certlink links a certificate in a remote repository to a user account.
certlink [-c|-r] [-p privatekeystore] -l label -o option tag [username]
The certlink command links a certificate in a remote repository to a user account. certlink is very similar to certadd except that the user provides a link to the certificate rather than providing the certificate itself.
If the -c (create only) option is given, it is an error if the {username, tag} pair already exists as a named certificate. Otherwise, an existing certificate shall be replaced by the new certificate. If the -r (replace only) option is given, it is an error if the {username, tag} pair does not already exist as a named certificate. These two options are mutually exclusive. The default behavior is to create the entry if it does not exist and to replace the existing certificate if it exists.
The -l option must be specified. The label is a variable length text string that will be used to map a key in the keystore to the certificate which contains the matching public key.
If the -p option is not given, the default will be /var/pki/security/keys/<username>. It is the responsibility of the invoker of this command to add the private key associated with the public key by using the keyadd command. Refer to the certadd command for more details on the use of the -l and -p flags. This information also applies to the certlink command.
The -o option is the URI where the certificate is stored. Currently only LDAP URIs are supported. The URI of the repository must be given in the format as specified in RFC 2255.
The tag parameter is a variable length text string from the same character set as user names which is used to uniquely identify the certificate among all of the certificates owned by username. The ALL tag shall be reserved for the certlist command so that all certificates owned by a user may be viewed. An error is also returned if a certificate named by the auth_cert attribute for a user is replaced.
When an existing certificate is replaced with another one, the keys corresponding to the replaced certificate remain in the keystore until deleted by the user. These keys can be removed from the keystore using key management commands. Similarly, the private key matching to a certificate can also be added to the keystore using the key management commands.
Only a certificate that is not revoked can be added unless the system policy specifies otherwise. The system revocation check policy is specified in the policy file /usr/lib/security/ pki/policy.cfg. The certificate revocation list will be obtained using the Certificate Revocation Distribution Point information in the certificate. If one is not given, the certificate distribution point information will be retrieved from the /usr/lib/security/ pki/ca.cfg file. The certificate will not be added, if the certificate revocation list could not be retrieved.
-c | Links a new certificate. |
-r | Replaces an existing certificate. |
-p | Specifies the location of the private keystore. |
-l label | Specifies a label for the private key corresponding to the public key in certificate. |
-o option | Specifies the URL where the certificate to be linked stored. |
0 | If successful. |
>0 | An error occured. |
This is a privileged (set-UID root) command.
Root and invokers belonging to group security can add certificates for anybody. A non-privileged user can only add certificates for themself.
To link a certificate stored in an external certificate repository and associate it with user Bob, enter:
$ certlink -c -l signcert -p /home/bob/keystore.p12 -o ldap:// cert.austin.ibm.com/o=ibm,ou=Finance,c=us?usercertificate??( cn=Bob James)?X-serial=1A:EF:54 cert1 bob
/usr/lib/security/pki/ca.cfg
/usr/lib/security/pki/policy.cfg
The certadd, certcreate, certdelete, certget, certlist, certrevoke, certverify, keyadd, keydelete, keylist, keypasswd, and mksecpki commands.