Skip to content

Issuing KRA Transport Certificate with CMC

Endi S. Dewata edited this page Jan 24, 2022 · 5 revisions

Overview

This document describes the process for a CA agent to issue a KRA transport certificate with CMC in PKI 10.5 or later.

This process assumes that the CA agent has performed PKI CLI Initialization.

Creating CMC Request

To create a CMC request prepare the following configuration file (e.g. kra_transport-cmc-request.cfg):

# NSS database directory where CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default is internal).
tokenname=internal

# Nickname for CA agent certificate.
nickname=caadmin

# Request format: pkcs10 or crmf.
format=pkcs10

# Total number of PKCS10/CRMF requests.
numRequests=1

# Path to the PKCS10/CRMF request.
# The content must be in Base-64 encoded format.
# Multiple files are supported. They must be separated by space.
input=kra_transport.csr

# Path for the CMC request.
output=kra_transport-cmc-request.bin

Then execute the following command:

$ CMCRequest kra_transport-cmc-request.cfg

Submitting CMC Request

To submit a CMC request prepare the following configuration file (e.g. kra_transport-cmc-submit.cfg):

# PKI server host name.
host=pki.example.com

# PKI server port number.
port=8443

# Use secure connection.
# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
secure=true

# Use client authentication.
clientmode=true

# NSS database directory where CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default: internal).
tokenname=internal

# Nickname of CA agent certificate.
nickname=caadmin

# CMC servlet path
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCkraTransportCert

# Path for the CMC request.
input=kra_transport-cmc-request.bin

# Path for the CMC response.
output=kra_transport-cmc-response.bin

Then execute the following command:

$ HttpClient kra_transport-cmc-submit.cfg

Processing CMC Response

To convert CMC response into PKCS #7 cert chain:

$ CMCResponse -i kra_transport-cmc-response.bin -o kra_transport.crt

See Also

Clone this wiki locally