Creating Issuance Protection Certificate
Endi S. Dewata edited this page Jul 18, 2022 · 12 revisions
This page describes the process to create an issuance protection certificate for CMC Shared Token authentication in the CA.
First, generate a certificate request in the CA’s NSS database:
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-request \
    --subject "CN=Issuance Protection" \
    --csr issuance_protection.csr
Then generate a CMC request with the above certificate request:
$ CMCRequest \
    /usr/share/pki/server/examples/cmc/issuance_protection-cmc-request.cfg
Submit the CMC request to the server:
$ HttpClient \
    /usr/share/pki/server/examples/cmc/issuance_protection-cmc-submit.cfg
Process the response with the following command:
$ CMCResponse \
    -d /etc/pki/pki-tomcat/alias \
    -i issuance_protection.cmc-response \
    -o issuance_protection.p7b
The issuance protection certificate chain will be stored in issuance_protection.p7b.
To import the certificate into the CA’s NSS database:
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    pkcs7-import \
    --pkcs7 issuance_protection.p7b \
    issuance_protection
To register the certificate as a system certificate:
$ pki-server ca-config-set ca.cert.issuance_protection.nickname issuance_protection
$ pki-server restart --wait
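A post-setup check for the steps above, as an added example that is not part of the PKI project: it confirms that the nickname registered in the CA configuration matches a certificate actually present in the NSS database. It assumes the CA configuration is a flat key=value file (CS.cfg) whose path the caller passes as the first argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not PKI project code. Function names are hypothetical.
KEY="ca.cert.issuance_protection.nickname"   # parameter set on this page
NICK="issuance_protection"                   # nickname used on this page
NSSDB="/etc/pki/pki-tomcat/alias"            # NSS database used on this page

# Print the value of a key from a key=value file (assumed CS.cfg layout).
# Comment lines are skipped; if the key is repeated, the last one wins.
cfg_get() {
    # $1 = config file, $2 = key
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          if (substr($0, 1, i - 1) == k) { v = substr($0, i + 1); found = 1 } }
        END { if (!found) exit 1; print v }' "$1"
}

# Return 0 if KEY equals the expected nickname, 1 if KEY is missing,
# 2 if KEY is set to a different nickname.
check_nickname() {
    # $1 = config file, $2 = expected nickname
    val=$(cfg_get "$1" "$KEY") || return 1
    [ "$val" = "$2" ] || return 2
    return 0
}

# Return 0 if a certificate with the given nickname is in the NSS database.
check_nss() {
    # $1 = NSS database directory, $2 = nickname
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Live use: sh check.sh <path to the CA's CS.cfg>
if [ "$#" -ge 1 ]; then
    if check_nickname "$1" "$NICK"; then echo "config: $KEY=$NICK"
    else echo "config: $KEY missing or not $NICK" >&2; fi
    if check_nss "$NSSDB" "$NICK"; then echo "nssdb: certificate $NICK present"
    else echo "nssdb: no certificate with nickname $NICK" >&2; fi
fi
```

A mismatch between the two checks means the CA is configured with a nickname it cannot resolve in its database, which is worth catching before relying on Shared Token authentication.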