Command Line Examples
Create X509 CRT
The command below assumes a pre-existing PKCS#12 file called seed.p12 whose password is changeit. It uses the default authentication method, X509 authentication: the key pair and client certificate held in seed.p12 authenticate the request and the result is a Base64 CRT token (base64_data) for use with get-cert.
./certifierUtil get-crt-token -X X509 -k ./seed.p12 -p changeit
Alternatively, a SAT token can be used for authentication in place of the X.509 certificate by selecting the SAT auth type and passing the token with -S:
./certifierUtil get-crt-token -X SAT -S <SAT_TOKEN>
This command can also be invoked through ./tests/functional/test-create-x509-crt.sh, which takes the PKCS#12 path and its password as arguments. Example:
cd ./tests/functional
./test-create-x509-crt.sh ../../seed.p12 changeit
Fetch a new certificate
The command below passes in the base64_data produced by the command above (Create X509 CRT). It makes an HTTPS call to the certifier service and writes a new password-protected PKCS#12 file containing the returned certificate chain and the public/private key pair; the -f flag overwrites an existing output file, so omit it if the file must not be clobbered. libcertifier.cfg must be present and contain valid values (including the certifier URL, output path and password); see the Configuration File section at the end of this page.
./certifierUtil get-cert -f -T <base64_data>
This command can also be invoked through ./tests/functional/test-device-reg.sh. Example:
cd ./tests/functional
./test-device-reg.sh <base64_data>
Fetch an X509 cert end-to-end
The command below combines both examples above into a single call.
./certifierUtil get-cert -f -k ./seed.p12 -p changeit -o matter_dac.p12 -w changeit
Same command with SAT authentication:
./certifierUtil get-cert -f -X SAT -S <SAT_TOKEN> -o matter_dac.p12 -w changeit
Fetch a Matter Device Attestation Certificate
The command below fetches a Device Attestation Certificate with the desired Product-ID (16-bit, hex) using X509 authentication; the DAC profile is selected with -P XFN_DL_PAI_1_Class_3. The VendorID is always fixed to 0xFFF4, which is one of the Matter test Vendor IDs (0xFFF1 to 0xFFF4), so certificates issued this way are for development and testing rather than production devices.
./certifierUtil get-cert -k ./seed.p12 -p changeit -o matter_dac.p12 -w changeit --product-id 1101 -P XFN_DL_PAI_1_Class_3
Same command with SAT authentication:
./certifierUtil get-cert -X SAT -S <SAT_TOKEN> -o matter_dac.p12 -w changeit --product-id 1101 -P XFN_DL_PAI_1_Class_3
Fetch a Matter Operational Certificate
The command below fetches a Matter-compliant Operational Certificate with the desired NodeID (64-bit, hex); the operational profile is selected with -P XFN_Matter_OP_Class_3_ICA. The FabricID and CASE Authentication Tag can be set with --fabric-id and --case-auth-tag (see the get-cert options below); when omitted, the values from libcertifier.cfg apply.
./certifierUtil get-cert -k ./seed.p12 -p changeit -o matter_opcert.p12 -w changeit --node-id AAAABBBBCCCCDDDD -P XFN_Matter_OP_Class_3_ICA
Same command with SAT authentication:
./certifierUtil get-cert -X SAT -S <SAT_TOKEN> -o matter_opcert.p12 -w changeit --node-id AAAABBBBCCCCDDDD -P XFN_Matter_OP_Class_3_ICA
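The Matter identifiers above are easy to get wrong on the command line: the option table only says "16-bit" or "64-bit integer" while the examples pass hex, and a short or prefixed NodeID ends up in an issued certificate. The Python below is an added example, not code from libcertifier. It validates those fields to the widths this page gives (Product-ID 16-bit, NodeID and FabricID 64-bit, CASE Authentication Tag 32-bit; the tag is treated as 8 hex digits here by analogy with the other identifiers, which is an assumption), assembles the get-cert argument vector in the same shape as the commands above for either X509 or SAT authentication, and produces a redacted copy for logging, because passwords and the SAT token passed on argv are visible to other local users in process listings and are kept in shell history. The profile names and option letters are from this page; `build_get_cert_argv`, `check_hex_field` and `redact_argv` are this example's own names.

```python
"""Validate Matter identifiers and assemble a certifierUtil get-cert command.

Added example, not part of libcertifier. It builds and checks the argument
vector documented on this page; it does not run certifierUtil itself.
"""
import re
import shlex

# Profile names exactly as the page lists them.
PROFILE_DAC = "XFN_DL_PAI_1_Class_3"
PROFILE_OPCERT = "XFN_Matter_OP_Class_3_ICA"

# Hex digits per field: 16-bit PID, 64-bit node/fabric IDs, 32-bit CASE tag
# (the tag width in hex is this example's assumption; the page says 32-bit).
_HEX_WIDTH = {"product-id": 4, "node-id": 16, "fabric-id": 16, "case-auth-tag": 8}

# Flags whose following value is a secret and must never reach a log line.
_SECRET_FLAGS = {"-S", "--auth-token", "-p", "--input-p12-password",
                 "-w", "--output-p12-password"}


def check_hex_field(name: str, value: str) -> str:
    """Accept only a bare hex string of exactly the documented width.

    Rejects 0x prefixes, wrong lengths and non-hex characters, so a mistyped
    identifier fails here instead of being issued in a certificate.
    """
    width = _HEX_WIDTH[name]
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % width, value):
        raise ValueError(f"--{name} must be exactly {width} hex digits "
                         f"({width * 4}-bit), got {value!r}")
    return value.upper()


def build_get_cert_argv(profile, output_p12, output_password, *,
                        seed_p12=None, seed_password=None, sat_token=None,
                        product_id=None, node_id=None, fabric_id=None,
                        case_auth_tag=None, overwrite=False,
                        binary="./certifierUtil"):
    """Return the argv list for one get-cert call in the page's own shape.

    X509 auth uses -k/-p on the seed PKCS#12; SAT auth uses -X SAT -S <token>.
    The DAC profile requires --product-id, the operational profile --node-id,
    matching the examples on this page.
    """
    argv = [binary, "get-cert"]
    if overwrite:
        argv.append("-f")

    x509 = seed_p12 is not None or seed_password is not None
    if x509 == (sat_token is not None):
        raise ValueError("give seed_p12+seed_password (X509) or sat_token (SAT), "
                         "not both and not neither")
    if x509:
        if seed_p12 is None or seed_password is None:
            raise ValueError("X509 auth needs both seed_p12 and seed_password")
        argv += ["-k", seed_p12, "-p", seed_password]
    else:
        argv += ["-X", "SAT", "-S", sat_token]

    argv += ["-o", output_p12, "-w", output_password]

    if profile == PROFILE_DAC:
        if product_id is None:
            raise ValueError("DAC profile requires product_id")
        if node_id is not None or fabric_id is not None:
            raise ValueError("node_id/fabric_id belong to the operational certificate")
        argv += ["--product-id", check_hex_field("product-id", product_id)]
    elif profile == PROFILE_OPCERT:
        if node_id is None:
            raise ValueError("operational profile requires node_id")
        argv += ["--node-id", check_hex_field("node-id", node_id)]
        if fabric_id is not None:
            argv += ["--fabric-id", check_hex_field("fabric-id", fabric_id)]
        if case_auth_tag is not None:
            argv += ["--case-auth-tag", check_hex_field("case-auth-tag", case_auth_tag)]
    else:
        raise ValueError(f"unknown profile {profile!r}")

    argv += ["-P", profile]
    return argv


def redact_argv(argv):
    """Copy of argv with every password/token value replaced, for logging."""
    out, hide = [], False
    for tok in argv:
        out.append("<redacted>" if hide else tok)
        hide = tok in _SECRET_FLAGS
    return out


if __name__ == "__main__":
    cmd = build_get_cert_argv(PROFILE_OPCERT, "matter_opcert.p12", "changeit",
                              seed_p12="./seed.p12", seed_password="changeit",
                              node_id="AAAABBBBCCCCDDDD", fabric_id="DDDDDDDDDDDDDDDD")
    print(shlex.join(redact_argv(cmd)))
```

Pass the returned list to subprocess.run without a shell so the values are never re-parsed, and log only the redacted form.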
== Other Examples
Get Certificate Status
./certifierUtil get-cert-status -k <pkcs12-file-path> -p <password>
Revoke Certificate
./certifierUtil revoke -k <pkcs12-file-path> -p <password>
Renew Certificate
./certifierUtil renew-cert -k <pkcs12-file-path> -p <password>
Print Certificate
./certifierUtil print-cert -k <pkcs12-file-path> -p <password>
== certifierUtil commands
| Command | Description |
|---|---|
| help | Display this summary |
| version | Display version info |
| get-cert | Fetch Certificate from PKI |
| get-crt-token | Generate Base64 CRT Token |
| get-cert-status | Check validity of certificate |
| renew-cert | Renew certificate's validity period if not expired, and meets renew requirements |
| print-cert | Display leaf certificate's PEM Base64 data |
| revoke | Revoke Certificate |
| sectigo-get-cert | Fetch Certificate from Sectigo |
| sectigo-search-cert | Search for certificates issued by Sectigo using various filters |
| sectigo-renew-cert | Renew a Sectigo certificate if not expired, and meets renew requirements |
| sectigo-revoke-cert | Revoke a Sectigo certificate |
| sectigo-ocsp-status | Check OCSP status of a Sectigo certificate |
== certifierUtil get-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <file-path> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <file-path> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
| auth-type | X | --auth-type <auth-type> | Select the authentication type used to obtain the CRT (X509, the default, or SAT) |
| auth-token | S | --auth-token <value> | Pass in App Authentication Token (the SAT token when --auth-type SAT is used). |
| crt | T | --crt <crt> | Input CRT (Base64), as produced by get-crt-token. |
| overwrite-p12 | f | --overwrite-p12 | Overwrite the output P12 file if it already exists |
| profile-name | P | --profile-name <value> | Choose type of Certificate to be fetched from PKI (either DAC Certificate, XFN_DL_PAI_1_Class_3, or Matter Operational Certificate, XFN_Matter_OP_Class_3_ICA) |
| output-p12-path | o | --output-p12-path <value> | Pathname of the resulting P12 file that will store the chain including the generated certificate |
| output-p12-password | w | --output-p12-password <value> | Password to encrypt the output P12 file |
| validity-days | v | --validity-days <days> | Number of validity days the certificate is issued with |
| product-id | i | --product-id <id> | ProductID (16-bit, written in hex as in the examples above, e.g. 1101) to be assigned to the resulting certificate. |
| node-id | n | --node-id <id> | NodeID (64-bit, written in hex, e.g. AAAABBBBCCCCDDDD) to be assigned to the resulting certificate |
| fabric-id | F | --fabric-id <id> | FabricID (64-bit, written in hex like the NodeID) to be assigned to the resulting certificate |
| case-auth-tag | a | --case-auth-tag <id> | CASE Authentication Tag (32-bit integer) to be assigned to the resulting certificate |
| ca-path | c | --ca-path <value> | Custom path where the libcertifier-cert.crt file is located |
== certifierUtil get-crt-token options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <file-path> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <file-path> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
| auth-type | X | --auth-type <auth-type> | Select the authentication type used to produce the CRT (X509, the default, or SAT) |
| auth-token | S | --auth-token <value> | Pass in App Authentication Token (the SAT token when --auth-type SAT is used) |
== certifierUtil get-cert-status options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <file-path> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <value> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
| ca-path | c | --ca-path <value> | Custom path where the libcertifier-cert.crt file is located |
== certifierUtil renew-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <file-path> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <value> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
| ca-path | c | --ca-path <value> | Custom path where the libcertifier-cert.crt file is located |
== certifierUtil print-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <value> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <value> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
== certifierUtil revoke options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| input-p12-path | k | --input-p12-path <value> | Path to the PKCS12 File |
| input-p12-password | p | --input-p12-password <value> | Password to decrypt input P12 File |
| config | L | --config <value> | Pass in custom set of configurations for commandline utility |
| verbose | v | --verbose | Enable verbose log output mode. |
| ca-path | c | --ca-path <value> | Custom path where the libcertifier-cert.crt file is located |
== certifierUtil sectigo-get-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| common-name | C | --common-name <value> | Certificate common name |
| id | I | --id <value> | User or device ID |
| project-name | r | --project-name <value> | Project name |
| business-justification | b | --business-justification <value> | Business justification |
| subject-alt-names | A | --subject-alt-names <value> | Subject alternative names (CSV) |
| group-name | G | --group-name <value> | Group name |
| group-email | E | --group-email <value> | Group email |
| owner-first-name | O | --owner-first-name <value> | Owner first name |
| owner-last-name | J | --owner-last-name <value> | Owner last name |
| owner-email | Z | --owner-email <value> | Owner email |
| devhub-id | D | --devhub-id <value> | DevHub ID |
| validity-days | V | --validity-days <value> | Validity days for the certificate |
| key-type | W | --key-type <value> | Key type for the certificate. Supported key types: [RSA-2048, RSA-3072, RSA-4096, RSA-8192, ECC-PRIME256V1, ECC-SECP384R1] |
| auth-token | K | --auth-token <value> | Auth token to authenticate with API |
| url | u | --url <value> | Sectigo API URL |
| config | l | --config <file> | Path to config file |
== certifierUtil sectigo-search-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| auth-token | K | --auth-token <value> | Auth token to authenticate with API |
| group-name | G | --group-name <value> | Group name to filter the search results |
| group-email | E | --group-email <value> | Group email to filter the search results |
| status | S | --status <value> | Status to filter the search results |
| common-name | C | --common-name <value> | Common name of certificate to filter the search results |
| offset | o | --offset <value> | Offset value for paginated results |
| limit | L | --limit <value> | Limit value for paginated results |
| start-date | f | --start-date <value> | Start date to filter the search results (Format: YYYY-MM-DD) |
| end-date | t | --end-date <value> | End date to filter the search results (Format: YYYY-MM-DD) |
| certificate-id | e | --certificate-id <value> | Certificate ID to filter the search results |
| validity-start-date | p | --validity-start-date <value> | Validity start date to filter the search results (Format: YYYY-MM-DD) |
| validity-end-date | q | --validity-end-date <value> | Validity end date to filter the search results (Format: YYYY-MM-DD) |
| cert-order | c | --cert-order <value> | Certificate order to fetch; pass leaf to fetch the leaf certificate together with its ICA and Root |
| is-cn-in-san | a | --is-cn-in-san | Pass this flag to check that the common name is also present in the subject alternative names |
| request-type | y | --request-type <value> | Fetch certificates by request type. Ex. ACME, API, WEB, XCM |
| timestamp | m | --timestamp <value> | Fetch certificates by timestamp type. Ex. createdTimestamp, approvedTimestamp, signedTimestamp, rejectedTimestamp, revokedTimestamp |
| devhub-id | D | --devhub-id <value> | Fetch certificates by DevHub ID |
| key-type | W | --key-type <value> | Fetch certificate(s) whose public key type/algorithm matches. Supported key types: [RSA-2048, RSA-3072, RSA-4096, RSA-8192, ECC-PRIME256V1, ECC-SECP384R1] |
| config | l | --config <file> | Path to config file |
== certifierUtil sectigo-renew-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| auth-token | K | --auth-token <value> | Auth token to authenticate with API |
| common-name | C | --common-name <value> | Certificate common name (required for renewal) |
| serial-number | N | --serial-number <value> | Certificate serial number (either this or certificate ID is required for renewal) |
| certificate-id | e | --certificate-id <value> | Certificate ID (either this or serial number is required for renewal) |
| requestor-email | s | --requestor-email <value> | Requestor email (required for renewal) |
| config | l | --config <file> | Path to config file |
== certifierUtil sectigo-revoke-cert options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| auth-token | K | --auth-token <value> | Auth token to authenticate with API |
| common-name | C | --common-name <value> | Certificate common name |
| serial-number | N | --serial-number <value> | Certificate serial number (either this or certificate ID is required for revocation) |
| certificate-id | e | --certificate-id <value> | Certificate ID (either this or serial number is required for revocation) |
| requestor-email | s | --requestor-email <value> | Requestor email (required for revocation) |
| revocation-request-reason | R | --revocation-request-reason <value> | Revocation reason |
| config | l | --config <file> | Path to config file |
== certifierUtil sectigo-ocsp-status options
| Long Option | Short Option | Examples | Description |
|---|---|---|---|
| help | h | --help | Display this summary |
| cert-path | j | --cert-path <value> | Path to the certificate file (PEM format) |
| config | l | --config <file> | Path to config file |
Configuration File
The configuration file specifies internal certifierUtil parameters such as timeouts, the ECC curve and other miscellaneous items. It is a JSON file and can be edited by hand, starting from the libcertifier.cfg.sample template in the root directory. Note that it holds the input PKCS#12 password and, for the Sectigo commands, the API authentication token as cleartext strings, so restrict its file permissions to the user that runs certifierUtil and keep it out of version control.
Here are the details for every valid entry that can be added to the Configuration File:
| Entry Name | Default Value | Description |
|---|---|---|
| libcertifier.certifier.url | xPKI URL | URL of the xPKI certifier service called by get-cert and the other xPKI commands |
| libcertifier.profile.name | "XFN_Matter_OP_Class_3_ICA" | Set Profile name for the desired certificate to fetch (Defaults to Matter Operational Certificate) |
| libcertifier.validity.days | 365 | Set the number of validity days of the issued certificate |
| libcertifier.auth.type | "X509" | Authentication type used to obtain the CRT (X509 or SAT) |
| libcertifier.ecc.curve.id | "prime256v1" | Select ECC Curve ID for the issued certificate's key pair |
| libcertifier.http.connect.timeout | 10 | Set HTTP Connection Timeout (seconds) |
| libcertifier.http.timeout | 10 | Set HTTP Timeout (seconds) |
| libcertifier.http.trace | 0 | Enable Debug/Trace output during HTTP exchange (leave off in production; the full exchange goes to the log) |
| libcertifier.input.p12.path | "seed.p12" | Set Path to the input PKCS#12 File containing a keypair and client certificate |
| libcertifier.input.p12.password | "changeit" | Set password of the PKCS#12 file (stored in cleartext; change it from the sample value) |
| libcertifier.log.file | "/tmp/libcertifier.log" | Set file to store all logs of the xPKI transaction |
| libcertifier.log.level | 0 | Choose verbosity level of the logs |
| libcertifier.log.max.size | 5000000 | Set max size (in bytes) to write in the log file |
| libcertifier.measure.performance | 0 | Enable performance logs. |
| libcertifier.source.id | "libcertifier-opensource" | Set the request source id |
| libcertifier.tls.insecure.host | 0 | Mark TLS host as insecure, weakening TLS host verification. Keep at 0 outside lab use. |
| libcertifier.tls.insecure.peer | 0 | Mark TLS peer as insecure, weakening TLS peer certificate verification. Keep at 0 outside lab use. |
| libcertifier.certificate.lite | 1 | Mark request for a lite certificate. |
| libcertifier.system.id | "BBBBBBBBBBBBBBBB" | Set System ID value in the Subject Field of the Certificates in the Chain. |
| libcertifier.fabric.id | "DDDDDDDDDDDDDDDD" | Set Fabric ID value (64-bit, hex) in the Subject Field of the Matter Operational Certificate in the Chain. |
| libcertifier.product.id | "1101" | Set Product ID value (16-bit, hex) in the Subject Field of the Certificates in the Chain. |
| libcertifier.cn.name | "AAAAAAAA" | Set CN Field value in the Subject Field of the Leaf Certificate. |
| libcertifier.node.id | "CCCCCCCCCCCCCCCC" | Set Node ID OID Field value (64-bit, hex) in the Subject Field of the Matter Operational Certificate. |
| libcertifier.ext.key.usage | "critical,clientAuth,serverAuth" | Extended Key Usage values requested for the certificate (OpenSSL-style comma-separated list; critical marks the extension critical). |
| libcertifier.sectigo.url | Sectigo URL | Base URL of the Sectigo API used by the sectigo-* commands (can be overridden with --url) |
| libcertifier.sectigo.auth.token | "" | Sectigo API authentication token (stored in cleartext) |
| libcertifier.sectigo.common.name | "example.com" | Certificate common name (CN) |
| libcertifier.sectigo.group.name | "Example Group" | Group name for the certificate request |
| libcertifier.sectigo.group.email | | Group email for notifications |
| libcertifier.sectigo.id | "user123" | User or device ID |
| libcertifier.sectigo.owner.first.name | "First" | Owner's first name |
| libcertifier.sectigo.owner.last.name | "Last" | Owner's last name |
| libcertifier.sectigo.business.justification | "Testing" | Business justification for the request |
| libcertifier.sectigo.subject.alt.names | [] | Subject alternative names. |
| libcertifier.sectigo.owner.email | | Owner's email address |
| libcertifier.sectigo.tracking.id | "1234" | Tracking ID for the request |
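Several entries in this table are security-relevant rather than cosmetic: the two tls.insecure switches, a certifier or Sectigo URL that is not https, the sample password and token values, and Matter identifiers of the wrong width. The Python below is an added example, not part of libcertifier: it audits a libcertifier.cfg body against the entry names and widths listed in this table and returns findings by severity. The sample configuration embedded in it is constructed for the demonstration, the severity labels are this example's own, and an unknown key is reported because nothing on this page says the tool rejects one.

```python
"""Audit a libcertifier.cfg before running certifierUtil.

Added example, not part of libcertifier. Entry names and widths come from
the configuration table above; SAMPLE_CFG is constructed for this demo.
"""
import json
import re

# Every entry documented in the configuration table.
KNOWN_KEYS = {
    "libcertifier.certifier.url", "libcertifier.profile.name", "libcertifier.validity.days",
    "libcertifier.auth.type", "libcertifier.ecc.curve.id", "libcertifier.http.connect.timeout",
    "libcertifier.http.timeout", "libcertifier.http.trace", "libcertifier.input.p12.path",
    "libcertifier.input.p12.password", "libcertifier.log.file", "libcertifier.log.level",
    "libcertifier.log.max.size", "libcertifier.measure.performance", "libcertifier.source.id",
    "libcertifier.tls.insecure.host", "libcertifier.tls.insecure.peer", "libcertifier.certificate.lite",
    "libcertifier.system.id", "libcertifier.fabric.id", "libcertifier.product.id",
    "libcertifier.cn.name", "libcertifier.node.id", "libcertifier.ext.key.usage",
    "libcertifier.sectigo.url", "libcertifier.sectigo.auth.token", "libcertifier.sectigo.common.name",
    "libcertifier.sectigo.group.name", "libcertifier.sectigo.group.email", "libcertifier.sectigo.id",
    "libcertifier.sectigo.owner.first.name", "libcertifier.sectigo.owner.last.name",
    "libcertifier.sectigo.business.justification", "libcertifier.sectigo.subject.alt.names",
    "libcertifier.sectigo.owner.email", "libcertifier.sectigo.tracking.id",
}

# Matter identifier widths in hex digits (16-bit PID, 64-bit fabric/node IDs).
HEX_WIDTHS = {"libcertifier.product.id": 4, "libcertifier.fabric.id": 16, "libcertifier.node.id": 16}

SAMPLE_PASSWORD = "changeit"  # the template value shipped in the table above

# Constructed sample: one typo, plaintext http, peer verification off,
# template password and a 15-digit NodeID.
SAMPLE_CFG = """{
  "libcertifier.certifier.url": "http://certifier.example.invalid",
  "libcertifier.profile.name": "XFN_Matter_OP_Class_3_ICA",
  "libcertifier.validity.days": 365,
  "libcertifier.auth.type": "X509",
  "libcertifier.input.p12.path": "seed.p12",
  "libcertifier.input.p12.password": "changeit",
  "libcertifier.tls.insecure.peer": 1,
  "libcertifier.node.id": "CCCCCCCCCCCCCCC",
  "libcertifier.fabric.id": "DDDDDDDDDDDDDDDD",
  "libcertifier.http.timeout": 10,
  "libcertifier.log.levl": 0
}"""


def audit_config(text: str):
    """Return a list of (severity, message) findings for a config file body."""
    cfg = json.loads(text)
    findings = []

    for key in sorted(cfg):
        if key not in KNOWN_KEYS:
            findings.append(("warn", f"unknown entry {key!r}; check the spelling against the table"))

    # TLS verification switches: anything but 0 weakens verification.
    if cfg.get("libcertifier.tls.insecure.host", 0) != 0:
        findings.append(("high", "libcertifier.tls.insecure.host is set: TLS host verification weakened"))
    if cfg.get("libcertifier.tls.insecure.peer", 0) != 0:
        findings.append(("high", "libcertifier.tls.insecure.peer is set: TLS peer verification weakened"))

    # Both service endpoints must be reached over TLS.
    for key in ("libcertifier.certifier.url", "libcertifier.sectigo.url"):
        url = cfg.get(key)
        if url and not str(url).lower().startswith("https://"):
            findings.append(("high", f"{key} does not use https://"))

    # Secrets: template password still present, API token in cleartext.
    if cfg.get("libcertifier.input.p12.password") == SAMPLE_PASSWORD:
        findings.append(("medium", "libcertifier.input.p12.password is the template value"))
    if cfg.get("libcertifier.sectigo.auth.token"):
        findings.append(("medium", "libcertifier.sectigo.auth.token is stored in cleartext; restrict file permissions"))

    # Matter identifiers must be bare hex of the documented width.
    for key, width in HEX_WIDTHS.items():
        value = cfg.get(key)
        if value is not None and not re.fullmatch(r"[0-9A-Fa-f]{%d}" % width, str(value)):
            findings.append(("medium", f"{key} must be {width} hex digits ({width * 4}-bit), got {value!r}"))

    days = cfg.get("libcertifier.validity.days")
    if days is not None and (not isinstance(days, int) or days <= 0):
        findings.append(("medium", f"libcertifier.validity.days must be a positive integer, got {days!r}"))

    if cfg.get("libcertifier.http.trace", 0) != 0:
        findings.append(("low", "libcertifier.http.trace is on: full HTTP exchange is written to the log"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CFG):
        print(f"[{severity}] {message}")
```

Run it against the real libcertifier.cfg (pass the file contents to audit_config) as a pre-flight step before any get-cert run; treat any "high" finding as a stop.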