Certificate Management

After the certificate signing request is submitted to the CA, the CA signs the request and returns a signed certificate. Typically the certificate is sent in PEM format, the same format used for the CSR and private key.

The certificate data can be imported in one of two ways:

  • Use pki certificate <name> enter, then copy and paste the PEM data.

  • Copy the PEM format certificate file to the TNSR host, then use pki certificate <name> import <file> to import it from a file in the current working directory.

The certificate data is stored in a file at /etc/pki/tls/tnsr/certs/<name>.crt after entering or importing the contents.


When importing a certificate created outside of TNSR, the private key must be imported and present before TNSR can import the certificate.

Copy and Paste

First, use the enter command:

tnsr# pki certificate mycert enter
Type or paste a PEM-encoded certificate.
Include the lines containing 'BEGIN CERTIFICATE' and 'END CERTIFICATE'


Remember that the private key, CSR, and certificate must all use identical names!

Next, paste the certificate data:

<cert data>

Import from File

First, make sure that the copy of the certificate file is in PEM format. The CA may have delivered the certificate in PEM format, or another format. Convert the certificate to PEM format if it did not come that way.

Next, copy the certificate file to TNSR and start the CLI from the directory containing the certificate file. The filename extension is not significant, and may be pem, crt, txt, or anything else depending on how the file was delivered from the CA.

Next, use the import command:

tnsr# pki certificate mycert import mycert.pem
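
The checks below are an added example, not part of the TNSR documentation: run before the import command, they convert a PEM or DER file from the CA to PEM, confirm that the certificate belongs to the private key that was imported under the same name, and confirm that it has not expired. They assume the OpenSSL command-line tool is installed and that an unencrypted PEM copy of the private key is at hand; the function names and file arguments are illustrative.

```shell
#!/bin/sh
# Added example: pre-import checks for a certificate delivered by a CA.
# Assumes the OpenSSL CLI; all function and file names are hypothetical.

# Write a PEM copy of certificate $1 to $2, accepting PEM or DER input.
# openssl x509 emits only the first certificate it finds and drops any
# text outside the BEGIN CERTIFICATE / END CERTIFICATE lines.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null ||
    { rm -f "$2"; return 1; }
}

# Succeed only if certificate $1 and private key $2 (both PEM) carry the
# same public key. Each extraction is checked so that two unreadable
# files can never compare as equal.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if certificate $1 has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check: $1 = file from the CA, $2 = private key,
# $3 = PEM file to hand to "pki certificate <name> import".
prepare_import() {
    cert_to_pem "$1" "$3" ||
        { echo "not a PEM or DER certificate: $1" >&2; return 1; }
    cert_matches_key "$3" "$2" ||
        { echo "certificate does not match key: $2" >&2; return 2; }
    cert_not_expired "$3" ||
        { echo "certificate has expired: $1" >&2; return 3; }
    echo "ready to import: $3"
}

# Stand-alone use: sh precheck.sh <file-from-ca> <private-key> <output.pem>
if [ "$#" -eq 3 ]; then
    prepare_import "$@"
fi
```

A non-zero exit status identifies the failed check: 1 for an unreadable certificate, 2 for a key mismatch, 3 for an expired certificate.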

Other Certificate Operations

To view a list of all certificates known to TNSR, including the certificate validity times and status:

tnsr# pki certificate list
    restconf:   [Not after: Feb  9 15:31:27 2024 GMT] [days left: 361, valid]
    myuser:     [Not after: Feb  9 16:36:36 2024 GMT] [days left: 361, valid]

To view the PEM data for a specific certificate known to TNSR:

tnsr# pki certificate <name> get

To view a brief summary of the certificate details, use get short:

tnsr(config)# pki certificate restconf get short
   commonName: selfca
   commonName: tnsr.example.com
NotBefore: Feb  9 15:31:27 2023 GMT
NotAfter: Feb  9 15:31:27 2024 GMT

To view the full certificate details, use get full:

tnsr(config)# pki certificate restconf get full
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=selfca
            Not Before: Feb  9 15:31:27 2023 GMT
            Not After : Feb  9 15:31:27 2024 GMT
        Subject: CN=tnsr.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:tnsr.example.com, IP Address:
            X509v3 Subject Key Identifier:
                [Key ID]
            X509v3 Authority Key Identifier:
                [CA Key ID]
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication,
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:

To delete a certificate:

tnsr# pki certificate <name> delete