pki-healthcheck - Man Page

Command-Line Interface to check health of a PKI installation


pki-healthcheck [CLI-options]


A PKI installation can be complex, so identifying real or potential issues can be difficult and require a lot of analysis. This tool aims to reduce the burden by attempting to identify issues in advance so that they can be corrected, ideally before the issue becomes critical.


The areas of the system to check are logically grouped together. This grouping is called a source. A source consists of one or more checks.

A check is as atomic as possible to limit the scope and complexity.

Each check returns one result: WARNING, ERROR, CRITICAL or SUCCESS. SUCCESS means that the check was run and the item checked was deemed correct.

Upon failure, the output includes the name of the source and the name of the check that detected the failure, along with a message and name/value pairs indicating the problem. If a check can't make a final determination, it reports WARNING so that it can be examined.



   Display a list of the available sources and the checks associated with those sources.

Optional Arguments

   Execute one or more checks within this given source.

   Execute this particular check within a source. A source must be supplied as well with this option.

   Set the output type. Defaults to JSON.

   Exclude SUCCESS results on output.

   Only report errors in the requested severity of SUCCESS, WARNING, ERROR or CRITICAL. This can be provided multiple times to search on multiple levels.

   Generate additional debugging output.

JSON Output

The output is displayed as a list of result messages for each check executed in JSON format. This could be input for a monitoring system.

   Write the output to this filename rather than stdout.

   Pretty-print the JSON with this indentation level. This can make the output more human-readable.

Human-Readable Output

The results are displayed in a more human-readable format.

   Take as input a JSON results output and convert it to a more human-readable form.

Exit Status

0 if all checks were successful

1 if any one check failed or the command failed to execute properly




Checks Included

Certificate sync between CS.cfg and NSS database
   Checks whether the system certificates in CS.cfg and NSS database are the same

System certificate expiry
   Checks the expiry status of the installed system certificates

System certificate trust flags
   Checks whether the installed system certificates carry the correct Trust flags

Subsystem connectivity check
   Checks whether a subsystem is running and able to respond to requests


Execute healthcheck with the default JSON output:

Execute healthcheck with a prettier JSON output:
pki-healthcheck --indent 2

Execute healthcheck and only display errors:
pki-healthcheck --failures-only

Execute healthcheck and display results in human-readable format:
pki-healthcheck --output-format human

Execute healthcheck and write results to a file:
pki-healthcheck --output-file /var/log/pki/healthcheck/results.json

Display the previous report in a human-readable format:
pki-healthcheck --output-format human --input-file /var/log/pki/healthcheck/results.json
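
The JSON results can feed a monitoring system, as noted under JSON Output. The following added example (not part of pki-healthcheck or this man page) reduces a results file to a monitoring status and alert lines; the field names `source`, `check`, `result` and `kw`, the Nagios-style exit codes and the sample data are assumptions.

```python
import json

# Severity names from the man page; the numeric ranks are this example's own.
RANK = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}
# Nagios-style plugin exit codes (assumed convention, not pki-healthcheck's own).
EXIT = {0: 0, 1: 1, 2: 2, 3: 2}
UNKNOWN = 3

def summarize(report_text, failures_only=False):
    """Return (exit_code, alert_lines) for one healthcheck JSON report."""
    try:
        results = json.loads(report_text)
    except ValueError:
        return UNKNOWN, ["report is not valid JSON"]
    if not isinstance(results, list):
        return UNKNOWN, ["report is not a list of results"]
    # An empty list is only healthy if SUCCESS results were filtered out.
    if not results and not failures_only:
        return UNKNOWN, ["no checks were executed"]
    worst, alerts = 0, []
    for r in results:
        level = r.get("result") if isinstance(r, dict) else None
        if level not in RANK:
            return UNKNOWN, [f"unrecognized result entry: {r!r}"]
        if level == "SUCCESS":
            continue
        worst = max(worst, RANK[level])
        kw = r.get("kw") if isinstance(r.get("kw"), dict) else {}
        detail = ", ".join(f"{k}={v}" for k, v in sorted(kw.items()))
        alerts.append(f"{level} {r.get('source')}.{r.get('check')}: {detail}")
    return EXIT[worst], alerts

# Constructed sample report; source/check names and kw contents are hypothetical.
SAMPLE = json.dumps([
    {"source": "example.source.certs", "check": "ExampleExpiryCheck",
     "result": "SUCCESS", "kw": {}},
    {"source": "example.source.certs", "check": "ExampleTrustFlagCheck",
     "result": "ERROR", "kw": {"cert_id": "sslserver", "msg": "trust flags differ"}},
    {"source": "example.source.connectivity", "check": "ExampleConnectivityCheck",
     "result": "WARNING", "kw": {"msg": "status could not be determined"}},
])

if __name__ == "__main__":
    code, lines = summarize(SAMPLE)
    print("\n".join(lines) or "all checks passed")
    raise SystemExit(code)
```

Pass `failures_only=True` when the report was produced with `--failures-only`, since an empty list then means every check succeeded rather than that nothing ran.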


Dinesh Prasanth M K


January 16, 2020 pki-healthcheck CLI