Krill CLI man page

Synopsis


krillc [global-options] SUBCOMMAND [options]

Description

krillc is the command line interface for the krill daemon.

Global options

The available global options are:

-s server, --server=server

Provides the path to a file containing basic configuration. If this option is not given, Krill will try to use /etc/krill.conf. See krill.conf(5) for more about the format of the configuration file.

-h, --help

Print some help information.

-V, --version

Print version information.

Subcommands

config

Creates a configuration file for Krill and prints it to stdout

user

Generate a user authentication configuration file fragment

OPTIONS

--id=<ID>

ID (e.g., username, email) to generate configuration for

-a <ATTR>, --attr=<ATTR>

Attributes for the user

health

Perform an authenticated health check

info

Show server info

list

List the current CAs

show

Show details of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

history

Show the history of a CA

commands

Show the commands sent to a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--rows=<ROWS>

Number of rows (max 250)

--offset=<OFFSET>

Number of results to skip

--after=<AFTER>

Show commands issued after date/time

--before=<BEFORE>

Show commands issued before date/time

details

Show details for a command in the history of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--key=<KEY>

The command key as shown in ‘history commands’

add

Add a new CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

delete

Delete a CA and let it withdraw its objects and request revocation. WARNING: Irreversible!

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

issues

Show issues

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to check for issues

children

Manage children of a CA

add

Add a child to a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

-a <ASN>, --asn=<ASN>

The AS resources to be included

-4 <IPV4>, --ipv4=<IPV4>

The IPv4 resources to be included

-6 <IPV6>, --ipv6=<IPV6>

The IPv6 resources to be included

-r <REQUEST>, --request=<REQUEST>

Path to the RFC 8183 Child Request XML file

update

Update an existing child of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

-a <ASN>, --asn=<ASN>

The AS resources to be included

-4 <IPV4>, --ipv4=<IPV4>

The IPv4 resources to be included

-6 <IPV6>, --ipv6=<IPV6>

The IPv6 resources to be included

-r <REQUEST>, --request=<REQUEST>

Path to the RFC 8183 Child Request XML file

info

Show info for a child

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

remove

Remove an existing child from a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

response

Show the RFC 8183 Parent Response XML

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

connections

Show connection stats for children of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

suspend

Suspend a child CA: un-publish certificate(s) issued to child

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

unsuspend

Unsuspend a child CA: publish certificate(s) issued to child

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--child=<CHILD>

The name of the child CA you wish to control

parents

Manage parents for a CA

request

Show RFC 8183 Child Request XML

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

add

Add a parent to, or update a parent of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--parent=<PARENT>

The name of the parent CA you wish to control

-r <RESPONSE>, --response=<RESPONSE>

Path to the RFC 8183 Child Request XML file

refresh

Refresh the parents of this CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

contact

Show contact information for a parent of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--parent=<PARENT>

The name of the parent CA you wish to control

statuses

Show overview of all parent statuses of a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

remove

Remove an existing parent from a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--parent=<PARENT>

The name of the parent CA you wish to control

keyroll

Perform a manual key rollover for a CA

init

Initialize roll for all keys held by a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

activate

Finish roll for all keys held by a CA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

repo

Manage the repository of a CA

request

Show RFC 8183 Publisher Request XML

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

show

Show current repo configuration

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

status

Show current repo status

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

configure

Configure which repository a CA uses

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

-r <RESPONSE>, --response=<RESPONSE>

Path to the RFC 8183 Publisher Response XML file

roas

Manage the ROAs of a CA

list

List current ROAs

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

update

Add and remove ROAs

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--delta=<DELTA>

Path to a file with added and removed ROAs

--add=<ADD>

One or more ROAs to add

--remove=<REMOVE>

One or more ROAs to remove

--dryrun=<DRYRUN>

Perform a dry run of the update, return the BGP analysis

--try=<TRY_UPDATE>

Try to perform the update; give advice in case of errors or invalids

bgp

Show current authorizations in relation to known announcements

analyze

Show full report of ROAs vs known BGP announcements

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

suggest

Show ROA suggestions based on known BGP announcements

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

-4 <IPV4>, --ipv4=<IPV4>

Scope to these IPv4 resources

-6 <IPV6>, --ipv6=<IPV6>

Scope to these IPv6 resources

bgpsec

Manage the BGPsec router keys of a CA

list

Show current BGPsec router keys

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

add

Add a BGPsec router key

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

-a <ASN>, --asn=<ASN>

The ASN to authorize the router key for

--csr=<CSR>

Path to the DER-encoded certificate signing request

remove

Remove a BGPsec router key

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

-a <ASN>, --asn=<ASN>

The ASN of the router key to be removed

--key=<KEY>

The hex encoded key identifier of the router key

aspas

Manage the ASPAs of a CA

list

Show current ASPAs

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

add

Add or replace an ASPA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--aspa=<ASPA>

The ASPA formatted like: 65000 => 65001, 65002, 65003

remove

Remove the ASPA for a customer ASN

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--customer=<CUSTOMER>

Customer ASN of the ASPA to remove

update

Update an existing ASPA

OPTIONS

-c <CA>, --ca=<CA> [env: KRILL_CLI_MY_CA]

Name of the CA to control

--customer=<CUSTOMER>

Customer ASN of an existing ASPA

--add=<ADD>

Provider ASN to add

--remove=<REMOVE>

Provider ASN to remove
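
Added example (not part of Krill or of the original man page): a local pre-flight check for the --aspa string format shown under aspas add, plus a model of the --add/--remove provider changes of aspas update, so a change can be reviewed before it is sent to the server. The function names and the policy checks (non-empty provider set, no duplicates, customer not listed as its own provider, plain decimal ASNs only) are assumptions of this sketch and may be stricter than what krillc accepts.

```python
import re

MAX_ASN = 2**32 - 1  # AS numbers are 32-bit unsigned
_ASPA = re.compile(r"\s*(\d+)\s*=>(.*)", re.ASCII | re.DOTALL)


class AspaError(ValueError):
    """Raised when an ASPA string or update fails the pre-flight checks."""


def _asn(text):
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise AspaError(f"not a decimal AS number: {text!r}")
    if int(text) > MAX_ASN:
        raise AspaError(f"AS number out of 32-bit range: {text}")
    return int(text)


def _check(customer, providers):
    # Assumed policy: non-empty, no duplicates, customer is not its own provider.
    if not providers:
        raise AspaError("provider set is empty")
    if len(set(providers)) != len(providers):
        raise AspaError("duplicate provider ASN")
    if customer in providers:
        raise AspaError("customer ASN listed as its own provider")
    return customer, tuple(sorted(providers))


def parse_aspa(text):
    """Parse '65000 => 65001, 65002' into (customer, sorted providers)."""
    m = _ASPA.fullmatch(text)
    if not m:
        raise AspaError("expected '<customer> => <provider>, <provider>, ...'")
    return _check(_asn(m.group(1)), [_asn(p) for p in m.group(2).split(",")])


def apply_update(aspa, add=(), remove=()):
    """Local model of 'aspas update': the ASPA after adding/removing providers."""
    customer, providers = aspa
    missing = set(remove) - set(providers)
    if missing:
        raise AspaError(f"cannot remove unknown providers: {sorted(missing)}")
    kept = [p for p in providers if p not in set(remove)]
    return _check(customer, kept + list(add))


def format_aspa(aspa):
    """Render back into the form shown for --aspa."""
    return f"{aspa[0]} => {', '.join(map(str, aspa[1]))}"
```
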

pubserver

Manage the Publication Server

publishers

Manage the publishers of the publication server

list

List all publishers

stale

List all publishers which have not published in a while

OPTIONS

--seconds=<SECONDS>

Number of seconds since last publication

add

Add a publisher

OPTIONS

--request=<REQUEST>

Path to the RFC 8183 Publisher Request XML file

-p <PUBLISHER>, --publisher=<PUBLISHER>

Override the publisher handle in the XML

response

Show RFC 8183 Repository Response XML

OPTIONS

-p <PUBLISHER>, --publisher=<PUBLISHER>

Name of the publisher

show

Show details for a publisher

OPTIONS

-p <PUBLISHER>, --publisher=<PUBLISHER>

Name of the publisher

remove

Remove a publisher

OPTIONS

-p <PUBLISHER>, --publisher=<PUBLISHER>

Name of the publisher

delete

Delete specific files from the publication server

server

Manage the publication server

init

Initialize the publication server

OPTIONS

--rrdp=<RRDP>

The RRDP base URI for the repository (excluding notification.xml)

--rsync=<RSYNC>

The rsync base URI for the repository

stats

Show publication server statistics

session-reset

Reset the RRDP session

clear

Clear the publication server so it can be re-initialized

bulk

Manually trigger refresh/republish/resync for all CAs

refresh

Force all CAs to ask their parents for updated certificates

publish

Force all CAs to create new objects if needed (in which case they will also sync)

sync

Force all CAs to sync with their repo server

See also

krill(1), krill.conf(5), krillta(1), krillup(1)