admin

The admin command group is used to manage the CA service. CA administrators can use this command group to perform the following operations:

Examples

Initialize the CA service:

$ cacli admin setup --key-shares=3 --key-threshold=2

Seal Type: Shamir
CA Setup Operation Nonce: a5eb1b35-fb33-4619-8844-c544f0917d20
Total Shares: 3
Threshold: 2
-> Backup Progress: 1/3
Backup Finished: false
Verify Progress: 0/3
Verify Success: unfinished

Unseal Key: uk1./BCN5rygSWvN4eHKbCiZCEgSzp0hnUTvlqvrCaQdVig=
...

Verify the CA authorization key shares:

$ cacli admin verify --participant=2
Please input your unseal key(Input will be hidden, and type Enter to confirm input. The nonce of the current operation is '4b765d5f-68e8-4c1a-b1d1-3b15b502ccc8'): uk1./BCN5rygSWvN4eHKbCiZCEgSzp0hnUTvlqvrCaQdVig=

Seal Type: Shamir
CA Verify Operation Nonce: 4b765d5f-68e8-4c1a-b1d1-3b15b502ccc8
Total Shares: 3
Threshold: 2
Verify Progress: 1/2
Verify Success: unfinished

The nonce can only be sent to other admins.

Recover the CA using the authorization key shares:

$ cacli admin unseal --init
Please input your unseal key(Input will be hidden, and type Enter to confirm input. The nonce of the current operation is '2ab3eb11-fe15-4eb3-997b-57bd8c6b2870'): uk1./BCN5rygSWvN4eHKbCiZCEgSzp0hnUTvlqvrCaQdVig=

CA Unseal Operation Nonce: 2ab3eb11-fe15-4eb3-997b-57bd8c6b2870
Unseal Progress: 1/2
Unseal Result: unfinished

The nonce can only be sent to other admins.

Rotate the CA authorization key shares:

$ cacli admin rekey --key-shares=3 --key-threshold=2

Please input your **CURRENT** unseal key(Input will be hidden, and type Enter to confirm input. The nonce of the current operation is '3eaf93f5-d86a-4ad1-8118-5f6fff6254c3'): uk1.F39EQdAN662Dy/mAbhysSetjkiWiQHRlmcMqBlUxLCQ=

Seal Type: Shamir
CA Rekey Operation Nonce: 3eaf93f5-d86a-4ad1-8118-5f6fff6254c3
Total Shares: 3
Threshold: 2
Modified Total Shares: 3
Modified Threshold: 2
-> Input Progress: 1/2
Input Validation Success: unfinished
Backup Progress: 0/3
Backup Finished: false
Verify Progress: 0/3
Verify Success: unfinished

Usage

Usage: cacli admin <subcommand> [options] [args]
This command groups subcommands for admins interacting with CA.

Subcommands:
    setup           Setup an uninitialized CA and backup unseal keys
    verify          Verify the correctness of backup unseal keys
    unseal          Authorize(Unseal) an unauthorized CA
    rekey           change root key in CA

For more information about each subcommand and how to use it, see the following documents: