Generating Certificate Request
This page describes the process of generating a certificate request (CSR).
Note that the PKI Client CLI provides a simplified mechanism to generate and submit a CSR for client certificates. See Certificate Profiles.
If key archival is not needed, generate a PKCS #10 request. This can be done with PKCS10Client, certutil, or OpenSSL, as shown below.
```
$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr \
    -n "uid=testuser,ou=people,dc=example,dc=com"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: CertificationRequest created.
PKCS10Client: calling Utils.b64encode.
PKCS10Client: b64encode completes.
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
hA==
-----END NEW CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: testuser.csr
```
The CSR is stored in testuser.csr.
For certutil, first prepare a noise file (randomness for key generation) and a password file for the NSS database:

```
$ openssl rand -out noise.bin 2048
$ echo Secret.123 > password.txt
```
To generate the request with certutil (-a produces ASCII output; with -o the CSR is written to the given file, without it the CSR is printed on the screen):

```
$ certutil -R \
    -d ~/.dogtag/nssdb \
    -f password.txt \
    -s "uid=testuser,ou=people,dc=example,dc=com" \
    -g 2048 \
    -z noise.bin \
    -o testuser.csr \
    -a
Generating key. This may take a few moments...
```
The CSR is stored in testuser.csr.
See also NSS Database.
Alternatively, generate the key and the request with OpenSSL (the private key is written unencrypted to testuser.key because of -nodes):

```
$ openssl req -newkey rsa:2048 -keyout testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/OU=people/DC=example/DC=com"
Generating a 2048 bit RSA private key
..+++
....................................................................................................+++
writing new private key to 'testuser.key'
-----
```
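Whichever tool produced the CSR, it is worth checking what the file actually encodes before submitting it: the subject that ended up in the request (compare it with the DN you passed on the command line), the key algorithm and size, the signature algorithm, and whether the requester's self-signature (the proof of possession) verifies, which is the same check the CA performs on receipt. The following script is an added example and is not part of this wiki page or of the Dogtag PKI tools; it uses only the Python standard library, and its sample input is the CSR printed by the PKCS10Client run above. The minimum key size and the list of deprecated hashes are the example's own policy assumptions; run against that CSR it flags the 1024-bit key and the MD5 signature.

```python
import base64
import hashlib

# Sample input: the CSR emitted by the PKCS10Client run shown on this page.
SAMPLE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
hA==
-----END NEW CERTIFICATE REQUEST-----"""

OIDS = {  # only the OIDs this check needs to name
    "0.9.2342.19200300.100.1.1": "uid", "0.9.2342.19200300.100.1.25": "dc",
    "2.5.4.3": "cn", "2.5.4.10": "o", "2.5.4.11": "ou",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# PKCS #1 v1.5 DigestInfo prefixes (RFC 8017, section 9.2 note) per signature algorithm
DIGEST_INFO = {
    "md5WithRSAEncryption": (hashlib.md5, bytes.fromhex("3020300c06082a864886f70d020505000410")),
    "sha1WithRSAEncryption": (hashlib.sha1, bytes.fromhex("3021300906052b0e03021a05000414")),
    "sha256WithRSAEncryption": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
}
WEAK_HASHES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # this example's own policy


def der_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, end offset of the whole TLV)."""
    tag, length, hdr = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[hdr:hdr + n], "big"), hdr + n
    return tag, buf[hdr:hdr + length], hdr + length


def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def check_csr(pem, min_bits=2048):
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, csr, _ = der_tlv(base64.b64decode(b64))              # CertificationRequest
    _, info, info_end = der_tlv(csr)                        # CertificationRequestInfo
    info_der = csr[:info_end]                               # exact bytes the requester signed
    _, sig_alg_seq, alg_end = der_tlv(csr, info_end)
    _, sig_bits, _ = der_tlv(csr, alg_end)
    _, name, spki = [c[1] for c in der_children(info)[:3]]  # version, subject, SubjectPublicKeyInfo

    # Subject: SEQUENCE OF SET OF SEQUENCE { OID, value }; the string form lists RDNs last-first
    rdns = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            rdns.append(f"{OIDS.get(decode_oid(oid), decode_oid(oid))}={val.decode()}")
    subject = ",".join(reversed(rdns))

    # Public key: AlgorithmIdentifier plus a BIT STRING holding RSAPublicKey { n, e }
    (_, alg_id), (_, pub) = der_children(spki)
    key_alg = OIDS.get(decode_oid(der_children(alg_id)[0][1]), "unknown")
    _, rsa_key, _ = der_tlv(pub, 1)                          # skip the unused-bits byte
    (_, n_raw), (_, e_raw) = der_children(rsa_key)
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

    # Proof of possession: RSA-verify the signature over CertificationRequestInfo
    sig_alg = OIDS.get(decode_oid(der_children(sig_alg_seq)[0][1]), "unknown")
    pop_ok = False
    if key_alg == "rsaEncryption" and sig_alg in DIGEST_INFO:
        hash_fn, prefix = DIGEST_INFO[sig_alg]
        k = (n.bit_length() + 7) // 8
        em = pow(int.from_bytes(sig_bits[1:], "big"), e, n).to_bytes(k, "big")
        t = prefix + hash_fn(info_der).digest()
        pop_ok = em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

    issues = []
    if n.bit_length() < min_bits:
        issues.append(f"RSA key is {n.bit_length()} bits, below the {min_bits}-bit minimum")
    if sig_alg in WEAK_HASHES:
        issues.append(f"request signed with deprecated hash ({sig_alg})")
    if not pop_ok:
        issues.append("proof-of-possession signature does not verify")
    return {"subject": subject, "key_algorithm": key_alg, "key_bits": n.bit_length(),
            "signature_algorithm": sig_alg, "pop_valid": pop_ok, "issues": issues}


if __name__ == "__main__":
    for field, value in check_csr(SAMPLE_CSR).items():
        print(f"{field}: {value}")
```

The parser is deliberately minimal (definite-length DER only, RSA keys only); for anything beyond a quick pre-flight check, `openssl req -noout -text -verify -in testuser.csr` gives the same information. The point of verifying the proof of possession yourself is that a CA must reject a request whose signature does not match the embedded public key, otherwise anyone could obtain a certificate for a key they do not hold.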
If key archival is needed, generate a CRMF request with CRMFPopClient. The private key is encrypted for the KRA using the KRA transport certificate, so that certificate must be obtained first.
To export KRA transport certificate from the server side:
```
$ pki-server cert-export kra_transport --cert-file kra_transport.crt
```
To export KRA transport certificate from the client side:
```
$ pki kra-cert-transport-export --output-file kra_transport.crt
```
Alternatively, first find the KRA transport certificate's serial number by its subject DN:

```
$ pki ca-cert-find --name "DRM Transport Certificate"
---------------
1 entries found
---------------
  Serial Number: 0x7
  Subject DN: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Thu Oct 22 18:26:11 CEST 2015
  Not Valid After: Wed Oct 11 18:26:11 CEST 2017
  Issued On: Thu Oct 22 18:26:11 CEST 2015
  Issued By: caadmin
----------------------------
Number of entries returned 1
----------------------------
```
Then save the certificate into a file:
```
$ pki ca-cert-show 0x7 --output kra_transport.crt
-----------------
Certificate "0x7"
-----------------
  Serial Number: 0x7
  Issuer: CN=CA Signing Certificate,O=EXAMPLE
  Subject: CN=DRM Transport Certificate,O=EXAMPLE
  Status: VALID
  Not Before: Thu Oct 22 18:26:11 CEST 2015
  Not After: Wed Oct 11 18:26:11 CEST 2017
```
Then generate the CRMF request, passing the transport certificate with -b:

```
$ CRMFPopClient \
    -d ~/.dogtag/nssdb \
    -p Secret.123 \
    -a rsa \
    -l 1024 \
    -b kra_transport.crt \
    -n "uid=testuser,o=example"
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIFRDCCBUAwggSmAgEBMIHDgAECpRwwGjEYMBYGCgmSJomT8ixkAQETCHRlc3R1
c2VypoGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp54GKKkFMW/Conp1ZawSh
sYHTeVsU1DOKKt30rmSIi/afdy7+V99E6DSIETv8STFVwNktW8pookFbVt004SZR
fNgXg2jIO2rf467nVf6I5mhjSF6ZLH8mucSuP7FQfH6r/pMz8sc2x6KB5EEbeFrV
AZZoDbY30iU5vsiYp2Y6bQIDAQABMIID2TCCA7MGCSsGAQUFBwUBBKCCA6QwggOg
oRQGCCqGSIb3DQMHBAgBAQEBAQEBAYKCAQEAnpRiOn5bkkRU7doSpuer70pqysSA
x+R70aFeMr2PyUxR9iw22FK4eTc+0T6AeNSIfX9BYZwoY12SU4n+ttQphXgZNhyu
tuiZKh36JdDgJcbBhe6BI53R0IT3/wpqMin1iWLEdNFzCBLLRn463sAGRVm9saCV
3CV1cfO1XTLXn9YcdC/EKqcEWqz98J3t6DNLupDVDuAoHBobDft3bk8eGWP9BnM8
Q+Vx6Dh8H9EorYmTVxBJkr9CVrHOdveb71R2a58IZQ9eCFB3hu6vk0EOvk0b9XHp
XgeVtziN6OSsr36unwub7d0MXva5cZy5t37f4uWJgb8uv9jT2ViJmr3wWAOCAoEA
GcapcqkrfWd5cEjeA2dj1hlGG1ZoORLhugSDJGeEWRM6LFmv0gkodI5Q+QQqqDEu
1dAV1sQDqOPfbudkq8E7a3vINuihwWKdGh9GE9VcDH3gk0Bu+atm4SoMrEM0Je04
RFZJSEFGFdj/1DJZHdVr0S3nD84trquSmnN5p947O33taKKdgfmlp93+Y0R9su6H
K72a+2kB037nUnItLnp6TATinJqt06Xds1Rs6reXWK6EdGqTUdzKCQ7vK+c8NCbh
q2mpJnkCxIHvClPPsUGKXMlrEsIkolGm8ycNH1xKkSMuzYYxzSmyU/zPGmNUnJ3o
GlZAXo21RQp4+xD9dR+VpOi4U8BkAOH7KfSO6ZH5ZpGL/XxhoKaZuwj7XlFv6ihM
FUW7iZkuZFx+v+iDQcPjnmVY/v/6o0GXC7D5HPv1NxpnrLuCLVy58f3E3Fu64XeX
JSq5Ch9m1/3g9e/xSZP5KHx7DBbgNzk9vfPjqpZ77uScIWMB+Dg1tooSe0anb5wm
/hIxv+6NI8ruj+47oAL+pqxHUg+pnQqW83shl/JIbIf5RbYvusDdn+3Gk3AqOgW+
rs9RYFeYb4aRcwdFF+vgV1gDAkIhKWlLy6uKMmQSXdXqIXXVvi0LJalgL4Erl2Py
LCNoKRNsDJbqxtEds2CXWmjf6qVRZADQNiu9lUDhY5XC38auosR1rZGTZ+QvMi9u
+BZlGnbwxEGdZ0e0Ug9zMnZUrO8JniI2d+zBo/PqzhFJjTa0pDWE7rMzHazriroh
ysP9JlL+CcAx7VPt6sEFsA7YVDXVrMLUBwUJzKqqT8c4QZPoyItxz0hWKuhfz5IC
Yr7eVvNNAdjmtqiE04N4vjAgBggrBgEFBQcHFwQU5mnJXy7/pJCuc+ZEzD+eHZZ3
nFChgZMwDQYJKoZIhvcNAQEEBQADgYEAiN661XjIYn4mDdQlYwaqXpNzt2ySWysk
57FO9jd/l3Ngh2N1Jzvx7T/5N9OEbpGYrfXnS+8Iy+xSRouL//A7r1Q2iT67PEO4
2a0YnoHMwF3tR3MEY2cmq97rdW+G7Tv1q/X++jjAZhhByieDm94WlXHVY6kjoXn+
JovTekCfljA=
-----END NEW CERTIFICATE REQUEST-----
```
To generate and submit the request using CRMFPopClient, see Submitting Certificate Request with Key Archival.