CMC Certificate Issuance User Workflow

Endi S. Dewata edited this page Jan 30, 2021 · 2 revisions

Certificate Issuance User Workflow

This section gives users a high-level walkthrough of the certificate issuance process. It is recommended that you read this section before looking at the Examples sections below.

Getting a certificate issued using CMC involves the following steps:

  1. Generating a PKCS#10 or CRMF certificate signing request (CSR) - This can be done using any available tool, such as PKCS10Client or CRMFPopClient (both provided by the pki-tools package) or openssl.

    • Note that if key archival is desired and the KRA is set up for it, use CRMFPopClient with the KRA's transport certificate, in PEM format, set in the kra.transport file.

  2. Transforming the CSR from step 1 into a CMC request - This involves running CMCRequest (provided by the pki-tools package) over the CSR generated in step 1 to generate a CMC request. Note that CMCRequest takes a configuration file in which input should point to the CSR and format should be either pkcs10 or crmf. There are many options to fine-tune the resulting CMC request. Run man CMCRequest at the command line to see the instructions, then look at the examples in the following sections.

  3. Sending the resulting CMC request from step 2 to the CA - This involves running HttpClient over the CMC request generated in step 2 and sending it to the issuing CA. Note that HttpClient takes a configuration file in which input should point to the CMC request generated in step 2. The result of HttpClient will be in the file pointed to by the output parameter. Run HttpClient at the command line to see the instructions, then look at the examples in the following sections. The result of running HttpClient, if successful, should be a PKCS #7 chain with CMCStatus controls.

  4. Checking the issuance result (optional, but recommended) - This involves running CMCResponse over the output from step 3 to interpret the CMCStatus and, if successful, present the certificate chain in human-readable form to the user.

  5. Importing the new certificate - There are many ways to do so. For a user certificate, you could use tools such as certutil to import the output PKCS #7 chain from step 3; for servers, you might be running an installation tool such as pkispawn from Dogtag. Follow the instructions of whichever application you are running to import the certificate. Keep in mind that the certificate chain is in PKCS #7 data format. Some applications might expect Base64 encoding, in which case you would transform the chain by running BtoA; some applications might also expect the header and footer of the PEM format, in which case you need to add those as well.
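
Step 5 leaves the Base64 and PEM conversion to the user. The following Python helper is an added example, not part of the pki-tools package or the original page: it accepts the chain as binary DER, bare Base64, or PEM, checks that the outer structure is a complete PKCS #7 signedData before anything is imported, and emits PEM. The function names and SAMPLE_DER are assumptions made for illustration; only the outer encoding is checked, not the signatures or the CMCStatus.

```python
import base64
import binascii
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN PKCS7-----(.*?)-----END PKCS7-----", re.S)
# Constructed stand-in for an HttpClient output file: correct outer framing, zeroed body
SAMPLE_DER = b"\x30\x81\xd6" + SIGNED_DATA_OID + b"\xa0\x81\xc8" + bytes(200)


def der_header(data):
    """Return (header_len, content_len) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def to_der(blob):
    """Accept binary DER, bare Base64, or PEM and return validated DER."""
    m = PEM_RE.search(blob)
    if m:
        blob = m.group(1)
    if blob[:1] != b"\x30":               # not binary DER: treat as Base64 text
        try:
            blob = base64.b64decode(b"".join(blob.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("neither DER nor Base64") from exc
    hdr, length = der_header(blob)
    if len(blob) != hdr + length:
        raise ValueError("truncated or trailing data")
    if not blob[hdr:].startswith(SIGNED_DATA_OID):
        raise ValueError("not PKCS #7 signedData")
    return blob


def to_pem(blob):
    """Return the chain as PEM: Base64 in 64-column lines plus header and footer."""
    b64 = base64.b64encode(to_der(blob)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"
```

A ValueError from to_der on the HttpClient output usually means the file is an error page or a truncated response, which is worth catching before handing it to certutil or another import tool.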

Note: when POP is missing (as in the case of encryption-only keys), you need to follow the EncryptedPOP DecryptedPOP example below to complete the enrollment. In that case, HttpClient receives an EncryptedPOP CMCStatus (you would see that by running CMCResponse in step 4), and you need to run CMCRequest again with a different set of parameters in its config. Please see the example below for details.