
Issuing CA Signing Certificate with CMC

Endi S. Dewata edited this page Jan 24, 2022 · 6 revisions

Overview

This document describes how a parent CA agent issues a subordinate CA certificate with CMC (Certificate Management over CMS) in PKI 10.5 or later.

This process assumes that the parent CA agent has performed PKI CLI Initialization.

Creating CMC Request

To create a CMC request, prepare the following configuration file (e.g. ca_signing-cmc-request.cfg):

# NSS database directory where the CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default is internal).
tokenname=internal

# Nickname for agent certificate.
nickname=caadmin

# Request format: pkcs10 or crmf.
format=pkcs10

# Total number of PKCS10/CRMF requests.
numRequests=1

# Path to the PKCS10/CRMF request.
# The content must be in Base-64 encoded format.
# Multiple files are supported. They must be separated by space.
input=ca_signing.csr

# Path for the CMC request.
output=ca_signing-cmc-request.bin

Then execute the following command:

$ CMCRequest ca_signing-cmc-request.cfg

Submitting CMC Request

To submit a CMC request, prepare the following configuration file (e.g. ca_signing-cmc-submit.cfg):

# PKI server host name.
host=pki.example.com

# PKI server port number.
port=8443

# Use secure connection.
# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
secure=true

# Use client authentication.
clientmode=true

# NSS database directory where the CA agent certificate is stored.
dbdir=$HOME/.dogtag/nssdb

# NSS database password.
password=Secret.123

# Token name (default: internal).
tokenname=internal

# Nickname of agent certificate.
nickname=caadmin

# CMC servlet path.
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert

# Path for the CMC request.
input=ca_signing-cmc-request.bin

# Path for the CMC response.
output=ca_signing-cmc-response.bin

Then execute the following command:

$ HttpClient ca_signing-cmc-submit.cfg

Processing CMC Response

To convert the CMC response into a PKCS #7 certificate chain:

$ CMCResponse -i ca_signing-cmc-response.bin -o ca_signing.crt
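As an added example that is not part of this wiki page or of the PKI project's own tooling, the following POSIX shell script ties the three steps together: it generates both configuration files from a few parameters, creates them with mode 0600 because they carry the NSS database password in clear text, and then runs CMCRequest, HttpClient and CMCResponse in order, stopping at the first failure. The CMC_* variable names, their defaults and the --run switch are this example's own assumptions; the configuration keys, the servlet path and the tool invocations are the ones shown above.

```shell
#!/bin/sh
# Added example; this script is not from the Dogtag wiki or the PKI project.
# It drives the three steps described above in order:
#   CMCRequest -> HttpClient -> CMCResponse
# Assumptions (not stated on the page): the CMC_* parameter names and their
# defaults, the working-directory layout, and that the pki-tools binaries
# are on PATH when the script is invoked with "--run".

# Constructed defaults; override any of them via the environment.
: "${CMC_HOST:=pki.example.com}"
: "${CMC_PORT:=8443}"
: "${CMC_DBDIR:=$HOME/.dogtag/nssdb}"
: "${CMC_TOKEN:=internal}"
: "${CMC_NICKNAME:=caadmin}"
: "${CMC_PROFILE:=caCMCcaCert}"
: "${CMC_CSR:=ca_signing.csr}"
: "${CMC_WORKDIR:=.}"
# CMC_PASSWORD (the NSS database password) deliberately has no default.

require_password() {
    if [ -z "${CMC_PASSWORD:-}" ]; then
        echo "CMC_PASSWORD is not set" >&2
        return 1
    fi
}

# Write the CMCRequest configuration (the keys from the page's first file).
# The file holds the NSS password, so it is created under umask 077 in a
# subshell and ends up mode 0600 without changing the caller's umask.
write_cmc_request_cfg() {
    require_password || return 1
    cfg="$CMC_WORKDIR/ca_signing-cmc-request.cfg"
    (
        umask 077
        cat > "$cfg" <<EOF
dbdir=$CMC_DBDIR
password=$CMC_PASSWORD
tokenname=$CMC_TOKEN
nickname=$CMC_NICKNAME
format=pkcs10
numRequests=1
input=$CMC_CSR
output=$CMC_WORKDIR/ca_signing-cmc-request.bin
EOF
    ) || return 1
    echo "$cfg"
}

# Write the HttpClient configuration (the keys from the page's second file).
# secure=true plus clientmode=true means TLS with the agent certificate as
# the client credential; the servlet path selects the caCMCcaCert profile.
write_cmc_submit_cfg() {
    require_password || return 1
    cfg="$CMC_WORKDIR/ca_signing-cmc-submit.cfg"
    (
        umask 077
        cat > "$cfg" <<EOF
host=$CMC_HOST
port=$CMC_PORT
secure=true
clientmode=true
dbdir=$CMC_DBDIR
password=$CMC_PASSWORD
tokenname=$CMC_TOKEN
nickname=$CMC_NICKNAME
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=$CMC_PROFILE
input=$CMC_WORKDIR/ca_signing-cmc-request.bin
output=$CMC_WORKDIR/ca_signing-cmc-response.bin
EOF
    ) || return 1
    echo "$cfg"
}

# Run the three tools; each step stops the flow on a non-zero exit so a
# failed submission never reaches CMCResponse with a stale response file.
issue_ca_signing_cert() {
    req_cfg=$(write_cmc_request_cfg) || return 1
    sub_cfg=$(write_cmc_submit_cfg) || return 1
    CMCRequest "$req_cfg" || return 1
    HttpClient "$sub_cfg" || return 1
    CMCResponse -i "$CMC_WORKDIR/ca_signing-cmc-response.bin" \
                -o "$CMC_WORKDIR/ca_signing.crt" || return 1
    # Sanity check: list the subjects and issuers in the returned chain.
    # Assumes CMCResponse writes the PKCS #7 chain PEM-encoded (openssl's
    # default input form); add -inform DER if your build writes DER.
    openssl pkcs7 -in "$CMC_WORKDIR/ca_signing.crt" -print_certs -noout
}

# Only perform the network steps when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    issue_ca_signing_cert
fi
```

Run it from the directory holding ca_signing.csr as `CMC_PASSWORD='...' sh issue-ca-signing.sh --run`; without --run the script only defines the functions, so the two configuration files can be generated and inspected before anything is sent to the parent CA.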
