certlist Command

Purpose

certlist lists the contents of one or more certificates.

Syntax

certlist [-c] [-a attr [attr....] ]tag [username]

Description

The certlist command lists the contents of one or more certificates. Using the -c option causes the output to be formatted as colon-separated data with the attribute names associated with each field on the previous line as follows:

# name: attribute1: attribute2: ... 
User: value1: value2: ...

The -f option causes the output to be formatted in stanza file format with the username attribute given as the stanza name. Each attribute=value pair is listed on a separate line:

user: 
     attribute1=value 
     attribute2=value 
     attribute3=value

When neither of these command line options are selected, the attributes are output as attribute=value pairs.

The -a option selects a list of one or more certificate attributes to output. In addition to the attributes supported by the load module, several pseudo-attributes shall also be provided for each certificate.

Those attributes are:

Item	Description
auth_user	User's authentication certificate.
distinguished_name	User's subject distinguished name in the certificate.
alternate_name	User's subject alternate name in the certificate.
validafter	The date the user's certificate becomes valid.
validuntil	The date the user's certificate becomes invalid.
tag	The name that uniquely identifies this certificate.
issuer	The distinguished name of the certificate issuer.
label	The label that identifies this certificate in the private keystore.
keystore	The location of the private keystore for the private key of the certificate.
serialnumber	The serial number of the certificate.
verified	`true` indicates that the user poved that he is in possession of the private key.

Flags

Item	Description
-c	Displays the output in colon-separated records.
-f	Displays the output in stanzas.
-a attr	Selects one or more attributes to be displayed.

The tag parameter selects which of the user's certificates is to be output. The reserved value ALL indicates that all certificates for the user are to be listed.

The username parameter specifies the name of the AIX® user to be queried. If invoked without the username parameter, the certdelete command uses the name of the current user.

Exit Status

Item	Description
0	If successful.
EINVAL	If the command is ill-formed or the arguments are invalid.
ENOENT	If a) the user doesn't exist, b) the tag does not exist c) the file does not exist.
EACCES	If the attribute cannot be listed, for example, if the invoker does not have read_access to the user data-base.
EPERM	If the user identification and authentication fails.
errno	If system error.

Security

This command can be executed by any user in order to list the attributes of a certificate. Certificates listed may be owned by another user.

Audit

This command records the following event information:

CERT_List <username>

Examples

$ certlist -f -a verified keystore label signcert bob
bob:
      verified=false
      keystore=file:/var/pki/security/keys/bob
      label=signcert
$ certlist -c -a validafter validbefore issuer signcert bob
#name:validafter:validuntil:issuer
bob:1018091201:1018091301:c=US,o=xyz
$ certlist -f ALL bob
bob:
      auth_cert=logincert
      distinguished_name=c=US,o=xyz,cn=bob
      alternate_name=bob@xyz.com
      validafter=0921154701
      validuntil=0921154801
      issuer=c=US,o=xyz
      tag=logincert
      verified=true
      label=loginkey
      keystore=file:/var/pki/security/keys/bob
      serialnumber=03
bob:
      auth_cert=logincert
      distinguished_name=c=US,o=xyz,cn=bob
      alternate_name=bob@ibm.com
      validafter=1018091201
      validuntil=1018091301
      issuer=c=US,o=xyz
      tag=signcert
      verified=false
      label=signkey
      keystore=file:/var/pki/security/keys/bob
      serialnumber=02

Files

/usr/lib/security/pki/acct.cfg

/usr/lib/security/pki/policy.cfg