SunScreen SKIP User's Guide, Release 1.5.1

skipca: Setting Up Trusted CAs

Certificates are the digital documents that testify to the binding of a public key to an individual or other entity, for the purpose of preventing someone else from impersonating you. In order for two hosts running a security package to communicate, they must exchange certificates. The skipca command-line interface is used to designate a CA as trusted and to manage the trusted-CA database. The skipca options add, extract, init (initialize), list, delete, create, and revoke CA certificates.

You must restart the key manager with skipd_restart before any changes will take effect.

This command has broad security implications. By designating a CA, you are trusting the identity of all certificates signed by that CA. Since root CA certificates are self-signed, there is no automated way to verify that a CA certificate actually comes from that CA. Before adding a CA certificate, you must be absolutely certain that the certificate is valid. Validity may be checked by having the CA publish the hash of its certificate publicly and comparing that hash with the hash obtained from the certificate.
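The check described above, scripted as an added example (not part of the SKIP documentation): the CA's published fingerprint is compared with the digest computed from the certificate file, and `skipca -a` runs only when they match. It assumes a POSIX sh with either openssl or sha256sum available and a SHA-256 fingerprint published by the CA; the function names are the example's own.

```shell
#!/bin/sh
# Added example: gate "skipca -a -c ca-file" on an out-of-band fingerprint check.
# Assumes openssl or sha256sum is installed; skipca itself is only invoked at the end.

# Print the SHA-256 digest of a file as lowercase hex without colons.
ca_fingerprint() {
    if command -v openssl >/dev/null 2>&1; then
        # Output looks like "SHA256(file)= <hex>"; keep only the hex part.
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Normalize a published fingerprint: drop colons and spaces, lowercase,
# so "AB:CD:..." and "abcd..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Return 0 only when the file's digest equals the fingerprint the CA
# published out of band (web page, printed letter, phone call).
verify_ca_fingerprint() {
    ca_file=$1
    expected=$(normalize_fp "$2")
    actual=$(ca_fingerprint "$ca_file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Add the CA to the trusted database only after the check passes;
# the key manager still has to be restarted for the change to take effect.
add_trusted_ca() {
    if verify_ca_fingerprint "$1" "$2"; then
        skipca -a -c "$1" && echo "CA added; run skipd_restart to activate it"
    else
        echo "fingerprint mismatch for $1: refusing to trust this CA" >&2
        return 1
    fi
}
```

Usage: `add_trusted_ca /path/to/ca.cer "AB:CD:..."` with the fingerprint copied from the CA's published source, never from the same channel that delivered the certificate file.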

Syntax

skipca -[a|r|l|i|e|R|U] [...]

Options

-a [-c ca-file]

The -a (add) option places new certificates into the trusted Certificate Authority database. The ca-file is an X.509 certificate that is either self-signed or signed by an existing trusted CA in this CA database. Note: The add option does not copy a CA certificate into the database if it already exists there.

-e [-s ca-slot]

The extract command writes the CA certificate in the specified slot number to the standard output. If the output is redirected to a file, the file is suitable for the skipca -a command. 

-i [-qo]

Prior to use, the CA database must be initialized. The init option creates the database. When issued for an existing database, the init option does not delete any of the CA certificates present. Use the init option with the -o operand to forcibly reinitialize the database, destroying any existing certificates. The init option with the -q operand tells init to be as quiet as possible about initialization.

-l [-VvxL] [-s ca-slot]

The list option provides a listing of all the certificates in the CA database by slot number, Issuer, and Subject. If a slot number is specified, only the CA certificate for that slot is printed. The -L flag enables printing of the certificate validity periods. -v enables a verbose display of the entire certificate. If -V is specified, the output is displayed in a machine-parseable manner. If -x is specified, the manual revocation list for that CA is displayed.

-R [-s ca-slot] [-S serialnumber]

Each CA maintains a list of certificates which have been revoked by the user. This is different from a traditional CRL, as it is not distributed by the CA and is manually maintained. The revoke command allows the user to add certificates to the per-CA list of revoked certificates. ca-slot specifies which CA to operate on; the ca-slot may be obtained through the skipca -l command. serialnumber is the serial number of the certificate which you wish to revoke. Each X.509 certificate produced by a CA is numbered uniquely with a serial number.

-U [-s ca-slot] [-S serialnumber]

The unrevoke command removes hosts from the per-CA revocation list. ca-slot and serialnumber are the same as the arguments for the revoke command.

-r [-s ca-slot]

The -r option deletes the CA certificate in the specified slot number.