Adding System User - dogtagpki/pki GitHub Wiki
This document describes the process to add a new system user and issue a client certificate for authentication. The document assumes that the CA has been installed and the administrator and the user are using separate Linux accounts.
As the admin of the subsystem, create a new system user (e.g. testuser):
    $ pki -n caadmin ca-user-add testuser --fullName "Test User"
    ---------------------
    Added user "testuser"
    ---------------------
      User ID: testuser
      Full name: Test User
If necessary, add the new system user to the appropriate groups:
    $ pki -n caadmin ca-group-member-add "Certificate Manager Agents" testuser
    -----------------------------
    Added group member "testuser"
    -----------------------------
      User: testuser
As the new system user, prepare a private NSS database:
    $ pki -c Secret.123 client-init
    ------------------
    Client initialized
    ------------------
As the user, generate and submit a certificate request.
If key archival is not needed, generate and submit a PKCS #10 request with the following command:
    $ pki -c Secret.123 client-cert-request uid=testuser
    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 28
      Type: enrollment
      Request Status: pending
      Operation Result: success
If key archival is needed, first obtain the KRA transport certificate (see Getting KRA Transport Certificate).
Then generate and submit a CRMF request with the following command:
    $ pki -c Secret.123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 28
      Type: enrollment
      Request Status: pending
      Operation Result: success
Alternatively, generate a CSR with PKCS10Client (the 1024-bit key length shown here is only illustrative; use at least 2048 bits for a real deployment):
    $ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr -n "uid=testuser"
    PKCS10Client: Debug: got token.
    PKCS10Client: Debug: thread token set.
    PKCS10Client: token Internal Key Storage Token logged in...
    PKCS10Client: key pair generated.
    PKCS10Client: pair.getPublic() called.
    PKCS10Client: CertificationRequestInfo() created.
    PKCS10Client: CertificationRequest created.
    PKCS10Client: calling Utils.b64encode.
    PKCS10Client: b64encode completes.
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
    hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
    tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
    HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
    GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
    BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
    HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
    o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
    hA==
    -----END NEW CERTIFICATE REQUEST-----
    PKCS10Client: done. Request written to file: testuser.csr
Download the request template into a file:
    $ pki ca-cert-request-profile-show caUserCert --output testuser.xml
Copy the CSR and subject DN into the file:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <CertEnrollmentRequest>
        ...
        <Input id="i1">
            <Attribute name="cert_request_type">
                <Value>pkcs10</Value>
                ...
            </Attribute>
            <Attribute name="cert_request">
                <Value>
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
    hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
    tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
    HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
    GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
    BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
    HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
    o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
    hA==
    -----END NEW CERTIFICATE REQUEST-----
                </Value>
                ...
            </Attribute>
        </Input>
        <Input id="i2">
            ...
            <Attribute name="sn_uid">
                <Value>testuser</Value>
                ...
            </Attribute>
        </Input>
        ...
    </CertEnrollmentRequest>
Submit the request with the following command:
    $ pki ca-cert-request-submit testuser.xml
    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 28
      Type: enrollment
      Request Status: pending
      Operation Result: success
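The "copy the CSR and subject DN into the file" step above can be scripted. The following is an added example, not code from the wiki or the pki project: it fills the caUserCert template downloaded with ca-cert-request-profile-show, assuming the Input ids i1/i2 and attribute names shown above; SAMPLE_TEMPLATE and SAMPLE_CSR are constructed stand-ins, not real pki output.

```python
# Added example (not from the dogtagpki wiki). Assumes the template layout shown
# on this page: Input i1 holds cert_request_type/cert_request, Input i2 holds sn_uid.
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'

def _value_element(root, input_id, attr_name):
    """Locate the <Value> element of a named Attribute inside a given Input."""
    path = f"./Input[@id='{input_id}']/Attribute[@name='{attr_name}']/Value"
    elem = root.find(path)
    if elem is None:
        raise KeyError(f"template has no {attr_name} in Input {input_id}")
    return elem

def fill_enrollment_request(template_xml: str, csr_pem: str, uid: str) -> str:
    """Return the template with request type, CSR and subject UID filled in."""
    root = ET.fromstring(template_xml)
    pem = csr_pem.strip()
    # Accept only a PEM-framed request; a stray debug line or bare body is an error.
    if not (pem.startswith("-----BEGIN") and pem.endswith("CERTIFICATE REQUEST-----")):
        raise ValueError("CSR is not in PEM form")
    _value_element(root, "i1", "cert_request_type").text = "pkcs10"
    _value_element(root, "i1", "cert_request").text = pem
    _value_element(root, "i2", "sn_uid").text = uid
    return XML_DECL + ET.tostring(root, encoding="unicode")

# Constructed sample in the shape of the caUserCert template (not real pki output).
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
  <ProfileID>caUserCert</ProfileID>
  <Input id="i1">
    <Attribute name="cert_request_type"><Value></Value></Attribute>
    <Attribute name="cert_request"><Value></Value></Attribute>
  </Input>
  <Input id="i2">
    <Attribute name="sn_uid"><Value></Value></Attribute>
  </Input>
</CertEnrollmentRequest>"""

# Constructed placeholder CSR (not a real request).
SAMPLE_CSR = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
              "MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXI=\n"
              "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    # Real use: fill the downloaded template in place from the CSR file.
    with open("testuser.csr") as c, open("testuser.xml") as t:
        filled = fill_enrollment_request(t.read(), c.read(), "testuser")
    with open("testuser.xml", "w") as t:
        t.write(filled)
```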
As a CA agent, approve the request. Then, as an admin of the subsystem, assign the certificate to the user.
To approve the request:
    $ pki -n caadmin ca-cert-request-review 28 --action approve
    -------------------------------
    Approved certificate request 28
    -------------------------------
      Request ID: 28
      Type: enrollment
      Request Status: complete
      Operation Result: success
      Certificate ID: 0x1c
To assign the certificate to the user:
    $ pki -n caadmin ca-user-cert-add testuser --serial 0x1c
Alternatively, the certificate can be downloaded first and assigned from the file. To approve the request:
    $ pki -n caadmin ca-cert-request-review 28 --action approve
    -------------------------------
    Approved certificate request 28
    -------------------------------
      Request ID: 28
      Type: enrollment
      Request Status: complete
      Operation Result: success
      Certificate ID: 0x1c
To download the certificate:
    $ pki ca-cert-show 0x1c --output testuser.crt
    ------------------
    Certificate "0x1c"
    ------------------
      Serial Number: 0x1c
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: UID=testuser
      Status: VALID
      Not Before: Wed Nov 13 19:47:31 EST 2013
      Not After: Mon May 12 20:47:31 EDT 2014
To assign the certificate to the user:
    $ pki -n caadmin ca-user-cert-add testuser --input testuser.crt
    -------------------------------------------------------------------------
    Added certificate "2;28;CN=CA Signing Certificate,O=EXAMPLE;UID=testuser"
    -------------------------------------------------------------------------
      Cert ID: 2;28;CN=CA Signing Certificate,O=EXAMPLE;UID=testuser
      Version: 2
      Serial Number: 0x1c
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: UID=testuser
As the user, download the certificate and import it into the security database.
To download and import the certificate into the security database in one step:
    $ pki -c Secret.123 client-cert-import testuser --serial 0x1c
Alternatively, download the certificate to a file first:
    $ pki ca-cert-show 0x1c --output testuser.crt
    ------------------
    Certificate "0x1c"
    ------------------
      Serial Number: 0x1c
      Issuer: CN=CA Signing Certificate,O=EXAMPLE
      Subject: UID=testuser
      Status: VALID
      Not Before: Wed Nov 13 19:47:31 EST 2013
      Not After: Mon May 12 20:47:31 EDT 2014
Then import it into the security database:
    $ pki -c Secret.123 -n testuser client-cert-import --cert testuser.crt
The user can then authenticate with the certificate by passing its nickname with -n:
    $ pki -c Secret.123 -n testuser <command>
To export the user certificate into a PKCS #12 file:
    $ pki -c Secret.123 client-cert-show testuser --pkcs12 testuser.p12 --pkcs12-password Secret.123
To export the CA certificate into a PEM file:
    $ pki -c Secret.123 client-cert-show "CA Signing Certificate" --cert ca.pem
In summary, from the user's perspective, first initialize the NSS database:
    $ pki -c Secret.123 client-init
    ------------------
    Client initialized
    ------------------
Then request a certificate:
    $ pki -c Secret.123 client-cert-request uid=testuser
    -----------------------------
    Submitted certificate request
    -----------------------------
      Request ID: 28
      Type: enrollment
      Request Status: pending
      Operation Result: success
Wait for approval, then retrieve the certificate:
    $ pki -c Secret.123 client-cert-import testuser --serial 0x1c
From the admin's perspective, first create the user account:
    $ pki -n caadmin ca-user-add testuser --fullName "Test User"
    ---------------------
    Added user "testuser"
    ---------------------
      User ID: testuser
      Full name: Test User
Then approve the request:
    $ pki -n caadmin ca-cert-request-review 28 --action approve
    -------------------------------
    Approved certificate request 28
    -------------------------------
      Request ID: 28
      Type: enrollment
      Request Status: complete
      Operation Result: success
      Certificate ID: 0x1c
Finally, assign the certificate to the user:
    $ pki -n caadmin ca-user-cert-add testuser --serial 0x1c
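The agent/admin side of the summary above, as an added example that is not from the wiki or the pki project: it chains ca-cert-request-review and ca-user-cert-add, taking the Certificate ID from the review output instead of retyping it, and refuses to assign anything unless the request actually completed. The caadmin nickname and the output layout are assumed from this page; SAMPLE_REVIEW_OUTPUT is constructed.

```python
# Added example, not from the dogtagpki wiki. Assumes the pki CLI is on PATH,
# the admin certificate nickname is "caadmin" and the output layout matches the page.
import re
import subprocess

def parse_pki_output(text: str) -> dict:
    """Collect the 'Key: value' lines pki prints into a dict; banner lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def run_pki(args):
    """Invoke the real pki CLI and return its stdout; a non-zero exit raises."""
    proc = subprocess.run(["pki", *args], check=True, capture_output=True, text=True)
    return proc.stdout

def approve_and_assign(request_id: str, user: str, runner=run_pki) -> str:
    """Agent/admin side: approve the request, verify it completed, then bind the
    issued certificate to the system user. Returns the certificate serial."""
    out = runner(["-n", "caadmin", "ca-cert-request-review", request_id,
                  "--action", "approve"])
    review = parse_pki_output(out)
    # Do not bind a certificate unless the CA reports the request as complete.
    if (review.get("Request Status") != "complete"
            or review.get("Operation Result") != "success"
            or "Certificate ID" not in review):
        raise RuntimeError(f"request {request_id} not approved: {review}")
    serial = review["Certificate ID"]
    runner(["-n", "caadmin", "ca-user-cert-add", user, "--serial", serial])
    return serial

# Constructed sample of the review output, shaped like the transcript on this page.
SAMPLE_REVIEW_OUTPUT = """-------------------------------
Approved certificate request 28
-------------------------------
  Request ID: 28
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x1c
"""

if __name__ == "__main__":
    print(approve_and_assign("28", "testuser"))
```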