Command Line Interface
Using the command line
The command line interface is accessed using the
This supports a range of functions including:
- generating new certificates
- creating new users
- updating user details
- deleting users
- processing CSR files, and
- generating CRLs.
The command line interface requires an Enterprise license.
The installer automatically updates your
PATH environment variable on Windows platforms so that the
sauth.bat script can be found. On Mac and Linux platforms, this needs to be done manually.
On Mac platforms with default install settings, you can do this by created a
.bash_profile file in
your home directory (or appending your existing file) with the following line:
Command line interface
The following commands are supported. See below for more information on arguments.
sauth cert -subj arg [-caname arg] [-keepca] [-passin arg] [-passout arg] [-verbose] [-stdout] [-noprivout]
sauth cert -name arg [-caname arg] [-keepca] [-passin arg] [-passout arg] [-verbose] [-stdout] [-noprivout]
Generates a new certificate for an existing user. The user can be identified using their subject distinguished name, or just their name.
Options/Preferences settings are used to control the output directory for the new identity file, whether or not a separate certificate file is also created, if a backup of the identity file is retained, file formats and names, directory publishing and iCalendar publishing behaviour.
-passout is not specified, a randomly generated password will be used for the new
sauth cert -subj "C=AU,O=Acme Inc,CN=John Doe" -passin "pass:caPassword"
sauth cert -name "John Doe" -passin "pass:caPassword" -passout "pass:JohnsPassword"
sauth batchcert [-caname arg] [-passin arg] [-passout arg] [-verbose] [-stdout]
Generates new certificates for all active users that are currently marked as having "warning" (orange) status.
Options/Preferences settings are used to control the time period for when users are marked with "warning" status
prior to certificate expiry, as well as other settings (see
cert command for details).
sauth batchcert -passin "pass:caPassword" -passout "pass:userPasswords"
sauth create -subj arg [-san arg] [-type arg] [-days arg] [-verbose]
sauth create -name arg [-san arg] [-type arg] [-days arg] [-verbose]
Creates a new user.
Default settings are used for the user's Organisational Unit, Organisation and Country settings when the
-name version of this command is used. Default settings are also used for the
certificate type and validity period if these are not specified.
sauth create -subj "C=AU,O=Acme Inc,CN=John Doe" -san "firstname.lastname@example.org"
sauth create -name "John Doe" -type "General Purpose" -days 365
sauth update -subj arg [-newsubj arg] [-san arg] [-type arg] [-days arg] [-active yes|no] [-verbose]
sauth update -name arg [-newsubj arg] [-san arg] [-type arg] [-days arg] [-active yes|no] [-verbose]
Updates an existing user entry with new details.
The user is identified using their subject distinguished name or name. The other arguments are used to specify new user settings.
sauth update -subj "C=AU,O=Acme Inc,CN=John" -newsubj "C=AU,O=New Acme Inc,CN=John Doe" -san "email@example.com"
sauth update -name "John Doe" -active no
sauth delete -subj arg
-name arg [-verbose]
Deletes the specified user, including all certificate records and backup identity files.
sauth delete -subj "C=AU,O=Acme Inc,CN=John"
sauth delete -name "John Doe"
sauth list [-active yes|no] [-verbose]
Prints the subject distinguished names of users to
Each user is listed on a separate line. These values can each be used as a
-subj argument parameter
to identify the user for other commands.
By default, all users are listed. The list can be restricted to active or inactive users by specifying
Additional fields are shown if the
-verbose argument is used.
sauth user list
sauth user list -active yes
sauth crl [-caname arg] [-passin arg] [-verbose] [-stdout]
Generates a new CRL.
The output directory and other settings are retrieved from Options/Preferences. If the CRL file already exists, it will be overwritten.
sauth crl -passin "env:CA_PASSWORD"
sauth csr -in file [-type
arg] [-days arg] [-caname
arg] [-passin arg] [-verbose]
Processes a certificate signing request file to generate a new certificate.
A new user is generated if required to hold the new certificate record. All subject distinguished name
parameters are included in the new certificate. Extension requests are included if
-type is not specified.
sauth csr -in csr.txt
sauth csr -in csr.txt -type "General Purpose" -days 365 -passin "env:CA_PASSWORD"
revoke -serial arg [-reason arg] [-verbose]
revoke -name arg [-reason arg] [-verbose]
revoke -subj arg] [-reason arg] [-verbose]
Revokes one or more certificates. A single certificate can be revoked based on the certificate serial number, or all valid certificates for a specified user can be revoked.
revoke -serial 123456
revoke -name "John Doe" -reason 2
sauth file -in file [-passin
arg] [-verbose] [-stdout]
Processes multiple commands that are contained in a text file. Each line in the file is processed as a separate command. This is more efficient than calling the application multiple times because it avoids JVM startup and shutdown times.
Comments can be included in the file using the
# character. Any
-verbose command arguments that might exist in the file are ignored, since they are overwritten by the
file command arguments.
sauth file -in commands.txt -passin "env:CA_PASSWORD" -verbose
# create new user
create -subj "C=AU,O=Acme Inc,CN=John Doe" -san "firstname.lastname@example.org"
# generate certificate for new user
cert -name "John Doe"
# issue an updated CRL
Displays this help information.
sauth version [-verbose]
Displays version information.
sauth version -verbose
Command line arguments
||The user's name. This is the
||The user's subject distinguished name. The argument must be formatted using the X.500 standard, with zero
or one values for
||The new subject distinguished name. Used to update user details. The same rules apply for a valid argument
||The user's subject alternative name. This is usually their email address, but may also be used to hold a DNS name or other value.|
||The name of the certificate type to use.|
||The certificate validity period in days.|
||Whether or not a user is marked as active.|
||The name of the CA to use.|
||Keep a copy of any new CA identities generated for future use as a CA, using the same password as the current CA.|
||A certificate serial number in decimal format.|
||The revocation reason code integer value (see rfc5280).|
||The input file. The file may be specified using an absolute or relative path, however relative paths are
relative to the location of the
Used to specify the CA password. A number of formats are supported for
||Specifies the password for new user identity files. See
||Prints details about the operation being performed.|
||Causes any new identities, certificates or CRLs to be printed to
||Do not output any private key or password information.|
Java system properties can be used to override some Options/Preferences settings. These properties can be set using the Java command line option -D.
||The data directory.|
||The output directory.|
||The path to the CA PKCS#12 identity file (
|3||Unable to complete command|
Web application interface
The Web application (servlet) interface can be used with a servlet container, like Apache Tomcat, to integrate SimpleAuthority with third party software for automating certificate operations. This interface supports all of the CLI commands listed above.
To get started:
- Install Apache Tomcat.
- (Windows and Linux) Update the Tomcat Java security policy files to enable unlimited strength cryptography.
- Copy the
SimpleAuthority.warfile to the Tomcat
- Start Tomcat.
- Open your browser at http://localhost:8080/SimpleAuthority/
Note that the CA password can be specified in the
SimpleAuthority.war deployment descriptor
Please contact us if you get stuck.