signercli -pubkey
Public Key Management Command – Full Reference
1. Overview
The signercli -pubkey command provides public key management capabilities on the Signer Server.
It is primarily used to:
- List stored public keys
- Extract public keys from existing certificates
- Store public keys independently for verification and trust purposes
Unlike private keys, public keys are non-sensitive and are commonly used for:
- Signature verification
- Trust establishment
- Auditing and inspection
2. Command Usage
signercli -pubkey <command> [options]
3. Commands
| Command | Description |
|---|---|
list | List all public keys |
extract <cert-id> | Extract public key from a certificate |
help | Display help message |
4. Authentication and Global Options
Required Authentication
| Option | Description |
|---|---|
-api-key <key> | API key authentication (required) |
-host <url> | Signer Server URL (default: https://localhost:7443) |
Login-based authentication is not supported.
All
-pubkeyoperations require an API key.
Output Format
| Option | Description |
|---|---|
-format <type> | Output format: text, json |
5. Listing Public Keys
List All Public Keys
signercli -pubkey list -api-key cdk_xxx
JSON Output (Automation)
signercli -pubkey list -api-key cdk_xxx -format json
This format is suitable for:
- CI/CD verification pipelines
- Automated trust validation
- Inventory and auditing tools
6. Extracting Public Keys from Certificates
Command Syntax
signercli -pubkey extract <cert-id> [options]
Extract Public Key
signercli -pubkey extract abc123 -api-key cdk_xxx
Behavior:
- Extracts the public key from the specified certificate
- Stores it as a separate public key entry
- Does not modify the original certificate
Assign a Name to the Extracted Public Key
signercli -pubkey extract abc123 \
-name "My Public Key" \
-api-key cdk_xxx
Naming the public key helps with:
- Identification
- Verification workflows
- Long-term trust management
7. Public Key Storage Model
- Public keys are stored independently from certificates
- Multiple public keys may originate from different certificates
- Public keys contain no private or sensitive material
Typical use cases:
- Verifying detached signatures
- Establishing trust anchors
- External verification services
8. Security Notes
- Public keys are safe to distribute and export
- No private key material is ever exposed
- Extraction does not require access to private keys or HSMs
9. Relationship to Other Commands
| Command | Description |
|---|---|
signercli -cert | Certificate management |
signercli -privkey | Private key management |
signercli -cert-api | Full certificate lifecycle via API |
signercli -csr | CSR generation |
The typical lifecycle is:
PrivateKey → Certificate →PublicKey (extracted)
10. Typical Use Cases
- Signature verification services
- CI/CD verification steps
- Trust anchor management
- Auditing and compliance checks
11. Summary
The signercli -pubkey command provides a clean and secure interface for public key management, enabling:
- Centralized storage of public keys
- Easy extraction from existing certificates
- Automation-friendly verification workflows
It complements -cert and -privkey by completing the key–certificate–verification lifecycle.