.TA c \" lowercase initial letter of .TH name
.TH cimtrust 8
.SH NAME
cimtrust \- Add, remove or list X509 certificates in a PEM format trust store.
.SH SYNOPSIS

.B cimtrust
-a [ -U certuser ] -f file -T ( a | e | s )

.B cimtrust
-r -i issuer ( -n serialnumber | -S subject )

.B cimtrust
-l [ -i issuer [ -n serialnumber | -S subject ] ]

.B cimtrust
--help

.B cimtrust
--version

.SS Remarks
The cimtrust command requires that the cimserver is running. This command operates on a truststore on the local system only.
.SH DESCRIPTION
The add option of the cimtrust command adds an X509 certificate \fIfile\fP
of a specified \fItype\fP to the truststore. The \fIcertuser\fP specifies
the username to be associated with the certificate in the file.
If no \fIcertuser\fP is specified, the certificate may not be used
to authenticate a user.
.PP
The remove option of the cimtrust command removes the X509 certificate(s)
matching the specified
.B issuer
and either
.B serialnumber
or
.B subject
from the truststore.
.PP
The list option of the cimtrust command lists the X509 certificates
in the truststore. The list can be filtered by
.B issuer
and either
.B serialnumber
or
.BR subject .
.PP
Certificates in the trust store may be revoked by adding a
Certificate Revocation List to the CRL store. For more information
on CRL operations see the
.BR cimcrl (8)
command.
.SS Options
.B cimtrust
recognizes the following options:
.RS
.TP 15
.B -a
Adds a certificate to the truststore. If the specified
.B file
does not contain a valid X509 certificate an error message is returned
and no action is taken. If the X509 certificate already exists
in the truststore, an error message is returned.
.TP
.B -r
Removes certificate(s) from the truststore. If the truststore contains
multiple certificates matching the specified
.B issuer
and
.BR subject ,
all the matching certificates are removed. If no certificate exists for
the specified
.B issuer
and either
.B serialnumber
or
.BR subject ,
an error message is returned and no action is taken.
.TP
.B -l
Displays the X509 certificates in the truststore.
.TP
.B -f file
Specifies a PEM format file containing an X509 certificate.
.TP
.B -U certuser
Specifies a username to be associated with the specified certificate.
The username specified should be a valid system user on the target system.
.TP
.B -i issuer
Specifies the issuer name of the certificate.
.TP
.B -n serialnumber
Specifies the serial number of the certificate.
.TP
.B -S subject
Specifies the subject name of the certificate.
.TP
.B -T ( a | e | s )
Specifies the type of a certificate. The type must be one of the following:

authority (a): root/intermediate authority certificates. Certificates of this type are added to the trusted certificate store. The certuser is optional for authority certificates. If no certuser is specified, the certificate may not be used to authenticate a user.

authority issued end-entity (e): Certificates of this type are not added to the trusted certificate store. The certuser is required for authority issued end-entity certificates.

Self-signed identity certificate (s): Certificates of this type are not added to the trusted certificate store. The certuser is required for self-signed identity certificates.
.TP
.B --help
Displays the command help message.
.TP
.B --version
Displays the CIM Server version.
.RE
.SH EXIT STATUS
When an error occurs, an error message is written to the standard error
stream and a non-zero exit status value is returned. The following exit
status values are defined:
.RS
.TP
.B 0
Success
.PD
.TP
.B 1
General error
.PD
.TP
.B 2
Connection failed
.PD
.TP
.B 3
Connection timed out
.PD
.TP
.B 4
Certificate already exists
.PD
.TP
.B 5
Certificate does not exist
.PD
.TP
.B 6
Invalid system user
.PD
.RE
.SH EXAMPLES
Add the X509 self-signed identity certificate in the cert.pem file and
associate it with certuser guest. This certificate will be added to the
trusted certificate store:

cimtrust -a -U guest -f cert.pem -T s

Add the X509 authority root CA certificate in the ca.pem file with no certuser
association. This certificate will be added to the trusted certificate store but
may not be used to authenticate a user:

cimtrust -a -f ca.pem -T a

Add the X509 authority issued end-entity certificate in the user.pem file and
associate it with certuser pegasus. This certificate may be used to authenticate
user pegasus but will not be added to the trusted certificate store:

cimtrust -a -f user.pem -U pegasus -T e

Remove the certificate matching the specified issuer and serialnumber from
the trust store:

cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -n 01

Remove the certificate(s) matching the specified issuer and subject from the trust store:

cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -S "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com"

List all the X509 certificates in the trust store:

cimtrust -l
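.PP
The following wrapper is an added example, not part of the original page or of the cimtrust distribution. It checks the -T/-U rule before calling cimtrust and uses the exit status values listed above to make the add operation repeatable in provisioning scripts. The function names, the retry policy, the TRUST_RETRIES and TRUST_RETRY_DELAY variables and return code 64 are assumptions of this example.

```shell
# Added example, not part of the cimtrust distribution. Function names, retry
# policy and return code 64 are assumptions; options and statuses are this page's.

# Map a cimtrust exit status (see EXIT STATUS) to its documented meaning.
trust_status_text() {
    case "$1" in
        0) echo "success" ;;
        1) echo "general error" ;;
        2) echo "connection failed" ;;
        3) echo "connection timed out" ;;
        4) echo "certificate already exists" ;;
        5) echo "certificate does not exist" ;;
        6) echo "invalid system user" ;;
        *) echo "undocumented status $1" ;;
    esac
}

# trust_add FILE TYPE [CERTUSER]
# Returns 0 when the certificate is present afterwards, 64 when the arguments
# are rejected before cimtrust runs, otherwise the cimtrust exit status.
trust_add() {
    ta_file=$1 ta_type=$2 ta_user=${3:-}
    case "$ta_type" in
        a) ;;  # certuser is optional for authority certificates
        e|s) [ -n "$ta_user" ] || { echo "type $ta_type requires -U certuser" >&2; return 64; } ;;
        *) echo "type must be a, e or s" >&2; return 64 ;;
    esac
    [ -r "$ta_file" ] || { echo "cannot read $ta_file" >&2; return 64; }
    set -- -a -f "$ta_file" -T "$ta_type"
    [ -z "$ta_user" ] || set -- "$@" -U "$ta_user"
    ta_tries=0
    while :; do
        ta_rc=0
        cimtrust "$@" || ta_rc=$?   # "|| ..." keeps this safe under set -e
        case "$ta_rc" in
            0) return 0 ;;
            4) # Already present. Status 4 says nothing about which certuser
               # the existing entry maps to, so review it with "cimtrust -l".
               echo "already in truststore: $ta_file" >&2; return 0 ;;
            2|3) # cimserver unreachable; it must be running, so retry briefly
               ta_tries=$((ta_tries + 1))
               [ "$ta_tries" -lt "${TRUST_RETRIES:-3}" ] || break
               sleep "${TRUST_RETRY_DELAY:-2}" ;;
            *) break ;;
        esac
    done
    echo "cimtrust -a failed: $(trust_status_text "$ta_rc")" >&2
    return "$ta_rc"
}
```

Status 6 (invalid system user) is deliberately not retried: it means the certuser passed with -U is not a valid system user on the target, which a retry cannot fix.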
.SH SEE ALSO
.PP
cimserver(8), cimcrl(8), cimconfig(8).