certlist lists the contents of one or more certificates.
certlist [-c] [-a attr [attr....] ]tag [username]
The certlist command lists the contents of one or more certificates. Using the -c option causes the output to be formatted as colon-separated data with the attribute names associated with each field on the previous line as follows:
# name: attribute1: attribute2: ... User: value1: value2: ...
The -f option causes the output to be formatted in stanza file format with the username attribute given as the stanza name. Each attribute=value pair is listed on a separate line:
user:
attribute1=value
attribute2=value
attribute3=value When neither of these command line options are selected, the attributes are output as attribute=value pairs.
The -a option selects a list of one or more certificate attributes to output. In addition to the attributes supported by the load module, several pseudo-attributes shall also be provided for each certificate.
Those attributes are:
| auth_user | User's authentication certificate. |
| distinguished_name | User's subject distinguished name in the certificate. |
| alternate_name | User's subject alternate name in the certificate. |
| validafter | The date the user's certificate becomes valid. |
| validuntil | The date the user's certificate becomes invalid. |
| tag | The name that uniquely identifies this certificate. |
| issuer | The distinguished name of the certificate issuer. |
| label | The label that identifies this certificate in the private keystore. |
| keystore | The location of the private keystore for the private key of the certificate. |
| serialnumber | The serial number of the certificate. |
| verified | true indicates that the user poved that he is in possession of the private key. |
| -c | Displays the output in colon-separated records. |
| -f | Displays the output in stanzas. |
| -a attr | Selects one or more attributes to be displayed. |
The tag parameter selects which of the user's certificates is to be output. The reserved value ALL indicates that all certificates for the user are to be listed.
The username parameter specifies the name of the AIX user to be queried. If invoked without the username parameter, the certdelete command uses the name of the current user.
| 0 | If successful. |
| EINVAL | If the command is ill-formed or the arguments are invalid. |
| ENOENT | If a) the user doesn't exist, b) the tag does not exist c) the file does not exist. |
| EACCES | If the attribute cannot be listed, for example, if the invoker does not have read_access to the user data-base. |
| EPERM | If the user identification and authentication fails. |
| errno | If system error. |
This command can be executed by any user in order to list the attributes of a certificate. Certificates listed may be owned by another user.
This command records the following event information:
CERT_List <username>
$ certlist -f -a verified keystore label signcert bob
bob:
verified=false
keystore=file:/var/pki/security/keys/bob
label=signcert
$ certlist -c -a validafter validbefore issuer signcert bob
#name:validafter:validuntil:issuer
bob:1018091201:1018091301:c=US,o=xyz
$ certlist -f ALL bob
bob:
auth_cert=logincert
distinguished_name=c=US,o=xyz,cn=bob
alternate_name=bob@xyz.com
validafter=0921154701
validuntil=0921154801
issuer=c=US,o=xyz
tag=logincert
verified=true
label=loginkey
keystore=file:/var/pki/security/keys/bob
serialnumber=03
bob:
auth_cert=logincert
distinguished_name=c=US,o=xyz,cn=bob
alternate_name=bob@ibm.com
validafter=1018091201
validuntil=1018091301
issuer=c=US,o=xyz
tag=signcert
verified=false
label=signkey
keystore=file:/var/pki/security/keys/bob
serialnumber=02
/usr/lib/security/pki/acct.cfg
/usr/lib/security/pki/policy.cfg
The certadd, certcreate, certdelete, certget, certlink, certrevoke, certverify, keyadd, keydelete, keylist, keypasswd, and mksecpki commands.