-entities page.
      ii.  Select the CMC Enrollment profile form.
      iii. Paste the content of the output file into the first text area of this form.
      iv.  Remove -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- from the pasted content.
      v.   Select Certificate Type User Certificate, fill in the contact information, and submit the form.
   e. The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled.
   f. Use the agent page to search for the new certificates.

Chapter 14. CMC Response

The CMC Response utility, CMCResponse, parses a CMC response received by the HttpClient utility.

1. Syntax

The CMC Response utility uses the following syntax:

CMCResponse -d directoryName -i /path/to/CMCResponse.file

Option   Description
-d       Specifies the path to the cert8.db directory.
-i       Specifies the path and filename of the CMC response file.

Table 14.1.

The parsed output is printed to the screen.

Chapter 15. CMC Revocation

The CMC Revocation utility, CMCRevoke, signs a revocation request with an agent's certificate.

1. Syntax

This utility has the following syntax:

CMCRevoke -d directoryName -n nickname -i issuerName -s serialName -m reasonToRevoke -c comment

Option   Description
-d       The path to the directory where the cert8.db, key3.db, and secmod.db databases containing the agent certificates are located.
-n       The nickname of the agent's certificate.
-i       The issuer name of the certificate being revoked.
-s       The decimal serial number of the certificate being revoked.
-m       The reason the certificate is being revoked. The reason codes for the different allowed revocation reasons are as follows:
         0 - Unspecified
         1 - Key compromised
         2 - CA key compromised
         3 - Affiliation changed
         4 - Certificate superseded
         5 - Cessation of operation
         6 - Certificate is on hold
-c       Text comments about the request.

Table 15.1.

2. Testing CMC Revocation

Test that CMC revocation is working properly by doing the following:

1. Create a CMC revocation request for an existing certificate. For example, if the directory containing the agent certificate is /var/lib/rhpki-ca/alias/, the nickname of the certificate is CertificateManagerAgentCert, the issuer name is cn=agentAuthMgr, and the serial number of the certificate is 22, the command is as follows:

   CMCRevoke -d "/var/lib/rhpki-ca/alias" -n "CertificateManagerAgentCert" -i "cn=agentAuthMgr" -s 22 -m 0 -c "test comment"

2. Open the CA's end-entities page.
3. Select the Revocation tab.
4. Select the CMC Revoke link in the menu.
5. Paste the output of CMCRevoke into the text area, and remove the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines from the pasted content.
6. Click Submit.
7.
The results page displays that certificate 22 has been revoked.

Chapter 16. CRMF Pop Request

The CRMFPopClient utility is a tool to send a Certificate Request Message Format (CRMF) request to a Certificate System CA with the request encoded with proof of possession (POP) data that can be verified by the CA server. If a client provides POP information with a request, the server can verify that the requester possesses the private key for the new certificate.

The tool does all of the following:

1. Has the CA enforce or verify POP information encoded within a CRMF request.
2. Makes simple certificate requests without using the standard Certificate System agent page or interface.
3. Makes a simple certificate request that includes a transport certificate for key archival from the DRM.

1. Syntax

There are two syntax styles for the CRMFPopClient utility, depending on the intended use:

CRMFPopClient token_password authenticator host port username password [pop_option] subject_dn [OUTPUT_CERT_REQ]

CRMFPopClient token_password [pop_option] OUTPUT_CERT_REQ subject_dn

Option            Description
token_password    The password for the cryptographic token.
authenticator     The authentication manager within the Certificate System; this is most often set to UidPwdDirAuth.
host              The hostname of the CA instance.
port              The non-SSL port of the Certificate System CA.
username          The Certificate System user for whom the certificate request is issued.
password          The password of the Certificate System user.
pop_option        Optional. Sets the type of POP request to generate; since this can generate invalid requests, this option can be used for testing. There are three values:
                  POP_SUCCESS. Generates a request with the correct POP information; the server verifies that the information is correct.
                  POP_FAIL. Generates a request with incorrect POP information; the server rejects this request if it is submitted. This is used to test server configuration.
                  POP_NONE. Generates a CRMF request with no POP information. If the server is configured to verify all the POP information, then it rejects this request. In that case, it can be used to test the server configuration.
subject_dn        The distinguished name of the requested certificate.
OUTPUT_CERT_REQ   Optional. Prints the generated certificate request to the screen.

Table 16.1.

Note that the first syntax sends the user's directory password over the CA's non-SSL port; run it only on a network where that is acceptable, and use POP_FAIL and POP_NONE only against a test CA, since they exist to confirm that the server rejects bad or missing proof of possession.

2. Usage

The following example generates a CRMF/POP request for the Certificate System user admin, has the server verify that the information is correct, and prints the certificate request to the screen:

CRMFPopClient password123 UidPwdDirAuth host.redhat.com 1026 admin redhat \
    POP_SUCCESS CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ

The following example generates a CRMF/POP request that includes a transport certificate for key archival in the DRM. The transport.txt file containing the base-64 encoded transport certificate must be in the same directory from which the utility is launched; the tool picks up this file automatically.

CRMFPopClient password123 POP_SUCCESS CN=MyTest,C=US,UID=MyUid OUTPUT_CERT_REQ

Note: A transport certificate in base-64 format must be created, in a file named transport.txt, in the directory from which the utility is launched.

Chapter 17. Extension Joiner

The Certificate System provides policy plug-in modules that allow standard and custom X.509 certificate extensions to be added to end-entity certificates that the server issues. Similarly, the Certificate Setup Wizard that generates certificates for subsystem users allows extensions to be selected and included in the certificates. The wizard interface and the request-approval page of the agent interface contain a text area to paste any extension in its MIME-64 encoded format.

The text field for pasting the extension accepts a single extension blob. To add multiple extensions, they must first be combined into a single extension blob, then pasted into the text field. The ExtJoiner tool joins multiple extensions together into a single MIME-64 encoded blob. This new, combined blob can then be pasted in the wizard text field or the request-approval page of the agent interface to specify multiple extensions at once.

1. Syntax

The ExtJoiner utility has the following syntax:

ExtJoiner ext_file0 ext_file1 ... ext_fileN

Option      Description
ext_fileN   Specifies the path and names for files containing the base-64 DER encoding of an X.509 extension.

Table 17.1.

2. Usage

ExtJoiner does not generate an extension in its MIME-64 encoded format; it joins existing MIME-64 encoded extensions. To join multiple custom extensions and add the extensions to a certificate request using ExtJoiner, do the following:

1. Find and note the location of the extension program files.

2. Run ExtJoiner, specifying the extension files. For example, if there are two extension files named myExt1 and myExt2 in a directory called /etc/extensions, then the command would be as follows:

   ExtJoiner /etc/extensions/myExt1 /etc/extensions/myExt2

   This creates a single base-64 encoded blob of the joined extensions.

3. Copy the encoded blob, without any modifications, to a file.

4. Verify that the extensions are joined correctly before adding them to a certificate request by converting the base-64 ASCII data to binary using the AtoB utility and then dumping the contents of the decoded blob using the dumpasn1 utility. For information on the AtoB utility, see Chapter 7, ASCII to Binary. The dumpasn1 tool can be downloaded at http://fedoraproject.org/extras/4/i386/repodata/repoview/dumpasn1-0-20050404.1.fc4.html.

   a. Run the AtoB utility to convert the ASCII to binary:

      AtoB input_file output_file

      where input_file is the path and file containing the base-64 encoded data in ASCII and output_file is the path and file for the utility to write the binary output.

   b. Run the dumpasn1 utility:

      dumpasn1 output_file

      where output_file is the path and file containing the binary data. The output looks similar to this (the joined blob is one SEQUENCE holding one Extension SEQUENCE per input file):

        0 30   76: SEQUENCE {
        2 30   46:   SEQUENCE {
        4 06    3:     OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
        9 01    1:     BOOLEAN TRUE
       12 04   36:     OCTET STRING
                 :       30 22 06 05 2A 83 45 04 03 06 0A 51 ... (remaining bytes omitted)
                 :     }
       50 30   26:   SEQUENCE {
       52 06    3:     OBJECT IDENTIFIER issuerAltName (2 5 29 18)
       57 04   19:     OCTET STRING
                 :       30 11 A4 0F 30 0D 31 0B 30 09 06 03 55 04 06 13 02 55 53
                 :     }
                 :   }

   If the output data do not appear to be correct, check that the original Java extension files are correct, and repeat converting the files from ASCII to binary and dumping the data until the correct output is returned.

5. When the extensions have been verified, copy the base-64 encoded blob that was created by running ExtJoiner to the Certificate System wizard screen, and generate the certificate or the certificate signing request (CSR).

Chapter 18. Key Usage Extension

The GenExtKeyUsage tool creates a base-64 encoded blob that adds extKeyUsage (OID 2.5.29.37) to the certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenExtKeyUsage tool has the following syntax:

GenExtKeyUsage [true|false] OID ...

Option         Description
true | false   Sets the criticality. true means the extension is critical; false means it is not critical. The criticality value is used during the certificate validation process. If an extension is marked as critical, then the path validation software must be capable of interpreting that extension.
OID            The OID numbers that represent each certificate type selected for the certificate.

Table 18.1.

For more information on the OIDs that can be used for each certificate type, refer to appendix A, "Certificate and CRL Extensions," in the Certificate System Administrator's Guide.

Chapter 19.
Issuer Alternative Name Extension

The GenIssuerAltNameExt tool creates a base-64 encoded blob that adds the issuer alternative name extension, issuerAltNameExt (OID 2.5.29.18), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenIssuerAltNameExt tool uses parameter pairs where the first parameter specifies the general type of name attribute which is used for the issuer and the second parameter gives that name in that format. The tool has the following syntax:

GenIssuerAltNameExt general_type0 general_name0 ... general_typeN general_nameN

Parameter      Description
general_type   Sets the type of name. It can be one of the following strings:
               RFC822Name
               DirectoryName
               DNSName
               EDIPartyName
               URIName
               IPAddress
               OIDName
               OtherName
general_name   A string, conforming to the name type, that gives the name of the issuer.
               For RFC822Name, the value must be a valid Internet mail address. For example, testCA@example.com.
               For DirectoryName, the value must be a string form of X.500 name, similar to the subject name in a certificate. For example, cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
               For DNSName, the value must be a valid fully-qualified domain name. For example, testCA.example.com.
               For EDIPartyName, the value must be an IA5String. For example, Example Corporation.
               For URIName, the value must be a non-relative URI following the URL syntax and encoding rules. The name must include both a scheme, such as http, and a fully qualified domain name or IP address of the host. For example, http://testCA.example.com.
               For IPAddress, the value must be a valid IP address. An IPv4 address must be in the format n.n.n.n or n.n.n.n,m.m.m.m. For example, 128.21.39.40 or 128.21.39.40,255.255.255.00. An IPv6 address with netmask is separated by a comma. For example, 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, or FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
               For OIDName, the value must be a unique, valid OID specified in dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99.
               OtherName is used for names with any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. PrintableString, IA5String, UTF8String, BMPString, and Any set a string to a base-64 encoded file specifying the subtree. KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.

Table 19.1.

2. Usage

The following example sets the issuer name in the RFC822Name and DirectoryName formats:

GenIssuerAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom

Chapter 20. Subject Alternative Name Extension

The GenSubjectAltNameExt tool creates a base-64 encoded blob to add the subject alternative name extension, subjectAltNameExt (OID 2.5.29.17), to the new certificate. This blob is pasted into the certificate approval page when the certificate is created.

1. Syntax

The GenSubjectAltNameExt tool uses parameter pairs where the first parameter specifies the type of name format, and the second parameter gives that name in the specified format. This tool has the following syntax:

GenSubjectAltNameExt general_type0 general_name0 ... general_typeN general_nameN

Parameter      Description
general_type   Sets the type of name that is used. This can be any of the following strings: RFC822Name, DirectoryName, DNSName, EDIPartyName, URIName, IPAddress, OIDName, OtherName.
general_name   A string, conforming to the specified format, of the subject name. The value rules for each type are the same as for GenIssuerAltNameExt (see Table 19.1):
               RFC822Name: a valid Internet mail address, such as testCA@example.com.
               DirectoryName: a string form of X.500 name, such as cn=SubCA, ou=Research Dept, o=Example Corporation, c=US.
               DNSName: a valid fully-qualified domain name, such as testCA.example.com.
               EDIPartyName: an IA5String, such as Example Corporation.
               URIName: a non-relative URI with a scheme and a fully qualified host name or IP address, such as http://testCA.example.com.
               IPAddress: a valid IPv4 address, optionally followed by a comma and a netmask, such as 128.21.39.40 or 128.21.39.40,255.255.255.00; or an IPv6 address, optionally followed by a comma and a netmask, such as 0:0:0:0:0:0:13.1.68.3, FF01::43, 0:0:0:0:0:0:13.1.68.3,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:255.255.255.0, or FF01::43,FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FF00:0000.
               OIDName: a unique, valid OID in dot-separated numeric notation, such as 1.2.3.4.55.6.5.99.
               OtherName: any other format; supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. The first five set a string to a base-64 encoded file specifying the subtree; KerberosName has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.

Table 20.1.

2. Usage

In the following example, the subject alternative names are set to the RFC822Name and DirectoryName types:

GenSubjectAltNameExt RFC822Name TomTom@redhat.com DirectoryName cn=TomTom

Chapter 21. HTTP Client

The HTTP Client utility, HttpClient, sends a CMC request (created with the CMC Request utility) or a PKCS #10 request to a CA.

1. Syntax

This utility takes a single .cfg configuration file as a parameter. The syntax is as follows:

HttpClient /path/to/file.cfg

The .cfg file has the following parameters:

Parameter    Description
host         The hostname of the Certificate System server. For example: host=server.com
port         The port number for the Certificate System server.
secure       true for an HTTPS connection, false for an HTTP connection. For example: secure=true
input        The full path and filename for the enrollment request, which must be in binary format. For example: input=cmcReqCAMain
output       The full path and filename for the response in binary format. For example: output=cmcresp
dbdir        The full path to the directory where the cert8.db, key3.db, and secmod.db databases are located. This parameter is ignored if secure=false.
clientmode   true for client authentication, false for no client authentication. This parameter is ignored if secure=false. For example: clientmode=true
password     The password for the cert8.db database. This parameter is ignored if secure=false and clientmode=false. For example: password=redhat
nickname     The nickname of the client certificate. This parameter is ignored if clientmode=false. For example: nickname=Agent-102504a's 102504a ID
servlet      The URI of the servlet that processes full CMC requests. The default value is /ca/profileSubmitCMCFull. For example: servlet=/ca/profileSubmitCMCFull

Table 21.1.

Because the file can hold the certificate database password in clear text, restrict its permissions in the same way as any other credential file.

Chapter 22. OCSP Request

The OCSP request utility, OCSPClient, creates an OCSP request conforming to RFC 2560, submits it to the OCSP server, and saves the OCSP response in a file.

1. Syntax

The OCSPClient tool has the following syntax:

OCSPClient host port dbdir nickname serialnumber output times

Option         Description
host           Specifies the hostname of the OCSP server.
port           Gives the port number of the OCSP server.
dbdir          Gives the location of the security databases (cert8.db, key3.db, and secmod.db) which contain the CA certificate that signed the certificate being checked.
nickname       Gives the CA certificate nickname.
serialnumber   Gives the serial number of the certificate whose status is being checked.
output         Gives the path and file to which to print the DER-encoded OCSP response.
times          Specifies the number of times to submit the request.

Table 22.1.

Chapter 23. PKCS #10 Client

The PKCS #10 utility, PKCS10Client, generates a 1024-bit RSA key pair in the security database, constructs a PKCS #10 certificate request with the public key, and outputs the request to a file. The key size is fixed at 1024 bits, which is below the 2048-bit minimum now expected for RSA keys, so use this tool only where that is acceptable.

PKCS #10 is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests. The Certificate System CA supports KEYGEN, PKCS #10, CRMF, and CMC.

To get a certificate from the CA, the certificate request needs to be submitted to and approved by a CA agent. Once approved, a certificate is created for the request, and certificate attributes, such as extensions, are populated according to certificate profiles.

1. Syntax

The PKCS10Client tool has the following syntax:

PKCS10Client -p certDBPassword -d certDBDirectory -o outputFile -s subjectDN

Option   Description
-p       Gives the password for the security databases.
-d       Gives the path to the security databases.
-o       Sets the path and filename to output the new PKCS #10 certificate request.
-s       Gives the subject DN of the certificate.

Table 23.1.

Chapter 24. Bulk Issuance Tool

The bulkissuance utility sends a KEYGEN or a CRMF enrollment request to the bulk issuance interface of a CA to create certificates automatically. The bulkissuance utility does not generate the certificate request itself. It submits the content in the input file to the CA server's bulk issuance interface.

The bulk issuance interface is part of the agent interface of the CA. If the request is submitted through the agent interface, the request is processed, and the certificate is created immediately.

1. Syntax

The bulkissuance command has the following syntax:

bulkissuance -n req_nickname [-p password | -w passwordFile] [-d dbdir] [-v] [-V] -f inputFile hostname[:port]

Option     Description
-n         Gives the agent certificate nickname.
-p         Gives the certificate database password. Not used if the -w option is used.
-w         Optional. Gives the path to the password file. Not used if the -p option is used.
-d         Optional. Gives the path to the security databases.
-v         Optional. Sets the operation in verbose mode.
-V         Optional. Gives the version of the bulkissuance tool.
-f         Gives the path and filename of the input file containing an HTTP request to send to the specified hostname.
hostname   Gives the hostname of the server to which to send the request.
port       Optional. Gives the port number of the server.

Table 24.1.

Chapter 25. Revocation Automation Utility

The revoker utility sends revocation requests to the CA agent interface to revoke certificates. To access the interface, revoker needs to have access to an agent certificate that is acceptable to the CA.

The revoker tool can do all of the following:

- Specify which certificate or a list of certificates to revoke by listing the hexadecimal serial numbers.
- Specify a revocation reason.
- Specify an invalidity date.
- Unrevoke a certificate that is currently on hold.

1. Syntax

The revoker utility has the following syntax:

revoker -s serialNumber -n req_nickname [-p password | -w passwordFile] [-d dbdir] [-v] [-V] [-u] [-r reasonCode] [-i numberOfHours] hostname[:port]

Option     Description
-s         Gives the serial numbers in hexadecimal of the certificates to revoke. (CMCRevoke, by contrast, takes a decimal serial number.)
-n         Gives the agent certificate nickname.
-p         Gives the certificate database password. Not used if the -w option is used.
-w         Optional. Gives the path to the password file. Not used if the -p option is used.
-d         Optional. Gives the path to the security databases.
-v         Optional. Sets the operation in verbose mode.
-V         Optional. Gives the version of the revoker tool.
-u         Optional. Unrevokes a certificate that is currently on hold.
-r         Gives the reason to revoke the certificate. The following are the possible reasons:
           0 - Unspecified (default)
           1 - The key was compromised.
           2 - The CA key was compromised.
           3 - The affiliation of the user has changed.
           4 - The certificate has been superseded.
           5 - Cessation of operation.
           6 - The certificate is on hold.
-i         Sets the invalidity date in hours from the current time for when to revoke the certificate.
hostname   Gives the hostname of the server to which to send the request.
port       Optional. Gives the port number of the server.

Table 25.1.

Index

A
ASCII to Binary tool, 31
    example, 31
    syntax, 31

B
Binary to ASCII tool, 33
    example, 33
    syntax, 33

C
command-line utilities
    ASCII to Binary, 31
    Binary to ASCII, 33
    extension joiner, 67
    for adding extensions to CMS certificates, 67
    PIN Generator, 24
    Pretty Print Certificate, 35
    Pretty Print CRL, 39
    sslget, 15
    TKS tool, 44
    TokenInfo, 13

E
Extension Joiner tool, 67
extensions
    tools for generating, 67
ExtJoiner tool
    example, 67
    syntax, 67

P
PIN Generator tool, 24
    exit codes, 30
    how it works, 25
    how PINs are stored in the directory, 29
    output file, 29
        checking the directory-entry status, 27
        format, 29
        reasons to use an output file, 27
    overwriting existing PINs in the directory, 24
Pretty Print Certificate tool, 35
    example, 35
    syntax, 35
Pretty Print CRL tool, 39
    example, 39
    syntax, 39

S
setpin command, 21
sslget tool, 15
    syntax, 15

T
TKS tool
    options, 43
    sample, 44
    syntax, 41
TokenInfo tool, 13
    syntax, 13
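The following Python program is an added example and is not part of this guide or of the Certificate System tools. It refers back to Chapters 17 through 20: it builds, with the standard library only, the extKeyUsage extension that GenExtKeyUsage emits for a criticality flag and a list of OIDs, and the subjectAltName extension that GenSubjectAltNameExt emits for general_type/general_name pairs; it then joins the two the way ExtJoiner does (one SEQUENCE of Extension structures, base-64 encoded) and decodes the joined blob back into (OID, criticality, extnValue length) triples, which is the check the Extension Joiner chapter performs with AtoB and dumpasn1. The OIDs, names and addresses are constructed sample values; the DER layout matches the dumpasn1 listing in Chapter 17, but the program is not a byte-for-byte reproduction of the tools' own output, which the guide does not publish, and it handles only the general_type values that are pure strings or addresses (DirectoryName, EDIPartyName and OtherName are not encoded here).

```python
"""Added example (not from the Certificate System guide or its tools): encode
extKeyUsage and subjectAltName extensions, join them as ExtJoiner does, and
decode the result as the AtoB + dumpasn1 check does.  Standard library only."""
import base64
import ipaddress


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def oid_contents(dotted):
    """Base-128 contents octets of an OBJECT IDENTIFIER (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = tlv(0x06, oid_contents(oid))
    if critical:                      # DEFAULT FALSE is omitted when not critical
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))


def ext_key_usage(critical, oids):
    """What `GenExtKeyUsage [true|false] OID ...` produces: extKeyUsage, 2.5.29.37."""
    purposes = b"".join(tlv(0x06, oid_contents(o)) for o in oids)
    return extension("2.5.29.37", critical, tlv(0x30, purposes))


def general_name(kind, value):
    """One GeneralName CHOICE, keyed by the general_type names the Gen*AltNameExt tools take."""
    if kind == "RFC822Name":
        return tlv(0x81, value.encode("ascii"))
    if kind == "DNSName":
        return tlv(0x82, value.encode("ascii"))
    if kind == "URIName":
        return tlv(0x86, value.encode("ascii"))
    if kind == "IPAddress":           # "addr" or "addr,netmask", as in Table 19.1
        addr, _, mask = value.partition(",")
        packed = ipaddress.ip_address(addr).packed
        if mask:
            packed += ipaddress.ip_address(mask).packed
        return tlv(0x87, packed)
    if kind == "OIDName":             # registeredID [8] IMPLICIT OBJECT IDENTIFIER
        return tlv(0x88, oid_contents(value))
    raise ValueError("general_type not handled in this example: " + kind)


def subject_alt_name(pairs):
    """What `GenSubjectAltNameExt type0 name0 ...` produces: subjectAltName, 2.5.29.17."""
    names = b"".join(general_name(k, v) for k, v in pairs)
    return extension("2.5.29.17", False, tlv(0x30, names))


def ext_joiner(*exts):
    """ExtJoiner's job: one SEQUENCE OF Extension, base-64 encoded."""
    return base64.b64encode(tlv(0x30, b"".join(exts))).decode("ascii")


def read_tlv(buf, pos):
    """Return (tag, contents, position just after the element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(contents):
    first = contents[0]               # valid for first arcs 0/1/2 with second arc < 40
    arcs, acc = [first // 40, first % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_joined(blob_b64):
    """The dumpasn1 check in script form: [(oid, critical, len(extnValue)), ...]."""
    tag, body, _ = read_tlv(base64.b64decode(blob_b64), 0)
    if tag != 0x30:
        raise ValueError("joined blob is not a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        etag, ext, pos = read_tlv(body, pos)
        if etag != 0x30:
            raise ValueError("extension is not a SEQUENCE")
        _, oid, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                 # optional critical BOOLEAN precedes the OCTET STRING
            critical = val == b"\xff"
            t, val, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        result.append((decode_oid(oid), critical, len(val)))
    return result


# Constructed sample input, modelled on the guide's dumpasn1 listing.
SAMPLE_BLOB = ext_joiner(
    ext_key_usage(True, ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]),
    subject_alt_name([("RFC822Name", "testCA@example.com"),
                      ("DNSName", "testCA.example.com"),
                      ("IPAddress", "128.21.39.40,255.255.255.0")]),
)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    for oid, critical, size in parse_joined(SAMPLE_BLOB):
        print(oid, "critical" if critical else "non-critical", size, "bytes")
```

parse_joined is the useful half: run it over a blob that ExtJoiner actually produced, after pasting it into a string, and confirm that every OID and criticality flag is the one you intended before the blob goes into the wizard or the request-approval page.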
