Admin CLI

Description

Returns the status of the given worker, stating if its crypto token is active or not, and the loaded 'active' configuration. It is possible to get a brief summary or a complete listing for one worker or all configured workers. If all workers are displayed, all the global configuration parameters will also be displayed.

Returns the current worker or global configuration depending on options. Note that for worker configuration, this configuration might be inactive until a reload command is issued.

Sets a custom property used by the worker or crypto token. For available properties, refer to the respective section in the SignServer Reference for the given Worker and CryptoToken.

List the value of a worker or global property.

Usage:

signserver getproperty <signerid | signerName | global | node> <propertykey>

Used to batch a set of properties, both for the global and worker configuration. The command can be used to configure a Signer in a test environment, dump all the properties and upload it into production.

The setproperties command reads all the configuration properties form a property file, and depending on the contents of the key, it then sets the given property. All properties are set according to the following defined rule set.

For examples, see the directory sample-configs.

Removes a configured property.

Dumps all configured properties for one or all workers in the system into a property file. If the configuration for one worker is dumped, the dumpproperties tool can be used to transfer the configuration from one installation to another. If all configurations are dumped, it can be used as a backup tool.

Used to upload the certificate when the worker only needs the actual signing certificate and not the entire chain.

Used when uploading a complete certificate chain to the worker.

Note that the correct command to use for upload depends on the worker and crypto token used.

Used to import a certificate chain into a crypto token. It takes a worker ID of the crypto worker (or a worker ID of a worker with the crypto token configured in the legacy way), and a path pointing to a file containing the certificate chain and a key alias to import to. Currently supported by the PKCS11 and keystore crypto token implementations.

Used to generate a certificate request for a worker to be signed by a certificate authority. The command takes distinguished name and signature algorithm as parameters, and writes the request in PEM format to file. An optional key alias can be specified to generate a request given a specific key alias from the crypto token.

Used to activate crypto tokens. Authentication code is usually the PIN used to unlock the keys on the HSM. Not used if the token is set to auto-activation.

Brings a crypto token off-line. Not used if token is set to auto-activation.

Sends a request for renewal of the specified worker to the specified renewal worker. If the authcode parameter is omitted, the command will renew the certificate without an authcode, assuming the crypto token is auto-activated, or the worker is using a separate crypto worker (recommended). To use the previous behavior of prompting for the authcode, specify the -authprompt option. When the authcode is not passed as a parameter or prompted for, an explicit activation of the token will not be performed. For more information, see RenewalWorker.

Description

Command for adding, removing, or listing a worker's client authorization rules. Replaces the legacy commands addauthorizedclient, removeauthorizedclient, and listauthorizedclient.

Usage: signserver authorizedclients -worker <worker name or ID> -list 

       signserver authorizedclients -worker <worker name or ID> <-add/-remove> 
          -matchSubjectWithType <SUBJECT_MATCH_TYPE> -matchSubjectWithValue <value> \
          [-matchIssuerWithType <ISSUER_MATCH_TYPE>] -matchIssuerWithValue <issuer DN> \
          [-description <textual description>]

       signserver authorizedclients -worker <worker name or ID> <-add/-remove> \
          -matchSubjectWithType <SUBJECT_MATCH_TYPE> \
          [-matchIssuerWithType <ISSUER_MATCH_TYPE>] \
          [-description <textual description>] \
          -cert <PEM file>

signserver authorizedclients -worker CMSSigner -list

signserver authorizedclients -worker CMSSigner -add 
 -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One"
 -matchIssuerWithValue "CN=AdminCA1, C=SE"

signserver authorizedclients -worker CMSSigner -add 
 -matchSubjectWithType SUBJECT_RDN_CN -matchSubjectWithValue "Client One"
 -matchIssuerWithType ISSUER_DN_BCSTYLE -matchIssuerWithValue "CN=AdminCA1, C=SE" -description "my rule"

signserver authorizedclients -worker CMSSigner -add 
 -matchSubjectWithType CERTIFICATE_SERIALNO -matchIssuerWithType ISSUER_DN_BCSTYLE 
 -cert /tmp/admin.pem

signserver authorizedclients -worker CMSSigner -remove 
 -matchSubjectWithType CERTIFICATE_SERIALNO 
 -matchIssuerWithType ISSUER_DN_BCSTYLE 
 -cert /tmp/admin.pem

The addauthorizedclient command is deprecated and only supports legacy rules. Use the authorizedclients command instead.

Adds a client certificate to a processable workers list of acceptable clients using this worker. Specify certificate serial number in hex and the Issuer DN of the client certificate. If DN components contains commas, these need to be escaped with backslashes. Alternatively, a certificate file (PEM or DER format) can be specified, from which the serial number and issuer DN is fetched.

signserver addauthorizedclient 1 EF34242D2324 "CN=Test Root CA"

signserver addauthorizedclient 1 EF3456789ABC "CN=Client,O=Test Organization,C=SE"

signserver addauthorizedclient 1 client.pem

The removeauthorizedclient command is deprecated and only supports legacy rules. Use the authorizedclients command instead.

Removes added client certificate entries.

The listauthorizedclients command is deprecated and only supports legacy rules. Use the authorizedclients command instead.

Displays the current list of acceptable clients.

Description

The resync command is used if a SignServer had a complete database failure. When this happens, the Global Configuration switches to Off-line mode and it is not possible for the nodes to communicate internally and the Global Configurations will no longer be in sync. When the database is up again, the resync command can be sent to the node that has the most valid Global Configuration to write it to the database. After the resynchronization is performed, the Global Configuration will re-enter On-line mode.

Description

Used to extract archived data from database identified by the archive ID. The ID depends on the worker. For example,  in case of the TSA, the TimeStampInfo serial number is used. The data is stored with the same file title as the archive ID, and with the file extension depending on the type of item, for example .request or .response.

Used to extract all archived data requested from a specified IP address. All data is stored as separate files with the archive ID as file title, and the file extension depending on the type of item.

 Used to extract all archived data requested from a client by its specified certificate serial number and issuer DN. All data is stored as separate files with the archive ID as file title and the file extension depending on the type of item.

Used to query contents of the archive. Actual archived data is not fetched by this command.

Usage:

signserver archive query -limit <number> [-criteria  "<field> <op> <value>" [-criteria...]] [-from <index>] [-header] [-request|-response]

Examples: 

signserver archive query -limit 10 -criteria "signerid EQ 1"
signserver archive query -limit 10 -criteria "signerid EQ 1" -request
signserver archive query -limit 10 -criteria "time GT 1359623137000" -criteria "requestIP EQ 127.0.0.1
signserver archive query -limit 10 -criteria "signerid EQ 1" -outpath /tmp/out\n\n"

Description

Lists administrator certificates (certificate serial number and issuer DN) for administrators authorized to use the Admin Web Service interface to administrate SignServer.

Authorizes an administrator to use the Admin Web Service interface by certificate serial number (in hexadecimal) and issuer DN with space after each comma separating DN components. If DN components contains commas, these needs to be escaped with backslashes.

The following displays how to enter the issuer DN when using a certificate issued from EJBCA with the default (as specified by EJBCA) LDAP DN order:

C=SE, O=TestOrganization, CN=IssuingCA

The following displays using escaped DN components:

C=SE, O=TestOrganization\, The, CN=IssuingCA\, Th

Note that the order is reversed, compared to how the issuer DN is stored in the certificate.

The following displays how to enter the issuer DN when using a certificate issued from EJBCA with the Use LDAP DN order option disabled:

CN=ReverseIssuingCA, O=TestOrganization, C=S

Alternatively, a certificate file can be specified from which the serial number and issuer DN will be taken.

signserver wsadmins -add -certserialno 123ABCDEF -issuerdn "CN=Neo Morpheus, C=SE"

signserver wsadmins -add -cert wsadmin.pe

Removes an administrator from the list of authorized administrators.

Specifies whether any administrator with a certificate accepted by the web server/proxy is authorized or not. When set (true) it overrides the WSADMINS global property. Takes an optional boolean parameter, if left out sets to true (allow all). This can be used for initial setup.

Description

Lists auditor certificates (certificate serial number and issuer DN) for administrators authorized to use the Admin Web Service interface to query the audit log of SignServer.

Authorizes an auditor to use the Admin Web Service interface by certificate serial number (given in hexadecimal) and issuer DN.

Removes an auditor from the list of authorized administrators.

Description

Lists archive auditor certificates (certificate serial number and issuer DN) for auditors authorized to use the Admin Web Service interface to query the archive of SignServer.

Authorizes an auditor, by specifying a certificate serial number (in hexadecimal) and issuer DN, to use the Admin Web Service interface for querying the archive.

Removes an auditor from the list of authorized archive auditors.

Query the CESeCore audit log.

Usage:

signserver auditlog -query -limit <number> [-criteria "<field> <op> <value>" [-criteria...]] [-from <index>] [-header]

If databaseprotection.enableverify is enabled at the server side, the signature of each row displayed is verified. If the verification fails for any of the rows matching the search criteria, an error message is displayed. The error message contains information about the first row that failed.

Queries the entries (key alias, certificates etc) in a CryptoToken. If no limit is given, all entries are queried and printed (10 at a time). You can specify to start query from an index in the result. Search conditions can be added to only search for entries with certain key aliases.

Usage:

signserver querytokenentries -token <id or name> -limit <number> [-criteria  "<field> <op> <value>" [-criteria...]] [-from <index>] [-v]

Description

Lists certificates (certificate serial number and issuer DN) for peer systems (i.e. EJBCA) authorized to use the Peer Systems interface to query available key bindings and perform certificate renewal/rekeying.

Authorizes a peer system to use the Peer Systems interface by certificate serial number (given in hexadecimal) and issuer DN.

Removes a peer system from the list of authorized peer systems.

Description

Gets the value of the status property. Execute the getstatusproperty command with the property name.

Gets the value of all status properties and their expiration time.

Sets the status property TIMESOURCE0_INSYNC to true.