-
Notifications
You must be signed in to change notification settings - Fork 139
Issuing KRA Transport Certificate with CMC
Endi S. Dewata edited this page Jan 24, 2022
·
5 revisions
This document describes the process for a CA agent to issue a KRA transport certificate with CMC in PKI 10.5 or later.
This process assumes that the CA agent has performed PKI CLI Initialization.
To create a CMC request prepare the following configuration file (e.g. kra_transport-cmc-request.cfg):
# NSS database directory where CA agent certificate is stored. dbdir=$HOME/.dogtag/nssdb # NSS database password. password=Secret.123 # Token name (default is internal). tokenname=internal # Nickname for CA agent certificate. nickname=caadmin # Request format: pkcs10 or crmf. format=pkcs10 # Total number of PKCS10/CRMF requests. numRequests=1 # Path to the PKCS10/CRMF request. # The content must be in Base-64 encoded format. # Multiple files are supported. They must be separated by space. input=kra_transport.csr # Path for the CMC request. output=kra_transport-cmc-request.bin
Then execute the following command:
$ CMCRequest kra_transport-cmc-request.cfg
To submit a CMC request prepare the following configuration file (e.g. kra_transport-cmc-submit.cfg):
# PKI server host name. host=pki.example.com # PKI server port number. port=8443 # Use secure connection. # For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'. secure=true # Use client authentication. clientmode=true # NSS database directory where CA agent certificate is stored. dbdir=$HOME/.dogtag/nssdb # NSS database password. password=Secret.123 # Token name (default: internal). tokenname=internal # Nickname of CA agent certificate. nickname=caadmin # CMC servlet path servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCkraTransportCert # Path for the CMC request. input=kra_transport-cmc-request.bin # Path for the CMC response. output=kra_transport-cmc-response.bin
Then execute the following command:
$ HttpClient kra_transport-cmc-submit.cfg
To convert CMC response into PKCS #7 cert chain:
$ CMCResponse -i kra_transport-cmc-response.bin -o kra_transport.crt
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |