Skip to content

Issuing User Certificate with CMC Shared Token

Jump to bottom
Endi S. Dewata edited this page Jul 19, 2022 · 14 revisions

Overview

This page describes the process to issue a user certificate using CMC shared token authentication.

It assumes that:

  • Issuance protection certificate has been created.

  • CMC shared token authentication has been configured.

  • A shared token has been generated for a user.

Generating Certificate Request

$ pki nss-key-create --output-format json | tee output
$ KEY_ID=$(jq -r '.keyId' output)

$ pki \
    nss-cert-request \
    --key-id $KEY_ID \
    --subject "uid=testuser" \
    --ext /usr/share/pki/tools/certs/testuser.conf \
    --csr testuser.csr

Creating CMC Request

$ cp \
    /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \
    testuser-cmc-request.cfg

$ sed -i \
    -e "s/^\(request.privKeyId\)=.*/\1=$KEY_ID/" \
    testuser-cmc-request.cfg

$ CMCRequest testuser-cmc-request.cfg

Issuing User Certificate

$ HttpClient /usr/share/pki/tools/examples/cmc/testuser-cmc-submit.cfg

$ CMCResponse \
    -d /root/.dogtag/nssdb \
    -i testuser.cmc-response \
    -o testuser.p7b

Importing User Certificate

$ pki pkcs7-import --pkcs7 testuser.p7b testuser
Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
Clone this wiki locally