signercli -cert
Certificate Management Command – Full Reference
1. Overview
The signercli -cert command provides full lifecycle management of certificates stored on the Signer Server.
It supports:
- Listing certificates by purpose
- Inspecting certificate details
- Selecting an active certificate
- Uploading certificates to different storage backends
- Downloading certificates in multiple formats
- Updating certificate metadata
- Securely deleting certificates
Important
This command manages certificate objects only.
Private keys are managed separately via signercli -privkey.
2. Command Usage
signercli -cert <subcommand> [options]
3. Subcommands
| Subcommand | Description |
|---|---|
| list [purpose] | List certificates by purpose |
| get <id> | Get certificate details |
| id [cert_id] [label] | Get or set the active certificate |
| pem | Export PEM of the active certificate |
| password <password> | Set private key password |
| upload <file> | Upload a certificate |
| download <id> | Download certificate (PEM / DER) |
| download-pfx <id> | Download certificate as PFX |
| update <id> | Update certificate metadata |
| delete <id> | Delete a certificate |
| help | Display help message |
4. Certificate Purposes
Certificates are classified by purpose, derived from EKU and metadata.
| Purpose | Description |
|---|---|
| all | All certificates (default) |
| codesign | Code signing certificates |
| docsign | Document signing certificates |
| serverauth | SSL/TLS server authentication |
| clientauth | Client authentication |
| timestamp | Timestamping certificates |
| ocsp | OCSP signing certificates |
| ca | CA certificates |
| encrypt | Encryption certificates |
| verify | Verification certificates |
5. Authentication Options
| Option | Description |
|---|---|
| -api-key <key> | Authenticate using API key (no login required) |
| -host <url> | Server URL (required with -api-key) |
| -profile <name> | Use settings from a configuration profile |
Authentication behavior:
- API key authentication bypasses login
- Permissions are defined by the API key
- API key takes precedence over login tokens
6. Listing Certificates
List All Certificates
signercli -cert list -api-key <key> -host https://server:7443
List Certificates by Purpose
signercli -cert list codesign -api-key <key> -host https://server:7443
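The authentication behaviour in section 5 and the listing commands above are what a CI job typically wraps. The script below is an added example, not part of the signercli documentation or its code: it takes the API key and server URL from the environment rather than a literal on the command line, checks the purpose and output format against the values documented in sections 4 and 14, and prints a redacted command instead of running it when a dry-run flag is set. The variable names SIGNER_API_KEY, SIGNER_HOST and SIGNERCLI_DRY_RUN are this script's own convention, not signercli options.

```shell
#!/bin/sh
# Added example; not part of the signercli documentation or its code.
# Wrapper around `signercli -cert list` for CI use: the API key and server
# URL come from the environment, the purpose and output format are validated
# against the documented values, and SIGNERCLI_DRY_RUN=1 prints a redacted
# command line instead of executing it.
# SIGNER_API_KEY, SIGNER_HOST and SIGNERCLI_DRY_RUN are assumed names used by
# this script only, not options of signercli.

# Purposes documented for `signercli -cert list [purpose]`.
VALID_PURPOSES="all codesign docsign serverauth clientauth timestamp ocsp ca encrypt verify"

# is_valid_purpose NAME -> exit status 0 if NAME is a documented purpose
is_valid_purpose() {
    for p in $VALID_PURPOSES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# check_env -> 0 if the API key and an https:// host are present in the environment
check_env() {
    if [ -z "${SIGNER_API_KEY:-}" ] || [ -z "${SIGNER_HOST:-}" ]; then
        echo "SIGNER_API_KEY and SIGNER_HOST must be set (inject them from the CI secret store)" >&2
        return 1
    fi
    case "$SIGNER_HOST" in
        https://*) return 0 ;;
        *) echo "SIGNER_HOST must be an https:// URL, got: $SIGNER_HOST" >&2; return 1 ;;
    esac
}

# list_certs [PURPOSE] [FORMAT]
# Runs `signercli -cert list` with API-key authentication.
# Exit status 1 on a missing or invalid environment, 2 on an unknown purpose or format.
list_certs() {
    purpose="${1:-all}"
    format="${2:-json}"
    check_env || return 1
    if ! is_valid_purpose "$purpose"; then
        echo "unknown purpose: $purpose (expected one of: $VALID_PURPOSES)" >&2
        return 2
    fi
    case "$format" in
        classic|json|table|csv) ;;
        *) echo "unknown format: $format (expected classic, json, table or csv)" >&2; return 2 ;;
    esac
    if [ "${SIGNERCLI_DRY_RUN:-0}" = "1" ]; then
        # Never echo the real key: this line may end up in a CI log.
        echo "signercli -cert list $purpose -api-key <redacted> -host $SIGNER_HOST -format $format"
        return 0
    fi
    signercli -cert list "$purpose" -api-key "$SIGNER_API_KEY" -host "$SIGNER_HOST" -format "$format"
}
```

Usage in a pipeline step: export the two variables from the CI secret store, then call `list_certs codesign json` and feed the output to whatever inventory or audit tooling consumes it. Validating the purpose locally means a typo fails the job before any request reaches the server.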
7. Viewing Certificate Details
signercli -cert get <certificate_id> -api-key <key>
Displays:
- Subject and issuer
- Serial number
- Validity period
- Certificate purpose
- Storage backend (DB / SW_HSM / HW_HSM)
8. Active Certificate Management
Show Active Certificate
signercli -cert id
Set Active Certificate
signercli -cert id <certificate_id> [label]
The active certificate is used by default for:
- Code signing
- Document signing
- Verification operations
9. Export Active Certificate PEM
signercli -cert pem
- Exports public certificate only
- Private key is never included
10. Uploading Certificates
Command Syntax
signercli -cert upload <file> [options]
Upload Options
| Option | Description |
|---|---|
| -name <name> | Certificate display name |
| -desc <description> | Certificate description |
| -storage <type> | Storage backend (DB, SW_HSM, HW_HSM) |
| -hsm-slot <id> | HSM slot ID (required for HW_HSM) |
| -hsm-pin <pin> | HSM PIN (required for HW_HSM) |
Storage Types
DB (Default)
- Certificate stored in database
- No HSM interaction
signercli -cert upload cert.pem -name "My Cert"
SW_HSM (Software HSM)
- Certificate linked to software HSM (e.g. SoftHSM)
- No PIN required at upload time
signercli -cert upload cert.pem -name "CI Cert" -storage SW_HSM
HW_HSM (Hardware HSM)
- Certificate bound to hardware HSM slot
- Requires explicit slot ID and PIN
signercli -cert upload cert.pem \
-name "EV Code Signing Cert" \
-storage HW_HSM \
-hsm-slot 0 \
-hsm-pin 1234
Upload Notes
- Uploading a certificate does not import the private key
- The private key must already exist in the selected storage backend
- HSM PINs are never stored
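Because the upload takes the certificate only, a file that also contains the private key (a common bundle layout) should never be handed to it. The script below is an added example, not part of the signercli documentation or its code: it classifies the PEM content of the file, refuses anything other than a plain certificate, builds the documented upload command for each storage type, and for HW_HSM reads the PIN from the terminal with echo off instead of taking it from a script or shell history. The helper names, the HSM_SLOT and SIGNERCLI_DRY_RUN variables and the exit codes are this script's own convention.

```shell
#!/bin/sh
# Added example; not part of the signercli documentation or its code.
# Pre-flight checks before `signercli -cert upload`: the upload takes a
# certificate only, so a file that also holds a private key is refused rather
# than sent to the server, and for HW_HSM the PIN is prompted for instead of
# being typed into a command line that lands in shell history.
# Helper names, HSM_SLOT, SIGNERCLI_DRY_RUN and the exit codes are assumed
# conventions of this script, not of signercli.

# pem_kind FILE -> prints one of: certificate | private-key | mixed | unknown
pem_kind() {
    has_cert=0
    has_key=0
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && has_cert=1
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
    grep -Eq '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" && has_key=1
    if [ "$has_cert" -eq 1 ] && [ "$has_key" -eq 1 ]; then
        echo mixed
    elif [ "$has_cert" -eq 1 ]; then
        echo certificate
    elif [ "$has_key" -eq 1 ]; then
        echo private-key
    else
        echo unknown
    fi
}

# upload_cert FILE NAME [STORAGE]
# STORAGE is DB (default), SW_HSM or HW_HSM, as documented.
# Exit status 2 on bad arguments, 3 when FILE is not a plain certificate.
upload_cert() {
    file="$1"
    name="$2"
    storage="${3:-DB}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    kind=$(pem_kind "$file")
    if [ "$kind" != "certificate" ]; then
        echo "refusing to upload $file: content is '$kind', expected a certificate only" >&2
        return 3
    fi
    case "$storage" in
        DB|SW_HSM)
            set -- signercli -cert upload "$file" -name "$name" -storage "$storage"
            ;;
        HW_HSM)
            if [ -z "${HSM_SLOT:-}" ]; then
                echo "HSM_SLOT must be set for HW_HSM uploads" >&2
                return 2
            fi
            # Prompt with echo off. signercli still receives the PIN as an
            # argument (its documented interface), but it stays out of the
            # caller's scripts and history.
            printf 'HSM PIN: ' >&2
            stty -echo
            read -r pin
            stty echo
            echo >&2
            set -- signercli -cert upload "$file" -name "$name" -storage HW_HSM \
                   -hsm-slot "$HSM_SLOT" -hsm-pin "$pin"
            ;;
        *)
            echo "unknown storage type: $storage (expected DB, SW_HSM or HW_HSM)" >&2
            return 2
            ;;
    esac
    if [ "${SIGNERCLI_DRY_RUN:-0}" = "1" ]; then
        # Print the command with the PIN masked; never log the real value.
        echo "$*" | sed 's/-hsm-pin [^ ]*/-hsm-pin <redacted>/'
        return 0
    fi
    "$@"
}
```

The content check is deliberately header-based so it needs nothing beyond grep; if OpenSSL is available, `openssl x509 -noout -in FILE` is a stricter parse of the same file before the upload is attempted.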
11. Downloading Certificates
Download Certificate (PEM / DER)
signercli -cert download <id> -format pem -o /path/to/dir
signercli -cert download <id> -format der -o /path/to/dir
Include Certificate Chain
signercli -cert download <id> -include-chain -o /path/to/dir
Download Certificate as PFX
signercli -cert download-pfx <id> -password <pwd> -o /path/to/dir
⚠️ PFX export availability depends on:
- Storage backend
- Server security policy
- HSM restrictions
12. Updating Certificate Metadata
signercli -cert update <id> \
-name "New Name" \
-desc "Description"
- Updates server-side metadata only
- Does not modify certificate contents
13. Deleting Certificates
Delete Certificate
signercli -cert delete <id>
Delete Certificate and Related Private Key
signercli -cert delete <id> -delete-related
Delete HSM-Backed Certificate
signercli -cert delete <id> -hsm-pin <pin>
⚠️ Deletion is irreversible.
Deleting private keys is strongly discouraged in production environments.
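Since deletion is irreversible and `-delete-related` also removes the private key, an operator wrapper usually adds a confirmation step, a policy gate and an audit trail. The script below is an added example, not part of the signercli documentation or its code: the caller must repeat the certificate id, key deletion is only built when an explicit allow variable is set, and every attempt is appended to a log before the command runs. AUDIT_LOG, ALLOW_KEY_DELETE, SIGNERCLI_DRY_RUN and the exit codes are this script's own convention.

```shell
#!/bin/sh
# Added example; not part of the signercli documentation or its code.
# Guard around the irreversible `signercli -cert delete`: the id must be
# confirmed a second time, `-delete-related` (which also removes the private
# key) is only issued when ALLOW_KEY_DELETE=1, and every attempt, refused or
# not, is appended to an audit log before anything runs.
# AUDIT_LOG, ALLOW_KEY_DELETE, SIGNERCLI_DRY_RUN and the exit codes are
# assumed conventions of this script, not of signercli.

AUDIT_LOG="${AUDIT_LOG:-./signercli-delete.log}"

# audit MESSAGE -> appends a UTC-timestamped line with the invoking user to AUDIT_LOG
audit() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "$1" >> "$AUDIT_LOG"
}

# delete_cert ID CONFIRM_ID [cert-only|related]
# Exit status 2 when the ids do not match or the mode is unknown,
# 4 when a related-key deletion is requested but not allowed.
delete_cert() {
    id="$1"
    confirm="$2"
    mode="${3:-cert-only}"
    if [ -z "$id" ] || [ "$id" != "$confirm" ]; then
        echo "certificate id and confirmation do not match; nothing deleted" >&2
        audit "REFUSED id='$id' reason=confirmation-mismatch"
        return 2
    fi
    case "$mode" in
        cert-only)
            set -- signercli -cert delete "$id"
            ;;
        related)
            if [ "${ALLOW_KEY_DELETE:-0}" != "1" ]; then
                echo "refusing -delete-related for $id: set ALLOW_KEY_DELETE=1 to remove the private key as well" >&2
                audit "REFUSED id='$id' reason=key-delete-not-allowed"
                return 4
            fi
            set -- signercli -cert delete "$id" -delete-related
            ;;
        *)
            echo "unknown mode: $mode (expected cert-only or related)" >&2
            return 2
            ;;
    esac
    # Record the intent before the irreversible call so a crash mid-way still leaves a trace.
    audit "DELETE id='$id' mode=$mode"
    if [ "${SIGNERCLI_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
        return 0
    fi
    "$@"
}
```

The HSM-backed variant with `-hsm-pin` is left out here; the PIN-prompt pattern from the upload example applies unchanged if it is needed.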
14. Output Formats
-format classic | json | table | csv
Useful for:
- Automation
- Auditing
- CI/CD pipelines
15. Relationship to Other Commands
| Command | Description |
|---|---|
| signercli -privkey | Private key management |
| signercli -pubkey | Public key management |
| signercli -csr | CSR generation |
| signercli -cert-dist | Automated SSL (Let’s Encrypt) |
| signercli -codesign-list | Code signing shortcut |
| signercli -codesign-id | Set code signing certificate |
16. Typical Use Cases
- Certificate inventory management
- Secure CI/CD automation using API keys
- HSM-backed production signing
- Migration from legacy codesign-* commands
17. Summary
The signercli -cert command provides a secure, storage-aware, and extensible certificate management interface, supporting:
- Multiple certificate purposes
- Database, software HSM, and hardware HSM backends
- Modern automation workflows
- Enterprise-grade security controls
It is the recommended interface for all new certificate management workflows.