certget Command

Purpose

certget retrieves a single certificate from the local LDAP repository.

Syntax

certget {-f file | [-b | -t]} tag [username]

Description

The certget command retrieves a single certificate from the local LDAP repository. Only one certificate is retrieved per invocation. To retrieve all of a user's certificates, first use the certlist command to obtain a list of the certificates, then run certget for each entry in that list.

If the -f option is used, the certificate shall be written in binary format to the named file. Otherwise the certificate is output to stdout either in binary or hexadecimal. If the -b option is given, binary output is used (default). If the -t option is given, hexadecimal output is used. Certificates are output in DER format.

The tag parameter uniquely selects one of the user's certificates. The username parameter specifies which AIX® user is to be queried. If invoked without the username parameter, the certget command uses the name of the current user.

Flags

Item Description
-f Specifies the file in which the DER-encoded certificate will be stored.
-b Specifies the format of the certificate data to be binary.
-t Specifies the format of the certificate data to be hexadecimal.

Exit Status

Item Description
0 If successful.
EINVAL If the command is ill-formed or the arguments are invalid.
ENOENT If a) the user does not exist, b) the tag does not exist, or c) the file does not exist.
EIO If unable to create/modify LDAP entry.
ENOCONNECT If the service is not available.
errno If system error.

Security

This command can be executed by anyone to retrieve a certificate belonging to a user from the local repository.

Audit

This command records the following event information:

CERT_Get <username>

Examples

  1. To retrieve Bob's certificate tagged as signcert and store it in cert.der, enter:
    $ certget -f cert.der signcert bob
  2. To store Bob's certificate signcert in hexadecimal in cert.der, enter:
    $ certget -t signcert bob > cert.der
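
Because any user can read certificates from the repository, a consumer of certget output may want to validate what it received before using it. The following Python code is an added example, not part of the original AIX documentation: it decodes the hexadecimal text produced with -t, checks that the result is exactly one DER SEQUENCE, and computes a SHA-256 fingerprint for comparison with a value obtained out of band. The layout of the -t output (hex digits with optional whitespace) is an assumption, and the function names and sample bytes are illustrative.

```python
import binascii
import hashlib

def hex_to_der(text: str) -> bytes:
    """Decode hex text (assumed: hex digits, optional whitespace) to bytes."""
    try:
        return binascii.unhexlify("".join(text.split()))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid hexadecimal: {exc}") from None

def check_der_envelope(der: bytes) -> int:
    """Check the outer DER TLV of a certificate; return the content length.

    An X.509 certificate is one SEQUENCE (tag 0x30) whose definite length
    covers the rest of the input exactly.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer tag is not SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("indefinite or malformed length")
        length = int.from_bytes(der[2:2 + n], "big")
        if der[2] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding (not DER)")
        header = 2 + n
    if header + length != len(der):       # truncated file or trailing bytes
        raise ValueError(
            f"declared {header + length} bytes, got {len(der)}")
    return length

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, to compare with a known-good value."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample: a tiny DER SEQUENCE holding INTEGER 5, not a real
# certificate. Real input would be the text saved from `certget -t`.
SAMPLE_HEX = "30 03 02\n01 05"

if __name__ == "__main__":
    der = hex_to_der(SAMPLE_HEX)
    print(check_der_envelope(der), fingerprint(der))
```

A file written with -f or -b is already binary DER and can be passed to check_der_envelope and fingerprint directly, without the hex decoding step.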

Files

/usr/lib/security/pki/acct.cfg