NAME
     skicert - retrieve, remove, and view a certificate

SYNOPSIS
     skicert -F [-s | -v] [[-h [-L virtual_host]] | -k key_owner]
          [-p | [-B] cert_file]

     skicert [-G] [-p] [-s | -v] [[-h [-L virtual_host]] | -k key_owner]

     skicert -R -h [-L virtual_host] [-s | -v]
          [-e | -a authority -n number]

     skicert -R -k key_owner [-s | -v] [-e | -a authority -n number]

     skicert -S [-p] [-s | -v] [[-B] cert_file]

AVAILABILITY
     SUNWski

DESCRIPTION
     An X.509 certificate binds a public key value to a subject
     identity, represented as an X.500 Distinguished Name (DN). The
     binding is established by having a trusted certification
     authority (CA) digitally sign the certificate. Certificates can
     be stored in any XFN-supported repository, such as NIS or NIS+,
     so that they are available to a large user community.

     The skicert utility retrieves, removes, and views certificates
     held in the configured repository.

  Storing a Certificate in a File
     The skicert -F command retrieves the certificate(s) owned by
     key_owner, or by the host when -h is given, from the naming
     service and stores them in cert_file. If cert_file already
     exists, it is overwritten. If no cert_file is provided, the
     retrieved certificates are written to stdout.

     If the -p option is used, the retrieved certificates are
     displayed one at a time, and for each certificate the user is
     prompted for a filename in which to store it. If no filename is
     given, the displayed certificate is not stored. If the named
     file already exists, it is overwritten.

     key_owner can be given either as an X.500 distinguished name in
     string representation or as a UNIX username. If key_owner is
     not provided, it defaults to the user's UNIX username.

  Viewing a Certificate from the Naming Service
     The skicert -G command retrieves the certificate(s) owned by
     key_owner, or by the host when -h is given, from the configured
     naming service and prints them in a user-friendly format to
     stdout. This is the default operation mode.

     key_owner can be given either as an X.500 distinguished name in
     string representation or as a UNIX username. If no key_owner is
     provided, it defaults to the user's UNIX username.

     By default all certificates are printed at once. If the -p
     option is used, the certificates are displayed one at a time.

  Removing a Certificate
     The skicert -R command allows a system administrator to remove
     one or more host or user certificates from the configured name
     service, such as NIS or NIS+. If the -h option is used, one or
     more certificates belonging to the host are removed from the
     name service; otherwise, one or more certificates owned by
     key_owner are removed. key_owner can be given either as an
     X.500 distinguished name in string representation or as a UNIX
     username.

     If the -e option is specified, all certificates belonging to the
     host or key_owner are removed from the name service. Otherwise,
     the single certificate identified by the combination of
     authority and number is removed, where authority is the X.500
     Distinguished Name, in printable representation, of the issuing
     authority and number is the serial number of the certificate to
     be removed. If neither -e nor authority and number are given on
     the command line, the system administrator is prompted for
     them. An empty issuer at that prompt removes every certificate
     belonging to the host or key_owner, exactly as -e does.

     This operation can only be run by the superuser.

  Viewing a Certificate from a File
     The skicert -S command reads the certificates from the file
     specified by cert_file and prints their contents in a
     user-friendly format to stdout. If no cert_file is given, the
     certificates are read from stdin.

     By default, this mode expects certificates in the RFC 1421 (PEM)
     printable encoding. Use the -B option if cert_file contains a
     binary (DER) formatted certificate. A binary cert_file must not
     contain the "-----BEGIN CERTIFICATE-----" and
     "-----END CERTIFICATE-----" boundaries, and may hold only one
     certificate.

     By default all certificates are printed at once. If the -p
     option is used, the certificates are displayed one at a time.

OPTIONS
     skicert can be run in the following modes:

     -F   Retrieve one or more certificates from the configured
          repository and output them to a file or to stdout. By
          default, each certificate is output in the printable
          encoding defined by Internet RFC 1421, bounded at the
          beginning by "-----BEGIN CERTIFICATE-----" and at the end
          by "-----END CERTIFICATE-----". If the -B option is used,
          the certificate is output in binary format, without
          boundaries.

     -G   View (display the contents of) one or more certificates
          from the configured repository. Each certificate is
          written to stdout in a user-friendly format. This is the
          default operation mode.

     -R   Remove one or more certificates from the configured
          repository.

     -S   Read one or more certificates from the file specified by
          cert_file and write their contents in a user-friendly
          format to stdout. If no cert_file is provided, the
          certificates are read from stdin. By default, each
          certificate in cert_file must be in the printable encoding
          defined by Internet RFC 1421, bounded at the beginning by
          "-----BEGIN CERTIFICATE-----" and at the end by
          "-----END CERTIFICATE-----". Each boundary must be
          followed by a NEWLINE; see the example below. If the -B
          option is used, cert_file must not include the boundaries.

     The following options are supported for all modes:

     -s   Run silently (no status or error information is
          displayed).

     -v   Give verbose output. If both -v and -s are specified, -v
          is ignored.

     The following additional options apply only to skicert -F,
     skicert -G, and skicert -R:

     -h   Operate on a host certificate. This option may not be used
          together with -k.

     -L virtual_host
          Name or dotted-decimal IP address of the virtual host whose
          certificate to operate on. This option is valid only
          together with -h.

     -k key_owner
          Identity of the certificate owner: either an X.500
          distinguished name in string representation, for example
          "cn=Alice Smith, ou=SunSoft, o=SUN, c=US", or a UNIX
          username. Defaults to the user's name. This option may not
          be used together with -h.

     The following additional option applies only to skicert -F and
     skicert -S:

     -B cert_file
          cert_file holds a binary formatted certificate: with -F it
          is written in binary, and with -S it is read as binary.

     The following additional option applies only to skicert -F,
     skicert -G, and skicert -S:

     -p   Display (and, for skicert -F, store) the certificates one
          at a time rather than all at once (the default). With
          skicert -F, this option may not be used together with
          cert_file.

     The following additional options apply only to skicert -R:

     -e   Remove all certificates belonging to the host or key_owner.
          This option may not be used together with -a or -n.

     -a authority
          Issuer of the certificate to be removed, as an X.500
          distinguished name in string representation, e.g.
          "cn=CA, ou=SunSoft, o=SUN, c=US". This option must be used
          together with -n and must not be used together with -e.

     -n number
          Serial number of the certificate to be removed. This
          option must be used together with -a and must not be used
          together with -e.

EXAMPLES
     The command

          example% skicert -G -k "cn=Alice Smith, ou=eng, o=SUN, c=US"

     lets a user view the certificate(s) belonging to the user with
     the distinguished name "cn=Alice Smith, ou=eng, o=SUN, c=US".

     The command

          example% skicert -S certfile

     lets a user view the certificates stored in the file "certfile",
     which must have the following format:

          -----BEGIN CERTIFICATE-----
          MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
          A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
          A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
          FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
          SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
          1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
          2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
          A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
          A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
          AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
          GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
          luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
          ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
          -----END CERTIFICATE-----

     The command

          example% skicert -F -p -k "cn=Alice Smith, ou=eng, o=SUN, c=US"

     lets a user view and store the certificate(s) belonging to the
     user with the distinguished name "cn=Alice Smith, ou=eng, o=SUN,
     c=US". For each returned certificate, the user is prompted for
     a filename in which to store it.

     The command

          example% skicert -R -e -k "cn=Alice Smith, ou=eng, o=SUN, c=US"

     lets a Certification Authority with system administrator
     privileges remove all certificates belonging to the user with
     the distinguished name "cn=Alice Smith, ou=eng, o=SUN, c=US"
     from the configured repository.

EXIT STATUS
     skicert exits with 0 on success and 1 otherwise.

NOTES
     The skicert -R command may only be executed by a system
     administrator who has the privileges needed to update the
     underlying naming service from which the certificate(s) are
     removed.
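     The following is an added example and is not part of skicert,
     SUNWski, or this man page: a small Python reader for the two
     certificate encodings described above (the RFC 1421 form that
     skicert -F writes and skicert -S reads, and the boundary-free
     binary form selected with -B). It enforces the two format rules
     stated under -S (every boundary followed by a NEWLINE; a -B file
     holds exactly one certificate and no boundaries) and extracts
     the issuer DN and serial number, the (authority, number) pair by
     which skicert -R identifies a single certificate. The DER
     parser, the function names, and the OID-to-attribute table are
     this example's own; the sample input is the two-certificate
     "certfile" from EXAMPLES, copied verbatim.

```python
# Added example for this page, not code from skicert or SUNWski.
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One certificate: BEGIN, base64 lines, END, each boundary followed by a NEWLINE.
PEM_RE = re.compile(r"^%s\n(.*?)^%s\n" % (BEGIN, END), re.S | re.M)
ATTR = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.10": "o", "2.5.4.11": "ou", "2.5.4.13": "description"}

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, end offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        yield tag, val

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_to_string(name):
    """Render an X.501 Name the way this man page writes DNs: most specific RDN first."""
    rdns = []
    for _, rdn in children(name):                  # each RDN is a SET ...
        parts = []
        for _, atv in children(rdn):               # ... of AttributeTypeAndValue SEQUENCEs
            (_, oid), (vtag, value) = children(atv)
            oid = decode_oid(oid)
            # UTF8String is UTF-8; Printable/IA5/Teletex values are taken as Latin-1 here
            text = value.decode("utf-8" if vtag == 0x0C else "latin-1")
            parts.append("%s=%s" % (ATTR.get(oid, oid), text))
        rdns.append("+".join(parts))
    return ", ".join(reversed(rdns))

def split_rfc1421(text):
    """DER bytes of each certificate in an RFC 1421-style file (skicert -S default)."""
    blocks = PEM_RE.findall(text)
    if text.count(BEGIN) != len(blocks) or text.count(END) != len(blocks):
        raise ValueError("each boundary must be on its own line, followed by a NEWLINE")
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]

def load_binary(data):
    """skicert -B convention: exactly one DER certificate and no boundaries."""
    if BEGIN.encode() in data or END.encode() in data:
        raise ValueError("-B input must not contain the boundaries")
    if der_tlv(data, 0)[2] != len(data):
        raise ValueError("-B input must hold exactly one certificate")
    return [bytes(data)]

def certificate_identity(der):
    """Return (issuer DN, serial, subject DN); issuer and serial are what -R removes by."""
    tag, cert, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER Certificate")
    fields = list(children(der_tlv(cert, 0)[1]))  # tbsCertificate elements
    i = 1 if fields[0][0] == 0xA0 else 0          # v2/v3 start with [0] version; v1 does not
    if fields[i][0] != 0x02:
        raise ValueError("serialNumber missing")
    serial = int.from_bytes(fields[i][1], "big", signed=True)
    issuer = name_to_string(fields[i + 2][1])     # i+1 is the signature AlgorithmIdentifier
    subject = name_to_string(fields[i + 4][1])    # i+3 is validity
    return issuer, serial, subject

# Constructed sample input: the two-certificate "certfile" from EXAMPLES, verbatim.
CERTFILE = """-----BEGIN CERTIFICATE-----
MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
-----END CERTIFICATE-----
"""
```

     split_rfc1421(CERTFILE) returns the two DER blobs, and
     certificate_identity() on each returns the issuer string and the
     serial as an integer, the values that would go to -a and -n;
     load_binary() applies the -B rules to a raw blob instead. A
     boundary that is not followed by a newline, or a -B input that
     carries boundaries or a second certificate, raises ValueError,
     mirroring the two format rules stated under -S. The reader only
     decodes: it does not check the CA signature, so what it prints
     is a claim until the signature has been verified against the
     issuing authority.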