Associating Existing User Accounts with PKI Groups
Existing users can be added to a PKI group using the usermod command. As with useradd, usermod updates all of the related user account files, including /etc/passwd, /etc/shadow, and /etc/group.
# usermod -a -G pkiadmin bjensen


The users added to the admin and audit groups are regular user accounts, not a system account like pkiuser.
Add the user accounts to the appropriate PKI management group, and only to that one group. A user is either an administrator or an auditor; the same user cannot be in both groups.
  • PKI auditors only need to be added to the pkiaudit group.
  • PKI administrators need to be added to the pkiadmin group and any group used by a hardware token used by the subsystem, such as nfast for an nCipher hardware token.
The pkiuser user should be added to both the pkiadmin and pkiaudit groups:
# usermod -a -G pkiadmin pkiuser

# usermod -a -G pkiaudit pkiuser
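
The separation rule above can be checked after the accounts are assigned. The script below is an added example, not part of the original documentation: it reads a file in /etc/group format and reports regular accounts that are in both pkiadmin and pkiaudit, and a pkiuser account missing from either group. The function names and the sample accounts other than bjensen and pkiuser are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample in /etc/group format (name:passwd:gid:members).
sample_groups() {
    cat <<'EOF'
pkiadmin:x:1001:pkiuser,bjensen,jsmith
pkiaudit:x:1002:pkiuser,jsmith
nfast:x:1003:bjensen
EOF
}

# Print the comma-separated supplementary members of group $1 in file $2.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Succeed if user $1 is in the comma-separated list $2.
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# Print one line per finding; return 1 if there is any finding.
pki_group_audit() {
    file="${1:-/etc/group}"
    admins=$(group_members pkiadmin "$file")
    auditors=$(group_members pkiaudit "$file")
    rc=0
    # Regular accounts may be administrator or auditor, never both.
    for u in $(printf '%s' "$admins" | tr ',' ' '); do
        [ "$u" = pkiuser ] && continue
        if in_list "$u" "$auditors"; then
            echo "VIOLATION: $u is in both pkiadmin and pkiaudit"
            rc=1
        fi
    done
    # The pkiuser system account is the one exception: it belongs to both.
    in_list pkiuser "$admins" || { echo "MISSING: pkiuser is not in pkiadmin"; rc=1; }
    in_list pkiuser "$auditors" || { echo "MISSING: pkiuser is not in pkiaudit"; rc=1; }
    return "$rc"
}

# Demo on the constructed sample; on a real host: pki_group_audit /etc/group
demo=$(mktemp) && sample_groups > "$demo"
pki_group_audit "$demo" || true
rm -f "$demo"
```

The check reads only the member field of the group file, which is where usermod -a -G records supplementary membership; an account whose primary group is pkiadmin or pkiaudit would not appear there.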