
Issuing User Certificate with CMC Shared Token

Endi S. Dewata edited this page Jun 6, 2023 · 14 revisions

Overview

This page describes the process to issue a user certificate using CMC shared token authentication.

It assumes that:

  • The CA admin has created an issuance protection certificate.

  • The CA admin has configured CMC shared token authentication.

  • The CA admin has generated a CMC shared token for the user.

Generating Key Pair

To generate a key pair in the user’s NSS database and capture its key ID for the following steps:

$ pki nss-key-create --output-format json | tee output   # JSON record of the new key, saved to ./output
$ KEY_ID=$(jq -r '.keyId' output)                        # key ID referenced by the CSR and CMC request

Creating Certificate Request

Create a certificate request for the key pair, adding a Subject Key Identifier (SKI) extension through an extension configuration file (the sample /usr/share/pki/tools/certs/testuser.conf can be copied into the working directory as testuser.conf):

$ pki \
    nss-cert-request \
    --key-id $KEY_ID \
    --subject "uid=testuser" \
    --ext testuser.conf \
    --csr testuser.csr

Creating CMC Request

To create a CMC request, prepare a CMCRequest configuration file (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg) and store the key ID in its request.privKeyId property. For shared token authentication this file also carries the user’s shared token, so keep it readable only by the user and remove it once the certificate has been issued:

$ cp \
    /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \
    testuser-cmc-request.cfg

$ sed -i \
    -e "s/^\(request.privKeyId\)=.*/\1=$KEY_ID/" \
    testuser-cmc-request.cfg

Then generate the CMC request:

$ CMCRequest testuser-cmc-request.cfg
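The cp/sed step above silently produces a request with an empty request.privKeyId when jq finds no keyId, and it leaves the shared token in a world-readable copy of the sample file. The following functions are an added example (not code from the Dogtag wiki or the pki-tools package) that fill in the key ID with those two failure modes handled and then check the properties shared token authentication depends on. The property names identification.enable, identification, witness.sharedSecret and request.privKeyId follow the sample testuser-cmc-request.cfg shipped with pki-tools and are assumptions here; the sample configuration written by write_sample_config is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Dogtag wiki or pki-tools: prepare and check a
# CMCRequest configuration for shared-token authentication.
# Property names are assumptions taken from the sample testuser-cmc-request.cfg.

# Constructed stand-in for /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg
write_sample_config() {
    cat > "$1" <<'EOF'
dbdir=/root/.dogtag/nssdb
password=Secret.123
format=pkcs10
input=testuser.csr
output=testuser.cmc-request
identification.enable=true
identification=testuser
witness.sharedSecret=Secret.123
request.privKeyId=
EOF
}

# Print the value of property $2 from config file $1 (empty if absent).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Write config $1 to $2 with request.privKeyId set to $3.
# Refuses an empty key ID: jq -r prints "null" or nothing when .keyId is
# missing, and a plain sed would then leave the property blank.
# The output is created 0600 because it carries the shared token in clear.
prepare_cmc_config() {
    src="$1"; dst="$2"; key_id="$3"
    case "$key_id" in
        ""|null)
            echo "prepare_cmc_config: empty key ID (check the nss-key-create output)" >&2
            return 1 ;;
        */*|*\&*|*[[:space:]]*)
            echo "prepare_cmc_config: unexpected characters in key ID: $key_id" >&2
            return 1 ;;
    esac
    ( umask 077 && sed -e "s/^\(request\.privKeyId\)=.*/\1=$key_id/" "$src" > "$dst" ) || return 1
    # Confirm the substitution actually landed.
    [ "$(cfg_get "$dst" request.privKeyId)" = "$key_id" ]
}

# Check the properties that shared-token authentication depends on.
check_cmc_config() {
    cfg="$1"
    [ "$(cfg_get "$cfg" identification.enable)" = "true" ] ||
        { echo "check_cmc_config: identification.enable must be true" >&2; return 1; }
    [ -n "$(cfg_get "$cfg" identification)" ] ||
        { echo "check_cmc_config: identification (user ID) is missing" >&2; return 1; }
    [ -n "$(cfg_get "$cfg" witness.sharedSecret)" ] ||
        { echo "check_cmc_config: witness.sharedSecret (the shared token) is missing" >&2; return 1; }
    [ -n "$(cfg_get "$cfg" request.privKeyId)" ] ||
        { echo "check_cmc_config: request.privKeyId is not set" >&2; return 1; }
}

# Usage in place of the cp/sed step of the procedure:
#   prepare_cmc_config /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \
#       testuser-cmc-request.cfg "$KEY_ID" &&
#   check_cmc_config testuser-cmc-request.cfg &&
#   CMCRequest testuser-cmc-request.cfg
```

The key ID check rejects only characters that would break the sed substitution (slash, ampersand, whitespace) rather than enforcing a specific key ID format, since the format printed by pki nss-key-create is not given on this page.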

Submitting CMC Request

To submit the CMC request, prepare an HttpClient configuration file pointing at the CA (e.g. /usr/share/pki/tools/examples/cmc/testuser-cmc-submit.cfg), then execute the following command:

$ HttpClient testuser-cmc-submit.cfg

Processing CMC Response

To process the CMC response and extract the issued certificate chain into a PKCS #7 file:

$ CMCResponse \
    -d /root/.dogtag/nssdb \
    -i testuser.cmc-response \
    -o testuser.p7b

Importing User Certificate

To import the certificate chain into the user’s NSS database under the nickname testuser:

$ pki pkcs7-import --pkcs7 testuser.p7b testuser