mksecpki configures AIX PKI server components. The components of AIX PKI are Certificate Authority, Registration Authority, and Audit subsystems.
mksecpki {-u username -f reference_file [-p CA_port] [-H ldap_host] [-D dn -w password] [-i certificate_issuer_dn] | -U username}
The mksecpki command configures AIX PKI server components. mksecpki must be run after configuring an LDAP server to publish certificates. The values for the options -H, -D, -w, and -i must be the same values as the ones specified during the LDAP configuration. Otherwise, the CA will not be able to publish certificates to LDAP.
The -u option specifies the AIX username which will host AIX PKI. The username must follow AIX username rules. Do not use -u and -U together. The invoker of the command will be asked to provide a password for the username. mksecpki will create a database instance with the same name.
The -f option specifies the file containing the reference number and passphrase. Client certificate requests must use these exact same values while communicating with the CA. The reference number and passphrase are each specified on a separate line. The following is the contents of an example iafile:
11122233
temppwd1234
The -p option specifies the port on which the Certificate Authority accepts certificate requests. If no port number is given, 1077 is assumed.
The -H option specifies the hostname of the LDAP server to which certificates are published. Prior to invoking the mksecpki command, an LDAP server must be set up to publish certificates. Otherwise, the certificates will not be published to LDAP; the certificate will still be returned to the requestor when the certificate management commands are used. If the -H option is not given, localhost is used as the hostname.
The -D option specifies the directory administrator's distinguished name. This must be the same DN that was specified during the configuration of the LDAP server.
The -w option specifies the password corresponding to the administrator DN. It is an error not to specify both the admin DN and password.
The -i option specifies the distinguished name of the Certificate Authority issuing the certificates. This must be the same value as the one given when setting up the LDAP server for publishing certificates.
The -U option specifies the username that hosts the AIX PKI instance to be unconfigured. The command asks for confirmation before starting its operation. This option removes the username from the system, and the invoker is asked whether the home directory of the username should also be removed. When the command completes without errors, it displays a message indicating successful completion; wait for this message before assuming the unconfiguration has finished.
This command should grant execute (x) access only to the root user and members of the security group.
To configure the AIX PKI server side using pkitest.ibm.com as the LDAP hostname for publishing certificates and o=aix,c=us as the issuer name, enter:
$ mksecpki -u pkiuser -f iafile -p 829 -H pkitest.ibm.com -D cn=admin -w password -i o=aix,c=us
where iafile contains the reference number and passphrase.
To unconfigure the server, enter:
$ mksecpki -U pkiuser
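The following script is an added example, not part of the AIX documentation, showing how the pieces above fit together as one procedure: it writes the iafile in the two-line format that -f expects with a mode that keeps the passphrase private, checks the file before use, confirms that the LDAP administrator DN can bind to the LDAP host (using ldapsearch, which is assumed to be installed), and only then runs mksecpki with -H, -D, -w, and -i set to the same values used when the LDAP server was configured. The hostname ldap.example.com, the admin password, the file path, and the reference number and passphrase values are placeholders.

```shell
#!/bin/sh
# Added example (not from the AIX documentation or the mksecpki command itself).
# All host names, DNs, ports, passwords, and paths are placeholder assumptions.

# Write the iafile: reference number on line 1, passphrase on line 2.
# Created under umask 077 and set to mode 0600 so only the invoking user can read it.
write_iafile() {
    file=$1; refnum=$2; passphrase=$3
    ( umask 077; printf '%s\n%s\n' "$refnum" "$passphrase" > "$file" )
    chmod 600 "$file"
}

# Check that an iafile has exactly two non-empty lines and is not readable by
# group or others. Returns 0 when the file is acceptable, 1 otherwise.
validate_iafile() {
    file=$1
    [ -f "$file" ] || return 1
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || return 1
    refnum=$(sed -n '1p' "$file")
    passphrase=$(sed -n '2p' "$file")
    [ -n "$refnum" ] && [ -n "$passphrase" ] || return 1
    # characters 5-10 of "ls -l" output are the group and other permission bits
    case $(ls -l "$file" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    pki_user=pkiuser                 # AIX user that will host the PKI (placeholder)
    iafile=/etc/security/pki/iafile  # placeholder path for the -f file
    ldap_host=ldap.example.com       # placeholder; must match the LDAP setup
    admin_dn='cn=admin'              # must match the DN used during LDAP setup
    admin_pw='CHANGE_ME'             # placeholder password for the admin DN
    issuer_dn='o=aix,c=us'           # must match the issuer DN used during LDAP setup
    ca_port=1077                     # default CA port

    write_iafile "$iafile" 11122233 temppwd1234
    validate_iafile "$iafile" || { echo "iafile $iafile is malformed or too permissive" >&2; exit 1; }

    # Preflight: if the admin DN cannot bind to the LDAP host now, the CA will not
    # be able to publish certificates later, so stop before configuring anything.
    ldapsearch -h "$ldap_host" -D "$admin_dn" -w "$admin_pw" -b '' -s base '(objectclass=*)' >/dev/null \
        || { echo "LDAP bind as $admin_dn to $ldap_host failed" >&2; exit 1; }

    mksecpki -u "$pki_user" -f "$iafile" -p "$ca_port" \
             -H "$ldap_host" -D "$admin_dn" -w "$admin_pw" -i "$issuer_dn"
}

# Run the configuration only when invoked as: sh configure_pki.sh configure
if [ "${1:-}" = "configure" ]; then
    main "$@"
fi
```

Because -w takes the administrator password on the command line, it is visible to other users in the process listing while mksecpki runs; keep that in mind when choosing where and as whom the script is executed, and remove the iafile's readable copies once the CA and its clients have been configured.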
Files
/usr/lib/security/pki/ca.cfg
Related Information
The certadd, certcreate, certdelete, certget, certlink, certlist, certrevoke, certverify, keyadd, keydelete, keylist, and keypasswd commands.