Issuing User Certificate with CMC Shared Token

Endi S. Dewata edited this page Jul 19, 2022 · 14 revisions

Overview

This page describes how to issue a user certificate using CMC shared token authentication.

It assumes that:

  • An issuance protection certificate has been created.

  • CMC shared token authentication has been configured.

  • A shared token has been generated for a user.

Generating Certificate Request

$ pki nss-key-create --output-format json | tee output
$ KEY_ID=$(jq -r '.keyId' output)

$ pki \
    nss-cert-request \
    --key-id "$KEY_ID" \
    --subject "uid=testuser" \
    --ext /usr/share/pki/tools/certs/testuser.conf \
    --csr testuser.csr

Creating CMC Request

$ cp \
    /usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \
    testuser-cmc-request.cfg

$ sed -i \
    -e "s/\(request.privKeyId\)=.*/\1=$KEY_ID/" \
    testuser-cmc-request.cfg

$ CMCRequest \
     testuser-cmc-request.cfg

Issuing User Certificate

$ HttpClient \
     /usr/share/pki/tools/examples/cmc/testuser-cmc-submit.cfg

$ CMCResponse \
    -d /root/.dogtag/nssdb \
    -i testuser.cmc-response \
    -o testuser.p7b

Importing User Certificate Chain

$ pki \
    pkcs7-import \
    --pkcs7 testuser.p7b \
    testuser
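
A check to run before the pkcs7-import step above, as an added example that is not part of the Dogtag documentation: it uses openssl to confirm that one certificate in testuser.p7b carries the same public key as testuser.csr. The function names are hypothetical, and the PKCS #7 file is assumed to be PEM (DER is tried as a fallback).

```shell
#!/bin/sh
# Added example, not from the Dogtag wiki. Function names are hypothetical.
# Only standard openssl subcommands are used: req, pkcs7, x509.

# Reduce PEM public keys on stdin to one line each (base64 body, no newlines).
spki_lines() {
    awk '/-----BEGIN PUBLIC KEY-----/ { body = ""; inkey = 1; next }
         /-----END PUBLIC KEY-----/   { print body; inkey = 0; next }
         inkey                        { body = body $0 }'
}

# Public key requested in the CSR.
csr_spki() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_lines
}

# Public key of every certificate in the PKCS #7 file.
# Assumption: the file is PEM; DER is tried as a fallback.
p7b_spkis() {
    { openssl pkcs7 -in "$1" -print_certs 2>/dev/null ||
      openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null; } |
    awk '/-----BEGIN CERTIFICATE-----/ { cert = ""; incert = 1 }
         incert                        { cert = cert $0 "\n" }
         /-----END CERTIFICATE-----/   { cmd = "openssl x509 -noout -pubkey"
                                         printf "%s", cert | cmd
                                         close(cmd); incert = 0 }' |
    spki_lines
}

# Exit 0 if the CSR key appears in the chain, 1 if not, 2 if CSR unreadable.
chain_has_csr_key() {
    want=$(csr_spki "$1")
    [ -n "$want" ] || return 2
    p7b_spkis "$2" | grep -qxF -- "$want"
}

# Usage with the files from this page:
#   chain_has_csr_key testuser.csr testuser.p7b && \
#       pki pkcs7-import --pkcs7 testuser.p7b testuser
```

A non-zero exit means the response does not contain a certificate for the key generated in the first step, so the chain should not be imported.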