Certificate Enrollment with PIN Authenticated Profile - dogtagpki/pki GitHub Wiki
This page describes the process to enroll a certificate using a PIN-authenticated profile (e.g. caDirPinUserCert
).
Availability: Since PKI 11.6.
The enrollment can be done using pki ca-cert-issue
command.
Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password and the PIN:
$ pki ca-cert-issue \ --profile caDirPinUserCert \ --csr-file testuser.csr \ --username testuser \ --password \ --pin \ --output-file testuser.crt Password: ******** PIN: ********
The password and PIN can also be specified with --password-file
and --pin-file
options.
The certificate will be stored into testuser.crt
.
Availability: Since PKI 11.6
The enrollment can be done using pki ca-cert-request-submit
command.
Specify the profile name, the CSR file, the username in the following command, and it will prompt for the password and the PIN:
$ pki ca-cert-request-submit \ --profile caDirPinUserCert \ --csr-file testuser.csr \ --username testuser \ --password \ --pin Password: ******** PIN: ******** ----------------------------- Submitted certificate request ----------------------------- Request ID: 0xfd5377c93db8f0ed016de1d688e27f7e Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x784127bb5291d998224a9426aea15c2b
The password and PIN can also be specified with --password-file
and --pin-file
options.
The certificate can be retrieved with the following command:
$ pki ca-cert-export <cert ID> --output-file testuser.crt
The enrollment can also be done manually using XML messages.
Then retrieve the template for the XML request for the profile with the following command:
$ curl \ -k \ -s \ -H "Content-Type: application/xml" \ -H "Accept: application/xml" \ https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \ | xmllint --format - \ > request.xml
Insert the username of the LDAP user with the following command:
$ xmlstarlet edit --inplace \ -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "testuser" \ -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "uid" \ request.xml
Insert the password of the LDAP user with the following command:
$ xmlstarlet edit --inplace \ -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "Secret.123" \ -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pwd" \ request.xml
Insert the PIN of the LDAP user with the following command:
$ xmlstarlet edit --inplace \ -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "5yD9VI" \ -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pin" \ request.xml
Insert the request type with the following command:
$ xmlstarlet edit --inplace \ -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request_type']/Value" \ -v "pkcs10" \ request.xml
Insert the CSR with the following command:
$ xmlstarlet edit --inplace \ -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request']/Value" \ -v "$(cat testuser.csr)" \ request.xml
The final XML request should look like the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <CertEnrollmentRequest> <Attributes> <Attribute name="uid">testuser</Attribute> <Attribute name="pwd">Secret.123</Attribute> <Attribute name="pin">5yD9VI</Attribute> </Attributes> ... <Input ...> ... <Attribute name="cert_request_type"> <Value>pkcs10</Value> ... </Attribute> <Attribute name="cert_request"> <Value>-----BEGIN CERTIFICATE REQUEST----- MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp 8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq QA== -----END CERTIFICATE REQUEST-----</Value> ... </Attribute> </Input> </CertEnrollmentRequest>
Then submit the request with the following command:
$ curl \ -k \ -s \ -X POST \ -d @request.xml \ -H "Content-Type: application/xml" \ -H "Accept: application/xml" \ https://$HOSTNAME:8443/ca/rest/certrequests \ | xmllint --format - <CertRequestInfos> <total>1</total> <CertRequestInfo ...> <requestID>0xfd5377c93db8f0ed016de1d688e27f7e</requestID> <requestType>enrollment</requestType> <requestStatus>complete</requestStatus> ... <certID>0x784127bb5291d998224a9426aea15c2b</certID> ... <certRequestType>pkcs10</certRequestType> <operationResult>success</operationResult> </CertRequestInfo> </CertRequestInfos>
The certificate can be retrieved with the following commands:
$ curl \ -k \ -s \ -H "Content-Type: application/xml" \ -H "Accept: application/xml" \ https://$HOSTNAME:8443/ca/rest/certs/<cert ID> \ | xmllint --format - \ > cert.xml $ xmlstarlet sel -t -v '/CertData/Encoded' cert.xml \ | sed 's/ $//' \ > testuser.crt
The enrollment can also be done manually using JSON messages.
Retrieve the template for the JSON request for the profile with the following command:
$ curl \ -k \ -s \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ https://$HOSTNAME:8443/ca/rest/certrequests/profiles/caDirPinUserCert \ | python -m json.tool \ > request.json
Insert the username of the LDAP user with the following command:
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser" }' \ request.json | sponge request.json
Insert the password of the LDAP user with the following command:
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \ request.json | sponge request.json
Insert the PIN of the LDAP user with the following command:
$ jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": "5yD9VI" }' \ request.json | sponge request.json
Insert the request type with the following command:
$ jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \ request.json | sponge request.json
Insert the CSR with the following command:
$ jq --rawfile cert_request testuser.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \ request.json | sponge request.json
The final JSON request should look like the following:
{ ..., "Input": [ { ..., "Attribute": [ { "name": "cert_request_type", "Value": "pkcs10", ... }, { "name": "cert_request", "Value": "-----BEGIN CERTIFICATE REQUEST-----\nMIICnjCCAYYCAQAwWTETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT8ixkARkWB2V4YW1w\r\nbGUxDzANBgNVBAsMBnBlb3BsZTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtRip472Jza92YAPnCZ6vyF32QGC+hpPnLbJv9kXRHWCVIHnM\r\nJ/Ifxa8MGitf3jqsy7pZMwW4MJwPMa4ai2jwE4u14dOVH4NMxjwM+IuEbWVbyenMS3HO1vCpo49X\r\nmwZbL3wvM83UJgd89l6qtqY5t9vmgzixDB83cxsoIQBXK2MiBl6ndn5lMP2CPdtF6vRt6CVOneN6\r\nu/nBlLv4FFJUDYep5fVLz8HvaQhcApa3/rIMxf1L919Eu+gj6WfvbW/vk+UM6UswoRQSgTr2Yl4n\r\nZyqt7H0c8wOsEqkESKrCvZYiBC8rMOgYJ2uoBGJBjvXXAFo6Br1OvVOSB/h+oJtq2wIDAQABoAAw\r\nDQYJKoZIhvcNAQELBQADggEBAIF8nUIwYPjPLDd61XO7Ai5uA5NhzHj/QIL25KdzSuDguURSsLMQ\r\nX4APwvCvmS77VL6wqrKx3yRoND3JhoU8WZ619vrpb76WXgs0Zm8zO8YigTbAJiFIak3BU6H+2wdX\r\nOhPSFZjdAdx4rY/qt2HwpkiJhuh1SkbboW8pKWwOeJmpPEc7GzzGxz/BcxfuAGg7FAwJTFFQWnZu\r\nrsN6Sls1sdkp7DFm+kA5IhVkv2IL9Pqc5IJoqvGAwrz/vBGGm5gZS/stEadHwBPdOHjK/3htWfwh\r\nQ7M9P7pkGWo/D1hTox//hpO29Lxxx6drmxVJpA4PAQLXtcd91EKkkYPEFBKv/pc=\r\n-----END CERTIFICATE REQUEST-----", ... } ] } ], ..., "Attributes": { "Attribute": [ { "name": "uid", "value": "testuser" }, { "name": "pwd", "value": "Secret.123" }, { "name": "pin", "value": "5yD9VI" } ] } }
Then submit the request with the following command:
$ curl \ -k \ -s \ -X POST \ -d @request.json \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ https://$HOSTNAME:8443/ca/rest/certrequests \ | python -m json.tool { "total": 1, "entries": [ { "requestID": "0xfd5377c93db8f0ed016de1d688e27f7e", "requestType": "enrollment", "requestStatus": "complete", ..., "certId": "0x784127bb5291d998224a9426aea15c2b", ..., "certRequestType": "pkcs10", "operationResult": "success", ... } ] }
The certificate can be retrieved with the following commands:
$ curl \ -k \ -s \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ https://$HOSTNAME:8443/ca/rest/certs/<cert ID> \ | python -m json.tool \ > cert.json $ jq -j '.Encoded' cert.json | tee testuser.crt