kfutil_stores_rot_reconcile.md

File metadata and controls

55 lines (44 loc) · 3.78 KB

## kfutil stores rot reconcile

Reconcile either takes in an existing audit report or generates one, and then adds/removes certs as needed.

### Synopsis

Root of Trust (rot): Parses either a combination of CSV files that define certs to add and/or certs to remove, together with a CSV of certificate stores, or an audit CSV file. If an audit CSV file is provided, the add and remove actions defined in the audit file are executed immediately. If a combination of CSV files is provided, the utility first generates an audit report and then executes the add/remove actions defined in that report.

```
kfutil stores rot reconcile [flags]
```

### Options

```
  -a, --add-certs string      CSV file containing cert(s) to enroll into the defined cert stores
  -d, --dry-run               Dry run mode
  -h, --help                  help for reconcile
  -v, --import-csv            Import an audit report file in CSV format.
  -i, --input-file string     Path to a file generated by 'stores rot audit' command. (default "rot_audit.csv")
  -k, --max-keys -1           The max number of private keys that should be in a store to be considered a 'root' store. If set to -1 then all stores will be considered. (default -1)
  -l, --max-leaf-certs -1     The max number of non-root-certs that should be in a store to be considered a 'root' store. If set to -1 then all stores will be considered. (default -1)
  -m, --min-certs -1          The minimum number of certs that should be in a store to be considered a 'root' store. If set to -1 then all stores will be considered. (default -1)
  -o, --outpath string        Path to write the audit report file to. If not specified, the file will be written to the current directory.
  -r, --remove-certs string   CSV file containing cert(s) to remove from the defined cert stores
  -s, --stores string         CSV file containing cert stores to enroll into
```
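The two input modes from the Synopsis (an existing audit report versus stores/add/remove CSVs) and the dry-run flag are easy to combine wrongly, so this added wrapper (example code, not part of kfutil) builds the argv for a reconcile run, rejects ambiguous flag combinations, and stages a `--dry-run` pass before the real one. It assumes the `kfutil` binary is on PATH and that credentials come from the config profile rather than `--password`; the CSV paths are constructed placeholders.

```python
"""Added example (not kfutil code): build argv for 'kfutil stores rot reconcile' and
stage a dry run before the real run. Assumes kfutil is on PATH and that credentials
come from the config profile, not from --password on the command line."""
import shlex
import subprocess
from typing import List, Optional


def reconcile_argv(*, stores: Optional[str] = None, add_certs: Optional[str] = None,
                   remove_certs: Optional[str] = None, audit_csv: Optional[str] = None,
                   outpath: Optional[str] = None, dry_run: bool = True,
                   min_certs: int = -1, max_keys: int = -1, max_leaf_certs: int = -1) -> List[str]:
    """Argv for one invocation. The Synopsis describes two exclusive input modes:
    audit mode (--import-csv --input-file) executes an existing report as-is; CSV mode
    (--stores plus --add-certs and/or --remove-certs) generates the report, then executes it."""
    argv = ["kfutil", "stores", "rot", "reconcile"]
    csv_mode = any(v is not None for v in (stores, add_certs, remove_certs))
    if audit_csv and csv_mode:
        raise ValueError("give either an audit CSV or the stores/add/remove CSVs, not both")
    if audit_csv:
        argv += ["--import-csv", "--input-file", audit_csv]
    elif csv_mode:
        if stores is None or (add_certs is None and remove_certs is None):
            raise ValueError("CSV mode needs --stores and at least one of --add-certs/--remove-certs")
        argv += ["--stores", stores]
        if add_certs:
            argv += ["--add-certs", add_certs]
        if remove_certs:
            argv += ["--remove-certs", remove_certs]
        if outpath:  # where the generated audit report is written (default: current directory)
            argv += ["--outpath", outpath]
    else:
        raise ValueError("nothing to reconcile")
    # Root-store selection thresholds; -1 (the default) means every store is considered.
    for flag, val in (("--min-certs", min_certs), ("--max-keys", max_keys),
                      ("--max-leaf-certs", max_leaf_certs)):
        if val != -1:
            argv += [flag, str(val)]
    if dry_run:
        argv.append("--dry-run")
    return argv


def two_phase(execute: bool = False, **kwargs) -> List[List[str]]:
    """Stage 1: same inputs with --dry-run; stage 2: the real run. Review stage 1 first."""
    plan = [reconcile_argv(dry_run=True, **kwargs), reconcile_argv(dry_run=False, **kwargs)]
    for argv in plan:
        print(shlex.join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return plan
```

Call `two_phase(stores="stores.csv", add_certs="add.csv")` to print both command lines; pass `execute=True` only after the dry-run output has been reviewed.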

### Options inherited from parent commands

```
      --api-path string                API Path to use for authenticating to Keyfactor Command. (default is KeyfactorAPI) (default "KeyfactorAPI")
      --auth-provider-profile string   The profile to use defined in the securely stored config. If not specified the config named 'default' will be used if it exists. (default "default")
      --auth-provider-type string      Provider type choices: (azid)
      --config string                  Full path to config file in JSON format. (default is $HOME/.keyfactor/command_config.json)
      --debug                          Enable debugFlag logging.
      --domain string                  Domain to use for authenticating to Keyfactor Command.
      --exp                            Enable expEnabled features. (USE AT YOUR OWN RISK, these features are not supported and may change or be removed at any time.)
      --format text                    How to format the CLI output. Currently only text is supported. (default "text")
      --hostname string                Hostname to use for authenticating to Keyfactor Command.
      --log-insecure                   Log insecure API requests. (USE AT YOUR OWN RISK, this WILL log sensitive information to the console.)
      --no-prompt                      Do not prompt for any user input and assume defaults or environmental variables are set.
      --password string                Password to use for authenticating to Keyfactor Command. WARNING: Remember to delete your console history if providing kfcPassword here in plain text.
      --profile string                 Use a specific profile from your config file. If not specified the config named 'default' will be used if it exists.
      --username string                Username to use for authenticating to Keyfactor Command.
```

### SEE ALSO

###### Auto generated by spf13/cobra on 27-Feb-2024