certadd Command

Purpose

certadd stores a certificate into the local LDAP repository.

Syntax

certadd [-c|-r] [-p privatekeystore] [-f file] -l label tag [username]

Description

The certadd command stores a user-supplied certificate in the local LDAP repository.

If the -c (create only) option is used, an error is returned if the username and tag pair already exists as a named certificate. If the -r (replace only) option is used, an error is returned if the username and tag pair does not already exist as a named certificate. These two options are mutually exclusive. When neither option is given, the entry is created if it does not exist and the existing certificate is replaced by the new certificate if it does.

If the -f option is not given, the certificate is read from stdin. The certificate must be in DER format. The certadd command is restricted to root users, or to users with the appropriate administrative roles, when the username parameter names a user other than the invoker.

The -l option must always be specified. The label is a variable length text string that will be used to map a key in the keystore to the certificate which contains the matching public key. Make sure this label is the same as the one specified when the certcreate command is invoked.

If the -p option is not given, the default will be file:/var/pki/security/keys/<username>. If no protocol is specified, file: is assumed. Currently only URIs of type file: are supported. It is the responsibility of the invoker of this command to ensure that the private keystore contains the private key matching the public key in the certificate. If the certificate to be added is created using the certcreate command, then the private key is already in the private keystore. Alternatively, if the certificate is externally created, the user can later add the private key associated with the public key to the private keystore using the keyadd command.

The tag parameter is a variable length text string from the same character set as user names, used to uniquely identify the certificate among all of the certificates owned by username. The tag ALL is reserved for the certlist command so that all certificates owned by a user may be viewed, and therefore cannot be used with the certadd command. It is also an error to replace the certificate named by the auth_cert attribute for a user. When an existing certificate is replaced with another one, the keys corresponding to the replaced certificate remain in the keystore until deleted by the user; these keys can be removed from the keystore using the key management commands. Similarly, the keys for the new certificate can be added to the keystore using the key management commands. Only a certificate that is not revoked can be added, unless the system policy specifies otherwise.

The system revocation check policy is specified in the policy file, /usr/lib/security/pki/policy.cfg, under the stanza crl. When the check attribute is set to yes, certificates are checked against a CRL. The certificate revocation list is obtained using the CRL Distribution Point information from the certificate and from the /usr/lib/security/pki/ca.cfg file. This file has an entry called crl, which specifies the method of CRL retrieval; the ldap:, http: and file: retrieval methods are supported. If more than one URI is specified, they must be delimited with a space. The certificate is not added if the certificate revocation list cannot be retrieved.
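The policy lookup described above, as an added shell example that is not part of the AIX documentation or the certadd code. It reads a constructed crl stanza of policy.cfg and a constructed crl entry of ca.cfg, decides whether a revocation check applies, and flags any retrieval URI whose scheme is not one of the three supported ones. The stanza layout (a "name:" line followed by indented "attribute = value" lines), the quoting of the crl value and the stanza name local_ca in ca.cfg are assumptions; check them against the real files on your system.

```sh
#!/bin/sh
# Added example, not AIX code: pre-flight check of the CRL policy that
# certadd consults before storing a certificate.
# Assumptions: AIX stanza layout ("name:" then indented "attr = value"
# lines); the ca.cfg stanza name "local_ca" is a placeholder.

# Constructed sample of /usr/lib/security/pki/policy.cfg (crl stanza only)
POLICY_CFG='crl:
    check = yes
'

# Constructed sample of /usr/lib/security/pki/ca.cfg (one CA stanza); the
# third URI uses a scheme certadd does not support for CRL retrieval
CA_CFG='local_ca:
    crl = "ldap://ldap.example.com/cn=crl file:/var/pki/security/crl.der ftp://ftp.example.com/crl"
'

# stanza_attr STANZA ATTR: read a stanza file on stdin and print the value
# of ATTR inside STANZA (surrounding double quotes removed); print nothing
# when the stanza or attribute is absent
stanza_attr() {
    awk -v st="$1" -v at="$2" '
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == st {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); sub(/[ \t]+$/, "", key)
            if (key != at) next
            val = substr(line, n + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)
            print val; exit
        }'
}

# crl_check_required CONTENT: succeed when the crl stanza sets check = yes
crl_check_required() {
    [ "$(printf '%s\n' "$1" | stanza_attr crl check)" = "yes" ]
}

# crl_uris CONTENT STANZA: print the space-delimited CRL URI list
crl_uris() {
    printf '%s\n' "$1" | stanza_attr "$2" crl
}

# crl_unsupported_uris "URI ...": print each URI whose scheme is not
# ldap:, http: or file:; return 1 if any were found, 0 otherwise
crl_unsupported_uris() {
    bad=0
    for uri in $1; do
        case "$uri" in
            ldap:*|http:*|file:*) ;;
            *) printf '%s\n' "$uri"; bad=1 ;;
        esac
    done
    return $bad
}

# Walk the policy the way an administrator would before running certadd
if crl_check_required "$POLICY_CFG"; then
    uris=$(crl_uris "$CA_CFG" local_ca)
    if unsupported=$(crl_unsupported_uris "$uris"); then
        echo "CRL check enabled; all retrieval URIs use supported schemes"
    else
        echo "CRL check enabled, but these URIs cannot be used for retrieval:"
        echo "$unsupported"
    fi
else
    echo "CRL check disabled by policy; a revoked certificate would be accepted"
fi
```

With the constructed samples the script reports that the check is enabled and lists the ftp: URI as unusable, which is exactly the case where certadd would refuse the certificate if the usable URIs were unreachable.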

Flags

Item                 Description
-c                   Adds a new certificate; returns an error if the username and tag pair already exists.
-r                   Replaces an existing certificate; returns an error if the username and tag pair does not exist.
-l label             Specifies a label for the private key that matches the public key in the certificate.
-p privatekeystore   Specifies the location of the private keystore.
-f file              Specifies a file that contains the DER-encoded certificate.

Exit Status

Item   Description
0      The command completed successfully.
>0     An error occurred.

Security

This is a privileged (set-UID root) command.

Root and invokers belonging to group security can add certificates for anybody. A non-privileged user can only add certificates for themselves.

Audit

This command records the following event information:

CERT_Add <username>

Examples

To add a certificate stored in cert.der to the local LDAP repository and associate it with user Bob, enter:

$ certadd -c -f cert.der -l signcert cert1 bob

or:

$ certadd -c -l signcert cert1 bob < cert.der

Either command reads the DER-encoded certificate from the file cert.der, assigns signcert as the label and cert1 as the tag, and stores it in LDAP as Bob's certificate. The default private keystore location is /var/pki/security/keys/bob.

To replace Bob's cert1 certificate with another certificate, enter:

$ certadd -r -f newcert1.der -l newsigncert cert1 bob
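The rules the examples rely on (exactly one of -c and -r, a mandatory -l label, a tag that is not the reserved ALL, a DER-encoded input file and the default keystore path) collected into a pre-flight wrapper, as an added shell example that is not part of the AIX documentation or the certadd code. The wrapper does not call certadd itself; it validates the arguments and prints the command line it would run. The username character set is approximated by the POSIX portable filename character set, and the CERTADD_RUN variable is a hypothetical switch of this wrapper; both are assumptions.

```sh
#!/bin/sh
# Added example, not AIX code: a pre-flight wrapper that applies the rules
# documented for certadd before the privileged command is invoked.
# Assumptions: the username character set is approximated by the POSIX
# portable filename set (A-Z a-z 0-9 . _ -); CERTADD_RUN=1 is a hypothetical
# switch that makes the wrapper run certadd instead of printing the command.

# default_keystore USERNAME: the keystore URI certadd uses when -p is absent
default_keystore() {
    printf 'file:/var/pki/security/keys/%s\n' "$1"
}

# validate_tag TAG: reject an empty tag, the reserved tag ALL, and any
# character outside the (assumed) username character set; return 1 on failure
validate_tag() {
    case "$1" in
        ""|ALL) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# is_der_file FILE: a DER certificate begins with an ASN.1 SEQUENCE tag
# (0x30); a PEM file starting with "-----BEGIN" fails this check, which is
# the most common reason certadd is handed an unusable file
is_der_file() {
    [ -r "$1" ] || return 1
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# certadd_preflight MODE FILE LABEL TAG USERNAME
#   MODE is -c (create only), -r (replace only) or "" (create or replace).
#   Taking a single MODE argument is what keeps -c and -r mutually exclusive.
# On success prints (or, with CERTADD_RUN=1, runs) the certadd command line;
# on failure prints an error to stderr and returns 1.
certadd_preflight() {
    mode=$1 file=$2 label=$3 tag=$4 user=$5
    case "$mode" in
        ""|-c|-r) ;;
        *) echo "error: mode must be -c, -r or empty" >&2; return 1 ;;
    esac
    [ -n "$label" ] || { echo "error: -l label is mandatory" >&2; return 1; }
    [ -n "$user" ] || { echo "error: username is required" >&2; return 1; }
    validate_tag "$tag" || { echo "error: invalid or reserved tag '$tag'" >&2; return 1; }
    is_der_file "$file" || { echo "error: $file is not a readable DER file" >&2; return 1; }
    echo "private keystore that must hold the matching key: $(default_keystore "$user")" >&2
    cmd="certadd${mode:+ $mode} -f $file -l $label $tag $user"
    if [ "${CERTADD_RUN:-0}" = 1 ]; then
        $cmd
    else
        printf '%s\n' "$cmd"
    fi
}

# Usage: sh certadd_preflight.sh [-c|-r|''] FILE LABEL TAG USERNAME
if [ $# -eq 5 ]; then
    certadd_preflight "$@"
fi
```

Run as sh certadd_preflight.sh -c cert.der signcert cert1 bob to reproduce the first example above; the wrapper reports the keystore path file:/var/pki/security/keys/bob that must already contain the private key for label signcert, and refuses the reserved tag ALL or a PEM file before certadd ever runs.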

Files

/usr/lib/security/pki/acct.cfg

/usr/lib/security/pki/ca.cfg

/usr/lib/security/pki/policy.cfg