Improve command line syntax and capabilities #91

Open

mbartosch opened this issue Jan 12, 2015 · 0 comments

@mbartosch (Contributor)
Suggestion for syntax, man page and features:


CertNanny command line reference

certnanny [OPTIONS] COMMAND [ARGUMENTS]

OPTIONS

--config FILE

--debug [LEVEL]
--verbose
--keystore KEYSTORE
--force
--dryrun

OPTIONS

--debug [LEVEL]

Override the loglevel set in the CertNanny configuration file. LEVEL is optional and can be one of the acceptable values for the loglevel directive in the configuration file. If LEVEL is not specified, a default of 6 will be used (SCEP Debug).

--verbose

Generate more information about the operations performed by CertNanny. The verbose information will be written to STDERR.

--keystore KEYSTORE

Optional.
Limit specified CertNanny command to keystore KEYSTORE.
Default: all configured keystores

--force

Optional. If specified, forces the execution of certain activities, e. g. a renewal operation even though the existing certificate is still valid.

--dryrun

Optional. If specified, the command will not perform an actual SCEP request but will instead dump the request data to STDOUT (see renew command).

COMMANDS

check

Checks all configured keystores and performs internal sanity checks.
If --keystore KEYSTORE is specified, only the keystore KEYSTORE will be processed.

If minor problems are detected (e. g. a missing directory) the program will try to resolve the problem (e. g. by creating the missing directory). If the problem cannot be resolved automatically the program will print diagnostics and exit with an error.

If invoked with the --verbose option it also prints keystore and certificate overview information:

  • symbolic name of the keystore
  • keystore type
  • keystore parameters (e. g. SCEP URI, autorenew_days, warnexpiry_days settings)
  • list of trusted Root CAs for the keystore
  • if an end entity certificate is found in the keystore:
    • Certificate Subject
    • Certificate Issuer
    • SerialNumber (decimal, hexadecimal)
    • NotBefore
    • NotAfter
    • indication if certificate validity is within configured "renewal" and/or "warn" threshold

renew

Runs automatic renewal on all configured keystores. Can be repeated as many times as desired and will automatically keep the correct state.
Implicitly also performs all actions of the "check" command.

If --keystore KEYSTORE is specified only the keystore KEYSTORE will be processed.

If invoked with the --verbose option it also prints keystore and certificate overview information (see check command) and all operations that are executed during the renew operation.

If --dryrun is specified the program will perform all actions required for the renew command but will NOT actually send out an SCEP request to the SCEP server. Instead the SCEP request is printed to STDOUT.
The --dryrun option implicitly requires specification of --recipient FILE on the command line. FILE must be a PEM encoded certificate which will be used as the RA certificate for the generated SCEP request.

If --force is specified the program will assume that the certificate must be renewed regardless of the remaining certificate validity (identical to setting renewal_days to 100000).

enroll

...
If --keystore KEYSTORE is specified only the keystore KEYSTORE will be processed.

cleanup

Clear the internal state of CertNanny for a pending certificate renewal.

This command can be used to recover from a stalled renewal process, but it should be used only if indicated by the responsible RA Operator.
WARNING: Using this command may result in a defective renewal state which can only be recovered by RA Operator interaction on the SCEP server side. Only use this command if requested by the RA Operator!

If --keystore KEYSTORE is specified only the keystore KEYSTORE will be processed.

NOTE: The cleanup command will refuse to delete the internal state unless --force is also specified!

executehook HOOK --keystore KEYSTORE [--define KEY=VALUE]

Executes the hook HOOK for the keystore KEYSTORE. The --keystore option is mandatory.

This command is primarily for hook testing. If possible, the variables for the hooks will be set correctly, but where this is not possible, dummy values may be used by the program.

It is possible to override variables passed to the hooks via --define KEY=VALUE. See section Hook Definitions for a list of available KEYs.

HOOK must be one of the following (see CertNanny configuration documentation for details on hooks):

renewal.install.pre
renewal.install.post
renewal.state
rootCA.install.pre
rootCA.install.post
notify.warnexpiry

install
...

uninstall
...
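The grammar and cross-option rules proposed above, as an added example (not CertNanny's own code): a small parser that accepts `certnanny [OPTIONS] COMMAND [ARGUMENTS]` and rejects the command lines the proposal declares invalid, e.g. `--dryrun` without `--recipient`, `cleanup` without `--force`, or `executehook` without `--keystore` or with an unknown HOOK.

```python
# Constructed model of the proposed `certnanny [OPTIONS] COMMAND [ARGUMENTS]` grammar;
# example code, not CertNanny's own. It enforces the cross-option rules the proposal states.
COMMANDS = {"check", "renew", "enroll", "cleanup", "executehook", "install", "uninstall"}
HOOKS = {"renewal.install.pre", "renewal.install.post", "renewal.state",
         "rootCA.install.pre", "rootCA.install.post", "notify.warnexpiry"}
FLAG_OPTS = {"--verbose", "--force", "--dryrun"}        # take no value
VALUE_OPTS = {"--config", "--keystore", "--recipient"}  # take exactly one value


class UsageError(Exception):
    """Raised for any command line the proposal declares invalid."""


def parse(argv: list) -> dict:
    o = {"define": {}}           # options seen; a missing key means "not given"
    words, i = [], 0             # bare words: COMMAND first, then its ARGUMENTS
    while i < len(argv):
        tok, nxt = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
        if tok == "--debug":                  # LEVEL is optional; default 6 (SCEP Debug)
            if nxt is not None and nxt.isdigit():
                o["debug"], i = int(nxt), i + 1
            else:
                o["debug"] = 6
        elif tok in FLAG_OPTS:
            o[tok[2:]] = True
        elif tok == "--define":               # KEY=VALUE override for hook variables
            key, eq, val = (nxt or "").partition("=")
            if not eq:
                raise UsageError("--define expects KEY=VALUE")
            o["define"][key], i = val, i + 1
        elif tok in VALUE_OPTS:
            if nxt is None:
                raise UsageError(f"{tok} requires a value")
            o[tok[2:]], i = nxt, i + 1
        elif tok.startswith("--"):
            raise UsageError(f"unknown option {tok}")
        else:
            words.append(tok)
        i += 1
    if not words or words[0] not in COMMANDS:
        raise UsageError("COMMAND must be one of: " + ", ".join(sorted(COMMANDS)))
    o["command"], o["arguments"] = words[0], words[1:]
    if o.get("dryrun") and "recipient" not in o:
        raise UsageError("--dryrun requires --recipient FILE (PEM encoded RA certificate)")
    if o["command"] == "cleanup" and not o.get("force"):
        raise UsageError("cleanup refuses to delete the internal state without --force")
    if o["command"] == "executehook" and (
            "keystore" not in o or o["arguments"] not in [[h] for h in HOOKS]):
        raise UsageError("executehook needs --keystore KEYSTORE and exactly one known HOOK")
    return o
```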

@mbartosch mbartosch assigned pgk69 and rad1us and unassigned pgk69 and rad1us Jan 12, 2015