CMC Certificate Issuance User Workflow - dogtagpki/pki GitHub Wiki
This section gives users a high-level walkthrough of the certificate issuance process. It is recommended that you read this section before looking at the Examples sections below.

Obtaining a certificate using CMC involves the following steps:

1. Generating a PKCS #10 or CRMF certificate signing request (CSR). This can be done with any available tool, such as `PKCS10Client` or `CRMFPopClient` (provided by the `pki-tools` package), `openssl`, etc. Note that if key archival is desired and the KRA is set up to do so, use `CRMFPopClient` with the KRA's transport certificate, in PEM format, placed in the `kra.transport` file.

2. Transforming the CSR from step 1 into a CMC request. This involves running `CMCRequest` (provided by the `pki-tools` package) over the CSR generated in step 1 to produce a CMC request. Note that `CMCRequest` takes a configuration file in which `input` should point to the CSR and `format` should be either `pkcs10` or `crmf`. There are many options to fine-tune the resulting CMC request; run `man CMCRequest` at the command line for the instructions, then look at the examples in the following sections.

3. Sending the resulting CMC request from step 2 to the CA. This involves running `HttpClient` over the CMC request generated in step 2 and sending it to the issuing CA. Note that `HttpClient` takes a configuration file in which `input` should point to the CMC request generated in step 2. The result of `HttpClient` is written to the file pointed to by the `output` parameter. Run `HttpClient` at the command line to see the instructions, then look at the examples in the following sections. If successful, the result of running `HttpClient` is a PKCS #7 chain with `CMCStatus` controls.

4. Checking the issuance result (optional, but recommended). This involves running `CMCResponse` over the output from step 3 to interpret the `CMCStatus` and, if successful, present the certificate chain to the user in human-readable form.

5. Importing the new certificate. There are many ways to do this. For a user certificate, you could use a tool such as `certutil` to import the PKCS #7 chain output in step 3; for servers, you might be running an installation tool such as `pkispawn` from Dogtag. Follow the instructions of whichever application you are running to import the certificate. Keep in mind that the certificate chain is in PKCS #7 data format. Some applications might expect Base64 encoding, in which case you would transform it by running `BtoA`; some applications might expect the header and footer of PEM format, in which case you need to add those as well.

Note: in the case where the POP is missing (as with encryption-only keys), you need to follow the EncryptedPOP/DecryptedPOP example below to complete the enrollment. In that case, `HttpClient` receives an EncryptedPOP `CMCStatus` (you would see that by running `CMCResponse` in step 4), and you will need to run `CMCRequest` again with a different set of parameters in its config. See the example below for details.
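As an added example that is not part of this wiki page or the pki project, the following script ties the five steps together: it writes the `CMCRequest` and `HttpClient` configuration files, runs the tools, and converts the returned PKCS #7 response into PEM for applications that expect it. The configuration keys beyond `input`, `format` and `output`, the `CMCResponse` flags, the servlet path, the CA host, the NSS database path and the certificate nickname are assumptions taken from the pki-tools man pages or placeholders, not values from this page.

```shell
# Added example, not from the dogtag wiki. Keys other than input/format/output
# and the CMCResponse flags are assumed from pki-tools man pages; hosts, paths
# and nicknames are placeholders.
set -eu

# Step 2: CMCRequest config. format must be pkcs10 or crmf to match the CSR.
write_cmcrequest_cfg() {  # cfg csr cmc_out format nssdb signer_nickname
  cat > "$1" <<EOF
input=$2
output=$3
format=$4
dbdir=$5
password=PLACEHOLDER_NSS_PASSWORD
nickname=$6
EOF
}

# Step 3: HttpClient config. output receives the PKCS #7 chain + CMCStatus.
write_httpclient_cfg() {  # cfg cmc_in response_out ca_host nssdb
  cat > "$1" <<EOF
host=$4
port=8443
secure=true
input=$2
output=$3
dbdir=$5
password=PLACEHOLDER_NSS_PASSWORD
servlet=/ca/ee/ca/profileSubmitCMCFull
EOF
}
# Step 5: response is DER PKCS #7; base64 it (as BtoA does) and add PEM armour.
der_to_pem() {  # der_in pem_out
  { echo "-----BEGIN PKCS7-----"
    base64 < "$1" | tr -d '\n' | fold -w 64
    echo; echo "-----END PKCS7-----"; } > "$2"
}

# Steps 1-5 end to end; runs only when invoked as: sh cmc-issue.sh run
run_workflow() {
  w=${WORKDIR:-./cmc-work}; mkdir -p "$w"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$w/key.pem" -out "$w/req.csr"                        # step 1
  write_cmcrequest_cfg "$w/cmc.cfg" "$w/req.csr" "$w/req.cmc" pkcs10 "$w/nssdb" agent-cert
  CMCRequest "$w/cmc.cfg"                                         # step 2
  write_httpclient_cfg "$w/http.cfg" "$w/req.cmc" "$w/resp.p7" ca.example.test "$w/nssdb"
  HttpClient "$w/http.cfg"                                        # step 3
  CMCResponse -d "$w/nssdb" -i "$w/resp.p7"                       # step 4: CMCStatus
  der_to_pem "$w/resp.p7" "$w/chain.pem"                          # step 5
}
if [ "${1:-}" = run ]; then run_workflow; fi
```

For the EncryptedPOP case described in the note above, the `write_cmcrequest_cfg` step is the one that must be repeated with the different parameter set.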