mksecpki Command

Purpose

mksecpki configures AIX® PKI server components. The components of AIX PKI are Certificate Authority, Registration Authority, and Audit subsystems.

Syntax

mksecpki {-u username -f reference_file [-p CA_port] [-H ldap_host] [-D dn -w password] [-i certificate_issuer_dn] | -U username}

Description

The mksecpki command configures AIX PKI server components. mksecpki must be run after configuring an LDAP server to publish certificates. The values for the options -H, -D, -w, and -i must be the same values as the ones specified during the LDAP configuration. Otherwise, the CA will not be able to publish certificates to LDAP.

The -u option specifies the AIX username which will host AIX PKI. The username must follow AIX username rules. Do not use -u and -U together. The invoker of the command will be asked to provide a password for the username. mksecpki will create a database instance with the same name.

The -f option specifies the file containing the reference number and passphrase. Client certificate requests will use these exact same values while communicating with the CA. The reference number and passphrase are each specified on a separate line. The following is the contents of an example iafile:

11122233
temppwd1234

The -p option specifies the port on which the Certificate Authority accepts certificate requests. If no port number is given, 1077 will be assumed.

The -H option specifies the hostname of the LDAP server to which the certificates are published. Prior to invoking the mksecpki command, an LDAP server must be set up to publish certificates. Otherwise, the certificates will not be published to LDAP; however, the certificate will still be returned to the requestor when certificate management commands are used. If the -H option is not given, localhost will be used as the hostname.

The -D option specifies the directory administrator's distinguished name. This must be the same one that was specified during the configuration of the LDAP server.

The -w option specifies the password corresponding to the administrator DN. It is an error to specify the admin DN without the password, or the password without the admin DN.

The -i option specifies the distinguished name of the Certificate Authority issuing the certificates. This must be the same value as the one given when setting up the LDAP server for publishing certificates.

The -U option specifies the username that hosts the AIX PKI that will be unconfigured. The command will ask for confirmation of the unconfiguration before starting its operation. This option removes the username from the system. The invoker of this command will be asked whether the home directory of the username should also be removed. When this command runs without errors, it displays a message indicating successful completion. The invoker of this command should wait for this message before proceeding.

Flags

Item Description
-u username Specifies the username to be created that will host the AIX PKI server components.
-f reference_file Specifies the file that contains the reference number and passphrase that are used when making a certificate creation request.
-p CA_port Specifies the Certificate Authority Communication Port.
-H ldap_host Specifies the LDAP host where the certificates are going to be published.
-D adminDN Specifies directory administrator distinguished name (DN).
Note: The -D option requires that the -w password option also be specified.
-w password Specifies directory administrator password.
-i certificate_issuer_dn Specifies the distinguished name of the Certificate Authority issuing certificates.
-U username Specifies the username which hosts the AIX PKI that will be unconfigured.

Security

This command should grant execute (x) access only to the root user and members of the security group.

Examples

To configure the AIX PKI server side using pkitest.ibm.com as the LDAP host name for publishing certificates and o=aix,c=us as the issuer name, enter:

$ mksecpki -u pkiuser -f iafile -p 829 -H pkitest.ibm.com -D cn=admin -w password -i o=aix,c=us

where iafile contains the reference number and passphrase.

To unconfigure the server, enter:

$ mksecpki -U pkiuser
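A pre-flight check for the configuration run above, as an added example that is not part of the AIX documentation: it validates the reference file layout (reference number on the first line, passphrase on the second), enforces the option rule from the syntax that -D and -w must appear together, and prints the resulting mksecpki command line for review instead of running it. The permission check on the reference file and the script name preflight.sh are assumptions added here, since the file carries the passphrase.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation: pre-flight checks for a
# mksecpki configuration run. Nothing here invokes mksecpki; the command line
# is only printed so it can be reviewed before it is run as root.

# check_iafile FILE: succeed only if FILE holds exactly two non-empty lines,
# the first a numeric reference number and the second the passphrase.
check_iafile() {
    f=$1
    [ -f "$f" ] || { echo "reference file '$f' not found" >&2; return 1; }
    # Added precaution (assumption): the file carries the passphrase, so
    # refuse it if group or world have any permission on it.
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) echo "'$f' must not be group- or world-accessible" >&2; return 1 ;;
    esac
    n=$(grep -c '' "$f" || :)
    [ "$n" -eq 2 ] || { echo "'$f': expected 2 lines, found $n" >&2; return 1; }
    ref=$(sed -n '1s/[[:space:]]*$//p' "$f")
    pw=$(sed -n '2s/[[:space:]]*$//p' "$f")
    case $ref in
        ''|*[!0-9]*) echo "'$f': line 1 must be a numeric reference number" >&2; return 1 ;;
    esac
    [ -n "$pw" ] || { echo "'$f': line 2 (passphrase) is empty" >&2; return 1; }
}

# mksecpki_cmdline USER IAFILE [PORT] [LDAP_HOST] [ADMIN_DN] [ADMIN_PW] [ISSUER_DN]
# Prints the configure command line. -D and -w are emitted only together, as the
# syntax requires; an empty PORT leaves the CA default of 1077 in effect.
mksecpki_cmdline() {
    user=$1 iafile=$2 port=$3 host=$4 dn=$5 pw=$6 issuer=$7
    if [ -n "$dn$pw" ] && { [ -z "$dn" ] || [ -z "$pw" ]; }; then
        echo "-D and -w must be specified together" >&2
        return 1
    fi
    cmd="mksecpki -u $user -f $iafile"
    [ -n "$port" ] && cmd="$cmd -p $port"
    [ -n "$host" ] && cmd="$cmd -H $host"
    [ -n "$dn" ] && cmd="$cmd -D $dn -w $pw"   # values must match the LDAP setup
    [ -n "$issuer" ] && cmd="$cmd -i $issuer"
    printf '%s\n' "$cmd"
}

# Usage: sh preflight.sh pkiuser iafile 829 pkitest.ibm.com cn=admin password o=aix,c=us
if [ $# -ge 2 ]; then
    check_iafile "$2" && mksecpki_cmdline "$@"
fi
```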

Files

/usr/lib/security/pki/ca.cfg