Skip to content

Creating Issuance Protection Certificate

Endi S. Dewata edited this page Mar 27, 2024 · 12 revisions

Overview

This page describes the process to create an issuance protection certificate for CMC shared token authentication.

Generating Certificate Request

First, generate a certificate request in the CA’s NSS database:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-cert-request \
    --subject "CN=CA Issuance Protection" \
    --csr ca_issuance_protection.csr

Creating CMC Request

To create a CMC request prepare a CMCRequest configuration file. A sample configuration file is available at /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-request.cfg.

Then execute the following command:

$ CMCRequest ca_issuance_protection-cmc-request.cfg

Submitting CMC Request

To submit the CMC request prepare an HttpClient configuration file. A sample configuration file is available at /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-submit.cfg.

$ HttpClient ca_issuance_protection-cmc-submit.cfg

Processing CMC Response

To convert the CMC response into PKCS #7 cert chain:

$ CMCResponse \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -i ca_issuance_protection.cmc-response \
    -o ca_issuance_protection.p7b

The issuance protection certificate chain will be stored in ca_issuance_protection.p7b.

Importing Issuance Protection Certificate

To import the certificate into the CA’s NSS database:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    pkcs7-import \
    --pkcs7 ca_issuance_protection.p7b \
    ca_issuance_protection

Configuring Issuance Protection

To configure the certificate nickname:

$ pki-server ca-config-set ca.cert.issuance_protection.nickname ca_issuance_protection

Restarting CA Subsystem

$ pki-server ca-undeploy --wait
$ pki-server ca-deploy --wait

See Also

Clone this wiki locally