CMC Examples Getting Subordinate CA Certificate - dogtagpki/pki GitHub Wiki

Getting Subordinate CA Certificate

  • Generate a PKCS10 request

    • Note: make sure the subject name is as intended.

$ PKCS10Client -d . -p netscape -n "CN=subCA Signing Certificate,OU=pki-tomcat,O=mySecurityDomain" -o ca_pkcs10.req
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: CertificationRequest created.
PKCS10Client: b64encode completes.
Keypair private key id: 192bda1e7f8f2105e070df51d4fc928b6b3a15e9

-----BEGIN CERTIFICATE REQUEST-----
MIICmTCCAYECAQAwVDEZMBcGA1UECgwQbXlTZWN1cml0eURvbWFpbjETMBEGA1UECwwKcGtpLXRvbWNhdDEiMCAGA1UEAwwZc3ViQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKo
<snip>
-----END CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: sys_subca_pkcs10.req
  • Edit the CMCRequest cfg file to make sure that

    • the nickname contains the agent cert that will sign the request

    • see CMCRequest cfg file example: CMC.sys_subca_pkcs10.cfg

  • Generate the CMC request

$ CMCRequest cmc.sys_subca_pkcs10.cfg

cert/key prefix =
path = /root/cfu/test/cmc/
CryptoManger initialized
token internal logged in...
got signerCert: PKI Administrator for unknown00262DFC6A5E
createPKIData: begins
k=0
createPKIData:  format: pkcs10
PKCS10: PKCS10: begins
PKCS10: PKCS10: ends
selfSign is false...
signData: begins:
getPrivateKey: got signing cert
signData:  got signer privKey
createSignedData: begins
getSigningAlgFromPrivate: begins.
getSigningAlgFromPrivate: found signingKeyType=RSA
getSigningAlgFromPrivate: using SignatureAlgorithm: RSASignatureWithSHA256Digest
createSignedData: digest created for pkidata
createSignedData: digest algorithm =RSA
createSignedData: building cert chain
signData: signed request generated.
getCMCBlob: begins
getCMCBlob: generating signed data

The CMC enrollment request in base-64 encoded format:

MIIM3gYJKoZIhvcNAQcCoIIMzzCCDMsCAQMxDzANBglghkgBZQMEAgEFADCCAsQG
<snip>

The CMC enrollment request in data format is stored in /root/cfu/test/cmc/cmc.sys_subca_pkcs10.req.
  • Submit the CMC request

    • make sure the nickname contains the signing agent’s certificate nickname

    • make sure secure=true and clientmode=true

    • make sure servlet=/ca/ee/ca/profileSubmitCMCFullCACert

    • example: HttpClient_sys_ca.cfg

$ HttpClient HttpClient_sys_ca.cfg

Total number of bytes read = 3298
after SSLSocket created, thread token is Internal Key Storage Token
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 2598
MIIKIgYJKoZIhvcNAQcCoIIKEzCCCg8CAQMxDzANBglghkgBZQMEAgEFADAxBggr
<snip>
The response in data format is stored in /root/cfu/test/cmc/cmc.sys_subca_pkcs10.resp
  • Check the result (note that in the success case the response is a PKCS#7 certificate chain)

$ CMCResponse -d . -i /root/cfu/test/cmc/cmc.sys_subca_pkcs10.resp
Certificates:
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0x42
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,OU=pki-tomcat,O=unknown00262DFC6A5E Security Domain
            Validity:
                Not Before: Wednesday, July 5, 2017 4:28:14 PM PDT America/Los_Angeles
                Not  After: Sunday, July 5, 2037 4:28:14 PM PDT America/Los_Angeles
            Subject: CN=subCA Signing Certificate,OU=pki-tomcat,O=mySecurityDomain
<snip>
Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1
   Status: SUCCESS
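As an added example that is not part of this wiki page or of the pki project's own tooling, a bash pre-flight and post-check around the submit and check steps above: it verifies that the HttpClient cfg carries the settings listed, then confirms that the CMCResponse dump reports SUCCESS and that a certificate in the returned chain carries exactly the subject DN given to PKCS10Client. It assumes the key=value line form of the CMC tools' cfg files; the file names and sample contents are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the dogtagpki wiki). Inputs below are constructed.

# Pre-flight: each requirement listed for HttpClient_sys_ca.cfg must appear as
# a whole key=value line, and nickname (the agent cert that signs the request)
# must be non-empty. Returns 0 when all hold, 1 otherwise.
check_httpclient_cfg() {
  local cfg="$1" rc=0 want nick
  for want in "secure=true" "clientmode=true" \
              "servlet=/ca/ee/ca/profileSubmitCMCFullCACert"; do
    grep -qxF "$want" "$cfg" || { echo "cfg: missing '$want'" >&2; rc=1; }
  done
  nick=$(sed -n 's/^nickname=//p' "$cfg")
  [ -n "$nick" ] || { echo "cfg: nickname (agent cert) not set" >&2; rc=1; }
  return "$rc"
}

# Post-check on the CMCResponse text output: the CMCStatusInfoV2 control must
# say SUCCESS, and one certificate in the returned PKCS#7 chain must carry
# exactly the subject DN handed to PKCS10Client (the "subject name is as
# intended" note, re-verified after issuance).
check_cmc_response() {
  local dump="$1" expected_dn="$2"
  grep -qE '^[[:space:]]*Status: SUCCESS[[:space:]]*$' "$dump" \
    || { echo "resp: CMC status is not SUCCESS" >&2; return 1; }
  sed -n 's/^[[:space:]]*Subject: //p' "$dump" | grep -qxF "$expected_dn" \
    || { echo "resp: no certificate with subject '$expected_dn'" >&2; return 1; }
}

# Constructed sample inputs (not the real files from the run on the page).
DEMO=$(mktemp -d)
cat >"$DEMO/HttpClient_sys_ca.cfg" <<'EOF'
secure=true
clientmode=true
nickname=PKI Administrator for unknown00262DFC6A5E
servlet=/ca/ee/ca/profileSubmitCMCFullCACert
EOF
cat >"$DEMO/cmc.resp.txt" <<'EOF'
Certificates:
    Certificate:
            Subject: CN=subCA Signing Certificate,OU=pki-tomcat,O=mySecurityDomain
Number of controls is 1
Control #0: CMCStatusInfoV2
   Status: SUCCESS
EOF
SUBCA_DN="CN=subCA Signing Certificate,OU=pki-tomcat,O=mySecurityDomain"
check_httpclient_cfg "$DEMO/HttpClient_sys_ca.cfg" && echo "cfg ok"
check_cmc_response "$DEMO/cmc.resp.txt" "$SUBCA_DN" && echo "issued cert ok"
```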