-
Notifications
You must be signed in to change notification settings - Fork 138
Issuing User Certificate with CMC Shared Token
This page describes the process to issue a user certificate using CMC shared token authentication.
It assumes that:
-
The CA admin has created an issuance protection certificate.
-
The CA admin has configured CMC shared token authentication.
-
The CA admin has generated a CMC shared token for the user.
To generate a key pair in the user’s NSS database:
$ pki nss-key-create --output-format json | tee output $ KEY_ID=$(jq -r '.keyId' output)
Create a certificate request with the key pair and an SKI extension (e.g. /usr/share/pki/tools/certs/testuser.conf):
$ pki \ nss-cert-request \ --key-id $KEY_ID \ --subject "uid=testuser" \ --ext testuser.conf \ --csr testuser.csr
To create a CMC request prepare a CMCRequest
configuration file (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg) and store the key ID in the request.privKeyId
property:
$ cp \ /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \ testuser-cmc-request.cfg $ sed -i \ -e "s/^\(request.privKeyId\)=.*/\1=$KEY_ID/" \ testuser-cmc-request.cfg
Then execute the following command:
$ CMCRequest testuser-cmc-request.cfg
To submit the CMC request prepare an HttpClient
configuration file (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-submit.cfg), then execute the following command:
$ HttpClient testuser-cmc-submit.cfg
To process the CMC response:
$ CMCResponse \ -d /root/.dogtag/nssdb \ -i testuser.cmc-response \ -o testuser.p7b
To import the certificate chain into the user’s NSS database:
$ pki pkcs7-import --pkcs7 testuser.p7b testuser
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |