-
Notifications
You must be signed in to change notification settings - Fork 139
Creating Issuance Protection Certificate
This page describes the process to create an issuance protection certificate for CMC shared token authentication.
First, generate a certificate request in the CA’s NSS database:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ nss-cert-request \ --subject "CN=CA Issuance Protection" \ --csr ca_issuance_protection.csr
To create a CMC request prepare a CMCRequest
configuration file. A sample configuration file is available at /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-request.cfg.
Then execute the following command:
$ CMCRequest ca_issuance_protection-cmc-request.cfg
To submit the CMC request prepare an HttpClient
configuration file. A sample configuration file is available at /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-submit.cfg.
$ HttpClient ca_issuance_protection-cmc-submit.cfg
To convert the CMC response into PKCS #7 cert chain:
$ CMCResponse \ -d /var/lib/pki/pki-tomcat/conf/alias \ -i ca_issuance_protection.cmc-response \ -o ca_issuance_protection.p7b
The issuance protection certificate chain will be stored in ca_issuance_protection.p7b
.
To import the certificate into the CA’s NSS database:
$ pki \ -d /var/lib/pki/pki-tomcat/conf/alias \ -f /var/lib/pki/pki-tomcat/conf/password.conf \ pkcs7-import \ --pkcs7 ca_issuance_protection.p7b \ ca_issuance_protection
To configure the certificate nickname:
$ pki-server ca-config-set ca.cert.issuance_protection.nickname ca_issuance_protection
$ pki-server ca-undeploy --wait $ pki-server ca-deploy --wait
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |